Musings of Retirement Plan Fiduciaries on Cybersecurity: Episode One

By now, plan fiduciaries and their service providers likely have heard about the DOL’s cybersecurity guidance. The Department of Labor’s stepping into cybersecurity in this way – a posting of best practices on the agency’s website – has left plan fiduciaries with some questions. Here are a few:

  • “When is this effective?”
  • “Does this apply to me?”
  • “Could I be liable if a service provider has a data breach?”
  • “We are halfway through the term of our services agreement with our recordkeeper, do we need to do something now?”
  • “This is IT’s problem, right?”
  • “What exactly do we have to do to be ‘prudent’?”
  • “Do we have to communicate anything to plan participants?”
  • “If our service provider had a data breach, do we have to terminate the relationship?” “What factors should we considering in making that decision?”

So, what are plan fiduciaries actually thinking? Fortunately, we’ve been able to obtain snippets of conversations between plan fiduciaries that may provide some insight into that question. Here is our first installment, and, of course, we redacted the text to protect the privacy of the individuals.

Retirement Plan Committee Chair: So, what did you think of your first retirement plan committee meeting?

New Committee Member: Well it sounds like it will be really interesting…though, I’m a little bit nervous about the personal responsibility part and I’m not much of a technology person. I keep hearing about these breaches in the news, ransomware, you know, and I was one of the people on the gas line due to the Colonial Pipeline incident.

Retirement Plan Committee Chair: I know what you mean. During the time we were out of the office for COVID, if it weren’t for my 13-year-old, I don’t think I would have been able to get onto any conference calls! But I think we have a good team and good procedures. There is a fiduciary training coming up and I believe they will cover this.

New Committee Member: Yea, that will be good. I am not sure I know all the service providers we have for the plans. We spoke a lot about the 401(k) plan’s recordkeeper tonight, are there others?

Retirement Plan Committee Chair: That is a good question. We definitely will need to identify all of our service providers, particularly those handling plan data. I know we have an auditor, and then there is our investment advisory firm…

New Committee Member (interrupting): …and what about the financial wellness vendor?

Retirement Plan Committee Chair: Yes, them too. Well, we should probably regroup after the training and come up with a plan. I have to run, see you next week.

New Committee Member:  OK, bye.

It looks like this organization takes its retirement plan administration seriously and has some thoughtful people on the team. Retirement committees generally are not required under ERISA but they can be a valuable tool for organizing the administrative responsibilities of an employee benefit plan.

Getting more educated on “cybersecurity” is a good initial step for a committee or plan fiduciaries generally. Done right, training will help fiduciaries better understand the threats and vulnerabilities to data generally (not just from criminal hackers) and gain more insight into the DOL’s best practices. Such training also can help plan fiduciaries (and personnel on virtually all levels of plan administration) appreciate more of the ways data may be accessed or transmitted in the course of operating a plan. Looking at plan operations from that perspective, where data lives and how it moves, can help plan fiduciaries identify the service providers they need to be thinking about.

Perhaps the most important nugget from the exchange above for addressing the DOL’s guidance is from the Retirement Plan Committee Chair – come up with a plan!

Texas Joins Other States with New Texas Data Breach Notification Requirement: Is This a New Trend?

The Texas Legislature, which meets every other year, pushed a change to its data breach notification law at the end of the session in late May, and yesterday Governor Greg Abbott signed the bill into law.  It follows a growing trend of changes to privacy and cybersecurity laws at the state level.

Texas House Bill 3746 will amend Texas Business and Commerce Code § 521.053, which requires notifications to individuals and the Texas Attorney General following certain data breaches.  The amendment adds a requirement for the Texas Attorney General to post on its website a listing of data breach notifications received, when a breach involves 250 or more Texas residents. California has a similar requirement, although it is for breaches affecting 500 or more residents.

Specifically, the Texas amendment would require the Texas Attorney General to:

  • Post on the Attorney General’s public website a listing of notifications received, excluding any sensitive personal information, any information that may compromise a data system’s security, and any other information reported to the Attorney General that is made confidential by law;
  • Maintain an updated listing on the website, and update the list no later than every 30 days; and
  • Remove data no later than one year following the date it was added, unless the entity notified the Attorney General of additional incidents.

The amendment also now requires that entities reporting a breach to the Texas Attorney General provide the number of Texas residents receiving notification of the breach, in addition to the current requirements of:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
  • The number of residents affected by the breach;
  • The measures taken by the person regarding the breach and any measures the person intends to take regarding the breach after notification; and
  • Information regarding whether law enforcement is engaged in investigating the breach.

The Texas amendment may indicate a growing trend towards increased information sharing in an effort to prevent future data breaches. On the federal level, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has implemented several programs in the past year to promote information sharing and awareness.  “Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation. As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, the CISA has developed and implemented numerous information sharing programs. Through these programs, CISA develops partnerships and shares substantive information with the private sector, which owns and operates the majority of the nation’s critical infrastructure. CISA also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries”, CISA states. More information on CISA information sharing and awareness programs is available here.

The updated Texas law will take effect September 1, 2021.  With no shortage of large-scale breaches and heightened public awareness across the nation, organizations regardless of jurisdiction are advised to evaluate and enhance their data breach prevention and response capabilities.

 

Connecticut on its Way to an Enhanced Data Breach Notification Law

UPDATE: On June 16, Gov. Ned Lamont signed HB 3510 into law which becomes effective October 1, 2021.

State legislatures across the nation are prioritizing privacy and security matters, and Connecticut is no exception. This week, Connecticut Attorney General William Tong announced the passage of An Act Concerning Data Privacy Breaches, a measure that will enhance and strengthen Connecticut’s data breach notification law. The Connecticut House of Representatives unanimously approved the bill on May 27th, and Senate followed with unanimous approval shortly after.  The bill now heads to Governor Ned Lamont for signage.

Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so. Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved. This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents,

Attorney General Tong observed in his announcement of the data breach notification bill.

Key aspects of Connecticut’s enhanced data breach notification law include:

  • Expansion of the definition of “personal information.

Originally, Connecticut defined “personal information” as an individual’s first name or first initial and last name in combination with any one, or more, of the following data:

    • Social security number
    • Driver’s license number
    • State identification card number
    • Credit or debit card number
    • Financial account number in combination with any required security code, access code, or password that would permit access to such financial account.

The new law if enacted will look more like similar laws in California and Florida by including additional data categories:

    • Individual taxpayer identification number
    • Identity protection personal identification number issued by the IRS
    • Passport number, military identification number or other identification number issued by the government that is used to verify identity
    • Medical information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional
    • Health insurance policy number or subscriber identification number, or any unique identifier by a health insurer to identify the individual
    • Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; and
    • User name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
  • Notification Time and Content.

The new law would shorten the time a business has to notify affected Connecticut residents and the Office of the Attorney General of a data breach time from 90 days to 60 days. Remember, as with most other breach notification mandates, the timing requirement is “without unreasonable delay but not later than 60 days” in this case. In addition, if identification of a resident of the state whose personal information was breached or reasonably believed to have been breached will not be completed within 60 days, the business must provide preliminary substitute notice as outlined by the law, and proceed in good faith to work to identify affected residents and provide direct notice as expediently as possible. Incident response plans would need to be reviewed to ensure this requirement is incorporated.

  • Breach of Login Credential. 

The new law would add a section addressing unique notification requirements in the case of a breach of login credentials. In such a case, notice to an affected resident may be provided in electronic or other form that directs the resident to promptly change any password or security questions and answers, or to take other appropriate steps to protect the affected online account, or any account with the same login credentials.

  • HIPAA and HITECH Act Exception.

Any person subject to and in compliance with HIPAA and/or the HITECH Act privacy and security obligations is deemed in compliance of the new law with a couple of critical exceptions. First, as under New York’s SHIELD Act, a person subject to HIPAA or HITECH that is required to notify Connecticut residents of a data breach under HITECH still must notify Connecticut’s Attorney General at the same time residents are notified. Second,  if the person would have been required to provide identity theft prevention and/or mitigation services under Connecticut law, which is for a period of 24 months, that requirement remains.

  • Investigation Materials.

Under the new law, documents, material and information connected to the investigation of a breach of security would be exempt from public disclosure, unless required to be made available to third parties by the Attorney General in furtherance of the investigation.

This new law, if signed keeps Connecticut in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

Below are several resources for understanding current trends in the state data breach notification law landscape:

Supreme Court Adopts Narrow Interpretation of Computer Fraud and Abuse Act

In a landmark decision, the U.S. Supreme Court has ruled that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq., does not prohibit improper use of computer information to which an individual has authorized access. Rather, the law prohibits obtaining information from areas of a computer, such as files, folders, or databases, that are outside the limits of the individual’s authorized access. Van Buren v. United States, No. 19-783 (June 3, 2021).

Before the Court took up the case, a sharp split existed among circuit courts, with serious ramifications for employers. The First, Fifth, Seventh, and Eleventh Circuits had adopted a broad construction of the CFAA, allowing claims to go forward when an individual misused information they were otherwise permitted to access. The Second, Fourth, and Ninth Circuits took a narrower approach, concluding that CFAA claims were limited to situations in which an individual accessed information off-limits to them, and mere misuse of information to which they had authorized access could not constitute a violation.  The Supreme Court resolved this split in favor of the narrower reading.

Employers should assess whether they have sufficient safeguards in place to protect against the conduct in Van Buren. While improper use of information through authorized access may no longer violate the CFAA, it can still wreak havoc on a business. Jackson Lewis’s Privacy, Data and Cybersecurity practice group, in conjunction with the Non-Competes and Protection Against Unfair Competition practice group, published an article on the Jackson Lewis website, explaining the Van Buren case in depth and its potential impact.

NY Attorney General Announces Settlement After Website Data Breach

In late May, New York Attorney General Letitia James announced a $200,000 settlement agreement with Filters Fast, an online water filtration retailer, stemming from a 2019 data breach compromising the personal information of over 300,000 consumers across the U.S., including nearly 17,000 in New York state.  The settlement also requires the online retailer to strengthen its cybersecurity policies and procedures.

The settlement was the result of an enforcement action brought by the State AG under New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). See our SHIELD Act FAQs here.  The SHIELD Act was enacted in 2019 with the goal of strengthening protection for New York residents against data breaches affecting their private information.   The Act imposes expansive data security obligations and updated the State’s existing data breach notification requirements.

The Filters Fast breach affected the names, billing addresses, and credit card expiration dates and security codes of customers who purchased products on the Company’s website for nearly a year, between July 2019 – July 2020. Filters Fast was first made aware of the breach in February 2020, but after conducting an internal investigation concluded that a breach had not occurred.  After receiving several additional reports of compromised data, however, the Company’s internal investigator concluded in late July of 2020 that a breach had in fact occurred, and the website was patched. On August 14th 2020 – over a year after the breach had initially occurred, and approximately six months after the Company first became aware of it – notification of the breach was sent to affected customers.

“New Yorkers should never have to worry that their personal information will be attacked during a routine online checkout process,” said Attorney General James in her announcement of the settlement. “Online information security has been especially critical during the COVID-19 pandemic, during which New Yorkers have increasingly relied on online retailers, such as Filters Fast, to purchase basic household goods. My office is committed to protecting consumers, which is why we will continue to use every available tool to hold companies accountable when they fail to safeguard personal information.”

In addition to the settlement payment, the AG’s agreement with Fast Filters  requires several improvements to the company’s policies and procedures to help prevent future data security incidents, such as:

  • Creating a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the company’s CEO concerning security risks;
  • Designing an incident response and data breach notification plan that encompasses preparation, detection and analysis, containment, eradication, and recovery;
  • Adopting personal information safeguards and controls — including encryption, segmentation, penetration testing, logging and monitoring, virus protection policy, custom application code change reviews, authentication policy and procedures, management of service providers, and patch management; and
  • Ensuring that third-party security assessments take place over the next five years.

The SHIELD Act is far-reaching: it affects any business that holds private information of a New York resident — regardless of whether the organization does business in New York, and including small businesses. Under the Act, individuals and businesses that collect computerized data, including private information about New York residents, must implement and maintain reasonable administrative, physical and technical safeguards. The Act provides several safeguards which may be implemented to ensure compliance.

Data privacy and security risks continue to emerge with enforcement not far behind. Regardless of their location, organizations should be assessing and reviewing their data breach prevention and response activities, building robust data protection programs, and investing in written information security programs (WISPs).

Additional resources on security program implementation, particularly for small and mid-sized organizations are available here:

 

The New EU Standard Contractual Clauses

The EU Commission is expected to adopt the long awaited updated Standard Contractual Clauses (“SCCs”) on June 4, 2021. In the wake of the Schrems II decision invalidating the EU-U.S. Privacy Shield, the SCCs have played an increased role as an appropriate safeguard for transferring personal data from the European Economic Area to recipients in the U.S. and other countries without an EU Adequacy Decision. Globalization and the growth in outsourcing have created unanticipated transfer scenarios the original SCCs were unable to adequately address. For U.S. companies sending or receiving personal data from the European Economic Area, these new clauses will help accommodate an expanded set of transfer arrangements including processor to processor and processor to controller. Among other changes, it is anticipated the SCCs will address the data importer’s duties in situations where applicable laws affect its ability to comply with the SCCs, an issue raised in the Schrems II decision. Companies currently transferring personal data in reliance on existing SCCs will have a grace period in which to replace them with the new SCCs.

Long-Term Care Facilities Must Educate, Offer, and Report on COVID-19 Vaccinations for Residents and Staff, According to CMS Interim Rule

On May 11, 2021, the Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health & Human Services published an interim final rule/guidance to establish COVID-19 vaccination requirements for Long-Term Care (LTC) facilities. The requirements are applicable to both residents and staff. LTC facilities have already been managing COVID-19 vaccination requirements both at the federal and state levels. CMS’ interim final rule, however, adds new requirements for educating residents (or resident representatives) and staff regarding the benefits and potential side effects associated with the COVID-19 vaccine, offering the vaccine, and reporting COVID-19 vaccine and therapeutics treatment information to the Center for Disease Control’s (CDC’s) National Healthcare Safety Network (NHSN)

An important definition in the guidance is of the term “staff.” This includes individuals who work in the facility on a regular (that is, at least once a week) basis, including individuals who may not be physically in the LTC facility for a period of time due to illness, disability, or scheduled time off, but who are expected to return to work. The term also includes individuals under contract or arrangement, including hospice and dialysis staff, physical therapists, occupational therapists, mental health professionals, or volunteers, who are in the facility on a regular basis, as the vaccine is available.

The chart below provides an outline of the requirements in the interim final rule.

Residents/Staff

Education Education should be provided in a manner that is easily understood and in advance of each vaccination dose, which should include (i) FDA EUA Fact Sheet, (ii) benefits and side effects (e.g., fever, aches, rare reactions) for each dose needed.
Vaccination LTC facilities must have policies and procedures to oversee that vaccines are offered when supplies are available (unless contraindicated or already immunized). Facilities also need to be screening for prior immunization, and medical precautions, contraindications necessary to determine eligibility.

Residents and staff must have opportunity to accept or decline the vaccine, and change their decisions. Note, residents may decline vaccines and LTC facilities may not take any adverse action, including social isolation, denied visitation, and involuntary discharge. However, staff may not be able to decline vaccination, as LTC facilities will need to review state law and organizational policies.

If a resident or staff member requested vaccination and missed prior opportunity for any reason, the LTC facility must offer vaccine as soon as possible.

Vaccinations must be conducted in accordance with CDC, ACIP, FDA, and manufacturer guidelines. All facilities must adhere to current infection prevention and control recommendations when preparing and administering vaccines, including monitoring for adverse reactions. This includes monitoring of indications and contraindications for COVID-19 vaccination, including new or revised guidelines issued by the CDC, FDA, vaccine manufacturers, or other expert stakeholders.

If the vaccine is unavailable, LTC facilities should provide information on obtaining vaccination opportunities (e.g., health department or local pharmacy)

Vaccine education and offer requirements do not apply to individuals entering the LTC facility for a specific purpose, or limited amount of time – e.g., delivery, repair persons, volunteers, entering facility less than once per week.

 

Residents

Staff

Documentation Residents’ medical record must document:

o   that resident or resident representative was provided education regarding the benefits and potential risks associated with COVID-19 vaccine;

o   each dose of vaccine administered, or that the resident did not receive the COVID-19 vaccine due to refusal or medical contraindications;

o   date education and offer of vaccine took place;

o   name of representative that received education and accepted/refused vaccine, if applicable; and

o   Samples of educational materials used.

LTC facilities need to document vaccine status of residents, including total numbers of residents, numbers of residents vaccinated, numbers of each dose of COVID19 vaccine received, vaccination adverse events, and therapeutics administered for treatment of COVID-19.

Documentation concerning staff includes:

o   that staff was provided education regarding the benefits and potential risks associated with COVID-19 vaccine;

o   that staff were offered the vaccine or information on obtaining-19 vaccine, unless contraindicated or already vaccinated; and

o   vaccine status of staff and related information as indicated by NHSN.

LTC facilities need to document vaccine status, including total numbers of staff, number of staff vaccinated, numbers of each dose of COVID19 vaccine received, and any vaccination adverse events.

This could be accomplished with a staff roster noting education (e.g., sign-in sheets), date of education, samples of educational materials. Additionally, for staff that have already been vaccinated or received the vaccination outside the LTC facility, the facility should request staff to substantiate their vaccination.

  LTC facilities must be able to provide evidence, upon request, of efforts made to make the vaccine available.

If there is manufacturing delay, LTC facility must be able to provide evidence of the delay, and efforts to acquire subsequent doses as necessary.

Reporting Adverse reactions must be reported to the Vaccine Adverse Event Reporting System (VAERS)

Through the National Healthcare Safety Network (NHSN) LTC facilities are required to report, on a weekly basis, the COVID-19 vaccination status of residents and staff, total numbers of residents and staff vaccinated, each dose of vaccine received, COVID-19 vaccination adverse events, and therapeutics administered to residents for treatment of COVID-19.

These new requirements will raise additional data privacy and security requirements for LTC facilities involving the collection, storage, transmission, and potential recordkeeping of resident and employee health information. LTC facilities should review their policies and procedures and how they will be applied these new requirements.

CMS will begin reviewing for compliance with the new vaccination reporting requirements beginning Monday, June 14, 2021.

Surveyors will engage in efforts to ensure compliance. Surveyors will be looking for a facility representative to provide information on how residents and staff are educated about and offered the COVID-19 vaccine. They will want to see educational materials. Surveyors will request a list of residents and staff and their COVID-19 vaccination status, further review their records and even conduct interviews to confirm residents and staff were educated on and offered the COVID-19 vaccine, in accordance with the new requirements.

According to the guidance, failure to meet reporting requirements will result in a Civil Monetary Penalty (CMP) starting at $1,000 for the first occurrence. For each subsequent week that the facility fails to submit the required report, noncompliance will result in an additional CMP imposed at an amount increased by $500 and added to the previously imposed CMP amount for each subsequent occurrence.

Is New York Next? A Comprehensive Consumer Privacy Bill Reintroduced

On May 13th, New York State Senator Kevin Thomas, Chair of NY’s Consumer Protection Committee, reintroduced the New York Privacy Act (“NYPA”), a comprehensive consumer privacy law similar in kind to the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and Virginia’s Consumer Data Protection Act (“CDPA”).  The NYPA had been introduced in a previous legislative session back in 2019, but failed to move forward in the legislative process.

This version of the NYPA is in some respects less ambitious than the prior version.  For example, the latest version removed the bill’s broad application to any “legal entities that conduct business in New York” or that produce products or services that “intentionally target” New York residents, which would have meant that small-to-medium size businesses, and potentially even not-for-profits, would have been subject to the law. Nevertheless the NYPA surpasses the CCPA and CDPA in some important respects, including by requiring data controllers to:

  • collect opt-in consent from consumers before processing their personal data for any purpose;
  • provide detailed disclosures about the activities of outside parties to whom they disclose personal data;
  • respond to consumer requests to correct personal data; and
  • make disclosures about their automated decision-making activities, afford consumers the opportunity to challenge automated decisions, and conduct and publish assessments on the impacts of their automated decision-making processes.

The NYPA would also impose on data controllers duties of loyalty and care – the latter of which would require an annual risk assessment of all of the data controller’s data processing activities – and take direct aim at targeted advertising and data sales, declaring that these activities “shall not be considered processing purposes that are necessary to provide services or goods requested by a consumer.”

“Consumers should have a right to choose if and how their personal information is collected and used by companies,” said Senator Thomas in his reintroduction of the NYPA. “And New Yorkers deserve to know that businesses who are collecting, processing and protecting their personally identifiable information are doing so ethically and responsibly. The New York Privacy Act will set new, groundbreaking standards for comprehensive privacy legislation by advancing consumer privacy rights and creating stronger industry standards that empower businesses to enhance consumer confidence by putting privacy and security front-and-center.”

Below is a rundown of the NYPA’s key components:

  • Application: The NYPA would apply to legal persons that conduct business in New York State or produce products or services intentionally targeted to residents in New York State and that satisfy at least one of the following thresholds:
    • have annual gross revenue of $25M or more;
    • control or process personal data of at least 100,000 New York residents;
    • control or process personal data of at least 500,000 persons nationwide, at least 10,000 of whom are New York residents; or
    • derives over 50% of its gross revenue from the sale of personal data, and controls or processes personal data of at least 25,000 New York residents.
    • Exempt: Exempted from the NYPA are state and local governments, and personal data that is regulated by HIPAA, HITECH, FERPA, DPPA, GLBA and notably, “data sets maintained for employment records purposes, for purposes other than sale”.
  • Personal Data: Similar to the CCPA and CDPA, the NYPA defines personal data broadly to include “any data that is identified or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device”. That said, unlike the CPRA,  CDPA or GDPR, the New York bill does not include a category for “sensitive data” to which heightened protections apply.
  • Consumer: The NYPA defines “consumer” as “a natural person who is a resident of New York acting only in an individual or household context.” The NYPA states that the definition of consumer does not include a “natural person acting in a commercial or employment context.”
  • Consumer Rights: The NYPA provides consumers a broad set of rights over their personal data, including the rights to:
    • receive clear notice of how their data is being used, processed and shared;
    • provide or withhold consent for the processing of their data for any purpose;
    • access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services;
    • correct inaccuracies in their data;
    • delete their data; and
    • challenge certain automated decisions.
  • Notice to Consumers: Under the NYPA, data controllers must provide written notice to consumers when processing their personal data in an “easy-to-understand language at an eighth-grade reading level or below.” This notice must include a description of the consumers’ rights, the categories of personal data processed, the sources of that data, the purposes for which the data is processed, and the identities of all outside parties to whom the data is disclosed, as well as information about how those parties will use the data and how long they will retain it. The notice must be dated with its effective date and updated at least annually. The notice (as well as each version of the notice dating back six years) must be made readily available to consumers
  • Non-Discrimination: The NYPA prohibits discrimination against a consumer who exercises their rights under the law. For example, a business may not target the consumer by denying goods or services or charging a higher price.
  • Data Broker Registry: The NYPA requires data brokers to register, pay an annual fee to the Attorney General, and submit information regarding their data use practices and contact information. The Attorney General must maintain a data broker registry on its website. Additionally, controllers must annually submit a list of all known data brokers or persons reasonably believed to be data brokers with whom the controller provided personal data in the preceding year and can only share personal data with data brokers that are properly registered.
  • Data Security: At least annually, under the NYPA, data controllers are required to conduct and document risk assessments of all current processing of personal data. In addition, data controllers must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal data of consumers including adopting reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data at issue. The NYPA also imposes requirements related to data retention, data disposal and vendor management.
  • Enforcement and Private Right of Action: The NYPA authorizes the Attorney General to bring an action or special proceeding whenever it appears that a person has engaged or is about to engage in a violation of the law, with civil penalties of not more than $15,000 per violation (each instance of unlawful processing counts as a separate violation). And unlike comparable state laws, the NYPA would grant consumers a private right of action to enjoin violations of their rights under the law and to seek the greater of actual damages or liquidated damages in the amount of $1,000, along with attorney’s fees.  Contrary to other state consumer privacy bills introduced of late, such as Florida’s recently failed HB 969 or New York’s Biometric Privacy law, an organization found to have violated the NYPA does not have the opportunity to cure the violation before facing enforcement actions or litigation.

States across the country are contemplating ways to enhance their data privacy and security protections, with New York playing a leading role.  In addition to the reintroduction of the NYPA, there are other consumer privacy bills under consideration by the New York state legislature, and the New York City Council recently passed a data privacy bill that would impose rigorous requirements on owners of “Smart Access” buildings, and also created biometric information collection requirements for retail and hospitality businesses similar in kind to Illinois’s infamous Biometric Information Privacy Act (“BIPA”). Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

 

Don’t be Fooled by the CPRA Effective Date, Employers Have Current Obligations Under the CCPA

The passage of Prop 24, the California Privacy Rights Act of 2020 (“CPRA”), has caused a bit of confusion among businesses in California.  The confusion stems from the fact that the CPRA has an effective date of January 1, 2023, amending the existing California Consumer Privacy Act (CCPA) when it takes effect, but also immediately extending the current limited exemptions under the CCPA for employment-related data, also to January 1, 2023. (Without the CPRA, the limited exemptions would have already expired.)_ It appears that this labyrinth of amendments, extensions, and exemptions has misled some businesses subject to CCPA (the rules for which will change a little under the CPRA) into believing that they are completely exempt from privacy obligations until 2023 with respect to job applicants, employees, owners, directors, officers, medical staff, and contractors (collectively “employees and applicants”).  This is not the case!  In short, businesses have existing obligations under the CCPA concerning the personal information of their employees and applicants, which became effective on January 1, 2020.

To understand the current employment-related obligations of businesses in California, a brief history lesson is needed.  The CCPA was signed into law in 2018 by then Governor Jerry Brown.  Immediately, it became clear that there were major problems with the law, including, but not limited to, the definition of “consumer” (the second C in CCPA), which is defined to be any resident of California.  Lawmakers recognized the potential issues that would come from granting employment-related data subjects (i.e., job applicants, employees, independent contractors) all the rights a traditional consumer would have under the CCPA.  Thus, the California State Assembly introduced AB25, which originally tried to completely exempt business from having to comply with the CCPA for employees and applicants.

Unfortunately for employers, AB25 was amended in the State Senate and the version that was eventually passed and signed into law by Governor Gavin Newsom in October 2019 (just weeks before the CCPA became effective) exempted businesses in their role as employers from most but not all of the CCPA’s requirements with respect to employment-related data (i.e., limited exemptions mentioned above).

Under the CCPA (as amended by AB25), employers have the following current obligations:

  • Provide notices to employment-related data subjects (job applicants, employees, owners, directors, officers, medical staff, and contractors) of the categories of personal information being collected and the purposes for which the personal information will be used
  • Implement “reasonable security” over certain categories of personal information to avoid a private right of action following a data breach. To this end, it may be prudent to review and augment vendor contracts to ensure that employment-related personal information is handled properly.

Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements.

 

 

Biden Administration Issues Cybersecurity Executive Order Following Colonial Pipeline Cyberattack

On May 12, 2021, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, reportedly a ransomware incident that snarled the flow of gas on the east coast for days. Ransomware attacks are nothing new, but they are increasing in severity. Most do not see the large sums paid to hackers by victim organizations needing access to their encrypted data or wanting to stop a disclosure of sensitive information if they can. But most do see the crippling of vital infrastructure caused by compromised computer systems without which basic services cease to flow.

Of course, the Colonial Pipeline incident is not the only attack we have seen affecting entities that provide to critical infrastructure. In February of this year, ABC News reported that weak cybersecurity controls “allowed hackers to access a Florida wastewater treatment plant’s computer system and momentarily tamper with the water supply,” based on a memo by federal investigators obtained by ABC. A month later, sensitive data were exposed for some time in cloud storage by New England’s largest energy provider, according to reports. The SolarWinds breach last year, named Sunburst, was a massive compromise of government agencies including the Department of Energy.

Will the EO help? It is unclear at this point, however, the EO makes a clear statement on the policy of the Administration:

It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.

The effect of the EO will mostly affect the federal government and its agencies. However, several of the requirements in the EO will reach certain federal contractors, and also will influence the private sector. Below are several of the items directed by the EO:

  • Removing contractual barriers in contracts between the federal government and its information technology (IT) and operational technology (OT) service providers. The goal here is to increase information sharing about threats, incidents, and risks in order to accelerate incident deterrence, prevention, and response efforts and to enable more effective defense of government systems and information. As part of this effort, the EO requires a review of the Federal Acquisition Regulation (FAR) concerning contracts with such providers and recommendations for language designed to achieve these goals. Recommendations will include, for example, time periods contractors must report cyber incidents based on severity, with reporting on the most severe cyber incidents not to exceed 3 days after initial detection. The changes also will seek to standardize common cybersecurity contractual requirements across agencies.
  • Modernize approach to cybersecurity. To achieve this goal, some of the steps called for in the EO include adopting security best practices, advance to Zero Trust Architecture, move to secure cloud services, including Software as a Service (SaaS), and centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. More specifically, the EO requires that within 180 days of the date of the EO, agencies must adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.
  • Improve software supply chain security. Driven by the impact of the SolarWinds incident, the EO points to the lack of transparency in the software development and whether adequate controls exist to prevent tampering by malicious actors, among other things. The EO calls for guidance to be developed that will strengthen this supply chain, which will include standards, procedures, and criteria, such as securing development environments and attesting to conformity with secure software development practices. The EO also requires recommendations for contract language that would require suppliers of software available for purchase by agencies to comply with, and attest to complying with the guidance developed. Efforts also will be made to reach the private sector. For instance, pilot programs will be initiated by the Secretary of Commerce acting through the Director of NIST to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs.
  • Establishing a Cyber Safety Review Board. Among the Board’s duties would include reviewing and assessing certain significant cyber incidents affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.
  • Standardize incident response. Standardize the federal government’s response to cybersecurity vulnerabilities and incidents to ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.
  • Improve detection. The EO seeks to improve detection of cybersecurity vulnerabilities and incidents on federal government networks.
  • Improving the federal government’s investigative and remediation capabilities. The Administration recognizes it is essential that agencies and their IT service providers collect and maintain network and system logs on federal information systems in order to address a cyber incident. The EO seeks recommendations on the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. These recommendations will also be considered by the FAR Council when promulgating rules for removing barriers to sharing threat information.

It is expected the U.S. government will ramp up efforts to strengthen its cybersecurity, and we can expect states to continue to legislate and regulate in this area. All businesses, including federal contractors, likely will experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

LexBlog