Add Washington D.C. Attorney General Karl A. Racine’s recent data security legislative proposal – the Security Breach Protection Amendment Act of 2019 – to the growing list of states and jurisdictions across the country seeking to strengthen privacy and security protections around personal information.

Proposed in response to major data breaches, a frequent catalyst to stronger data privacy and security legislation, AG Racine’s bill would expand legal protections concerning personal information to help prevent and enhance the response to a data breach. Specifically, the bill would:

  1. like legislation being considered in New Jersey, expand the definition of personal information that, if breached, would require notification. However, if passed, the definition of personal information in D.C. would be much broader than New Jersey’s and those of many other states, and would include passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, and health insurance information;
  2. require businesses that experience a data breach to include specific information in the notifications to affected persons, such as (i) the categories of information that were, or are believed to have been, involved in the breach, (ii) contact information for the person making the notification, as well as the credit reporting agencies, the FTC, and the D.C. Attorney General, and (iii) the right under federal law to obtain a security freeze at no cost and how to obtain such a freeze; and
  3. mandate businesses offer two years of free identity theft protection when a breach involves Social Security numbers. Washington D.C. would join states such as Connecticut, Delaware, and, in April, Massachusetts, in requiring such services be provided following certain breaches.

The bill also would mandate that businesses that handle personal information implement reasonable safeguards to protect that data. Additionally, businesses that obtain services from a nonaffiliated third party and disclose personal information of a DC resident under an agreement with that third party must require the third party by agreement to safeguard that information. Again, these changes put D.C. in the company of other states such as California, Colorado, and Massachusetts.

The legislative screws continue to tighten around data privacy and security.

An increasing number of companies have adopted Bring Your Own Device (“BYOD”) programs. Under a BYOD program, companies permit employees to connect their personal devices (e.g. laptops, smartphones, and tablets) to the company’s networks and systems to complete work-related duties. In contrast, under Corporate Owned Personally Enabled (“COPE”) programs, companies purchase and provide devices and network systems for employees. The two main benefits of BYOD programs are the company’s ability to maximize cost savings and foster positive relationships with employees. The use of personal devices both remotely and in the office can also improve efficiency and work product.

Although BYOD programs offer numerous advantages to companies, there are several business and legal concerns companies should consider when determining whether to implement, continue, or revise an existing BYOD program. The most apparent concern for companies is ensuring the security of company data. Personal devices may not be password protected, may not be kept patched, and may connect over networks the company does not control. These security gaps may prevent companies from satisfying their obligations under federal and state laws. BYOD programs may also give rise to issues related to non-compete and trade secret laws, because the use of personal devices to conduct job-related tasks creates an opportunity for employees to store proprietary company information on devices the company does not own. Remote work on personal devices exposes companies to liability for additional wage payments and overtime compensation under the Fair Labor Standards Act and similar state laws. Similarly, BYOD programs may create challenges for companies seeking to preserve company data to satisfy electronic discovery requests during litigation. Companies should also consider their potential obligation to reimburse employees for the costs incurred to use their personal devices for work-related duties.

To minimize exposure to business and legal concerns, companies should focus on managing the security of personal devices both in the office and remotely. Check out our post from earlier this week on the National Institute of Standards and Technology’s Guidelines for Managing the Security of Mobile Devices in the Enterprise.

In addition to the considerations for adopting BYOD programs, companies should also consider key issues that arise when implementing and enforcing BYOD policies. It is important for companies to implement well-crafted BYOD policies addressing these legal and business concerns. These policies should cover permitted and prohibited uses (e.g. devices and software), responsibility for lost, stolen, or damaged devices, maintenance of devices and software, data storage requirements, and exit strategies for wiping company data from the device in the event of a separation, among others.

Our Bring Your Own Device (BYOD) Issues Outline offers a more extensive risk analysis of BYOD programs and can help determine whether a BYOD program is a suitable option for your company or organization. Key aspects of an effective BYOD policy include access management protocols, data security safeguards, device-wipe policies, employee stipend and reimbursement programs, data breach protocols, and related issues.

Just last month, the National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), published guidance for public and private companies to protect mobile devices and help prevent data breaches. The publication, titled “Mobile Device Security: Cloud and Hybrid Build,” is a how-to guide for companies to secure mobile devices using commercially available technology. Developed in collaboration with technology organizations, government agencies, and academic institutes, the publication acts as a practice guide for network architects to ensure employees can access information remotely while minimizing security risks. It presents a variety of security solutions that can be tailored to a company’s needs and includes instructions for installing security products that meet NIST’s standards. As stated by the NCCoE, the guide “demonstrates how commercially available technologies can meet your organization’s needs to secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices.”

Companies that permit their employees to use mobile devices benefit from ease of communication and the convenience of allowing data to be accessed practically anywhere. However, security controls have not kept pace with the risks inherent in using mobile devices. As a result, a poorly secured mobile device may present significant security risks to a company.

Stolen or infiltrated mobile devices can be a gateway for wrongdoers to access a company’s sensitive and confidential information, email accounts, contacts, calendars, and other proprietary information. Even worse, a wrongdoer could gain remote access and hold a company’s data and information hostage, a tactic that has gained popularity in recent years. Moreover, not only is a company at risk of having its data compromised, but mobile device security breaches have resulted in significant financial penalties. See HIPAA Enforcement Actions.

With many states recently enacting or proposing consumer privacy and security legislation, companies must be mindful of the security risks presented by using mobile devices and ensure the devices are adequately protected. Moreover, companies must have an effective “Bring Your Own Device” (BYOD) policy in place governing the use of the device, in addition to the security controls on the device. Be on the lookout for our article on the cost-benefit analysis of implementing a BYOD policy, coming later this week.

The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most expansive state privacy law in the United States. Organizations familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, certainly will understand CCPA’s implications. Perhaps the best known comprehensive privacy and security regime globally, GDPR solidified and expanded a prior set of guidelines/directives and granted individuals certain rights with respect to their personal data. The CCPA seems to have spurred a flood of similar legislative proposals on the state level.

Since the start of 2019, at least six state legislatures have already introduced privacy bills modeled largely on the CCPA. Below are some of the highlights of several of these state legislative proposals:

  • Hawaii – SB 418, introduced on January 24 by two Democratic senators, contains consumer rights and requirements for businesses similar to those in the CCPA. The current bill text does not include a definition of “business”. Although this will likely be remedied, if left as is, the Hawaii bill would have a broader reach than the CCPA, which only applies to entities that do business in the state of California.
  • Maryland – SB0613, introduced on February 4 by Senator Susan Lee (D), includes consumer rights similar to those in the CCPA, but its right of deletion (popularly known as the “right to be forgotten”) is more extensive because it limits the circumstances under which an organization can deny such a request. Also notable, the bill prohibits discrimination against a consumer for exercising his/her rights and prohibits financial incentives for processing personal information.
  • Massachusetts – SD.341, presented by Senator Cynthia Creem in early February, combines key aspects of the CCPA with aspects of Illinois’s Biometric Information Privacy Act (BIPA). This bill would allow Massachusetts consumers a private right of action if their personal information or biometric information (referred to separately in the bill) is improperly collected. Moreover, similar to the Illinois Supreme Court’s recent holding regarding the BIPA, under the proposed bill Massachusetts consumers may not have to demonstrate actual harm to seek damages.
  • Mississippi – HB 2153, a house bill that was quickly squashed, was the closest in structure to the CCPA, pulling direct language from the California law. Although the Mississippi bill did not succeed, it still signifies how state legislators across the U.S. are considering consumer privacy.
  • New Mexico – SB176, introduced on January 19 by Senator Michael Padilla (D), attempts to balance consumer privacy without stifling the “innovation and creativity” of companies. Although the language differs, key components of the CCPA are present in the New Mexico bill (e.g. right of access, right of deletion, right to opt out, private right of action).

In addition to the CCPA-like proposals discussed above, other states are also considering unique ways to enhance consumer data privacy for their residents. For example, New York legislators recently introduced at least four different consumer privacy related bills, including one on biometric privacy (SB 547) and another that would regulate businesses’ collection and disclosure of personal information (S00224). And several North Dakota legislators, in mid-January, introduced a consumer privacy bill, HB 1485, exclusively focused on prohibiting the disclosure of an individual’s personal information without “express written consent”.

Finally, a group of senators in Washington State, in January, introduced the “Washington Privacy Act,” SB 5376 (WPA). That bill would establish more GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice, and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.

This state level activity could prompt Congress to move more quickly with one of its proposed bills, the latest being the Data Care Act, which proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information. Much of the private sector, including the Internet Association, comprised of the leading tech companies, is pushing for a federal approach to consumer privacy to prevent the “patchwork of state laws” that has arisen in the area of data breach notification law.  Not even three months in, 2019 is already gearing up to be a busy year for consumer privacy law.


The Garden State has been updating its data privacy and security laws and you may be wondering why. On October 28, 2018, Attorney General Gurbir S. Grewal and the New Jersey State Police announced statistics on the effects of data breaches in 2017 on New Jersey residents. Based on that report, here are some interesting data points:

  • Reported breaches affecting NJ residents increased 41% from 2016 to 2017 (676 to 958). Remember, these are only reported breaches. Yes, not all breaches are reported, reported properly, or are even discovered.
  • Business sectors most often involved with breaches include finance/banking, health services followed by business services and retail trade. Other areas include education, restaurant, industrial/manufacturing, hotels, non-profits, non-medical insurance, and telecommunications.
  • Phishing attacks were the most popular method used to breach the security of an organization’s information systems, followed by website malware, employee incident, unauthorized email access and ransomware. It is unclear from the report if these are in any particular order. Importantly, note that with phishing attacks, unauthorized email access, and ransomware, employees very likely play a role in making the attacks successful. That is, employees typically are not intentionally causing these attacks, but they are duped into clicking a link or entering information that helps out the bad guys. Training and awareness are critical.
  • The New Jersey’s Attorney General’s Office enforcement activities resulted in $4.8 million in civil settlements with the State.

The announcement also included some tips individuals can take to better protect sensitive personal and business information. Notably, the announcement states that:

this effort is part of a broader effort by Attorney General Grewal to strengthen the state’s cybersecurity protections, and follows an announcement earlier this year of the creation of a Data Privacy & Cybersecurity Section within the Division of Law (DOL) to investigate data privacy cases and advise state agencies on related matters.

The tips offered by the NJ Division of Consumer Affairs are directed at individual consumers, but organizations and businesses certainly could adopt these, and require their employees to follow some or all of these best practices:

  • Avoid clicking on e-mail links or attachments from unknown individuals, financial institutions, computer services or government agencies. To check out the message, go to the sender’s legitimate public website, and use the contact information provided.
  • Choose a strong password containing letters, numbers and symbols. If a website offers two-factor authentication security, use it.
  • Before disposing of any electronic device, wipe the hard drive using specialized software that will overwrite your information.
  • Avoid free Wi-Fi, especially for health, financial, and other personal transactions.

Efforts similar to this are underway in many states as personal information and confidential business information either continue to be under attack or are maintained without adequate safeguards. Organizations need to monitor these developments and strengthen their administrative, physical, technical, and organizational defenses.

Since the start of 2019, New Jersey has shown it is on the forefront of consumer privacy and security law. Last week we reported on Assembly Bill 3245 (AB 3245), which would enhance the state’s data breach notification requirements. In short, if signed, AB 3245 would require businesses to notify consumers of online account security breaches. This week, we are reporting on other related Assembly bills recently introduced, including AB 4902, which creates new obligations for commercial entities whose online website or services are accessed by individuals, and AB 7974, which regulates the use of a customer’s GPS data.

New Jersey’s proposed consumer privacy and security bills would create significant compliance obligations for companies that collect, use, or store personal data. Companies should consider assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs) to prepare.

Check out the full update on some of New Jersey’s latest consumer privacy and security law initiatives including AB 4902 and AB 7974, available here on the Jackson Lewis website.


In light of several large-scale breaches of late, the New Jersey General Assembly is taking steps to enhance the state’s data breach notification requirements. In late February, Assembly Bill 3245 (AB 3245), introduced by Assembly Members Ralph Caputo and Carol Murphy, was unanimously approved by both the Assembly and the Senate, and is now headed to Governor Phil Murphy for signing. In short, if signed, AB 3245, would require businesses to notify consumers of online account security breaches.

New Jersey’s data breach notification law requires businesses to notify consumers of a breach of their personal information. Currently the law defines personal information as an individual’s first name or first initial and last name linked with any one or more of the following data elements:

  • Social Security number;
  • driver’s license number or State identification card number;
  • account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

AB 3245 would add to the above list of data elements:

  • user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account. 

This amendment would keep New Jersey in line with other states that have similarly enhanced their data breach notification laws to address online breaches, including Alabama, Arizona, California, Florida, Illinois, Nebraska, Nevada, South Dakota and Wyoming.

“Protecting the security of online accounts is important for consumers, as a breach of security of these accounts can lead to the compromise of personal information and expose consumers to identity theft,” said Caputo (D-Essex). “If an individual’s personal information has become unwillingly available to someone else, they have the right to know as quickly as possible.”

New Jersey is on the forefront of consumer privacy and security law, with other related bills recently introduced including AB 4902, which creates new obligations for commercial entities whose online website or services are accessed by individuals, and AB 7974, which regulates the use of a customer’s GPS data. Be on the lookout for our full update on some of New Jersey’s other initiatives, coming later this week.

According to reports, bank customers in Australia (yes, data breach notification requirements exist down under) have been affected by “an industry-wide” data breach experienced by a third-party service provider to the banks – property valuation firm, LandMark White. As expected, the banks are investigating and in some cases notifying customers about the incident. However, there are reports that some of the affected banks are suspending this vendor from the group of valuation firms they use. This is not an unusual reaction by organizations whose third party service providers have or are believed to have caused a data breach affecting the organization’s customers, patients, students, employees, etc. But, it is worth thinking about whether that is the best course of action.

In the United States, there is a growing number of states that require businesses to contractually bind their third party services providers to maintain reasonable safeguards to protect personal information made available to the third parties to perform services. For example, under the Illinois Personal Information Protection Act:

A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

Personal information under this law includes information such as a name coupled with a Social Security number, driver’s license number, medical information, or unique biometric data used to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. In connection with obtaining written assurances from a third party vendor, many companies engage their vendors in an assessment process to get a better sense of the security of the vendor’s environment. Assessments can take many forms, including interviewing the vendor’s chief information security officer, reviewing policies and procedures, subjecting the vendor to a detailed security questionnaire, penetration tests, and more. When organizations think of best practices for data security, assessment procedures of some kind certainly should be on the list.

But after the assessments and contract negotiations are completed, data breaches can still happen. In many cases, when a third party vendor experiences a breach affecting personal information, the owners of that information are the vendor’s customers. Uncomfortable as it may be, breach notification laws generally require the vendor maintaining the breached personal information to notify the owner, the vendor’s customer(s). At that point, the parties typically work through the incident response process, which in many cases could be driven by contract, although many agreements are silent on this issue.

In any event, organizations will almost invariably begin to think about whether this is a vendor they want on their team going forward. Of course, there are a number of reasons that might support terminating the relationship, such as:

  • The vendor may not have been protecting the information the way it should have under the contract and applicable law, resulting in the breach.
  • The vendor has not been transparent, responsive, or cooperative with the organization during the incident response process.
  • The vendor has not taken sufficient steps to ensure a similar breach will not happen again.
  • The organization is getting pressure from its customers who are serviced or supported, in part, by the vendor.
  • The organization has been unhappy with the vendor for some time (unrelated to the breach) and this is the last straw.

However, there also are reasons for maintaining the relationship, which include:

  • “The grass is always greener on the other side” – it may not be. There is no guarantee that a new vendor will have greater data security, be able to avoid a sophisticated attack, or be willing to work with the owner of the data as transparently as the current vendor.
  • The current vendor arguably is “battle-tested” with data security and incident response more top of mind.
  • There is a long-standing, trusted relationship with the vendor whose products and/or services are too important to the organization.
  • Both the organization and the vendor may be more inclined following a breach to collaborate on enhanced security measures and incident response planning.

The author takes no position here on whether to stay or go, as such a decision requires consideration of a number of factors. Third party service providers play important roles for many organizations, and their selection and continued utilization are decisions that should be made following an appropriate level of due diligence and analysis.


In 2018, Delta paved the way in airport terminal development by introducing the first biometric terminal at the Hartsfield-Jackson Atlanta International Airport, where passengers can use facial recognition technology from curb to gate. Delta now allows members of its Sky Club airport lounges to enter using fingerprints rather than a membership card or boarding pass. Other airlines use biometric data to verify travelers during the boarding process with a photo capture. The photograph is then matched through biometric facial recognition technology to photos that were previously taken of the passengers for their passports, visas, or other government documentation.

Though the use of a fingerprint or facial scan aims to streamline and expedite the travel process and strengthen the security of air travel, it also presents heightened security risks for biometric data on a larger scale. As the use of biometric data increases, the effects of a breach of that data become more expansive. While it’s possible to change a financial account number, a driver’s license number or even your Social Security number, you can’t change your fingerprint or your face, not easily anyway. Furthermore, in the past, facial recognition software had not been able to accurately identify people of color, raising concerns that individuals may be racially profiled.

Yet, many argue that biometric-based technologies can be used to help solve vexing security and logistics challenges concerning travel. For example, in 2016, Congress authorized up to $1 billion collected from certain visa fees to fund implementation of biometric-based exit technology. That was followed by President Trump’s executive order signed in March 2017 directing the Department of Homeland Security to expedite implementation of biometric entry-exit tracking system for all travelers to the United States. As it stands, we are likely to see a rapid expansion of biometric technology used by airlines and other businesses in the travel industry, so prepare your picture perfect travel face!

Notably, the use of biometric data is growing across all industries and in a variety of different applications – e.g., premises security, time management, systems access management. But so is the number of state laws intended to protect that data. States such as Illinois, Texas, and Washington are leading the way, with others sure to follow. Requirements include notice and consent, mandates to safeguard biometric information, and obligations to notify individuals in the event biometric information is breached. And litigation is increasing. The Illinois Supreme Court recently handed down a significant decision, for example, concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of their rights under BIPA. The decision is likely to increase the already significant number of suits, including putative class actions, filed under the BIPA.

Companies, regardless of industry, should be reevaluating their biometric use practices, and taking steps to comply with a growing body of law surrounding this sensitive information.

On February 25, 2019, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA), which was enacted in June of 2018. If enacted, this would be the second amendment to the CCPA, following an earlier amendment, Senate Bill 1121, which Governor Jerry Brown signed into law in September of 2018 and which also clarified and strengthened the original version of the law.

As we reported previously, the CCPA will apply to any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Under the CCPA, key consumer rights will include:

  • A consumer’s right to request deletion of personal information which would require the business to delete information upon receipt of a verified request;
  • A consumer’s right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and 3rd parties to which the information was sold or disclosed;
  • A consumer’s right to opt-out of the sale of personal information by a business and prohibiting the business from discriminating against the consumer for exercising this right, including a prohibition on charging the consumer who opts-out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.

SB 561’s amendments include:

  • Expands a consumer’s right to bring a private cause of action. Currently, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment broadens this provision to grant consumers a private right of action if any of their rights under the CCPA are violated.
  • Removes language that allows businesses the opportunity to cure an alleged violation within 30 days after being notified of alleged noncompliance.
  • Removes language allowing a business or third party to seek the opinion of the Attorney General for guidance on how to comply with the law. Instead, the amendment specifies that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the law.

With an effective date of January 1, 2020 (and regulations not yet proposed), it is expected that additional amendments will be negotiated, drafted, and published. Last month, the California Attorney General’s Office began the CCPA rulemaking process with a six-part series of public forums, allowing all interested persons the opportunity to provide their comments on the new law.

SB 561 comes just days after AG Becerra, together with Assemblymember Mark Levine, announced Assembly Bill 1130 to strengthen California’s existing data breach notification law. No doubt, California is leading the way in U.S. data privacy and security law.

Below are some of our helpful resources on the CCPA and other key California privacy and security law developments: