August 24, 2022, marked a milestone for the California Consumer Privacy Act (CCPA): the California Attorney General announced the first enforcement action and settlement under the law, against beauty retailer Sephora.

Beginning in July 2022, the California Attorney General’s (AG) office conducted an investigative sweep of online retailers to check compliance with the CCPA and sent more than 100 notices of alleged CCPA violations. Each notice provided a 30-day period for the business to correct the alleged violations before enforcement action could be taken. Attorney General Rob Bonta stated that, after receiving the notices, the “vast majority” of businesses changed their practices to comply with the CCPA.

The State alleged that Sephora violated the CCPA by failing to disclose to consumers that it was selling their personal information, by failing to process user requests to opt out of sale made via user-enabled global privacy controls, and by failing to cure these violations within the 30-day notice period. Specifically, the State alleged that Sephora failed to notify consumers that it had arrangements with third parties (such as market research firms) under which Sephora allowed them to install tracking software on its website and app so that those third parties could monitor consumers as they shopped. Under the terms of the settlement, “sale” included “sale using online tracking technology,” broadly defined as a business disclosing or making available consumers’ personal information to third parties through online tracking technologies such as pixels, web beacons, software developer kits (SDKs), third-party libraries, and cookies, in exchange for monetary or other valuable consideration, including personal information or other information such as analytics, or free or discounted services. In other words, “sale” is broader than simply handing information to a third party in exchange for money.

The State considered Sephora’s arrangement with these third parties a “sale” of consumer information under the CCPA. In short, the State alleged that: “Sephora did not tell consumers that it sold their personal information; instead, Sephora did the opposite, telling California consumers on its website that ‘we do not sell personal information.’”

The State and Sephora reached a settlement that includes $1.2 million in penalties as well as injunctive terms requiring Sephora to:

  • Allow consumers to opt out of the sale of personal information, including via Global Privacy Control
  • Clarify its online disclosures and privacy policy
  • Conform its service provider agreements to the CCPA
  • Provide reports to the Attorney General relating to its sale of personal information
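The opt-out failure the State alleged is, at bottom, a request-handling bug: a browser signal arrives and nothing downstream acts on it. Global Privacy Control is sent by browsers and extensions as the HTTP request header `Sec-GPC: 1` (and exposed to page scripts as `navigator.globalPrivacyControl`). The following is an added example, not code from Sephora or from the settlement, showing a server-side gate that treats a valid GPC header as an opt-out of sale and suppresses third-party tags before they are emitted. The tag names, URLs, and the "sticky" opt-out behavior are assumptions made for the example.

```python
"""Honor a Global Privacy Control (GPC) opt-out before emitting third-party tags.

Added example, not code from Sephora or the settlement. GPC arrives as the
HTTP request header `Sec-GPC: 1`; any other value (absent, "0", "true") is
not an opt-out signal under the GPC specification.
"""
from dataclasses import dataclass, field

# Hypothetical third-party tags a storefront might embed (constructed for the example).
# Each one discloses personal information to a third party, so each is a
# candidate "sale using online tracking technology".
THIRD_PARTY_TAGS = {
    "analytics_pixel": "https://analytics.example/pixel.gif",
    "ad_retargeting": "https://ads.example/tag.js",
    "market_research_sdk": "https://research.example/sdk.js",
}
# First-party functionality that is not a sale or share; always allowed.
FIRST_PARTY_TAGS = {"session_cookie"}


def gpc_opt_out(headers):
    """Return True if the request carries a valid GPC signal.

    Header names are case-insensitive; the only opt-out value is the literal "1".
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


@dataclass
class OptOutState:
    opted_out: bool
    allowed_tags: list = field(default_factory=list)
    suppressed_tags: list = field(default_factory=list)


def decide_tags(headers, prior_opt_out=False):
    """Decide which tags may be emitted for this request.

    A GPC header, or an opt-out previously recorded for this consumer
    (`prior_opt_out`, an assumption standing in for a stored preference),
    means no third-party tag loads. The opt-out is treated as sticky: a
    later request without the header does not silently re-enable sharing.
    """
    opted_out = prior_opt_out or gpc_opt_out(headers)
    state = OptOutState(opted_out=opted_out)
    state.allowed_tags.extend(sorted(FIRST_PARTY_TAGS))
    for name in sorted(THIRD_PARTY_TAGS):
        (state.suppressed_tags if opted_out else state.allowed_tags).append(name)
    return state


def render_tags(state):
    """Emit only the script/pixel URLs that survived the opt-out decision."""
    return [THIRD_PARTY_TAGS[n] for n in state.allowed_tags if n in THIRD_PARTY_TAGS]


if __name__ == "__main__":
    # Constructed requests: one with GPC, one without.
    for hdrs in ({"Sec-GPC": "1", "User-Agent": "x"}, {"User-Agent": "x"}):
        st = decide_tags(hdrs)
        print("opted_out=%s allowed=%s suppressed=%s" % (st.opted_out, st.allowed_tags, st.suppressed_tags))
```

The decision has to happen before the HTML is built, because the harm the State described is the tracker loading at all; a downstream consent banner that fires after the pixel has already reported the visit does not cure it. Logging each suppression decision also gives you the record a regulator may later ask for.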

On January 1, 2023, the California Privacy Rights Act (CPRA) takes effect. It amends the CCPA to eliminate the mandatory 30-day cure period; instead, the California Privacy Protection Agency (CPPA) has discretion to grant time to cure.

In light of the State’s push toward enforcement and the rapidly approaching effective date of the CPRA, businesses must review their compliance efforts with the CCPA and CPRA. If you need assistance with compliance contact a Jackson Lewis attorney or the CCPA Team.

For the past few years, California’s comprehensive privacy law known as the California Consumer Privacy Act (“CCPA”) included an important partial exemption for employees, applicants, and independent contractors (collectively, “workforce members”). The California Privacy Rights Act, which amended the CCPA, extended the exemption through December 31, 2022. While many expected the exemption would be extended, the current California legislative session ended on August 31, 2022, without a bill to do so.

The failure to get an extension across the legislative finish line leaves CCPA-covered businesses with little time to expand their CCPA compliance efforts. Currently, compliance obligations with respect to workforce members, and certain others, are limited. In general, they consist of providing a notice at or before the time of collection of personal information and maintaining reasonable safeguards to protect certain personal information. Once the exemption expires, employers will need to, among other things, expand their privacy policy to address workforce members and be ready to respond to workforce members’ requests concerning their rights under the CCPA, including the right to delete their personal information.

Another exemption, known by some as the “B2B” exemption, generally excluded the personal information of individuals in their capacities as representatives of entities doing business with CCPA-covered businesses. It appears that exemption also will cease to apply in California on January 1, 2023.

For employers wondering if this applies to them and what needs to be done next, our CCPA/CPRA FAQs provide some helpful information, addressing questions such as:

  • Which businesses does the CCPA/CPRA apply to?
  • What is personal information under the CCPA?
  • Does the CCPA apply to employee/applicant data?

Of course, the last question is modified by this development and we will be updating the FAQs accordingly, as well as for CPRA regulations, which currently are in proposed form.

Key steps for compliance will include, among other things:

  • Getting a better handle on the personal information collected, used, retained, and disclosed about workforce members,
  • Updating the business’ privacy policy,
  • Updating agreements with service providers, and
  • Training staff on responding to requests from workforce members concerning their privacy rights under the CCPA.

It is worth noting that the other four states with comprehensive privacy laws – Colorado, Connecticut, Utah, and Virginia – all have excluded the personal information of individuals when acting in an employment or commercial context.

If you have questions about compliance requirements under CCPA/CPRA please reach out to a member of our Privacy, Data, and Cybersecurity practice group.


On August 17, 2022, New York announced an amendment to the Continuing Legal Education (CLE) Program Rules, which adds a requirement for attorneys to complete at least one CLE credit hour in Cybersecurity, Privacy, and Data Protection as part of fulfilling their CLE requirements.

Attorneys admitted in New York will be required to comply starting July 1, 2023.

Subjects that will satisfy the new requirement will include:

  • Cyberthreats
  • Cyberattacks
  • Data breaches
  • Securing and protecting electronic data and communication
  • Appropriate cybersecurity and privacy policies and protocols
  • Compliance with professional and ethical obligations to protect confidential client and law firm data.

Even in-house counsel and law firms outside New York should consider training to ensure an understanding of the data privacy and security laws, as attacks against law firms have increased, ethical rules are tightening, and data privacy and security are becoming increasingly important to clients.

If you need assistance in training attorneys or other high-level employees regarding data privacy and security, contact the Jackson Lewis attorney with whom you regularly work or reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss our training capabilities.

A $300,640 settlement announced yesterday by the Office for Civil Rights (OCR) provides important reminders about HIPAA Privacy Rule and data privacy practices generally: robust data disposal practices are critical and “protected health information” (PHI) is not limited to diagnosis or particularly sensitive information.

The OCR’s settlement involved a New England dermatology practice that last year reported a HIPAA breach resulting from empty specimen containers, with PHI on their labels, being placed in a garbage bin in the practice’s parking lot. The containers’ labels included patient names, dates of birth, dates of sample collection, and the name of the provider who took the specimen. According to the Resolution Agreement, the practice

regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster…without alteration to the PHI containing label.

Data Disposal

The disposal practice described above may be more common than we think, and it raises risks well beyond HIPAA and PHI. The OCR announcement reminds covered entities and business associates of HIPAA FAQs addressing data disposal. Here are some key points from those FAQs:

  • Reasonable safeguards must be implemented to limit incidental, and avoid prohibited, uses and disclosures of PHI. This includes procedures for the disposal of electronic PHI and/or the hardware or electronic media on which it is stored, as well as for the removal of electronic PHI from electronic media before the media are made available for re-use.
  • Workforce members must be trained on and follow the disposal policies and procedures.
  • HIPAA does not specify a particular disposal method, but covered entities and business associates “are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.” This includes paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, etc. Examples of disposal methods include:
    • Paper records with PHI: shred, burn, pulp, or pulverize the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
    • Labeled prescription bottles and other PHI: maintain them in opaque bags in a secure area and use a disposal vendor, engaged as a business associate, to pick up and shred or otherwise destroy the PHI.
    • Electronic media with PHI: clear (use software or hardware products to overwrite the media with non-sensitive data), purge (degauss, i.e., expose the media to a strong magnetic field to disrupt the recorded magnetic domains), or destroy the media (disintegration, pulverization, melting, incineration, or shredding).

Of course, these best practices can be applied beyond HIPAA PHI to personal information as well as confidential company data. One practical caveat: degaussing and software overwriting are techniques for magnetic media. Flash-based media such as SSDs and USB drives should be sanitized with the device’s built-in secure-erase or cryptographic-erase function, or physically destroyed, because a software overwrite cannot reliably reach every flash cell and a magnetic field does nothing to flash storage.

Protected Health Information

A common and not necessarily unreasonable first reaction when considering the response to a potential data breach is that the compromised data is not PHI because it does not include diagnosis information. In cases like the one above, one might surmise that patient names, dates of birth, dates of sample collection, and name of provider who took the specimen are not PHI, or at least not sufficiently sensitive to warrant notification.

The definition of PHI starts with the definition of “individually identifiable health information,” which generally means identifiable health information transmitted or maintained in electronic media or any other form or medium that:

Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

See 45 CFR 160.103. See also 42 U.S.C. 1320d(6). This includes demographic information, which likely includes information such as name, address and other contact information, age, gender, and insurance status.

When dealing with information of a personal nature, it is important to understand the different buckets into which that information may fall. It might not seem intuitive that certain categories of information, if compromised, could trigger a notification obligation.


For covered entities and business associates under HIPAA, and just about any other organization that handles confidential personal and business information, completely and securely disposing of that information when it is no longer needed is an important step in limiting information risk. Additionally, it can be risky to make assumptions about the regulatory obligations concerning certain data without doing the homework or seeking experienced counsel.

On August 11, 2022, the Federal Trade Commission (FTC) announced an advance notice of proposed rulemaking pertaining to “commercial surveillance and lax data security.” The overall focus of the potential rulemaking is consumer privacy and data security. The FTC states in its notice that its “extensive enforcement and policy work over the last couple of decades on consumer data privacy and security have raised important questions about the prevalence of harmful commercial surveillance and lax data security practices” and that this experience suggests enforcement alone, without rulemaking, is not sufficient.

The agency defines “commercial surveillance” as “the business of collecting, analyzing, and profiting from information about people.”

FTC Chair Lina M. Khan stated in the commission’s press release, “[o]ur goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like.”

In a fact sheet released in conjunction with the advance notice of proposed rulemaking, the FTC identified issues in the “commercial surveillance industry” including the collection of consumer information, data security, harm to children, bias and discrimination, and dark patterns. Similar practices and concerns were recently addressed in technical guidance issued by the Equal Employment Opportunity Commission (EEOC) and Department of Justice (DOJ), as well as in pending federal legislation, the American Data Privacy and Protection Act (ADPPA).

During the press conference regarding the proposed rulemaking, the FTC stated support for the pending ADPPA and that it did not intend to overlap with coverage of that legislation should it pass.

The FTC will host a virtual public forum on commercial surveillance and data security on September 8, 2022, from 2:00 p.m. until 7:30 p.m. The FTC will also solicit comments on the proposed rulemaking, though the link to submit comments is not yet available.

Jackson Lewis will continue to track the FTC’s proposed rulemaking and related guidance. If you have questions about the proposed rulemaking or FTC enforcement actions or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

While the federal government attempts to move forward with a more uniform national law, Connecticut joined California, Colorado, Utah, and Virginia in passing a comprehensive consumer privacy law.

The legislation, signed by Connecticut’s governor in May 2022, will take effect on July 1, 2023. However, provisions related to a task force to be convened by the state legislature take effect immediately; the task force is charged with studying issues including information sharing among health care providers, algorithmic decision-making, and possible legislation regarding children’s privacy.

While businesses consider how to comply with Connecticut’s new privacy law, they should also be taking into account some of the data protection laws already in effect in the state. The following is an overview of just some of the other laws to keep in mind.

Obligation to Safeguard Personal Information and SSNs

Connecticut law already obligates businesses possessing “personal information” to

safeguard the data, computer files, and documents containing the information from misuse by third parties.

See Conn. Gen. Stat. § 42-471. The term “personal information” under this law means

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

This law also requires businesses that collect Social Security numbers (SSNs) to create and publish a policy that (i) protects the confidentiality of SSNs, (ii) prohibits unlawful disclosure of SSNs, and (iii) limits access to SSNs.

Obligation to Destroy Personal Information

The same law discussed above that requires businesses to safeguard personal information, also requires businesses to “destroy, erase or make unreadable such data, computer files and documents prior to disposal.”  For this reason, a record retention policy should address not only how long personal information (and other confidential business information) should be retained, but also a secure process for destroying it once the retention period has expired.

Data Breach Notification Law

When the safeguards contemplated above fail to prevent unauthorized access to or acquisition of computerized personal information (a “breach of security”), Connecticut’s breach notification law is triggered. That law was updated and enhanced in 2021 by An Act Concerning Data Privacy Breaches.

Persons that own, license, or maintain computerized personal information and experience a breach of security involving such information may be required to notify affected Connecticut state residents. This law provides a more specific definition of personal information – an individual’s first name or initial and last name in combination with any one or more of the following:

  • Social security number;
  • driver’s license number or state identification card number;
  • financial account number in combination with any required security code, access code, or password that would permit access to such financial account;
  • credit or debit card number;
  • individual taxpayer identification number;
  • identity protection personal identification number issued by the IRS;
  • passport number, military identification number, or other identification number issued by the government that is used to verify identity;
  • medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual;
  • biometric information which consists of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; or
  • user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

In general, notice must be made without unreasonable delay and not later than 60 days after discovery of the breach, and notice must also be given to the State’s Attorney General. However, if, after an appropriate investigation, the business reasonably determines that the breach will not likely result in harm to the individuals whose personal information was acquired or accessed, notification is not required. If notification is required and the breach involved a resident’s SSN or taxpayer identification number, the business must offer the resident “appropriate identity theft prevention services” for not less than 24 months.

In the unfortunate event that a business experiences a breach of security potentially affecting Connecticut residents, it will need to carefully consider these and other provisions of the law.

The long and short of the requirements above (which also exist in many other states) is that businesses need a comprehensive written information security program, which includes robust incident response and record retention and destruction plans. If you have questions about developing a privacy and data compliance plan for Connecticut law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

In early July 2022, the Consumer Financial Protection Bureau (CFPB) issued a legal Advisory intended to protect the privacy rights of individuals subject to background checks by third-party consumer reporting agencies (CRAs) under the federal Fair Credit Reporting Act (FCRA). The Advisory also seeks to remind users of consumer reports (e.g., employers) of their obligations under FCRA.

FCRA was initially enacted in 1970 and significantly amended in 1996, resulting in the technical process employers must follow today when seeking and relying upon information received from a CRA. For employers, the process starts with whether the company has a “permissible purpose” for requesting the background check from the CRA. The CFPB Advisory restates a well-known FCRA principle: a permissible purpose to obtain a background check “relates to credit, employment, and insurance.” (FCRA Section 604, “Permissible purposes of consumer reports.”)

This legal advisory does not really change the “strict technical compliance” rules under FCRA for companies conducting post-offer background checks for applicants using third-party CRAs.  Nor do the technical rules change for promotions, which also typically fall under an “employment purpose.”  An employer deciding out of curiosity (with no employment purpose) to run a credit check on someone, for example, would not have a “permissible” purpose.

Because the CFPB’s mission is to protect consumer privacy, the Advisory reminds CRAs that they cannot provide reports to anyone, including an employer, that does not have a “permissible” purpose. The CFPB, for example, wants CRAs in certain instances to use stronger name-matching techniques to avoid potential violations of Section 604.

To add strength to its Advisory, the CFPB reminds us there is potential criminal liability for obtaining a background check report under false pretenses or providing a background report to an unauthorized individual. There is potential civil liability under FCRA as well.

Key Takeaways for Employers

  • Employers should understand processes, practices, and agreements they have with CRA vendors given the CFPB’s advisory.
  • There are a host of other laws to consider in navigating the background checks process: from state fair credit reporting laws, credit laws, ban the box laws, criminal considerations, and more.
  • FCRA and CFPB’s advisories can impact all types of background checks by CRAs, not just “credit” checks.

Please speak with the Jackson Lewis attorney you regularly work with if you have any questions about the CFPB Advisory or background checks.

Special thanks to Sean King, a Summer Law Clerk for his assistance with this blog.


In response to the United States Supreme Court decision in Dobbs vs. Jackson Women’s Health Organization, President Joe Biden signed an Executive Order on Friday, July 8, 2022, designed to protect access to reproductive health care services. In addition to measures seeking to safeguard access to abortion and contraception, the Executive Order includes provisions aimed at protecting the privacy of patients and their access to accurate information, which will likely build on guidance from the Secretary of Health and Human Services issued June 29, 2022, addressing related concerns.

When individuals think about the privacy and security of their health information moving through the U.S. health care system, their first stop usually is the complex set of rules under “HIPAA,” referring to the Privacy, Security, and related rules under the Health Insurance Portability and Accountability Act of 1996. For nearly 20 years, the HIPAA rules applicable to most healthcare providers and health plans have worked to safeguard “protected health information,” or “PHI.” During that time, a debate has raged over the effectiveness of the rules: some argue the rules are too stringent, others that they are not stringent enough, and still others believe HIPAA is just right.

Of course, the protection of medical information does not begin or end with HIPAA. There is a myriad of other federal, state, and local laws that potentially impact the privacy and security of individual identifiable medical information generated in connection with the provision and payment for reproductive health care services. Here, we address the Executive Order and recent OCR guidance. However, organizations must also consider these other laws when making decisions concerning the collection, use, disclosure, retention, and security of such information.

Executive Order.

With regard to protecting the privacy of patients and their access to accurate information, the Executive Order focuses on potential threats to patient privacy caused by (i) the transfer and sale of sensitive health-related data, and (ii) digital surveillance related to reproductive healthcare services. Related measures in the Order call for efforts to protect people seeking reproductive health services from fraudulent schemes or deceptive practices. To these ends, the Order directs:

  • the Secretary of Health and Human Services (HHS) to consider actions, including additional guidance under HIPAA, to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality. The Secretary also must work with the US Attorney General to consider actions designed to educate consumers on protecting privacy and limiting the collection and sharing of their sensitive health information.
  • the Chair of the Federal Trade Commission (FTC) to consider actions, including under the Federal Trade Commission Act, to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.
  • the Secretary to consult with the FTC Chair and Attorney General on ways to address deceptive and fraudulent practices related to reproductive healthcare services, including online, and to protect access to accurate information.

It remains to be seen what steps these agencies will take in response to the Executive Order. As noted above and summarized below, the Secretary has already issued guidance concerning patient privacy following Dobbs.

OCR Guidance Regarding Patient Privacy Following Dobbs.

Prior to the President’s Executive Order, the HHS Office for Civil Rights issued post-Dobbs guidance to help protect patients seeking reproductive care. The guidance comes in the form of reminders to providers and patients:

  • Reminder to providers about disclosures to third parties. In short, this guidance reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule. It reiterates some of the HIPAA Privacy Rule’s existing restrictions on disclosures of PHI (i) when required by law, (ii) for law enforcement purposes, and (iii) to avert a serious threat to health or safety. For example, the guidance makes clear that the HIPAA Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law. Further, the guidance reminds covered entities and business associates that the permission to disclose as “required by law” requires a mandate in the law that compels disclosure which is enforceable in court, explained through the following example:

An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected. (emphasis added)

The guidance includes a similar analysis when considering law enforcement requests made through legal processes such as court orders or subpoenas.

  • Reminders to patients to protect medical information when using period trackers and other health information apps. In general, PHI accessed or stored on individuals’ personal devices is not protected under the HIPAA rules. The OCR cites recent reports about patients expressing concerns that period trackers and other health information apps threaten privacy by disclosing geolocation data which may be misused by those seeking to deny care.

To help address these concerns, the guidance provides steps to limit how certain devices collect and share health and other personal information without the knowledge of the device’s owner. This includes instructions for turning off location services and best practices for selecting apps, browsers, and search engines. It also provides a list of several resources for protecting privacy when using apps and other electronic products, including from the FTC and Consumer Reports.


What all this means for healthcare providers, health plans, and business associates is heightened attention when handling individual identifiable health information related to reproductive health care services, including when it is permissible to disclose HIPAA protected health information, particularly without the authorization of the individual to whom it relates. Such organizations also will need to consider more stringent state law that may provide stronger protections for privacy, while health plans covered by the Employee Retirement Income Security Act will have to assess whether state laws might be preempted by ERISA. These are not easy tasks in a world with growing privacy protections, data breaches, labor shortages, and rapidly advancing technologies.

At the start of June, the California Privacy Protection Agency (CPPA), the agency tasked with implementing and enforcing the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA), voted to begin the rulemaking process.

On July 8, 2022, the CPPA officially began the formal rule-making process to adopt proposed regulations implementing the CPRA by releasing the notice of proposed rulemaking. The CPPA stated the proposed regulations are intended to: “(1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.”

The notice also indicates that the CPPA will not be promulgating rules on cybersecurity audits or automated decision-making technology at this time.

A hearing on the proposed regulations is scheduled for August 24 and 25, 2022. Written comments on the proposed regulations must be submitted by August 23, 2022, in advance of the public hearing. Comments can be submitted by email to regulations@cppa.ca.gov or by mail to The California Privacy Protection Agency, Attn: Brian Soublet, 2101 Arena Blvd., Sacramento, CA 95834.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Last month, the Illinois Supreme Court heard oral argument in the closely watched case of Cothron v. White Castle System Inc., and is set to decide when claims under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act accrue.

The court’s forthcoming decision in Cothron is likely to have a significant impact on Illinois employers who are facing BIPA litigation, or who use, or have used, biometric technology in the workplace.

Read Full Article at Law360

Subscription may be required to view article