Co-Author: Gabrielle Bruno

Government agencies, businesses, hospitals and universities are the frequent targets of staggering data breaches that can affect millions of individuals. But K-12 schools are also at risk for cyber attacks as they rely more on technology for day-to-day operations and typically maintain a wealth of sensitive information about their students, teachers, administrators and other staff.

News reports of cyber attacks on schools surface regularly. A phishing attack on San Diego Unified School District in California enabled hackers to steal Social Security numbers and addresses of more than 500,000 students and district staff. Discovered in October 2018, this far-reaching incident occurred between January 2001 and November 2018. And generally, data breaches are on the rise – a recent report found that nearly half a billion consumer records containing sensitive personal information were hacked in 2018, in comparison to 198 million sensitive records in 2017.

To address these gathering cyber threats against schools, the New York State Department of Education (“SED”) recently proposed new regulations that will, once adopted, require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals.

The SED’s regulation comprises a number of key sections, including:

  • Parent’s Bill of Rights. Each school must publish a parent’s bill of rights on its website. Schools must also include the bill of rights in every third party contract where a third party contractor will receive PII. Schools will be required to establish a clear path for parents to communicate and file complaints about breaches or unauthorized releases of student data, including a challenge to the accuracy of the student data.
  • Data Security and Privacy Standard and Plan. The National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”) is the standard for school security policies. Additionally, each time a school enters into a third party contract with an entity that will receive PII, a data security and privacy plan must be provided. The plan must outline, among other things, how the third-party contractor will safeguard PII consistent with the school’s data security and privacy program. All officers or employees of the third-party contractor who have direct access to PII must receive training on applicable federal and state law.
  • Training for Educational Agency Employees. Information privacy and security awareness training, online or in person, must be provided annually by schools to their officers and employees who have access to PII.
  • Data Protection Officer Appointment. Every school is required to appoint a Data Protection Officer (“DPO”), a role filled by a new or existing employee, who is responsible for implementing all required security and privacy policies and procedures. The DPO will serve as the point of contact within the school on all data security and privacy matters.
  • Reports and Notifications of Breach and Unauthorized Release. Regarding any breach or unauthorized release of PII, third-party contractors must report to all affected schools without unreasonable delay, but in no case more than seven calendar days from the date of discovery. After a third-party breach notification, or after independent discovery by the school itself, the affected school must notify SED within 10 calendar days. Regardless of where the breach or unauthorized release was discovered, the school must notify affected individuals without unreasonable delay, but in no case more than 14 calendar days from the date of discovery. If, however, notification would expose an ongoing vulnerability or interfere with a law enforcement investigation, the notification may be delayed until no later than seven calendar days after the vulnerability has been remedied or the investigation has concluded.
  • Chief Privacy Officer’s Powers and Responsibility. The Chief Privacy Officer (“CPO”) of SED will have access to all records, audits, and documents within a school regarding the PII of individuals. Additionally, the CPO will have the authority to require schools to perform privacy and security risk assessments at any given time.
  • Third Party Contractor Civil Penalties. After each breach or unauthorized release of PII by a third-party contractor, the civil penalty will be up to $10 per affected student, teacher, and principal. It will be the CPO’s responsibility to investigate each breach or unauthorized release from a third party entity.

After the required 60-day public comment period for the proposed regulation, it will likely be presented for permanent adoption to the Board of Regents during its May 2019 meeting. If adopted by the Board of Regents, the regulation will be effective July 1, 2019.

Happy Data Privacy Day from the Jackson Lewis Privacy, Data and Cybersecurity Team!

In Honor of National Privacy Day, we are focused on what is sure to be one of the hottest issues of 2019 and present our FAQs for employers on the California Consumer Privacy Act (CCPA).

As you know, data privacy and security regulation is growing rapidly around the world, including in the United States. In addition to strengthening the requirements to secure personal data, individuals are being given an increasing array of rights concerning the collection, use, disclosure, sale, and processing of their personal information. Meanwhile, organizations’ growing appetite for more data, and more types of data, persists, despite mounting security risks and concerns about permissible use. The recently enacted CCPA is intended to address some of these risks and concerns. The CCPA, which becomes effective on January 1, 2020, is in some ways the most expansive privacy law currently in the United States.

With the CCPA’s effective date fast approaching, regulations being prepared by California Attorney General Xavier Becerra’s office, and considering that certain provisions may reach back prior to the effective date, businesses need to begin preparing as soon as possible. These FAQs are intended to call attention to some of the pressing issues relating to the CCPA’s application to employee personal information, and highlight action items that can help businesses’ compliance efforts.

One of the most common questions is how the CCPA will apply to employment data. We hope you will find these FAQs helpful in answering this and related questions.


Earlier today, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act. Potential damages are substantial as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. To date, no Illinois court has interpreted the meaning of “per violation,” but the majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected.

If they have not already done so, companies should immediately take steps to comply with the statute. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual) against the requirements under the BIPA. In the event they find technical or procedural gaps in compliance – such as not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information – they need to quickly remedy those gaps. For additional information on complying with the BIPA, please see our BIPA FAQs.

Companies were hoping that the Illinois Supreme Court would ultimately conclude, consistent with the underlying appellate decision, that in order for a plaintiff to bring a claim under the BIPA (i.e. in order for the plaintiff to be considered “aggrieved”) the plaintiff would have to allege actual harm or injury, and not just a procedural or technical violation of the statute. In reversing and remanding the case, the Illinois Supreme Court held:

The duties imposed on private entities by section 15 of the Act (740 ILCS 14/15) regarding the collection, retention, disclosure, and destruction of a person’s or customer’s biometric identifiers or biometric information define the contours of that statutory right. Accordingly, when a private entity fails to comply with one of section 15’s requirements, that violation constitutes an invasion, impairment, or denial of the statutory rights of any person or customer whose biometric identifier or biometric information is subject to the breach. Consistent with the authority cited above, such a person or customer would clearly be “aggrieved” within the meaning of section 20 of the Act (740 ILCS 14/20) and entitled to seek recovery under that provision. No additional consequences need be pleaded or proved. The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.

The decision is likely to increase the already significant number of suits, including putative class actions, filed under the BIPA. In the words of the Illinois Supreme Court, “[c]ompliance should not be difficult; whatever expenses a business might incur to meet the law’s requirements are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded; and the public welfare, security, and safety will be advanced.”

Recently, Business Roundtable, an association for over 200 CEOs of America’s largest companies, released a detailed framework for a national consumer data privacy law that would provide uniformity in an area currently governed by an amalgam of state statutes and regulations. Business Roundtable is hopeful that it has the ear of the Administration and the Legislature to see progress on this effort in the 2019 Session.

The CEOs leading this effort come from a wide variety of industries, including: technology, communications, retail, financial services, health, manufacturing, hospitality, insurance and others. “There is an unprecedented opportunity to establish an innovative privacy landscape and underscore the need for a national privacy law,” said Julie Sweet, Chief Executive Officer – North America of Accenture and Chair of the Business Roundtable Technology Committee. “Consumers do not feel in control of their personal data and how it is collected, used and shared. U.S. laws to protect consumer privacy are highly fragmented, inconsistent and are nonexistent for much of the U.S. economy. A comprehensive national standard that details individual data privacy rights and provides clear obligations for how companies handle personal data is crucial for consumers, business and the U.S. economy.”

The Business Roundtable legislative framework outlines four fundamental privacy rights for consumers:

  • The right to transparency regarding a company’s data practices, including the types of personal data that a company collects, the purposes for which this data is used and whether and for what purposes personal data is shared.
  • The right to exert control over their data, including the ability to control whether companies sell their personal data.
  • The right to access and correct inaccuracies in their personal data.
  • The right to delete their personal data.

The proposal invokes federal preemption of state and local regulations and also addresses uniformity for data breach notifications. Currently all 50 states, Puerto Rico, the Virgin Islands, and Guam have a variety of requirements related to notification after data breaches or potential breaches. Despite having common threads, businesses operating in several states currently have to be wary of variance in notification requirements depending on the number of affected residents, what constitutes “unreasonable delay,” and whether breaches may be pursued by private individuals or only the state’s attorney general. The proposal encompasses regulation by the FTC to ensure uniformity across industries and does not provide for a private right of action.

We will continue to track this issue, which addresses the balance that must be struck between the need for protection of the privacy of consumers and employees with the business community’s need for consistency and predictability in data privacy protection.


According to SC Magazine, an escalating number of victims of data breaches in 2017 have led Attorney General Josh Stein and state Rep. Jason Saine to propose updates to the state’s existing data breach notification law – “Act to Strengthen Identity Theft Protections.”

The Act would make a number of changes to the existing law, including:

  • Expand the definition of “security breach” to include “ransomware” attacks. Ransomware attacks generally result in the encryption of an organization’s system files, preventing the owner from accessing the files unless the owner buys (usually through some form of cryptocurrency) a valid decryption key from the attackers, which may never be delivered. In many cases, the malware deployed by the attackers does not enable them to access or acquire the organization’s information. However, sponsors of the law change would like the victim organization to notify both the affected consumers and the Attorney General’s office, empowering the affected person and the Attorney General’s Office to determine the risk of harm – not the breached organization.
  • Mandate reasonable safeguards. The Act would require businesses that own or license personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach. It does not appear that the new law would provide specific requirements for safeguarding personal information. States such as Massachusetts and Colorado have provided more specific requirements for the safeguards covered entities must put in place.
  • Update definition of personal information. The Act would update the definition of personal information to include medical information and insurance account numbers.
  • Shorter (15-day) notification period. The Act would require notification to the affected consumer(s) and the Attorney General’s office within 15 days. The hope is this would give consumers more time to freeze their credit across all major credit reporting agencies and take other preventive measures against identity theft before it occurs.
  • Free credit freezes and credit reports. The Act would permit consumers to place and lift a credit freeze on their credit report at any time, for free. They also would be able to access three free credit reports from each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis. Notably, if consumer reporting agencies experience a security breach, they will have to provide five years of free credit monitoring to affected consumers.
  • Penalty clarification. The Act would provide that businesses that suffer a breach and that failed to maintain reasonable security procedures will have committed a violation of the state’s Unfair and Deceptive Trade Practices Act and each person affected by the breach would constitute a separate and distinct violation of the law triggering a penalty.

If the Act is passed into law, North Carolina would join a number of other states that have updated, and continue to update and strengthen, their state laws requiring notification following a breach, and that have added obligations requiring reasonable safeguards to protect personal information. All organizations should be reviewing these developments and taking appropriate steps to safeguard personal information they maintain about individuals, as well as evaluating and enhancing their breach response readiness.


Late last year, the U.S. Supreme Court granted certiorari in PDR Network, LLC v. Carlton & Harris Chiropractic (No. 17-1705), addressing the issue of whether the Hobbs Act requires the district court to accept the Federal Communication Commission’s (FCC’s) legal interpretation of the Telephone Consumer Protection Act (TCPA). In 1991, Congress passed the TCPA to restrict telephone solicitations and use of automated telephone equipment, charging the FCC with interpretation and rulemaking authority over the Act. In 2005, the TCPA was amended to include the Junk Fax Prevention Act (JFPA), which restricted the use of fax machines to deliver unsolicited advertising. Shortly after, the FCC issued the 2006 FCC Rule, which, inter alia, provided guidance on the 2005 JFPA amendment. At issue before the Court is the FCC’s interpretation of the definition of “unsolicited advertisements” in the context of the JFPA, found in the 2006 FCC Rule.

The Fourth Circuit, in PDR Network, held that the district court erred in refusing to defer to the FCC’s interpretation of the definition of “unsolicited advertisement” under the TCPA. Specifically, the district court ruled that a fax advertisement for free services did not qualify as an “unsolicited advertisement” under the law, despite the 2006 FCC Rule, which stated that “even at no cost”, a fax message promoting goods and services qualified as an “unsolicited advertisement”.

Although PDR Network centers on a dispute over “junk faxes”, its implications extend far beyond. The Court will address a broad range of issues dealing with the scope of deference under the Hobbs Act and its interplay with the Chevron doctrine. The Hobbs Act provides exclusive jurisdiction to the Court of Appeals in challenges to final orders issued by six federal agencies, including the FCC. To complicate matters, the Chevron doctrine, an administrative law principle derived from the Supreme Court case of that name, compels federal courts, regardless of level, to adhere to an agency’s interpretation of a statute it administers unless the court finds Congress’s language in the statute “clear and unambiguous”. Thus, a dilemma arises when a district court is adjudicating a case involving a final order issued by one of the six federal agencies covered by the Hobbs Act. Does the Hobbs Act strip the district court of its ability to apply Chevron deference?

Ultimately, the Court will conclude whether the district court is automatically bound by federal agency interpretation under the Hobbs Act, or has some leeway to ignore such interpretation, as allotted under Chevron when it deems statutory language “clear and unambiguous”. The Court’s ruling is timely, as the FCC is scheduled to issue rules regarding several significant TCPA issues in the coming year.

On a practical level, if the Court rules in favor of greater district court discretion, TCPA litigation will likely become much more unpredictable and costly. With regulatory, legislative, and judicial developments imminent, 2019 is shaping up to be an interesting year for the TCPA. We will continue to update as TCPA developments unfold. Stay tuned for our upcoming TCPA post on the circuit split over what constitutes an “Automatic Telephone Dialing System” (ATDS).

Through its actions and publications, the Securities and Exchange Commission (SEC) has shown an increased focus on cybersecurity and the public disclosure of cybersecurity risks and incidents. In early 2018, the SEC issued a statement and an interpretive guide to assist companies with understanding and carrying out their disclosure obligations concerning cybersecurity risks and incidents. In the accompanying statement, the SEC explained “the scope and severity of risks that cyber threats present have increased dramatically, and constant vigilance is required to protect against intrusions.”

This SEC guidance follows a guide released by the SEC Division of Corporation Finance in 2011. The interpretive guide outlines the SEC’s view on cybersecurity disclosures as required under federal law. It also touches on the importance of public companies maintaining cybersecurity policies and procedures and discusses prohibited insider trading activities related to cybersecurity breaches.

The interpretive guide essentially puts public companies on notice regarding disclosure requirements for material cybersecurity risks and incidents. It explains that some reports required under the Securities Act and Exchange Act may prompt disclosure of cybersecurity risks facing a company as they relate to financial, legal, or reputational consequences. Importantly, the guide cautions that disclosures should be “timely” and warns that ongoing investigations, by themselves, do not provide a basis for avoiding the disclosure of a material cybersecurity incident.

Signaling an emphasis on enforcement actions, SEC chairman Jay Clayton warned “issuers and other market participants must take their periodic and current disclosure obligations regarding cybersecurity risks seriously, and failure to do so may result in an enforcement action.”

True to its words, after releasing the interpretive guide, the SEC brought multiple enforcement actions over cybersecurity disclosures. See SEC Enforcement Actions. Many of these actions have resulted in settlements with fines ranging in the millions, coupled with agreements by companies to improve their cybersecurity policies and procedures. The SEC appears to be focused on companies that, in the agency’s view, have made misleading statements or omissions pertaining to a cybersecurity breach and failed to properly assess whether the breach should have been incorporated into their public disclosures.

Moreover, in its strategic plan for 2018-2022, the SEC highlighted an expanded focus on cybersecurity and data protection to address the agency’s belief that “cybersecurity threats to the complex system that helps the markets function are constant and growing in scale and sophistication.” As one of the goals outlined, the SEC stated its intention to examine strategies to address cybersecurity risks facing capital markets.

These collective efforts likely foreshadow greater SEC involvement in cybersecurity and disclosure requirements. Going forward, companies must be sure that they have a cybersecurity policy and plan in place and must quickly evaluate if a cybersecurity incident requires public disclosure.

Over the past thirty days, the Office for Civil Rights (“OCR”) has reached three HIPAA breach resolutions, signaling to organizations that are covered entities and business associates under HIPAA the importance of instituting basic best practices for data breach prevention and response.

On November 26th, the OCR announced a settlement with Allergy Associations of Hartford, P.C. (Allergy Associations), a health practice specializing in allergies, due to alleged HIPAA violations resulting from a doctor’s disclosure of patient information to a reporter. A doctor from Allergy Associations was questioned by a local television station regarding a dispute with a patient, and disclosed the patient’s protected health information (PHI), the investigation found. The OCR concluded that such disclosure was a “reckless disregard for the patient’s privacy rights.” Allergy Associations agreed to a monetary settlement of $125,000 and a corrective action plan that includes two years of monitoring of HIPAA compliance.

» A well thought out media relations plan together with regular security and awareness training, even for doctors, would go a long way toward reducing these risks.

Then, on December 4th, the OCR announced that it had reached a settlement with the physician group Advanced Care Hospitalists PL (ACH) in Florida over alleged HIPAA violations resulting from the sharing of protected health information (PHI) with a vendor. According to OCR’s announcement, ACH engaged an unnamed individual to provide medical billing services without first entering into a business associate agreement (BAA). While it appeared the individual worked for Doctor’s First Choice Billing (“First Choice”), First Choice had no record of this individual or his activities. ACH later became aware that patients’ PHI was visible on First Choice’s website, with nearly 9,000 patients’ PHI potentially exposed. In the settlement ACH did not admit liability, but agreed to adopt a robust corrective action plan including the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA rules. In addition, ACH agreed to a $500,000 payment to the OCR.

» This is not the first time the OCR has reached settlements with covered entities over not having business associate agreements in place. Covered entities should consider a more formal vendor assessment and management. That is, certainly make sure there is a BAA in place, but also assess the business associate’s policies, procedures, and practices.

And finally, on December 11th, the OCR announced a settlement with Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, for potential HIPAA privacy and security violations. The settlement is in response to a complaint that a former employee of PSMC continued to have remote access to the hospital’s scheduling calendar, which included patients’ electronic protected health information (ePHI), after termination of his employment relationship. OCR’s investigation revealed that PSMC did not have a business associate agreement in place with its web-based scheduling calendar vendor, or with the former employee. PSMC agreed to implement a two-year corrective action plan which includes updates to its security management and business associate agreement policies and procedures, and workforce training. In addition, PSMC agreed to a $111,400 payment to the OCR.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

» This is a lesson for all businesses – when employees leave the organization (or are moved from a position that permits access to certain protected information), immediate changes should be made to their access – this includes physical and electronic access.

This series of recent settlements serves as a reminder of the seriousness with which the OCR treats HIPAA violations. In October, in honor of National Cybersecurity Awareness Month, the OCR together with the Office of the National Coordinator for Health Information Technology jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool to help covered entities and business associates comply with the HIPAA Security Rule. This is an excellent tool to help organizations conduct an enterprise-wide risk analysis. Alternatively, our HIPAA Ready product provides a scaled approach for midsized and smaller healthcare practices and business associates. In the end, healthcare organizations and their business associates need to address basic best practices including: terminating employee access in a timely manner, maintaining proper business associate agreements, and having a plan for media relations.

A new bill in the Senate proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information in the same way banks, lawyers and hospitals are held responsible. The Data Care Act of 2018, which was introduced on December 12, 2018, is designed to protect users’ information online and penalize companies that do not properly safeguard such data.

Personal data under the bill includes:

  • Social Security number
  • Driver’s license number
  • Passport or military identification number
  • Financial account number, or credit or debit card number, with the access code or password necessary to permit access to the financial account
  • Unique biometric data, including a fingerprint, voice print, retina image or other unique physical representation
  • Account information such as user name and password, or email address and password
  • First and last name of an individual, or first initial and last name, in combination with date of birth

The bill would also protect personal information from being sold or disclosed unless the end user agrees.

The bill is seen as part of a broader push to enact federal privacy legislation, in part to prevent more states from enacting their own privacy legislation, similar to recent moves in California and Illinois.

The bill was introduced by Senator Brian Schatz (D-HI), the Ranking Member of the Communications, Technology, Innovation, and the Internet Subcommittee. The bill was co-sponsored by 14 Senate Democrats.

Senator Schatz stated in a press release that people “have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same.”

The bill would be interpreted and enforced by the Federal Trade Commission. It would establish three basic duties: the duty of care, the duty of loyalty and the duty of confidentiality. If passed, the FTC would go through the normal notice and comment rulemaking process to further establish how authorities will define, implement and enforce concepts like “reasonable” security measures.

There has been no shortage of federal initiatives seeking heightened protection for consumer personal data in the past couple of years, in particular since enactment of the EU’s GDPR, and it is only a matter of time before one of them finally sticks. We will continue to report on the Data Care Act of 2018 and other similar initiatives as developments unfold.