New Notification Requirements in New York for Healthcare Providers Facing a Cybersecurity Incident

By Frank J. Fanshawe, Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi on

On August 12, Mahesh Nattanmai, New York’s Chief Health Information Officer, issued a notice letter (“the notice”) on behalf of the New York State Department of Health (“Department”) requiring healthcare providers to use a new notification protocol for informing the Department of a potential cybersecurity incident. The updated protocol is considered effective immediately from a healthcare provider’s receipt of the notice letter.

“We recognize that providers must contact various other agencies in this type of event, such as local law enforcement. The Department, in collaboration with partner agencies, has been able to provide significant assistance to providers in recent cyber security events. Our timely awareness of this type of event enhances our ability to help mitigate the impact of the event and protect our healthcare system and the public health. The Department has designed a more efficient process to engage assistance for providers, as needed,” the Department states in its notice letter.

Moreover, the Department provides the types of healthcare providers, which should be implementing this update notice protocol immediately:

  • Hospitals, nursing homes, and diagnostic and treatment centers,
  • Adult care facilities, and
  • Home health agencies, hospices, licensed home care services agencies.

A cybersecurity incident is defined by the notice as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of data or interference with an information system operation”. Therefore, even if a healthcare provider is aware of an unsuccessful attempt of a breach (e.g. by a disgruntled employee), that incident should be reported to the Department.

The notice does not state the time period within which the Department should be notified upon a healthcare provider’s discovery of the cybersecurity incident. It is worth noting that the recently enacted New York SHIELD Act exempts HIPAA compliant covered entities from notification requirements following a data breach. Under HIPAA a covered entity is generally required to report a data breach of over 500 individuals to the U.S. Department of Health and Human Services (HHS) within 60 days of discovery of the breach, so it would not surprising if the length of time is similar, however we are currently confirming with the Department whether this is indeed the case. Contact information for the Department will vary depending on the healthcare provider’s location in New York. The notice provides contact information for each region: Capital District, Central New York, Metropolitan Area, Central Islip, New Rochelle and Western Area.

A recent study found that 70% of healthcare providers have experience a data breach. You can never be too prepared for a cybersecurity incident. Below are helpful resources from our blog on cybersecurity incident prevention and response for healthcare providers:

 

 

 

 

Does the CCPA Apply to Your Business?

By Joseph J. Lazzarotti, Jason C. Gavejian, Mary T. Costigan and Maya Atrakchi on

The California Consumer Privacy Act (CCPA), considered the most expansive U.S. privacy laws to date, is set to take effect January 1, 2020. In short, the CCPA places limitations on the collection and sale of a consumer’s personal information and provides consumers certain rights with respect to their personal information. Wondering whether they will have to comply, many organizations are asking if the law will apply to them, hoping that being too small, being located outside of California, or “only having employee information,” among other things, might cause them not to have to gear up for CCPA.

So, we thought we would dig in a little deeper into the question of when the CCPA might apply to a business. However, note that the law is still developing as amendments work their way through the legislature and we await regulations from the California Attorney General intended to further clarify the statute. Organizations will need to continue to monitor these developments to determine if the CCPA will apply to them.

Basic Rule. In general, the CCPA applies to a “business” that:

A. does business in the State of California,

B. collects personal information (or on behalf of which such information is collected),

C. alone or jointly with others determines the purposes or means of processing of that data, and

D. satisfies one or more of the following

(i) annual gross revenue in excess of $25 million,

(ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or

(iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Related entities and non-for-profits. Under the CCPA, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Thus, for example, a business under this definition generally would not include a not-for-profit or governmental entity. It also would not include a corporation that meets all of the prongs above, other than those listed under D.

However, a “business” under CCPA also includes any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. “Control,” for this purpose, means either (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark. Accordingly, organizations that would not themselves be a “business” under the CCPA could become subject to the law because of the entities that control them or that they control, and with which they share common branding.

Businesses that do not collect “consumer” personal information. It does not appear to be necessary under the CCPA for a business to actually be the one to collect personal information from consumers in order for the law to apply. So long as personal information is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.

Some businesses also may believe that because they do not engage in transactions directly with individual consumers and collect their personal information, they are not subject to the law. The businesses might be thinking this is because their “consumers” are other businesses and not individuals. However, a consumer under the CCPA generally means a natural person who is a California resident. Accordingly, when conducting business with other businesses, a business likely collects personal information from contacts at those other businesses. Similarly, virtually all businesses collect information about their employees. Recent legislative activity indicates that obligations under the CCPA may continue to extend to employee personal information.

Businesses located outside of California. It also does not appear that a business will need to be located in California in order to be subject to the CCPA. While the CCPA is not clear on this point, a business may be considered to be “doing business” in California if it conducts online transactions with persons who reside in California, has employees working in California, or has certain other connections to the state, and is without a physical location in the state. As noted, regulations may help to clarify what “doing business in California” means for purposes of the CCPA.

Businesses that process information on behalf of other businesses. The definition of a business under the CCPA requires that the business must alone or jointly with others “determine the purposes or means of processing” of that data. The CCPA does not expand on this language. However, since nearly identical language in the General Data Protection Regulation (GDPR) is used to define a controller, guidance from the UK’s Information Commissioner may provide some insight – here are some questions you might ask to see if your organization is a controller:

  • The business decides to collect or process the personal data.
  • The business decides what the purpose or outcome of the processing is to be.
  • The business decides what personal data should be collected.
  • The business decides which individuals to collect personal data about.
  • The business obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller.
  • The business decides processes the personal data as a result of a contract between the business and the data subject.
  • The business exercises professional judgement in the processing of the personal data.
  • The business has a direct relationship with the data subjects.

An organization that merely processes personal information for businesses covered by the CCPA might take the position that it is not subject to the CCPA. That organization may be correct, however, its business partners that are subject to the CCPA may be required to push certain CCPA obligations down to the organization by contract.

Consequences of Non-compliance. Organizations on the fence about the application of the CCPA should consider what happens if they fail to comply but are determined later to be subject to the law. A business that violates the CCPA can face injunctions and penalties of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation, in an action brought by the California Attorney General. That said, a business is provided 30 days after receiving written notice of noncompliance to cure the violation, before facing liability. In addition, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information.  That private action includes statutory damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

A recently survey by ESET found that over 44% of the 625 business owners and company executives polled had never heard of CCPA, and only 11.8% knew if the law applied to their business. Organizations should be doing their best to determine if they have CCPA obligations either directly as a business, because they control or are controlled by a business, or because they have contractual obligations flowing from a business. Efforts toward compliance need to begin now as the CCPA becomes effective January 1, 2020.

Licensed by Your State’s Insurance Commissioner? Comprehensive Data Security Requirements Are Headed Your Way

By Joseph J. Lazzarotti on

Most businesses in the insurance industry have one thing in common – they collect and maintain significant amounts of sensitive, nonpublic information including personal information. Not surprisingly, insurance-related businesses are a target of cyberattacks and a few have faced some of the largest data breaches reported to date. Beyond the headlines, however, small and mid-sized insurance companies face similar risks, and governments have stepped up their scrutiny of cybersecurity. Hearing the calls for legislation and regulation, the National Association of Insurance Commissioners (NAIC) adopted a Data Security Model Law with the goal of having it adopted in all states within a few years. So far, eight states (see below) have adopted a version of the Model Law and it looks like more are on the way.

What is the NAIC’s Data Security Model Law?

In an effort that largely began with establishing a task force in 2014, the NAIC adopted a Data Security Model Law in November 2017. The Model Law is intended to provide a benchmark for any cybersecurity program. The requirements in the Model Law track some familiar data security frameworks, such as the HIPAA Security Rule. It also has many similarities to the New York State Department of Financial Services (NYDFS) regulations (specifically the 23 NYCRR 500). Note that licensees are not subject to the Model Law unless the state where that licensee is licensed adopts a version of the Model Law. At that time, the licensee must comply with that law.

Who is Subject to the Model Law?

The Model Law generally applies to “Licensees,” defined as:

any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State but shall not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a Licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

Licensees range from large insurance carriers to small independent adjusters. These include individuals providing insurance related services, firms such as agency and brokerage businesses, and insurance companies. Additionally, there may be business that require a license, but are not traditionally considered to be in the insurance business. Examples include car rental companies and travel agencies that offer insurance packages in connection with their primary business.

The Model Rule provides exceptions for certain licensees. For example, licensees with fewer than ten employees (including independent contractors) are exempt from the requirement to maintain an information security program. However, they remain subject to the other provisions in the Model Law, such as the requirement to provide notification in the case of certain cybersecurity events.

What are some of the requirements of the Model Law? Read More

Is Your Small Business Prioritizing Cybersecurity?

By Joseph J. Lazzarotti and Maya Atrakchi on

A recent study surveying small and mid sized businesses (SMBs) found that 67% had experienced a cyber attack in 2018, and yet that same study found that cybersecurity is still “not on the to do list” for SMBs – 60% of the SMBs surveyed responded that they did not have a cybersecurity plan in place, and only 9% ranked cybersecurity as a top business priority. The federal government has taken notice of these concerning statistics.

Early this month, the U.S. House of Representatives passed five bipartisan bills to help small businesses. Among the bills passed, two specifically aim to enhance a small business’s ability to prevent and respond to a cybersecurity incident. First, the SBA Cyber Awareness Act, H.R. 2331, aims to strengthen the Small Business Administration’s handling and reporting of the cyber threats that affect small businesses. The bill requires the SBA to provide an annual report on the status of SBA cybersecurity, and notify Congress of any incident of cyber risk and how the SBA is addressing it. Second, the Small Business Development Center Cyber Training Act of 2019, H.R. 1649, requires the Small Business Administrator to establish or certify an existing cyber counseling certification program to certify employees at small business development centers. It also requires the SBA to reimburse lead small business development centers (SBDCs) for any costs relating to such certifications up to $350,000 in a fiscal year.

The Senate has also introduced legislation to help SMBs better address cyber threats. In late June, Senator Marco Rubio (R-FL) joined by Senator Gary Peters (D-MI) introduced the Small Business Cybersecurity Assistance Act of 2019, S.2034 that aims to better educate small businesses on cybersecurity through counselors and resources offered at SBDCs. The bill incorporates recommendations suggested by DHS and SBA’s Small Business Development Center Cyber Strategy in a report from March of 2019, which described challenges small businesses face with implementing cybersecurity for their business, including the confusing nature of government cyber resources and lack of training.

The cyber threats plaguing SMBs are real, and SMBs need to address the significant risk to their businesses. The cyber insurance industry is increasingly targeting SMBs with robust insurance policies, comparable to offerings for larger companies. While insurance is a helpful component of an overall risk management strategy, it should not be the only component.

In the event of a data breach, the policy might cover costs related to responding to that breach (sending notices, offering credit monitoring, etc.) and business interruption costs, but it might not cover the costs of a federal or state agency inquiry following the reported breach. That is, if, for example, a small health care practice reporting a breach might trigger a compliance review by the federal Office of Civil Rights. In that case, OCR investigators would be looking for information about the breach, but also evidence that a risk assessment was conducted, copies of written policies and procedures covering administrative, physical, and technical safeguards to protect health information, acknowledgments that employees completed HIPAA training, and other information to support compliance. Having these compliance measures in place can substantially limit an SMB’s exposure in these kinds of federal or state agency inquiries, as well as strengthen the SMB’s defensible position should the SMB be sued as a result of a breach.

Healthcare Organizations, Is Your Patient Portal Secure?

By Michael R. Bertoncini on

Co-author: Valerie Jackson

While healthcare organizations are embracing new technologies such as patient portals, a recent report shows that organizations’ cybersecurity measures for these technologies are behind the times. A patient portal is a secure online website that allows patients to access their Electronic Health Record from any device with an Internet connection. Many patient portals also allow patients to request prescription refills, schedule appointments, and securely message providers. With this increased access for patients comes the risk that someone other than the patient will gain unauthorized access to the portal, and to the patient’s electronic protected health information (ePHI).

2019 has seen record numbers of patient records being breached. Halfway through 2019, around 25 million patient records have been breached, eclipsing the number of patient records breached in all of 2018 by over 66%. In this environment where hackers find patient records a valuable commodity on the black market, healthcare organizations are must balance patients’ desire for ease of use with the duty to prevent unauthorized access to patient records. To learn more about how healthcare organizations are meeting this challenge, LexisNexis® Risk Solutions in collaboration with the Information Security Media Group conducted a survey in spring 2019 asking healthcare organizations about their cybersecurity strategies and patient identity management practices. The results of the survey, which included responses from more than 100 healthcare organizations, including hospitals and physician group practices, were recently published in a report, “The State of Patient Identity Management” (the “report”).

The report concluded that healthcare organizations had a high level of confidence in the security of their patient portals, but this confidence may be misplaced based upon the security measures respondents reported they had in place. The vast majority of healthcare organizations reported that they continued to use traditional authentication methods such as username and password (93%), knowledge-based authentication questions and answers (39%), and email verification (38%). Notably, less than two-thirds reported using multifactor authentication. Multifactor authentication verifies a user’s identity in two or more ways, using: something the user knows (passwords, security questions); something the user has (mobile phone, hardware that generates authentication code); and/or something the user does or is (fingerprint, face ID, retina pattern).

While the HIPAA Security Rule does not require multifactor authentication, it does require covered entities and business associates to use security measures that reasonably and appropriately implement the HIPAA Security Rule standards and implementation specifications. Generally, the HIPAA Security Rule requires covered entities and business associates to (1) ensure the confidentiality, integrity, and availability of all ePHI the covered entity or business associate creates, receives, maintains, or transmits, (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and (3) protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required. The Person or Entity Authentication standard of the HIPAA Security Rule requires that covered entities and business associates implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. However, this standard has no implementation specifications. It is also worth mentioning that under the HIPAA Privacy Rule prior to a permissible disclosure, a covered entity must verify the identity of person requesting ePHI and their authority to have access to that ePHI, if either the identity or authority is not known to the covered entity. In addition, the covered entity must obtain “documentation, statements, or representations” from the person requesting the ePHI when such is a condition of the disclosure.

Healthcare organizations are not required to adopt any one cybersecurity framework or authentication method under HIPAA, however increasing cybersecurity and implementing multifactor authentication for access to patient portals certainly helps with compliance under the HIPAA Security Rule. Failure to implement reasonable and appropriate cybersecurity measures could not only lead to a healthcare data breach, but it could also result in a covered entity or business associate being fined by the HHS Office for Civil Rights. To learn more about how the firm can assist healthcare organizations with HIPAA compliance and data security, please contact your Jackson Lewis attorney.

New York Enacts the SHIELD Act

By Joseph J. Lazzarotti, Jason C. Gavejian, Damon W. Silver, Mary T. Costigan and Maya Atrakchi on

On Thursday, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), sponsored by Senator Kevin Thomas and Assemblymember Michael DenDekker. The SHIELD Act, which amends the State’s current data breach notification law, imposes more expansive data security and data breach notification requirements on companies, in the hope of  ensuring better protection for New York residents from data breaches of their private information. The SHIELD Act takes effect on March 21, 2020. Governor Cuomo also signed into law the Identity Theft Prevention and Mitigating Services Act that requires credit reporting agencies that face a breach involving Social Security numbers to provide five years of identity theft prevention and mitigation services to affected consumers. It also gives consumers the right to freeze their credit at no cost. This law becomes effective in 60 days.

Below are several FAQs highlighting key features of the SHIELD Act:

What is Private Information under the SHIELD Act?

Unlike other state data breach notification laws, New York’s original data breach notification law included definitions for “personal information” and “private information.” The current definition of “personal information” remains: “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.” However, the SHIELD Act expands the definition of “private information” which sets forth the data elements that, if breached, could trigger a notification requirement. Under the amended law, “private information” means either:

  • personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the combination of personal information plus the data element is not encrypted, or is encrypted with an encryption key that has also been accessed or acquired:
    • social security number;
    • driver’s license number or non-driver identification card number;
    • account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or
    • biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity; OR
  • a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

It is worth mentioning that the SHIELD Act’s expansive definition of “private information” is still not as broad as the definition of the analogous term under the laws of other states. For example, California, Illinois, Oregon, and Rhode Island have expanded the applicable definitions in their laws to include not only medical information, but also certain health insurance identifiers.

How has the term “breach of security of the system” changed?

The SHIELD Act alters the definition of “breach of the security of the system” in two significant ways. First, it broadens the circumstances that qualify as a “breach” by including within the definition of that term incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information. Under the old law, access absent acquisition did not qualify as a breach. In connection with this change, the amendments also add several factors for determining whether there has been unauthorized access to private information, including “indications that the information was viewed, communicated with, used, or altered by a person without valid authorization or by an unauthorized person.”

Second, as discussed above, the expansion of the definition of private information effectively expands the situations which could result in a breach of the security of the system.  Notably, the SHIELD Act retains the “good faith employee” exception to the definition of “breach.”

Are there any substantial changes to data breach notification requirements? And who must comply?

Any person or business that owns or licenses computerized data which includes private information of New York residents must comply with breach notification requirements, regardless of whether the person or business conducts business in New York.

That said, there are several circumstances which would exempt a business from the breach notification requirements. For example, notice is not required if “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials”. Further, businesses that are already regulated by and comply with data breach notice requirements under certain applicable state or federal cybersecurity laws (e.g., HIPAA, NY DFS Reg. 500, Gramm-Leach-Bliley Act) are not required to further notify affected New York residents, however, they are still required to notify the New York State Attorney General, the New York State Department of State Division of Consumer Protection, and the New York State Division of the State Police.

What are the “reasonable” data security requirements? And who must comply with them?

As with the notification requirements, the SHIELD Act requires that any person or business that owns or licenses computerized data which includes private information of a resident of New York must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information. Again, businesses in compliance with laws like HIPAA and the GLBA are considered in compliance with this section of the law. Small businesses are subject to the reasonable safeguards requirement, however safeguards may be “appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.” A small business is considered any business with fewer than fifty employees, less than $3 million in gross annual revenue in each of the last 3 years, or less than $5 million in year-end total assets.

The law provides examples of practices that are considered reasonable administrative, technical and physical safeguards. For example, risk assessments, employee training, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposal of private information within a reasonable time period, are all practices that qualify as reasonable safeguards under the law.

Are there penalties for failing to comply with the SHIELD Act?

The SHIELD Act does not authorize a private right of action, and in turn class action litigation is not available. Instead, the Attorney General may bring an action to enjoin violations of the law and obtain civil penalties. For data breach notification violations that are not reckless or knowing, the court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations, the court may impose penalties of the greater of $5,000 dollars or up to $20 per instance with a cap of $250,000. For reasonable safeguard requirement violations, the court may impose penalties of not more than $5,000 per violation.

Conclusion

The SHIELD Act has far reaching effects, as any business that holds private information of a New York resident – regardless of whether that organization does business in New York – is required to comply. “The SHIELD Act will put strong safeguards in place to curb data breaches and identity theft,” said Justin Brookman, Director of Privacy and Technology Policy for Consumer Reports. The SHIELD Act signifies how seriously New York, like other states across the nation, is taking privacy and data security matters.  Organizations, regardless of their location, should be assessing and reviewing their data breach prevention and response activities, building robust data protection programs, and investing in written information security programs (WISPs).

Illinois’ Attorney General Wants to Know About Data Breaches

By Joseph J. Lazzarotti on

Possibly adding to the list of states that have updated their privacy and breach notification laws this year, the Illinois legislature passed Senate Bill 1624 which would update the state’s current breach notification law to require most “data collectors,” which includes entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, to notify the State’s Attorney General of certain data breaches. The state’s current statute already requires notification of a data breach to the Attorney Generals’ office, but only in the event of data breach affecting state agencies, and only if those breaches affect more than 250 Illinois residents.

Under the Senate Bill, if a data collector is required to notify more than 500 Illinois residents as a result of a single data breach, that data collector also must notify the Illinois Attorney General’s office. Similar to the requirements in other states requiring Attorney General notification, the law requires certain content be included in the notification:

  •      A description of the nature of the breach of security or unauthorized acquisition or use.
  •      The number of Illinois residents affected by such incident at the time of notification.
  •      Any steps the data collector has taken or plans to take relating to the incident.

In addition, if the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector must inform the Attorney General of the date of the breach as soon as possible. Note, some states have more extensive content requirements, such as Massachusetts, which requires covered entities that experience a breach to inform the Attorney General (and the Commonwealth’s Office of Consumer Affairs and Business Regulation) about whether the organization maintains a written information security program. The change in Illinois would exclude covered entities or business associates that are subject to the privacy and security regulations under HIPAA, provided they are compliant with those regulations. Of course, covered entities and business associates would still have to notify the federal Office of Civil Rights in the event of a data breach affecting unsecured protected health information.

The change would require the notification to be made in the most expedient time possible and without unreasonable delay, but not later than when the data collector provides notice to individuals affected by the breach. Also joining some other states, such as Massachusetts and New Hampshire, the Senate Bill provides that the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.

Should these changes become law, the patchwork of state breach notification laws continues to grow more complex, particularly for organizations that experience multistate data breaches. It is critical, therefore, that organizations are prepared with an incident response plan, one that not only addresses steps to drive systems-related investigations and recovery, but also a timely and compliant communication and notification strategy.

 

 

CCPA Update – Maybe Employees Are “Consumers” After All – Employee PI is Still In Play

By Jason C. Gavejian and Joseph J. Lazzarotti on

Employers, you are not out of the CCPA woods yet.

If you have been tracking the proposed amendments to the California Consumer Privacy Act (CCPA), you know that businesses and stakeholders have been clamoring to shape the new sweeping law in a number of ways. We reported earlier this year on some of the potential changes approved by the California Assembly Privacy and Consumer Protection Committee, which moved on for further consideration. Upon arrival at the Senate Judiciary Committee, several of these business-friendly changes met some resistance, including AB 25 which generally would have excluded employee personal information from being covered under the CCPA.

While employers had hoped AB 25 would amend the CCPA to exclude information gathered in the employment context outright, on July 9, 2019, the California Senate Judiciary Committee clarified that will not be the case.

As we previously noted, the Privacy and Consumer Protection Committee in April unanimously approved AB 25 which sought to modify the definition of “consumer” under the CCPA to exclude “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.”

A coalition in opposition to AB 25 expressed concerns that the exemptions go too far in eroding the rights of employee consumers, especially in light of current and future workplace monitoring practices. In response to these concerns, the bill’s author, Assemblymember Ed Chau, agreed to amend AB 25 to clarify that while employee data would be excluded from many of the CCPA’s requirements (including permitting consumers to request: the deletion of their personal information; the categories of personal information collected; the sources from which personal information is collected; the purpose for collecting or selling personal information; and the categories of third parties with whom the business shares personal information), employers subject to the CCPA would still be required to inform consumers (including employees) as to the categories of personal information they collect and the purposes for which such personal information shall be used.

Notably, AB 25’s exemption for employee data would not apply to the CCPA’s subdivision which establishes a private right of action, including those brought as a class action, for any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. This private right of action establishing statutory damages permitting the recovery of damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

To afford business and consumer groups time to develop additional legislation to address concerns about employee personal information, Assemblymember Chau further revised AB 25 to specify that the exemption for employee data would only be effective for the 2020 calendar year and would be inoperative on or after January 1, 2021.

As amended, AB 25 unanimously passed through the Senate Judiciary Committee and will now go to the Senate Appropriations Committee, and if passed, to a full Senate for a final vote. AB 25’s amendments highlight the growing recognition of privacy interests in the employment context and the need for businesses to continue to prepare for the CCPA’s effective date.

Maine and Nevada Sign into Law Consumer Privacy Laws

By Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi on

The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most robust state privacy law in the United States. The CCPA seems to have spurred a flood of similar legislative proposals on the state level, and started a shift in the consumer privacy law landscape. Many of these proposals end up dying somewhere along the rigorous legislative process, but in the last few weeks both Maine and Nevada signed into law bills that, although much more narrow than the CCPA, certainly bear resemblance.

Maine

Maine Governor Janet Mills recently signed into law the Act to Protect the Privacy of Online Consumer Information, LD 946, which imposes data privacy requirements on Internet service providers (ISPs). This law requires ISPs to obtain customer consent before “using, disclosing, selling or permitting access” to their data with a third party. In addition, an ISP is prohibited from refusing to serve a customer based on their refusal to consent to the data usage terms. Finally, ISPs will also be required to take “reasonable measures” to protect customer personal information from “unauthorized use, disclosure, sale or access”. The law is applicable to all ISPs that service customers physically based and billed for within the State. The Maine law will take effect July 1, 2020.

Nevada

 In late May, Nevada Governor Steve Sisolak signed into law an act relating to Internet privacy, SB 220. Nevada’s new law prohibits an operator of an Internet website or online service which collects “covered information” from consumers from selling that information to a third party without prior consent. “Covered information” is limited to “personally identifiable information” which includes a first and last name, home or other physical address, e-mail address, telephone number, social security number, an identifier that allows a specific person to be contacted either physically or online, and any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable. The law takes a limited approach to “sale” which is defined as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons”. The law includes several exemptions including financial institutions subject to GLBA, institutions subject to HIPAA, motor vehicle manufacturers and third parties that host or manage Internet websites or online services on behalf of their owners. Notably, the Nevada law will take effect October 1, 2019 (sooner than the CCPA, which becomes effective January 1, 2020).

While both the Maine and Nevada law are much more limited in scope than the CCPA, these types of laws signify how complicated the patchwork of laws will become as more states enact their own privacy laws which are inconsistent and often include mutually exclusive requirements from one another. Other states that are considering or have recently considered consumer privacy legislation include Connecticut, Hawaii, Illinois, Maryland, Massachusetts, New Jersey, New Mexico, North Dakota, Texas and Washington. Needless to say, the compliance challenges for affected organizations will only continue to grow with the passage of each state bill.

 

 

Upward Trend in Cyberattacks Targeting Senior Executives

By Joshua D. Allen on

Verizon recently published its 2019 Data Breach Investigations Report. This report is the 12th edition and contains an analysis of 41,686 security incidents with 2,013 confirmed breaches from 73 sources, including public and private entities. Included among its many findings, the report found high-level executives are twelve times more likely to be the target of social incidents, when an information asset is compromised, and nine times more likely to be the target of social breach, a confirm unauthorized disclosure of data, as compared to past years. It explained that senior executives, who typically face a great deal of time pressures and stress, are more likely to unknowingly click on sham emails, which could compromise their data security systems. Moreover, a successful attack on a senior executive can reap large rewards as a senior executive likely has access to critical systems and unchecked approval authority. Indeed, the report notes that financial gain is the primary motivator for all data breaches, representing 71% of breaches. As a close second, espionage accounts for 25% of all breaches.

The report also found an increasing number of cybersecurity attacks on cloud-based environments as many companies and organizations move their data to the cloud. That being said, ransomware attacks continue to be a significant threat, accounting for 24% of all malware incidents.

“Enterprises are increasingly using edge-based applications to deliver credible insights and experience. Supply chain data, video, and other critical – often personal – data will be assembled and analyzed at eye-blink speed, changing how applications utilize secure network capabilities” comments George Fischer, president of Verizon Global Enterprise. “Security must remain front and center when implementing these new applications and architectures.”

In addition to these types of cyberattacks, the report highlights that everyone is susceptible to cybersecurity incidents. In fact, small businesses account for nearly 43% of all cybersecurity victims.

As evidence by the report, the threat of a cybersecurity attack is not going anywhere. Although data security increasingly progresses, bad actors continue to evolve their tactics to obtain unlawfully sensitive data and information, resulting in significant damages to companies and individuals. The FBI found that the median direct loss for a business email compromise is about $8,000 and about $25,000 for a computer data breach.

The ease with which employees acquire, handle and transport massive amounts of sensitive personal information make it critical that businesses ensure their employees, regardless of department or level, have greater awareness of the sensitivity of this information and receive regular training on how to prevent, spot and respond to a cybersecurity attack. This should be a part of any written information security plan.

LexBlog