To celebrate Data Privacy Day, we present our top ten data privacy and cybersecurity predictions for 2023.

1. Healthcare and Medical Data Security and Tracking

The healthcare industry has been facing increased scrutiny for the protection of healthcare information both online and on apps.

2023 will see a significant increase in the number of lawsuits and perhaps OCR compliance reviews relating to medical information privacy and HIPAA, including new developments such as pixel and other tracking technologies. We will see more regulation of health apps and websites as the necessities and advantages of remote health care that were brought by the pandemic are considered further. 

Businesses in the healthcare industry should continue to work with counsel to review new ways of delivering healthcare services, including new technologies, with an eye toward the protection of medical information and privacy for patients. Building in protections from the outset can have significant advantages. Of course, medical device and technology companies also will need to consider how their devices and technologies could capture or affect medical information and the corresponding regulatory requirements and best practices.

2. A Patchwork of Legislation and Regulations Pertaining to Privacy and Cybersecurity

Currently, nine states are considering consumer privacy bills: Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee. This is already a complicated arena, as California, Colorado, Connecticut, Utah, and Virginia already have laws on the books.

More cities and states will implement cybersecurity regulations with a view toward data protection and privacy, including in specific industries. In 2022, for example, we saw government entities such as the Nevada Gaming Commission issue security regulations for regulated entities in the gaming industry. The New York State Bar now requires its members, lawyers practicing in New York, to complete annual continuing legal education in cybersecurity.

The Biden Administration released its regulatory agenda, which aims at new cybersecurity requirements for government contractors, the maritime industry, public companies, and others. The Securities and Exchange Commission has also set goals to enact new cybersecurity regulations.

It will be important in 2023 for businesses to be more aware than ever about the data they are collecting, why it is processed, and how it is stored and safeguarded in order to comply with the myriad of privacy laws around the country.

3. California, California, California

California will continue to be a leader in the data privacy space, with both the implementation of its first-in-the-nation comprehensive consumer privacy law and further enforcement actions under that law. California is sure to shape both state and national viewpoints on privacy requirements.

The California Privacy Protection Agency (CPPA) continues to work on revisions to regulations for the California Privacy Rights Act (CPRA). These changes are critical for covered organizations with respect to both their commercial activities and when functioning as an employer.

It does not stop there. Another first for California is that it is the first state to adopt a comprehensive law, AB 2273, addressing children’s online privacy.

4. Employee Privacy and Monitoring

As remote working remains mainstream, we will see more regulation on the monitoring of and privacy protections for employees. Last year, the NLRB’s General Counsel issued a memo on the electronic monitoring of employees. In the memo, the General Counsel suggested that employers establish “narrowly tailored” monitoring practices to address “legitimate business needs,” with the question being whether those business needs outweigh employees’ Section 7 interests. Even if the employer establishes that its narrowly tailored business needs outweigh those rights, the General Counsel nonetheless will “urge the Board to require the employer to disclose to employees the technologies it uses to monitor and manage them, its reasons for doing so, and how it is using the information it obtains,” unless the employer can establish special circumstances.

In some industries, “workplace” monitoring goes beyond the home office. Consider transportation and logistics. An increasing number of states are advancing legislation on digital license plates, which could include related vehicle tracking and related telematics technologies. California’s recent statute on vehicle tracking and fleet management creates significant obligations for employers monitoring their fleets using these technologies.

5. Federal Government to Join in Privacy Regulation

We’re going out on a bit of a limb here, as there have been predictions year after year that the federal government would enact a national privacy standard. Of course, none of those predictions came true. For sure, the federal government is on a much slower path toward joining the states in privacy regulation, but we definitely see the federal government continuing its efforts, whether via administrative regulations by the Federal Trade Commission or proposed legislation toward national privacy protection. Perhaps this is the year!

6. AI, Automated Decision Systems and Privacy

2022 saw a tremendous uptick in the attention to and use of AI and Automated Decision Systems, along with the potential effects of both in employment and related circumstances. Naturally, this raises significant privacy concerns among many stakeholders, including the Biden Administration. According to the framework issued by the White House in 2022 pertaining to the use of AI, data privacy was one of the five protections that individuals should be entitled to when using AI.

As the use of AI and automated decision systems continues to spread through industries and everyday life, how individuals’ privacy will be safeguarded will be a growing concern.

7. More privacy-related lawsuits

2023 will see more privacy-related lawsuits as privacy laws proliferate across the country.

We will continue to see more litigation under Illinois’ Biometric Information Privacy Act (BIPA) as plaintiffs’ attorneys find more places the law could apply, from dash cams to timekeeping. Other states may enact laws that fuel more litigation, as several states including Maryland, Mississippi, and New York are considering biometric privacy laws. The facial recognition ban enacted in the city of Portland a few years ago is beginning to see lawsuits filed under the ordinance.

While BIPA and the Telephone Consumer Protection Act (TCPA) continue to drive a significant amount of litigation, there is an emerging trend in cases seeking to apply newer technologies to privacy statutes such as the California Invasion of Privacy Act (CIPA), the Florida Telephone Solicitation Act (FTSA), the Video Privacy Protection Act (VPPA), and the Genetic Information Privacy Act (GIPA).

8. EU Continued Enforcement of Privacy Laws

Companies transferring personal data from the EEA (European Economic Area) to the U.S. may soon have an opportunity to leverage a new transfer mechanism. In October, President Biden signed Executive Order 14086 as part of the process to implement the EU-U.S. Data Privacy Framework (DPF), successor to the invalidated EU-U.S. Privacy Shield framework. The EU Commission has issued a draft decision that, upon adoption, will enable the DPF to proceed. In the meantime, the U.S. Department of Commerce announced it will help current U.S. Privacy Shield participants prepare to transition to the new framework.

In October, the European Data Protection Board approved Europrivacy, the first European Data Protection Seal. Europrivacy is a certification mechanism designed to help data controllers and processors demonstrate compliance with the GDPR.

Artificial Intelligence and data protection remain a top priority for the U.K. Information Commissioner’s Office. In November, the ICO published How to Use AI and Personal Data Appropriately and Lawfully. Earlier in the year, the EU Commission published an updated proposal for Laying Down Harmonised Rules On Artificial Intelligence (Artificial Intelligence Act). The proposal creates a legal framework and includes principle-based requirements for AI systems, harmonized rules for the development and use of AI systems, and a regulatory system.

9. Ransomware Attacks and Data Breaches Will Continue as Will Secondary Enforcement Actions

We will continue to see a flow of ransomware attacks, business email compromises, and other data breaches stemming from crafty hackers and cybersecurity lapses. In addition to business interruption costs and direct expenses incurred to respond to the incident, organizations will likely face more enforcement actions as states continue to tighten their data breach notification requirements.

Organizations cannot prevent all attacks from happening, but they can redouble their efforts around regulatory compliance, preparedness, and incident response planning. The stronger an organization is in these three areas, the more successful it likely will be in resolving a government agency enforcement action relating to a data breach.

10. More Focus on Critical Infrastructure Sector When it Comes to Cybersecurity and Privacy

In 2022, we saw the passage of federal legislation, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, included within the Consolidated Appropriations Act, 2022. In short, the law requires certain entities in the critical infrastructure sector to report to the Department of Homeland Security (DHS):

  1. a covered cyber incident not later than 72 hours after the covered entity reasonably believes the incident occurred, and
  2. any ransom payment within 24 hours of making the payment as a result of a ransomware attack (even if the ransomware attack is not a covered cyber incident that must be reported).

Because of the ongoing threats to critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) has started to focus more on this sector, as small to medium-sized providers have been under threat. Recently, CISA stated in its review of 2022 that the agency would home in on “target-rich, resource-poor entities” such as small water facilities that are part of critical infrastructure but don’t have large security teams.

For these reasons and others, we believe data privacy will continue to be at the forefront of many industries in 2023.

Happy Privacy Day!

The Colorado Privacy Act (CPA), effective July 1, 2023, provides expansive protections to the personal data of Colorado residents acting in an individual or household context (a “consumer”). Similar to the California Consumer Privacy Act (CCPA), the CPA requires providing notice of an entity’s (“controller”) data collection activities, provides for consumer rights including the right to opt out of certain processing, and creates an affirmative duty to safeguard personal data. Notably, the CPA does not apply to employee personal data or data collected in a commercial context. 

On December 22, 2022, the Colorado Attorney General published Version 2 of Proposed Draft Rules for implementing the CPA and invited public comment. A rulemaking hearing on the proposed rules is scheduled for February 1, 2023.

While not an exhaustive list, the Proposed Draft Rules:

  • provide an extensive list of defined terms;
  • set forth presentation and accessibility requirements for consumer disclosures and notices (e.g., readable on all devices, straightforward and accurate, accessible to the target audience);
  • address the exercise of personal data rights (e.g., opt-out, access, correct, delete, and port data) and authentication of requests (i.e., establishing reasonable methods to authenticate a consumer based on the specific rights exercised, the risk of harm from improper access and the value, amount, and sensitivity of the personal data associated with the request);
  • require using a universal opt-out mechanism that enables opting out of processing for targeted advertising or the sale of personal data in an affirmative, freely given, and unambiguous manner; prohibit universal opt-out mechanisms that are pre-installed or enabled as a default setting, since those do not constitute freely given, affirmative consent to opt out; and include technical specifications;
  • address privacy notice content (e.g., disclosing the processing purpose; whether the data is sold, used for targeted advertising, or used for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; data rights, etc.);
  • detail use of loyalty programs (e.g., prohibiting an increase in cost or decrease in the availability of a product or service based on a consumer’s exercise of a right; permitting a controller to offer bona fide loyalty program benefits based on a consumer’s voluntary participation);
  • detail duties regarding processing sensitive data (i.e., obtaining consent);
  • outline the affirmative obligation to safeguard consumer personal data;
  • set forth requirements for valid consent (e.g., informed, affirmative, freely given, specific and unambiguous);
  • detail the performance of a data protection assessment (e.g., identify and describe the heightened risk of harm to a consumer posed by processing; document measures taken to offset those risks; and demonstrate the benefits of processing outweigh the risks as offset by implemented safeguards).

The following non-exhaustive list notes substantive changes to the Proposed Draft Rules in the recently published Version 2. These changes: 

  • add key definitions (e.g., “employee”, “employer”, and “employment records”, since the CPA does not apply to data maintained for employment purposes; “non-commercial purpose”, since the CPA applies to entities that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado consumers); amend “biometric identifiers” to mean data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed to uniquely identify an individual, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics. The definition of biometric identifier is significant since consumer consent must be obtained prior to collecting biometric data;
  • permit delayed compliance with a consumer’s request to correct data when the data is archived or in backup systems;
  • detail the scope and application of a universal opt-out mechanism including an affirmative obligation to safeguard data processed with respect to the use of a universal opt-out mechanism;
  • provide controllers with six (6) months to recognize mechanisms added to the public list of recognized universal opt-out mechanisms published by the Colorado Department of Law;
  • provide examples of substantive or material changes that require a controller to notify a consumer of changes to its privacy policy (e.g., changes to categories of personal data processed or processing purposes, the controller’s identity, or methods to exercise consumer rights);
  • list considerations for identifying and incorporating reasonable and appropriate safeguards for personal data;
  • require that an interface used to request consumer consent include specific disclosures;
  • detail when the controller must refresh consent received from a consumer to process certain personal information;
  • prohibit consent interface designs that subvert or impair user autonomy or decision-making, or that manipulate or coerce the consumer into providing consent;
  • replace the phrase “similarly significant effects concerning a consumer resulting from profiling” with specific examples (e.g., denial of financial or lending services, housing); and
  • permit the use of a profiling-related data protection assessment performed for purposes of another jurisdiction’s law to satisfy CPA requirements when the assessment is reasonably similar in scope.

The CPA rulemaking process is ongoing and, similar to California’s draft regulations, it is anticipated that Colorado’s Proposed Draft Rules will undergo further revisions prior to July 1, 2023. Jackson Lewis will continue to track updates to the CPA and Proposed Draft Rules. For additional information on the CPA and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Much is being written about “remote work” – is it productive, will demand for it continue or be curtailed in a recession, is cybersecurity compromised, does it inhibit workplace culture, collaboration, etc. Lots of questions, few clear answers. The discussion seems largely centered on office workers, professional services providers like me, who generally can perform the basic functions of our jobs just about anywhere.

But “virtual” nurses?

Well, yes, this should not come as a surprise, considering the growth of telehealth, in particular during the COVID-19 pandemic. For many reasons, using digital information and communication technologies to deliver healthcare services can provide enormous benefits to the overall healthcare system. Indeed, predictions from many leaders in healthcare see expanded use of remote patient care and monitoring, along with other technologies such as artificial intelligence, robotics, and wearables.

As with any significant shift in an organization’s business model, however, there are likely to be some challenges and risks. Among those risks is that individually identifiable health information of patients can become potentially more vulnerable in a remote work environment.

Keep in mind that large health systems are not the only providers of healthcare that can benefit from the virtual delivery of certain healthcare services, including patient monitoring. Similar benefits can be derived by “home” healthcare providers, mental health counselors and therapists, surgical practices, other categories of providers, and their patients. Yet, many of the same data-related risks and compliance challenges remain:

HIPAA Compliance. There are many aspects of the HIPAA privacy and security regulations that need to be considered. Covered entities should conduct and document a risk assessment to understand the threats and vulnerabilities of a new or enhanced remote work arrangement (including new devices and equipment that facilitate the arrangement). Policies and procedures may need to be amended or created based on the findings of the assessment, such as enhanced security and training, review of remote work environment, revisions to data retention and destruction procedures, and procedures related to a change or termination of a remote worker’s employment.

Contractual Requirements. Providers may have contract obligations limiting their ability to deliver services remotely. It is not uncommon to see contract terms that prohibit storing protected health information outside the US, for instance. Providers need to understand whether remote worker services are within the scope of such agreements, and what needs to be done to comply.

Insurance Coverage. In the case of a security incident or data breach, a cyber insurance policy can be vitally important to a healthcare organization. Verifying coverage applies to a new remote work arrangement is better performed before the incident than in the middle of the investigation.

The “Remote Work” policy. Providers need to think about the environment healthcare workers will be working in when remote, and what policies are necessary and prudent. Clearly, secure connections are needed for workers to be able to access patient data, communicate with patients, and satisfy charting, reporting, billing, and other related obligations.

Questions about work location, access to systems, distractions, monitoring, and others require a careful look at the effectiveness of an organization’s remote work policy. Recall that protecting patient data is not limited to confidentiality and security; the integrity of medical data is vital. It goes without saying, however, that the issues here extend beyond data privacy and security to include employee relations, patient relations, efficiency, compliance with wage and hour laws, ease and effectiveness of management, and productivity, to name a few.

Monitoring performance. A significant concern for managers of remote workers is the ability to manage – being able to train newer workers, coach more senior workers, and monitor performance, among other things. Again, technology can be helpful here, but it can raise additional risks. Recording calls, tracking employee keystrokes on the system, capturing screenshots, and requiring employees to remain on camera during work hours can all be effective monitoring tools. However, they can come with compliance requirements, significant legal risks, and employee relations challenges. Providers also need to consider who monitors the monitors. Monitoring is a task that often falls to the IT department, and it can invite abuse even when the activity is well-intended.

Delivering healthcare remotely is an exciting development and promises to deliver enormous benefits, particularly for a national and dynamic healthcare system facing staffing shortages and other systemic challenges. However, care needs to be taken when implementing to help minimize legal and compliance risks, and to maintain a high level of care, patient satisfaction, accessibility, and employee relations.

In 2021, New York City enacted a measure that banned the use of Automated Employment Decision-Making Tools (“AEDT”) to (1) screen job candidates for employment, or (2) evaluate current employees for promotion, unless the tool has been subject to a “bias audit, conducted not more than one year prior to the use of the tool.” The law also required certain notifications regarding the use of AEDTs to be made to job seekers. The measure, known as Local Law 144 of 2021, was set to take effect on January 1, 2023.

In September 2022, the NYC Department of Consumer and Worker Protection (DCWP) issued guidance about the new ordinance and announced it was hosting an initial public hearing. Following the hearing, DCWP announced the law would not be enforced until April 1, 2023, due to the large number of public comments it received in response to prior hearings.

At the end of December 2022, DCWP released revised proposed rules to implement the ordinance and scheduled a further public hearing for January 23, 2023. These proposed rules modify the initial proposed rules. The comment period for the proposed regulations will remain open until January 16, 2023.

Here are some of the important highlights of the recently released rules:

Modification of the Definition of Automated Employment Decision Tools (AEDT)

Under the ordinance, an AEDT is defined as any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision-making employment decisions that impact natural persons.

The latest proposed rules seek to clarify this definition by stating that the phrase “to substantially assist or replace discretionary decision making” means:

  (i) to rely solely on a simplified output (score, tag, classification, ranking, etc.), with no other factors considered;
  (ii) to use a simplified output as one of a set of criteria where the simplified output is weighted more than any other criterion in the set; or
  (iii) to use a simplified output to overrule conclusions derived from other factors, including human decision-making.

Clarification Regarding Bias Audits

The proposed rules also aim to clarify the meaning and scope of bias audits and independent auditors.

Bias Audits – The proposed rules indicate that historical data may be used to conduct a bias audit. Notably, if there is insufficient historical data to conduct a statistically sound bias audit, test data may be used. But if test data is utilized, the required bias audit summary must explain the reason(s) historical data was not used and describe how the test data used was generated and obtained. And if multiple employers are using the same AEDT, they may rely upon the same bias audit so long as they provide historical data, if available, for the independent auditor to consider in such bias audit. Employers must ensure that they are relying on bias audits that are no more than one year old.

Independent Auditors – The proposed rules further seek to end any uncertainty as to what constitutes an “independent auditor.” Under the new definition, an “independent auditor” may not be employed by, or have a financial interest in, an employer or employment agency that seeks to use or continue to use an AEDT, or a vendor that developed or distributed the AEDT.

Understandably, these changes only represent a fraction of the proposed rules that will be discussed at the upcoming hearing.

Jackson Lewis will continue to track guidance and changes pertaining to regulations pertaining to AI and automated decision-making. If you have questions about the NYC ordinance or related issues, contact a Jackson Lewis attorney to discuss.

Continuing its initiative regarding the use of data, automated processes, and artificial intelligence (“AI”), the U.S. Equal Employment Opportunity Commission (“EEOC”) is holding a hearing on January 31, 2023 to examine the use of automated systems and AI in employment decisions.

This in-person hearing will begin at 10:00am EST on January 31 at the EEOC headquarters in Washington, DC and will be livestreamed. There is also an option for listening via telephone.

Read the full article on Jackson Lewis’ Data Intelligence Reporter.

Last month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a bulletin with guidance concerning the use of online tracking technologies by covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). The OCR Bulletin follows a significant uptick in litigation concerning these technologies in industries including but not limited to healthcare. For healthcare entities, the allegations relate to the sharing of patient data obtained from patient portals and websites.

THE OCR BULLETIN

A Few Reminders

Before digging into the OCR Bulletin, let’s remember a few basic HIPAA rules:

  • In general, the HIPAA privacy and security regulations (the “HIPAA Rules”) apply only to “covered entities” and “business associates” (we’ll call these “regulated entities”).
  • The HIPAA Rules apply to “protected health information” (PHI), which generally includes individually identifiable health information. That is, health information that relates to the individual’s past, present, or future health, health care, or payment for care, including demographic information. See 45 CFR 160.103.
  • Regulated entities can use or disclose PHI without an individual’s written authorization only as expressly permitted or required by the HIPAA Rules. See 45 CFR 164.502(a).

Definition of Tracking Technologies and Their Uses

As discussed in the OCR Bulletin, an online tracking technology is

a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app

Examples of these tracking technologies on websites include cookies, web beacons, or tracking pixels. Mobile apps may use tracking technologies such as tracking codes within the app, as well as captures of device-related information. As noted in the Bulletin,

For example, mobile apps may use a unique identifier from the app user’s mobile device, such as a device ID or advertising ID. These unique identifiers, along with any other information collected by the app, enable the mobile app owner or vendor or any other third party who receives such information to create individual profiles about each app user.

Tracking technologies, whether developed internally or by third parties, are used by website or mobile app owners for various reasons, including to better understand the user experience on their site or app. Technologies developed by third parties may be able to track users and gather information after they navigate away from the original site. The OCR Bulletin focuses on third-party tracking technologies.

Why Do Tracking Technologies Trigger HIPAA?

When a regulated entity uses tracking technologies developed by a third party vendor on its mobile app or website, such use may result in the collection and/or disclosure of PHI to the third party.

The Bulletin states:

All such IIHI collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.

(emphasis added.) So, according to OCR, individuals with or without an existing patient relationship with the regulated entity could be sharing PHI with the entity (or a third party) through its website tracking technologies. This information might include an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, etc.

Notably, not all such technologies will be collecting identifiable information. The Bulletin recognizes a distinction between user-authenticated and unauthenticated webpages. User-authenticated pages require a user to log in before access to the regulated entity’s page. According to the Bulletin, information collected on a user-authenticated webpage will be presumed to be PHI and subject to HIPAA.

Many regulated entities maintain unauthenticated webpages – those that do not require a log in for access. Typically, these are sites that provide general information only – locations, descriptions of services, policies and procedures, etc., and generally do not have access to PHI. For unauthenticated web pages, the determination is more detailed, as tracking technologies on such webpages typically would not have access to PHI. However, regulated entities should be aware that tracking on such pages could capture PHI. Information collected on pages that address specific symptoms or health conditions, or that permit a visitor to search for a doctor or schedule an appointment, may qualify as PHI where, for example, the visitor’s email address or IP address is also captured.

Importantly, the Bulletin clarifies that the HIPAA Rules do not apply to websites or mobile apps that are developed or offered by entities that are not regulated entities. For instance, a mobile app provider may offer individuals an online repository or tracking feature for their sensitive health information. If that provider is not a regulated entity, the HIPAA Rules do not apply, although other federal and/or state laws may, such as the Federal Trade Commission (FTC) Act or state comprehensive privacy laws, such as the California Consumer Privacy Act. Notably, in September 2021, the FTC issued a policy statement confirming that covered companies (e.g., certain health apps) that hold fertility, heart health, glucose levels and other health data must notify consumers in the event of a breach.

HIPAA Obligations When Using Tracking Technologies

When a regulated entity uses tracking technologies on its website(s) or mobile app(s), it may have obligations under the HIPAA Rules. While we cannot cover all of those requirements here, we summarize some key obligations:

  • Investigate whether the site or app has access to PHI. As noted above, do not assume that because the site is unauthenticated or only collects email addresses, it is not collecting PHI.  
  • Ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
    • Remember that if a disclosure of PHI requires an authorization under HIPAA, website privacy policies and website banners that ask users to accept or reject the use of tracking activities, standing alone, will be unlikely to constitute a valid authorization.
    • If a tracking technology vendor is creating, receiving, maintaining, or transmitting PHI on behalf of a regulated entity for a covered function, it will likely be considered a business associate. In that case, a business associate agreement may need to be in place between the regulated entity and the vendor.
  • Address the use of tracking technologies in the entity’s risk analysis and risk management processes, and implement safeguards in accordance with the HIPAA Security Rule.
  • Provide breach notifications to affected individuals and the OCR if impermissible disclosures of PHI occur via tracking technology.

LITIGATION.

During 2022, litigation concerning the use of website tracking technologies increased significantly. In one report, a health system settled claims for $18 million, while in another case the plaintiffs alleged that over 650 hospital system or medical provider websites use the Meta Pixel tracking tool and have transmitted visitor data from those sites to Meta.

The trend does not just involve HIPAA regulated entities or HIPAA. According to a Bloomberg Law analysis, between February and October 2022, at least 47 proposed class actions were filed alleging transfers of “personal video consumption data from online platforms to Facebook without their consent,” in violation of the federal Video Privacy Protection Act.

For regulated entities under HIPAA, it is little comfort that HIPAA does not provide individuals a private right of action. Plaintiffs are using other paths under related federal and state laws to advance their claims. The trend is growing, but there are steps regulated entities can take to address these risks.

NEXT STEPS

Covered entities and business associates should conduct an audit of any tracking technologies used on their websites, web applications, or mobile apps and determine whether they are being used in a manner that complies with HIPAA. Such tracking technologies should be included in the HIPAA risk analysis and risk management process.
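A practical starting point for the audit described above (and for the first obligation listed earlier, not assuming an unauthenticated page is tracker-free) is a static scan of each page’s markup. The script below is an added example written for this post; it is not code from Jackson Lewis, OCR, or any tracking vendor. It lists every third-party script, image pixel and iframe a page loads, names the vendor where the host is one of a few well-known tracking domains (that list is an assumption and is not exhaustive), detects the inline `fbq(...)` bootstrap that the Meta Pixel uses, and flags the page as a PHI risk when a tracker is present on a page that also collects identifiers such as an email or phone field or an appointment form. The two sample pages are constructed for the example.

```python
"""Static audit of an HTML page for third-party tracking technologies.

Added example for this post (not Jackson Lewis's, OCR's, or any vendor's code).
It scans markup for third-party scripts, pixels and iframes, flags hosts that
belong to well-known tracking vendors, and notes whether the same page collects
identifiers (email/phone fields, scheduling forms) that could make the tracked
data PHI. KNOWN_TRACKER_HOSTS is an assumed, non-exhaustive list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of well-known tracking hosts; extend it from your own vendor inventory.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image fallback)",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

IDENTIFIER_INPUT_TYPES = {"email", "tel"}                 # <input type=...> that collect identifiers
IDENTIFIER_NAME_HINTS = ("email", "phone", "dob", "patient")   # substrings of input name= attributes


class _Scanner(HTMLParser):
    """Collects loaded resources, inline script bodies and form inputs."""

    def __init__(self):
        super().__init__()
        self.resources = []   # (tag, src)
        self.inline_js = []   # bodies of <script> tags without src
        self.inputs = []      # (type, name)
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"]))
        if tag == "script":
            self._in_inline_script = not a.get("src")
        if tag == "input":
            self.inputs.append(((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_js.append(data)


def audit_page(html, page_url):
    """Return trackers found on one page and whether the page also collects identifiers."""
    first_party = urlparse(page_url).hostname
    scanner = _Scanner()
    scanner.feed(html)

    trackers = []
    for tag, src in scanner.resources:
        host = urlparse(src).hostname
        if not host or host == first_party:
            continue   # relative or same-origin resource: the visitor's IP stays with the entity
        trackers.append({"tag": tag, "host": host,
                         "vendor": KNOWN_TRACKER_HOSTS.get(host, "unknown third party")})

    # The Meta Pixel is usually installed as an inline snippet that defines fbq() and
    # injects fbevents.js, so the <script src> check alone would miss it.
    if "fbq(" in "\n".join(scanner.inline_js):
        trackers.append({"tag": "inline", "host": "connect.facebook.net",
                         "vendor": "Meta Pixel (fbq bootstrap)"})

    collects_identifiers = any(
        t in IDENTIFIER_INPUT_TYPES or any(h in n for h in IDENTIFIER_NAME_HINTS)
        for t, n in scanner.inputs
    )
    return {
        "url": page_url,
        "trackers": trackers,
        "collects_identifiers": collects_identifiers,
        # Tracker + identifier on the same page: the Bulletin's "may be PHI" scenario.
        "phi_risk": bool(trackers) and collects_identifiers,
    }


# Constructed sample pages (not real sites). PIXEL_ID and GTM-XXXX are placeholders.
SAMPLE_APPOINTMENT_PAGE = """<html><head>
<script>fbq('init', 'PIXEL_ID'); fbq('track', 'PageView');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
</head><body>
<form action="/schedule"><input type="email" name="email"><input name="condition"></form>
</body></html>"""

SAMPLE_LOCATIONS_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Our locations</h1><img src="/static/map.png"></body></html>"""


def run_audit():
    """Audit the two constructed pages as if hosted on an assumed first-party domain."""
    return [audit_page(SAMPLE_APPOINTMENT_PAGE, "https://hospital.example/schedule"),
            audit_page(SAMPLE_LOCATIONS_PAGE, "https://hospital.example/locations")]


if __name__ == "__main__":
    for result in run_audit():
        print(result["url"], "PHI risk:" if result["phi_risk"] else "no trackers with identifiers:",
              [t["vendor"] for t in result["trackers"]])
```

Two caveats worth keeping in mind. A static scan only sees what the markup declares: a tag manager such as the one flagged above can load further trackers at runtime, so the audit should be repeated against the rendered page in a browser with network capture. And the tool treats every third-party host as a tracker for a reason: even a request that carries no form data discloses the visitor’s IP address and the page URL to that host, which is exactly the combination the Bulletin says may be PHI on a symptom, provider-search or scheduling page.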

Covered entities should review tracking technology vendor agreements and ensure a business associate agreement is in place where required, to avoid a potential impermissible disclosure of protected health information.

If through an audit it is found that tracking technologies are being used in a manner not compliant with HIPAA, notification may be required under HIPAA and applicable state law.

If you have questions about HIPAA compliance or related issues contact a Jackson Lewis attorney to discuss.

It usually happens after a reported data breach. The organization experiencing the breach sends notifications to affected individuals, as well as to federal and/or state agencies where appropriate and perhaps other parties. Not long thereafter, the organization receives an inquiry from one or more government agencies. These inquiries typically seek more information about the breach and the incident response process, but also about the nature and extent of the organization’s data security policies and procedures in place prior to the breach. Deficiencies in any of these areas could support getting “whacked”!

On December 16, Pennsylvania’s Attorney General and soon to be Governor, Josh Shapiro, announced a settlement with a company that experienced a data incident in April 2021 that exposed 30,295 Pennsylvania consumers’ payment card information. Following an investigation jointly conducted by Mr. Shapiro’s office and its counterpart in New York, it was determined that the company “failed to properly employ reasonable data security measures in protecting consumers’ payment card information.”  The forensic investigation revealed that in December 2020, an unknown hacker exploited a vulnerability in the company’s web servers that allowed them to steal customers’ payment card information and other personal information.

The company has agreed to pay $100,000 each to both the Pennsylvania and New York Attorneys General Offices. It also agreed to implement several security policies designed to protect consumer personal information including: (i) designating an employee to coordinate and supervise its information security program; (ii) conducting annual security risk assessments of its networks; and (iii) conducting annual employee training.

Businesses are increasingly facing a multitude of data privacy and security frameworks. Healthcare providers, for example, have to consider the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its privacy and security regulations, as well as more stringent state regulation. Of course, healthcare providers that process credit or debit cards for payment, also will have to consider the applicable provisions of the Payment Card Industry Data Security Standard (“PCI DSS”). A restaurant in New York will very likely need to consider the PCI DSS rules, but also the NY SHIELD Act when it considers what safeguards it needs to protect personal information. An insurance broker or agent also may have several frameworks to evaluate, such as HIPAA, if it is a business associate, and depending on the state of operation, that state’s version of the NAIC Data Security Model Law (nearly half of the states have adopted a version of this law).

In connection with his office’s announcement, AG Shapiro stated,

“Every corporation that does business in Pennsylvania needs to stay alert and protect their customer’s personal data or they will have to answer to my office in court.”

Pennsylvania Senior Deputy Attorney General Tim Murphy shared the announcement of the settlement on LinkedIn, noting,

Here is another data breach settlement following a joint investigation with my friends from the NY Office of Attorney General. My colleagues in the cyber community (especially insurers) should take note that some AG offices are going to keep whacking companies who lack basic components of an information security program.

Data breaches are difficult if not impossible to prevent in all cases, even when significant efforts are made to prevent them. When a breach happens, organizations should be prepared to respond, but also be positioned to avoid getting “whacked” should federal and/or state agency investigations follow. They can bolster their position in those cases with a strong compliance program that includes, among several other things, becoming more aware of their compliance requirements; conducting risk assessments; shaping their policies and procedures based on those assessments; documenting their processes, policies, procedures; and training employees.

Happy New Year and good luck in 2023!

On December 22, 2022, the Nevada Gaming Commission (NGC) adopted regulations creating new cybersecurity requirements for certain gaming operators. This action joins agencies in other jurisdictions moving quickly to protect consumers and their personal information in the gaming industry. The NGC adopted the October 17, 2022 version of the regulations, which become effective January 1, 2023.

Below is a summary of the new rules:

In general.

  • Gaming operators must take “all appropriate steps to secure and protect their information systems from the ongoing threat of cyber attacks,” including satisfying the requirements of chapter 603A of Nevada Revised Statutes (NRS).
  • The obligations apply to the operators’ own information, as well as the “personal information” of their patrons and employees as defined in NRS 603A.040.
  • In general, the rules apply to certain covered entities – those that hold:
    • a nonrestricted license as defined in NRS 463.0177 and deal, operate, carry on, conduct, maintain, or expose for play any game defined in NRS 463.0152 (e.g., games played with cards, dice, equipment or any mechanical or electronic device or machine, such as monte, roulette, keno, bingo, blackjack, poker, baccarat, or slot machines); or
    • a gaming license that allows for the operation of a race book or a sports pool, or permits the operation of interactive gaming.
  • Covered entities must document in writing all procedures taken to comply with this section and the results thereof, and must maintain all such records for a minimum of five years from the date they are created. Such records must be provided to the Nevada Gaming Control Board (Board) upon request. 

Risk assessment and adoption of cybersecurity best practices.

  • Covered entities must conduct an initial risk assessment and develop the cybersecurity best practices they deem appropriate. Examples of such best practices include, without limitation, CIS Controls Version 8, COBIT 5, ISO/IEC 27001, and NIST SP 800-53.
  • After the initial risk assessment, covered entities must continue to monitor cybersecurity risks to their business and make appropriate modifications.  
  • For the initial assessment and ongoing monitoring, covered entities may use affiliated entities or third parties with appropriate expertise in cybersecurity.
  • Covered entities have until December 31, 2023, to fully comply with these assessment and best practice requirements.

Incident response.

  • Provide written notice to the Board as soon as practicable but no later than 72 hours after becoming aware of a cyber attack to the covered entity’s information system resulting in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence.
  • A “cyber attack” means any act or attempt to gain unauthorized access to an information system for purpose of disrupting, disabling, destroying, or controlling the system or destroying or gaining access to the information contained therein. Notably, under these regulations, a cyber attack is not solely an incident resulting in unauthorized access or acquisition of personal information.
  • Covered entities must investigate the cyber attack (or engage a third party to do so), prepare a report documenting the results of the investigation, inform the Board the report is completed, and provide a copy to the Board upon request. Reports must include, without limit, the root cause of the cyber attack, the extent of the cyber attack, and any actions taken or planned to be taken to prevent similar events in the future. Many such investigations are performed at the direction of counsel and designed to be privileged. Covered entities need to think carefully about how they structure their investigations and related activities.

Additional requirements for Group I licensees under subsection 8 of regulation 6.010.

  • Designate a qualified individual to be responsible for developing, implementing, overseeing, and enforcing the covered entity’s cybersecurity best practices and procedures described above.
  • Perform, at least annually, observations, examinations, and inquiries of employees to verify compliance with cybersecurity best practices. The annual review may be performed by internal auditors or by an independent third party with expertise in cybersecurity. Documents prepared by the internal auditor must be retained as described above.
  • Engage an independent accountant or other independent entity with cybersecurity expertise at least annually to (i) perform an independent review of the covered entity’s best practices and procedures and (ii) attest in writing that those practices and procedures comply with the requirements of Section 5.260 Cybersecurity of the NGC’s Regulations. The covered entity must retain the written attestation and any related documents as described above.

Gaming is not the only industry seeing a strengthening of regulations concerning privacy and cybersecurity. A few years ago, for example, we discussed an uptick in state regulation of the insurance industry with several states adopting the NAIC’s Model Security Law. Today there are over 20 states that have adopted the NAIC model law. Finance, healthcare, professional services, etc. all are seeing an uptick in industry-specific regulation, which shows no sign of slowing.


As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular posts of 2022:

1. California Consumer Privacy Act FAQs: Employment Information

As the California Privacy Rights Act moves toward taking effect and exceptions applying to employment-related data expire, employers have questions about handling privacy when it comes to employee information.

2. “Get a Life” – Another Dentist Responds to Patient’s Online Review, This Time Faces a $50,000 OCR Penalty

The Office for Civil Rights (OCR) recently announced four enforcement actions, one against a small dental practice that imposed a $50,000 civil monetary penalty under HIPAA. The OCR alleged the dentist impermissibly disclosed a patient’s protected health information (PHI) when the dentist responded to a patient’s negative online review. 

3. California Tightens Rules on Vehicle Tracking, Fleet Management

In September 2022, Governor Gavin Newsom signed into law AB-984, which becomes effective January 1, 2023. The law builds on other privacy protections in California, such as the California Consumer Privacy Act and Penal Code Sec. 637.7. Section 637.7 prohibits using an electronic tracking device to determine the location or movement of a person; however, it does not apply when the vehicle owner (e.g., the employer) has consented to the use of the device.

4. Does Your Cyber Insurance Policy Look More Like Health Insurance?

Many factors are driving up the cost of cyber insurance policies including increases in ransomware attacks and the cost of business interruption from those attacks. Moreover, carriers are giving more scrutiny to the practices and procedures of the companies they insure. As such, companies need to consider their cyber security controls to assist in obtaining and maintaining coverage.

5. $600,000 Reasons To Review Your SHIELD Act Compliance Program: NY Attorney General Announces Significant Settlement Stemming From Email Data Breach

On January 24, 2022, New York Attorney General Letitia James announced a $600,000 settlement agreement with EyeMed Vision Care, a vision benefits company, stemming from a 2020 data breach compromising the personal information of approximately 2.1 million individuals across the United States, including nearly 99,000 in New York State.

6. The RIPTA Data Breach May Provide Valuable Lessons About Data Collection and Retention

There is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.

7. From Time Keeping to Dashcams, BIPA Litigation Continues

Litigation under the Illinois Biometric Information Privacy Act (BIPA) continues to heat up, encompassing litigation about timekeeping systems that use fingerprints to dashcams.

8. Utah Becomes Fourth State to Enact A Comprehensive Privacy Law

Utah joined California, Colorado, and Virginia in passing a consumer privacy statute. The Utah Consumer Privacy Act takes effect on December 31, 2023.

9. Does a Poor ESG, Social Responsibility Rating Increase an Organization’s Cyber Risk?

With ransomware and other cyber threats top of mind for most in the c-suite these days, a question frequently raised is whether a particular organization is a target for hackers. Of course, nowadays, any organization is at risk of an attack, but the question is whether some organizations are targeted more than others. An Insurance Journal article discusses a paper published in September 2021 that identifies a factor that could elevate the risk of being targeted, a factor many in cyber might not have expected, “greenwashing.”

10. Connecticut Likely to Become Fifth State to Enact Comprehensive Consumer Privacy Law

Connecticut prepared and eventually passed the “Act Concerning Personal Data Privacy and Online Monitoring,” which will take effect July 1, 2023.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on these topics, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

In a recent opinion, Henderson v. The Source for Public Data, L.P., et al., the U.S. Court of Appeals for the 4th Circuit considered whether Section 230(c)(1) of the Communications Decency Act (CDA) – a federal law that allows social media websites to provide a forum for users to post videos or other information without holding the owner of the website responsible for the content of the uploaded material – likewise shields online aggregators of public records from liability as a Consumer Reporting Agency under the Fair Credit Reporting Act (FCRA). Disagreeing with the District Court, the Court of Appeals held that Section 230 did not apply because the online aggregator was an “information content provider that provided the improper information” and was not merely providing a forum for its users to upload information.

In Henderson, defendants were in the business of gathering publicly available information including criminal and civil records, voting records, driving information, and professional licensing, aggregating the information, and selling it to third parties. Defendants acknowledged the data they sold was used to determine an individual’s creditworthiness and perform background checks for employment purposes. The plaintiffs, job seekers who had background checks done on them by the online aggregators, filed claims under the FCRA, asserting that the online aggregators were producing “consumer reports” but not complying with the technical provisions of the FCRA, such as providing the plaintiffs with copies of their “consumer reports” upon request.

At the district court level, the defendants sought dismissal of the claims, arguing that they were protected by Section 230 of the CDA. The district court agreed and granted the defendants’ dispositive motion.

On appeal, the 4th Circuit held that the activities of the online aggregators did not fall within the scope of protection provided by Section 230. The panel held that the defendants contributed in a material way to what made the online content inaccurate. The panel opinion stated that the defendants made substantive changes to the records’ content that materially contributed to the records’ unlawfulness, making the defendants a content provider for the information and therefore not entitled to protection under Section 230.

This opinion will likely have an impact on whether FCRA defendants can rely on Section 230, in whole or in part, as a source of immunity from FCRA claims. Moreover, this ruling will influence the ongoing CDA reform debate, as legislators who already have reservations about the scope of CDA protection may look askance at the Henderson ruling and seek to add the FCRA as a statutory exemption to the CDA in a future reform bill. Either way, this is an area that is developing and worth watching closely.

If you have questions about FCRA compliance or related issues, contact the authors of this article or the Jackson Lewis attorney with whom you regularly work.