FDA Names First Acting Director of Medical Device Cybersecurity

The U.S. Food and Drug Administration (FDA) named University of Michigan Associate Professor Kevin Fu Acting Director of Medical Device Security in its Center for Devices and Radiological Health. This is a newly created 12-month post in which Fu will “work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.” Fu stated that his primary activities will include

  • Envisioning a strategic roadmap for the future state of medical device cybersecurity.
  • Assessing opportunities to fully integrate cybersecurity principles through the lens of the center’s total product life cycle model.
  • Training and mentoring CDRH staff for premarket and postmarket technical review of medical device cybersecurity.
  • Engaging multiple stakeholders across the medical device and cybersecurity ecosystems.
  • Fostering medtech cybersecurity collaborations across the federal government, including the National Institute of Standards and Technology, National Science Foundation, National Security Agency, Department of Health and Human Services, National Telecommunications and Information Administration, Cybersecurity and Infrastructure Security Agency, Department of Veterans Affairs, Department of Defense, Federal Trade Commission and others.

Fu also noted that “the FDA is working closely with federal partners — HHS and CISA — on sector incident and emergency response. The FDA’s 2021 efforts for the cybersecurity focal point program will further increase the review consistency of premarket submissions.”

The creation of this new post is the latest in the FDA’s ongoing efforts to promote cybersecurity in medical devices. As we previously reported, the FDA has published draft guidance for medical device manufacturers outlining steps that can be taken in the premarket process to better protect medical devices from cybersecurity threats. We expect this focus to continue especially as we see a rise in ransomware attacks and other hacking activity.

The FDA’s increasing focus on cybersecurity is yet another reason relevant employers and medical device manufacturers should continue to assess and address potential data security risks.

Maryland Joins New York with a BIPA-like Biometric Privacy Bill

On January 13, House Delegate Sara Love introduced the “Biometric Identifiers and Biometric Information Privacy Act” (the “Act”), substantially modeled after the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (the “BIPA”). Enacted in 2008, the Illinois BIPA only recently triggered an avalanche of class actions in Illinois, spurring other legislative activity, including in New York. If enacted, Maryland’s Act would become effective January 1, 2022.

Just like the BIPA and the proposed law in the Empire State, the Act would establish rules for “private entities” possessing “biometric identifiers” and “biometric information” of a person, such as:

  • Development of a publicly available policy establishing retention and destruction guidelines,
  • Mandated reasonable safeguards relating to the storage, transmission, and disclosure of such information in a manner at least as protective as for “confidential and sensitive information,” such as social security numbers and account numbers,
  • Prohibiting private entities from profiting from the information, and
  • Limited right to disclose without consent.

Unlike the BIPA, the Maryland bill would clarify that the policy need not be publicly available when it applies only to employees and is used only for internal operations.

Most important, the Act also would create a private right of action for persons “aggrieved” by violations of the Act, using language similar to the BIPA, permitting persons to recover the greater of (i) statutory damages of at least $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, and (ii) actual damages.

We know the Illinois Supreme Court decided that, in general, persons bringing suit under the BIPA do not need to allege actual injury or adverse effect, beyond a violation of their rights under the BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the BIPA. See Rosenbach v. Six Flags Entertainment Corp.

As with the proposed BPA in New York, Maryland’s Act is not yet the law. However, if enacted, private entities covered by the Act should promptly take steps to comply. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric identifiers or biometric information against the requirements under the Act. Biometric identifiers under the Act include data of an individual generated by automatic measurements of that individual’s biological characteristics such as fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual’s identity. In this respect, the Act would be broader than the BIPA – in Illinois, a biometric identifier is limited to a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. There are, however, exclusions from biometric identifiers under the Act, such as writing samples, photographs, demographic data, physical descriptions (such as height and weight), and protected health information covered by HIPAA.

In the event private entities find technical or procedural gaps in compliance – such as not having a retention and destruction policy concerning such information or obtaining consent to provide biometric information to a third party – they should quickly remedy those gaps.

It is unclear whether courts in Maryland will interpret the availability of remedies under the Act, if enacted, the same as the Illinois Supreme Court in Rosenbach. However, if they do, the duties imposed on private entities subject to the law regarding the possession, retention, disclosure, safeguarding, and destruction of a person’s biometric identifiers or biometric information will define the statutory rights of persons protected by the law. Accordingly, when a private entity fails to comply with one of the Act’s requirements, that violation could constitute an invasion, impairment, or denial of a right under the Act resulting in the person being “aggrieved” and entitled to seek recovery.

Comprehensive State Privacy Laws On the Move, How Should Organizations Evaluate Them?

Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. The International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions. We discuss the Virginia legislation here, along with legislative activity in several other states that seem likely to pass. It was California that enacted the first data breach notification law which became effective in 2003. In about 15 years’ time, all U.S. states have such a law, as well as many jurisdictions around the world.

Whether it is the pending Virginia Consumer Data Protection Act (VCDPA), the California Consumer Privacy Act (CCPA), or a similar framework, there are several features that should be considered when examining the effects of such laws on an organization:

  • Does the law apply? Neither the CCPA nor the VCDPA apply to all organizations doing business in the state. But, they may apply more broadly than initially assumed, including organizations without locations in the particular state. Also, some entities that control or are controlled by covered businesses also could become subject to one of these laws even if such entities would not otherwise fall into the law’s scope. Finally, data privacy and security laws increasingly reach third-party service providers to covered organizations either directly or indirectly through contracts that covered organizations must put in place.
  • Are we exempt? Perhaps just as important as whether an organization is covered by one of these laws is the question of whether an exemption applies. It is important to know that while an organization may not be exempt as a whole, certain classifications of data it maintains may be. For example, under the CCPA, “protected health information” covered by the Health Insurance Portability and Accountability Act (HIPAA) is generally exempt from the law. Of course, that information comes with its own compliance obligations!
  • What is Personal Information? Assuming an organization is covered by the law, the next question it may want to ask is what data is covered. As we have discussed, there are various definitions and understandings of personal information. Similar to the CCPA and General Data Protection Regulation (GDPR), the VCDPA would define personal data broadly to include “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Again, this broad definition should be read together with potential exemptions to obtain a firm understanding of the information within the scope of the law’s protections. In some cases, such as under the GDPR, and the amendment to the CCPA, the California Privacy Rights Act, there is a subset of personal information that comes with even more protections. Often referred to as “sensitive personal information,” this category can include personally identifiable information such as racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, and geolocation data. Of course, covered organizations with these categories of data would need to understand those additional requirements.
  • Who is protected? It is not enough to know what kind of information that is “personal information,” covered organizations also need to know whose personal information is protected under the law. Several of these laws protect “consumers” defined generally as natural persons who reside in the jurisdiction. Basing the analysis solely on the word “consumer” and assuming that does not include employees, students, website visitors, etc. might be a mistake. Some frameworks have specific exclusions for these and other categories, others do not.
  • What rights do protected persons have? Ostensibly, a key purpose for this kind of privacy legislation is to empower individuals with respect to their personal information. That is, to give them more access to and control over their data that is collected, used, disclosed, maintained, and sold. To effectively comply with these measures, covered organizations need to understand the kinds of rights granted. These rights can include:
    • The right to know what personal information is collected and processed, why, and to access such personal information
    • The right to correct inaccuracies in the personal information
    • The right to delete personal information
    • The right to limit processing of personal information
    • The right to opt out of the processing or sale of personal information
  • Can my organization be sued for violations of the law? It is important to understand the consequences of failing to comply with any law. The flood of litigation under the Illinois Biometric Information Privacy Act (BIPA), which permits substantial recovery for failing to comply with notice and other requirements, even without a showing of actual harm, confirms the importance of examining this issue. Several of these privacy frameworks, including the CCPA and legislation supported by Governor DeSantis in Florida, include a private right of action in connection with data breaches.
  • How will the law be enforced? Related to the question of whether consumers can sue for violations is how the law will be enforced, what the potential penalties are, and how they are measured. In most cases, enforcement rests with the state’s Attorney General’s office. Often, the law requires that covered organizations be provided written notice of any violation and a period of time to cure the violation. Compliance can be challenging, so covered organizations should be aware of a law’s enforcement scheme so that in cases where their compliance efforts may not be perfect, they have a plan in place for quickly acting on such notices and curing any violations.

Answering these questions is certainly not the end of the analysis. For example, if covered, there are a whole host of additional questions organizations need to ask in order to evaluate compliance needs, allocate resources, identify affected business units, weigh risk management objectives, manage vendor compliance, and implement new policies and procedures, as needed. However, these questions can help to sharpen the big picture on the effect one or more of these privacy laws may have on your organization.


CPRA Series: Redux on Data Security Requirements and Private Right of Action

The California Privacy Rights Act (CPRA), passed in November, 2020, added to the California Consumer Privacy Act (CCPA) an express obligation for covered businesses to adopt reasonable security safeguards to protect personal information. The CPRA also clarified the CCPA’s private right of action for consumers whose personal information is breached due to a failure to implement such safeguards. But, remember, reasonable security safeguards are already required under California law, and that requirement is not limited to businesses subject to the CCPA/CPRA.

The CPRA adds subsection (e) to Cal. Civ. Code 1798.100, as follows:

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

California Civil Code section 1798.81.5 requires a business that:

owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Unlike the CCPA/CPRA, section 1798.81.5 defines “business” more broadly to include “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit.” Thus, even if the CCPA, as amended by the CPRA, does not apply to your business, California law still may require the business to have reasonable security safeguards.

The meaning of “reasonable safeguards” is not entirely clear in California. One place to look, however, is the California Data Breach Report issued in February 2016 by former California Attorney General, now Vice President, Kamala D. Harris. According to that report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.

So, although the CPRA generally is operative on January 1, 2023, California businesses might look to the 20 CIS controls at least as a starting point for securing personal information. With regard to which personal information to secure to minimize exposure under the CCPA/CPRA’s private right of action, the law is a bit more clear.

The CCPA extended the private right of action for data breaches only to personal information “defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5”:

(A)  An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

The CPRA added to this list, a consumer’s “email address in combination with a password or security question and answer that would permit access to the account.”

In the event a CCPA-covered business experiences a data breach involving personal information, the CCPA authorized a private cause of action against the business if a failure to implement reasonable security safeguards caused the breach. If successful, a plaintiff can seek to recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. This means that plaintiffs generally do not have to show actual harm to recover. In case you were wondering, CCPA data breach litigation has already commenced.

To bring such an action under the CCPA, a consumer must provide the business 30 days’ written notice specifying the violation and giving the business an opportunity to cure. If cured under the CCPA, no action may be initiated against the business for statutory damages. However, the CPRA clarifies that businesses cannot cure a failure to have reasonable safeguards before the breach:

implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.

The CPRA also calls for additional regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to (i) perform a cybersecurity audit on an annual basis, and (ii) submit to the California Privacy Protection Agency on a regular basis a risk assessment concerning the processing of personal information.

There is more to come following the passage of the CPRA, and businesses should be monitoring CCPA/CPRA developments. However, it is critical to ensure reasonable security safeguards are in place to protect personal information.

CPRA Series: Does the California Privacy Rights Act (CPRA) Apply to Your Business?

When California voters approved Proposition 24, the California Privacy Rights Act (CPRA), on November 3, 2020, the result was to substantially amend the California Consumer Privacy Act (CCPA) which became effective only 10 months earlier. We outlined the basic rules for determining when the CCPA applies, and summarize here the changes made by the CPRA.

Some of the requirements for the CCPA to apply remain the same, namely that a “business” (i) do business in the State of California, (ii) collect personal information (or on behalf of which such information is collected), and (iii) alone or jointly with others determines the purposes or means of processing of that data. However, a “business” under the CCPA also must satisfy at least one of three additional requirements which were modified by the CPRA as follows:

  • CCPA: The business has annual gross revenue in excess of $25 million.
    CCPA as amended by CPRA: The annual revenue requirement is satisfied if, as of January 1 of a calendar year, the business had annual gross revenues in the preceding calendar year in excess of $25 million.
  • CCPA: The business “alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
    CCPA as amended by CPRA: The business “alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.”
  • CCPA: The business derives 50 percent or more of its annual revenues from selling consumers’ personal information.
    CCPA as amended by CPRA: The business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.


In addition to businesses that meet the requirements referenced above, the CCPA also applies to any entity that controls or is controlled by such a business and shares common branding with that business. However, the CPRA clarified when these rules apply. First, it is not enough to share common branding, the business also must share personal information with the entity controlling or under the control of the business. Second, under the CPRA, sharing “common branding” does not mean simply a shared name, servicemark, or trademark, but when doing so would cause the average consumer to understand that the entities are commonly owned.

The CPRA also adds a third category that would be a “business” for purposes of these rules:

A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.

In this case, the joint venture or partnership itself, and each business that composes the joint venture or partnership will be considered a single business. Notably, personal information in the possession of each business and disclosed to the joint venture or partnership may not be shared with the other business.

Persons to whom a business makes personal information available or who process or receive personal information from or on behalf of a business.

The CPRA made substantial changes to the rules that apply to persons that work with covered businesses to receive and process personal information. For instance, the CPRA added a new category, “contractor,” which is a person to whom the business makes available a consumer’s personal information for a business purpose. A discussion of these rules is beyond the scope of this post, but businesses will need to better understand the relationships they have with unrelated “persons” that receive and/or process personal information from or on behalf of the business. This includes making sure such activity is pursuant to a written contract that satisfies certain requirements.


Businesses (and their service providers and contractors) should be reviewing the changes made by the CPRA to determine whether the CCPA, as modified, applies to them. Each of these entities could face administrative fines of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation or violations involving the personal information of consumers whom the business, service provider, contractor, or other person has actual knowledge are under 16 years of age.


A Reminder for Employers About W-2 Phishing Scams

For the past several years, thousands of businesses have been hit with phishing scams during tax season. Through these social engineering scams, hackers obtain employee Forms W-2 for filing fraudulent tax returns seeking large refunds. These phishing emails are typically sent as clients begin the process of issuing W-2s to employees. Often employers do not know the scam has occurred until it is too late. The consequences from a successful W-2 phishing scam can extend well beyond leaked data, and may include potential employee class action litigation.

With the tax season quickly approaching, it’s worth re-visiting W-2 phishing email scams and describing steps an employer can take to help avoid them. The cyber-scam consists of an e-mail sent to an HR or Accounting department employee, presumably from an executive or “higher-up” within the organization. Both the TO and FROM e-mail addresses are legitimate internal addresses, as are the “sender” and recipient names. The fake e-mail asks the employee to forward the company’s W-2 forms, or related tax data, to the “sender.” This request aligns with the job responsibilities of both the employee and the supposed internal “sender.” Despite its appearance, the e-mail is a fake. The scammer is “spoofing” the company executive’s identity. In other words, the cyber-criminal is assuming the executive’s identity and e-mail address for the purpose of sending what appears to be a legitimate request for sensitive company information. The unsuspecting employee relies on the accuracy of the sender e-mail address, coupled with the sender’s job title and role, and forwards the confidential W-2 information. The information goes to a hidden e-mail address controlled by the cyber-criminal.

If successful, the cyber-criminal obtains a trove of sensitive employee data that can include names, addresses, salary information, social security numbers, as well as employer information needed for tax filings. The information is used to file fake individual tax returns (Form 1040) which generate fraudulent tax refunds, or it is sold on the dark web to identity thieves.

This cyber-scam is a form of ‘spear phishing’ known as a business email compromise (BEC) attack, or CEO spoofing. Spear phishing attacks target a specific victim by using personal or organizational information to earn the victim’s trust. The cyber-criminal uses information such as personal and work e-mail addresses, job titles and responsibilities, names of friends and colleagues, personal interests, etc. to lure the victim into providing sensitive or confidential information. Quite often, the scammer culls this information from social media, LinkedIn, and corporate websites. The method is both convincing and highly successful.
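The pattern described above (a From address that looks internal, replies quietly steered to a mailbox the attacker controls, and a request for W-2 data) leaves traces in the message headers that a mail gateway or a triage analyst can check mechanically. The following is an added illustration, not code from the original post; the company domain, the indicator phrases and both sample messages are constructed for the example.

```python
"""Header checks for the W-2 spoofing pattern: an internal-looking From,
replies steered to a hidden external mailbox, and a request for W-2 data.
Added illustration; the internal domain and sample messages are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.test"}            # assumed company domain (placeholder)
W2_TERMS = ("w-2", "w2", "wage and tax statement")   # phrases the lure typically uses


def _domain(header_value) -> str:
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def flag_w2_bec(raw_message: str, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return the list of reasons the message matches the W-2 BEC pattern.

    An empty list means no indicator fired. Each check is independent so the
    reviewer sees every signal rather than only the first one."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    path_dom = _domain(msg.get("Return-Path"))

    # 1. Visible From is internal, but replies are steered to another domain.
    if from_dom in internal_domains and reply_dom and reply_dom not in internal_domains:
        findings.append(f"Reply-To domain {reply_dom} is outside the company")

    # 2. Envelope sender (Return-Path) does not belong to the internal From.
    if from_dom in internal_domains and path_dom and path_dom not in internal_domains:
        findings.append(f"Return-Path domain {path_dom} differs from From domain")

    # 3. The gateway's own SPF/DKIM/DMARC evaluation reported a failure.
    auth = str(msg.get("Authentication-Results") or "").lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    if failed:
        findings.append("authentication failed: " + ", ".join(failed))

    # 4. The lure itself: subject or body asks for W-2 / wage data.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject") or "") + "\n" + (body.get_content() if body else "")).lower()
    if any(term in text for term in W2_TERMS):
        findings.append("message requests W-2 / wage data")

    return findings


# Constructed sample: a spoofed "CEO" request of the kind described in the post.
SPOOFED = """\
Return-Path: <bounce@mail-relay-7.test>
Authentication-Results: mx.example-corp.test; spf=fail; dkim=none; dmarc=fail
From: "Pat Chief, CEO" <pat.chief@example-corp.test>
Reply-To: pat.chief@example-corp-mail.test
To: payroll@example-corp.test
Subject: W-2 forms needed today

Please send me the PDF of all employee W-2s for review before noon.
"""

# Constructed sample: an ordinary internal message with consistent headers.
LEGIT = """\
Return-Path: <pat.chief@example-corp.test>
Authentication-Results: mx.example-corp.test; spf=pass; dkim=pass; dmarc=pass
From: "Pat Chief, CEO" <pat.chief@example-corp.test>
To: payroll@example-corp.test
Subject: Board meeting agenda

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, flag_w2_bec(sample) or ["no indicators"])
```

Any non-empty result is a reason to route the message for human verification rather than an automatic verdict; the fourth check alone will also fire on a legitimate payroll thread, which is why the header checks matter.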

While an organization can use firewalls, web filters, malware scans or other security software to hinder spear phishing, experts agree the best defense is employee awareness. This includes ongoing security awareness training for all levels of employees, simulated phishing exercises, internal procedures for verifying transfers of sensitive information, and reduced posting of personal information on-line.

In the event your business falls victim to a W-2 phishing scam, it will need to respond quickly. This may require (i) investigating the nature and scope of the attack, (ii) ensuring the attackers are no longer in the business’s systems, (iii) determining whether the business must notify individuals and state agencies of the data loss under applicable state law, and extend ID theft and credit monitoring services, (iv) notifying the IRS of a W-2 data loss at dataloss@irs.gov, (v) reporting the phishing email to the IRS at phishing@irs.gov and the Internet Crime Complaint Center of the FBI, as well as state taxing authorities, and (vi) helping employees with any questions about rectifying their tax returns.

A W-2 e-mail phishing scam can have a devastating impact on a business and its employees. This year presents increased challenges for employers trying to guard against these scams. Due primarily to vulnerabilities created by COVID-19, social engineering attacks designed to compromise employee accounts or credentials have proliferated. The FBI cautions that cyber criminals are trying to obtain employees’ credentials regardless of their position within the company. With tax season upon us, expect to see more creative attempts to bait your personnel.

More Movement towards Digital COVID Vaccination Records

A key tech initiative as COVID-19 vaccinations begin rolling out is the digital health passport. One example is being developed by a group of large tech companies along with the Mayo Clinic as part of the Vaccination Credential Initiative. The Initiative’s digital vaccination record will likely be a smartphone app. The Initiative is leveraging the CommonPass app, which is already being used by airlines to allow passengers to show a negative COVID-19 test result, which is a requirement to board certain flights.

A goal of digital health passports is to establish universal standards to verify whether a person has had a vaccination. Such digital health passports will become important as governments and major airlines require proof of either negative COVID testing, or eventually of vaccinations. For example, effective January 26, 2021, all air passengers arriving to the U.S. from a foreign country must provide proof of a negative test result or documentation that they have recovered from COVID-19 prior to boarding the flight.

A key aspect in the development of digital health passports is ensuring data security. The system is designed as a digital wallet, allowing individuals to have control over who they share their information with. However, the data still moves between multiple systems and users must maintain proper data safeguards on their device to ensure the data is protected.

See our blog post about other COVID related technologies and associated legal issues here. Reach out to any member of the Privacy, Data, and Cybersecurity Group, or your Jackson Lewis contact, if you have any questions or need help in this area.

You Have Heard of the BIPA, But What About the GIPA?

Enacted in 2008, the Illinois Biometric Information Privacy Act, 740 ILCS 14 et seq. (the “BIPA”), went largely unnoticed until a few years ago when a handful of cases sparked a flood of class action litigation over the collection, use, storage, and disclosure of biometric information. Seeing thousands of class action lawsuits, organizations have reevaluated and redoubled their compliance efforts. On January 28, 2021, a complaint was filed in Cook County, IL, Melvin v. Sequencing, LLC, alleging violations of the Illinois Genetic Information Privacy Act, 410 ILCS 513/1 – the “GIPA”…try not to get confused… which was originally effective in 1998.

Will the GIPA follow the BIPA?

The GIPA creates a private right of action using the same language as the BIPA:

Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in a federal district court against an offending party.

However, while the BIPA provides for liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation (or actual damages, if greater), the liquidated damages provisions under the GIPA are significantly higher: $2,000 and $15,000, respectively. If the holding of the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill. Jan. 25, 2019) with regard to the BIPA is applied to the GIPA, plaintiffs could potentially maintain a cause of action and seek liquidated damages for alleged violations of the GIPA without any showing of actual injury beyond a violation of their rights under the Act.

Of note, in Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175, the Illinois Appellate Court for the First Judicial District noted, in a pre-Rosenbach BIPA case, that the GIPA “provide[s] for a substantially identical, ‘any person aggrieved’ right of recovery” as the BIPA. The First District noted that the GIPA was considered and amended during the same legislative session when the BIPA was passed, suggesting that the legislature intended a similar framework to apply to both statutes.

So, what are some of the requirements of the GIPA?

The GIPA is largely based on the federal Genetic Information Nondiscrimination Act (the “GINA”) and incorporates several terms and concepts from the Privacy Rule under the Health Insurance Portability and Accountability Act (the “HIPAA”). This includes the definition of the term “genetic information,” which is defined under HIPAA Reg. 45 CFR 160.103 and includes the manifestation of disease in a family member, which includes one’s spouse. GIPA also includes requirements applicable to genetic testing companies, health care providers, business associates, insurers, and employers.

While not an exhaustive list of requirements, in general, under GIPA:

  • Genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30 of GIPA, by that individual to receive the information.
  • An insurer may not seek information derived from genetic testing for use in connection with a policy of accident and health insurance.
  • An insurer shall not use or disclose protected health information that is genetic information for underwriting purposes. Examples of “underwriting purposes” include: (i) determining eligibility (including enrollment and continued eligibility) for benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program), (ii) the computation of premium or contribution amounts under the plan, coverage, or policy (including discounts in return for activities, such as completing a health risk assessment or participating in a wellness program); and (iii) other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.
  • Companies providing direct-to-consumer commercial genetic testing are prohibited from sharing any genetic test information or other personally identifiable information about a consumer with any health or life insurance company without written consent from the consumer.
  • Employers must treat genetic testing and genetic information consistent with the requirements of federal law, including but not limited to the GINA, the Americans with Disabilities Act, Title VII of the Civil Rights Act of 1964, the Family and Medical Leave Act of 1993, the Occupational Safety and Health Act of 1970, and certain other laws.
  • Employers may permit the disclosure of genetic testing information only in accordance with the GIPA.
  • Employers may not (i) solicit, request, require or purchase genetic testing or genetic information of a person or a family member of the person, or administer a genetic test to a person or a family member of the person as a condition of employment; (ii) affect the terms, conditions, or privileges of employment, or terminate the employment of any person because of genetic testing or genetic information with respect to the employee or family member; or (iii) retaliate against any person alleging a violation of this Act or participating in any manner in a proceeding under the GIPA.
  • Employers cannot use genetic information or genetic testing for workplace wellness programs benefiting employees unless (1) health or genetic services are offered by the employer, (2) the employee provides written authorization in accordance with the GIPA, (3) only the employee (or family member if the family member is receiving genetic services) and the licensed health care professional or licensed genetic counselor involved in providing such services receive individually identifiable information concerning the results of such services, and (4) any individually identifiable information is only available for purposes of such services and shall not be disclosed to the employer except in aggregate terms that do not disclose the identity of specific employees. Employers cannot penalize employees who do not disclose their genetic information or choose not to participate in a program requiring disclosure of the employee’s genetic information.

Whether an organization is a health care provider, a genetic testing company, an employer, or another company subject to the GIPA, it should review its policies and practices concerning genetic tests and genetic information. In Melvin v. Sequencing, LLC, the plaintiff alleges his genetic information was disclosed without his authorization. Based on our preliminary research we could find no other cases addressing violations of the GIPA, so this may be a sign of more to come. Note also that Illinois is not the only state with laws protecting genetic information.

Court Denies Motion for Class Certification in Employee W-2 Data Breach Litigation

In recent years, there has been an uptick in W-2 phishing scams, and their consequences for an employer extend well beyond leaked data, including potential employee class action litigation. Just last week, a federal court in Illinois rejected a motion for class certification in a data breach case alleging disclosure of employees’ sensitive tax information and additional personal information, in McGlenn v. Driveline Retail Merch.

A W-2 phishing scam is a simple cyberattack, but it can be highly successful. It consists of a phishing e-mail sent to an employee, generally in the Human Resources or Accounting department, designed to appear to come from an executive within the organization. The e-mail requests that the recipient forward the company’s W-2 forms, or related data, to the sender. This request aligns with the job responsibilities of both parties to the e-mail. Despite appearances, the e-mail is a fraud: the scammer is “spoofing” the executive’s identity. The recipient relies on the apparent accuracy of the sender’s e-mail address, coupled with the sender’s job title and responsibilities, and forwards the confidential W-2 information.

In McGlenn v. Driveline Retail Merch., an unknown person sent a phishing e-mail to a Driveline employee in the payroll department. The e-mail falsely identified the sender as the company’s Chief Financial Officer (CFO) and requested that the employee send a copy of W-2 information for all Driveline employees. According to the allegations, the employee provided the unknown person with W-2 information for nearly 16,000 employees, including names, addresses, Social Security Numbers, and other personal identifying information (PII).

The plaintiff filed a putative class action against her employer, on behalf of other employees of the company, asserting several torts and state consumer protection violations. The plaintiff claimed that as a result of the data breach the class suffered damages due to: unauthorized use and misuse of their PII; the loss of opportunity to control how their PII is used; the diminution in value of their PII; the compromise, publication, or theft of their PII; out-of-pocket costs associated with prevention, detection, recovery and remediation from identity theft or fraud; lost opportunity costs and wages associated with efforts expended and loss of productivity in attempting to mitigate the consequences of the breach; the “imminent and certain” impending injury flowing from potential fraud or theft; continued risk to their PII; and more.

Standing in data breach class action litigation is a highly contested issue, as courts differ on whether a data breach victim must suffer actual financial harm to recover damages, or whether the mere threat of future harm is enough. Federal circuit courts over the past few years have struggled with this issue, in large part due to lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury. For example, the 3rd, 6th, 7th, 9th and D.C. Circuits have generally found standing, while the 1st, 2nd, 4th and 8th Circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm.”

Here, in McGlenn, the court denied class certification for several independent reasons; among them, the court emphasized doubts about whether the class had suffered a compensable injury. Moreover, the court was unsure whether the employer (Driveline) even owed the potential class members a duty to protect their PII, as Illinois does not recognize a common law duty for employers to safeguard employee PII.

While such a holding is considered a win for employers, it is still an indication of how far the consequences of a phishing scam can extend. Even a case dismissed at an early stage will result in significant time and legal fees for the employer, not to mention damaged employee relations. Also, the result might have been different in another state, such as California. Under the California Consumer Privacy Act, California residents have a private right of action when their personal information is involved in a data breach due to the business’s failure to maintain reasonable safeguards. If successful, plaintiffs could each recover between $100 and $750, or actual damages, whichever is greater.

An organization can use firewalls, web filters, malware scanning or other security software to hinder phishing scams; however, experts agree the best defense is employee awareness. This includes ongoing security awareness training for all levels of employees, simulated phishing exercises, internal procedures for verifying transfers of sensitive information, and reduced posting of personal information online.
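The spoofing pattern described above (an executive’s display name attached to an outside or mismatched address, asking payroll for W-2 data) is something a mail gateway or a payroll team’s intake script can flag before the forms are sent. The following Python script is an added example for illustration; it is not from this post or the court record. The company domain, the executive’s name, the keyword list and both sample messages are constructed assumptions, and a real deployment would pull the executive directory and domain from the organization’s own records.

```python
import email
from email.utils import parseaddr

# Constructed values for this example (assumptions, not from the post):
# the company's own mail domain and the executives whose names a spoofed
# "send me the W-2s" message would most plausibly borrow.
CORPORATE_DOMAIN = "example-corp.test"
EXECUTIVES = {"pat doe": "pat.doe@example-corp.test"}

# Phrases typical of the payroll-data request the post describes.
SENSITIVE_KEYWORDS = ("w-2", "w2", "payroll", "social security")


def analyze_message(raw: str) -> dict:
    """Return the impersonation indicators found in one RFC 5322 message.

    The message is held for human review only when it both asks for payroll
    data AND shows at least one sign that the sender is not who it claims.
    """
    msg = email.message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_to.rpartition("@")[2].lower() if reply_to else from_domain

    # Non-multipart body for this example; decode=True yields bytes.
    body = msg.get_payload(decode=True)
    text = ((body.decode(errors="replace") if body else "")
            + " " + msg.get("Subject", "")).lower()

    indicators = []
    # An executive's name on an address other than the one in the directory.
    known = EXECUTIVES.get(display_name.strip().lower())
    if known and from_addr.lower() != known:
        indicators.append("executive_name_foreign_address")
    # Sender domain is not the company's own domain.
    if from_domain and from_domain != CORPORATE_DOMAIN:
        indicators.append("external_sender")
    # Replies would go somewhere other than the visible sender.
    if reply_domain != from_domain:
        indicators.append("reply_to_mismatch")
    # The message asks for the kind of data the scam is after.
    if any(k in text for k in SENSITIVE_KEYWORDS):
        indicators.append("requests_payroll_data")
    # SPF/DMARC verdict recorded by the receiving gateway, if present.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        indicators.append("auth_failure")

    hold = "requests_payroll_data" in indicators and any(
        i in indicators
        for i in ("executive_name_foreign_address", "reply_to_mismatch", "auth_failure")
    )
    return {"from": from_addr, "indicators": indicators, "hold_for_review": hold}


# Constructed sample messages (not real mail): one spoofed request, one routine one.
SPOOFED = """From: Pat Doe <pat.doe@example-corp-mail.test>
Reply-To: Pat Doe <ceo.urgent@webmail.test>
To: payroll@example-corp.test
Subject: W-2 forms needed today
Authentication-Results: mx.example-corp.test; spf=fail; dmarc=fail

Please send me the W-2s for all employees as a PDF. Thanks.
"""

LEGIT = """From: Pat Doe <pat.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Board deck
Authentication-Results: mx.example-corp.test; spf=pass; dmarc=pass

Can you send the Q3 headcount numbers for the board deck?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze_message(sample))
```

The hold rule deliberately requires two things at once: a request for payroll data and an identity signal that does not add up. Either alone produces too many false positives (executives do mail from phones on outside domains; payroll gets legitimate W-2 questions all year), and the combination is what makes the scam work in the first place. Anything held should go through the out-of-band verification procedure the post recommends, such as a phone call to the executive at a known number, rather than a reply to the message.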

For more information on W-2 phishing scams, check out some past blog posts:

Federal Contractors: Have You Done Your Privacy Training?

Federal contractors know all too well that the list of annual requirements and obligations can seem overwhelming at times. One that may get overlooked by some is annual training requirements. One such requirement, fairly new, went into effect in 2017: it requires certain federal contractors to conduct annual data privacy training.

According to the U.S. General Services Administration (“GSA”), for example, its agency-wide and role-based training offerings cover the GSA’s policies on protecting personally identifiable information (“PII”). The GSA requires all employees and contractors to complete privacy and security awareness training upon employment and each year thereafter. Importantly,

GSA account holders must complete this training in order to maintain access to the agency’s IT systems and resources such as email, Google Drive and other IT resources.

The current political landscape (President Biden has announced a heightened focus in this area, including plans for $10B of investment in government cyber and IT infrastructure), the COVID-19 pandemic, during which many federal contractors are receiving large amounts of sensitive information, and recent high-profile data security incidents involving the U.S. government, like SolarWinds, provide further reasons to support a business imperative to bolster the privacy and security awareness of your workforce. Therefore, we recommend following the steps below to ensure your teams are trained in this critical area.

  1. Identify if requirements apply, and who needs training

In general, annual privacy training is required for any federal contractor employee who accesses, processes, or handles PII on behalf of a government agency. This includes contractor employees who have access to any system of government records, or who assist in designing, developing, maintaining, or operating a system of records. Prime contractors are required to flow down these privacy training requirements to their subcontractors.

PII is defined in this regulation as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

Per the FAR, as noted above, contractor employees may not have access to PII unless they have had the required privacy training.

  2. What must training include

Per the FAR, training must address:

  • The contractor’s policies and procedures for processing and safeguarding PII;
  • The provisions of the Privacy Act of 1974, including penalties for violations of the Act;
  • The authorized and official use of a system of records;
  • The restriction on the unauthorized use, handling, disclosure, or access of PII or a system of records; and
  • The procedures to follow in the event of a suspected or confirmed breach of a system of records or PII.

  3. Understanding the requirements

A one-size-fits-all training likely will not be sufficient as the FAR requirements are described as “role based” and should be appropriate for different levels of employees. There should also be measures in place to test the knowledge of users. Contractors must also maintain and be able to provide documentation regarding the completion of the privacy training upon the request of their Contracting Officers.

  4. Format of training

Contractors may provide their own training to employees, except in the limited cases where an agency requires that certain training be utilized. Contractors can develop the content internally or use a third-party vendor or firm to do the training. Jackson Lewis provides this type of training to many of our government contractor clients.

  5. Recommended next steps for Government Contractors

  • Determine if your employees have access to PII as part of a government contract.
  • Review privacy procedures and policies to confirm compliance with training requirements.
  • If you are not currently training your employees in compliance with FAR 52.224-3, implement a training program for employees handling PII.
  • Review subcontracts, as the privacy training requirements also apply to subcontractors.
  • Reach out to your local Jackson Lewis office with any questions.