CCPA Litigation is on the Rise: Is Your Organization Prepared?

By Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi on

On January 1, 2020 the California Consumer Privacy Act (CCPA) took effect. Largely considered the most expansive U.S. privacy law to date, there has been much anticipation over the impact the law will have on the privacy litigation landscape. Although the California Attorney General’s (“AG”) enforcement authority only begins on July 1, this has not stopped plaintiffs from already pursuing CCPA litigation in light of the January 1 effective date.

The CCPA authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach. The definition of personal information for this purpose is much narrower than the general definition of personal information under the CCPA. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. This means that plaintiffs in these lawsuits likely do not have to show actual harm or injury to recover.

As of today, there have been approximately 25 CCPA-related claims filed in state and federal court. Thus far, there are three common types of CCPA-related litigation:

  • Reasonably Security Safeguards. Unsurprisingly, given the limited nature of the CCPA’s private cause of action, most claims to-date have been on the basis of an alleged failure to implement reasonable security safeguards resulting in a data breach. For example, in February a putative class action was filed in the Northern District of California, San Francisco Division, against a supermarket and its e-commerce platform provider, alleging negligence and a failure to maintain reasonable safeguards, among other things, leading to a data breach. The complaint specifically seeks recovery under the CCPA –  Civ. Code § 1798.100, et seq. It is worth noting that several complaints on the basis of an alleged failure to implement reasonable security safeguards were filed in light of the increase in videoconferencing platform usage in response to COVID-19. In addition, at least one complaint is based on a data breach that occurred before January. And, yet, another claim (the first CCPA case filed in federal court), was brought by a non-California resident. While many of these cases may face viability issues moving forward, they indicate the eagerness of plaintiffs and their counsel to pursue relief under the CCPA, and the likely uptick in CCPA litigation in the coming years.
  • Consumer Rights. The CCPA does not provide consumers with a private cause of action if their rights (g. right to notice, right to delete, right to opt out) under the statute are violated. This, however, has not stopped plaintiffs from filing claims on the basis that their rights under the CCPA have been violated. For example, in one case, the plaintiff alleged that the defendant violated the CCPA by failing to provide consumers notice of their right to opt out of sale of their personal information to a third party, and failure to provide notice of their collection and use of personal information practices.
  • CCPA References.  In several cases, although the plaintiff is not seeking relief on the basis of a CCPA violation, the CCPA is still mentioned in connection with a different violation. For example, in a case against a videoconference provider, the CCPA is mentioned in a claim regarding a violation of the Cal. Bus. Code – Unfair Competition law, highlighting that the defendant failed to provide accurate disclosures to users on their data sharing practices and failed to implement reasonable security measures, but never explicitly alleged that the defendant violated the CCPA.

CCPA litigation is only ramping up, and organizations need to be prepared. As data breaches continue to plague businesses across the country, including those subject to the CCPA, ensuring reasonable safeguards are in place may be the best defense. To learn more about the CCPA’s obligations and how to implement policies and procedures to ensure compliance, check out Jackson Lewis’s CCPA FAQS for Covered Businesses. For more information on what businesses can be doing to ensure they have reasonable safeguards to protect personal information, review our post on that topic.

The California Privacy Rights Act (“CPRA”) Headed to the November 2020 Ballot

By Jerel Pacis Agatep on

As we recently reported, the privacy-right activist group that sponsored the California Consumer Privacy Act (“CCPA”) – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The CRPA has now qualified for the November 3, 2020 ballot, gathering more than 600,000 valid signatures as required, according to the memorandum circulated by the California Secretary of State. If California voters approve the initiative in November, the CPRA would significantly expand the rights of Californians under the current California Consumer Privacy Act (“CCPA”) starting on January 1, 2023, with certain provisions going into effect immediately.

What are some of the key provision of the CPRA?

  • Establish the California Privacy Protection Agency (“CPPA”): – CPRA would establish the first agency of its kind in the United States. The Agency will be governed by a five-member board, including the Chair, and will have full administrative power, authority and jurisdiction to implement and enforce the CCPA, instead of the California Attorney General.
  • “Sensitive Personal Information” vs. “Personal Information”: – CPRA defines “sensitive personal information” stricter than personal information. The definition is broad, but it includes government-issued identifiers (i.e. SSN, Driver’s License, Passport), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages (i.e. mail, e-mail, text), genetic data, biometric information, and others.

The CPRA creates new obligations for companies and organizations processing sensitive personal information. It would also allow consumers to limit the use and disclosure of their sensitive personal information.

  • Additional Consumer Rights: – In addition to the rights under CCPA, consumers will have additional rights under the CPRA, including, a) right to correct personal information, b) right to know length of data retention, c) right to opt-out of advertisers using precise geolocation, and d) right to restrict usage of sensitive personal information.
  • Employee Data: Expanded Moratorium from until January 1, 2023: In general, most of the provisions of the CCPA does not cover employee data until at least January 1, 2021. CPRA will expand that moratorium until at least January 1, 2023.
  • Expanded Breach Liability: In addition to the CCPA’s private right of action for breaches of nonencrypted, nonredacted personal information, the CPRA would expand that to the unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.

The CCPA has not even celebrated its anniversary nor started its enforcement (July 1, 2020), and companies doing business in California will soon have to grapple with the nuances brought by the CPRA. Jackson Lewis will continue to monitor any developments with the CPRA as it marches to the ballots come November 2020.

 

 

New Ransomware Tactics and Strains Emerge, Including Public Auctions of Stolen Data

By Joseph J. Lazzarotti on

As many have learned over the last several years, ransomware is a type of malware that denies affected users access to critical data by encrypting it. Attackers profit handsomely by requiring victims to pay substantial sums, typically tendered in a cryptocurrency such as Bitcoin. A look at some of the numbers over the past two years is troubling. And, perhaps even more troubling, as in all “industries,” products evolve and there are new entrants to the marketplace.

MAZE and Sodinokibi

A comprehensive report by Coveware analyzing ransomware developments during the first quarter of 2020 highlights several interesting trends. In addition to calling attention to the uptick following the coronavirus COVID-19 outbreak, the report explains the rise in average ransom payments and the most common attack types and vectors. It also points to a disturbing new trend – data exfiltration.

For some time, the general view of ransomware has been that attackers encrypt their victims’ systems and files believing that many will be without good backups, increasing pressure to pay the ransom in order to recover critical business information, despite the risks that come with such transactions. That view is shifting. According to the Coveware report, and what we are seeing in our own experience:

Data exfiltration, where data is downloaded from victim computers and is threatened to be released publicly, became a prevalent tactic during ransomware attacks in [the first quarter of 2020]. This was a big change from the previous quarter where it was virtually non-existent.

Two popular variants driving this new trend in ransomware attacks are MAZE and Sodinokibi. Tactics include auctioning off stolen data and/or publicly shaming victims into paying the ransom. (This Krebsonsecurity post includes a snapshot showing such an auction on the dark web by the REvil ransomware group). The expectation is that these kinds of attacks will continue.

“WASTED”

As part of managing the data breach response services we provide to our clients around the country, we maintain relationships with forensic experts, such as Arete Advisors, LLC. These experts work with us to support our clients’ incident response needs, while tracking emerging threats. Arete recently reported on a new variant, “WASTED,” that appears to have certain features to be aware of:

  • Ransom demands have been nonnegotiable, and have been in the range of 40 BTC to 1,000 BTC. As of this writing, that means between approximately $360,000 to over $900,000, and the attackers threaten to increase the ransom every 24 hours.
  • The attackers sometimes enter through VPN with compromised credentials. As Arete suggests, using multifactor authentication on VPN connections can help prevent these and other attacks.
  • Ransomware payloads are customized to the victim’s environment. The file extension will have 3 characters that represent the victim’s company name along with a reference to the variant, e.g., “abcwasted.”
  • The attackers can be slow to respond, 12+ hours in some cases.

Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends. There also are several steps organizations can take to minimize the chance and impact of a successful attack.

EEOC Issues Guidance on Antibody Testing in the Workplace

By Jason C. Gavejian and Maya Atrakchi on

In late-March and April 2020, the Equal Employment Opportunity Commission (EEOC) released guidance addressing various questions with answers concerning COVID-19 and related workplace disability-related issues under the Americans with Disabilities Act (ADA). Recently, on June 17th, the EEOC updated its guidance to include a new question regarding antibody testing.

Most of the questions concern general employee rights and privacy and employer obligations during the current state of the COVID-19 pandemic. A few of the questions relate to the anticipated gradual return to the office of employees temporarily working remotely due to the pandemic as the crisis subsides.

The EEOC’s April update, inter alia, included a determination that employers can administer COVID-19 testing (i.e. testing for active virus), and recommended that employers do the following:

  • Determine that tests are accurate and reliable.
  • Review guidance from the Food and Drug Administration (FDA), U.S. Centers for Disease Control and Prevention (CDC), and other public health authorities and regularly check those authorities for updates.
  • Consider incidences of false positives and false negatives associated with particular tests.
  • Keep in mind that a negative test does not mean an employee will not contract the virus in the future.
  • Require that employees continue infection control practices, including social distancing, handwashing, and other cleanliness and disinfecting measures.

The April update was silent on whether its determination regarding COVID-19 testing also included antibody testing. Antibody testing (i.e. serological testing), is able to detect antibodies from a previous infection. However, the test can take one to three weeks for antibodies to develop following onset of symptoms, and it is not certain that antibodies provide immunity or, if so, how long immunity would last – the current reliability and utility of these tests is in question.

The June 17th update to the EEOC guidance weighs in on antibody testing in the workplace. Specifically, the EEOC provides an answer to the following question:

CDC said in its Interim Guidelines that antibody test results “should not be used to make decisions about returning persons to the workplace.” In light of this CDC guidance, under the American with Disabilities Act (ADA) may an employer require antibody testing before permitting employees to re-enter the workplace? 

 The EEOC concludes that antibody testing constitutes a medical examination under the ADA, and employers cannot require antibody testing before permitting employees to re-enter the workplace.

In light of CDC’s Interim Guidelines that antibody test results “should not be used to make decisions about returning persons to the workplace,” an antibody test at this time does not meet the ADA’s “job related and consistent with business necessity” standard for medical examinations or inquiries for current employees. Therefore, requiring antibody testing before allowing employees to re-enter the workplace is not allowed under the ADA.”

 It is important to note that as with other types of COVID-19-related guidance, the EEOC will continue to monitor the CDC’s recommendations, and update its discussion on this topic in response to changes in the CDC’s recommendations.

Takeaway

 In general COVID-19 testing methods come with administrative burdens to implement and ensure compliance. Such testing presents privacy implications, particularly with respect to testing that requires a blood sample or swab. Moreover, any information collected should be protected with access appropriately limited, particularly if the organization is using a third party. As issues and concerns around COVID-19 unfold daily, employers must prepare to address the threat as it relates to the health and safety of their workforce.

 

 

 

Privacy Issues of U.S. Collection of Social Media Information from Visa Applicants

By Joseph J. Lazzarotti and Amy L. Peck on

The Department of State (DOS) has been collecting (and maintaining) information on social media use from all visa applicants (immigrant and non-immigrant) since June 2019. The DOS’s collection and maintenance of this information is the subject of a lawsuit. Despite claims of being part of the vetting process, concerns about privacy and misuse of information remain. Our analysis of these issues here.

CCPA 2.0 – More Privacy Legislation in the Golden State?

By Rachel E. Ehlers on

Most companies continue to grapple with compliance with the California Consumer Privacy Act (“CCPA”), which went into effect in January. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA.

Now, the privacy-right activist group that sponsored the CCPA – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The group recently announced it secured the 900,000 signatures needed to qualify for a place on the state’s November 2020 ballot.

If this appears on the ballot and passes, companies will have to once again review their privacy programs and likely amend further to comply. Many other states are also attempting to pass new legislation, so this could all create a complex regime of multiple states with different laws.

The CPRA, as drafted, would amend the CCPA, which has been criticized for over broad definitions and ambiguous language. It would expand the privacy rights of California residents and increase compliance obligations for companies. The CPRA would, as written and among other things:

  • New data category. Add a new category of information, known as “sensitive personal information”, which would include health, financial, and geolocation collected, and allow California consumers to block businesses from using this information. Much of this information is covered by federal privacy laws, like HIPAA and GLBA.
  • Privacy for children’s data. Enhance children’s privacy rights and triple fines for collecting and selling information of minors under 16 years of age.
  • Enforcement Arm. Establish new enforcement authority to protect data privacy rights.
  • Correction of data. Give Californians the right to ask businesses to correct inaccurate personal information.
  • More breach liability. Update data breach liability, specifically for breaches of a consumer’s email with password or security question. In such cases, hackers would be able to access the consumer’s account, and the CPRA would result in liability for the company experiencing the breach.

However, one thing the CPRA does that may help businesses is provide an additional two-year extension to exemptions for employee and business-to-business data. The current exemption is set to expire at the end of 2020. It is important to note that under the current exemption, while employees are temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

While the CPRA may have enough signatures to qualify it for the upcoming ballot, the California Secretary of State and local election officials will have to certify the signatures by June 25, 2020. Of the 900,000 signatures submitted, 675,000 must be certified as valid for the CPRA to be included on the November ballot.

We will continue to monitor CPRA developments and provide guidance on compliance with CCPA and new regulations and guidance from the California Attorney General.

Vermont Updates its Data Breach Notification Law

By Joseph J. Lazzarotti, Jason C. Gavejian, Mary T. Costigan and Maya Atrakchi on

As the COVID-19 pandemic presses on, privacy and security matters continue to be at the forefront for federal and state legislature. We recently reported that Washington D.C. updated its data breach notification law. Now, the Vermont legislature also amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, and the narrowing of permissible circumstances under which substitute notice may be applied. Bill S.110 amending Vermont’s Security Breach Notice Act, V.S.A §§ 2330 & 2335, b23-0215, was signed into law by Governor Phil Scott, and will take effect July 1, 2020.  In addition Bill S.110, creates a new duties and prohibitions with respect to student privacy directed towards educational technology services (similar to a law first enacted in California, and later adopted by over 20 states).

Key updates to Vermont’s Security Breach Notice Act include:

  • Expansion of Personally Identifiable Information (PII)

Following many other states, the new law will add to the data elements that if breached could trigger a notification obligation.  Prior to this amendment, the definition of PII in Vermont was limited to four basic data elements that when unencrypted, a consumer’s first name or first initial and last name in combination with:

    • Social Security number;
    • Driver license or nondriver identification card number; • Financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords; or
    • Account Passwords, personal identification numbers, or other access codes for a financial account.

The amended law includes these elements, and adds the following when combined with a consumer’s first name or first initial and last name:

    • Individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
    • Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
    • Genetic information; and
    • Health records or records of a wellness program or similar program of health promotion or disease prevention; a health care professional’s medical diagnosis or treatment of the consumer; or a health insurance policy number.

The amended law will also include notification requirements for breaches of “login credentials”. The amendment defines “login credentials” as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.” If a breach is limited to “login credentials” (and no other PII), the data collector is only required to notify the Attorney General or Department of Finance, as applicable, if the login credentials were acquired directly from the data collector or its agent.

  • Substitute Notice

Previously, substitute notice was permitted where the cost of Direct Notice via writing or telephone would exceed $5,000, more than 5,000 consumers would be receiving notice, or the data collector does not have sufficient contact information.

Under the amended law, substitute notice is only permitted where the lowest cost of providing Direct Notice via writing, email, or telephone would exceed $10,000, or the data collector does not have sufficient contact information. It is no longer permitted to provide substitute notice where the number of consumers exceed a certain threshold.

Student Privacy Law 

Finally, Bill S.110 also includes the Student Online Personal Information Protection Act, which prohibits an “operator” from sharing student data and using that data for targeted advertising on students for a non-educational purpose. Under the new law, “operator” means the operator of an Internet website, online service, online application, or mobile application used primarily for K-12 purposes, and designed and marketed as such. The passage of this law is particularly relevant during the COVID-19 pandemic, as student use of education technology services has dramatically increased.

Conclusion

This amendment keeps Vermont in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

 

Washington D.C. Significantly Overhauls its Data Breach Notification Law

By Joseph J. Lazzarotti and Maya Atrakchi on

In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislature. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations. The Security Breach Protection Amendment Act of 2019, b23-0215, passed the 12-member D.C. Council unanimously and was signed by D.C. Mayor Muriel Bowser on March 26. The new law became effective on May 19, 2020.

Key updates to D.C.’s new law include:

  • Expansion of personal information

Following many other states, the new law will add to the data elements that if breached could trigger a notification obligation.  Currently, personal information is defined as (1) any number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account, (2) or an individual’s first name or first initial and last name, or phone number, or address, and any one or more of the following data elements: Social Security Number; Driver license number or DC identification card number; or Credit card number or debit card number.

The amendment significantly expands the definition of personal information to include the following new data elements:

  • Identifiers including taxpayer identification number, passport number, military identification number and other unique identification numbers issued on a government document;
  • medical information;
  • genetic information and DNA profile;
  • health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer that permits access to an individual’s health and billing information;
  • biometric data; and
  • any combination of data elements listed above, that would enable a person to commit identity theft without reference to the individual’s name.

Personal information also includes “a user name or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements [listed above] that permits access an individual’s email account.”

  • Notification to Attorney General

Notification to the Office of the Attorney General is now required for any breach affecting 50 or more D.C. residents. Notice must be provided in the “most expedient manner possible, without unreasonable delay, but in no event later than when notice is provided”. There are also several specific content requirements for notice to the Attorney General, including whether there is knowledge of any foreign country involvement.

  • GLBA/HIPAA Exemption

The new law exempts entities subject to GLBA or HIPAA if those entities maintain breach notification procedures and provide notification as required under those law, as applicable. However those entities must still notify the Attorney General of any breach that requires notification by GLBA or HIPAA.

  • Risk of Harm Threshold

If a person or entity reasonable determines, after reasonable investigation and consultation with the Office of the Attorney General and federal law enforcement agencies, that the breach likely will not result in harm to affected individuals, notice is not required.

  • Free Mitigation Services for Affected Residents

D.C. joins California, Connecticut, Delaware and Massachusetts in requiring companies to provide identity theft protection or credit monitoring services to residents affected by a breach at no cost. The new D.C. law requires that a person or entity that experiences a breach that includes Social Security numbers and/or taxpayer identification numbers, must offer affected individuals at least 18 months of identity theft protection services at no cost.

Data Security Requirements

Finally, the new law, notably, establishes data security requirements for covered businesses. In short, any business that owns, licenses, maintains, handles or otherwise possesses personal information of D.C. residents must implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and nature and size of the entity of the operation. Further, covered entities must enter written agreements with their third party service providers requiring the service provider to implement and maintain similar security procedures and practices.

This amendment keeps Washington D.C. in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

Addressing the COVID19 Risks of Your Third-Party Service Providers and Vendors

By Joseph J. Lazzarotti on

States are reopening – find out which ones here. As they do, organizations will begin and/or continue adhering to a complex set of distancing, screening, capacity, sanitization, mask, posting, reporting, and other guidelines designed to maintain COVID19 curve flattening efforts. For organizations with operations in multiple states, the patchwork of federal, state, and local “guidelines” becomes even more complex. For organizations that tackle these guidelines, their job still may not be complete.

The risk of COVID19 infection in areas such as on a salesfloor, in common areas of an apartment complex, on a loading dock, or in an office environment is not limited to the members of an organization’s workforce or its customers or clients. Virtually all organizations rely on third-party service providers or vendors, directly or indirectly, to operate efficiently, including those providers and vendors. In a retail business, service providers or vendors might include delivery companies, manufacturer representatives, temporary staffing companies, and IT support services. Senior living communities might have similar service providers or vendors as retail businesses, along with landscape companies, building maintenance technicians, and equipment suppliers. The same is true for professional service providers, whose service providers or vendors also could include office equipment maintenance providers, window and office cleaners, food service providers, and transportation vendors.

As organizations develop policies and devise procedures to address COVID19 in their facilities, they should be taking their third-party service providers or vendors into account, especially when the workforce members of those entities will need to interact with the organizations’ employees, customers, clients, etc. How to do so presents some difficult questions and additional challenges. Some organizations may want to (or be required to) play a more active role, such as screening a vendor’s employees before being permitted to enter the organization’s facilities. Others might prefer to rely on the vendor’s compliance efforts. Either way, these decisions raise critical health, liability, insurance, public relations, operational, and business issues.

Depending on how organizations decide to approach the risks posed by third-party service providers or vendors, below is a checklist of items an organization might want to cover with respect to each of those entities.

  • Modifying the delivery of products and/or services to minimize COVID19 risk.
  • Compliance with all applicable federal, state, and local COVID19 guidelines, including those specific to the organization which may not be applicable to the service provider or vendor, and including changes to those guidelines and best practices as the pandemic continues to evolve.
  • Allocating responsibility for COVID19-related issues, such as reporting, exposures, liabilities, etc. For example, organizations may want to confirm whether they or their service providers are responsible to provide personal protective equipment (PPE) in the organizations’ facilities. Organizations also may want to reevaluate insurance coverage requirements, indemnification provisions, and limitation of liability clauses to ensure they align with a changing risk landscape due to the pandemic.
  • Ensuring service provider and vendor workforce members are aware and trained on the organization’s applicable COVID19 policies and procedures including without limitation social distancing, sanitization, screening, cleaning supplies, contact tracing, and other measures.
  • Administering screening/testing for all vendor or service provider workforce members prior to entering the organization’s facilities, and who is responsible for carrying it out.
  • Arranging for communication and reporting of COVID19 symptoms, or infections or likely infections in order to carry out contact tracing. As contact tracing efforts expand, many organizations are considering different approaches such as contact tracing apps. Depending on the circumstances, having service providers use the same contact tracing app could enhance the organization’s efforts.
  • Pushing service provider and vendor’s obligation downstream to their agents, subcontractors, and third-party service providers where applicable.
  • Ensuring cooperation and consistent communications in the event of any investigation concerning COVID19 infection believed to be at the organization’s facilities.
  • Maintaining a process to assess compliance and appropriate record keeping. Some organizations may want to be able to review a service provider or vendor’s record keeping to show they have been complying with applicable COVID-19 guidelines.
  • Confirming that service providers and vendors have hardened their privacy and cybersecurity protections as ransomware, business email compromise, and other attacks are on the rise with COVID-19 and could result in business interruption. Much of this post relates to increased physical interaction as organizations reopen. However, significant segments of the workforce will continue to work from home, including service providers and vendors, extending these heightened risks.

A “compliance with all applicable laws” or related clauses in the service provider or vendor’s master services agreement (MSA) likely will not be sufficient to address many, if not all, of these issues. COVID19 implications are far reaching, affecting the provision of services, service level agreements, costs, liabilities, etc. Organizations and their service providers and vendors may need to rethink certain provisions of their MSAs to address the new reality of how products and services are provided and performed during the coronavirus pandemic, including amendments that outline specific COVID19-related operational issues, practices, etc.

California AG Urges Consumers to be Vigilant While Online During the COVID-19 Pandemic

By Frank J. Fanshawe on

With California’s mandatory COVID-19 stay-at home orders impacting some 40 million people by forcing the vast majority of them to connect remotely to work, go to school, order necessities, socialize and do many other things, California’s Attorney General Xavier Becerra recently issued an alert reminding consumers of their privacy rights and to encourage them to be vigilant about practicing sound security practices while online.

In his alert, Attorney General Becerra urges consumers to take steps to understand their rights under the California Consumer Privacy Act (“CCPA”), a new law that went into effect on January 1, 2020 and provides important consumer privacy rights both during and after the COVID-19 public health crisis. To learn more about the CCPA’s consumer privacy rights, see our previous posts on this blog located at this link.

Attorney General Becerra’s alert also warns consumers about common COVID-19 phishing email scams; provides tips on how to enable privacy and security settings during virtual meetings and otherwise protect home networks from outside hackers; and recommends online resources that “help parents set boundaries and guide their children towards becoming good digital citizens.”

Visit our previous blog posts for more information about the CCPA and other privacy and security developments during the COVID-19 pandemic:

LexBlog