On September 17, 2021, a three-judge panel of the Illinois Appellate Court for the First Judicial District issued a long-awaited decision regarding the statute of limitations for claims under the state’s Biometric Information Privacy Act (“BIPA”) in Tims v. Black Horse Carriers, Inc. The Tims decision marks the first appellate guidance regarding this issue.  Although the BIPA is silent as to the applicable statute of limitations, the panel concluded that claims brought under section 15(a), (b), and (e) of the statute, which are the claims requiring companies to have a publicly available policy, obtain informed consent, and reasonably safeguard biometric data, are subject to a five-year limitations period.  BIPA claims brought under sections 15(c) and (d) of the statute, which are the claims which prohibit profiting from the use of biometric data or disclosure of biometric data are subject to a one-year statute of limitations.

In reaching its split decision regarding the applicable statute of limitations, the panel noted that each duty under the BIPA is “separate and distinct,” and that a private entity “could violate one of the duties while adhering to others.”  The panel further opined that “a plaintiff who alleges and eventually proves violation[s] of multiple duties could collect multiple recoveries of liquidated damages.” The panel looked to the text of the BIPA without consideration of the legislative history of the statute, and precedent, including the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corp., in reaching its conclusion.

Section 13-201 of the Illinois Code of Civil Procedure provides that there is a one-year statute of limitations for “actions for slander, libel or for publication  matter violating the right of privacy,” while section 13-205 has a five-year “catchall” statute of limitations for “all civil actions not otherwise provided for.”  The panel concluded that 13-201 does not apply to all privacy actions, but rather only privacy actions “where publication is an element or inherent part of the action.”  On these grounds, the panel determined that section 13-201’s one-year statute of limitations only applies to BIPA claims under sections 15(c) and (d) of the statute, which prohibit entities from “sell[ing], leas[ing], trad[ing], or otherwise profit[ing] from” or disclosing biometric data. With respect to those claims, the panel held that “publication or disclosure of biometric data is clearly an element of an action.”

Conversely, the panel concluded that claims under sections 15(a), (b), and (e) “have absolutely no element of publication or dissemination,” and thus, the five-year “catchall” statute of limitations applies.

In Tims, the First District was not asked, nor did it decide, the issue of when a claim under the BIPA accrues.  However, the accrual issue is currently the subject of an appeal before the federal Seventh Circuit Court of Appeals in Cothron v. White Castle.  The Seventh Circuit heard oral argument in Cothron on September 14, 2021, and has been asked by the plaintiff-appellant to certify the accrual issue to the Illinois Supreme Court for consideration.  In Marion v. Ring Container, the Illinois Appellate Court for the Third Judicial District is set to decide whether a one-year, two-year, or five-year statute of limitations applies to claims under the BIPA.  The Marion appeal is currently stayed pending a decision in McDonald v. Symphony Bronzeville, in which the Illinois Supreme Court will decide with finality whether BIPA claims arising in the employment context are preempted by the Illinois Workers’ Compensation Act.

There has been an influx of biometric privacy litigation in recent years. Private entities that collect, use, and store biometric data increasingly face compliance obligations as the law attempts to keep pace with ever-evolving technology. Creating a robust privacy and data protection program or regularly reviewing an existing one can mitigate risk and ensure legal compliance.

 

Yesterday, Baltimore’s local ordinance prohibiting persons from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology,” became effective.  The new ordinance prohibits the use of facial recognition technology by city residents, businesses, and most of the city government (excluding the city police department) until December 2022. Baltimore joins a growing list of localities regulating private use of facial recognition technology including Portland (Oregon), and New York City.

Specifically, the Baltimore ordinance prohibits an individual or entity from obtaining, retaining, or using facial surveillance system or any information obtained from a facial surveillance system within the boundaries of Baltimore city. “Facial surveillance system” is defined as any computer software or application that performs face surveillance. Notably, the Baltimore ordinance explicitly excluded from the definition of “facial surveillance system” a biometric security system designed specifically to protect against unauthorized access to a particular location or an electronic device, meaning organizations using a biometric security system for employee/visitor access to their facilities would appear to be still be permissible under the bill. The ordinance also excludes from its definition of “facial surveillance system” the Maryland Image Repository System (MIRS) used by the Baltimore City Police in criminal investigations.

Significantly, a person in violation of the law is subject to fine of not more than $1,000, imprisonment of not more than 12 months, or both fine and imprisonment.  Each day that a violation continues is considered a separate offense. The criminalization of use of facial recognition, is first of its kind across the United States.

Businesses in the City of Baltimore should be evaluating whether they are using facial recognition technologies, whether they fall into one of the exceptions in the ordinance, and if not what alternatives they have for verification, security, and other purposes for which the technology was implemented. An earlier post providing details and analysis of the Baltimore prohibition on face surveillance technology is available here.

Watch out! A spike in ransomware attacks may be headed our way over Labor Day weekend. Yesterday, the FBI jointly with the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to be on high alert for ransomware attacks this weekend, after recent targeted attacks over Mother’s Day, Memorial Day and Fourth of July weekends.

“Cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The FBI and CISA do not currently have specific information regarding cyber threats coinciding with upcoming holidays and weekends. Cyber criminals, however, may view holidays and weekends—especially holiday weekends—as attractive timeframes in which to target potential victims, including small and large businesses. In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time”, the FBI and CISA noted in their alert.

In May 2021, leading into Mother’s Day weekend, malicious cyber attackers deployed the now infamous ransomware attack on Colonial Pipeline, resulting in the Biden Administration issuing a memo specifically addressing critical infrastructure cybersecurity. Shortly after, over Memorial Day weekend, an entity in the food and agricultural sector suffered a similar attack, resulting in a complete shutdown of production. And finally, over July 4th weekend, an entity in the IT sector was hit with an attack affecting hundreds of organizations including multiple managed service providers and their customers.  Needless to say, organizations across all sectors should be on high alert heading into Labor Day weekend.

The FBI’s Internet Crime Complaint Center (IC3), the go-to-source for cyber incident reporting, has tracked ransomware trends in recent years.  In 2020, a record number of complaints (791,790) related to internet crimes were reported to IC3, with reported losses exceeding $4.1 billion. In ransomware specifically, there was a 20% increase during 2020, and a 225% increase in ransomware demands.

The FBI/CISA’s joint ransomware warning for Labor Day, provides several suggestions for preventing and responding to an attack.  Here are a few key takeaways:

  • Make an offline backup of your data. This includes reviewing your organization’s back up schedule to consider the risk of possible disruption during weekends and holidays.
  • Do not click on suspicious links. Implementing an employee/user training program and phishing exercises can go a long way in warding off an attack.
  • If you use RDP-or other potentially risky services-secure and monitor. In particular limit access and monitor remote access, and review review review your third-party vendor’s security policies.
  • Upgrade your OS and Software; scan for vulnerabilities. Continue to review and upgrade your software, regularly patching and updating for the latest available versions that take into account security vulnerabilities.
  • Use strong passwords. Consistent password hygiene can make a world of difference. Ensure strong passwords, that are regularly updated and not used across multiple accounts or stored on the system.
  • Use multi-factor authentication. Where possible, implement multi-factor authentication, particularly for remote/virtual networks.
  • Secure your network (s) and user accounts. This includes securing home networks of remote workers, and regularly auditing user account logs to ensure legitimacy.
  • Have an incident response plan. There are several steps an organization can take to build an incident response plan that minimizes the chance and impact of a successful attack. Here are a few.

Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends, such as spikes in attacks during the holidays.  Increasing awareness among employees to avoid becoming a victim of a phishing attack could be an excellent initial step.

Consumer privacy issues are as a hot as ever, and on the radar of the state and federal legislature alike.  Following in the footsteps of California, and most recently Virginia and Colorado, Ohio  introduced a comprehensive consumer privacy bill, the Ohio Personal Privacy Act (the “Act”). By introducing the Act, Ohio follows the growing nation-wide trend towards stronger state privacy laws related to consumer rights.

Application

The Act primarily applies to businesses in Ohio or business that collect data about consumers in Ohio which fall into one of the following categories:

  • at least $25 million in gross revenue;
  • with 100,000 customers;
  • derives more than 50% of its gross revenue from the sale of personal data and processes; or
  • controls personal data of 25,000 or more consumers.

The Act provides exceptions for certain business and institutions. Exceptions include institutions of higher education, business to business transactions, a covered entity or business associate under the Health Insurance Portability and Accountability Act, and a financial institution or an affiliate of a financial institution governed by the federal Gramm Leach-Bliley Act.

Consumer Data Rights

Businesses are expected to provide a “reasonably accessible, clear, and conspicuously posted privacy policy” to inform consumers about the data collected.

The Act specifies the following rights for consumers:

  • to ask companies what personal data they’ve collected;
  • to request corrections to the personal data collected;
  • to request that data be deleted subject to exceptions; and

to request that companies stop selling personal data.

It is also important to note, that as with its counterparts in certain other states, the Ohio bills defines “consumer” as a natural person who is a resident of the Ohio acting only in an individual or household context. The Act states that the definition of consumer does not include a “natural person acting in a business capacity or employment context.”

Anti-Discrimination Provision          

The Act prohibits businesses from engaging in discriminatory conduct related to the price of its products against consumers who exercise any of the above rights. Businesses must have legitimate business reasons for any differences in prices or ranges.

Remedies

Unlike many other states that have implemented consumer privacy protections, the Act does not provide for a private right of action. However, consumers may make a complaint to the Attorney General’s Office who has the sole authority to enforce the provisions of the Act. The Attorney General may seek civil penalties of up to $5,000 for each violation.

For more information on common features in the consumer privacy law landscape that should be considered when examining the effects of such laws on an organization, review our post on that topic. State consumer privacy legislative activity is only ramping up, and organizations across all jurisdictions need to be prepared.

 

Restaurants in New York City will soon gain access to valuable information about their delivery customers.  On July 29, 2021, the New York City Council approved a bill requiring third-party food delivery services (“FDS”), such as Uber Eats, DoorDash, and Grubhub, to share customer data – including names, phone numbers, delivery and mailing addresses, and purchase histories – with restaurants upon request.  This data-sharing requirement does not extend to telephone orders.

The bill requires an FDS to provide notice to its customer that their data may be shared with the restaurant with which the customer is placing its order, and mandates that the FDS provide a mechanism on its website that enables the customer to opt out of that data sharing.  If the customer declines to opt out when placing their order, consent is assumed.

Each FDS will be required to share customer data with restaurants on a monthly basis, and may not limit restaurants’ use of the data for marketing or other purposes.  However, restaurants are prohibited from selling, renting, or disclosing customer data to any other party in exchange for financial benefit without first obtaining written consent from the customer(s) in question.  Also, the restaurant must allow the customer to (1) withdraw that consent and/or (2) request that the restaurant delete their data.

This bill is expected to take effect in the next few months.  In the meantime, restaurants should prepare to avail themselves of this new dataset by developing internal policies to manage their collection, use, disclosure, and retention of this data, as well as to process customer requests to withdraw their consent or delete their data.

Cities step up their efforts to combat the COVID-19 Delta variant. New York City, New Orleans, and San Francisco have all announced requirements for certain persons to produce evidence of COVID vaccination status in order to patronize or work indoors at certain establishments. Adding to an already complex patchwork of COVID-related regulation – screening, social distancing, contact tracing, paid-time off, record keeping, etc. – certain businesses will need to absorb another layer. But while doing so, they should avoid creating new data privacy and security risks.

In general, each of the cities requires businesses in certain industries such as food services (restaurants, bars), fitness, and entertainment (hotels, casinos, music halls) to require employees, patrons, customers, contractors, and others to provide proof of vaccination to go indoors at these establishments. In some cases, proof is required even for certain outdoor activities. For example, in New Orleans, the requirement applies to outdoor events of more than 500 people if total attendance is more than 50% of the outdoor venue’s capacity.

There are several exceptions to these requirements. For example:

  • Persons under 12 do not have to provide proof of vaccination.
  • In New Orleans, a negative PCR test within 72 hours of access can be provided in lieu of vaccination proof. This is not permitted in San Francisco, which requires proof of full vaccination. See FAQs for COVID-19 Health Order C19-07y. NYC requires proof of at least one dose of the COVID-19 vaccination.
  • San Francisco businesses may allow patrons wearing a well-fitted mask to use a restroom indoors without vaccination verification. There is a similar exception in NYC.
  • If an individual in NYC is unable to show proof of vaccination due to a disability, the business must engage in a cooperative dialogue to see if a reasonable accommodation is possible. Reasonable accommodation is not required if the individual would create a direct threat to other customers or employees, or impose an undue hardship on the business. A similar approach is required for employees.

A significant issue for covered businesses, however, is whether they must collect any additional information in order to comply, and how should that information be safeguarded, retained, and/or disclosed, as necessary. Businesses will want to have sufficient proof that they have complied to avoid an enforcement action. In New York City, when enforcement begins on September 13, 2021, noncompliant establishments may be subject to a fine of $1,000, or more for repeated violations. But this does not mean they need to collect sensitive personal information.

The cities provide several ways for individuals to communicate proof of COVID vaccination.

  • In New Orleans, individuals can use the LA Wallet app; an original, digital photograph, or photocopy of CDC vaccination cards (both sides); or an official vaccine record issued by another state, foreign nation or the World Health Organization.
  • In San Francisco, one can show their CDC Vaccination Record Card (CRC), an image of the card saved to one’s smartphones, a digital COVID-19 vaccine record issued by the State of California, or an approved private app.
  • In NYC, any of the following could be a Key to NYC: one’s CDC vaccination card, the NYC COVID Safe App, the New York State Excelsior App, and official vaccine record, or a photo or hard copy of an official vaccination record of a vaccine administered outside the U.S.

In NYC, businesses also must check the ID of each person required to show proof of vaccination who appears to be 18 or older to confirm the individual is the same person as listed on the proof of vaccination. The ID must contain either the person’s name and picture, or name and date of birth. However, ID checks are not required for individuals that can be matched against information the business already maintains, such as employees.

Do I need to check other identification besides proof of vaccination?

Yes. Identification bearing the same identifying information as the proof of vaccination must also be displayed. (underline added)

See NYC’s Key to NYC FAQs. San Francisco has a similar requirement. See San Francisco FAQs (“Businesses subject to this new requirement must cross-check proof of vaccination against each patron’s photo identification.”)

Some of these methods raise privacy and data security issues for individuals, especially for those choosing to use apps. Pennsylvania is just one state reeling from a data breach involving a COVID app that exposed medical information of thousands of its citizens. But there are significant questions for businesses – what information do they have to collect, if any, and what steps should they take to process and safeguard that information.

NYC’s Key to NYC FAQs provides:

Who must display proof of vaccination?

Employees, patrons, interns, contractors, and volunteers at Key to NYC establishments must display proof of vaccination. Businesses may keep a record of people who have previously provided proof of vaccination, rather than require the proof be displayed every time the person enters the establishment. (underline added)…

What documents do I need to maintain?

You must have a written record that describes how you will verify proof of vaccination for staff and patrons. The record must be on site and available for inspection.

Based on the above, covered NYC businesses are not required to collect information from individuals about their vaccination status. They only need to document how they will verify proof. (NYC provides a sample written protocol) The guidance suggests, however, that businesses could maintain a record of persons who already confirmed vaccination status for ease of administration. But, doing so arguably would create confidential personal information.

New Orleans and San Francisco also do not require businesses to collect proof of vaccination information, although businesses in San Francisco should assess whether the California Consumer Privacy Act (CCPA), as amended, applies and whether additional compliance measures should be implemented.

So, the good news is that while there are some additional compliance requirements in these cities concerning COVID, covered businesses should not have to collect personal information from customers or employees in most cases to meet these requirements. When implementing these measures, businesses should consider advising employees to avoid collecting personal information. Of course, in cases where an employee or patron seeks a reasonable accommodation, the business may need additional information to process that request. In that case, there should be procedures in place to minimize the information needed, to safeguard what is collected, and to limit disclosure of what is retained.

Following a series of major ransomware attacks, including against Colonial Pipeline, which provides the East Coast with 45 percent of its gasoline, jet fuel and diesel, President Biden issued a National Security Memorandum (“the Memorandum”) last week intent on improving cybersecurity for critical infrastructure systems. The Memorandum comes in follow up to the Biden Administration’s Executive Order issued immediately following the Colonial Pipeline Cyberattack back in May, entitled “Improving the Nation’s Cybersecurity” (EO). The EO made a clear statement on the Administration’s cybersecurity policy,

“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”

In the latest Memorandum, the Administration posited that the country’s critical infrastructure is a responsibility of both the government and private owners/operators of that infrastructure.  Any threat to that infrastructure is deemed a threat to the country’s national and economic security.  Critical infrastructure includes dams, energy, critical manufacturing, food and agriculture, and water and wastewater systems.

As a result, the Administration established an Industrial Control Systems Cybersecurity Initiative (the “Initiative”) that will be a voluntary, collaborative effort between the federal government and members of the critical infrastructure community aimed at improving voluntary cybersecurity standards for companies that provide critical services.

The primary objective of the Initiative is to encourage, develop, and enable deployment of a baseline of security practices, technologies and systems that can provide threat visibility, indications, detection, and warnings that facilitate response capabilities in the event of a cybersecurity threat.  According to the President’s Memo, “we cannot address threats we cannot see.”

The Initiative already had been undertaken with the electricity subsector and will now result in similar efforts with natural gas pipelines, followed by water and wastewater, and chemical sectors later this year.  According to news reports, more than 150 power industry utilities have enrolled in the voluntary program.

The Initiative will be coordinated by the Department of Homeland Security, which is being direct to issue preliminary performance goals for control systems for all sectors no later than September 22, 2021, followed by sector-specific system goals within one year.  These performance goals aim to serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services, to “protect national and economic security, as well as public and health safety”.

The U.S. government continues to ramp up efforts to strengthen its cybersecurity, and we can expect states to continue to legislate and regulate in this area. Businesses across all sectors will likely experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

The complete Memorandum can be viewed by clicking here.

Facial recognition technology has become increasingly popular in recent years in the employment and consumer space (e.g. employee access, passport check-in systems, payments on smartphones), and in particular during the COVID-19 pandemic. As the need arose to screen persons entering a facility for symptoms of the virus, including temperature, thermal cameras, kiosks, and other devices with embedded with facial recognition capabilities were put into use. However, many have objected to the use of this technology in its current form, citing problems with the accuracy of the technology, and now, more alarmingly, there is growing concern that “Faces are the Next Target for Fraudsters” as summarized by a recently article in the Wall Street Journal (“WSJ”).

In the last year, there has been an uptick in hackers trying to “trick” facial recognition technology, in a myriad of settings, such as fraudulently claiming unemployment benefits from state workforce agencies, The majority of states are now using facial recognition technology as a way to verify to eligible citizens, ironically enough, in order to prevent other types of fraud. As discussed in the WSJ article, the firm ID.me.Inc. which provides facial recognition software for 26 states to help verify individuals eligible for unemployment benefits has seen between June 2020 – January 2021 over 80,000 attempts to fool government identification facial recognition systems.  Hackers of facial recognition systems use a myriad of techniques including deepfakes (AI generated images), special masks, or even holding up images or videos of the individual the hacker is looking to impersonate.

Fraud is not the only concern with facial recognition technology.  Despite its appeal for employers and organizations, there are concerns regarding the accuracy of the technology, as well as significant legal implications to consider.  First, there are growing concerns regarding accuracy and biases of the technology.  A recent report by the National Institute of Standards and Technology studied 189 facial recognition algorithms which is considered the “majority of the industry”.  The report found that most of the algorithms exhibit bias, falsely identifying Asian and Black faces 10 to beyond 100 times more than White faces.  Moreover, false positives are significantly more common in woman than men, and more elevated in elderly and children, than middle-aged adults.

In addition, several U.S. localities have already banned the use of facial recognition for law enforcement, other government agencies, and/or private and commercial use.  The City of Baltimore, for example, recently banned the use of facial recognition technologies by city residents, businesses, and most of the city government (excluding the city police department) until December 2022.  Council Bill 21-0001  prohibits persons from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology.” Likewise in September of 2020 the City of Portland in Oregon became the first city in the United States to ban the use of facial recognition technologies in the private sector citing, among other things, a lack of standards for the technology and wide ranges in accuracy and error rates that differ by race and gender. Failure to comply can be painful. The Ordinance provides persons injured by a material violation a cause of action for damages or $1,000 per day for each day of violation, whichever is greater.

And finally, companies looking to implement facial recognition technologies, must consider their obligations under laws such as the Illinois’ Biometric Information Privacy Act (BIPA) and the California Consumer Privacy Act (CCPA). The BIPA addresses a business’s collection of biometric data from both customers and employees including for example facial recognition, finger prints, and voice prints.  The BIPA requires informed consent prior to collection of biometric data, mandates protection obligations and retention guidelines, and creates a private right of action for individuals aggrieved by BIPA violations which has resulted in a flood of BIPA class action litigation in recent years.  Texas, Washington and California also have similar requirements, New York is considering a BIPA-like privacy bill and NYC recently created BIPA-like requirements for retail, hospitality businesses concerning biometric collection from customers. Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including 2020 amendments in California, D.C., and Vermont. Moreover, there are a myriad of data destruction, reasonable safeguards, and vendor requirements to consider, depending on the state, when collecting biometric data.

Takeaway

Facial recognition and other biometric data related technology is booming, and continues to infiltrate different facets of life that are hard to even contemplate. The technology brings innumerable potential benefits as well as significant data privacy and cybersecurity risks. Organizations that collect, use, and store biometric data increasingly face compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust privacy and data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.

Patient record requests can be a significant administrative burden for health care providers. An OCR enforcement initiative and a new federal law give providers more reason to get this process right.  We summarize these rules here.

Since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule became effective in 2003, it generally required covered entities to provide patients timely access to their medical records. However, continued concerns over the level of patient access to records are driving increased emphasis, heightened enforcement activity, and new laws to ensure individuals have easy access to their health information, including the 21st Century Cures Act.  A critical goal of these efforts is to empower patients to be more in control of decisions regarding their health and well-being. By helping individuals have ready access to their health records, according to OCR, they are better positioned:

to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research.

The “Right to Access” under HIPAA established a floor for patients to access their health records, which could be exceeded by more stringent state laws. In 2019, the OCR commenced its Right of Access Initiative, an enforcement priority to support individuals’ right to timely access to their health records at a reasonable cost. At least one study found providers are struggling to fully comply. Nonetheless, the OCR has announced nearly 20 enforcement actions under its Right of Access Initiative – a full list of enforcement actions is available on the OCR website. Monetary settlements to date have ranged from $3,500 to $200,000. In addition, the OCR resolution agreements require the covered entities to develop a corrective action plans to prevent further violations.

The Cures Act significantly heightens the obligations under HIPAA right to access. Its Interoperability, Information Blocking, and the ONC Health IT Certification Program seeks to minimize the interference with the ability of authorized persons or entities to access, exchange, or use electronic health information – that is, it wants to eliminate impermissible “information blocking.” More specifically, the Cures Act defines information blocking as business, technical, and organizational practices that prevent or materially discourage the access, exchange, or use of EHI when an actor knows, or (for some actors like electronic health record vendors) should know, that these practices are likely to interfere with access, exchange, or use of EHI.  The law empowers the HHS Office of Inspector General (OIG) to investigate claims of information blocking and to provide referral processes to facilitate coordination with the OCR. The goal of these provisions is to support seamless, secure access, exchange, and use of electronic health information (EHI).

During the nearly 20 years since the HIPAA Privacy Rule became effective, technological changes now support even greater access rights, including enabling access in real time and on demand. Providers, even certain providers not subject to HIPAA, will need to ensure they have compliant policies and procedures for ensuring patients have access to their records and avoiding enforcement actions, headaches, and penalties.

Effective October 1, 2021, Connecticut becomes the third state with a data breach litigation “safe harbor” law (Public Act No. 21-119), joining Utah and Ohio. In short, the Connecticut law prohibits courts in the state from assessing punitive damages in data breach litigation against a covered defendant that created, maintained, and complied with a cybersecurity program that meets certain requirements. Cyberattacks are on the rise – think Colonial Pipeline, Kaseya, JBS, and others – with ransomware attacks up 158 percent from 2019-2020 in North America.

The hope is this law will provide covered entities of all sizes an incentive to implement stronger controls over their information systems. According to Homeland Security Secretary Alejandro Mayorkas:

As a matter of fact, small businesses comprise approximately one-half to three-quarters of the victims of ransomware 

So, what can “covered entities” in Connecticut do to at least try to protect themselves from punitive damages if sued following a data breach?

First, it is important to note that the law applies to “covered entities” – defined to include a business that “accesses, maintains, communicates or processes personal information or restricted information in or through one or more systems, networks or services located in or outside this state.”

The definition of “personal information” tracks the definition of the same term in Connecticut’s recently updated data breach notification law. But, the law adds the term “restricted information” to the mix, defined to include:

any information about an individual, other than personal information or publicly available information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual’s identity or that is reasonably linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.

PA 21-119 prohibits superior courts from assessing punitive damages against a covered entity defendant in any tort action brought under Connecticut law or in Connecticut courts alleging a failure to implement reasonable cybersecurity controls that resulted in a data breach involving personal information or restricted information, provided that:

[the covered entity] created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.

Examples of the frameworks listed in the statute include: NIST SP 800-171, NIST SP 800-53, and the Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense.” Covered entities regulated under federal or state laws, such as the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), can rely on compliance with the current version of those regulatory frameworks. Should these frameworks change, covered entities have six months to confirm to the changes.

Additionally, the cybersecurity program must be designed to:

  • protect the security and confidentiality of personal and restricted information;
  • protect against any threats or hazards to the security or integrity of such information; and
  • protect against unauthorized access to and acquisition of such information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates.

Importantly, covered entities should consider how the framework they use covers the personal and restricted information they maintain. For example, a HIPAA covered entity or business associate relying solely on the HIPAA security rule could mean that its cybersecurity program reaches only “protected health information” as defined by HIPAA, but not personal and restricted information as defined in PA 21-119.

The Connecticut law, however, permits the program to be shaped by several factors including (i) the size and complexity of the covered entity; (ii) the nature and scope of the activities of the covered entity; (iii) the sensitivity of the information to be protected; and (iv) the cost and availability of tools to improve information security and reduce vulnerabilities.

This law, similar to the measures in Utah and Ohio, incentivize heightened protection of personal data, while providing a safe harbor from certain claims for organizations facing data breach litigation.  Creating, maintaining, and complying with a robust data protection program is a critical risk management and legal compliance step, and one that might provide protection from litigation following a data breach.