The Illinois Supreme Court recently agreed to hear an appeal of an Appellate Court decision addressing whether an employee’s claim for damages under Illinois’s Biometric Information Privacy Act (“BIPA”) is preempted by the exclusivity provisions of the Illinois Workers’ Compensation Act (“IWCA”). Back in September, the Illinois Appellate Court for the First Judicial District held that employees’ BIPA claims were not preempted under the IWCA and could go forward.

The BIPA requires companies that collect and use biometric information to establish a policy and obtain a written release prior to collecting such data. Under the BIPA, individuals may sue for violations and, if successful, can recover liquidated damages ranging from $1,000 (or actual damages, whichever is greater) for negligent violations to $5,000 for intentional or reckless violations — plus attorneys’ fees and costs.

Over the past few years there has been a significant number of lawsuits under the BIPA, particularly after the Illinois Supreme Court held in 2019, in Rosenbach v. Six Flags, that individuals need not allege actual injury or adverse effect, beyond a violation of their rights under the BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act. A key defense for employers defending BIPA lawsuits has been that the BIPA is preempted by the IWCA.

The plaintiff in the Illinois Supreme Court’s most recent case alleged that their employer violated the BIPA by requiring that employees use a fingerprint time clock system without properly: (1) informing the employees in advance and in writing of the specific purpose and length of time for which their fingerprints were being collected, stored, and used; (2) providing a publicly available retention schedule and guidelines for permanently destroying the scanned fingerprints; and (3) obtaining a written release from the employees prior to the collection of their fingerprints. The employer moved to dismiss the complaint based on several arguments, including the assertion that the plaintiff’s claims would be barred by the exclusivity provisions of the IWCA. The trial court denied the motion to dismiss, but certified for appeal the question of whether the IWCA exclusivity provisions bar a claim for statutory damages under the BIPA.

In September of 2020, the Appellate Court emphasized that the IWCA generally provides the exclusive means by which an employee can recover against an employer for a work-related injury; however, an employee can escape the exclusivity provisions of the IWCA if the employee establishes that the injury: 1) was not accidental, 2) did not arise from their employment, 3) was not received during the course of employment, or 4) was not compensable under the IWCA. Focusing on the fourth exception, the Appellate Court concluded that a BIPA claim limited to statutory damages is not an injury compensable under the IWCA, and thus the plaintiff’s claims qualified under the fourth exception and were not preempted by the IWCA.

The Appellate Court, relying on Rosenbach, highlighted that because actual harm is not required under the BIPA to maintain a statutory damages claim, it does not,

“[f]it within the purview of the Compensation Act, which is a remedial statute designed to provide financial protection for workers that have sustained an actual injury.”

The Illinois Supreme Court has now granted leave to appeal the Appellate Court’s ruling, addressing the issue of whether injuries resulting from BIPA claims fall within the scope of the IWCA. While there is no telling how the Supreme Court will ultimately rule, it certainly leaves open the possibility that the Court’s decision will help rein in the significant number of lawsuits, including putative class actions, filed under the BIPA.

If they have not already done so, companies should immediately take steps to comply with the statute. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual) against the requirements under the BIPA. In the event they find technical or procedural gaps in compliance – such as not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information – they need to quickly remedy those gaps.  For additional information on complying with the BIPA, please see our BIPA FAQs.

In 2018, the California Consumer Privacy Act (“CCPA”), which provides for an expansive array of privacy rights and obligations, was enacted. At the time, it was reasonable to wonder whether California’s bold example would catalyze similar activity in other states. It’s clear now that it has. Virginia recently passed its own robust privacy law, the Consumer Data Protection Act (“CDPA”), and New York, as well as other states, like Florida, appear poised to follow suit. (Building on its own momentum, California passed another privacy law, the California Privacy Rights Act (“CPRA”), last November, which expands the rights and obligations established by the CCPA.)

New York currently has two bills under consideration, S567 and A680, which would dramatically expand the privacy rights afforded to New York data subjects and the compliance burden imposed on the organizations that control or process that data.

S567

S567, which tracks the CCPA in certain respects, would have broad jurisdictional scope.  It would apply to any for-profit organization doing business in New York that collects the personal information of New York residents and either (a) has annual gross revenue exceeding $50M, (b) annually sells the personal information of 100,000 or more state residents or devices, or (c) derives at least 50% of its annual revenue from the sale of residents’ personal information.  Like the CCPA, S567 broadly defines personal information as any “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.”

S567 has been referred to the Senate Consumer Protection Committee. If passed by the Senate, the bill would be sent to the governor and, if signed, would take effect 180 days thereafter.

Key Provisions:

Consumer Rights: S567 would grant consumers, among others, the rights to:

  • “Know” what categories of their personal information an organization has collected, or sold or disclosed to a third party for a business purpose (including the categories of third parties to whom the information was sold or disclosed).
  • “Opt-out” of the sale of their personal information.

Notice: Organizations subject to the law would be required to disclose the above rights, as well as instructions for exercising them, in their online privacy policies.

Non-Discrimination: Subject organizations would also be required to refrain from discriminating against consumers who exercise their rights under the law.

Private Right of Action: S567 would provide a broad private right of action to pursue violations of its privacy provisions. This private right would extend to “any person who becomes aware, based on non-public information, that a person or business has violated” this law. In theory, therefore, potential plaintiffs could include vendors, competitors, and consumer privacy groups. S567 provides for statutory damage awards of the greater of $1,000 per violation or actual damages, as well as up to $3,000 for knowing or willful violations.

A680

A680, meanwhile, would grant certain rights and impose certain obligations that extend beyond even those provided for under the CCPA/CPRA.  For instance, it would require subject organizations to obtain written consent from New York data subjects before using, processing, or transferring to a third party their “personal data,” which the bill broadly defines as “information relating to an identified or identifiable natural person.”

A680 would also make such organizations “data fiduciaries,” meaning that they would owe a “duty of care, loyalty, and confidentiality” to consumers to secure their personal data against “privacy risk” (a term which the bill expansively defines), as well as to “act in the best interests of the consumer” without regard to the organizations’ own interests.

A680 would apply to organizations “that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state,” subject to certain exceptions.

The bill has been referred to the Assembly’s Consumer Affairs and Protection Committee. If passed by the Assembly and Senate, the bill would be sent to the governor for signature and would take effect 180 days after it was signed into law.

Key Provisions:

Consumer Rights: A680 would grant consumers, among others, the rights to:

  • Opt in or out of the processing of their personal data.
  • Request confirmation of whether their personal data is being processed, including whether it is being sold to data brokers.
  • Request access to their personal data.
  • Request the names of the third parties to whom their personal data is sold.
  • Request correction of inaccurate personal data.
  • Request deletion of their personal data.

Notice: Organizations subject to the law would be required to disclose the above rights to consumers and to make other requisite disclosures regarding their processing of personal data.

De-Identified Data: Subject organizations that use de-identified data would be required to “exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject” and to “take appropriate steps to address any breaches of contractual commitments.”

Private Right of Action: In addition to granting enforcement authority to the State AG, A680 would empower consumers to bring suit in their own names for injunctive relief, as well as actual damages and reasonable attorney’s fees.

Takeaway:

Momentum is building in states across the country to enhance consumer data privacy and security protections. Organizations, regardless of their location, must therefore carefully assess their data collection activities, develop policies and procedures to address their evolving compliance obligations and data-related risks, and train their workforce on effective implementation of those policies and procedures.

Jackson Lewis’ Privacy, Data & Cybersecurity Group has been monitoring these fast-moving developments and is available to assist organizations with their compliance and risk mitigation efforts.

The 11th Circuit recently weighed in on the hottest issue in data breach litigation, whether a demonstration of actual harm is required to have standing to sue. Joining several other circuit courts, the 11th Circuit in Tsao v. Captiva MVP Rest. Partners, concluded that the plaintiff had failed to allege either that the data breach placed him in a “substantial risk” of future identity theft or that identity theft was “certainly impending”.

The matter in Tsao stemmed from a data breach at a restaurant chain that the plaintiff frequented. In May of 2017, a hacker exploited the restaurant chain’s point of sale system and gained access to customers’ personal data – their credit and debit card information – through an outside vendor’s remote connection tool. However, due to the nature of the breach, the restaurant chain stated that it was not possible to determine the identity or exact number of credit card numbers or names that were accessed or acquired during the cyber-attack.

Within two weeks of the restaurant chain’s announcement of the breach, plaintiff filed a class action complaint on behalf of himself and other customers potentially impacted by the breach, alleging a variety of injuries due to the data breach, including “theft of their personal financial information,” “unauthorized charges on their debit and credit card accounts,” and “ascertainable losses in the form of the loss of cash back or other benefits.”  The plaintiff asserted that he and the class members “have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

Standing to sue in a data breach class action lawsuit largely turns on whether plaintiffs establish that they have suffered an “injury-in-fact” resulting from the data breach. Plaintiffs in data breach class actions are often not able to demonstrate that they have suffered financial or other actual damages resulting from a breach of their personal information. Instead, plaintiffs will allege that a heightened “risk of future harm” such as identity theft or fraudulent charges is enough to establish an “injury-in-fact”.

Federal circuit courts over the past few years have struggled with the question of whether plaintiffs in a data breach class action can establish standing if they only allege a heightened “risk of future harm”. For example, the 3rd, 6th, 7th, 9th, and D.C. Circuits have generally found standing, while the 1st, 2nd, 4th, 5th, and 8th Circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”. This circuit court split is in large part due to a lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury.

In reaching its decision, the 11th Circuit relied heavily on the 8th Circuit’s analysis of the issue of standing to sue in In re SuperValu, Inc., where the court found no standing based on an “increased risk of future identity theft” theory, even when a named plaintiff alleged actual misuse of personal information. Citing a U.S. Government Accountability Office report on the likelihood of identity theft in the event of a data breach (the “GAO Report”), the 8th Circuit reasoned that the hackers in the data breach at issue were not alleged to have stolen social security numbers, birth dates, or driver’s license numbers, and thus, according to the GAO Report, the risk of identity theft was “little to no[ne].”

Similarly, the 11th Circuit reasoned in Tsao that, based on the GAO Report, since only credit and debit card information had potentially been exposed in the data breach at issue, no “substantial risk” of identity theft existed. Moreover, the 11th Circuit emphasized that the plaintiff offered only vague, conclusory allegations that members of the class had suffered any actual misuse of their personal data—here, “unauthorized charges.”

“Without specific evidence of some misuse of class members’ data, a named plaintiff’s burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was ‘certainly impending’—or that there was a ‘substantial risk’ of such harm—will be difficult to meet,” the 11th Circuit stated.

Finally, the 11th Circuit Court noted that the plaintiff had immediately cancelled his credit cards following disclosure of the breach, “effectively eliminating the risk of credit card fraud in the future.”

Takeaway

The lack of clarity on this issue has made it difficult for businesses to assess the likelihood of litigation and its associated costs in the wake of a data breach.  It is crucial for businesses to assess their breach readiness and develop an incident or breach response plan that takes into consideration the possibility of litigation.

For more on standing in data breach litigation, check out some of our helpful resources:

Employee Snooping: Your Employees' Temptations = Your Liability

As we noted in late January 2020, the spread of infectious disease raises particular concerns for healthcare workers who want to do their jobs and care for their patients, while also protecting themselves and their families. Perhaps the desire to protect one’s self and family is what motivated a California state healthcare worker to access COVID-19-related health records of more than 2,000 current and former patients and employees over a ten-month period.

Regardless, this data breach should be a reminder for all organizations that (i) compromises to personal information of whatever kind are not only caused by criminal hackers, and (ii) considering all the personal health information being collected by organizations in connection with COVID-19 screening, testing, and vaccination programs, this is not a problem limited to health care employers.

In the healthcare sector, as with prior contagious disease outbreaks, fears about contracting the virus could lead to impermissible “snooping” and sharing of information by healthcare employees. According to a press release and published FAQs, an employee of Atascadero State Hospital with access to the hospital’s data servers as part of the employee’s information technology job duties improperly accessed the names, COVID-19 test results, and health information necessary for tracking COVID-19 of approximately 1,415 current and former patients and 617 employees. The hospital discovered the breach on February 25, 2021, and, evidently, the employee’s improper access had been ongoing for 10 months.

Of course, HIPAA covered entities and business associates should be taking steps to address this risk. Such steps include, for example, continually reminding workforce members about access rights and the minimum necessary rule, which are required under HIPAA’s privacy and security regulations. At times, unauthorized access may be difficult to identify, particularly where employees have a need for broad access to information. In the case noted above, the breach was discovered as part of the hospital’s annual review of employee access to data files. Reviewing system activity generally is a good idea for all organizations, taking into account relevant threats and vulnerabilities to shape frequency, scope, and methodology.

The Office for Civil Rights has issued bulletins addressing HIPAA privacy in emergency situations, such as one in November 2014, during the Ebola outbreak, and one in February 2020 for the coronavirus. These bulletins provide good resources and reminders for health care providers when working in this environment.  They also convey helpful considerations for all organizations handling sensitive personal health information.

During the past 12 months, organizations have collected directly or through third party vendors massive amounts of data about employees. Examples include data collected during daily temperature and symptom screenings, COVID-19 test results for contact tracing purposes, and now vaccination status. Some organizations have used thermal imaging cameras that leverage facial recognition technology to screen, while others have rolled out newly developed devices and apps to manage social distancing and facilitate contact tracing efforts. We now are seeing systems being rolled-out to track and incentivize vaccinations. All of these activities involve the collection and storage of personal information at some level.

Organizations, whether covered by HIPAA or not, engaged in these activities should be thinking about how this information is being safeguarded. This includes assessing the safeguards implemented by third party vendors supporting the systems, devices, and activities. Again, these efforts should not be focused only on systems designed to prevent hackers from getting in, but also on what can be done internally to prevent unauthorized access, uses, and disclosures of such information by insiders, including employees.

Here we go again! On March 15th, 2021, the California Department of Justice (“Department”) announced approval of modifications to the California Consumer Privacy Act’s (CCPA) regulations, originally introduced in December of 2020.  The new regulations mainly modify provisions related to a consumer’s right to opt out of sale of their personal information, with the aim of “protecting consumers from unlawful business practices that may be deceptive or misleading”.  The changes to the regulations are effective immediately.

“California is at the cutting edge of online privacy protection, and this newest approval by OAL clears even more hurdles in empowering consumers to exercise their rights under the California Consumer Privacy Act,” said Attorney General Becerra in the press release announcing the latest modifications to the CCPA regulations. “These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights.”

Right to Opt-Out Modifications

  • Ban on Dark Patterns that Delay or Obscure Opt-Outs. The newly approved regulations prohibit what AG Becerra references as “dark patterns” that cause ambiguity in the process of a consumer’s opting out of the sale of their personal information. The regulations provide five examples of prohibited practices related to opt-out methods, including confusing language such as “double negatives” or unnecessary steps such as requiring consumers to click through multiple screens before opting out. A business’s methods for submitting requests to opt-out must be easy for consumers to execute and require minimal steps to allow the consumer to opt-out.
  • Offline Opt-Out Methods. A business that sells personal information that it collects in the course of interacting with consumers offline shall also inform consumers by an offline method of their right to opt-out and provide instructions on how to submit a request to opt-out. For example, a brick-and-mortar store may inform consumers via paper forms or by posting signage in the area where personal information is collected, directing consumers to where opt-out information can be found online.
  • Privacy Icon. In addition, the latest regulations also provide covered businesses with an optional privacy options icon, which can be used in addition to posting the notice of right to opt out, but not in lieu of any related requirements. The icon should be approximately the same size as any other icon used by the business on its webpage. The icon was developed by Carnegie Mellon University’s CyLab jointly with the University of Michigan’s School of Information by testing the icon against other icons to determine the most effective design for communicating to consumers their right to opt out. The icon is available for download here.

Authorized Agent

The latest regulations also address the use of an authorized agent. When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. Previously, this requirement was placed on the consumer.

That said, a business may still require a consumer to verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request.

Takeaway

AG Becerra’s press release reminds companies that enforcement of the law is alive and well, but that the Department has been pleased to see widespread compliance by companies doing business in California, particularly in response to “notice to cure”, which provides companies a 30-day window to remedy their noncompliance. Companies should continue to monitor CCPA developments and ensure their privacy programs and procedures remain aligned with current compliance requirements.

On Tuesday, March 2nd, Virginia Governor Ralph Northam signed into law the Consumer Data Protection Act (CDPA), officially joining California as the second state with a comprehensive consumer privacy law, intended to enhance privacy rights and consumer protection for state residents. We provide an in-depth analysis of the CDPA here, along with legislative activity in several other states, including Florida, where similar bills seem likely to pass. The CDPA will take effect January 1, 2023, the same day as the California Privacy Rights Act (CPRA), which expanded the protections provided by the California Consumer Privacy Act (CCPA) and was approved by California voters under Proposition 24 in the November election.

Originally introducing the CDPA in the Virginia Senate, State Senator David Marsden highlighted,

It is time that we find a meaningful way of protecting the citizens of the Commonwealth of Virginia’s data .… Virginia is in a unique position to be a leader on this issue. There’s a huge amount of the data on the internet that flows through the commonwealth. Privacy is not a new issue.

Unsurprisingly, Virginia’s CDPA was modeled on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). Key features of the CDPA include expansive consumer privacy rights (right to access, right of rectification, right to delete, right to opt out, right of portability, right against automated decision making), a broad definition of “personal information”, the inclusion of a “sensitive data” category, and data protection assessment obligations for data controllers.

Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. As the International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” Since the start of 2021, at least 10 states have already introduced consumer privacy bills similar in kind to Virginia’s CDPA and the CCPA. And while some bills will likely fail to become law, this legislative activity is an indication of the priority states are placing on privacy and security matters as we move into 2021.

For more information on common features in the consumer privacy law landscape that should be considered when examining the effects of such laws on an organization, review our post on that topic. State consumer privacy legislative activity is only ramping up, and organizations across all jurisdictions need to be prepared.

The U.S. Food and Drug Administration (FDA) named University of Michigan Associate Professor Kevin Fu Acting Director of Medical Device Security in its Center for Devices and Radiological Health. This is a newly created 12-month post in which Fu will “work to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.” Fu stated that his primary activities will include

  • Envisioning a strategic roadmap for the future state of medical device cybersecurity.
  • Assessing opportunities to fully integrate cybersecurity principles through the lens of the center’s total product life cycle model.
  • Training and mentoring CDRH staff for premarket and postmarket technical review of medical device cybersecurity.
  • Engaging multiple stakeholders across the medical device and cybersecurity ecosystems.
  • Fostering medtech cybersecurity collaborations across the federal government, including the National Institute of Standards and Technology, National Science Foundation, National Security Agency, Department of Health and Human Services, National Telecommunications and Information Administration, Cybersecurity and Infrastructure Security Agency, Department of Veterans Affairs, Department of Defense, Federal Trade Commission and others.

Fu also noted that “the FDA is working closely with federal partners — HHS and CISA — on sector incident and emergency response. The FDA’s 2021 efforts for the cybersecurity focal point program will further increase the review consistency of premarket submissions.”

The creation of this new post is the latest in the FDA’s ongoing efforts to promote cybersecurity in medical devices. As we previously reported, the FDA has published draft guidance for medical device manufacturers outlining steps that can be taken in the premarket process to better protect medical devices from cybersecurity threats. We expect this focus to continue especially as we see a rise in ransomware attacks and other hacking activity.

The FDA’s increasing focus on cybersecurity is yet another reason relevant employers and medical device manufacturers should continue to assess and address potential data security risks.

On January 13, House Delegate Sara Love introduced the “Biometric Identifiers and Biometric Information Privacy Act” (the “Act”), substantially modeled after the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (the “BIPA”). Enacted in 2008, the Illinois BIPA only recently triggered an avalanche of class actions in Illinois, spurring other legislative activity, including in New York. If enacted, Maryland’s Act would become effective January 1, 2022.

Just like the BIPA and the proposed law in the Empire State, the Act would establish rules for “private entities” possessing “biometric identifiers” and “biometric information” of a person, such as:

  • Development of a publicly available policy establishing retention and destruction guidelines,
  • Mandated reasonable safeguards relating to the storage, transmission, and disclosure of such information in a manner at least as protective as for “confidential and sensitive information,” such as social security numbers and account numbers,
  • Prohibiting private entities from profiting from the information, and
  • Limited right to disclose without consent.

Unlike the BIPA, the Maryland bill would clarify that the policy need not be publicly available when it applies only to employees and is used only for internal operations.

Most importantly, the Act also would create a private right of action for persons “aggrieved” by violations of the Act, using language similar to the BIPA, permitting persons to recover the greater of (i) statutory damages of at least $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, and (ii) actual damages.

We know the Illinois Supreme Court decided that, in general, persons bringing suit under the BIPA do not need to allege actual injury or adverse effect, beyond a violation of their rights under the BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the BIPA. See Rosenbach v. Six Flags Entertainment Corp.

As with the proposed BPA in New York, Maryland’s Act is not yet the law. However, if enacted, private entities covered by the Act should promptly take steps to comply. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric identifiers or biometric information against the requirements under the Act. Biometric identifiers under the Act include data of an individual generated by automatic measurements of that individual’s biological characteristics such as fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual’s identity. In this respect, the Act would be broader than the BIPA – in Illinois, a biometric identifier is limited to a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. There are, however, exclusions from biometric identifiers under the Act, such as writing samples, photographs, demographic data, physical descriptions (such as height and weight), and protected health information covered by HIPAA.

In the event private entities find technical or procedural gaps in compliance – such as not having a retention and destruction policy concerning such information or obtaining consent to provide biometric information to a third party – they should quickly remedy those gaps.

It is unclear whether courts in Maryland will interpret the availability of remedies under the Act, if enacted, the same as the Illinois Supreme Court in Rosenbach. However, if they do, the duties imposed on private entities subject to the law regarding the possession, retention, disclosure, safeguarding, and destruction of a person’s biometric identifiers or biometric information will define the statutory rights of persons protected by the law. Accordingly, when a private entity fails to comply with one of the Act’s requirements, that violation could constitute an invasion, impairment, or denial of a right under the Act resulting in the person being “aggrieved” and entitled to seek recovery.

Virginia may be the first state to follow California’s lead on consumer privacy legislation, but it certainly will not be the last. The International Association of Privacy Professionals (IAPP) observed, “State-Level momentum for comprehensive privacy bills is at an all-time high.” The IAPP maintains a map of state consumer privacy legislative activity, with in-depth analysis comparing key provisions. We discuss the Virginia legislation here, along with legislative activity in several other states where bills seem likely to pass. It was California that enacted the first data breach notification law, which became effective in 2003. In about 15 years’ time, all U.S. states had such a law, as did many jurisdictions around the world.

Whether it is the pending Virginia Consumer Data Protection Act (VCDPA), the California Consumer Privacy Act (CCPA), or a similar framework, there are several features that should be considered when examining the effects of such laws on an organization:

  • Does the law apply? Neither the CCPA nor the VCDPA applies to all organizations doing business in the state. But they may apply more broadly than initially assumed, including to organizations without locations in the particular state. Also, some entities that control or are controlled by covered businesses could become subject to one of these laws even if such entities would not otherwise fall into the law’s scope. Finally, data privacy and security laws increasingly reach third-party service providers to covered organizations, either directly or indirectly through contracts that covered organizations must put in place.
  • Are we exempt? Perhaps just as important as whether an organization is covered by one of these laws is the question of whether an exemption applies. It is important to know that while an organization may not be exempt as a whole, certain classifications of data it maintains may be. For example, under the CCPA, “protected health information” covered by the Health Insurance Portability and Accountability Act (HIPAA) is generally exempt from the law. Of course, that information comes with its own compliance obligations!
  • What is Personal Information? Assuming an organization is covered by the law, the next question it may want to ask is what data is covered. As we have discussed, there are various definitions and understandings of personal information. Similar to the CCPA and the General Data Protection Regulation (GDPR), the VCDPA would define personal data broadly to include “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Again, this broad definition should be read together with potential exemptions to obtain a firm understanding of the information within the scope of the law’s protections. In some cases, such as under the GDPR and the amendment to the CCPA, the California Privacy Rights Act, there is a subset of personal information that comes with even more protections. Often referred to as “sensitive personal information,” this category can include personally identifiable information such as racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, and geolocation data. Of course, covered organizations with these categories of data would need to understand those additional requirements.
  • Who is protected? It is not enough to know what kind of information is “personal information”; covered organizations also need to know whose personal information is protected under the law. Several of these laws protect “consumers,” defined generally as natural persons who reside in the jurisdiction. Basing the analysis solely on the word “consumer” and assuming that it does not include employees, students, website visitors, etc. might be a mistake. Some frameworks have specific exclusions for these and other categories; others do not.
  • What rights do protected persons have? Ostensibly, a key purpose for this kind of privacy legislation is to empower individuals with respect to their personal information. That is, to give them more access to and control over their data that is collected, used, disclosed, maintained, and sold. To effectively comply with these measures, covered organizations need to understand the kinds of rights granted. These rights can include:
    • The right to know what personal information is collected and processed, why, and to access such personal information
    • The right to correct inaccuracies in the personal information
    • The right to delete personal information
    • The right to limit processing of personal information
    • The right to opt out of the processing or sale of personal information
  • Can my organization be sued for violations of the law? It is important to understand the consequences of failing to comply with any law. The flood of litigation under the Illinois Biometric Information Privacy Act (BIPA) which permits substantial recovery for failing to comply with notice and other requirements, even without a showing of actual harm, confirms the importance of examining this issue. Several of these privacy frameworks, including the CCPA and legislation supported by Governor DeSantis in Florida, include a private right of action in connection with data breaches.
  • How will the law be enforced? Related to the question of whether consumers can sue for violations is how the law will be enforced, what the potential penalties are, and how they are measured. In most cases, enforcement rests with the state’s Attorney General’s office. Often, the law requires that covered organizations be provided written notice of any violation and a period of time to cure the violation. Compliance can be challenging, so covered organizations should be aware of a law’s enforcement scheme so that, in cases where their compliance efforts may not be perfect, they have a plan in place for quickly acting on such notices and curing any violations.

Answering these questions is certainly not the end of the analysis. For example, if covered, there are a whole host of additional questions organizations need to ask in order to evaluate compliance needs, allocate resources, identify affected business units, weigh risk management objectives, manage vendor compliance, and implement new policies and procedures, as needed. However, these questions can help to sharpen the big picture on the effect one or more of these privacy laws may have on your organization.


The California Privacy Rights Act (CPRA), passed in November 2020, added to the California Consumer Privacy Act (CCPA) an express obligation for covered businesses to adopt reasonable security safeguards to protect personal information. The CPRA also clarified the CCPA’s private right of action for consumers whose personal information is breached due to a failure to implement such safeguards. But remember, reasonable security safeguards are already required under California law, and that requirement is not limited to businesses subject to the CCPA/CPRA.

The CPRA adds subsection (e) to Cal. Civ. Code 1798.100, as follows:

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

California Civil Code section 1798.81.5 requires a business that:

owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Unlike the CCPA/CPRA, section 1798.81.5 defines “business” more broadly to include “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit.” Thus, even if the CCPA, as amended by the CPRA, does not apply to your business, California law still may require the business to have reasonable security safeguards.

The meaning of “reasonable safeguards” is not entirely clear in California. One place to look, however, is the California Data Breach Report that former California Attorney General (now Vice President) Kamala D. Harris issued in February 2016. According to that report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.

So, although the CPRA generally becomes operative on January 1, 2023, California businesses might look to the 20 CIS controls at least as a starting point for securing personal information. With regard to which personal information to secure to minimize exposure under the CCPA/CPRA’s private right of action, the law is a bit clearer.

The CCPA extended the private right of action for data breaches only to personal information “defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5”:

(A) An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

The CPRA added to this list a consumer’s “email address in combination with a password or security question and answer that would permit access to the account.”

In the event a CCPA-covered business experiences a data breach involving personal information, the CCPA authorizes a private cause of action against the business if a failure to implement reasonable security safeguards caused the breach. If successful, a plaintiff can seek to recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. This means that plaintiffs generally do not have to show actual harm to recover. In case you were wondering, CCPA data breach litigation has already commenced.

To bring such an action under the CCPA, a consumer must provide the business 30 days’ written notice specifying the violation and giving the business an opportunity to cure. If cured under the CCPA, no action may be initiated against the business for statutory damages. However, the CPRA clarifies that businesses cannot cure a failure to have reasonable safeguards before the breach:

implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.

The CPRA also calls for additional regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security, to (i) perform a cybersecurity audit on an annual basis, and (ii) submit to the California Privacy Protection Agency on a regular basis a risk assessment concerning the processing of personal information.

There is more to come following the passage of the CPRA, and businesses should be monitoring CCPA/CPRA developments. However, it is critical to ensure reasonable security safeguards are in place to protect personal information.