CCPA: Expansive Array of Consumer Rights Imposes Rigorous Compliance Burden

For years now, state laws have required subject organizations to provide notification to affected data subjects and, in some instances, to state agencies, consumer reporting agencies, and the media, when they experience a “breach” of certain categories of information.  And a growing number of states – including California, Colorado, Connecticut, Maryland, Massachusetts, Texas, and, most recently, New York – have gone a step further, requiring subject organizations to develop and implement “reasonable safeguards” to secure the personal information they collect and use.  With the passage of the California Consumer Privacy Act (“CCPA”), California is poised to establish the next frontier in U.S. privacy and data security law.

The CCPA, which is set to take effect on January 1, 2020, imposes on subject organizations not only the obligation to secure data, and to provide notification in the event of a breach, but also an obligation to develop programs to manage the sweeping suite of rights that the CCPA grants to consumers (a category which, as we’ve previously discussed, will likely include employees (at least in certain circumstances)).

The CCPA, which follows in the footsteps of the European Union’s GDPR, has already inspired the proposal of similar legislation in other states – such as Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island – as well as at the federal level.

Access & Portability

One significant right the CCPA grants consumers is the right to request information regarding:

  • the categories of personal information businesses collect about them:
    • identifiers (e.g., real name, address, social security number);
    • characteristics of protected classifications under California or federal law;
    • commercial information (e.g., products purchased, records of personal property);
    • biometric information;
    • internet or other electronic network activity (e.g., browsing history, search history);
    • geolocation data;
    • audio, visual, and similar information; and
    • profession- or employment-related information;
  • the sources from which that personal information was collected (e.g., online order histories, online surveys, tracking pixels, cookies, web beacons);
  • the categories of personal information sold to third parties;
  • the categories of personal information disclosed for business purposes;
  • the categories of third parties to whom personal information was sold or disclosed (e.g., tailored advertising partners, affiliates, social media websites, service providers);
  • the business or commercial purposes for which personal information was collected or sold (e.g., fraud prevention, marketing, improving customer experience); and
  • the “specific pieces” of personal information collected.

The CCPA imposes a one-year lookback period from the time of the request, and mandates that, in the event consumers request access to their personal information, the subject business provide responsive materials “in a readily usable format that allows consumers to transmit [the] information from one entity to another without hindrance.”

Deletion

Subject to certain exceptions (e.g., to complete the transaction for which the personal information was collected; to protect against malicious, deceptive, fraudulent, or illegal activity; or to identify and repair errors that impair existing and intended functionality), the CCPA permits consumers to request that subject businesses delete – and direct service providers to delete – personal information collected about them.

Opt Out

Under the CCPA, consumers are empowered to opt out of the “sale” of their personal information.  To facilitate consumers’ exercise of this right, subject businesses are required to provide a link titled “Do Not Sell My Personal Information” to a web page where consumers can opt out of having their personal information sold to third parties. Similarly, Nevada recently enacted a new online privacy law requiring businesses to offer consumers the right to opt out of the “sale” of their personal information, effective October 1, 2019.

Non-Discrimination

To protect consumers who exercise their rights under the CCPA, the law generally prohibits subject businesses from charging different prices or rates to consumers, providing different services to them, or denying them goods or services, because they exercised their CCPA rights.  That said, businesses are permitted to charge different prices or rates, or to provide different levels or qualities of goods or services, if those differences “reasonably relate” to the value provided to the consumer by the consumer’s data. Additionally, businesses may, under certain circumstances, offer financial incentives to consumers to entice them to permit the collection, retention, and/or sale of their information.

Privacy Policy

The CCPA requires subject businesses to disclose, and facilitate the exercise of, the above-discussed rights in their privacy policies.  Specifically, businesses should update their existing policies, or develop new policies, to include the following elements:

  • a description of the new rights afforded consumers under the CCPA;
  • a list of the categories of personal information collected by the business in the preceding 12 months;
  • a list of the categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
  • a link to a “Do Not Sell My Personal Information” web-based opt-out tool;
  • a description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a discount to consumers who provide their email addresses for marketing purposes, this incentive should be disclosed in the privacy policy); and
  • two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable).

Private Right Of Action

In contrast to many U.S. privacy and data security laws, the CCPA provides consumers a private right of action – albeit a limited one.  Specifically, the law empowers consumers to sue on their own behalves when a subject business’s failure to maintain “reasonable safeguards” results in the breach of their personal information.  Notably, the definition of personal information applicable to the private right of action is narrower than the definition used throughout the rest of the CCPA. A consumer can bring a private right of action under the CCPA only if the following information is breached: an individual’s name along with his or her social security, driver’s license, or California identification card number; account, credit card, or debit card number, in combination with a code or password that would permit access to a financial account; or medical or health insurance information. While this private right of action does not extend to the rights discussed above – which will be subject to agency enforcement – even this limited private right will, if the recent flood of claims brought under the Illinois Biometric Information Privacy Act is any indication, result in a significant volume of class action litigation.

Takeaways

With the January 1, 2020 deadline less than four months away, subject businesses need to promptly evaluate whether they are prepared to effectively navigate the expansive array of rights the CCPA extends to consumers.  To do so, businesses will need to, among other things: (1) map the personal information about California residents that they collect, use, and sell; (2) design and document policies, procedures, and practices to manage disclosure, access, and deletion requests, and to avoid discriminatory conduct; and (3) train their workforce members to effectively comply with those policies, procedures, and practices.

One final point of note:  The CCPA has been a work in progress over the last year. California’s legislative session ended on September 13th, with some final modifications to bills that would amend certain aspects of the CCPA. Unanimously approved in final form, they now move on to California Governor Gavin Newsom for consideration and final action on the CCPA by mid-October.  We will continue to track these developments.

CCPA Amendments Updated, Finalized, and Moving on to Governor Newsom

The California Consumer Privacy Act is almost here! The groundbreaking law takes effect January 1, 2020. Covered businesses and their service providers have already started preparing, as the CCPA continues to evolve since it was introduced. California’s legislative session ended on September 13th, with some final modifications to bills that would amend certain aspects of the CCPA. Unanimously approved in final form, they now move on to California Governor Gavin Newsom for consideration and final action on the CCPA.

As we’ve reported periodically over the course of the year, businesses and stakeholders have been clamoring to shape the CCPA in a number of ways. In late April, the California Assembly of Privacy and Consumer Protection Committee (“Committee”) introduced several bills addressing a number of issues with the law, such as excluding certain categories of information from personal information or from certain requirements under the law, and clarifying ambiguities. Some survived, and some did not.

Below is a rundown of key substantive amendments:

  • AB 25 (Employee Personal Information Exemption): As we’ve previously reported, AB 25 went through several modifications over the course of the year. In its latest form, employee personal information would be excluded from many of the CCPA’s requirements (including the requirements that permit consumers to request: the deletion of their personal information; the categories of personal information collected; the sources from which personal information is collected; the purpose for collecting or selling personal information; and the categories of third parties with whom the business shares their personal information). But, employees of businesses subject to the CCPA still would be entitled to a privacy notice and able to commence a private right of action in the event they are affected by a data breach caused by a failure of the duty to maintain reasonable safeguards. Under the privacy notice provision, covered businesses would be required to inform consumers (including employees) as to the categories of personal information they collect and the purposes for which such personal information shall be used. Under the private right of action provision, employees of covered businesses would be permitted to bring an action, including as a class action, in the event their nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures. Note: These changes concerning employee personal information are set to sunset on January 1, 2021, on the understanding that during this one-year period, the Legislature would consider more comprehensive employee privacy legislation.


  • AB 874 (Publicly Available Information Exception): AB 874 removes a limitation on the “publicly available information” exception to the definition of personal information. If signed into law, publicly available information will be defined as “information that is lawfully made available from federal, state, or local government”. The bill removes the limitation stating that information is not publicly available if it is used for a purpose not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.


  • AB 1355 (Technical Corrections): AB 1355 made a number of noteworthy technical corrections and other changes:
    • Relief for certain “business-to-business” (B2B) communication or transactions. Many businesses have been concerned about how to handle the personal information of business contacts. That is, the personal information about individuals who are not acting as “consumers” in the general sense, but engaging with the business to carry out transactions. AB 1355 would provide relief from certain CCPA requirements such as providing notice and granting access and deletion rights for the following personal information:

“Personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”

Note, similar to the temporary treatment of employee personal information in AB 25, this relief also is temporary – it lasts until January 1, 2021.

    • Definition of “personal information.” Part of what makes the CCPA so expansive is its definition of personal information. That definition would cover information that is “capable of being associated with” a particular consumer or household. In an attempt to narrow the reach of personal information, AB 1355 inserts “reasonably” before “capable.” In addition, AB 1355 clarifies that personal information does not include deidentified or aggregate consumer information.
    • Clarification of Fair Credit Reporting Act (FCRA) Exception. AB 1355 makes clear that the FCRA exception applies to activity that is authorized by the FCRA and is not limited solely to the sale of personal information from a consumer report. The exception applies to FCRA authorized “activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency.”


  • AB 1146 (Vehicle Information Exemption): AB 1146 exempts from a consumer’s right to opt out any vehicle or ownership information retained or shared between a motor vehicle dealer and the vehicle’s manufacturer in anticipation of a vehicle repair covered by warranty or recall. It also exempts from a consumer’s right to request deletion any personal information a business must maintain to fulfill the terms of a vehicle warranty or recall.


  • AB 1564 (Consumer Requests for Disclosure Methods): AB 1564 provides alternatives to the current requirement that covered businesses make available to consumers a toll-free number to submit requests for information regarding the use of their personal information. If a business operates exclusively online, it may, in lieu of a toll-free number, provide an email address for submitting requests. This bill was recently narrowed, limiting the exception to online businesses that have a direct relationship with the California residents from whom they collect personal information. Moreover, if an online business maintains a website, the business must provide the consumer with a request submission method via the website.

It also is worth noting that one important bill, AB 846, was removed on September 12th from consideration, with plans to be reintroduced next year. AB 846 addressed loyalty reward, discount and similar programs, including prohibitions on the sale of personal information collected as part of those programs, and a limited exception to that prohibition.

It is expected Governor Newsom will sign the Legislature-approved bills into law. Organizations should be doing their best to determine if they have CCPA obligations either directly as a business, because they control or are controlled by a business, or because they have contractual obligations flowing from a business. Efforts toward compliance need to begin now as the CCPA becomes effective January 1, 2020.

Eleventh Circuit Ruling May Impact TCPA Class Actions

Last week, the Eleventh Circuit ruled that a single unsolicited text message doesn’t meet the harm requirement necessary to proceed with a Telephone Consumer Protection Act (TCPA) claim.   The Eleventh Circuit ruling, Salcedo v. Hanna, reverses a decision by a lower court allowing the plaintiff to move forward with a TCPA claim on grounds that he received an unsolicited text message from his former attorney.

“The chirp, buzz, or blink of a cell phone receiving a single text message is more akin to walking down a busy sidewalk and having a flyer briefly [waved] in one’s face,” Circuit Judge Elizabeth L. Branch opined for the Eleventh Circuit three-judge panel. “Annoying, perhaps, but not a basis for invoking the jurisdiction of the federal courts.”

In reaching its conclusion, the Eleventh Circuit panel drew from the legislative history of the TCPA, its own precedent and the Supreme Court’s decision in Spokeo v. Robins which emphasized that in order to meet the Article III standing requirement, a concrete injury must be alleged.

While we often report on the growing circuit split stemming from Spokeo in the context of data breach litigation, due to its lack of clarity on what constitutes a concrete injury (see here and here), the Spokeo ruling has generated a similar circuit split in the context of the TCPA. For example, in 2017 the Ninth Circuit concluded that receiving two unsolicited text messages was sufficient to meet the Spokeo standard for a concrete injury. The Eleventh Circuit panel was not persuaded by the Ninth Circuit’s reasoning, highlighting that the Ninth Circuit,

“…stopped short of examining whether isolated text messages not received at home come within that judgment of Congress. Instead, it concluded that ‘Congress identified unsolicited contact as a concrete harm’… We disagree with this broad overgeneralization of the judgment of Congress.”  

The Eleventh Circuit did not quantify how many unsolicited text messages, if any, would be enough to satisfy the concrete harm requirement to establish standing under the TCPA. The Eleventh Circuit decision may suggest that TCPA text messaging class actions are no longer possible, at least in the Eleventh Circuit. However until the Supreme Court weighs in, by clarifying its ruling in Spokeo, we will continue to see a lack of consistency across the circuit courts, both in the TCPA and data breach litigation contexts.

Although the Eleventh Circuit concluded that a single unsolicited text message did not meet the actual harm requirement necessary to sustain a TCPA claim, any organization that uses text messaging for promotional marketing purposes, should be mindful of the legal and regulatory guidelines that govern text message communications. Likewise, when contracting out these services, companies should ensure that their vendors are compliant with all regulatory requirements.

Illinois Enhances Its Data Breach Notification Requirements

In response to trends, heightened public awareness, and a string of large-scale data breaches, states continue to enhance their data breach notification laws. Illinois Governor J.B. Pritzker recently signed into law an amendment to the Personal Information Protection Act (PIPA), SB 1624, effective January 1, 2020. PIPA will now require that most “data collectors,” which includes entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, notify the State’s Attorney General of certain data breaches. PIPA had already required notification of a data breach to the Attorney General’s office, but only in the event of a data breach affecting state agencies, and only if those breaches affect more than 250 Illinois residents.

Under the amendment to PIPA, if a data collector is required to notify more than 500 Illinois residents as a result of a single data breach, that data collector also must notify the Illinois Attorney General’s office. Similar to the requirements in other states requiring Attorney General notification, the law requires certain content be included in the notification:

  • A description of the nature of the breach of security or unauthorized acquisition or use.
  • The number of Illinois residents affected by such incident at the time of notification.
  • Any steps the data collector has taken or plans to take relating to the incident.

Furthermore, if the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector must inform the Attorney General of the date of the breach as soon as possible. Note, some states have more extensive content requirements, such as Massachusetts, which requires covered entities that experience a breach to inform the Attorney General (and the Commonwealth’s Office of Consumer Affairs and Business Regulation) about whether the organization maintains a written information security program.

Notification to the Attorney General must be made in the most expedient time possible and without unreasonable delay, but not later than when the data collector provides notice to individuals affected by the breach. Also joining some other states, including Massachusetts and New Hampshire, Illinois now provides that the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.

The update to Illinois law excludes covered entities or business associates that are subject to the privacy and security regulations under HIPAA, provided they are compliant with those regulations. Of course, covered entities and business associates would still have to notify the federal Office of Civil Rights in the event of a data breach affecting unsecured protected health information.

The patchwork of state breach notification laws continues to grow more complex, particularly for organizations that experience multistate data breaches. It is important, therefore, that organizations across the United States continue to evaluate and enhance their data breach prevention and response capabilities.

OCR Recognizes Insider Threats to HIPAA PHI, You Should Too

As we have observed here, news reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk is malicious insiders. On August 29, the Office for Civil Rights (OCR) published its 2019 summer cybersecurity newsletter entitled, “Managing Malicious Insider Threats,” acknowledging this threat and providing some best practices to neutralize it.

According to the OCR:

The 2019 edition of Verizon’s Data Breach Investigations Report (DBIR) found that trusted insiders were responsible for 59% of all security incidents and breaches (both malicious and inadvertent)…[with] the primary motivation for incidents and breaches perpetrated by insiders was financial gain.

What do malicious insider threats look like?

Threats from insiders can take many forms. If successful, they can cause substantial, sometimes crippling harm to an organization by intentionally modifying, leaking, selling, or destroying sensitive information. Here are some examples:

  • Employees on the move. Planning to end employment with provider A, workforce member copies provider A’s patient list and shares it with new employer, provider B, in the hope of luring patients to the new provider. If the workforce member is successful, in addition to potential notification obligations, provider A likely will find itself responding to a number of angry patients asking why another provider has their protected health information (PHI). Provider A might even wind up being investigated and fined, as was the case for a provider in New York.
  • Poor performing employees. Some workforce members feel they have been wrongly accused by their employers for providing inadequate patient care, especially when they believe their co-workers engage in the same activity without incident. Anticipating they will be fired, they begin copying, downloading, or otherwise collecting information from patient EMRs and sending it to themselves. Their goal is to support wrongful termination claims they anticipate making when their employment ends. In the process, patient data is compromised and may require notification to patients and the OCR.
  • Curious and criminal employees. Curious workforce members might use their employer’s EMR to access certain patient records for personal purposes: (i) accessing the medical records of celebrities for financial gain or to satisfy the member’s curiosity; (ii) examining the records of a former spouse to gain leverage in a custody dispute; or (iii) obtaining patient demographic information to commit fraud and identity theft.

How do malicious insiders get the information?

Malicious insiders already have access to patient information on the expectation that they need access to perform their jobs. In some cases, they only need access to do harm. For example, an insider may want to learn if a family member is pregnant or using illegal substances, and only has to view the medical records. In other cases, the insider will want to exfiltrate the information. This can be accomplished in a number of ways: forwarding the information to the insider’s personal email account, taking pictures of the information using the insider’s smartphone, copying information to a mobile or storage device (e.g., cell phone, USB drive), or unauthorized physical removal or theft of equipment. As the OCR notes, transmitted or copied data could be further hidden using subtle means such as by embedding data within other data to hide it (i.e., steganography).

How do HIPAA covered entities and business associates stop malicious insiders?

Detecting and preventing data leakage by malicious authorized users is not easy – remember, these are individuals who frequently are supposed to have access to the data. Identifying potential malicious activity as soon as possible is critical, however, and there are some things that organizations can be doing.

  • Know your data. To protect data, organizations need to know the data they have, where it is stored, what format it is in, who has access to it, and how it flows through the organization. With this information, the organization is better able to develop policies and procedures to assess and address risks related to the data.
  • Access management. Workforce members should be able to access only the information they need to perform their jobs. This can be accomplished in a number of ways – physical access controls (e.g., locked doors and cabinets) and network access controls (e.g., role-based access controls for devices, applications, administrator accounts, or data stores).
  • Control mobile device usage. By considering how a workforce member needs to interact with data, the organization may be able to limit the unnecessary use of mobile devices to prevent copying. If workers do not need thumb drives to perform their jobs, for example, they should not be available. If thumb drives are needed, they should be more closely tracked and managed.
  • Remain vigilant. The steps above will help, but they may not be sufficient. Organizations need to continuously manage their business and their systems to help detect and prevent suspicious activities:
    • Periodically review system event logs, application audit logs, access reports, and security incident tracking reports.
    • Configure alerts for (i) unexpected downloads of large amounts of data by employees not believed to have a need for such volumes of data, (ii) access to certain sites, such as personal cloud storage accounts; (iii) downloads to external devices.
    • Revise employee access privileges immediately on changes to roles and responsibilities.
    • Enhance the organization’s vigilance for employees who expect their employment will soon be terminated.
    • Terminate physical and electronic access to data in advance of a workforce member leaving the organization’s employ.
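As an added illustration of the alerting described in the list above (this is not code from the OCR newsletter or the original post), the following Python script runs those rules over a constructed audit log: the user names, the role-to-baseline mapping, the export threshold, the personal-cloud domain list and the HR separation feed are all assumed sample values.

```python
"""Detection rules for the insider-threat indicators discussed above, run over a
small constructed log of EMR access, proxy and endpoint events (added example)."""
from collections import defaultdict
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed sample events, one per line: <ISO timestamp> <user> <event> <detail>
# event kinds: record_view (detail = patient id), export (detail = row count),
# web (detail = URL seen by the proxy), usb_copy (detail = file name)
SAMPLE_LOG = """\
2019-09-03T08:02:11 nurse_a record_view P1001
2019-09-03T08:10:45 nurse_a record_view P1002
2019-09-03T09:15:02 nurse_a web https://ehr.example.org/charts
2019-09-03T10:01:13 clerk_b record_view P2001
2019-09-03T10:01:40 clerk_b record_view P2002
2019-09-03T10:02:05 clerk_b record_view P2003
2019-09-03T10:02:31 clerk_b record_view P2004
2019-09-03T10:03:12 clerk_b export 1200
2019-09-03T10:09:50 clerk_b web https://www.dropbox.com/upload
2019-09-03T10:11:07 clerk_b usb_copy patient_list.csv
2019-09-03T11:30:00 clerk_z record_view P3001
"""

# Constructed baselines: distinct patient records a role normally views per day.
# Scaled down so the small sample above triggers them; real values come from the
# organization's own access reports.
ROLE_BASELINE = {"nurse": 5, "clerk": 3}
EXPORT_ROW_LIMIT = 500  # constructed threshold for what counts as a bulk export
PERSONAL_CLOUD = {"dropbox.com", "drive.google.com", "onedrive.live.com", "box.com"}
# Constructed HR feed: workforce members whose separation date has already passed.
SEPARATED = {"clerk_z": date(2019, 9, 2)}


def role_of(user):
    # Sample user names are "<role>_<x>"; a real deployment would query the directory.
    return user.split("_")[0]


def is_personal_cloud(url):
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in PERSONAL_CLOUD)


def parse(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, detail = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "kind": kind, "detail": detail})
    return events


def detect(events):
    """Return (rule, user, detail) alerts for the indicators listed in the text."""
    alerts = []
    views = defaultdict(set)  # (user, day) -> distinct patient ids viewed
    for e in events:
        user, kind, detail, day = e["user"], e["kind"], e["detail"], e["ts"].date()
        # Activity after separation: the account should already have been disabled.
        if user in SEPARATED and day >= SEPARATED[user]:
            alerts.append(("post_separation", user, f"{kind} on {day}"))
        if kind == "record_view":
            views[(user, day)].add(detail)
        elif kind == "export" and int(detail) > EXPORT_ROW_LIMIT:
            alerts.append(("bulk_export", user, f"{detail} rows"))
        elif kind == "web" and is_personal_cloud(detail):
            alerts.append(("personal_cloud", user, detail))
        elif kind == "usb_copy":
            alerts.append(("removable_media", user, detail))
    # Volume rule: more distinct records in a day than the role's baseline.
    for (user, day), patients in views.items():
        limit = ROLE_BASELINE.get(role_of(user))
        if limit is not None and len(patients) > limit:
            alerts.append(("volume", user,
                           f"{len(patients)} records on {day} (baseline {limit})"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:16} {user:8} {detail}")
```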

Again, risks to an organization’s data are not solely from external sources. Insiders have reasons to compromise their organizations’ confidential and personal information. Organizations need to take steps to minimize those ongoing risks.

CCPA FAQs on Cookies

As businesses prepare for the effective date of the California Consumer Privacy Act, many are conducting data mapping to identify the personal information they collect, who it belongs to, how they use it, with whom they share it and whether they sell or disclose it. The information a business collects from this exercise will set the groundwork for understanding compliance obligations. Given the CCPA’s expansive definition of personal information, it is easy to overlook elements of personal information during this exercise, including website cookies. These FAQs provide a high-level look at how the CCPA may apply to website cookies.

Does the CCPA apply to website cookies?

A cookie is a small text file that a website places on a user’s computer (including smartphones, tablets or other connected devices) to store information about the user’s activity. Cookies have a variety of uses ranging from recognizing you when you return to the website to providing you with advertising targeted to your interests. Depending on their purpose, the website publisher or a third party may set the cookies and collect the information.

The CCPA defines personal information to include a “unique identifier.” This means “a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology… or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.” As a result, personal information collected by website cookies that identifies or could reasonably be linked to a particular consumer, family or device may be subject to the same disclosure notices and consumer rights, including the right to delete or opt out of the sale of information to a third party, as other personal information collected through the website.

Does the CCPA require that we have a cookie policy on our website?

The CCPA does not require websites of covered businesses to have a separate cookie policy to address the collection and use of personal information through cookies, or to permit consumers to exercise their rights. This information can be included in the website’s privacy policy.

Does our website need a cookie banner?

The website does not need a separate cookie banner, provided that the information relating to the collection and use of personal information through cookies, and the means for consumers to exercise their rights, are included in the website privacy policy and provided at or before the point of collection.

Do cookies create special challenges to CCPA compliance?

Covered businesses may not have a full understanding of what cookies are present on their websites or their functionality. These businesses should inventory and audit their cookies to identify at a minimum:

  • the types of cookies set on their sites
  • their purpose and functionality
  • the personal information they collect and how it is used
  • whether the personal information is shared and, if so, to whom
  • if applicable, the purpose(s) for selling the personal information and to whom it is sold, and
  • whether the cookies are first party or third party cookies. This may require consulting with your IT provider, website designer, marketing department, and particularly advertising partners.
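The inventory described in the list above can be started mechanically from captured HTTP responses. The script below is an added example written for this post, not code from the original article or from any vendor it mentions: it parses each Set-Cookie header in a small constructed capture (made-up hosts and values), records which host set the cookie, classifies it as first or third party by comparing registrable domains against the site's own hostname, records whether it is session-only or persistent (Max-Age or Expires), and notes the Secure, HttpOnly and SameSite attributes. The registrable-domain check is a last-two-labels heuristic, an assumption of this example that a real audit would replace with a public-suffix list; purpose, data collected and sharing still have to be filled in by the people who deployed each cookie, so those columns are left as placeholders.

```python
"""Cookie inventory starter: classify Set-Cookie headers from captured responses.
Added example, not the article's own code. Hosts and values below are constructed."""
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample capture: (host that served the response, Set-Cookie header value).
SAMPLE_CAPTURE: List[Tuple[str, str]] = [
    ("www.example.com", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "ui_prefs=dark; Domain=.example.com; Max-Age=31536000; Path=/"),
    ("cdn.example.com", "ab_bucket=B; Path=/"),
    ("tracker.adnetwork.example",
     "uid=98765; Domain=.adnetwork.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; "
     "Path=/; Secure; SameSite=None"),
    ("video.embedhost.example", "vid_seen=1; Max-Age=604800; Path=/"),
]


@dataclass
class CookieRecord:
    name: str
    set_by_host: str
    effective_domain: str
    party: str                 # "first" or "third"
    persistence: str           # "session" or "persistent"
    expiry: Optional[str]      # ISO date, a Max-Age description, or None for session cookies
    secure: bool
    http_only: bool
    same_site: str
    # These columns cannot be derived from the header; they must come from the owner of the cookie.
    purpose: str = "TBD (confirm with IT, marketing or the advertising partner)"
    personal_info_collected: str = "TBD"
    shared_or_sold_to: str = "TBD"


def registrable_domain(host: str) -> str:
    """Heuristic: last two DNS labels (assumption; a public-suffix list is needed for
    names such as example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(site_host: str, response_host: str, header: str) -> CookieRecord:
    name, _value, attrs = parse_set_cookie(header)
    # Without a Domain attribute the cookie is scoped to the host that set it.
    effective = attrs.get("domain", response_host).lstrip(".").lower()
    party = "first" if registrable_domain(effective) == registrable_domain(site_host) else "third"
    expiry: Optional[str] = None
    if "max-age" in attrs:          # Max-Age takes precedence over Expires (RFC 6265)
        expiry = f"{int(attrs['max-age'])} seconds after being set"
    elif "expires" in attrs:
        expiry = parsedate_to_datetime(attrs["expires"]).date().isoformat()
    return CookieRecord(
        name=name,
        set_by_host=response_host,
        effective_domain=effective,
        party=party,
        persistence="persistent" if expiry else "session",
        expiry=expiry,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "not set"),
    )


def build_inventory(site_host: str, capture: List[Tuple[str, str]]) -> List[CookieRecord]:
    return [classify_cookie(site_host, host, header) for host, header in capture]


def summarize(inventory: List[CookieRecord]) -> Dict[str, int]:
    """Counts that drive the follow-up questions: every third-party persistent cookie
    needs a service-provider agreement or an opt-out analysis."""
    summary = {"first": 0, "third": 0, "persistent": 0, "third_party_persistent": 0}
    for c in inventory:
        summary[c.party] += 1
        if c.persistence == "persistent":
            summary["persistent"] += 1
            if c.party == "third":
                summary["third_party_persistent"] += 1
    return summary


if __name__ == "__main__":
    inventory = build_inventory("www.example.com", SAMPLE_CAPTURE)
    for c in inventory:
        print(f"{c.name:<12} set by {c.set_by_host:<26} {c.party}-party {c.persistence:<10}"
              f" expiry={c.expiry} secure={c.secure} httponly={c.http_only} samesite={c.same_site}")
    print(summarize(inventory))
```

Run it against an export of real response headers (for example from a browser's developer tools or a proxy log) in place of `SAMPLE_CAPTURE`; the rows flagged third-party and persistent are the ones to take to the vendor and to the services agreement.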

In certain cases, third parties may place cookies on the website that collect personal information as part of services necessary for the site’s business purpose. The services agreement with this third party should contain specific provisions identifying it as a service provider, stating the business purpose for collecting the personal data, and prohibiting the further use or sale of any personal information collected by the cookies. These provisions are necessary to demonstrate that any disclosure of personal information to a third party, or collection by a third party, is in the context of providing services and not a sale or disclosure to which the consumer’s right to opt out applies.

In other cases, it may be unclear if a third party cookie’s collection of personal information is strictly for the website’s business purpose or a sale subject to the right to opt out. This may apply in cases where cookies are placed by embedded content (e.g. video), a social media widget, or a vendor that provides targeted or behavioral advertising. While the website publisher should disclose all collection activity and use, it will need to review these activities to determine how to effectuate meaningful notice and the right to opt out.

It is not yet clear how the CCPA will apply to third party cookies used specifically for targeted and behavioral advertising. This creates significant uncertainty for website publishers who engage vendors to assist with advertising. The Adtech industry, legislators, and various stakeholders are currently reviewing how the CCPA may apply to third party cookies that track site users for targeting and behavioral advertising and clarification may be forthcoming.

Cookies and other website tracking technologies pose a unique challenge to businesses as they work to identify the personal information they collect and process. Identifying the presence of these technologies, their function, and the relationship with any third party that places them on the website is an essential part of data mapping. This process will require a greater understanding of the website’s functionality as well as a deeper dive into the business’ analytics, marketing, and advertising practices.

Georgia Supreme Court May Weigh in on Standing in Data Breach Litigation

The Georgia Supreme Court may weigh in on the hot issue plaguing data breach class action litigation across the nation: must a data breach victim suffer actual financial loss to recover damages, or is the threat of future harm enough? On August 20, the Georgia Supreme Court heard arguments in a class action suit stemming from a data breach in September 2017 at Athens Orthopedic, exposing 200,000 of its current and former patients’ personal information including names, addresses, social security numbers, dates of birth and telephone numbers. Upon discovery of the breach, Athens Orthopedic advised patients to place fraud alerts on their credit accounts and seek other advice.

In 2018, the Georgia Court of Appeals, in a 2-1 decision, ruled that because the plaintiffs did not suffer any actual financial loss or harm, they were not entitled to recover damages for potential or future harm. The class action suit alleged that some of the hacked information was offered for sale on the dark web, and some information was temporarily made available on a data storage site. Plaintiffs argued that costs such as identity theft protection, credit monitoring, and costs associated with a credit freeze, which they purchased, are “classic measures of consequential damages” because they are incurred to mitigate “foreseeable” damages. The Court of Appeals rejected this argument, highlighting that “mitigation damages lessen the severity of an injury that has already taken place; if no injury occurred, there is no legally cognizable harm to mitigate”.

The Georgia Supreme Court is certainly not the first court in the nation to address this issue. Federal circuit courts over the past few years have struggled with this issue, in large part due to lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury. For example, the 3rd, 6th, 7th, 9th and D.C. circuits have generally found standing, while the 1st, 2nd, 4th and 8th circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”.

Most recently, the U.S. Supreme Court rejected a petition for a writ of certiorari by Zappos requesting the Court to review a Ninth Circuit Court decision which allowed customers affected by a data breach to proceed with a lawsuit on grounds of vulnerability to fraud and identity theft. The Supreme Court did not provide a reason for its denial of the Zappos petition.

The Georgia Supreme Court is expected to issue its ruling in Athens Orthopedic in the coming months. The lack of clarity on this issue has made it difficult for businesses to assess the likelihood of litigation and its associated costs in the wake of a data breach. It is crucial for businesses to assess their breach readiness and develop an incident or breach response plan that takes into consideration the possibility of litigation.

Expansion of Technology at K-12 Schools Comes with Data Security Risks for Students and Parents

A new school year is upon us and some students are already back at school. Upon their return, many students may experience new technologies and equipment rolled out by their school districts, such as online education resources and district-provided equipment, to enhance the education they provide and improve district administration. However, a recent report, “The State of K-12 Cybersecurity: 2018 Year in Review,” compiles sobering information about cybersecurity at K-12 schools. The report discusses 122 publicly-disclosed cybersecurity incidents affecting 119 public K-12 education agencies across 38 states in 2018. The trend seems to be continuing in 2019. Like other organizations, school districts should be allocating appropriate resources to ensure that the technologies and equipment they are leveraging and the third party vendors they are engaging to help students learn do not leave those same students (or their parents) vulnerable to a data breach.

Implementing technologies and other products and services for students in the course of their K-12 education often requires the collection of massive amounts of personal information about students and students’ parents. Children are enrolling in classes, sports activities, clubs, etc., providing immunization and health records, using school district equipment that could be tracking location and other metrics, paying for lunch and other goods and services with debit and credit cards, etc. It should be no surprise that K-12 school districts are targets and that security incidents are on the rise.

Why student data? In recent years, the marketing and sale of children’s personal information has been growing. Criminals realize that students are not focused on their credit reports, nor are their parents. Left unchecked, personal data of children can be used to build new identities and engage in widespread fraud that could later come back to hurt unsuspecting students, and potentially their parents.

Reports of K-12 security incidents in 2019 suggest a continuing trend. Here are some examples:

  • The School of the Osage School District in Missouri reported a data security incident by an outside vendor used to provide support and educational services to individual students. The same incident is believed to have affected other school districts including the Rome City School District, the Carmel Clay Schools, and others.
  • San Dieguito Union High School District experienced a malware attack.
  • Student busing information concerning Cincinnati Public School children, including student names and pickup and drop-off locations, was inadvertently disclosed to unauthorized recipients, according to reporting by DataBreaches.net.
  • Camp Verde Unified School District in Arizona experienced a ransomware attack.
  • While reporting on a malware attack at the Watertown City School District in New York, Spectrum News also noted attacks at the Syracuse City School and the Onondaga County Public Library.
  • For more information about other reported breaches in the education sector, Databreaches.net provides an informative resource here.

These risks are not new. Fortunately, there are steps that school districts can take to address them. Here are some examples:

  • Educate their district community. Districts can develop materials to help inform parents and students about the importance of safeguarding personal information and best practices for doing so. This should include informing students and parents on how to quickly inform the district about potential incidents.
  • Appoint a data protection officer. Districts can appoint a data protection officer to be responsible for implementing all required security and privacy policies and procedures.
  • Develop data security and privacy policies. Districts can establish written policies and procedures for protecting personal information. These policies and procedures should be informed by a thorough risk assessment. A recognized framework for school security policies is the National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”).
  • Consider privacy and security at the outset of any new technology initiative. Protecting student data should not be an afterthought. At the start of a new initiative, districts can evaluate what information is necessary for the initiative to be successful and design the initiative to include only that information, and to maintain it only for as long as it is needed.
  • Establish a vendor management program. Districts work with many third parties to support and extend technology-based services to students. They can take steps during the process to procure service providers to ensure appropriate measures will be applied by the service provider to safeguard personal information. They can ask questions, review policies, examine their systems, etc. Districts can also obligate providers by contract to secure information, and make sure the information is destroyed or deleted at the conclusion of the services.
  • Provide training for administrators, teachers, staff, and others. Information privacy and security awareness training, online or in person, is critical to creating awareness about security threats and following best practices.
  • Develop an incident response plan. Districts can make sure they have a response plan and are prepared to quickly respond to an actual or suspected security incident. This includes practicing that plan so the response team is ready.

Like many organizations, K-12 school districts have quite a challenge – they need to increasingly leverage technology to deliver their services, which requires access to and processing of personal information, but may not have sufficient resources to address all of the risks. Getting started is half the battle and there often is “low-hanging fruit” that districts can adopt with relatively little cost.

New Notification Requirements in New York for Healthcare Providers Facing a Cybersecurity Incident

On August 12, Mahesh Nattanmai, New York’s Chief Health Information Officer, issued a notice letter (“the notice”) on behalf of the New York State Department of Health (“Department”) requiring healthcare providers to use a new notification protocol for informing the Department of a potential cybersecurity incident. The updated protocol is considered effective immediately from a healthcare provider’s receipt of the notice letter.

“We recognize that providers must contact various other agencies in this type of event, such as local law enforcement. The Department, in collaboration with partner agencies, has been able to provide significant assistance to providers in recent cyber security events. Our timely awareness of this type of event enhances our ability to help mitigate the impact of the event and protect our healthcare system and the public health. The Department has designed a more efficient process to engage assistance for providers, as needed,” the Department states in its notice letter.

Moreover, the Department lists the types of healthcare providers that should be implementing this updated notification protocol immediately:

  • Hospitals, nursing homes, and diagnostic and treatment centers,
  • Adult care facilities, and
  • Home health agencies, hospices, licensed home care services agencies.

A cybersecurity incident is defined by the notice as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of data or interference with an information system operation”. Therefore, even if a healthcare provider is aware of an unsuccessful attempt of a breach (e.g. by a disgruntled employee), that incident should be reported to the Department.

The notice does not state the time period within which the Department should be notified upon a healthcare provider’s discovery of the cybersecurity incident. It is worth noting that the recently enacted New York SHIELD Act exempts HIPAA compliant covered entities from notification requirements following a data breach. Under HIPAA, a covered entity is generally required to report a data breach affecting over 500 individuals to the U.S. Department of Health and Human Services (HHS) within 60 days of discovery of the breach, so it would not be surprising if the length of time is similar; however, we are currently confirming with the Department whether this is indeed the case. Contact information for the Department will vary depending on the healthcare provider’s location in New York. The notice provides contact information for each region: Capital District, Central New York, Metropolitan Area, Central Islip, New Rochelle and Western Area.

A recent study found that 70% of healthcare providers have experienced a data breach. You can never be too prepared for a cybersecurity incident. Below are helpful resources from our blog on cybersecurity incident prevention and response for healthcare providers:


Does the CCPA Apply to Your Business?

The California Consumer Privacy Act (CCPA), considered the most expansive U.S. privacy law to date, is set to take effect January 1, 2020. In short, the CCPA places limitations on the collection and sale of a consumer’s personal information and provides consumers certain rights with respect to their personal information. Wondering whether they will have to comply, many organizations are asking if the law will apply to them, hoping that being too small, being located outside of California, or “only having employee information,” among other things, might cause them not to have to gear up for CCPA.

So, we thought we would dig in a little deeper into the question of when the CCPA might apply to a business. However, note that the law is still developing as amendments work their way through the legislature and we await regulations from the California Attorney General intended to further clarify the statute. Organizations will need to continue to monitor these developments to determine if the CCPA will apply to them.

Basic Rule. In general, the CCPA applies to a “business” that:

A. does business in the State of California,

B. collects personal information (or on behalf of which such information is collected),

C. alone or jointly with others determines the purposes or means of processing of that data, and

D. satisfies one or more of the following:

(i) annual gross revenue in excess of $25 million,

(ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or

(iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Related entities and not-for-profits. Under the CCPA, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Thus, for example, a business under this definition generally would not include a not-for-profit or governmental entity. It also would not include a corporation that meets all of the prongs above, other than those listed under D.

However, a “business” under CCPA also includes any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. “Control,” for this purpose, means either (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark. Accordingly, organizations that would not themselves be a “business” under the CCPA could become subject to the law because of the entities that control them or that they control, and with which they share common branding.

Businesses that do not collect “consumer” personal information. It does not appear to be necessary under the CCPA for a business to actually be the one to collect personal information from consumers in order for the law to apply. So long as personal information is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.

Some businesses also may believe that because they do not engage in transactions directly with individual consumers and collect their personal information, they are not subject to the law. The businesses might be thinking this is because their “consumers” are other businesses and not individuals. However, a consumer under the CCPA generally means a natural person who is a California resident. Accordingly, when conducting business with other businesses, a business likely collects personal information from contacts at those other businesses. Similarly, virtually all businesses collect information about their employees. Recent legislative activity indicates that obligations under the CCPA may continue to extend to employee personal information.

Businesses located outside of California. It also does not appear that a business will need to be located in California in order to be subject to the CCPA. While the CCPA is not clear on this point, a business may be considered to be “doing business” in California if it conducts online transactions with persons who reside in California, has employees working in California, or has certain other connections to the state, and is without a physical location in the state. As noted, regulations may help to clarify what “doing business in California” means for purposes of the CCPA.

Businesses that process information on behalf of other businesses. The definition of a business under the CCPA requires that the business must alone or jointly with others “determine the purposes or means of processing” of that data. The CCPA does not expand on this language. However, since nearly identical language in the General Data Protection Regulation (GDPR) is used to define a controller, guidance from the UK’s Information Commissioner may provide some insight. Here are some indicators you might check to see if your organization is a controller:

  • The business decides to collect or process the personal data.
  • The business decides what the purpose or outcome of the processing is to be.
  • The business decides what personal data should be collected.
  • The business decides which individuals to collect personal data about.
  • The business obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller.
  • The business processes the personal data as a result of a contract between the business and the data subject.
  • The business exercises professional judgement in the processing of the personal data.
  • The business has a direct relationship with the data subjects.

An organization that merely processes personal information for businesses covered by the CCPA might take the position that it is not subject to the CCPA. That organization may be correct; however, its business partners that are subject to the CCPA may be required to push certain CCPA obligations down to the organization by contract.

Consequences of Non-compliance. Organizations on the fence about the application of the CCPA should consider what happens if they fail to comply but are determined later to be subject to the law. A business that violates the CCPA can face injunctions and penalties of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation, in an action brought by the California Attorney General. That said, a business is provided 30 days after receiving written notice of noncompliance to cure the violation, before facing liability. In addition, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. That private action includes statutory damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater.

A recent survey by ESET found that over 44% of the 625 business owners and company executives polled had never heard of CCPA, and only 11.8% knew whether the law applied to their business. Organizations should be doing their best to determine if they have CCPA obligations either directly as a business, because they control or are controlled by a business, or because they have contractual obligations flowing from a business. Efforts toward compliance need to begin now as the CCPA becomes effective January 1, 2020.
