Washington Poised to Significantly Expand Its Data Breach Notification Law

It was looking like Washington state would be the first state to follow the California Consumer Privacy Act (CCPA), with a GDPR-like law of its own. That effort has stalled, perhaps temporarily. However, both Washington’s House and Senate voted unanimously to send HB 1071 to Gov. Jay Inslee, which would substantially expand the state’s current data breach notification obligations.

Here are some of the highlights:

Definition of personal information. Following many other states, the new law would add to the data elements that if breached could trigger a notification obligation. Currently, personal information includes an individual’s first initial or first name and last name, together with one or more of the following – (i) Social Security number, (ii) Driver’s license number or Washington identification card number; or (iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The following elements would be added to the list:

  • Full date of birth;
  • Private key unique to an individual and that is used to authenticate or sign an electronic record;
  • Student, military, or passport identification number;
  • Health insurance policy number or health insurance identification number;
  • Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer;
  • Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual; or
  • Username or email address in combination with a password or security questions and answers that would permit access to an online account.

In addition, these elements (other than online account credentials) could be considered personal information even without the consumer’s first name or first initial and last name. That would be the case if encryption, redaction, or other methods have not been applied to render the element(s) unusable and the element(s) would enable a person to commit identity theft against a consumer.

Special Rule for Online Accounts. To combat the practice of many who use the same username and password for different accounts (note to reader, if this is you, stop reading this post and go change your account credentials), the new law would require notifications to provide some direction on this point. Specifically, when a breach involves a username or password, notice may be provided electronically or by email, and must inform affected persons to promptly change their password and security question or answer, as applicable. The notice should inform affected persons to take other appropriate steps to protect the online account and all other online accounts for which the affected person uses the same username or email address and password or security question or answer.

The new law goes a step further when the person or business providing the notice also furnished the email account to the affected person. In that case, notification must be provided using a permissible method other than email to that account, and must also include the information noted above for changing passwords for at-risk accounts.

Notice Timing and Content. Like other state breach notification laws, Washington’s law requires notification be provided in the most expedient time possible and without unreasonable delay. Current law provides, however, that notice may not be provided later than forty-five calendar days following discovery. The new law reduces that period to thirty calendar days both for notice to individuals as well as to the Attorney General.

Importantly, the new law retains the exceptions to the notification period – notice may be delayed at the request of law enforcement or if due to measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. It is not clear if these exceptions also apply for notifying the Attorney General.

When notification is required, the new law adds to existing content requirements by mandating that notifications include, if known, the time frame of exposure – the date of the breach and the date of the discovery of the breach. Additional information also must be provided under the new law to the Attorney General, but under existing law that notice is required only if more than 500 persons are affected by the breach.

If enacted, the changes in HB 1071 provide good examples of the need for organizations to continue to monitor these developments and revisit their incident response plans (IRPs). For example, some organizations may get caught off guard by the expanding definition of personal information under these laws. Date of birth typically is not included as an element of personal information in most other states (North Dakota is one exception). Having out-of-date template letters also can minimize the effectiveness of the organization’s IRP.

Secret Video Surveillance Found in Hospital Labor and Delivery Rooms

The New York Times’ newly established Privacy Project recently highlighted the extent to which our society has created a “facial recognition machine” – cameras are everywhere, even in doorbells. Segments of society have accepted widespread surveillance on public streets, shopping malls, and in common areas of office buildings, apartment complexes, schools and similar places. But there are limits.

Early this month, 131 patients (and counting) of a women’s hospital in San Diego, California filed a lawsuit against the hospital after discovering that there was secret video surveillance in three labor and delivery operating rooms, recording medical procedures without patients’ consent. Patients were recorded during Cesarean sections, birth complications, treatment after miscarriage, hysterectomies and other medical procedures from July of 2012 to July of 2013. Approximately 1,800 patients were recorded during this period. The patients are suing the hospital for invasion of privacy, breach of fiduciary duty, negligence, negligent infliction of emotional distress and unlawful recording of confidential information.

In addition to not informing the patients of the hidden cameras, the lawsuit alleges that the hospital was “grossly negligent” in its storage of the recordings. The lawsuit claims that recordings were stored on employee computers, often without password protection and that the hospital “destroyed at least half the recordings but cannot say when or how it deleted those files and cannot confirm that it took the appropriate steps to ensure the files were not otherwise recoverable.”

This is not the first lawsuit against the hospital regarding the hidden cameras. Since 2016, the hospital has faced several lawsuits alleging privacy violations and other claims stemming from the video records.

The hospital said in a statement on April 4th to the San Diego community that the cameras were installed as part of an investigation regarding drugs and other equipment missing from several anesthesia carts in hospital operating rooms, and it was not intended for patients to be visible on the recordings, although ultimately that was the case.

The issue of hidden cameras is particularly common in elder care facilities, where, for example, family members secretly install a “granny cam” to step in and help protect their elderly loved ones from abuse in the facility, including neglect, physical abuse, unexplained serious injuries and thefts. A study published in 2011 found that an estimated 260,000 (1 in 13) older adults in New York had been victims of one form of abuse or another during a 12-month period between 2008 and 2009, with “a dramatic gap” between elder abuse events reported and the number of cases referred to formal elder abuse services. Clearly, states are struggling to protect a vulnerable and growing group of residents from abuse. Technologies such as hidden cameras may help to address the problem, but their use raises privacy, security, compliance, and other concerns.

Whether installed by a concerned family member in a nursing home, or a medical professional or a hospital administrator, the use of video surveillance devices can pose a number of issues and potential risks, particularly when the devices are hidden and/or record audio as well as video. Here are just a few questions these devices raise:

  • Has the organization addressed federal and state laws establishing consent requirements when recording communications?
  • Are there state laws that specifically address hidden cameras or similar privacy rights? For “granny cams”, at least five states (Illinois, New Mexico, Oklahoma, Texas, and Washington) have laws specifically addressing the use of cameras in this context. While state “granny cam” laws are not applicable to the hospital case, in California, for example, the California Invasion of Privacy Act (CIPA) protects against recording of an individual’s confidential information without prior consent.
  • In general, if the organization installs such a device, what rights and obligations does it have with respect to the scope, notice, content, access, security, storage, deletion and other aspects of the recording?
  • For surveillance likely to capture protected health information, have the HIPAA privacy and security regulations been addressed? This includes assessing the risk of making the recordings, controlling access to the recording, and securing that information.
  • What record retention, chain of custody, and record destruction requirements and best practices should be implemented?
  • How do the features of the device, such as camera placement and zoom capabilities, affect the analysis of the issues raised above?

Facilities considering this technology, even when well intentioned, must assess the privacy and security implications. Practices and procedures should be considered and implemented, as applicable, not only for what happens prior to device installation (i.e. notice, consent, device placement, scope etc.), but also for what happens after recordings occur, including lawful and effective data storage and deletion policies.

SEC Issues Privacy and Data Security Risk Alert

Following recent examinations of SEC-registered investment advisers and broker-dealers, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a privacy risk alert on April 16, 2019. OCIE is hoping to remind advisers and broker-dealers about providing compliant privacy and opt-out notices, and adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P.

Privacy Notices. During the examinations, OCIE observed advisors and broker-dealers were not providing initial privacy notices, annual privacy notices and opt-out notices to their customers. When these notices were provided, many did not accurately reflect firms’ policies and procedures and/or notify customers of their right to opt out of having their nonpublic personal information shared with nonaffiliated third parties. OCIE’s risk alert, thus, reminds advisors and broker-dealers that Regulation S-P requires that they:

  • provide a clear and conspicuous notice to customers that accurately reflects privacy policies and practices generally no later than when a customer relationship is established,
  • provide a similar notice not less than annually during the continuation of the customer relationship, and
  • deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties.

Written Policies and Procedures to Safeguard Customer Information. OCIE also observed during these examinations that some advisors and broker-dealers had not adopted written policies and procedures as required under the Safeguards Rule. According to the risk alert, some firms simply:

restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards.

And, other policies

contained numerous blank spaces designed to be filled in by registrants.

Given the OCIE’s observations, purchasing sample privacy and data security policies and procedures, perhaps online, without more, would likely be inconsistent with Regulation S-P. Data security compliance is more than simply having a policy document. OCIE explained that written policies and procedures under Regulation S-P must be “reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Thus, the general approach for advisors and broker-dealers should be to assess the threats and vulnerabilities to customer records and information, and then craft administrative, physical, and technical policies and procedures to address those threats and vulnerabilities.

OCIE also detailed data security practices that it found troubling under Regulation S-P. Examples include:

  • Personal devices – employees storing and maintaining customer information on their personal laptops without policies and procedures addressing how to protect the information on those devices.
  • Electronic communications – the absence of policies designed to prevent employees from regularly sending unencrypted emails to customers containing PII.
  • Training and monitoring – a lack of training for employees about encryption, password protection, and transmission of PII through company-approved methods.
  • Outside vendors – advisors and broker-dealers maintaining policies that required outside vendors to contractually agree to keep customers’ PII confidential, but not following their own policies.
  • PII inventory – not maintaining an inventory of all systems on which PII is maintained, leaving advisors and broker-dealers unaware of the categories of customer PII that they maintain, and limiting the ability to adequately safeguard customer information.
  • Incident response plans – plans failed to address role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
  • Departed employees – former employees of advisors and broker-dealers retained access rights to restricted customer information after termination of employment.

Many of the observations noted above are common gaps in data security policies and procedures, particularly for small and medium-sized enterprises in any industry. For advisors and broker-dealers, compliance lapses could result in data breaches, enhanced scrutiny by the SEC and OCIE, and reputational harm. Thus, as OCIE suggests following its recent examinations, advisors and broker-dealers should review and update, as needed, their written policies and procedures to mitigate the issues identified by OCIE staff.

Music to Your Ears? Court Rules Bose Can Gather Your Music Listening Habits

According to a recent decision from a federal district court in Illinois, Bose Corp. may monitor and collect information about the music and audio files consumers choose to play through its wireless products and transmit that information to third parties without the consumers’ knowledge. Such action does not violate the federal Wiretap Act or the Illinois Eavesdropping Statute. As such, the Court granted Bose’s motion to dismiss the plaintiff’s class action claims.

Bose manufactures and sells high-end wireless headphones and speakers. Consumers use the wireless headphones or speakers with their smartphones to listen to music streamed to their phone from music-streaming services. Users of certain models of Bose wireless headphones and speakers can access additional features of those products by downloading the Bose Connect App. Once downloaded, the App enables users to connect their smartphones to their Bose Wireless Products via a Bluetooth connection so that the user can access and control the products’ settings and features through the App. The App also displays the track title, artist, and album playing.

According to the Plaintiff, Bose designed the App to “(i) collect and record titles of the music and audio files consumers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to a third-party data miner without consumers’ knowledge or consent.” Plaintiff alleged that Bose was not a party to the communication of the music information, but rather “intercepted” the contents of the communication between the user and the streaming services. Plaintiff further alleged that Bose did not have consent from either party to intercept the data.

For a customer using the App, Bose could access the data referenced above, link the music information to the particular Bose product’s serial number, identify the name and email address for the particular user, and in the process build a detailed profile about the customer and his or her music listening habits.

The statutes at issue in the case prohibit intentionally intercepting or disclosing an electronic communication unless the interception is by a party to the communication or where one of the parties has given prior consent. The Court ruled that the complaint failed to sufficiently allege that Bose is not a party to the communication. The Court supported its analysis by noting that the complaint itself states that the Bose App is a participant in the communication of the information when it sends a user’s request for a song to the streaming service and in turn displays the provider’s song information on the App. Indeed, the court noted that the display of such information is one of the primary functions of the App. Thus, the court concluded, Bose “is a part of the listener to streaming service communication.” Although the court notes that Plaintiff’s real issue may be the fact that Bose collects and discloses information it receives to third parties, that conduct falls outside both the federal Wiretap Act and the Illinois law. As such, the court dismissed these claims.

With the ever-increasing reliance on wireless technology and businesses combing for as much data as possible to target consumers, companies collecting personal data need to be aware of how that data is collected and what steps are being taken to protect it. While Bose escaped liability under the Wiretap Act and the Illinois Eavesdropping Law, the future likely involves more consumers monitoring how their data is gathered, as well as a corresponding increase in regulation over the collection and protection of personal data, such as the California Consumer Privacy Act set to take effect in 2020, and other state consumer privacy initiatives popping up across the country.

Small Michigan Medical Practice To Close Following Ransomware Attack

Small and midsized enterprises (SMEs) continue to be targeted by ransomware, phishing and other cyberattacks, the consequences of which could be devastating. Those consequences include putting SMEs out of business, which is unfortunately the case for one small medical practice in Battle Creek, Michigan, as reported by HIPAAJournal.

The reality is that the effects of these attacks could be significantly mitigated with a bit of planning. Just maintaining good backups can go a long way. Of course, there are a number of other steps that SMEs can take to more comprehensively defend against these attacks.

The reports about the Michigan practice explain that the malware encrypted the system that maintained patient records and that the owners refused the attacker’s demands for payment. Refusing to pay these demands is not uncommon. The Federal Bureau of Investigation, which provides guidance on preventing ransomware attacks, does not encourage paying ransom. In some cases, ransomware attack victims have recovered their data after paying the ransom; however, there is no guarantee of that in a particular case. In fact, in some cases, after receiving the requested ransom payment, attackers have been known to request more money to unlock the data. Note also that payments of ransom to persons or entities on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) sanctions list could be prosecuted.

When the Battle Creek physicians did not succumb to demands for payment, the attackers deleted all of the encrypted files. Reports indicate that no patient data had been accessed or exfiltrated (removed) from the practice’s systems; however, some patients may have lost all or a portion of their medical records. The practice is scheduled to close at the end of this month.

SMEs certainly can improve their defenses to prevent and minimize the effects of an attack; however, they also need to be prepared to respond to an attack when it happens. Maintaining a written incident response plan is critical. This is particularly true for health care providers and other HIPAA covered entities and business associates. The federal Office for Civil Rights has provided guidance for dealing with ransomware attacks. Notably, the guidance provides that when PHI (protected health information) is encrypted in such an attack, it is presumed to be a breach and notification is required unless the entity determines the incident constitutes a low probability of compromise. The guidance adds that:

Although entities are required to consider the four factors listed above in conducting their risk assessments to determine whether there is a low probability of compromise of the ePHI, entities are encouraged to consider additional factors, as needed, to appropriately evaluate the risk that the PHI has been compromised. If, for example, there is high risk of unavailability of the data, or high risk to the integrity of the data, such additional factors may indicate compromise. In those cases, entities must provide notification to individuals without unreasonable delay, particularly given that any delay may impact healthcare service and patient safety.

Taking steps to prevent an attack is important, but all SMEs, including those in the healthcare sector, also need to be prepared to respond to these and similar kinds of attacks. Failure to take these steps could have substantial effects on the business, including causing the business to close.

Updates to Massachusetts Breach Notification Law – Much More Than Mandatory Credit Monitoring

UPDATE: The changes to the Massachusetts data breach notification law described below are now in effect. Thus, if you have discovered a data incident involving the personal information of Massachusetts residents you will want to review these changes carefully – they are significant and the Commonwealth is intent on educating the public about them. Because we have coached many clients through data breaches affecting Massachusetts residents, we recently received a letter from the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) alerting us to these changes. The same office published a set of FAQs about the law changes which emphasize some key points. For example, as discussed below, the new law expanded the content requirements for notifications to the Attorney General and OCABR to include, among other things, whether the business that experienced the breach maintains a written information security program (WISP) and whether they have updated the WISP. Businesses maintaining personal information of Massachusetts residents should revisit their incident response plan (or develop one).

Observers of the recent changes in the Massachusetts data breach notification law likely will focus on the addition of the obligation to provide 18 months of credit monitoring following a breach involving Social Security numbers (42 months, if the breached entity is a consumer reporting agency). This certainly is a significant change, making Massachusetts only the fourth state to have enacted a similar mandate (See also, California, Connecticut, and Delaware). However, other changes are perhaps much more significant for an organization that has a breach triggering the updated Massachusetts law, which becomes effective April 10, 2019.

Data security and breach notification legislative developments are off to a running start in 2019. On January 1, 2019, Vermont began regulating data brokers and South Carolina’s adoption of the National Association of Insurance Commissioners’ (NAIC’s) Insurance Data Security Model Law became effective, adding significant breach notification and information security requirements for entities licensed by state insurance regulators, including insurers and agents. The North Carolina Attorney General announced a proposal to make significant changes to that state’s notification law, among them requiring notification for ransomware attacks. The trend continues in Massachusetts, where last week Gov. Charlie Baker signed legislation substantially updating the state’s breach notification law.

Here is an overview of some of the key changes:

Organizations that experience a breach must report to the Attorney General and the Office of Consumer Affairs and Business Regulation whether they have a written information security program (WISP). Nearly ten years ago, Massachusetts enacted one of the most comprehensive sets of data security regulations affecting certain organizations in the state. (Read more about that and get a compliance checklist here.) Organizations that have not adopted a WISP will have to inform the government that they have not done so, which likely will lead to a follow-up inquiry concerning compliance and potentially significant penalties. But that is not all: they also will have to report information such as the type of personal information involved in the incident (e.g., Social Security number, driver’s license number), steps the organization has taken or plans to take relating to the incident, including updating the WISP, and a certification that they have offered compliant credit monitoring services, if applicable.

Parent companies may have to answer for breaches by subsidiaries. Organizations that must report a breach under the new law and that are owned by another person or corporation must inform affected residents of the name of the parent or affiliated corporation. This provision is sure to create some confusion. For example, there is no level of ownership specified that triggers listing in the notice to affected residents. Additionally, because a breached entity might be owned by a few different entities, it is unclear if all of those entities would have to be listed. Clearly, this provision may create some unfavorable publicity for organizations whose subsidiaries experience a breach. As such, it might spur them to be more actively involved with the data security compliance and breach response efforts of their subsidiary and affiliated entities. Parents and affiliated companies may also want to revisit their cyber insurance policies to assess coverage for losses that may arise out of a subsidiary’s breach. For the breached subsidiary, this provision may result in them involving their parent companies sooner and more extensively in the breach response process.

Once an organization knows about a breach affecting a Massachusetts resident, it must notify the resident as soon as practicable and without unreasonable delay, and cannot wait to determine the total number of residents affected by the incident. Security incident investigations sometimes take time, and it is not uncommon during those investigations for the number of affected persons to grow as the investigation continues. With this change, businesses need to notify continually, and not wait for the investigation to conclude before sending notification. Additionally, because state agency notifications must include the number of affected persons, businesses will need to keep these agencies apprised of the growing number of residents affected.

The Office of Consumer Affairs and Business Regulation will be reporting about your breach on its website. When an organization reports a breach to the Office of Consumer Affairs and Business Regulation (OCABR), under the new law OCABR must post on its website copies of the sample notice sent to affected residents within 1 business day of receipt and continually update the site with information learned from the investigation. OCABR also will be helping affected residents file public records requests to obtain the notices that organizations that experienced the breach have filed with the Attorney General and OCABR.

A number of the updates to the Massachusetts data breach notification law are not the typical changes we see made in many other states – e.g., expanding the definition of personal information, establishing a set number of days by which notice must be provided. Some of the changes seem intent on drawing attention to organizations that had a breach and their related companies (posting on the OCABR website, helping affected residents get more information about the breach, requiring the name of parent companies be listed in the notice, etc.) and pushing for greater enforcement of data security safeguards (requiring reporting on whether a WISP is maintained). Organizations will need to revisit their overall incident response plans, as well as confirm their compliance with the state’s data security mandate, now nine years old.

Bill Which Would Expand the CCPA Private Right of Action Moves Forward

As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA). This week, the Senate Judiciary Committee referred the bill to the Senate Appropriations Committee by a vote of 6-2. This move came despite concerns raised about the scope of the amendment’s expanded private right of action. It is worth noting that a restricted private right of action is believed to have been fundamental to the compromise that led to the CCPA becoming law.

If SB 561 becomes law, it would make a number of significant changes to the current law. In particular, SB 561 would significantly expand the scope of the private right of action presently written into the CCPA. In its current form, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment proposed under SB 561 broadens this provision to grant consumers a private right of action if their rights under the CCPA are violated.

This could become very costly for businesses subject to the CCPA. A plaintiff suing under the CCPA can recover statutory damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. With the change under SB 561, violations of rights under the statute, such as rights to certain notifications or the right to have certain information deleted upon request, potentially could trigger statutory damages.

A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute.

According to reports, while Senator Jackson promised to work with stakeholders to address concerns about an expanded private right of action, the lawmaker apparently is intent on maintaining the ability for consumers whose CCPA privacy rights are violated to sue, without having to rely on the Attorney General’s office to enforce the CCPA.

Proposed Legislation in Massachusetts Would Create Private Right of Action for Improper Collection of Personal or Biometric Information

Pending legislation could create new consumer privacy rights in Massachusetts. Earlier this year, Senator Cynthia Creem presented An Act Relative to Consumer Data Privacy in the Massachusetts Senate. This Consumer Privacy Bill, SD.341, combines key aspects of the California Consumer Privacy Act (CCPA) and Illinois’s Biometric Information Privacy Act (BIPA). This bill would allow Massachusetts consumers a private right of action if their personal information or biometric information (referred to separately in the bill) is improperly collected.

The Consumer Privacy Bill defines “biometric information” as an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

The bill defines “personal information” as any information relating to an identified or identifiable consumer. “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.

However, this definition does not include publicly available information or consumer information that is deidentified or aggregate consumer information. Moreover, the bill creates an exception for a business collecting or disclosing personal information of the business’s employees, so long as the business is collecting or disclosing such information within the scope of its role as an employer. Therefore, unlike California’s CCPA, where the application to employee data remains an open question, under the current text of the Massachusetts bill it is reasonably clear that the law would not apply to employee data as defined above. That said, it is still early in the legislative process and the bill could be revised to include employee data.

The pending legislation would require businesses collecting a Massachusetts consumer’s personal information to notify the consumer of the following rights before the point of collection:

(1) The categories of personal information it will collect about that consumer;

(2) The business purposes for which the categories of personal information shall be used;

(3) The categories of third parties with whom the business discloses personal information;

(4) The business purpose for third party disclosure; and

(5) The consumer’s rights to request:

(A) A copy of the consumer’s personal information;

(B) The deletion of the consumer’s personal information; and

(C) An opt-out from third party disclosure.

In addition to this notice requirement, the bill would give consumers a statutory right to request that businesses collecting their personal information disclose to the consumer:

(1) The specific pieces of personal information the business has collected about that consumer;

(2) The sources from which the consumer’s personal information was collected;

(3) The names of third parties to whom the business disclosed the consumer’s personal information; and

(4) The business purpose for third party disclosure.

Businesses would have to make available to consumers two or more designated methods for submitting verifiable consumer requests for personal information, including, if the business maintains a web site, a link on the home page of the web site. A business receiving a verifiable consumer request generally must provide the requested information within 45 days of receiving the request, but may extend that period once by an additional 45 days, so long as notice of the extension is provided within the first 45-day period. The proposed legislation also creates a consumer right to request that a business delete any personal information collected from the consumer, and the right to opt out of third party disclosure at any time.

The legislation would be enforceable both through a private right of action and by the Massachusetts Attorney General. A consumer could recover (1) damages in an amount not greater than $750 per consumer per incident or actual damages, whichever is greater (for any violation of the act); (2) injunctive or declaratory relief; and (3) reasonable attorney fees and costs. The Attorney General would be authorized to obtain a temporary restraining order or preliminary or permanent injunction against a violation of the Act. In addition, the Attorney General may seek a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.

This Consumer Privacy Bill would impose administrative burdens on businesses, including an obligation to train employees, as well as creating new exposure to damages and penalties. Given the litigation we are seeing under BIPA, businesses collecting Massachusetts consumers’ personal information should monitor the progress of this legislation to determine whether they should begin preparations for complying with yet another consumer privacy provision.


Could This Be Your Retirement Plan?

As reported by CBC, B.C. Pension Corporation announced a data breach involving pension plan records after discovering that a box containing microfiche could not be found following a recent office move. The box contained personal information (names, social insurance numbers and dates of birth) on approximately 8,000 pension plan participants, whom the company employed during the period 1982 to 1997. Learning of this incident, persons responsible for pension plan administration might be wondering how secure their facilities (or their service provider’s facilities) for remote storage are. And pension plan participants might be wondering why plans need this information, and for so long.

In the U.S., the Employee Retirement Income Security Act (ERISA) governs the administration of pension plans, and the law includes specific record retention requirements. For example, persons who are responsible for filing plan reports must “maintain records to provide sufficient detail to verify, explain, clarify and check for accuracy and completeness.” ERISA Section 107. In addition, ERISA requires employers to maintain sufficient records to determine benefits due to employees. ERISA Section 209. Because employees may not retire for many years after accruing benefits under the pension plan, plans need to maintain records until plan participants retire and the records must be sufficient to determine benefits under the plan.

These record retention requirements present important issues for employers, plan administrators, and pension plan service providers. We have written about pension plans experiencing data breaches caused by malicious attackers. But relatively straightforward administrative recordkeeping activities also can result in personal information being compromised. In late 2016, the ERISA Advisory Council, a 15-member body appointed by the Secretary of Labor to provide guidance on employee benefit plans, shared with the federal Department of Labor some considerations concerning cybersecurity. To date, the DOL has not issued any formal guidance on these recommendations. Nonetheless, employers, plan administrators, and pension plan service providers should revisit their procedures for handling sensitive personal information maintained in their pension plan records.

According to the Council’s recommendations, there are four major areas for effective practices and policies: (i) data management; (ii) technology management; (iii) service provider management; and (iv) people issues. This is a good list to work from. In addition, while not exhaustive, the following action items may help to avoid incidents like the one discussed above:

  • Retain only the data that is needed; if certain data elements can be redacted, remove them;
  • Maintain an inventory of records that are retained, regardless of format, and where to find them;
  • Outline a clear process for moving records, and track location and inventory during the move; and
  • Delete records that are no longer needed; confirm that service providers have done so, as applicable.

Of course, no set of safeguards for protecting personal information will prevent every kind of compromise. Mistakes happen, so employers and plan administrators should be prepared by developing and maintaining incident response plans, and by practicing them.

Illinois BIPA Defendants May Soon Be Getting Relief…Or Not

UPDATE: As discussed below, SB2134, as introduced, would have amended BIPA to delete the language that creates a private right of action and provide, instead, that violations resulting from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes would be subject to the enforcement authority of the Department of Labor. But, to survive, SB 2134 needed to be reported out of committee by March 28, 2019. That did not happen. Again, businesses should continue their efforts to comply with the requirements of BIPA.

Many businesses currently are defending a wave of class action lawsuits filed under the Illinois Biometric Information Privacy Act, popularly known as “BIPA.” The floodgates to litigation were opened earlier this year when the Illinois Supreme Court ruled that individuals need not allege actual injury or adverse effect, beyond a violation of their rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act. Potential damages are substantial, as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. The majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected, exposing businesses to potentially crushing damages.

In February, SB2134 was introduced and would amend BIPA to delete the language that creates a private right of action. If enacted, the amendment would provide, instead, that violations resulting from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes would be subject to the enforcement authority of the Department of Labor. The amendment would permit employees and former employees to file a complaint with the DOL, provided they are filed within one year from the date of the violation. Violations of BIPA that constitute a violation of the Consumer Fraud and Deceptive Business Practices Act would be enforced by the Attorney General. If the amendment is enacted, the changes would be effective immediately. Of course, it is unclear what the effect would be for pending litigation.

We expect businesses will be watching developments concerning SB2134 closely; the bill currently is in committee. However, businesses should continue their efforts to comply with the substantive requirements of BIPA, which SB2134 does not appear to change.