In a much-anticipated Supreme Court decision, Barr v. American Association of Political Consultants, sure to impact the future of the Telephone Consumer Protection Act (“TCPA”), the Court addressed the issue of whether the government-debt exception to the TCPA’s automated-call restriction violates the First Amendment, and whether the proper remedy for any constitutional violation is to sever the exception from the remainder of the statute.

The Supreme Court concluded that Congress impermissibly favored government-debt collection speech over political and other speech, in violation of the First Amendment, and thus must invalidate the government-debt collection exception of the TCPA, and sever it from the remainder of the statute. Despite concerns that the Court would address the constitutionality of the TCPA in its entirety, the Court left untouched the TCPA’s general restriction on calls made with an “automatic telephone dialing system” (“ATDS”).

Applying traditional severability principles, seven Members of the Court conclude that the entire 1991 robocall restriction should not be invalidated, but rather that the 2015 government-debt exception must be invalidated and severed from the remainder of the statute. . . . As a result, plaintiffs still may not make political robocalls to cell phones, but their speech is now treated equally with debt-collection speech.

Addressing the decision to leave the remainder of the TCPA intact, the Court highlighted the “normal rule,” introduced in Free Enterprise Fund v. Public Company Accounting Oversight Bd., where the Court concluded that, “Generally speaking, when confronting a constitutional flaw in a statute, we try to limit the solution to the problem, severing any problematic portions while leaving the remainder intact.”

This is not the first time, of late, that the Supreme Court has been petitioned to address the constitutionality of the TCPA. Back in October of 2019, the Court was petitioned to review the following issues: 1) whether the TCPA’s prohibition on calls made by ATDS is an unconstitutional restriction of speech, and if so whether the proper remedy is to broaden the prohibition to abridge more speech, and 2) whether the definition of “ATDS” in the TCPA encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Court has still not announced whether it will accept this petition.

While the impact of the Supreme Court’s decision on the TCPA is limited, given that only the government-debt exception was severed, it still provides greater certainty and clarity for organizations facing TCPA litigation. Organizations are advised to review and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance.

With the California Consumer Privacy Act (CCPA) now in effect (January 1, 2020) and enforceable by California’s Attorney General (“AG”) (July 1, 2020), the AG has published Frequently Asked Questions (FAQs). Designed to aid consumers in exercising their rights under the CCPA, the FAQs also contain helpful reminders for businesses and service providers regarding their obligations under the law.

The FAQs cover several main topics for consumers: general information, “Do Not Sell” requests, “Right to Know” requests, required notices, “Right to Delete” requests, right to nondiscrimination, and information about data brokers. As noted, FAQ responses include information businesses and service providers may want to review.

For example, businesses still not sure if they are covered by the CCPA can review Question 5 under General Information, “What businesses does the CCPA apply to?”:

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

    • Have a gross annual revenue of over $25 million;
    • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
    • Derive 50% or more of their annual revenue from selling California residents’ personal information.

There is more to this analysis, but the response provides a good starting point. One question many businesses have is whether the $25 million gross annual revenue threshold refers only to revenue generated in California. The AG did not answer this question in the regulations or these FAQs, and the statute itself is silent. However, the AG’s responses to comments submitted concerning the regulations can be instructive:

Civil Code § 1798.140(c)(1)(A) does not limit the revenue threshold to revenue generated in California or from California residents. Any proposed change to limit the threshold to revenue generated only in California or from California residents would be inconsistent with the CCPA.

The FAQs help to confirm the role of service providers and explain to consumers why a business might refuse to act on a consumer’s request, such as a request to exercise the right to delete. In that case, under Question 6 of Requests to Delete Personal Information, the AG explains that “service providers” do not have the same obligations under the CCPA that “businesses” do. Requests must be submitted to the business, not its service providers. Of course, a business may require service providers to act on approved and verified requests the business receives from its consumers, such as requests to delete consumer personal information.

The FAQs also inform consumers about what to do if they think a business violated the CCPA. Notably, Question 7 of the General Information section makes clear that consumers “cannot sue businesses for most CCPA violations.” In most cases, only the Attorney General can file an action against a business. The FAQ goes on to explain:

Consumers can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it. If this happens, you can sue for the amount of monetary damages you actually suffered from the breach or “statutory damages” of up to $750 per incident. If you want to sue for statutory damages, you must give the business written notice of which CCPA sections it violated and give it 30 days to give you a written statement that it has cured the violations in your notice and that no further violations will occur. You cannot sue for statutory damages for a CCPA violation if the business is able to cure the violation and gives you its written statement that it has done so, unless the business continues to violate the CCPA contrary to its statement.

In addition to maintaining “reasonable safeguards,” businesses need to be prepared, following a breach of nonencrypted and nonredacted personal information, to promptly respond to written statements from consumers concerning alleged violations.

Consumers, businesses, and service providers are encouraged to review the FAQs. As the AG notes, the FAQs “are not legal advice, regulatory guidance, or an opinion of the Attorney General.” So, while the FAQs can provide helpful general explanations of certain CCPA requirements, businesses and service providers, in particular, will want to obtain a more complete understanding of the statute and regulations with experienced counsel.

A little more than one year ago, we reported on a settlement (Cassell et al. v. Vanderbilt University, et al.) involving the alleged wrongful use of personal information belonging to retirement plan participants, claimed to be “plan assets.” This year, similar claims have been made against Shell Oil Company in connection with its 401(k) plan. Retirement plan sponsors may begin seeing more of these claims and they might consider some strategies to head them off.

The essence of the allegations is that employers breach their fiduciary duties of loyalty and prudence when they permit plan service providers to profit from the use of plan assets – sensitive personal information of plan participants – for non-plan purposes. Citing several “cross-selling” activities of plan advisors and other service providers, the Shell plaintiffs claim downstream sales opportunities working with retirement plans are more plentiful through better access to plan participant data, and without the need to engage in “cold-calling.”

The Employee Retirement Income Security Act (“ERISA”) is the primary federal statute regulating employee benefit plans, including retirement plans. Currently, there are no express provisions in ERISA that prohibit the use of plan participant data for any particular purpose. However, as in the Vanderbilt case, the Shell plaintiffs rely on ERISA’s long-standing fiduciary duty provisions to support their claims concerning plan data:

  • ERISA’s fiduciary duty provisions require plan fiduciaries to discharge their duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries. 29 U.S. Code § 1104.
  • ERISA also prohibits plan fiduciaries from engaging in certain prohibited transactions, including transactions between the plan and a party in interest which the fiduciary knows constitutes a direct or indirect transfer to, or use by or for the benefit of a party in interest, of any assets of the plan. 29 U.S.C. § 1106(a)(1).

For example, in Count IV of the complaint, the Shell plaintiffs alleged fiduciary duties under § 1104(a)(1) include:

restricting its use of Confidential Plan Participant Data solely to carrying out its Plan recordkeeping role, not using the data for nonplan purposes

Recordkeeping, investment of contributions, and other tasks associated with retirement plan administration require access to large amounts of personal information, usually in electronic format. The risks involving such information are not limited to data breaches. As the Vanderbilt and Shell cases indicate, plan participants have become increasingly aware of the vulnerabilities associated with handling their data, as well as how their data are being used by plan vendors. The California Consumer Privacy Act (CCPA) and similar laws emerging in other states may increase this awareness. At least for the time being, employees of CCPA-covered entities are entitled to a “notice at collection” that must outline the categories of personal information collected and the purpose(s) for which that information is used. Regardless of whether ERISA preempts the CCPA, increased communication about privacy of personal information may cause participants to be more sensitive to the collection and use of their information.

There are some measures plan sponsors can take to minimize the risk of these kinds of claims.

  • Consider relationships with plan service providers more carefully and earlier in the process. ERISA requires plan fiduciaries to “obtain and carefully consider” the services to be provided by plan service providers before engaging the provider. Whether that duty extends to assessing the provider’s data privacy and security practices is not clear. Nonetheless, during the procurement process, consider basic questions such as: Who has access to participants’ data? How much (and what) data does the provider have access to, and what are they doing with that data? Is the service provider sharing data with other third parties?
  • Limit by contract the ability of plan service providers to use plan participant data to market or sell to participants products unrelated to the retirement plan, unless the participants initiate or consent.

Of course, depending on the bargaining power of the sponsor, it may not be able to convince a vendor to agree to use participant data solely for plan administration purposes. However, sponsors should be sure their process includes these and other factors when making selections and when evaluating the performance of their service providers.

North Dakota’s State Board of Higher Education recently implemented the Student Data Privacy and Security Bill of Rights (the “Policy”). The Policy, which went into effect on May 29, 2020, was created by the North Dakota Student Association to facilitate students’ access to their Personally Identifiable Information (“PII”), and to regulate the North Dakota University System and its institutions’ collection and use of PII.

Key Provisions Under The Policy

The Policy outlines students’ right to know the types of PII collected by the North Dakota University System and its institutions (“NDUS”), including how the data is used and stored. Under the Policy, NDUS must, to the extent possible, make information available concerning the types of PII provided to NDUS vendors and contractors.

Use of PII

NDUS is prohibited from selling, releasing, or disclosing “non-directory” information for commercial or advertisement purposes. Directory information constitutes public record. While NDUS may use student PII for assessments and research related to accreditation, accountability, and policy implementation, NDUS may not subject students to punitive consequences as a result of the findings from such use.

Third-Party Providers and Vendors

NDUS must responsibly engage with third-party providers of educational services and vendors to ensure that student PII disclosed to these third parties is protected by the applicable industry standards. Generally, NDUS may not require students to disclose their PII to third-party service providers as a course requirement.

Record Review and Student Remedies

Students have the right to inspect, review, and challenge the accuracy and completeness of their academic record through a written request based on the NDUS institution’s request process. NDUS may limit the means of access to the educational record to ensure proper security of the record. These provisions are also afforded to students under the Federal Education Rights and Privacy Act (“FERPA”). NDUS is also required to comply with FERPA, which includes adhering to student requests to prevent disclosure of certain PII as “directory information”.

Students have the right to file complaints about violations under the Policy or other possible breaches of student data through an institutional grievance process.

Trends In State Student Privacy Laws

North Dakota follows the growing nationwide trend towards stronger state privacy laws related to student information. Since 2013, 40 states and Washington D.C. have enacted legislation specific to student privacy issues. Most states, including New York and Vermont, have regulated student privacy issues only for K-12. North Dakota joins the few states that regulate the use of student PII in higher education. As K-12 and higher education institutions continue to increase their use of educational technology services to facilitate classroom instruction, the need to strengthen student privacy laws, specifically as to higher education, will also continue to increase. In light of recent large-scale data breaches, educational institutions should continue to assess and enhance their data breach prevention and response procedures.

On January 1, 2020, the California Consumer Privacy Act (CCPA) took effect. The CCPA is largely considered the most expansive U.S. privacy law to date, and there has been much anticipation over the impact the law will have on the privacy litigation landscape. Although the California Attorney General’s (“AG”) enforcement authority only begins on July 1, this has not stopped plaintiffs from already pursuing CCPA litigation in light of the January 1 effective date.

The CCPA authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach. The definition of personal information for this purpose is much narrower than the general definition of personal information under the CCPA. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. This means that plaintiffs in these lawsuits likely do not have to show actual harm or injury to recover.

As of today, there have been approximately 25 CCPA-related claims filed in state and federal court. Thus far, there are three common types of CCPA-related litigation:

  • Reasonable Security Safeguards. Unsurprisingly, given the limited nature of the CCPA’s private cause of action, most claims to date have been on the basis of an alleged failure to implement reasonable security safeguards resulting in a data breach. For example, in February a putative class action was filed in the Northern District of California, San Francisco Division, against a supermarket and its e-commerce platform provider, alleging negligence and a failure to maintain reasonable safeguards, among other things, leading to a data breach. The complaint specifically seeks recovery under the CCPA – Civ. Code § 1798.100, et seq. It is worth noting that several complaints on the basis of an alleged failure to implement reasonable security safeguards were filed in light of the increase in videoconferencing platform usage in response to COVID-19. In addition, at least one complaint is based on a data breach that occurred before January. And yet another claim (the first CCPA case filed in federal court) was brought by a non-California resident. While many of these cases may face viability issues moving forward, they indicate the eagerness of plaintiffs and their counsel to pursue relief under the CCPA, and the likely uptick in CCPA litigation in the coming years.
  • Consumer Rights. The CCPA does not provide consumers with a private cause of action if their rights (e.g., right to notice, right to delete, right to opt out) under the statute are violated. This, however, has not stopped plaintiffs from filing claims on the basis that their rights under the CCPA have been violated. For example, in one case, the plaintiff alleged that the defendant violated the CCPA by failing to provide consumers notice of their right to opt out of the sale of their personal information to a third party, and by failing to provide notice of its collection and use of personal information practices.
  • CCPA References. In several cases, although the plaintiff is not seeking relief on the basis of a CCPA violation, the CCPA is still mentioned in connection with a different violation. For example, in a case against a videoconference provider, the CCPA is mentioned in a claim regarding a violation of the Cal. Bus. Code – Unfair Competition Law, highlighting that the defendant failed to provide accurate disclosures to users on its data sharing practices and failed to implement reasonable security measures, but the complaint never explicitly alleged that the defendant violated the CCPA.

CCPA litigation is only ramping up, and organizations need to be prepared. As data breaches continue to plague businesses across the country, including those subject to the CCPA, ensuring reasonable safeguards are in place may be the best defense. To learn more about the CCPA’s obligations and how to implement policies and procedures to ensure compliance, check out Jackson Lewis’s CCPA FAQs for Covered Businesses. For more information on what businesses can be doing to ensure they have reasonable safeguards to protect personal information, review our post on that topic.

As we recently reported, the privacy-right activist group that sponsored the California Consumer Privacy Act (“CCPA”) – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The CPRA has now qualified for the November 3, 2020 ballot, gathering more than the 600,000 valid signatures required, according to the memorandum circulated by the California Secretary of State. If California voters approve the initiative in November, the CPRA would significantly expand the rights of Californians under the current CCPA starting on January 1, 2023, with certain provisions going into effect immediately.

What are some of the key provisions of the CPRA?

  • Establish the California Privacy Protection Agency (“CPPA”): The CPRA would establish the first agency of its kind in the United States. The Agency will be governed by a five-member board, including the Chair, and will have full administrative power, authority and jurisdiction to implement and enforce the CCPA, instead of the California Attorney General.
  • “Sensitive Personal Information” vs. “Personal Information”: The CPRA defines “sensitive personal information” more strictly than personal information. The definition is broad, but it includes government-issued identifiers (e.g., SSN, driver’s license, passport), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages (e.g., mail, e-mail, text), genetic data, biometric information, and others.

The CPRA creates new obligations for companies and organizations processing sensitive personal information. It would also allow consumers to limit the use and disclosure of their sensitive personal information.

  • Additional Consumer Rights: In addition to the rights under the CCPA, consumers will have additional rights under the CPRA, including: a) the right to correct personal information, b) the right to know the length of data retention, c) the right to opt out of advertisers using precise geolocation, and d) the right to restrict usage of sensitive personal information.
  • Employee Data: Expanded Moratorium until January 1, 2023: In general, most of the provisions of the CCPA do not cover employee data until at least January 1, 2021. The CPRA would extend that moratorium until at least January 1, 2023.
  • Expanded Breach Liability: In addition to the CCPA’s private right of action for breaches of nonencrypted, nonredacted personal information, the CPRA would expand that to the unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.

The CCPA has not even celebrated its anniversary nor started its enforcement (July 1, 2020), and companies doing business in California will soon have to grapple with the nuances brought by the CPRA. Jackson Lewis will continue to monitor any developments with the CPRA as it marches to the ballot come November 2020.

As many have learned over the last several years, ransomware is a type of malware that denies affected users access to critical data by encrypting it. Attackers profit handsomely by requiring victims to pay substantial sums, typically tendered in a cryptocurrency such as Bitcoin. A look at some of the numbers over the past two years is troubling. And, perhaps even more troubling, as in all “industries,” products evolve and there are new entrants to the marketplace.

MAZE and Sodinokibi

A comprehensive report by Coveware analyzing ransomware developments during the first quarter of 2020 highlights several interesting trends. In addition to calling attention to the uptick following the coronavirus COVID-19 outbreak, the report explains the rise in average ransom payments and the most common attack types and vectors. It also points to a disturbing new trend – data exfiltration.

For some time, the general view of ransomware has been that attackers encrypt their victims’ systems and files believing that many will be without good backups, increasing pressure to pay the ransom in order to recover critical business information, despite the risks that come with such transactions. That view is shifting. According to the Coveware report, and what we are seeing in our own experience:

Data exfiltration, where data is downloaded from victim computers and is threatened to be released publicly, became a prevalent tactic during ransomware attacks in [the first quarter of 2020]. This was a big change from the previous quarter where it was virtually non-existent.

Two popular variants driving this new trend in ransomware attacks are MAZE and Sodinokibi. Tactics include auctioning off stolen data and/or publicly shaming victims into paying the ransom. (This KrebsOnSecurity post includes a snapshot showing such an auction on the dark web by the REvil ransomware group.) The expectation is that these kinds of attacks will continue.

“WASTED”

As part of managing the data breach response services we provide to our clients around the country, we maintain relationships with forensic experts, such as Arete Advisors, LLC. These experts work with us to support our clients’ incident response needs, while tracking emerging threats. Arete recently reported on a new variant, “WASTED,” that appears to have certain features to be aware of:

  • Ransom demands have been nonnegotiable, and have been in the range of 40 BTC to 1,000 BTC. As of this writing, that means from approximately $360,000 to over $900,000, and the attackers threaten to increase the ransom every 24 hours.
  • The attackers sometimes enter through VPN with compromised credentials. As Arete suggests, using multifactor authentication on VPN connections can help prevent these and other attacks.
  • Ransomware payloads are customized to the victim’s environment. The file extension will have 3 characters that represent the victim’s company name along with a reference to the variant, e.g., “abcwasted.”
  • The attackers can be slow to respond, 12+ hours in some cases.

Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends. There also are several steps organizations can take to minimize the chance and impact of a successful attack.

In late-March and April 2020, the Equal Employment Opportunity Commission (EEOC) released guidance addressing various questions with answers concerning COVID-19 and related workplace disability-related issues under the Americans with Disabilities Act (ADA). Recently, on June 17th, the EEOC updated its guidance to include a new question regarding antibody testing.

Most of the questions concern general employee rights and privacy and employer obligations during the current state of the COVID-19 pandemic. A few of the questions relate to the anticipated gradual return to the office of employees temporarily working remotely due to the pandemic as the crisis subsides.

The EEOC’s April update, inter alia, included a determination that employers can administer COVID-19 testing (i.e. testing for active virus), and recommended that employers do the following:

  • Determine that tests are accurate and reliable.
  • Review guidance from the Food and Drug Administration (FDA), U.S. Centers for Disease Control and Prevention (CDC), and other public health authorities and regularly check those authorities for updates.
  • Consider incidences of false positives and false negatives associated with particular tests.
  • Keep in mind that a negative test does not mean an employee will not contract the virus in the future.
  • Require that employees continue infection control practices, including social distancing, handwashing, and other cleanliness and disinfecting measures.

The April update was silent on whether its determination regarding COVID-19 testing also included antibody testing. Antibody testing (i.e., serological testing) is able to detect antibodies from a previous infection. However, it can take one to three weeks for antibodies to develop following the onset of symptoms, and it is not certain that antibodies provide immunity or, if so, how long immunity would last – the current reliability and utility of these tests is in question.

The June 17th update to the EEOC guidance weighs in on antibody testing in the workplace. Specifically, the EEOC provides an answer to the following question:

CDC said in its Interim Guidelines that antibody test results “should not be used to make decisions about returning persons to the workplace.” In light of this CDC guidance, under the Americans with Disabilities Act (ADA) may an employer require antibody testing before permitting employees to re-enter the workplace?

The EEOC concludes that antibody testing constitutes a medical examination under the ADA, and employers cannot require antibody testing before permitting employees to re-enter the workplace.

“In light of CDC’s Interim Guidelines that antibody test results “should not be used to make decisions about returning persons to the workplace,” an antibody test at this time does not meet the ADA’s “job related and consistent with business necessity” standard for medical examinations or inquiries for current employees. Therefore, requiring antibody testing before allowing employees to re-enter the workplace is not allowed under the ADA.”

It is important to note that, as with other types of COVID-19-related guidance, the EEOC will continue to monitor the CDC’s recommendations and update its discussion on this topic in response to changes in the CDC’s recommendations.

Takeaway

In general, COVID-19 testing methods come with administrative burdens to implement and ensure compliance. Such testing presents privacy implications, particularly with respect to testing that requires a blood sample or swab. Moreover, any information collected should be protected with access appropriately limited, particularly if the organization is using a third party. As issues and concerns around COVID-19 unfold daily, employers must prepare to address the threat as it relates to the health and safety of their workforce.

The Department of State (DOS) has been collecting (and maintaining) information on social media use from all visa applicants (immigrant and non-immigrant) since June 2019. The DOS’s collection and maintenance of this information is the subject of a lawsuit. Despite claims of being part of the vetting process, concerns about privacy and misuse of information remain. Our analysis of these issues is here.

Most companies continue to grapple with compliance with the California Consumer Privacy Act (“CCPA”), which went into effect in January. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA.

Now, the privacy-right activist group that sponsored the CCPA – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The group recently announced it secured the 900,000 signatures needed to qualify for a place on the state’s November 2020 ballot.

If this appears on the ballot and passes, companies will have to once again review their privacy programs and likely amend further to comply. Many other states are also attempting to pass new legislation, so this could all create a complex regime of multiple states with different laws.

The CPRA, as drafted, would amend the CCPA, which has been criticized for over broad definitions and ambiguous language. It would expand the privacy rights of California residents and increase compliance obligations for companies. The CPRA would, as written and among other things:

  • New data category. Add a new category of information, known as “sensitive personal information,” which would include health, financial, and geolocation information collected, and allow California consumers to block businesses from using this information. Much of this information is covered by federal privacy laws, like HIPAA and GLBA.
  • Privacy for children’s data. Enhance children’s privacy rights and triple fines for collecting and selling information of minors under 16 years of age.
  • Enforcement Arm. Establish new enforcement authority to protect data privacy rights.
  • Correction of data. Give Californians the right to ask businesses to correct inaccurate personal information.
  • More breach liability. Update data breach liability, specifically for breaches of a consumer’s email with password or security question. In such cases, hackers would be able to access the consumer’s account, and the CPRA would result in liability for the company experiencing the breach.

However, one thing the CPRA does that may help businesses is provide an additional two-year extension to exemptions for employee and business-to-business data. The current exemption is set to expire at the end of 2020. It is important to note that under the current exemption, while employees are temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

While the CPRA may have enough signatures to qualify it for the upcoming ballot, the California Secretary of State and local election officials will have to certify the signatures by June 25, 2020. Of the 900,000 signatures submitted, 675,000 must be certified as valid for the CPRA to be included on the November ballot.

We will continue to monitor CPRA developments and provide guidance on compliance with CCPA and new regulations and guidance from the California Attorney General.