In a landmark decision, the U.S. Supreme Court has ruled that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq., does not prohibit improper use of computer information to which an individual has authorized access. Rather, the law prohibits obtaining information from areas of a computer, such as files, folders, or databases, that are outside the limits of the individual’s authorized access. Van Buren v. United States, No. 19-783 (June 3, 2021).

Before the Court took up the case, a sharp split existed among circuit courts, with serious ramifications for employers. The First, Fifth, Seventh, and Eleventh Circuits had adopted a broad construction of the CFAA, allowing claims to go forward when an individual misused information they were otherwise permitted to access. The Second, Fourth, and Ninth Circuits took a narrower approach, concluding that CFAA claims were limited to situations in which an individual accessed information off-limits to them, and mere misuse of information to which they had authorized access could not constitute a violation.  The Supreme Court resolved this split in favor of the narrower reading.

Employers should assess whether they have sufficient safeguards in place to protect against the conduct in Van Buren. While improper use of information through authorized access may no longer violate the CFAA, it can still wreak havoc on a business. Jackson Lewis’s Privacy, Data and Cybersecurity practice group, in conjunction with the Non-Competes and Protection Against Unfair Competition practice group, published an article on the Jackson Lewis website, explaining the Van Buren case in depth and its potential impact.

In late May, New York Attorney General Letitia James announced a $200,000 settlement agreement with Filters Fast, an online water filtration retailer, stemming from a 2019 data breach compromising the personal information of over 300,000 consumers across the U.S., including nearly 17,000 in New York state.  The settlement also requires the online retailer to strengthen its cybersecurity policies and procedures.

The settlement was the result of an enforcement action brought by the State AG under New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). See our SHIELD Act FAQs here.  The SHIELD Act was enacted in 2019 with the goal of strengthening protection for New York residents against data breaches affecting their private information.   The Act imposes expansive data security obligations and updated the State’s existing data breach notification requirements.

The Filters Fast breach affected the names, billing addresses, and credit card expiration dates and security codes of customers who purchased products on the Company’s website for nearly a year, between July 2019 and July 2020. Filters Fast was first made aware of the breach in February 2020, but after conducting an internal investigation concluded that a breach had not occurred. After receiving several additional reports of compromised data, however, the Company’s internal investigator concluded in late July 2020 that a breach had in fact occurred, and the website was patched. On August 14, 2020 – over a year after the breach had initially occurred, and approximately six months after the Company first became aware of it – notification of the breach was sent to affected customers.

“New Yorkers should never have to worry that their personal information will be attacked during a routine online checkout process,” said Attorney General James in her announcement of the settlement. “Online information security has been especially critical during the COVID-19 pandemic, during which New Yorkers have increasingly relied on online retailers, such as Filters Fast, to purchase basic household goods. My office is committed to protecting consumers, which is why we will continue to use every available tool to hold companies accountable when they fail to safeguard personal information.”

In addition to the settlement payment, the AG’s agreement with Filters Fast requires several improvements to the company’s policies and procedures to help prevent future data security incidents, such as:

  • Creating a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the company’s CEO concerning security risks;
  • Designing an incident response and data breach notification plan that encompasses preparation, detection and analysis, containment, eradication, and recovery;
  • Adopting personal information safeguards and controls — including encryption, segmentation, penetration testing, logging and monitoring, virus protection policy, custom application code change reviews, authentication policy and procedures, management of service providers, and patch management; and
  • Ensuring that third-party security assessments take place over the next five years.

The SHIELD Act is far-reaching: it affects any business that holds private information of a New York resident — regardless of whether the organization does business in New York, and including small businesses. Under the Act, individuals and businesses that collect computerized data, including private information about New York residents, must implement and maintain reasonable administrative, physical and technical safeguards. The Act provides several safeguards which may be implemented to ensure compliance.

Data privacy and security risks continue to emerge with enforcement not far behind. Regardless of their location, organizations should be assessing and reviewing their data breach prevention and response activities, building robust data protection programs, and investing in written information security programs (WISPs).


The EU Commission is expected to adopt the long awaited updated Standard Contractual Clauses (“SCCs”) on June 4, 2021. In the wake of the Schrems II decision invalidating the EU-U.S. Privacy Shield, the SCCs have played an increased role as an appropriate safeguard for transferring personal data from the European Economic Area to recipients in the U.S. and other countries without an EU Adequacy Decision. Globalization and the growth in outsourcing have created unanticipated transfer scenarios the original SCCs were unable to adequately address. For U.S. companies sending or receiving personal data from the European Economic Area, these new clauses will help accommodate an expanded set of transfer arrangements including processor to processor and processor to controller. Among other changes, it is anticipated the SCCs will address the data importer’s duties in situations where applicable laws affect its ability to comply with the SCCs, an issue raised in the Schrems II decision. Companies currently transferring personal data in reliance on existing SCCs will have a grace period in which to replace them with the new SCCs.

On May 11, 2021, the Centers for Medicare & Medicaid Services (CMS) of the U.S. Department of Health & Human Services published an interim final rule/guidance to establish COVID-19 vaccination requirements for Long-Term Care (LTC) facilities. The requirements are applicable to both residents and staff. LTC facilities have already been managing COVID-19 vaccination requirements at both the federal and state levels. CMS’ interim final rule, however, adds new requirements for educating residents (or resident representatives) and staff regarding the benefits and potential side effects associated with the COVID-19 vaccine, offering the vaccine, and reporting COVID-19 vaccine and therapeutics treatment information to the Center for Disease Control’s (CDC’s) National Healthcare Safety Network (NHSN).

An important definition in the guidance is of the term “staff.” This includes individuals who work in the facility on a regular (that is, at least once a week) basis, including individuals who may not be physically in the LTC facility for a period of time due to illness, disability, or scheduled time off, but who are expected to return to work. The term also includes individuals under contract or arrangement, including hospice and dialysis staff, physical therapists, occupational therapists, mental health professionals, or volunteers, who are in the facility on a regular basis, as the vaccine is available.

The chart below provides an outline of the requirements in the interim final rule.

Residents/Staff

Education: Education should be provided in a manner that is easily understood and in advance of each vaccination dose, and should include (i) the FDA EUA Fact Sheet and (ii) the benefits and side effects (e.g., fever, aches, rare reactions) for each dose needed.

Vaccination: LTC facilities must have policies and procedures to oversee that vaccines are offered when supplies are available (unless contraindicated or already immunized). Facilities also need to screen for prior immunization and for the medical precautions and contraindications necessary to determine eligibility.

Residents and staff must have opportunity to accept or decline the vaccine, and change their decisions. Note, residents may decline vaccines and LTC facilities may not take any adverse action, including social isolation, denied visitation, and involuntary discharge. However, staff may not be able to decline vaccination, as LTC facilities will need to review state law and organizational policies.

If a resident or staff member requested vaccination and missed prior opportunity for any reason, the LTC facility must offer vaccine as soon as possible.

Vaccinations must be conducted in accordance with CDC, ACIP, FDA, and manufacturer guidelines. All facilities must adhere to current infection prevention and control recommendations when preparing and administering vaccines, including monitoring for adverse reactions. This includes monitoring of indications and contraindications for COVID-19 vaccination, including new or revised guidelines issued by the CDC, FDA, vaccine manufacturers, or other expert stakeholders.

If the vaccine is unavailable, LTC facilities should provide information on obtaining vaccination opportunities (e.g., health department or local pharmacy).

Vaccine education and offer requirements do not apply to individuals entering the LTC facility for a specific purpose, or limited amount of time – e.g., delivery, repair persons, volunteers, entering facility less than once per week.

Documentation

Residents

Residents’ medical records must document:

  • that the resident or resident representative was provided education regarding the benefits and potential risks associated with the COVID-19 vaccine;
  • each dose of vaccine administered, or that the resident did not receive the COVID-19 vaccine due to refusal or medical contraindications;
  • the date education and the offer of vaccine took place;
  • the name of the representative that received education and accepted/refused the vaccine, if applicable; and
  • samples of educational materials used.

LTC facilities need to document vaccine status of residents, including total numbers of residents, numbers of residents vaccinated, numbers of each dose of COVID19 vaccine received, vaccination adverse events, and therapeutics administered for treatment of COVID-19.

Staff

Documentation concerning staff includes:

  • that staff were provided education regarding the benefits and potential risks associated with the COVID-19 vaccine;
  • that staff were offered the vaccine or information on obtaining the COVID-19 vaccine, unless contraindicated or already vaccinated; and
  • the vaccine status of staff and related information as indicated by NHSN.

LTC facilities need to document vaccine status, including total numbers of staff, number of staff vaccinated, numbers of each dose of COVID19 vaccine received, and any vaccination adverse events.

This could be accomplished with a staff roster noting education (e.g., sign-in sheets), date of education, samples of educational materials. Additionally, for staff that have already been vaccinated or received the vaccination outside the LTC facility, the facility should request staff to substantiate their vaccination.


LTC facilities must be able to provide evidence, upon request, of efforts made to make the vaccine available.

If there is a manufacturing delay, the LTC facility must be able to provide evidence of the delay and of efforts to acquire subsequent doses as necessary.

Reporting

Adverse reactions must be reported to the Vaccine Adverse Event Reporting System (VAERS).

Through the National Healthcare Safety Network (NHSN) LTC facilities are required to report, on a weekly basis, the COVID-19 vaccination status of residents and staff, total numbers of residents and staff vaccinated, each dose of vaccine received, COVID-19 vaccination adverse events, and therapeutics administered to residents for treatment of COVID-19.

These new requirements will raise additional data privacy and security requirements for LTC facilities involving the collection, storage, transmission, and recordkeeping of resident and employee health information. LTC facilities should review their policies and procedures and how they will apply to these new requirements.

CMS will begin reviewing for compliance with the new vaccination reporting requirements beginning Monday, June 14, 2021.

Surveyors will engage in efforts to ensure compliance. Surveyors will be looking for a facility representative to provide information on how residents and staff are educated about and offered the COVID-19 vaccine. They will want to see educational materials. Surveyors will request a list of residents and staff and their COVID-19 vaccination status, further review their records and even conduct interviews to confirm residents and staff were educated on and offered the COVID-19 vaccine, in accordance with the new requirements.

According to the guidance, failure to meet reporting requirements will result in a Civil Monetary Penalty (CMP) starting at $1,000 for the first occurrence. For each subsequent week that the facility fails to submit the required report, noncompliance will result in an additional CMP imposed at an amount increased by $500 and added to the previously imposed CMP amount for each subsequent occurrence.

On May 13th, New York State Senator Kevin Thomas, Chair of NY’s Consumer Protection Committee, reintroduced the New York Privacy Act (“NYPA”), a comprehensive consumer privacy law similar in kind to the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), and Virginia’s Consumer Data Protection Act (“CDPA”).  The NYPA had been introduced in a previous legislative session back in 2019, but failed to move forward in the legislative process.

This version of the NYPA is in some respects less ambitious than the prior version.  For example, the latest version removed the bill’s broad application to any “legal entities that conduct business in New York” or that produce products or services that “intentionally target” New York residents, which would have meant that small-to-medium size businesses, and potentially even not-for-profits, would have been subject to the law. Nevertheless the NYPA surpasses the CCPA and CDPA in some important respects, including by requiring data controllers to:

  • collect opt-in consent from consumers before processing their personal data for any purpose;
  • provide detailed disclosures about the activities of outside parties to whom they disclose personal data;
  • respond to consumer requests to correct personal data; and
  • make disclosures about their automated decision-making activities, afford consumers the opportunity to challenge automated decisions, and conduct and publish assessments on the impacts of their automated decision-making processes.

The NYPA would also impose on data controllers duties of loyalty and care – the latter of which would require an annual risk assessment of all of the data controller’s data processing activities – and take direct aim at targeted advertising and data sales, declaring that these activities “shall not be considered processing purposes that are necessary to provide services or goods requested by a consumer.”

“Consumers should have a right to choose if and how their personal information is collected and used by companies,” said Senator Thomas in his reintroduction of the NYPA. “And New Yorkers deserve to know that businesses who are collecting, processing and protecting their personally identifiable information are doing so ethically and responsibly. The New York Privacy Act will set new, groundbreaking standards for comprehensive privacy legislation by advancing consumer privacy rights and creating stronger industry standards that empower businesses to enhance consumer confidence by putting privacy and security front-and-center.”

Below is a rundown of the NYPA’s key components:

  • Application: The NYPA would apply to legal persons that conduct business in New York State or produce products or services intentionally targeted to residents in New York State and that satisfy at least one of the following thresholds:
    • have annual gross revenue of $25M or more;
    • control or process personal data of at least 100,000 New York residents;
    • control or process personal data of at least 500,000 persons nationwide, at least 10,000 of whom are New York residents; or
    • derive over 50% of their gross revenue from the sale of personal data, and control or process personal data of at least 25,000 New York residents.
    • Exempt: Exempted from the NYPA are state and local governments, and personal data that is regulated by HIPAA, HITECH, FERPA, DPPA, GLBA and notably, “data sets maintained for employment records purposes, for purposes other than sale”.
  • Personal Data: Similar to the CCPA and CDPA, the NYPA defines personal data broadly to include “any data that is identified or could reasonably be linked, directly or indirectly, with a specific natural person, household, or device”. That said, unlike the CPRA,  CDPA or GDPR, the New York bill does not include a category for “sensitive data” to which heightened protections apply.
  • Consumer: The NYPA defines “consumer” as “a natural person who is a resident of New York acting only in an individual or household context.” The NYPA states that the definition of consumer does not include a “natural person acting in a commercial or employment context.”
  • Consumer Rights: The NYPA provides consumers a broad set of rights over their personal data, including the rights to:
    • receive clear notice of how their data is being used, processed and shared;
    • provide or withhold consent for the processing of their data for any purpose;
    • access and obtain a copy of their data in a commonly used electronic format, with the ability to transfer it between services;
    • correct inaccuracies in their data;
    • delete their data; and
    • challenge certain automated decisions.
  • Notice to Consumers: Under the NYPA, data controllers must provide written notice to consumers when processing their personal data in an “easy-to-understand language at an eighth-grade reading level or below.” This notice must include a description of the consumers’ rights, the categories of personal data processed, the sources of that data, the purposes for which the data is processed, and the identities of all outside parties to whom the data is disclosed, as well as information about how those parties will use the data and how long they will retain it. The notice must be dated with its effective date and updated at least annually. The notice (as well as each version of the notice dating back six years) must be made readily available to consumers.
  • Non-Discrimination: The NYPA prohibits discrimination against a consumer who exercises their rights under the law. For example, a business may not target the consumer by denying goods or services or charging a higher price.
  • Data Broker Registry: The NYPA requires data brokers to register, pay an annual fee to the Attorney General, and submit information regarding their data use practices and contact information. The Attorney General must maintain a data broker registry on its website. Additionally, controllers must annually submit a list of all known data brokers or persons reasonably believed to be data brokers with whom the controller provided personal data in the preceding year and can only share personal data with data brokers that are properly registered.
  • Data Security: At least annually, under the NYPA, data controllers are required to conduct and document risk assessments of all current processing of personal data. In addition, data controllers must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal data of consumers including adopting reasonable administrative, technical and physical safeguards appropriate to the volume and nature of the personal data at issue. The NYPA also imposes requirements related to data retention, data disposal and vendor management.
  • Enforcement and Private Right of Action: The NYPA authorizes the Attorney General to bring an action or special proceeding whenever it appears that a person has engaged or is about to engage in a violation of the law, with civil penalties of not more than $15,000 per violation (each instance of unlawful processing counts as a separate violation). And unlike comparable state laws, the NYPA would grant consumers a private right of action to enjoin violations of their rights under the law and to seek the greater of actual damages or liquidated damages in the amount of $1,000, along with attorney’s fees.  Contrary to other state consumer privacy bills introduced of late, such as Florida’s recently failed HB 969 or New York’s Biometric Privacy law, an organization found to have violated the NYPA does not have the opportunity to cure the violation before facing enforcement actions or litigation.

States across the country are contemplating ways to enhance their data privacy and security protections, with New York playing a leading role.  In addition to the reintroduction of the NYPA, there are other consumer privacy bills under consideration by the New York state legislature, and the New York City Council recently passed a data privacy bill that would impose rigorous requirements on owners of “Smart Access” buildings, and also created biometric information collection requirements for retail and hospitality businesses similar in kind to Illinois’s infamous Biometric Information Privacy Act (“BIPA”). Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.


The passage of Prop 24, the California Privacy Rights Act of 2020 (“CPRA”), has caused some confusion among businesses in California. The confusion stems from the fact that the CPRA has an effective date of January 1, 2023, amending the existing California Consumer Privacy Act (CCPA) when it takes effect, but also immediately extending the current limited exemptions under the CCPA for employment-related data to January 1, 2023. (Without the CPRA, the limited exemptions would have already expired.) It appears that this labyrinth of amendments, extensions, and exemptions has misled some businesses subject to the CCPA (the rules for which will change a little under the CPRA) into believing that they are completely exempt from privacy obligations until 2023 with respect to job applicants, employees, owners, directors, officers, medical staff, and contractors (collectively “employees and applicants”). This is not the case! In short, businesses have existing obligations under the CCPA concerning the personal information of their employees and applicants, which became effective on January 1, 2020.

To understand the current employment-related obligations of businesses in California, a brief history lesson is needed. The CCPA was signed into law in 2018 by then Governor Jerry Brown. Immediately, it became clear that there were major problems with the law, including, but not limited to, the definition of “consumer” (the second C in CCPA), which is defined to be any resident of California. Lawmakers recognized the potential issues that would come from granting employment-related data subjects (i.e., job applicants, employees, independent contractors) all the rights a traditional consumer would have under the CCPA. Thus, the California State Assembly introduced AB25, which originally tried to completely exempt businesses from having to comply with the CCPA for employees and applicants.

Unfortunately for employers, AB25 was amended in the State Senate and the version that was eventually passed and signed into law by Governor Gavin Newsom in October 2019 (just weeks before the CCPA became effective) exempted businesses in their role as employers from most but not all of the CCPA’s requirements with respect to employment-related data (i.e., limited exemptions mentioned above).

Under the CCPA (as amended by AB25), employers have the following current obligations:

  • Provide notices to employment-related data subjects (job applicants, employees, owners, directors, officers, medical staff, and contractors) of the categories of personal information being collected and the purposes for which the personal information will be used
  • Implement “reasonable security” over certain categories of personal information to avoid a private right of action following a data breach. To this end, it may be prudent to review and augment vendor contracts to ensure that employment-related personal information is handled properly.

Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements.


On May 12, 2021, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, reportedly a ransomware incident that snarled the flow of gas on the east coast for days. Ransomware attacks are nothing new, but they are increasing in severity. Most do not see the large sums paid to hackers by victim organizations needing access to their encrypted data or wanting to stop a disclosure of sensitive information if they can. But most do see the crippling of vital infrastructure caused by compromised computer systems without which basic services cease to flow.

Of course, the Colonial Pipeline incident is not the only attack we have seen affecting entities that provide critical infrastructure. In February of this year, ABC News reported that weak cybersecurity controls “allowed hackers to access a Florida wastewater treatment plant’s computer system and momentarily tamper with the water supply,” based on a memo by federal investigators obtained by ABC. A month later, sensitive data were exposed for some time in cloud storage by New England’s largest energy provider, according to reports. The SolarWinds breach last year, named Sunburst, was a massive compromise of government agencies including the Department of Energy.

Will the EO help? It is unclear at this point; however, the EO makes a clear statement on the policy of the Administration:

It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.

The effect of the EO will mostly affect the federal government and its agencies. However, several of the requirements in the EO will reach certain federal contractors, and also will influence the private sector. Below are several of the items directed by the EO:

  • Removing contractual barriers in contracts between the federal government and its information technology (IT) and operational technology (OT) service providers. The goal here is to increase information sharing about threats, incidents, and risks in order to accelerate incident deterrence, prevention, and response efforts and to enable more effective defense of government systems and information. As part of this effort, the EO requires a review of the Federal Acquisition Regulation (FAR) concerning contracts with such providers and recommendations for language designed to achieve these goals. Recommendations will include, for example, the time periods within which contractors must report cyber incidents based on severity, with reporting on the most severe cyber incidents not to exceed 3 days after initial detection. The changes also will seek to standardize common cybersecurity contractual requirements across agencies.
  • Modernize the approach to cybersecurity. To achieve this goal, some of the steps called for in the EO include adopting security best practices, advancing to Zero Trust Architecture, moving to secure cloud services, including Software as a Service (SaaS), and centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. More specifically, the EO requires that within 180 days of the date of the EO, agencies must adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.
  • Improve software supply chain security. Driven by the impact of the SolarWinds incident, the EO points to the lack of transparency in the software development and whether adequate controls exist to prevent tampering by malicious actors, among other things. The EO calls for guidance to be developed that will strengthen this supply chain, which will include standards, procedures, and criteria, such as securing development environments and attesting to conformity with secure software development practices. The EO also requires recommendations for contract language that would require suppliers of software available for purchase by agencies to comply with, and attest to complying with the guidance developed. Efforts also will be made to reach the private sector. For instance, pilot programs will be initiated by the Secretary of Commerce acting through the Director of NIST to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs.
  • Establishing a Cyber Safety Review Board. The Board’s duties would include reviewing and assessing certain significant cyber incidents affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.
  • Standardize incident response. Standardize the federal government’s response to cybersecurity vulnerabilities and incidents to ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.
  • Improve detection. The EO seeks to improve detection of cybersecurity vulnerabilities and incidents on federal government networks.
  • Improving the federal government’s investigative and remediation capabilities. The Administration recognizes it is essential that agencies and their IT service providers collect and maintain network and system logs on federal information systems in order to address a cyber incident. The EO seeks recommendations on the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. These recommendations will also be considered by the FAR Council when promulgating rules for removing barriers to sharing threat information.

It is expected the U.S. government will ramp up efforts to strengthen its cybersecurity, and we can expect states to continue to legislate and regulate in this area. All businesses, including federal contractors, likely will experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

As we noted in our last post, there has been a flurry of data privacy and security activity in New York, with the State appearing poised to join California as a leader in this space.  Most recently, on April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would impose on owners of “smart access” buildings obligations related to their collection, use, safeguarding, and retention of tenant data.

Under the TDPA, a “smart access” building is one that uses electronic or computerized technology (e.g., a key fob), radio frequency identification cards, mobile phone applications, biometric information (e.g., fingerprints, voiceprints, hand or face geometry), or other digital technology to grant entry to the building, or to common areas or individual dwelling units therein.  The TDPA would require owners of smart access buildings to develop and maintain policies and procedures to address the following requirements:

  1. Express Consent. Before collecting “reference data” from a tenant for use in connection with the building’s smart access system, the building owner would be required to obtain the tenant’s express consent “in writing or through a mobile application.”  “Reference data” is the data used by the system to verify that the individual seeking access is authorized to enter.  Even after obtaining consent, the owner would only be permitted to collect the minimum amount of data necessary to enable the smart access system to function effectively.
  2. Privacy Policy. Building owners would also need to provide a “plain language” privacy policy to their tenants that includes certain disclosures, including the data elements that the system collects, the third parties with which data is shared, how the data is protected, and how long it will be retained.
  3. Stringent Security Safeguards. Additionally, the TDPA would require building owners to implement robust security measures and safeguards to protect the data of their tenants, guests, and other users of the smart access system.  At a minimum, these security measures would need to include data encryption, a password reset capability (if the system uses a password), and regularly updated firmware to address security vulnerabilities.
  4. Data Destruction. With limited exceptions, building owners would need to destroy any “authentication data” collected through their smart access systems no later than 90 days after collection.  “Authentication data” is the data collected from the user at the point of authentication, excluding any data generated through or collected by a video or camera system used to monitor entrances, but not to grant entry.

The TDPA would impose strict limits on the categories of tenant data that building owners would be permitted to collect, generate, or utilize through their smart access systems.  Specifically, they would only be permitted to collect:

  • the user’s name;
  • the dwelling unit number and that of other doors or common areas to which the user has access;
  • the user’s preferred method of contact;
  • the user’s biometric identifier information (if the smart access system utilizes such information);
  • the identification card number or any identifier associated with the physical hardware used to facilitate building entry (e.g., Bluetooth);
  • passwords, passcodes, usernames and contact information used singly or in conjunction with other reference data to grant the user access;
  • lease information, including move-in and, if available, move-out dates; and
  • the time and method of access (but solely for security purposes).

Building owners would also be prohibited, subject to certain exceptions, from selling, leasing, or otherwise disclosing tenant data to any third parties.  Building owners that wish to engage third-party vendors to operate or facilitate use of their smart access systems would be required to first (a) provide to users the name of the vendor, the intended use of user data by the vendor, and a copy of the vendor’s privacy policy, and (b) obtain the users’ express written authorization to disclose the users’ data to the vendor.

Significantly, the TDPA would also create a private right of action for tenants whose data is unlawfully sold.  Such tenants would be empowered to seek either compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, along with attorneys’ fees.

Unless vetoed by the City’s Mayor, the TDPA will take effect at the end of June 2021, though building owners will be granted a grace period until January 1, 2023, to develop their compliance programs and replace or upgrade their smart access systems.  Building owners should use that time wisely, as the TDPA’s requirements will, in many instances, be a heavy lift.

Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities.  These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers.  Customers will have a private right of action to remedy violations, subject to a 30-day notice and cure period, with damages ranging from $500 to $5,000 per violation, along with attorneys’ fees.

These new requirements, which are set forth in an amendment to Title 22 of the NYC Admin. Code (the “Amendment”), apply to “commercial establishments,” a three-pronged category that includes:

  1. Food and drink establishments: Establishments that give or offer for sale to the public food or beverages for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.
  2. Places of entertainment: Privately or publicly owned and operated entertainment facilities, such as a theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, or other places where attractions, performances, concerts, exhibits, athletic games or contests are held.
  3. Retail stores: Establishments wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.

The Amendment broadly defines “biometric identifier information” as a physiological or biological characteristic used to identify an individual including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.

The Amendment will take effect amidst a flurry of data privacy and security activity in New York.

  • Last year, the New York Department of Financial Services (“DFS”) filed its first enforcement action under New York’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). DFS also announced a $1.5 million settlement with a residential mortgage services provider earlier this year.
  • In another recent development, the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which took effect in March 2020, requires organizations that own or license private information related to New York residents to, among other things, develop, implement, and maintain reasonable safeguards to protect that information, which includes biometric information.
  • Building on the momentum from Reg 500 and the SHIELD Act, several additional privacy bills are currently under consideration:
      • One is the Biometric Privacy Act, which, if enacted, could make New York the next hotbed of class action litigation over biometric privacy.
      • Another is the Tenant Privacy Act, which, among other things, would require owners of “smart access” buildings – i.e., those that use key fobs, mobile apps, biometric identifiers, or other digital technologies to grant access to their buildings – to provide privacy policies to their tenants prior to collecting certain types of data from them, as well as to strictly limit (a) the categories and scope of data that the building owner collects from tenants, (b) how it uses that data (including a prohibition on data sales), and (c) how long it retains the data.
      • Additionally, New York is considering two bills – S567 and A680 – which would grant consumers sweeping privacy rights, comparable to those available under the CCPA in California and the CDPA in Virginia.

Jackson Lewis’ Privacy, Data & Cybersecurity Group has been closely monitoring these fast-moving developments and is available to assist organizations with their compliance and risk mitigation efforts.

As access to COVID-19 vaccines becomes more prevalent, and we begin to conceptualize what a post-pandemic world might look like, many governments are assessing the idea of a COVID-19 vaccine passport framework.  In late March, the European Commission announced its plan for a COVID-19 Digital Green Certificate framework (“the framework”) to facilitate “safe free movement of citizens within the EU during the COVID-19 pandemic”. The Digital Green Certificate provides proof that an individual has either: 1) been vaccinated against COVID-19, 2) received a negative test result or 3) recovered from COVID-19.  But while the benefits to such a plan are clear, there are significant privacy and security issues to consider.

Shortly after the European Commission released the proposal of the framework, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the framework with respect to its personal data protection implications (“the joint opinion”).  The joint opinion addressed the personal data implications of the framework and highlighted, above all, that such a framework must be consistent with, and not conflict with, the application of the General Data Protection Regulation (“GDPR”), and that adequate technical and organizational privacy and security measures should be adopted in the context of the framework.

Below are key recommendations from the joint opinion:

  • Categories of Personal Data. While Annex I of the framework sets out categories and data fields of personal data that would be processed under the framework, the joint opinion emphasizes that the “justification for the need for such data fields” should also be included in the framework, and that “more detailed data fields (sub-categories of data)…under the already defined categories of data should be added”. These revisions will help ensure that the framework is consistent with several GDPR principles, including data minimization (i.e., not processing more than the data necessary to fulfil the purpose for which the data was collected), purpose limitation (personal data shall only be collected for a specified, explicit and legitimate purpose), and impact assessment (the data protection impact assessment that the GDPR requires controllers to conduct before processing personal data would have to be redone if data fields were altered).
  • Adoption of Adequate Technical and Organizational Privacy and Security Measures in the Context of the Proposal. The joint opinion highlights that the framework should explicitly state that controllers and processors of personal data “shall take adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in line with Article 32 GDPR”.  Also included, the joint opinion suggests “the establishment of processes for a regular testing, assessment and evaluation of the effectiveness of the privacy and security measures adopted”, as well as including language in the framework consistent with the GDPR to prevent confusion and ensure relevance.  Finally, the joint opinion notes that adoption of privacy and security measures should be taken both at the time of the determination of the means for processing, as well as by the time of the processing itself.
  • Identification of controllers and processors. The joint opinion recommends that the framework specify “the list of all entities foreseen to be acting as controllers, processors and recipients of the data in that Member State”. Identifying these entities will provide EU citizens with an understanding of “whom they may turn to for the exercise of their data protection rights under the GDPR, including in particular the right to receive transparent information on the ways in which data subject’s rights may be exercised with respect to the processing of personal data”.
  • Transparency and data subject’s rights. The personal data related to the framework is particularly sensitive.  As a result, the joint opinion urges the European Commission to “ensure that the transparency of the processes are clearly outlined for citizens to be able to exercise their data protection rights”.
  • Data storage. The joint opinion notes that, to uphold the GDPR’s storage limitation principle (e.g., storing data no longer than is necessary for the purposes for which it was processed) in the context of the framework, the framework should “explicitly define” the storage period where possible and, if that is not possible, should at least provide the “specific criteria used to determine such storage period”.
  • International data transfers. Finally, the joint opinion recommends “explicitly clarifying whether and when any international transfers of data are expected” as well as including safeguards “to ensure that third countries will only process the personal data exchanged for the purposes specified” within the framework.

The EU is not the only region implementing or considering a vaccine passport program.  Israel’s vaccine passport, the Green Pass, is already up and running (available to the 80% of the adult population that is fully vaccinated), and several private companies are trying to develop globalized vaccine passport programs.  For example, one large tech company’s vaccine passport technology is being tested by the State of New York for some sports venues and arenas.  Likewise, another technology, the Common Pass, if implemented, will help individuals travelling globally to demonstrate their COVID-19 status. It is worth noting, however, that some states are actively banning vaccine passport technology and requirements.  For example, just last week in Florida, Governor Ron DeSantis signed into law legislation prohibiting businesses, schools and government offices from requiring proof of vaccination, with fines of up to $5000. And in general, public support of vaccine passports in the U.S. seems to vary by activity. According to a recent Gallup poll, the majority of Americans support proof of vaccination for travel by airplane and attending events with large crowds. Conversely, Americans are less supportive of proof of vaccination at work, when staying in a hotel, or when dining at a restaurant.

Whatever the program, the privacy and security considerations surrounding the collection of personal data are similar, and become increasingly complicated in the context of a global vaccine program where overlapping, and sometimes conflicting, data privacy and security laws and guidance come into play.   In the U.S. alone, there are numerous laws which may be implicated when vaccine related data is collected from individuals in the public or private setting – such as for employees or customers.  These include the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), state laws, and the CCPA.  In addition to statutory or regulatory mandates, organizations will also need to consider existing contracts or services agreements which may provide for or limit the collection, sharing, storage, or return of data. Moreover, if a vendor were involved in a vaccine passport program, contracts/agreements would need to include confidentiality, data security, and similar provisions. This is most important if the vendor will be maintaining, storing, accessing, or utilizing the information collected about the organization’s employees or customers.

In short, a vaccine passport program may play a crucial role in ensuring a safe and healthy return to normalcy across the globe.  Nevertheless, the legal risks, challenges, and requirements of any such program, whether in a public or private forum, must be considered prior to implementation.