The National Institute of Standards and Technology (NIST) recently released a preliminary draft of its Cybersecurity Framework Profile for Ransomware Risk Management. The public comment period for this draft runs through July 9, 2021. NIST says “The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.” NIST is taking an iterative approach to this framework and there will be at least one additional public comment period on it.

Protecting Against Ransomware Attacks

The NIST framework recommends the following steps to protect against the ransomware threat:

  • Use antivirus software at all times. Set your software to automatically scan emails and flash drives.
  • Keep computers fully patched. Run scheduled checks to keep everything up-to-date.
  • Block access to ransomware sites. Use security products or services that block access to known ransomware sites.
  • Allow only authorized apps. Configure operating systems or use third-party software to allow only authorized applications on computers.
  • Restrict personally owned devices on work networks.
  • Use standard user accounts versus accounts with administrative privileges whenever possible.
  • Avoid using personal apps—like email, chat, and social media—from work computers.
  • Beware of unknown sources. Don’t open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.

Recovering From Ransomware Attacks

In addition, NIST recommends the following steps organizations can take now to help recover from a future ransomware event:

  • Make an incident recovery plan. Develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan.
  • Backup and restore. Carefully plan, implement, and test a data backup and restoration strategy—and secure and isolate backups of important data.
  • Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement.

Determining Your Organization’s State of Readiness to Prevent And Mitigate Ransomware Attacks

Organizations can use the NIST framework to profile their state of readiness for ransomware attacks, identifying and prioritizing opportunities for improving their ransomware resistance. NIST identifies the following functions as a further means to address ransomware risks:

  • Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
  • Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
  • Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
  • Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.
  • Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.

Ransomware continues to present a significant threat to organizations.  The NIST framework presents an opportunity to assess and improve prevention and mitigation measures. Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends.

Here are some additional helpful resources for ransomware attack prevention and response:

 

The Baltimore City Council recently passed an ordinance, in a vote of 13-2, barring the use of facial recognition technology by city residents, businesses, and most of the city government (excluding the city police department) until December 2022.  Council Bill 21-0001  prohibits persons from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology.”

Facial recognition technology has become more popular in recent years, including during the COVID-19 pandemic. As the need arose to screen persons entering a facility for symptoms of the virus, including temperature, thermal cameras, kiosks, and other devices embedded with facial recognition capabilities were put into use, often inadvertently. However, many have objected to the use of this technology in its current form, citing problems with the accuracy of the technology, as summarized in a June 9, 2020 New York Times article, “A Case for Banning Facial Recognition.”

While many localities across the nation have barred the use of facial recognition systems by city police, and other government agencies, such as San Francisco and Oakland, Baltimore is only the second city (following Portland, Oregon), to ban biometric technology use by private residents and businesses. Effective January 1, 2021 the City of Portland banned the use of facial recognition by private entities in any “places of public accommodation” within the boundaries of the city. “Places of public accommodation was broadly defined to include any “place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise.”

Specifically, the Baltimore ordinance prohibits an individual or entity from obtaining, retaining, or using facial surveillance system or any information obtained from a facial surveillance system within the boundaries of Baltimore city. “Facial surveillance system” is defined as any computer software or application that performs face surveillance. Notably, the Baltimore ordinance explicitly excluded from the definition of “facial surveillance system” a biometric security system designed specifically to protect against unauthorized access to a particular location or an electronic device, meaning employers using a biometric security system for employee/visitor access to their facilities would appear to be still be permissible under the bill. The ordinance also excludes from its definition of “facial surveillance system” the Maryland Image Repository System (MIRS) used by the Baltimore City Police in criminal investigations.

A person in violation of the law is subject to fine of not more than $1,000, imprisonment of not more than 12 months, or both fine and imprisonment.  Each day that a violation continues is considered a separate offense. The criminalization of use of facial recognition, is first of its kind across the United States.

The Baltimore bill also includes a separate section applicable only to the Mayor and City Council of Baltimore City, requiring an annual surveillance report by the Director of Baltimore City Information and Technology or any successor entity, in consultation with the Department of Finance to be submitted to the Mayor of Baltimore detailing: 1) each purchase of surveillance technology during the prior fiscal year, disaggregated by the purchasing agency, and 2) an explanation of the use of the surveillance technology.  In addition, the report must be posted to the Baltimore City Information and Technology website. Examples of surveillance technology that must be included in the report include: automatic license plate readers, x-ray vans, mobile DNA capture technology and software designed to forecast criminal activity or criminality.

It is important to note, that the bill’s provisions are set to automatically expire December 31, 2022 unless the City Council, after appropriate study, including public hearings and testimonial evidence concludes that such prohibitions and requirements are in the public interest, in which case the law will be extended for an additional 5 years.

The Baltimore ordinance has been met with significant opposition by industry experts, particularly as the ordinance would be the first in the U.S. to criminalize private use of biometric technologies. In a joint letter, the Security Industry Association (SIA), the Consumer Technology Associations (CTA) and the Information Technology and Innovation Foundation (ITIF) and XR Association to reject the enactment of the Baltimore ordinance on grounds that it is overly broad and prohibits commercial applications of facial recognition technology that already have widespread public acceptance and provide “beneficial and noncontroversial” services, including for example: increased and customized accessibility for disabled persons, healthcare facilities to verify patient identities while reducing the need for close-proximity interpersonal interactions, banks to enhance consumer security to verify purchases and ATM access, and many more. A similar concern was voiced by Councilmember Issac Schliefer who was one of the two votes opposing the ordinance.

The ordinance now awaits signage by Baltimore Mayor Brandon Scott, and if signed, will become effective 30 days after enactment. In anticipation, of the ordinance’s potential enactment, businesses in the City of Baltimore should begin evaluating whether they are using facial recognition technologies, whether they fall into one of the exceptions in the ordinance, and if not what alternatives they have for verification, security, and other purposes for which the technology was implemented.

By now, plan fiduciaries and their service providers likely have heard about the DOL’s cybersecurity guidance. The Department of Labor’s stepping into cybersecurity in this way – a posting of best practices on the agency’s website – has left plan fiduciaries with some questions. Here are a few:

  • “When is this effective?”
  • “Does this apply to me?”
  • “Could I be liable if a service provider has a data breach?”
  • “We are halfway through the term of our services agreement with our recordkeeper, do we need to do something now?”
  • “This is IT’s problem, right?”
  • “What exactly do we have to do to be ‘prudent’?”
  • “Do we have to communicate anything to plan participants?”
  • “If our service provider had a data breach, do we have to terminate the relationship?” “What factors should we considering in making that decision?”

So, what are plan fiduciaries actually thinking? Fortunately, we’ve been able to obtain snippets of conversations between plan fiduciaries that may provide some insight into that question. Here is our first installment, and, of course, we redacted the text to protect the privacy of the individuals.

Retirement Plan Committee Chair: So, what did you think of your first retirement plan committee meeting?

New Committee Member: Well it sounds like it will be really interesting…though, I’m a little bit nervous about the personal responsibility part and I’m not much of a technology person. I keep hearing about these breaches in the news, ransomware, you know, and I was one of the people on the gas line due to the Colonial Pipeline incident.

Retirement Plan Committee Chair: I know what you mean. During the time we were out of the office for COVID, if it weren’t for my 13-year-old, I don’t think I would have been able to get onto any conference calls! But I think we have a good team and good procedures. There is a fiduciary training coming up and I believe they will cover this.

New Committee Member: Yea, that will be good. I am not sure I know all the service providers we have for the plans. We spoke a lot about the 401(k) plan’s recordkeeper tonight, are there others?

Retirement Plan Committee Chair: That is a good question. We definitely will need to identify all of our service providers, particularly those handling plan data. I know we have an auditor, and then there is our investment advisory firm…

New Committee Member (interrupting): …and what about the financial wellness vendor?

Retirement Plan Committee Chair: Yes, them too. Well, we should probably regroup after the training and come up with a plan. I have to run, see you next week.

New Committee Member:  OK, bye.

It looks like this organization takes its retirement plan administration seriously and has some thoughtful people on the team. Retirement committees generally are not required under ERISA but they can be a valuable tool for organizing the administrative responsibilities of an employee benefit plan.

Getting more educated on “cybersecurity” is a good initial step for a committee or plan fiduciaries generally. Done right, training will help fiduciaries better understand the threats and vulnerabilities to data generally (not just from criminal hackers) and gain more insight into the DOL’s best practices. Such training also can help plan fiduciaries (and personnel on virtually all levels of plan administration) appreciate more of the ways data may be accessed or transmitted in the course of operating a plan. Looking at plan operations from that perspective, where data lives and how it moves, can help plan fiduciaries identify the service providers they need to be thinking about.

Perhaps the most important nugget from the exchange above for addressing the DOL’s guidance is from the Retirement Plan Committee Chair – come up with a plan!

The Texas Legislature, which meets every other year, pushed a change to its data breach notification law at the end of the session in late May, and yesterday Governor Greg Abbott signed the bill into law.  It follows a growing trend of changes to privacy and cybersecurity laws at the state level.

Texas House Bill 3746 will amend Texas Business and Commerce Code § 521.053, which requires notifications to individuals and the Texas Attorney General following certain data breaches.  The amendment adds a requirement for the Texas Attorney General to post on its website a listing of data breach notifications received, when a breach involves 250 or more Texas residents. California has a similar requirement, although it is for breaches affecting 500 or more residents.

Specifically, the Texas amendment would require the Texas Attorney General to:

  • Post on the Attorney General’s public website a listing of notifications received, excluding any sensitive personal information, any information that may compromise a data system’s security, and any other information reported to the Attorney General that is made confidential by law;
  • Maintain an updated listing on the website, and update the list no later than every 30 days; and
  • Remove data no later than one year following the date it was added, unless the entity notified the Attorney General of additional incidents.

The amendment also now requires that entities reporting a breach to the Texas Attorney General provide the number of Texas residents receiving notification of the breach, in addition to the current requirements of:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
  • The number of residents affected by the breach;
  • The measures taken by the person regarding the breach and any measures the person intends to take regarding the breach after notification; and
  • Information regarding whether law enforcement is engaged in investigating the breach.

The Texas amendment may indicate a growing trend towards increased information sharing in an effort to prevent future data breaches. On the federal level, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has implemented several programs in the past year to promote information sharing and awareness.  “Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation. As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, the CISA has developed and implemented numerous information sharing programs. Through these programs, CISA develops partnerships and shares substantive information with the private sector, which owns and operates the majority of the nation’s critical infrastructure. CISA also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries”, CISA states. More information on CISA information sharing and awareness programs is available here.

The updated Texas law will take effect September 1, 2021.  With no shortage of large-scale breaches and heightened public awareness across the nation, organizations regardless of jurisdiction are advised to evaluate and enhance their data breach prevention and response capabilities.

 

UPDATE: On June 16, Gov. Ned Lamont signed HB 5310 into law which becomes effective October 1, 2021.

State legislatures across the nation are prioritizing privacy and security matters, and Connecticut is no exception. This week, Connecticut Attorney General William Tong announced the passage of An Act Concerning Data Privacy Breaches, a measure that will enhance and strengthen Connecticut’s data breach notification law. The Connecticut House of Representatives unanimously approved the bill on May 27th, and Senate followed with unanimous approval shortly after.  The bill now heads to Governor Ned Lamont for signage.

Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so. Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved. This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents,

Attorney General Tong observed in his announcement of the data breach notification bill.

Key aspects of Connecticut’s enhanced data breach notification law include:

  • Expansion of the definition of “personal information.

Originally, Connecticut defined “personal information” as an individual’s first name or first initial and last name in combination with any one, or more, of the following data:

    • Social security number
    • Driver’s license number
    • State identification card number
    • Credit or debit card number
    • Financial account number in combination with any required security code, access code, or password that would permit access to such financial account.

The new law if enacted will look more like similar laws in California and Florida by including additional data categories:

    • Individual taxpayer identification number
    • Identity protection personal identification number issued by the IRS
    • Passport number, military identification number or other identification number issued by the government that is used to verify identity
    • Medical information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional
    • Health insurance policy number or subscriber identification number, or any unique identifier by a health insurer to identify the individual
    • Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; and
    • User name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
  • Notification Time and Content.

The new law would shorten the time a business has to notify affected Connecticut residents and the Office of the Attorney General of a data breach time from 90 days to 60 days. Remember, as with most other breach notification mandates, the timing requirement is “without unreasonable delay but not later than 60 days” in this case. In addition, if identification of a resident of the state whose personal information was breached or reasonably believed to have been breached will not be completed within 60 days, the business must provide preliminary substitute notice as outlined by the law, and proceed in good faith to work to identify affected residents and provide direct notice as expediently as possible. Incident response plans would need to be reviewed to ensure this requirement is incorporated.

  • Breach of Login Credential. 

The new law would add a section addressing unique notification requirements in the case of a breach of login credentials. In such a case, notice to an affected resident may be provided in electronic or other form that directs the resident to promptly change any password or security questions and answers, or to take other appropriate steps to protect the affected online account, or any account with the same login credentials.

  • HIPAA and HITECH Act Exception.

Any person subject to and in compliance with HIPAA and/or the HITECH Act privacy and security obligations is deemed in compliance of the new law with a couple of critical exceptions. First, as under New York’s SHIELD Act, a person subject to HIPAA or HITECH that is required to notify Connecticut residents of a data breach under HITECH still must notify Connecticut’s Attorney General at the same time residents are notified. Second,  if the person would have been required to provide identity theft prevention and/or mitigation services under Connecticut law, which is for a period of 24 months, that requirement remains.

  • Investigation Materials.

Under the new law, documents, material and information connected to the investigation of a breach of security would be exempt from public disclosure, unless required to be made available to third parties by the Attorney General in furtherance of the investigation.

This new law, if signed keeps Connecticut in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

Below are several resources for understanding current trends in the state data breach notification law landscape:

In a landmark decision, the U.S. Supreme Court has ruled that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq., does not prohibit improper use of computer information to which an individual has authorized access. Rather, the law prohibits obtaining information from areas of a computer, such as files, folders, or databases, that are outside the limits of the individual’s authorized access. Van Buren v. United States, No. 19-783 (June 3, 2021).

Before the Court took up the case, a sharp split existed among circuit courts, with serious ramifications for employers. The First, Fifth, Seventh, and Eleventh Circuits had adopted a broad construction of the CFAA, allowing claims to go forward when an individual misused information they were otherwise permitted to access. The Second, Fourth, and Ninth Circuits took a narrower approach, concluding that CFAA claims were limited to situations in which an individual accessed information off-limits to them, and mere misuse of information to which they had authorized access could not constitute a violation.  The Supreme Court resolved this split in favor of the narrower reading.

Employers should assess whether they have sufficient safeguards in place to protect against the conduct in Van Buren. While improper use of information through authorized access may no longer violate the CFAA, it can still wreak havoc on a business. Jackson Lewis’s Privacy, Data and Cybersecurity practice group, in conjunction with the Non-Competes and Protection Against Unfair Competition practice group, published an article on the Jackson Lewis website, explaining the Van Buren case in depth and its potential impact.

In late May, New York Attorney General Letitia James announced a $200,000 settlement agreement with Filters Fast, an online water filtration retailer, stemming from a 2019 data breach compromising the personal information of over 300,000 consumers across the U.S., including nearly 17,000 in New York state.  The settlement also requires the online retailer to strengthen its cybersecurity policies and procedures.

The settlement was the result of an enforcement action brought by the State AG under New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). See our SHIELD Act FAQs here.  The SHIELD Act was enacted in 2019 with the goal of strengthening protection for New York residents against data breaches affecting their private information.   The Act imposes expansive data security obligations and updated the State’s existing data breach notification requirements.

The Filters Fast breach affected the names, billing addresses, and credit card expiration dates and security codes of customers who purchased products on the Company’s website for nearly a year, between July 2019 – July 2020. Filters Fast was first made aware of the breach in February 2020, but after conducting an internal investigation concluded that a breach had not occurred.  After receiving several additional reports of compromised data, however, the Company’s internal investigator concluded in late July of 2020 that a breach had in fact occurred, and the website was patched. On August 14th 2020 – over a year after the breach had initially occurred, and approximately six months after the Company first became aware of it – notification of the breach was sent to affected customers.

“New Yorkers should never have to worry that their personal information will be attacked during a routine online checkout process,” said Attorney General James in her announcement of the settlement. “Online information security has been especially critical during the COVID-19 pandemic, during which New Yorkers have increasingly relied on online retailers, such as Filters Fast, to purchase basic household goods. My office is committed to protecting consumers, which is why we will continue to use every available tool to hold companies accountable when they fail to safeguard personal information.”

In addition to the settlement payment, the AG’s agreement with Fast Filters  requires several improvements to the company’s policies and procedures to help prevent future data security incidents, such as:

  • Creating a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the company’s CEO concerning security risks;
  • Designing an incident response and data breach notification plan that encompasses preparation, detection and analysis, containment, eradication, and recovery;
  • Adopting personal information safeguards and controls — including encryption, segmentation, penetration testing, logging and monitoring, virus protection policy, custom application code change reviews, authentication policy and procedures, management of service providers, and patch management; and
  • Ensuring that third-party security assessments take place over the next five years.

The SHIELD Act is far-reaching: it affects any business that holds private information of a New York resident — regardless of whether the organization does business in New York, and including small businesses. Under the Act, individuals and businesses that collect computerized data, including private information about New York residents, must implement and maintain reasonable administrative, physical and technical safeguards. The Act provides several safeguards which may be implemented to ensure compliance.

Data privacy and security risks continue to emerge with enforcement not far behind. Regardless of their location, organizations should be assessing and reviewing their data breach prevention and response activities, building robust data protection programs, and investing in written information security programs (WISPs).

Additional resources on security program implementation, particularly for small and mid-sized organizations are available here:

 

The EU Commission is expected to adopt the long awaited updated Standard Contractual Clauses (“SCCs”) on June 4, 2021. In the wake of the Schrems II decision invalidating the EU-U.S. Privacy Shield, the SCCs have played an increased role as an appropriate safeguard for transferring personal data from the European Economic Area to recipients in the U.S. and other countries without an EU Adequacy Decision. Globalization and the growth in outsourcing have created unanticipated transfer scenarios the original SCCs were unable to adequately address. For U.S. companies sending or receiving personal data from the European Economic Area, these new clauses will help accommodate an expanded set of transfer arrangements including processor to processor and processor to controller. Among other changes, it is anticipated the SCCs will address the data importer’s duties in situations where applicable laws affect its ability to comply with the SCCs, an issue raised in the Schrems II decision. Companies currently transferring personal data in reliance on existing SCCs will have a grace period in which to replace them with the new SCCs.

On May 11, 2021, the Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health & Human Services published an interim final rule/guidance to establish COVID-19 vaccination requirements for Long-Term Care (LTC) facilities. The requirements are applicable to both residents and staff. LTC facilities have already been managing COVID-19 vaccination requirements both at the federal and state levels. CMS’ interim final rule, however, adds new requirements for educating residents (or resident representatives) and staff regarding the benefits and potential side effects associated with the COVID-19 vaccine, offering the vaccine, and reporting COVID-19 vaccine and therapeutics treatment information to the Center for Disease Control’s (CDC’s) National Healthcare Safety Network (NHSN)

An important definition in the guidance is of the term “staff.” This includes individuals who work in the facility on a regular (that is, at least once a week) basis, including individuals who may not be physically in the LTC facility for a period of time due to illness, disability, or scheduled time off, but who are expected to return to work. The term also includes individuals under contract or arrangement, including hospice and dialysis staff, physical therapists, occupational therapists, mental health professionals, or volunteers, who are in the facility on a regular basis, as the vaccine is available.

The chart below provides an outline of the requirements in the interim final rule.

Residents/Staff
Education Education should be provided in a manner that is easily understood and in advance of each vaccination dose, which should include (i) FDA EUA Fact Sheet, (ii) benefits and side effects (e.g., fever, aches, rare reactions) for each dose needed.
Vaccination

LTC facilities must have policies and procedures to oversee that vaccines are offered when supplies are available (unless contraindicated or already immunized). Facilities also need to be screening for prior immunization, and medical precautions, contraindications necessary to determine eligibility.

Residents and staff must have opportunity to accept or decline the vaccine, and change their decisions. Note, residents may decline vaccines and LTC facilities may not take any adverse action, including social isolation, denied visitation, and involuntary discharge. However, staff may not be able to decline vaccination, as LTC facilities will need to review state law and organizational policies.

If a resident or staff member requested vaccination and missed prior opportunity for any reason, the LTC facility must offer vaccine as soon as possible.

Vaccinations must be conducted in accordance with CDC, ACIP, FDA, and manufacturer guidelines. All facilities must adhere to current infection prevention and control recommendations when preparing and administering vaccines, including monitoring for adverse reactions. This includes monitoring of indications and contraindications for COVID-19 vaccination, including new or revised guidelines issued by the CDC, FDA, vaccine manufacturers, or other expert stakeholders.

If the vaccine is unavailable, LTC facilities should provide information on obtaining vaccination opportunities (e.g., health department or local pharmacy)

Vaccine education and offer requirements do not apply to individuals entering the LTC facility for a specific purpose, or limited amount of time – e.g., delivery, repair persons, volunteers, entering facility less than once per week.
 

Residents

Staff
Documentation

Residents’ medical record must document:

o   that resident or resident representative was provided education regarding the benefits and potential risks associated with COVID-19 vaccine;

o   each dose of vaccine administered, or that the resident did not receive the COVID-19 vaccine due to refusal or medical contraindications;

o   date education and offer of vaccine took place;

o   name of representative that received education and accepted/refused vaccine, if applicable; and

o   Samples of educational materials used.

LTC facilities need to document vaccine status of residents, including total numbers of residents, numbers of residents vaccinated, numbers of each dose of COVID19 vaccine received, vaccination adverse events, and therapeutics administered for treatment of COVID-19.

Documentation concerning staff includes:

o   that staff was provided education regarding the benefits and potential risks associated with COVID-19 vaccine;

o   that staff were offered the vaccine or information on obtaining-19 vaccine, unless contraindicated or already vaccinated; and

o   vaccine status of staff and related information as indicated by NHSN.

LTC facilities need to document vaccine status, including total numbers of staff, number of staff vaccinated, numbers of each dose of COVID19 vaccine received, and any vaccination adverse events.

This could be accomplished with a staff roster noting education (e.g., sign-in sheets), date of education, samples of educational materials. Additionally, for staff that have already been vaccinated or received the vaccination outside the LTC facility, the facility should request staff to substantiate their vaccination.
 

LTC facilities must be able to provide evidence, upon request, of efforts made to make the vaccine available.

If there is manufacturing delay, LTC facility must be able to provide evidence of the delay, and efforts to acquire subsequent doses as necessary.
Reporting

Adverse reactions must be reported to the Vaccine Adverse Event Reporting System (VAERS)

Through the National Healthcare Safety Network (NHSN) LTC facilities are required to report, on a weekly basis, the COVID-19 vaccination status of residents and staff, total numbers of residents and staff vaccinated, each dose of vaccine received, COVID-19 vaccination adverse events, and therapeutics administered to residents for treatment of COVID-19.

These new requirements will raise additional data privacy and security requirements for LTC facilities involving the collection, storage, transmission, and potential recordkeeping of resident and employee health information. LTC facilities should review their policies and procedures and how they will be applied these new requirements.

CMS will begin reviewing for compliance with the new vaccination reporting requirements beginning Monday, June 14, 2021.

Surveyors will engage in efforts to ensure compliance. Surveyors will be looking for a facility representative to provide information on how residents and staff are educated about and offered the COVID-19 vaccine. They will want to see educational materials. Surveyors will request a list of residents and staff and their COVID-19 vaccination status, further review their records and even conduct interviews to confirm residents and staff were educated on and offered the COVID-19 vaccine, in accordance with the new requirements.

According to the guidance, failure to meet reporting requirements will result in a Civil Monetary Penalty (CMP) starting at $1,000 for the first occurrence. For each subsequent week that the facility fails to submit the required report, noncompliance will result in an additional CMP imposed at an amount increased by $500 and added to the previously imposed CMP amount for each subsequent occurrence.

On May 13th, New York State Senator Kevin Thomas, Chair of NY’s Consumer Protection Committee, reintroduced the New York Privacy Act (“NYPA”), a comprehensive consumer privacy law similar in kind to the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and Virginia’s Consumer Data Protection Act (“CDPA”).  The NYPA had been introduced in a previous legislative session back in 2019, but failed to move forward in the legislative process.

This version of the NYPA is in some respects less ambitious than the prior version.  For example, the latest version removed the bill’s broad application to any “legal entities that conduct business in New York” or that produce products or services that “intentionally target” New York residents, which would have meant that small-to-medium size businesses, and potentially even not-for-profits, would have been subject to the law. Nevertheless the NYPA surpasses the CCPA and CDPA in some important respects, including by requiring data controllers to:

  • collect opt-in consent from consumers before processing their personal data for any purpose;
  • provide detailed disclosures about the activities of outside parties to whom they disclose personal data;
  • respond to consumer requests to correct personal data; and
  • make disclosures about their automated decision-making activities, afford consumers the opportunity to challenge automated decisions, and conduct and publish assessments on the impacts of their automated decision-making processes.

The NYPA would also impose on data controllers duties of loyalty and care – the latter of which would require an annual risk assessment of all of the data controller’s data processing activities – and take direct aim at targeted advertising and data sales, declaring that these activities “shall not be considered processing purposes that are necessary to provide services or goods requested by a consumer.”

“Consumers should have a right to choose if and how their personal information is collected and used by companies,” said Senator Thomas in his reintroduction of the NYPA. “And New Yorkers deserve to know that businesses who are collecting, processing and protecting their personally identifiable information are doing so ethically and responsibly. The New York Privacy Act will set new, groundbreaking standards for comprehensive privacy legislation by advancing consumer privacy rights and creating stronger industry standards that empower businesses to enhance consumer confidence by putting privacy and security front-and-center.”

Below is a rundown of the NYPA’s key components:

  • Application: The NYPA would apply to legal persons that conduct business in New York State or produce products or services intentionally targeted to residents in New York State and that satisfy at least one of the following thresholds:
    • have annual gross revenue of $25M or more;
    • control or process personal data of at least 100,000 New York residents;
    • control or process personal data of at least 500,000 persons nationwide, at least 10,000 of whom are New York residents; or
    • derives over 50% of its gross revenue from the sale of personal data, and controls or processes personal data of at least 25,000 New York residents.
    • Exempt: Exempted from the NYPA are state and local governments, and personal data that is regulated by HIPAA, HITECH, FERPA, DPPA, GLBA and notably, “data sets maintained for employment records purposes, for purposes other than sale”.
  • Personal Data: Similar to the CCPA and CDPA, the NYPA defines personal data broadly to include “any data that is identified or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device”. That said, unlike the CPRA,  CDPA or GDPR, the New York bill does not include a category for “sensitive data” to which heightened protections apply.
  • Consumer: The NYPA defines “consumer” as “a natural person who is a resident of New York acting only in an individual or household context.” The NYPA states that the definition of consumer does not include a “natural person acting in a commercial or employment context.”
  • Consumer Rights: The NYPA provides consumers a broad set of rights over their personal data, including the rights to:
    • receive clear notice of how their data is being used, processed and shared;
    • provide or withhold consent for the processing of their data for any purpose;
    • access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services;
    • correct inaccuracies in their data;
    • delete their data; and
    • challenge certain automated decisions.
  • Notice to Consumers: Under the NYPA, data controllers must provide written notice to consumers when processing their personal data in an “easy-to-understand language at an eighth-grade reading level or below.” This notice must include a description of the consumers’ rights, the categories of personal data processed, the sources of that data, the purposes for which the data is processed, and the identities of all outside parties to whom the data is disclosed, as well as information about how those parties will use the data and how long they will retain it. The notice must be dated with its effective date and updated at least annually. The notice (as well as each version of the notice dating back six years) must be made readily available to consumers
  • Non-Discrimination: The NYPA prohibits discrimination against a consumer who exercises their rights under the law. For example, a business may not target the consumer by denying goods or services or charging a higher price.
  • Data Broker Registry: The NYPA requires data brokers to register, pay an annual fee to the Attorney General, and submit information regarding their data use practices and contact information. The Attorney General must maintain a data broker registry on its website. Additionally, controllers must annually submit a list of all known data brokers or persons reasonably believed to be data brokers with whom the controller provided personal data in the preceding year and can only share personal data with data brokers that are properly registered.
  • Data Security: At least annually, under the NYPA, data controllers are required to conduct and document risk assessments of all current processing of personal data. In addition, data controllers must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal data of consumers including adopting reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data at issue. The NYPA also imposes requirements related to data retention, data disposal and vendor management.
  • Enforcement and Private Right of Action: The NYPA authorizes the Attorney General to bring an action or special proceeding whenever it appears that a person has engaged or is about to engage in a violation of the law, with civil penalties of not more than $15,000 per violation (each instance of unlawful processing counts as a separate violation). And unlike comparable state laws, the NYPA would grant consumers a private right of action to enjoin violations of their rights under the law and to seek the greater of actual damages or liquidated damages in the amount of $1,000, along with attorney’s fees.  Contrary to other state consumer privacy bills introduced of late, such as Florida’s recently failed HB 969 or New York’s Biometric Privacy law, an organization found to have violated the NYPA does not have the opportunity to cure the violation before facing enforcement actions or litigation.

States across the country are contemplating ways to enhance their data privacy and security protections, with New York playing a leading role.  In addition to the reintroduction of the NYPA, there are other consumer privacy bills under consideration by the New York state legislature, and the New York City Council recently passed a data privacy bill that would impose rigorous requirements on owners of “Smart Access” buildings, and also created biometric information collection requirements for retail and hospitality businesses similar in kind to Illinois’s infamous Biometric Information Privacy Act (“BIPA”). Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.