Supreme Court Issues Monumental TCPA Decision

In a decision certain to have significant impact on Telephone Consumer Protection Act (TCPA) class action litigation, today the U.S. Supreme Court concluded narrowly that to qualify as an “automatic telephone dialing system”, a device must be able to either “store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator”.  The underlying decision of the Ninth Circuit is reversed and remanded.

Back in July of 2020, the Supreme Court granted a writ of certiorari to review a Ninth Circuit ruling regarding the TCPA addressing the issue of whether the definition of ATDS in the statute encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Ninth Circuit had taken a broad approach to this issue, concluding that “an ATDS need not be able to use a random or sequential generator to store numbers[.]”  The Ninth Circuit explained that “it suffices to merely have the capacity to ‘store numbers to be called’ and ‘to dial such numbers automatically.’”

ATDS Circuit Split

When the TCPA was enacted in 1991, most American consumers were using landline phones, and Congress could not begin to contemplate the evolution of the mobile phone. The TCPA defines “Automatic Telephone Dialing System” (ATDS) as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.” 47 U.S.C § 227(a)(1). In 2015, the Federal Communications Commission (FCC) issued its 2015 Declaratory Ruling & Order (2015 Order), concerning clarifications on the TCPA for the mobile era, including the definition of ATDS and what devices qualify. The 2015 Order only complicated matters further, providing an expansive interpretation for what constitutes an ATDS, and sparking a surge of TCPA lawsuits in recent years.

Consequently, several FCC-regulated entities appealed the 2015 FCC Order to the D.C. Circuit Court of Appeals, in ACA International v. FCC, No. 15-1211, Doc. No. 1722606 (D.C. Cir. Mar. 16, 2018). The D.C. Court concluded the FCC’s opinion that all equipment that has the potential capacity for autodialing is subject to the TCPA, is too broad. Although the FCC did say in its 2015 Order “there must be more than a theoretical potential that the equipment could be modified to satisfy the ‘autodialer’ definition”, the Court held that this “ostensible limitation affords no ground for distinguishing between a smartphone and a Firefox browser”. The Court determined that the FCC’s interpretation of ATDS was “an unreasonably expansive interpretation of the statute”.

Since the decision in ACA Int’l, courts have weighed in on the D.C. Circuit Court ruling and the status of the 2015 Order, sparking a circuit split over what constitutes an ATDS. The Second and Ninth Circuits have both broadly interpreted the definition of an ATDS, while the Third, Seventh and Eleventh have taken a much narrower reading. For example, earlier this year the Eleventh and Seventh Circuit Courts reached similar conclusions, back-to-back, narrowly holding that the TCPA’s definition of Automatic Telephone Dialing System (ATDS) only includes equipment that is capable of storing or producing numbers using a “random or sequential” number generator, excluding most “smartphone age” dialers.

Supreme Court Decision 

The Supreme Court unanimously concluded, in a decision written by Justice Sotomayor, that to qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store, or to produce, a telephone number using a random or sequential number generator.

“Expanding the definition of an autodialer to encompass any equipment that merely stores and dials telephone numbers would take a chainsaw to these nuanced problems when Congress meant to use a scalpel,” Justice Sotomayor pointed out in rejecting the Ninth Circuit’s broad interpretation of the law.

Moreover, Sotomayor noted that, “[t]he statutory context confirms that the autodialer definition excludes equipment that does not “us[e] a random or sequential number generator.””  The TCPA’s restrictions on the use of autodialers include using an autodialer to call certain “emergency telephone lines” and lines “for which the called party is charged for the call”. The TCPA also prohibits the use of an autodialer “in such a way that two or more telephone lines of a multiline business are engaged simultaneously.” The Court narrowly concluded that “these prohibitions target a unique type of telemarketing equipment that risks dialing emergency lines randomly or tying up all the sequentially numbered lines at a single entity.”

Take Away

The Supreme Court’s decision should help resolve the ATDS circuit split and provide greater clarity and certainty for parties facing TCPA class action litigation. And while this decision is considered a win for defendants facing TCPA litigation, organizations are advised to review and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance.

Indiana Prohibits Employers from Mandating Device Implantations for Employees

On March 11th, Indiana Governor Eric Holcomb signed into law HB 1143, prohibiting employers from requiring a candidate for employment or an employee to have a device implanted or otherwise incorporated into their body, as a condition of employment. The Indiana law will take effect July 1, 2021.

The COVID-19 pandemic caused many companies to instruct employees to work-from-home for the foreseeable future, which resulted in a spike in the use of employee monitoring technologies in the workplace.  Frequently, the aim is to track an employee’s physical location, to measure productivity, or, most recently, to track close contacts for COVID-19-related contact tracing purposes. These measures bring up questions about proper protection for employee privacy rights.

Advancements in technology have made it easier to monitor remote employees and, by extension, easier for employers that are not careful to violate the law. Several states have taken legislative action to prohibit an employer from requiring an employee to permit implantation of a device or microchip as a condition of employment or continued employment, Indiana being the latest.  We provide an in-depth analysis of the Indiana law here, along with legislative activity in other states.

Colorado Introduces a Comprehensive Consumer Privacy Bill

Colorado recently became the latest state to consider a comprehensive consumer privacy law.  On March 19, 2021, Colorado State Senators Rodriguez and Lundeen introduced SB 21-190, entitled “an Act Concerning additional protection of data relating to personal privacy”. Following California’s bold example of the California Consumer Privacy Act (“CCPA”), effective since January 2020, Virginia recently passed its own robust privacy law, the Consumer Data Protection Act (“CDPA”), and New York, as well as other states, like Florida, appear poised to follow suit.  Furthermore, California is expanding the protections provided by the CCPA with the California Privacy Rights Act (CPRA), approved by California voters under Proposition 24 in the November election.

Unsurprisingly, Colorado’s SB 21-190 generally tracks the CCPA, CDPA, CPRA and the EU General Data Protection Regulation (GDPR).  Key elements of the Colorado bill include:

  • Jurisdictional Scope. SB 21-190 would apply to legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and that either:
    • Control or process personal data of more than 100,000 consumers per calendar year; or
    • Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
  • Exemptions. SB 21-190 includes various exemptions related to healthcare entities and health data, such as protected health information under HIPAA, patient identifying information maintained by certain substance abuse treatment facilities, and identifiable private information collected in connection with human subject research. Additional exemptions include, without limitation, personal data collected for the purposes of the Gramm-Leach-Bliley Act (GLBA), Driver’s Privacy Protection Act (DPPA), Children’s Online Privacy Protection Act (COPPA), and Family Educational Rights and Privacy Act (FERPA). Finally, data maintained for employment records purposes is exempted as well.
  • Personal Data. Similar to its counterparts, Colorado’s SB 21-190 broadly defines personal data to mean “information that is linked or reasonably linkable to an identified or identifiable individual.”
  • Sensitive Data. Like the CDPA, CPRA and GDPR, SB 21-190 includes a category for “sensitive data”. This is defined as “personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status OR genetic or biometric data that may be processed for the purpose of uniquely identifying an individual OR personal data from a known child”. As with Virginia’s CDPA, there are two key compliance obligations related to “sensitive data”.  First, sensitive data cannot be processed without obtaining consumer consent, or in the case of a known child or student, without obtaining consent from a parent or lawful guardian.  Second, the controller must conduct and document a data protection assessment specifically for the processing of sensitive data.
  • Protected Persons. SB 21-190 defines “consumer” as an “individual who is a Colorado resident acting only in an individual or household context”. The Colorado bill states that the definition of consumer does not include “an individual acting in a commercial or employment context”.
  • Consumer Rights. Under SB 21-190, consumers have the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data.
  • Data Protection Assessments. Akin to Virginia’s CDPA, the Colorado bill requires data controllers to conduct a data protection assessment for each of their processing activities involving personal data that presents a heightened risk of harm to consumers, such as processing for purposes of targeted advertising or processing sensitive data (as mentioned above).
  • Enforcement. If enacted, SB 21-190 would only be enforceable by the Colorado attorney general or district attorneys. A violation of law could result in a civil penalty of not more than $2,000 for each such violation (not to exceed $500,000 for any related series of violations), or injunction.

Colorado’s SB 21-190 is in the early stages of the legislative process, but it signals the continued momentum building in states across the country to enhance consumer data privacy and security protections. Organizations, regardless of their location, should be carefully assessing their data collection activities, developing policies and procedures to address their evolving compliance obligations and data-related risks, and training their workforce on effective implementation of those policies and procedures.

Small NJ Medical Practice Becomes 18th Target of OCR’s HIPAA Right of Access Enforcement Initiative

A small New Jersey plastic surgery practice, Village Plastic Surgery (“VPS”), has become the eighteenth HIPAA covered entity to face an enforcement action under the Office for Civil Rights’ HIPAA Right of Access Initiative. According to the OCR’s announcement, VPS agreed to a two-year corrective action plan and to pay $30,000 to settle a potential HIPAA violation.

What is the “right to access” under HIPAA?

The HIPAA Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to PHI about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. This right applies for as long as the covered entity (or its business associate) maintains the information, regardless of the date the information was created, and whether the information is maintained in paper or electronic systems onsite, remotely, or is archived.

When implementing this rule, covered entities and their business associates have several issues to consider, such as:

  • What information is subject to the right and what information is not, such as psychotherapy notes.
  • Confirming the authority of “personal representative” to act on behalf of an individual.
  • Procedures for receiving and responding to requests – such as written request requirements, verifying the authority of requesting parties, timeliness of response, whether and on what grounds requests may be denied, and fees that can be charged for approved requests.

To assist covered entities (and business associates), the OCR provides a summary of right of access issues, as well as a set of frequently asked questions.

Resolution of OCR’s Eighteenth “Right of Access” Enforcement Action 

The OCR’s investigation commenced in September 2019, when it received a complaint from a patient that VPS had failed to timely respond to the patient’s records access request made the prior month. According to the OCR resolution agreement, OCR determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days, if an extension is applicable).

In addition to the monetary settlement of $30,000, the resolution agreement requires VPS to implement a corrective action plan (“CAP”) that includes two years of monitoring by the OCR. The CAP requires the small practice to, among other things:

  • revise its right of access policies,
  • submit its right of access policies to OCR review,
  • obtain written confirmation from staff that they read and understand the new right of access policies,
  • train staff on the new policies, and
  • every 90 days submit to OCR a list of requests for access from patients and VPS’ responses.

Getting Compliant

Providers receive all kinds of requests for medical and other records in the course of running their businesses. Reviewing and responding to these requests no doubt creates administrative burdens. However, buying forms online might not get the practice all it needs, and could put the practice at additional risk if those forms are followed without considering state law or are not implemented properly.

Putting in place relatively simple policies, carefully developing template forms, assigning responsibility, training, and documenting responses can go a long way toward substantially minimizing the risk of an OCR enforcement action and its severity. Providers also should be considering sanctions under state law that might flow from failing to provide patients access to their records. It is worth noting that in some cases state law may be more stringent than HIPAA concerning the right of access, requiring modifications to the processes practices follow for providing access.

Does the Workers’ Compensation Act Bar BIPA Claims? Illinois Supreme Court Will Weigh In

The Illinois Supreme Court recently agreed to hear an appeal of an Appellate Court’s decision addressing whether an employee’s claim for damages under Illinois’s Biometric Information Privacy Act (“BIPA”) is preempted by the exclusivity provisions of the Illinois Workers’ Compensation Act (“IWCA”). Back in September, the Illinois Appellate Court for the First Judicial District held that employees’ BIPA claims were not preempted under the IWCA and could go forward.

The BIPA requires companies that collect and use biometric information to establish a policy and obtain a written release prior to collecting such data. Under the BIPA, individuals may sue for violations and, if successful, can recover liquidated damages ranging from $1,000 (or actual damages, whichever is greater) for negligent violations to $5,000 for intentional or reckless violations — plus attorneys’ fees and costs.

Over the past few years there has been a significant number of lawsuits under the BIPA, particularly after the Illinois Supreme Court held in 2019, in Rosenbach v. Six Flags,  that individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act. A key defense for employers defending BIPA lawsuits has been that the BIPA is preempted by the IWCA.

The plaintiff in the Illinois Supreme Court’s most recent case alleged that their employer violated BIPA by requiring that employees use a fingerprint time clock system without properly: (1) informing the employees in advance and in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used; (2) providing a publicly available retention schedule and guidelines for permanently destroying the scanned fingerprints; and (3) obtaining a written release from the employees prior to the collection of their fingerprints.  The employer moved to dismiss the complaint based on several arguments, including the assertion that the plaintiff’s claims would be barred by the exclusivity provisions of the IWCA.  The trial court denied the motion to dismiss, but certified the question for appeal regarding whether the IWCA exclusivity provisions bar a claim for statutory damages under the BIPA.

In September of 2020, the Appellate Court emphasized that the IWCA generally provides the exclusive means by which an employee can recover against an employer for a work-related injury; however, an employee can escape the exclusivity provisions of the IWCA if the employee establishes that the injury: 1) was not accidental, 2) did not arise from their employment, 3) was not received during the course of employment, or 4) was not compensable under the IWCA.  Focusing on the fourth exception, the Appellate Court concluded that a BIPA claim limited to statutory damages is not an injury compensable under the IWCA, and thus the plaintiff’s claims qualified under the fourth exception and were not preempted by the IWCA.

The Appellate Court, relying on Rosenbach, highlighted that because actual harm is not required under the BIPA to maintain a statutory damages claim, it does not,

“[f]it within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.”

The Illinois Supreme Court has now granted leave to appeal the Appellate Court’s ruling, addressing the issue of whether injuries resulting from BIPA claims fall under the scope of the IWCA. While there is no telling how the Supreme Court will ultimately rule, it certainly leaves open the possibility that the Court’s decision will help rein in the significant number of lawsuits, including putative class actions, filed under the BIPA.

If they have not already done so, companies should immediately take steps to comply with the statute. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual) against the requirements under the BIPA. In the event they find technical or procedural gaps in compliance – such as not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information – they need to quickly remedy those gaps.  For additional information on complying with the BIPA, please see our BIPA FAQs.

New York Considering Dramatic Expansion of Consumer Privacy Rights

In 2018, the California Consumer Privacy Act (“CCPA”), which provides for an expansive array of privacy rights and obligations, was enacted.  At the time, it was reasonable to wonder whether California’s bold example would catalyze similar activity in other states.  It’s clear now that it has.   Virginia recently passed its own robust privacy law, the Consumer Data Protection Act (“CDPA”), and New York, as well as other states, like Florida, appear poised to follow suit.  (Building on its own momentum, California passed another privacy law, the California Privacy Rights Act (“CPRA”), last November, which expands the rights and obligations established by the CCPA.)

New York currently has two bills under consideration, S567 and A680, which would dramatically expand the privacy rights afforded to New York data subjects and the compliance burden imposed on the organizations that control or process that data.

S567

S567, which tracks the CCPA in certain respects, would have broad jurisdictional scope.  It would apply to any for-profit organization doing business in New York that collects the personal information of New York residents and either (a) has annual gross revenue exceeding $50M, (b) annually sells the personal information of 100,000 or more state residents or devices, or (c) derives at least 50% of its annual revenue from the sale of residents’ personal information.  Like the CCPA, S567 broadly defines personal information as any “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.”

S567 has been referred to the Senate Consumer Protection Committee. If passed by the Senate, the bill would be sent to the governor and, if signed, would take effect 180 days thereafter.

Key Provisions:

Consumer Rights: S567 would grant consumers, among others, the rights to:

  • “Know” what categories of their personal information an organization has collected, or sold or disclosed to a third party for a business purpose (including the categories of third parties to whom the information was sold or disclosed).
  • “Opt-out” of the sale of their personal information.

Notice: Organizations subject to the law would be required to disclose the above rights, as well as instructions for exercising them, in their online privacy policies.

Non-Discrimination: Subject organizations would also be required to refrain from discriminating against consumers who exercise their rights under the law.

Private Right of Action: S567 would provide a broad private right of action to pursue violations of its privacy provisions.  This private right would extend to “any person who becomes aware, based on non-public information, that a person or business has violated” this law.  In theory, therefore, potential plaintiffs could include vendors, competitors, and consumer privacy groups. S567 provides for statutory damage awards of the greater of $1,000 per violation or actual damages, as well as up to $3,000 for knowing or willful violations.

A680

A680, meanwhile, would grant certain rights and impose certain obligations that extend beyond even those provided for under the CCPA/CPRA.  For instance, it would require subject organizations to obtain written consent from New York data subjects before using, processing, or transferring to a third party their “personal data,” which the bill broadly defines as “information relating to an identified or identifiable natural person.”

A680 would also make such organizations “data fiduciaries,” meaning that they would owe a “duty of care, loyalty, and confidentiality” to consumers to secure their personal data against “privacy risk” (a term which the bill expansively defines), as well as to “act in the best interests of the consumer” without regard to the organizations’ own interests.

A680 would apply to organizations “that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state,” subject to certain exceptions.

The bill has been referred to the Assembly’s Consumer Affairs and Protection Committee. If passed by the Assembly and Senate, the bill would be sent to the governor for signature and would take effect 180 days after it was signed into law.

Key Provisions:

Consumer Rights: A680 would grant consumers, among others, the rights to:

  • Opt in or out of the processing of their personal data.
  • Request confirmation of whether their personal data is being processed, including whether it is being sold to data brokers.
  • Request access to their personal data.
  • Request the names of the third parties to whom their personal data is sold.
  • Request correction of inaccurate personal data.
  • Request deletion of their personal data.

Notice: Organizations subject to the law would be required to disclose the above rights to consumers and to make other requisite disclosures regarding their processing of personal data.

De-Identified Data: Subject organizations that use de-identified data would be required to “exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject” and to “take appropriate steps to address any breaches of contractual commitments.”

Private Right of Action: In addition to granting enforcement authority to the State AG, A680 would empower consumers to bring suit in their own names for injunctive relief, as well as actual damages and reasonable attorney’s fees.

Takeaway:

Momentum is building in states across the country to enhance consumer data privacy and security protections. Organizations, regardless of their location, must therefore carefully assess their data collection activities, develop policies and procedures to address their evolving compliance obligations and data-related risks, and train their workforce on effective implementation of those policies and procedures.

Jackson Lewis’ Privacy, Data & Cybersecurity Group has been monitoring these fast-moving developments and is available to assist organizations with their compliance and risk mitigation efforts.

The Circuit Split Continues: 11th Circuit Weighs in on Standing in Data Breach Litigation

The 11th Circuit recently weighed in on the hottest issue in data breach litigation, whether a demonstration of actual harm is required to have standing to sue. Joining several other circuit courts, the 11th Circuit in Tsao v. Captiva MVP Rest. Partners, concluded that the plaintiff had failed to allege either that the data breach placed him in a “substantial risk” of future identity theft or that identity theft was “certainly impending”.

The matter in Tsao stemmed from a data breach at a restaurant chain that the plaintiff frequented. In May of 2017, a hacker exploited the restaurant chain’s point of sale system and gained access to customers’ personal data (their credit and debit card information) through an outside vendor’s remote connection tool. However, due to the nature of the breach, the restaurant chain stated that it was not possible to determine the identity or exact number of credit card numbers or names that were accessed or acquired during the cyber-attack.

Within two weeks of the restaurant chain’s announcement of the breach, plaintiff filed a class action complaint on behalf of himself and other customers potentially impacted by the breach, alleging a variety of injuries due to the data breach, including “theft of their personal financial information,” “unauthorized charges on their debit and credit card accounts,” and “ascertainable losses in the form of the loss of cash back or other benefits.”  The plaintiff asserted that he and the class members “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

Standing to sue in a data breach class action lawsuit largely turns on whether plaintiffs establish that they have suffered an “injury-in-fact” resulting from the data breach. Plaintiffs in data breach class actions are often not able to demonstrate that they have suffered financial or other actual damages resulting from a breach of their personal information. Instead, plaintiffs will allege that a heightened “risk of future harm” such as identity theft or fraudulent charges is enough to establish an “injury-in-fact”.

Federal circuit courts over the past few years have struggled with the question of whether plaintiffs in a data breach class action can establish standing if they only allege a heightened “risk of future harm”.  For example, the 3rd, 6th, 7th, 9th and D.C. Circuits have generally found standing, while the 1st, 2nd, 4th, 5th, and 8th Circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”. This circuit split is due in large part to a lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury.

In reaching its decision, the 11th Circuit relied heavily on the 8th Circuit’s analysis of the issue of standing to sue in In re SuperValu, Inc., where the court found no standing based on an “increased risk of future identity theft” theory, even when a named plaintiff alleged actual misuse of personal information. Citing a U.S. Government Accountability Office Report on the likelihood of identity theft in the event of a data breach (“GAO Report”), the 8th Circuit reasoned that the hackers in the data breach at issue were not alleged to have stolen social security numbers, birth dates, or driver’s license numbers, and thus, according to the GAO report, the risk of identity theft was “little to no[ne].”

Similarly, the 11th Circuit reasoned in Tsao, that based on the GAO Report, since only credit and debit card information had potentially been breached in the data breach at issue, no “substantial risk” of identity theft existed. Moreover, the 11th Circuit emphasized that the plaintiff offered only vague, conclusory allegations that members of the class have suffered any actual misuse of their personal data—here, “unauthorized charges.”

“Without specific evidence of some misuse of class members’ data, a named plaintiff’s burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was “certainly impending”—or that there was a “substantial risk” of such harm—will be difficult to meet”, the 11th Circuit stated.

Finally, the 11th Circuit Court noted that the plaintiff had immediately cancelled his credit cards following disclosure of the breach, “effectively eliminating the risk of credit card fraud in the future.”

Takeaway

The lack of clarity on this issue has made it difficult for businesses to assess the likelihood of litigation and its associated costs in the wake of a data breach.  It is crucial for businesses to assess their breach readiness and develop an incident or breach response plan that takes into consideration the possibility of litigation.

For more on standing in data breach litigation, check out some of our helpful resources:
California State Healthcare Worker Accesses COVID-19 Data on More Than 2,000 Patients and Employees

As we noted in late January 2020, the spread of infectious disease raises particular concerns for healthcare workers who want to do their jobs and care for their patients, while also protecting themselves and their families. Perhaps the desire to protect one’s self and family is what motivated a California state healthcare worker to access COVID-19-related health records of more than 2,000 current and former patients and employees over a ten-month period.

Regardless, this data breach should be a reminder for all organizations that (i) compromises to personal information of whatever kind are not only caused by criminal hackers, and (ii) considering all the personal health information being collected by organizations in connection with COVID-19 screening, testing, and vaccination programs, this is not a problem limited to health care employers.

In the healthcare sector, as with prior contagious disease outbreaks, fears about contracting the virus could lead to impermissible “snooping” and sharing of information by healthcare employees. According to a press release and published FAQs, an employee of Atascadero State Hospital with access to the hospital’s data servers as part of the employee’s information technology job duties improperly accessed the names, COVID-19 test results, and health information necessary for tracking COVID-19 of approximately 1,415 current and former patients and 617 employees. The hospital discovered the breach on February 25, 2021, and, evidently, the employee’s improper access had been ongoing for 10 months.

Of course, HIPAA covered entities and business associates should be taking steps to address this risk. Such steps include, for example, continually reminding workforce members about access rights and the minimum necessary rule, which are required under HIPAA’s privacy and security regulations. At times, unauthorized access may be difficult to identify, particularly where employees have a need for broad access to information. In the case noted above, the breach was discovered as part of the hospital’s annual review of employee access to data files. Reviewing system activity generally is a good idea for all organizations, taking into account relevant threats and vulnerabilities to shape frequency, scope, and methodology.

The Office for Civil Rights has issued bulletins addressing HIPAA privacy in emergency situations, such as one in November 2014, during the Ebola outbreak, and one in February 2020 for the coronavirus. These bulletins provide good resources and reminders for health care providers when working in this environment. They also convey helpful considerations for all organizations handling sensitive personal health information.

During the past 12 months, organizations have collected, directly or through third-party vendors, massive amounts of data about employees. Examples include data collected during daily temperature and symptom screenings, COVID-19 test results for contact tracing purposes, and now vaccination status. Some organizations have used thermal imaging cameras that leverage facial recognition technology to screen, while others have rolled out newly developed devices and apps to manage social distancing and facilitate contact tracing efforts. We now are seeing systems being rolled out to track and incentivize vaccinations. All of these activities involve the collection and storage of personal information at some level.

Organizations, whether covered by HIPAA or not, engaged in these activities should be thinking about how this information is being safeguarded. This includes assessing the safeguards implemented by third-party vendors supporting the systems, devices, and activities. Again, these efforts should not be focused only on systems designed to prevent hackers from getting in, but also on what can be done internally to prevent unauthorized access, uses, and disclosures of such information by insiders such as employees.

AG Becerra Announces Approval of Additional CCPA Regulations

Here we go again! On March 15th, 2021, the California Department of Justice (“Department”) announced approval of modifications to the California Consumer Privacy Act’s (CCPA) regulations, originally introduced in December of 2020. The new regulations mainly modify provisions related to a consumer’s right to opt out of sale of their personal information, with the aim of “protecting consumers from unlawful business practices that may be deceptive or misleading”. The changes to the regulations are effective immediately.

“California is at the cutting edge of online privacy protection, and this newest approval by OAL clears even more hurdles in empowering consumers to exercise their rights under the California Consumer Privacy Act,” said Attorney General Becerra in the press release announcing the latest modifications to the CCPA regulations. “These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights.”

Right to Opt-Out Modifications

  • Ban on Dark Patterns that Delay or Obscure Opt-Outs. The newly approved regulations prohibit what AG Becerra references as “dark patterns” that cause ambiguity in the process of a consumer’s opting out of sale of their personal information. The regulations provide five examples of prohibited practices related to opt-out methods, including confusing language such as “double negatives” and unnecessary steps such as requiring consumers to click through multiple screens before opting out. A business’s methods for submitting requests to opt out must be easy for consumers to execute and require minimal steps to allow the consumer to opt out.
  • Offline Opt-Out Methods. A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. For example, a brick-and-mortar store may inform consumers via paper forms or by posting signage in the area where personal information is collected and directing consumers to where opt-out information can be found online.
  • Privacy Icon. In addition, the latest regulations also provide covered businesses with an optional privacy options icon, which can be used in addition to posting the notice of right to opt out, but not in lieu of any related requirements. The icon should be approximately the same size as any other icon used by the business on its webpage. The icon was developed by Carnegie Mellon University’s CyLab jointly with the University of Michigan’s School of Information by testing the icon against other icons to determine the most effective design for communicating to the consumer its right to opt out. The icon is available for download here.

Authorized Agent

The latest regulations also address the use of an authorized agent. When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. Previously, this requirement was placed on the consumer.

That said, a business may still require a consumer to verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request.

Takeaway

AG Becerra’s press release reminds companies that enforcement of the law is alive and well, but that the Department has been pleased to see widespread compliance by companies doing business in California, particularly in response to “notice to cure”, which provides companies a 30-day window to remedy their noncompliance. Companies should continue to monitor CCPA developments and ensure their privacy programs and procedures remain aligned with current compliance requirements.

Virginia Becomes 2nd State to Enact a Comprehensive Consumer Privacy Law

On Tuesday, March 2nd, Virginia Governor Ralph Northam signed into law the Consumer Data Protection Act (CDPA), officially joining California as the second state with a comprehensive consumer privacy law, intended to enhance privacy rights and consumer protection for state residents. We provide an in-depth analysis of the CDPA here, along with legislative activity in several other states that seem likely to pass, including in Florida. The CDPA will take effect January 1, 2023, the same day as the California Privacy Rights Act (CPRA), which expanded the protections provided by the California Consumer Privacy Act (CCPA) and was approved by California voters under Proposition 24 in the November election.

Originally introducing the CDPA in the Virginia Senate, State Senator David Marsden highlighted,

It is time that we find a meaningful way of protecting the citizens of the Commonwealth of Virginia’s data .… Virginia is in a unique position to be a leader on this issue. There’s a huge amount of the data on the internet that flows through the commonwealth. Privacy is not a new issue.

Unsurprisingly, Virginia’s CDPA was modeled on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). Key features of the CDPA include expansive consumer privacy rights (right to access, right of rectification, right to delete, right to opt out, right of portability, right against automated decision making), a broad definition of “personal information”, the inclusion of a “sensitive data” category, and data protection assessment obligations for data controllers.

Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. As the International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” Since the start of 2021, at least 10 states have already introduced consumer privacy bills similar in kind to Virginia’s CDPA and the CCPA. And while some bills will likely fail to become law, this legislative activity is an indication of the priority states are placing on privacy and security matters as we move into 2021.

For more information on common features in the consumer privacy law landscape that should be considered when examining the effects of such laws on an organization, review our post on that topic. State consumer privacy legislative activity is only ramping up, and organizations across all jurisdictions need to be prepared.