On December 22, 2022, the Nevada Gaming Commission (NGC) adopted regulations creating new cybersecurity requirements for certain gaming operators. This action joins agencies in other jurisdictions moving quickly to protect consumers and their personal information in the gaming industry. The NGC adopted the October 17, 2022 version of the regulations, which become effective January 1, 2023.

Below is a summary of the new rules:

In general.

  • Gaming operators must take “all appropriate steps to secure and protect their information systems from the ongoing threat of cyber attacks,” including satisfying the requirements of chapter 603A of Nevada Revised Statutes (NRS).
  • The obligations apply to the operators’ own information, as well as the “personal information” of their patrons and employees as defined in NRS 603A.040.
  • In general, the rules apply to certain covered entities – those that hold:
    • a nonrestricted license as defined in NRS 463.0177 and deal, operate, carry on, conduct, maintain, or expose for play any game defined in NRS 463.0152 (e.g., games played with cards, dice, equipment, or any mechanical or electronic device or machine, such as monte, roulette, keno, bingo, blackjack, poker, baccarat, or slot machines); or
    • a gaming license that allows for the operation of a race book or a sports pool, or permits the operation of interactive gaming.
  • Covered entities must document in writing all procedures taken to comply with this section and the results thereof, and must maintain all such records for a minimum of five years from the date they are created. Such records must be provided to the Nevada Gaming Control Board (Board) upon request. 

Risk assessment and adoption of cybersecurity best practices.

  • Covered entities must conduct an initial risk assessment and develop the cybersecurity best practices they deem appropriate. Examples of such best practices include, without limitation, CIS Version 8, COBIT 5, ISO/IEC 27001, and NIST SP 800-53.
  • After the initial risk assessment, covered entities must continue to monitor cybersecurity risks to their business and make appropriate modifications.  
  • For the initial assessment and ongoing monitoring, covered entities may use affiliated entities or third parties with appropriate expertise in cybersecurity.
  • Covered entities have until December 31, 2023, to fully comply with these assessment and best practice requirements.

Incident response.

  • Covered entities must provide written notice to the Board as soon as practicable, but no later than 72 hours after becoming aware of a cyber attack on the covered entity’s information system that results in a material loss of control, compromise, unauthorized disclosure of data or information, or any other similar occurrence.
  • A “cyber attack” means any act or attempt to gain unauthorized access to an information system for purpose of disrupting, disabling, destroying, or controlling the system or destroying or gaining access to the information contained therein. Notably, under these regulations, a cyber attack is not solely an incident resulting in unauthorized access or acquisition of personal information.
  • Covered entities must investigate the cyber attack (or engage a third party to do so), prepare a report documenting the results of the investigation, inform the Board the report is completed, and provide a copy to the Board upon request. Reports must include, without limit, the root cause of the cyber attack, the extent of the cyber attack, and any actions taken or planned to be taken to prevent similar events in the future. Many such investigations are performed at the direction of counsel and designed to be privileged. Covered entities need to think carefully about how they structure their investigations and related activities.

Additional requirements for Group I licensees under subsection 8 of regulation 6.010.

  • Designate a qualified individual to be responsible for developing, implementing, overseeing, and enforcing the covered entity’s cybersecurity best practices and procedures described above.
  • Perform, at least annually, observations, examinations, and inquiries of employees to verify compliance with cybersecurity best practices. The annual review may be performed by internal auditors or by an independent third-party entity with expertise in cybersecurity. Documents prepared by the internal auditor must be retained as described above.
  • Engage an independent accountant or other independent entity with cybersecurity expertise at least annually to (i) perform an independent review of the covered entity’s best practices and procedures and (ii) attest in writing that those practices and procedures comply with the requirements of Section 5.260 Cybersecurity of the NGC’s Regulations. The covered entity must retain the written attestation and any related documents as described above.

Gaming is not the only industry seeing a strengthening of regulations concerning privacy and cybersecurity. A few years ago, for example, we discussed an uptick in state regulation of the insurance industry with several states adopting the NAIC’s Model Security Law. Today there are over 20 states that have adopted the NAIC model law. Finance, healthcare, professional services, etc. all are seeing an uptick in industry-specific regulation, which shows no sign of slowing.


As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular posts of 2022:

1. California Consumer Privacy Act FAQs: Employment Information

As the California Privacy Rights Act moves toward taking effect and exceptions applying to employment-related data expire, employers have questions about handling privacy when it comes to employee information.

2. “Get a Life” – Another Dentist Responds to Patient’s Online Review, This Time Faces a $50,000 OCR Penalty

The Office for Civil Rights (OCR) recently announced four enforcement actions, one against a small dental practice that imposed a $50,000 civil monetary penalty under HIPAA. The OCR alleged the dentist impermissibly disclosed a patient’s protected health information (PHI) when the dentist responded to a patient’s negative online review. 

3. California Tightens Rules on Vehicle Tracking, Fleet Management

In September 2022, Governor Gavin Newsom signed into law AB-984, which becomes effective January 1, 2023. The law builds on other privacy protections in California, such as the California Consumer Privacy Act and Penal Code Sec. 637.7. Section 637.7 prohibits using an electronic tracking device to determine the location or movement of a person; however, it does not apply when the vehicle owner (e.g., the employer) has consented to the use of the device.

4. Does Your Cyber Insurance Policy Look More Like Health Insurance?

Many factors are driving up the cost of cyber insurance policies including increases in ransomware attacks and the cost of business interruption from those attacks. Moreover, carriers are giving more scrutiny to the practices and procedures of the companies they insure. As such, companies need to consider their cyber security controls to assist in obtaining and maintaining coverage.

5. $600,000 Reasons To Review Your SHIELD Act Compliance Program: NY Attorney General Announces Significant Settlement Stemming From Email Data Breach

On January 24, 2022, New York Attorney General Letitia James announced a $600,000 settlement agreement with EyeMed Vision Care, a vision benefits company, stemming from a 2020 data breach compromising the personal information of approximately 2.1 million individuals across the United States, including nearly 99,000 in New York State.

6. The RIPTA Data Breach May Provide Valuable Lessons About Data Collection and Retention

There is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.

7. From Time Keeping to Dashcams, BIPA Litigation Continues

Litigation under the Illinois Biometric Information Privacy Act (BIPA) continues to heat up, encompassing litigation about timekeeping systems that use fingerprints to dashcams.

8. Utah Becomes Fourth State to Enact A Comprehensive Privacy Law

Utah joined California, Colorado, and Virginia in passing a consumer privacy statute; the Utah Consumer Privacy Act takes effect on December 31, 2023.

9. Does a Poor ESG, Social Responsibility Rating Increase an Organization’s Cyber Risk?

With ransomware and other cyber threats top of mind for most in the c-suite these days, a question frequently raised is whether a particular organization is a target for hackers. Of course, nowadays, any organization is at risk of an attack, but the question is whether some organizations are targeted more than others. An Insurance Journal article discusses a paper published in September 2021 that identifies a factor that could elevate the risk of being targeted, a factor many in cyber might not have expected, “greenwashing.”

10. Connecticut Likely to Become Fifth State to Enact Comprehensive Consumer Privacy Law

Connecticut prepared and eventually passed the “Act Concerning Personal Data Privacy and Online Monitoring,” which takes effect July 1, 2023.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on these topics, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

In a recent opinion, Henderson v. The Source for Public Data, L.P., et al., the U.S. Court of Appeals for the 4th Circuit considered whether Section 230(c)(1) of the Communications Decency Act (CDA) – a federal law that allows social media websites to provide a forum for users to post videos or other information without holding the owner of the website responsible for the content of the uploaded material – likewise shields online aggregators of public records from liability as a Consumer Reporting Agency under the Fair Credit Reporting Act (FCRA). Disagreeing with the District Court, the Court of Appeals held that Section 230 did not apply because the online aggregator was an “information content provider that provided the improper information” and was not merely providing a forum for its users to upload information.

In Henderson, defendants were in the business of gathering publicly available information including criminal and civil records, voting records, driving information, and professional licensing, aggregating the information, and selling it to third parties. Defendants acknowledged the data they sold was used to determine an individual’s creditworthiness and perform background checks for employment purposes. The plaintiffs, job seekers who had background checks done on them by the online aggregators, filed claims under the FCRA, asserting that the online aggregators were producing “consumer reports” but not complying with the technical provisions of the FCRA, such as providing the plaintiffs with copies of their “consumer reports” upon request.

At the district court level, defendants sought to dispose of claims alleging that they were protected by Section 230 of the CDA. The district court agreed and granted the defendants’ dispositive motion.

On appeal, the 4th Circuit held that the activities of the online aggregators did not fall within the scope of protection provided by Section 230. The panel held that the defendants contributed in a material way to what made the online content inaccurate. The panel opinion stated that the defendants made substantive changes to the records’ content that materially contributed to the records’ unlawfulness, making the defendants a content provider for the information, which means they are not entitled to protection under Section 230.

This opinion will likely have an impact on whether FCRA defendants can rely on Section 230, in whole or in part, as a source of immunity from FCRA claims. Moreover, this ruling will influence the ongoing CDA reform debate, as legislators who already have reservations about the scope of CDA protection may look askance at the Henderson ruling and seek to add the FCRA as a statutory exemption to the CDA in a future reform bill. Either way, this is an area that is developing and worth watching closely.

If you have questions about FCRA compliance or related issues, contact the authors of this article or the Jackson Lewis attorney with whom you regularly work.

On December 16, 2022, the California Privacy Protection Agency (CPPA) held its final meeting before the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act, takes effect on January 1, 2023. Despite the CPRA taking effect at the start of the year, the CPPA, the agency charged with implementing the law, has not finalized its rulemaking process. It was discussed at the Friday meeting that the final proposed rules are anticipated to be released at the end of January and, after going through the various administrative requirements, will take effect in April. In the meantime, regulations previously promulgated by the California Attorney General’s Office will remain in effect.

Though it has not finalized its CPRA rulemaking, the CPPA is setting its sights on other rulemaking duties, including the use of artificial intelligence in data collection and businesses’ cybersecurity assessments. The CPPA released sample questions covering these areas which will be finalized and approved in the new year and then released for a comment period in order to collect insights on the framework needed for risk assessments and automated decision-making.

Some of the considerations pertaining to risk assessments that are detailed in the sample questions include laws and other requirements that businesses already have to comply with regarding processing consumers’ personal information that require risk assessments and how those assessments can be aligned with the requirements under the CPRA. Further, the CPPA is considering whether assessments from other privacy statutes and regulations such as the European General Data Protection Regulation and Colorado’s Privacy Act can be used for CPRA purposes.

Similarly, in considering rulemaking regarding automated decision-making, the CPPA is considering questions of other laws requiring access and/or opt-out rights in the context of automated decision-making. The sample questions also seek information about how prevalent algorithmic discrimination based on classification/classes under California and federal law is and if it is more pronounced in some sectors.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On January 1, 2023, Virginia’s Consumer Data Protection Act (CDPA) takes effect. Key features of the CDPA include expansive consumer privacy rights (right to access, right of rectification, right to delete, right to opt out, right of portability, right against automated decision making), a broad definition of “personal information,” the inclusion of a “sensitive data” category, and data protection assessment obligations for data controllers.

However, the CDPA is not the only privacy and data protection legislation in the Commonwealth. The following are some of the other laws to consider when working on privacy and data protection policies in the state.

Personal Information Privacy Act

This law, which predates the CDPA, restricts the sale of customers’ personal information by merchants as well as the use of social security numbers. For example, with regard to the limitations on the use of social security numbers, a person shall not:

1. Intentionally communicate another individual’s social security number to the general public;

2. Print an individual’s social security number on any card required for the individual to access or receive products or services provided by the person;

3. Require an individual to use his social security number to access an Internet website, unless a password, unique personal identification number, or other authentication device is also required to access the site; or

4. Send or cause to be sent or delivered any letter, envelope, or package that displays a social security number on the face of the mailing envelope or package, or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package.

Insurance Data Security Act

Effective July 1, 2020, Virginia adopted legislation establishing data security requirements applicable to persons licensed by the insurance laws of the Commonwealth. Following several other state laws that have created data security regimes applicable to the insurance industry, the law requires licensees to maintain the security of information systems and nonpublic information. The law also requires licensees to investigate cybersecurity events and to notify individuals and the Commissioner of Insurance. More recently, regulations have been approved effective June 1, 2021. Those regulations provide (i) rules for reporting cybersecurity events; (ii) risk assessment requirements that must be implemented by July 1, 2022; and (iii) additional security measures that must be implemented by July 1, 2022.

Data Breach Notification Law

Since July 2008, Virginia law has required entities doing business in Virginia and state agencies to notify individuals of a breach of their computerized, unredacted, and unencrypted personal information. Under the law, notice is required only if the breach causes, or it is reasonably believed that it has or will cause, identity theft or other fraud to a resident of the Commonwealth.

Similar to the data breach notification laws in other states, such as Massachusetts and New Hampshire, the notification must be provided to the Virginia Attorney General, as well as the affected residents. Also, if more than 1,000 persons would have to be notified at one time, the business would have to notify the Virginia Attorney General and all consumer reporting agencies of the timing, distribution, and content of the notice. Violations of this statute are enforced by the Attorney General, who may seek up to $150,000 in penalties per breach. Individuals also may recover direct economic damages from a violation.

If you have questions about developing a privacy and data compliance plan for Virginia law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

In June 2022, the California Privacy Protection Agency (CPPA) Board first started discussions about revising the regulations previously released by the California Attorney General.

In October, the Board released proposed modifications to the regulations in advance of a planned Board meeting. Since then, the Board has rescheduled both Board and public meetings.

The Board seems to be getting closer to a final vote on the regulations but recently published further modifications to regulations. These modifications start a new public comment period that ends November 21st.

Recent updates to the regulations include:

  • Sections clarifying how consumers can opt-out of having their data sold or shared, including via opt-out preference signals.
  • Provisions providing allowances for enforcement flexibility, which are intended to assuage businesses’ concerns that the current delay in adopting final regulations will present compliance challenges.
  • Allowances for businesses, service providers, and contractors to delay compliance with requests to correct archived or backup systems until the data is restored to an active system or is next accessed or used.

Businesses can submit comments regarding the current version of the regulations by:

  • E-mail to: regulations@cppa.ca.gov . Submissions should include “CPPA Public Comment” in the subject line and provide comments within an attachment.
  • Mail to: California Privacy Protection Agency
    Attn: Brian Soublet
    2101 Arena Blvd., Sacramento, CA 95834

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Responding in part to the nature of the post-COVID-19 remote workplace, NLRB GC Jennifer Abruzzo has released a memo on employers’ use of electronic monitoring and automated management in the workplace. The memo also directs NLRB Regions to submit to the Division of Advice any cases involving intrusive or abusive electronic surveillance and algorithmic management that interferes with the exercise of NLRA Section 7 rights.

Read the full article on Jackson Lewis’ Labor & Collective Bargaining.

We have been quite busy this October, which happens to be National Cybersecurity Awareness Month. But we did not want to let the month go by without some recognition, and we are grateful to the HHS Office for Civil Rights (OCR) for this always timely reminder for HIPAA covered entities and business associates – have a written incident response plan.

Why do we need another policy?

First, because it is required under the HIPAA Security Rule. See 45 CFR 164.308(a)(6). Also, because cybersecurity risks continue to rise. The OCR notes that cybersecurity incidents and data breaches continue to increase in the healthcare sector, citing a 69% increase in cyber-attacks for the first half of 2022 compared to 2021. Breaches of unsecured protected health information (PHI), including electronic PHI, reported to OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021.

Fine, so what does an incident response plan need to include?

The OCR describes some basic elements that should be included in an incident response plan (IRP):

  • identifying security incidents;
  • responding to security incidents;
  • mitigating harmful effects of security incidents; and
  • documenting security incidents and their outcomes.

As we get more specific below, note that each covered entity and business associate is different in several respects, such as size, number of locations, information systems, prior experience, cyber insurance policies, type of PHI, and state laws, just to name a few. So, your specific IRP may vary in significant ways, but these are four critical elements to address for your particular business and practice.

Can you be more specific?

Sure. The organization will want to think about who will be doing the responding – who is on the “security incident response team.” This is a team that is organized and trained to effectively respond to security incidents. OCR offers several areas to consider when forming a team, such as:

  • Have a strong balance of skill sets among team members (IT, legal, communications, etc.)
  • Ensure lines of communication will be available among team members during a crisis
  • Consider external parties that can provide specific expertise concerning incident response
  • Commit to regularly practicing incident response procedures for different types of attacks.

With a team established, the plan should provide for identifying security incidents. Of course, this requires knowing that a security incident is “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” One way to identify security incidents is having audit logs in place and regularly reviewing them.

In the event of a security incident, the plan needs to cover the steps for responding. This includes containing the security incident and any threat it may pose to ePHI, such as by identifying and removing any malicious code and mitigating any vulnerabilities that may have permitted the security incident to occur. However, to be better prepared to respond to security incidents, the plan should also include procedures such as:

  • Processes to identify and determine the scope of security incidents
  • Instructions for managing the security incident
  • Creating and maintaining a list of assets (computer systems and data) to prioritize when responding to a security incident
  • Conducting a forensic analysis to identify the extent and magnitude of the security incident
  • Reporting the security incident to appropriate internal and external entities
  • Processes for collecting and maintaining evidence of the security incident (e.g., log files, registry keys, and other artifacts) to determine what was accessed during the security incident

After the security incident has been neutralized, the next steps should include mitigation, including recovery and restoration of systems and data to return to normal operations. Mitigation efforts are facilitated through contingency planning, robust data backup, and recovery processes. These are areas that should not be thought about for the first time when a security incident occurs. For example, knowing that you have a backup is not enough; regularly confirming that you are able to restore from backups while maintaining integrity is key.

When these steps have been completed, particularly after operations have returned to normal, regulated entities must document their response to the security incident. This is required under HIPAA. The IRP can be helpful in outlining what information to include in the documentation (e.g., discovery of the security incident; systems and data affected; response and mitigation activities; recovery outcomes; root cause analysis; forensic data collected).

What about notification, shouldn’t that be part of the IRP?

Of course. The IRP should address the entity’s reporting obligations, whether to the affected individuals, the OCR, the media, state agencies, or a covered entity (for business associates). A critical aspect of notification is timing. For breaches affecting 500 or more individuals, notice is required without unreasonable delay and no later than 60 calendar days from the discovery of the breach. The OCR reminds regulated entities:

the time period [for reporting] begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. 

Further, 60 days is the outer limit for notification but,

in some cases, it may be an ‘unreasonable delay’ to wait until the 60th day to provide notification.

There is a lot more that can be said about IRPs, and it is not a good idea to wait until the next National Cybersecurity Awareness Month to craft one. Also, while directed to healthcare providers and their business associates, the same kind of planning is prudent for just about all organizations. 

Over the past several years, there has been a significant increase in the use of dashcam technology. The technology available in the market is quite advanced. As we observed here, these devices can be equipped with geolocation, AI, facial recognition, and other technologies. Designed primarily to enhance driver safety and fleet management, these devices are meeting privacy concerns that are tapping the brakes on implementation in California.

On September 29, 2022, Governor Gavin Newsom signed AB-984 into law, which becomes effective January 1, 2023. The law builds on other privacy protections in California, such as the California Consumer Privacy Act and Penal Code Sec. 637.7. Section 637.7 prohibits using an electronic tracking device to determine the location or movement of a person; however, it does not apply when the vehicle owner (e.g., the employer) has consented to the use of the device.

Among other exciting provisions, including the latest in vehicle tech – digital license plates, AB-984 places significant restrictions on the use of an alternative device to monitor employees. Specifically, the law provides:

An employer, or a person acting on behalf of the employer, shall not use an alternative device to monitor employees except during work hours, and only if strictly necessary for the performance of the employee’s duties.

The statute defines monitoring to include, without limitation, “locating, tracking, watching, listening to, or otherwise surveilling the employee.” However, there is no definition of “strictly necessary,” making the statute more difficult to navigate.

Employers that choose to install such a device must provide notice to employees prior to monitoring with the device. That notice must, at a minimum, include the following:

(A) A description of the specific activities that will be monitored.

(B) A description of the worker data that will be collected as a part of the monitoring.

(C) A notification of whether the data gathered through monitoring will be used to make or inform any employment-related decisions, including, but not limited to, disciplinary and termination decisions, and, if so, how, including any associated benchmarks.

(D) A description of the vendors or other third parties, if any, to which information collected through monitoring will be disclosed or transferred. The description shall include the name of the vendor or third party and the purpose for the data transfer.

(E) A description of the organizational positions that are authorized to access the data gathered through the alternative device.

(F) A description of the dates, times, and frequency that the monitoring will occur.

(G) A description of where the data will be stored and the length of time it will be retained.

(H) A notification of the employee’s right to disable monitoring, including vehicle location technology, outside of work hours.

Employers that fail to comply can be subject to significant penalties. A civil penalty of $250 can be imposed for an initial violation, while a $1,000 per-employee penalty can be imposed for each subsequent violation. The statute expressly provides that penalties “shall be assessed per employee, per violation, and per day that monitoring without proper notice is conducted.”

In addition to penalties, employers have additional exposure if found to have retaliated against an employee for removing or disabling an alternative device’s monitoring capabilities outside of work hours. In this case, the employee “shall be entitled to all available penalties, remedies, and compensation, including, but not limited to, reinstatement and reimbursement of lost wages, work benefits, or other compensation caused by the retaliation.”

For employers considering using an alternative device to monitor employees in vehicles, there are at least two steps to take:

  • Assess whether doing so is “strictly necessary” for the performance of the employee’s duties
  • Provide advance notice of the monitoring

Just looking at the items required to be included in the notice, there are several other issues to consider as well.

On October 21 and 22, the California Privacy Protection Agency (CPPA) Board will meet to discuss possible action regarding the proposed regulations for the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Previously, in June 2022, the Board met to discuss revising the regulations previously released by the California Attorney General.

In advance of the October CPPA Board meeting, further proposed modifications to the regulations have been published, along with an explanation of the proposed changes.

Some of the more significant changes include:

  • Revised Section 7002 regarding the “Restrictions on the Collection and Use of Personal Information” to clarify specific requirements. The revision sets forth factors to be considered in evaluating the collection and use including: (1) the reasonable expectations of a consumer concerning the purpose for which personal information is collected or processed, (2) the purposes that are compatible with the context in which the personal information is collected, and (3) whether collecting or processing personal information is reasonably necessary and proportionate to achieve those purposes.
  • Revised Section 7004 regarding the “Requirements for Methods for Submitting CCPA Requests and Obtaining Consumer Consent” to explain how different user interfaces can impair or interfere with consumers’ choice and can fail to meet the definition of consent under the Civil Code.
  • Also revised Section 7004(a)(2) to clarify that the symmetry-in-choice principle also considers whether different paths are more difficult or time-consuming.
  • Revised Section 7052 regarding “Third Parties” to clarify that third parties are contractually required to treat the personal information that businesses make available to them in the same manner the business is required to treat it under the CCPA.

It is possible that at the October meeting, the CPPA could elect to adopt the modified regulations or choose to make further changes.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.