CCPA 2.0 – More Privacy Legislation in the Golden State?

By Rachel E. Ehlers on

Most companies continue to grapple with compliance with the California Consumer Privacy Act (“CCPA”), which went into effect in January. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA.

Now, the privacy-right activist group that sponsored the CCPA – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The group recently announced it secured the 900,000 signatures needed to qualify for a place on the state’s November 2020 ballot.

If this appears on the ballot and passes, companies will have to once again review their privacy programs and likely amend further to comply. Many other states are also attempting to pass new legislation, so this could all create a complex regime of multiple states with different laws.

The CPRA, as drafted, would amend the CCPA, which has been criticized for over broad definitions and ambiguous language. It would expand the privacy rights of California residents and increase compliance obligations for companies. The CPRA would, as written and among other things:

  • New data category. Add a new category of information, known as “sensitive personal information”, which would include health, financial, and geolocation collected, and allow California consumers to block businesses from using this information. Much of this information is covered by federal privacy laws, like HIPAA and GLBA.
  • Privacy for children’s data. Enhance children’s privacy rights and triple fines for collecting and selling information of minors under 16 years of age.
  • Enforcement Arm. Establish new enforcement authority to protect data privacy rights.
  • Correction of data. Give Californians the right to ask businesses to correct inaccurate personal information.
  • More breach liability. Update data breach liability, specifically for breaches of a consumer’s email with password or security question. In such cases, hackers would be able to access the consumer’s account, and the CPRA would result in liability for the company experiencing the breach.

However, one thing the CPRA does that may help businesses is provide an additional two-year extension to exemptions for employee and business-to-business data. The current exemption is set to expire at the end of 2020. It is important to note that under the current exemption, while employees are temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

While the CPRA may have enough signatures to qualify it for the upcoming ballot, the California Secretary of State and local election officials will have to certify the signatures by June 25, 2020. Of the 900,000 signatures submitted, 675,000 must be certified as valid for the CPRA to be included on the November ballot.

We will continue to monitor CPRA developments and provide guidance on compliance with CCPA and new regulations and guidance from the California Attorney General.

Vermont Updates its Data Breach Notification Law

By Joseph J. Lazzarotti, Jason C. Gavejian, Mary T. Costigan and Maya Atrakchi on

As the COVID-19 pandemic presses on, privacy and security matters continue to be at the forefront for federal and state legislature. We recently reported that Washington D.C. updated its data breach notification law. Now, the Vermont legislature also amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, and the narrowing of permissible circumstances under which substitute notice may be applied. Bill S.110 amending Vermont’s Security Breach Notice Act, V.S.A §§ 2330 & 2335, b23-0215, was signed into law by Governor Phil Scott, and will take effect July 1, 2020.  In addition Bill S.110, creates a new duties and prohibitions with respect to student privacy directed towards educational technology services (similar to a law first enacted in California, and later adopted by over 20 states).

Key updates to Vermont’s Security Breach Notice Act include:

  • Expansion of Personally Identifiable Information (PII)

Following many other states, the new law will add to the data elements that if breached could trigger a notification obligation.  Prior to this amendment, the definition of PII in Vermont was limited to four basic data elements that when unencrypted, a consumer’s first name or first initial and last name in combination with:

    • Social Security number;
    • Driver license or nondriver identification card number; • Financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords; or
    • Account Passwords, personal identification numbers, or other access codes for a financial account.

The amended law includes these elements, and adds the following when combined with a consumer’s first name or first initial and last name:

    • Individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
    • Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
    • Genetic information; and
    • Health records or records of a wellness program or similar program of health promotion or disease prevention; a health care professional’s medical diagnosis or treatment of the consumer; or a health insurance policy number.

The amended law will also include notification requirements for breaches of “login credentials”. The amendment defines “login credentials” as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.” If a breach is limited to “login credentials” (and no other PII), the data collector is only required to notify the Attorney General or Department of Finance, as applicable, if the login credentials were acquired directly from the data collector or its agent.

  • Substitute Notice

Previously, substitute notice was permitted where the cost of Direct Notice via writing or telephone would exceed $5,000, more than 5,000 consumers would be receiving notice, or the data collector does not have sufficient contact information.

Under the amended law, substitute notice is only permitted where the lowest cost of providing Direct Notice via writing, email, or telephone would exceed $10,000, or the data collector does not have sufficient contact information. It is no longer permitted to provide substitute notice where the number of consumers exceed a certain threshold.

Student Privacy Law 

Finally, Bill S.110 also includes the Student Online Personal Information Protection Act, which prohibits an “operator” from sharing student data and using that data for targeted advertising on students for a non-educational purpose. Under the new law, “operator” means the operator of an Internet website, online service, online application, or mobile application used primarily for K-12 purposes, and designed and marketed as such. The passage of this law is particularly relevant during the COVID-19 pandemic, as student use of education technology services has dramatically increased.

Conclusion

This amendment keeps Vermont in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

 

Washington D.C. Significantly Overhauls its Data Breach Notification Law

By Joseph J. Lazzarotti and Maya Atrakchi on

In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislature. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations. The Security Breach Protection Amendment Act of 2019, b23-0215, passed the 12-member D.C. Council unanimously and was signed by D.C. Mayor Muriel Bowser on March 26. The new law became effective on May 19, 2020.

Key updates to D.C.’s new law include:

  • Expansion of personal information

Following many other states, the new law will add to the data elements that if breached could trigger a notification obligation.  Currently, personal information is defined as (1) any number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account, (2) or an individual’s first name or first initial and last name, or phone number, or address, and any one or more of the following data elements: Social Security Number; Driver license number or DC identification card number; or Credit card number or debit card number.

The amendment significantly expands the definition of personal information to include the following new data elements:

  • Identifiers including taxpayer identification number, passport number, military identification number and other unique identification numbers issued on a government document;
  • medical information;
  • genetic information and DNA profile;
  • health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer that permits access to an individual’s health and billing information;
  • biometric data; and
  • any combination of data elements listed above, that would enable a person to commit identity theft without reference to the individual’s name.

Personal information also includes “a user name or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements [listed above] that permits access an individual’s email account.”

  • Notification to Attorney General

Notification to the Office of the Attorney General is now required for any breach affecting 50 or more D.C. residents. Notice must be provided in the “most expedient manner possible, without unreasonable delay, but in no event later than when notice is provided”. There are also several specific content requirements for notice to the Attorney General, including whether there is knowledge of any foreign country involvement.

  • GLBA/HIPAA Exemption

The new law exempts entities subject to GLBA or HIPAA if those entities maintain breach notification procedures and provide notification as required under those law, as applicable. However those entities must still notify the Attorney General of any breach that requires notification by GLBA or HIPAA.

  • Risk of Harm Threshold

If a person or entity reasonable determines, after reasonable investigation and consultation with the Office of the Attorney General and federal law enforcement agencies, that the breach likely will not result in harm to affected individuals, notice is not required.

  • Free Mitigation Services for Affected Residents

D.C. joins California, Connecticut, Delaware and Massachusetts in requiring companies to provide identity theft protection or credit monitoring services to residents affected by a breach at no cost. The new D.C. law requires that a person or entity that experiences a breach that includes Social Security numbers and/or taxpayer identification numbers, must offer affected individuals at least 18 months of identity theft protection services at no cost.

Data Security Requirements

Finally, the new law, notably, establishes data security requirements for covered businesses. In short, any business that owns, licenses, maintains, handles or otherwise possesses personal information of D.C. residents must implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and nature and size of the entity of the operation. Further, covered entities must enter written agreements with their third party service providers requiring the service provider to implement and maintain similar security procedures and practices.

This amendment keeps Washington D.C. in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

Addressing the COVID19 Risks of Your Third-Party Service Providers and Vendors

By Joseph J. Lazzarotti on

States are reopening – find out which ones here. As they do, organizations will begin and/or continue adhering to a complex set of distancing, screening, capacity, sanitization, mask, posting, reporting, and other guidelines designed to maintain COVID19 curve flattening efforts. For organizations with operations in multiple states, the patchwork of federal, state, and local “guidelines” becomes even more complex. For organizations that tackle these guidelines, their job still may not be complete.

The risk of COVID19 infection in areas such as on a salesfloor, in common areas of an apartment complex, on a loading dock, or in an office environment is not limited to the members of an organization’s workforce or its customers or clients. Virtually all organizations rely on third-party service providers or vendors, directly or indirectly, to operate efficiently, including those providers and vendors. In a retail business, service providers or vendors might include delivery companies, manufacturer representatives, temporary staffing companies, and IT support services. Senior living communities might have similar service providers or vendors as retail businesses, along with landscape companies, building maintenance technicians, and equipment suppliers. The same is true for professional service providers, whose service providers or vendors also could include office equipment maintenance providers, window and office cleaners, food service providers, and transportation vendors.

As organizations develop policies and devise procedures to address COVID19 in their facilities, they should be taking their third-party service providers or vendors into account, especially when the workforce members of those entities will need to interact with the organizations’ employees, customers, clients, etc. How to do so presents some difficult questions and additional challenges. Some organizations may want to (or be required to) play a more active role, such as screening a vendor’s employees before being permitted to enter the organization’s facilities. Others might prefer to rely on the vendor’s compliance efforts. Either way, these decisions raise critical health, liability, insurance, public relations, operational, and business issues.

Depending on how organizations decide to approach the risks posed by third-party service providers or vendors, below is a checklist of items an organization might want to cover with respect to each of those entities.

  • Modifying the delivery of products and/or services to minimize COVID19 risk.
  • Compliance with all applicable federal, state, and local COVID19 guidelines, including those specific to the organization which may not be applicable to the service provider or vendor, and including changes to those guidelines and best practices as the pandemic continues to evolve.
  • Allocating responsibility for COVID19-related issues, such as reporting, exposures, liabilities, etc. For example, organizations may want to confirm whether they or their service providers are responsible to provide personal protective equipment (PPE) in the organizations’ facilities. Organizations also may want to reevaluate insurance coverage requirements, indemnification provisions, and limitation of liability clauses to ensure they align with a changing risk landscape due to the pandemic.
  • Ensuring service provider and vendor workforce members are aware and trained on the organization’s applicable COVID19 policies and procedures including without limitation social distancing, sanitization, screening, cleaning supplies, contact tracing, and other measures.
  • Administering screening/testing for all vendor or service provider workforce members prior to entering the organization’s facilities, and who is responsible for carrying it out.
  • Arranging for communication and reporting of COVID19 symptoms, or infections or likely infections in order to carry out contact tracing. As contact tracing efforts expand, many organizations are considering different approaches such as contact tracing apps. Depending on the circumstances, having service providers use the same contact tracing app could enhance the organization’s efforts.
  • Pushing service provider and vendor’s obligation downstream to their agents, subcontractors, and third-party service providers where applicable.
  • Ensuring cooperation and consistent communications in the event of any investigation concerning COVID19 infection believed to be at the organization’s facilities.
  • Maintaining a process to assess compliance and appropriate record keeping. Some organizations may want to be able to review a service provider or vendor’s record keeping to show they have been complying with applicable COVID-19 guidelines.
  • Confirming that service providers and vendors have hardened their privacy and cybersecurity protections as ransomware, business email compromise, and other attacks are on the rise with COVID-19 and could result in business interruption. Much of this post relates to increased physical interaction as organizations reopen. However, significant segments of the workforce will continue to work from home, including service providers and vendors, extending these heightened risks.

A “compliance with all applicable laws” or related clauses in the service provider or vendor’s master services agreement (MSA) likely will not be sufficient to address many, if not all, of these issues. COVID19 implications are far reaching, affecting the provision of services, service level agreements, costs, liabilities, etc. Organizations and their service providers and vendors may need to rethink certain provisions of their MSAs to address the new reality of how products and services are provided and performed during the coronavirus pandemic, including amendments that outline specific COVID19-related operational issues, practices, etc.

California AG Urges Consumers to be Vigilant While Online During the COVID-19 Pandemic

By Frank J. Fanshawe on

With California’s mandatory COVID-19 stay-at home orders impacting some 40 million people by forcing the vast majority of them to connect remotely to work, go to school, order necessities, socialize and do many other things, California’s Attorney General Xavier Becerra recently issued an alert reminding consumers of their privacy rights and to encourage them to be vigilant about practicing sound security practices while online.

In his alert, Attorney General Becerra urges consumers to take steps to understand their rights under the California Consumer Privacy Act (“CCPA”), a new law that went into effect on January 1, 2020 and provides important consumer privacy rights both during and after the COVID-19 public health crisis. To learn more about the CCPA’s consumer privacy rights, see our previous posts on this blog located at this link.

Attorney General Becerra’s alert also warns consumers about common COVID-19 phishing email scams; provides tips on how to enable privacy and security settings during virtual meetings and otherwise protect home networks from outside hackers; and recommends online resources that “help parents set boundaries and guide their children towards becoming good digital citizens.”

Visit our previous blog posts for more information about the CCPA and other privacy and security developments during the COVID-19 pandemic:

Federal COVID-19 Consumer Data Protection Bill Introduced

By Joseph J. Lazzarotti and Maya Atrakchi on

As the COVID-19 pandemic presses on, legislators and regulators continue to remind the public of the importance of data security and privacy protections. On April 30th, U.S. Senator Roger Wicker (R-Miss), Chairman of the Senate Committee on Commerce, Science, and Transportation, announced plans to introduce (jointly with several co-sponsors) the COVID-19 Consumer Data Protection Act. The bill aims to provide consumers with greater “transparency, choice, and control” over their health, geolocation and proximity data. Further, the bill would impose data privacy and security requirements on businesses that handle personal data related to COVID-19.

The text of the bill has not yet been released to the public, however according to Senator Wicker’s announcement, the COVID-19 Consumer Data Protection Act would:

  • Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
  • Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

Although the bill focuses exclusively on data related to the spread of COVID-19, its consumer protections are similar in kind to those provided for in the California Consumer Protection Act (CCPA), including, for example, notice requirements, a consumer’s right to opt out, data security obligations and more.

“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important…This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens,” stated Senator John Thune, a co-sponsor of the bill.

The bill is still in early stages of the legislative process, but may have greater success than some of the attempts at a federal consumer privacy law of late, given the urgency of the COVID-19 pandemic.

These are difficult times for many businesses, and while there has been significant flexibility from legislatures and regulators in certain areas of the law, the proposal of the COVID-19 Consumer Data Protection Act signals that data privacy and security protections continue to be a priority. Moreover, with the emergence of technologies such as contact tracing apps and social distancing wearables, increasingly used in the workplace to help limit the spread of COVID-19, collection of sensitive data related to the virus is almost inevitable. Organizations should be assessing and reviewing their data collection activities, and ensuring that a robust data protection program and written information security program (WISP) are in place.

Examples of COVID19 Screening, Social Distancing, and Contact Tracing Technologies and Related Legal and Practical Issues

By Joseph J. Lazzarotti and Jason C. Gavejian on

As organizations work feverishly to return to business in many areas of the country, they are mobilizing to meet the myriad of challenges for providing safe environments for their workers, customers, students, patients, and visitors. Chief among these challenges are screening for COVID19 symptoms, observing social distancing, contact tracing, and wearing masks. Fortunately, innovators are rising to meet this need, developing a range of technologies – wearables, apps, devices, kiosks, AI, etc. – all designed to support these efforts. But, for many organizations, the question is what technologies are out there and what should they be thinking about in deciding to adopt one or more of them.

Wading through the wide variety of COVID19-related technologies can be like scrolling through your cable provider’s movie guide – lots of time spent, not sure what to choose. So, to help you get a quick, bird’s eye view of some of the kinds of technologies being developed and which may be available, please see our table of “Selected COVID19 Distancing, Screening, Contact Tracing, and Other Technologies” (Table)*

Needless to say, compiling, implementing, enforcing, and documenting extensive and sometimes conflicting federal, state, and local mandates and recommendations for screening, distancing, contact tracing, and mask wearing requires a significant and on-going effort. Technologies, such as those listed in the Table, can help.  Some of the features of these technologies include:

  • Wearables that alert the wearer that he or she is getting too close to a colleague may boost an organization’s efforts to adhere to distancing requirements.
  • Kiosks with thermal scanning capabilities may facilitate temperature screening in a faster more efficient way while minimizing contact that might further spread of COVID19.
  • Apps that track the locations of individuals could automate otherwise laborious manual contact tracing activities.

The advantages of these technologies can be substantial, quickening the path to compliance and opening the organization’s doors to business. However, organizations should proceed carefully to examine not only whether the particular solution will have the desired effect, but whether it can be implemented in a compliant manner with minimal legal risk. Below are some questions organizations should be considering:

  • What is the organization’s goal for the technology? If the goals of the organization is keep workers who may have COVID19 from entering its facility, then screening technologies are something the organization may consider.  However, if the goal is the identify other workers who may have been exposed to a COVID19 positive co-worker, the contact tracing technologies may be more appropriate.  To this end, it is important to consider the organizations goals prior to selecting technologies for implementation.
  • Does the technology work? For temperature taking/scanning technology, this may mean validation of the accuracy of the device.  When looking at contact tracing, accuracy will similarly be key in your efforts to identify co-workers who may be potentially impacted by COVID19.
  • Will the technology require employees to incur expenses that must be reimbursed? In some states, the implementation of this technology may require reimbursement if workers must incur costs or expenses as part of the implementation. For example, if an app requires an employee to have a mobile device for work purposes, expense reimbursement obligations with respect to that device may exist.
  • Is bargaining with the union required? As organizations look to these technologies, there may be numerous instances where the organization will need to consult, and possibly engage in bargaining with, the applicable union(s).  Depending on which technology is being contemplated may dictate whether the organization’s efforts are supported or challenged.
  • Is notice/consent required? This may be a difficult question to answer without having an understanding of the data that the technology is collecting. For example, collecting the geolocation of employees as well as their COVID status, and interactions with others all are likely elements of personal information under the California Consumer Privacy Act (CCPA) which applies to employees that reside in California if the organization is subject to the law.   Similarly, electronic tracking of workers or the collection of worker’s biometric information (facial scans, etc.) may require notice and/or consent depending on the state of implementation.  If the technology requires access to an employee’s personally-owned device, notice and consent are likely required, but most certainly a best-practice.  While many think HIPAA is implicated in the collection of workers’ temperature or responses to screening questions, this is often not the case unless a third-party provider or lab (i.e., a covered entity) is performing the screening, in which case an authorization is needed to share the results with the employer.
  • Will workers participate? Determining whether technology implementation may require notice or consent is discussed above.  However, if implementation and/or usage is voluntary the effectiveness of the technology in meeting the organizations goals may be substantially impacted. Regardless of whether implementation is voluntary or required, it is important for organizations to communicate with their workers to explain the goals of the technology, answer questions regarding same, and address concerns over privacy and relates issues in order to ensure buy-in and effectiveness.
  • How is data collected, shared, secured, returned? Understanding the answers to these questions are imperative in order to help ensure compliance. This is especially true as there are numerous laws which may be implicated when data is collected from workers.  These include the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), state laws, CCPA, and the General Data Protection Regulation (GDPR).  In addition to statutory or regulatory mandates, organization will also need to consider existing contracts or services agreements which may provide for or limit the collection, sharing, storage, or return of data.  Finally, whether mandated by law or contract, organizations should still consider best practices to help ensure the privacy and security of the data it is responsible for.
  • Are employees implementing the technology capable, trained? Should “managers” be viewing dashboards which provide extensive information about many of the organization’s workers? In these uncertain times an organization may be left with no choice other than to expand the list of individuals who may have access to workers’ personal information. However, when doing so organizations still need to be mindful of the ADA’s confidentiality requirements, discrimination, as well as state laws protecting against discrimination for lawful off-duty conduct (that may be discovered during the monitoring process). Addressing privacy and security obligations through a confidentiality agreement may be one way to help address these concerns.
  • What is the relationship with the vendor? The organization’s relationship with the vendor is established way of contract or service agreement. It is important for these contracts/agreements to include confidentiality, data security, and similar provisions.   This is most important if the vendor will be maintaining, storing, accessing, or utilizing the information collected about the organization’s workers.
  • When should we stop using the technology? The Equal Employment Opportunity Commission (EEOC) has said that currently COVID19 meets the ADA’s direct threat standard and thus organizations may screen, take the temperatures of, and test workers prior to permitting those workers onsite. The EEOC has not yet expressly addressed contact tracing.  As organizations look to the future, and the hopeful end to the COVID19 pandemic, they will need to consider when the state of the pandemic no longer supports the use of these technologies.  The EEOC may provide that guidance, however, organizations may still have reasons to continue utilizing some of these technologies.  For example, contract tracing may continue to help slow/limit spread within an organization.  Similarly, organizations may face contractual demands from customers or clients who are looking to limit future risks or outbreaks related to COVID19.  At points during this process, organizations also will need to consider whether and how long to retain the data collected.

In short, in 2020 we have extensive technology at our disposal and/or in development which may play a crucial role in helping organizations address COVID19, ensuring a safe and health workplace and workforce, and preventing future pandemics.  Nevertheless, organizations must consider the legal risks, challenges, and requirements with any such technology prior to implementation.

 

*As noted, the Table is for general information purposes only. We have sampled none of these products or services. Neither the selection of these products and services nor the exclusion of others is in any way intended as an endorsement of, or opposition to, any type of product, service, application, or any manufacturer. The listing is intended solely to provide readers with a general, high-level overview of the kinds of products being developed to address certain aspects of COVID19 remediation. This is by no means an exhaustive list. All readers must carefully evaluate their own specific needs for COVID19 mitigation and compliance, review the specific features and specifications of any technology being considered, configure and install same with qualified information systems specialists, and obtain experienced and informed legal counsel concerning the applicable legal and compliance requirements concerning the selection and implementation of any technology solution.  

Legislators and Regulators Weigh in On Privacy and Data Security Protections for Healthcare Providers Amid COVID-19 Pandemic

By Michael R. Bertoncini on

As they work to combat the surging COVID-19 virus, healthcare providers recently were reminded by legislators and regulators of the importance of data security and privacy protections.

On the data security front, U.S. Senators Richard Blumenthal, Tom Cotton, David Perdue, and Mark Warner recently wrote to the Director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (“CISA”) and the commanding general of the U.S. Cyber Command to express their “profound concerns” that healthcare providers are “facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” which “pose an alarming risk of disrupting or undermining our public health response at this time of crisis.” The Senators urged CISA and the Cyber Command to issue guidance and provide technical resources to deter these threats.

Beyond their general call for action, the Senators offered specific measures CISA and the Cyber Command should adopt to protect healthcare providers’ data security:

  1. Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.
  2. Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.
  3. Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.
  4. Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.
  5. Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election inference issued on March 2nd.
  6. Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

On the heels of this call for action on data security, the Office for Civil Rights (“OCR”) at the U.S Department of Health and Human Services issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information will be accessible without the patients’ prior authorization. In this guidance, the OCR reiterated that “it is not sufficient for a covered health care provider to require the media to mask patients’ identities when airing recorded video (such as by blurring, pixelation, or voice alteration), after the fact. Prior, express authorization from the patient is always required.” While this guidance does not break new ground, it serves as a timely reminder as newscasts focus daily on the efforts of healthcare providers to treat COVID-19 patients.

These are difficult times for healthcare providers, but even as they tackle the clinical demands of the COVID-19 pandemic, the developments discussed above demonstrate the importance of continuing to be vigilant in the enforcement of data security and privacy policies.

For more on recent privacy and cybersecurity updates for healthcare providers, check out some of our past blog posts:

U.S. Supreme Court Will Finally Weigh in on Scope of CFAA

By Jason C. Gavejian, Joseph J. Lazzarotti and Maya Atrakchi on

The United States Supreme Court recently granted a petition for certiorari in Van Buren v. United States addressing the issue of whether it is a violation of the Computer Fraud and Abuse Act (“CFAA”) when an individual who is authorized to access information on a computer, accesses the same information for an improper purpose. The Supreme Court will have a chance to resolve the long-standing circuit split regarding the scope of the CFAA. Some circuits (the 2nd, 4th and 9th) take a narrow view of the CFAA, allowing claims against employees who lacked any authorization to access information stored on computers, but not allowing claims against employees who were permitted access and misused that access for allegedly improper purposes. Other circuits (the 1st, 5th, 7th, and 11th) permit CFAA claims against employees for misusing information stored on the computer even though they otherwise were authorized to access such material.

Jackson Lewis’s Privacy, Data and Cybersecurity practice group, in conjunction with the Non-Competes and Protection Against Unfair Competition practice group, published an article on the Jackson Lewis website, explaining the Van Buren case and its potential impact.

Regardless of how the Supreme Court rules in Van Buren, employers should consider reviewing and clarifying their policies concerning which employees have access to what data, particularly in light of the spike in remote work.  We will monitor the Van Buren case and provide updates.

 

Out of Sight is Not Out of Mind – Monitoring Workers Working From Home

By Joseph J. Lazzarotti on

Maintain High Service Levels to Support for Work From HomeJust over a month ago, we provided a high-level checklist to help organizations think about critical issues as employees begin working from home to reduce the spread of COVID19. Consistent with “shelter-in-place”/”stay at home” orders, millions of workers that can are now working from home. However, out of sight is not out mind as many organizations want to be sure these workers remain productive. Periodic office visits to chat are not an option right now, but spyware and keylogging technologies are. Some employers are considering these technologies as they balance employee privacy with the need to manage their team and monitor productivity.

Distractions are easy to come by these days – the daily Gov. Cuomo briefing, kids also “working” from home, the latest firetruck birthday party, and the status of toilet paper deliveries.  For many workers, the idea of telecommuting itself is a distraction as they simply are not used to it on a regular basis. These and other distractions raise employers’ suspicion that workers are not being productive or as productive as they could be. But, productivity may not be the employer’s only goal. Protecting trade secrets, avoiding data breaches, finding ways to make remote work easier, and generally dissuading improper behavior are just some of the other drivers for increasing surveillance on remote workers.

Excessive, clumsy, or improper employee monitoring, however, can cause significant morale problems and, worse, create potential legal liability for privacy-related violations of statutory and common law protections. Advancements in technology have made it easier to monitor remote employees, and by extension easier to violate the law for employers that are not careful.

Spyware and keylogging are technologies that have been around for some time and can be attractive options for employers. In general, spyware is software that enables a user to obtain covert information about another’s computer activities by transmitting data covertly from their hard drive. This information could include screenshots from the other user’s computer. Screenshots could include, for example, text of “private” messages the employee believes she is sending to a social media friend. “Keyloggers” can be devices but are most often software designed to monitor and log all keystrokes. Like spyware, keylogging can covertly track a user’s keystrokes and obtain in the process private account credentials or confidential communications, and transfer that information to another computer.

This level of surveillance raises a number of legal and employee relations risks. Here are just a few.

  • California Consumer Protection Act (CCPA). Effective January 1, 2020, the CCPA currently applies to personal information of employees, at least until December 31, 2020. It requires that employees be provided a “notice at collection” – this is, a notice describing the categories of personal information (including network activity) that the company collects and the purposes that information is used. Businesses subject to the CCPA will need to be sure that this surveillance activity is appropriately covered in notices of collection for employees who reside in California.
  • State Social Media Password Protection Laws. Over 25 states have laws that prohibit employers from requesting or requiring employees to provide credentials to their online personal accounts. Deploying spyware or keylogging technologies arguably are not requests or requirements in the general sense. However, employers should consider how these laws may be interpreted and shape their approach accordingly.
  • Stored Communications Act. Accessing personal social media communications or other personal online account communications may run up against protections under the Stored Communications Act.
  • Taking action based on information obtained though the surveillance
    • Credit protection laws. Several states, such as California, Maryland, Nevada, have laws prohibiting employment discrimination on the basis of poor credit or payment histories. These laws were passed in reaction to the great recession and likely have increased relevance again today as more than 20 million workers have filed for unemployment.
    • Genetic Information Nondiscrimination Act (GINA). Learning about an employee’s family member suffering from a debilitating health condition or a contagious disease through spyware could raise issues under GINA. EEOC regulations except obtaining this genetic information through inadvertence, but if it was reasonably likely that such data would be collected or if the recipient continues to examine it or look for related information there is risk of a violation. Thus, just the collection of such information could be problematic under GINA, as well as using it for a discriminatory purpose.
    • ADA/State Protections for Medical Information. A similar analysis applies for medical information obtained through monitoring. However, the regulations are less specific under the ADA compared to GINA.
    • Safeguarding the Information Collected. A growing number of states have stringent requirements to maintain reasonable safeguards to protect personal information. The definition of personal information is not limited to SSNs. Medical information, online account credentials, credit card numbers, dates of birth all can be captured and stored using spyware, keylogging, and other surveillance tools.

What can organizations do?

  • Understand the technology. Organizations should avoid having their IT departments deploy these technologies without a careful review, one that involves appropriate persons outside the IT department. Input from HR and the Legal Department can be invaluable for minimizing legal risk and maintaining good employee relations and trust.
  • Acceptable Use and Electronic Communications Policy. When organizations decide to engage in any level of surveillance or search of employees, they should consider what their employees’ expectations are concerning privacy. In general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs employees on what they can expect when using the organization’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectation of privacy, as well as making clear the information systems and activity that are subject to the policy.
  • Monitoring the monitors. Employees asked to perform monitoring using these technologies can sometimes feel empowered and, believing they are helping the organization, make it easier for them to go too far in their surveillance, creating legal risk. For this reason and others, it is recommended that organizations maintain guidelines for these employees to help make clear boundaries that the organization has determined with counsel to be appropriate, and review compliance with those guidelines from time to time.
  • Be prepared to investigate. Surveillance may uncover nonperformance, irregular activity, malicious insiders, and other problematic activity that the organization needs to address. The time to lay out that process and how to further investigate is not when evidence of the activity is discovered. Organizations should be prepared to react to findings with a comprehensive investigation plan that involves the appropriate persons at the earliest time.

It may be that this high level of remote work will continue for a while, or considering this forced experiment, certain organizations will realize that they can remain very productive in some or all parts of their business while deriving enormous savings from utilizing this new “workplace.” Either way, managing that work will raise new challenges for management. When more advanced monitoring and surveillance tools are deployed, organizations need to plan carefully, have the right team in place, review policies and applicable state and federal law, and be prepared to address problems when they arise.

LexBlog