As we recently reported, the privacy-rights activist group that sponsored the California Consumer Privacy Act (“CCPA”) – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The CPRA has now qualified for the November 3, 2020 ballot, gathering the more than 600,000 valid signatures required, according to the memorandum circulated by the California Secretary of State. If California voters approve the initiative in November, the CPRA would significantly expand the rights of Californians under the current CCPA starting on January 1, 2023, with certain provisions going into effect immediately.

What are some of the key provisions of the CPRA?

  • Establish the California Privacy Protection Agency (“CPPA”): The CPRA would establish the first agency of its kind in the United States. The Agency will be governed by a five-member board, including the Chair, and will have full administrative power, authority and jurisdiction to implement and enforce the CCPA, instead of the California Attorney General.
  • “Sensitive Personal Information” vs. “Personal Information”: The CPRA defines “sensitive personal information” more strictly than personal information. The definition is broad, but it includes government-issued identifiers (e.g., SSN, driver’s license, passport), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages (e.g., mail, e-mail, text), genetic data, biometric information, and others.

The CPRA creates new obligations for companies and organizations processing sensitive personal information. It would also allow consumers to limit the use and disclosure of their sensitive personal information.

  • Additional Consumer Rights: In addition to the rights under the CCPA, consumers will have additional rights under the CPRA, including a) the right to correct personal information, b) the right to know the length of data retention, c) the right to opt out of advertisers using precise geolocation, and d) the right to restrict usage of sensitive personal information.
  • Employee Data: Expanded Moratorium until January 1, 2023: In general, most of the provisions of the CCPA do not cover employee data until at least January 1, 2021. The CPRA will expand that moratorium until at least January 1, 2023.
  • Expanded Breach Liability: In addition to the CCPA’s private right of action for breaches of nonencrypted, nonredacted personal information, the CPRA would expand that right to the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, if the business failed to maintain reasonable security.

The CCPA has not even celebrated its anniversary nor started its enforcement (July 1, 2020), and companies doing business in California will soon have to grapple with the nuances brought by the CPRA. Jackson Lewis will continue to monitor any developments with the CPRA as it marches to the ballots come November 2020.
As the COVID-19 pandemic presses on, privacy and security matters continue to be at the forefront for federal and state legislatures. We recently reported that Washington D.C. updated its data breach notification law. Now, the Vermont legislature has also amended its data breach notification law, with significant overhauls including expansion of its definition of personal information and the narrowing of the permissible circumstances under which substitute notice may be applied. Bill S.110, amending Vermont’s Security Breach Notice Act, V.S.A §§ 2330 & 2335, b23-0215, was signed into law by Governor Phil Scott and will take effect July 1, 2020. In addition, Bill S.110 creates new duties and prohibitions with respect to student privacy directed towards educational technology services (similar to a law first enacted in California and later adopted by over 20 states).

Key updates to Vermont’s Security Breach Notice Act include:

  • Expansion of Personally Identifiable Information (PII)

Following many other states, the new law will add to the data elements that, if breached, could trigger a notification obligation. Prior to this amendment, the definition of PII in Vermont was limited to four basic data elements which, when unencrypted, trigger notice in combination with a consumer’s first name or first initial and last name:

    • Social Security number;
    • Driver license or nondriver identification card number;
    • Financial account number or credit or debit card number, if circumstances exist in which the number could be used without additional identifying information, access codes, or passwords; or
    • Account passwords, personal identification numbers, or other access codes for a financial account.

The amended law includes these elements, and adds the following when combined with a consumer’s first name or first initial and last name:

    • Individual taxpayer identification number, passport number, military identification card number, or other identification number that originates from a government identification document that is commonly used to verify identity for a commercial transaction;
    • Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
    • Genetic information; and
    • Health records or records of a wellness program or similar program of health promotion or disease prevention; a health care professional’s medical diagnosis or treatment of the consumer; or a health insurance policy number.

The amended law will also include notification requirements for breaches of “login credentials”. The amendment defines “login credentials” as “a consumer’s user name or e-mail address, in combination with a password or an answer to a security question, that together permit access to an online account.” If a breach is limited to “login credentials” (and no other PII), the data collector is only required to notify the Attorney General or Department of Finance, as applicable, if the login credentials were acquired directly from the data collector or its agent.

  • Substitute Notice

Previously, substitute notice was permitted where the cost of Direct Notice via writing or telephone would exceed $5,000, more than 5,000 consumers would be receiving notice, or the data collector does not have sufficient contact information.

Under the amended law, substitute notice is only permitted where the lowest cost of providing Direct Notice via writing, email, or telephone would exceed $10,000, or the data collector does not have sufficient contact information. It is no longer permitted to provide substitute notice merely because the number of consumers exceeds a certain threshold.

Student Privacy Law

Finally, Bill S.110 also includes the Student Online Personal Information Protection Act, which prohibits an “operator” from sharing student data and using that data for targeted advertising on students for a non-educational purpose. Under the new law, “operator” means the operator of an Internet website, online service, online application, or mobile application used primarily for K-12 purposes, and designed and marketed as such. The passage of this law is particularly relevant during the COVID-19 pandemic, as student use of education technology services has dramatically increased.

Conclusion

This amendment keeps Vermont in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislatures. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations. The Security Breach Protection Amendment Act of 2019, b23-0215, passed the 12-member D.C. Council unanimously and was signed by D.C. Mayor Muriel Bowser on March 26. The new law became effective on May 19, 2020.

Key updates to D.C.’s new law include:

  • Expansion of personal information

Following many other states, the new law will add to the data elements that, if breached, could trigger a notification obligation. Currently, personal information is defined as (1) any number or code or combination of numbers or codes, such as an account number, security code, access code, or password, that allows access to or use of an individual’s financial or credit account, or (2) an individual’s first name or first initial and last name, or phone number, or address, together with any one or more of the following data elements: Social Security Number; driver license number or DC identification card number; or credit card number or debit card number.

The amendment significantly expands the definition of personal information to include the following new data elements:

  • Identifiers including taxpayer identification number, passport number, military identification number and other unique identification numbers issued on a government document;
  • medical information;
  • genetic information and DNA profile;
  • health insurance information, including a policy number, subscriber information number, or any unique identifier used by a health insurer that permits access to an individual’s health and billing information;
  • biometric data; and
  • any combination of data elements listed above, that would enable a person to commit identity theft without reference to the individual’s name.

Personal information also includes “a user name or email address in combination with a password, security question and answer, or other means of authentication, or any combination of data elements [listed above] that permits access to an individual’s email account.”

  • Notification to Attorney General

Notification to the Office of the Attorney General is now required for any breach affecting 50 or more D.C. residents. Notice must be provided in the “most expedient manner possible, without unreasonable delay, but in no event later than when notice is provided”. There are also several specific content requirements for notice to the Attorney General, including whether there is knowledge of any foreign country involvement.

  • GLBA/HIPAA Exemption

The new law exempts entities subject to GLBA or HIPAA if those entities maintain breach notification procedures and provide notification as required under those laws, as applicable. However, those entities must still notify the Attorney General of any breach that requires notification under GLBA or HIPAA.

  • Risk of Harm Threshold

If a person or entity reasonably determines, after reasonable investigation and consultation with the Office of the Attorney General and federal law enforcement agencies, that the breach likely will not result in harm to affected individuals, notice is not required.

  • Free Mitigation Services for Affected Residents

D.C. joins California, Connecticut, Delaware and Massachusetts in requiring companies to provide identity theft protection or credit monitoring services to residents affected by a breach at no cost. The new D.C. law requires that a person or entity that experiences a breach involving Social Security numbers and/or taxpayer identification numbers offer affected individuals at least 18 months of identity theft protection services at no cost.

Data Security Requirements

Finally, the new law, notably, establishes data security requirements for covered businesses. In short, any business that owns, licenses, maintains, handles or otherwise possesses personal information of D.C. residents must implement and maintain reasonable security safeguards, including procedures and practices that are appropriate to the nature of the personal information and the nature and size of the entity or operation. Further, covered entities must enter into written agreements with their third-party service providers requiring the service provider to implement and maintain similar security procedures and practices.

This amendment keeps Washington D.C. in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

As organizations work feverishly to return to business in many areas of the country, they are mobilizing to meet the myriad challenges of providing safe environments for their workers, customers, students, patients, and visitors. Chief among these challenges are screening for COVID19 symptoms, observing social distancing, contact tracing, and wearing masks. Fortunately, innovators are rising to meet this need, developing a range of technologies – wearables, apps, devices, kiosks, AI, etc. – all designed to support these efforts. But, for many organizations, the question is what technologies are out there and what they should be thinking about in deciding to adopt one or more of them.

Wading through the wide variety of COVID19-related technologies can be like scrolling through your cable provider’s movie guide – lots of time spent, not sure what to choose. So, to help you get a quick, bird’s-eye view of some of the kinds of technologies being developed and which may be available, please see our table of “Selected COVID19 Distancing, Screening, Contact Tracing, and Other Technologies” (Table).*

Needless to say, compiling, implementing, enforcing, and documenting extensive and sometimes conflicting federal, state, and local mandates and recommendations for screening, distancing, contact tracing, and mask wearing requires a significant and ongoing effort. Technologies such as those listed in the Table can help. Some of the features of these technologies include:

  • Wearables that alert the wearer that he or she is getting too close to a colleague may boost an organization’s efforts to adhere to distancing requirements.
  • Kiosks with thermal scanning capabilities may facilitate temperature screening in a faster, more efficient way while minimizing contact that might further the spread of COVID19.
  • Apps that track the locations of individuals could automate otherwise laborious manual contact tracing activities.

The advantages of these technologies can be substantial, quickening the path to compliance and opening the organization’s doors to business. However, organizations should proceed carefully to examine not only whether the particular solution will have the desired effect, but whether it can be implemented in a compliant manner with minimal legal risk. Below are some questions organizations should be considering:

  • What is the organization’s goal for the technology? If the organization’s goal is to keep workers who may have COVID19 from entering its facility, then screening technologies are something the organization may consider. However, if the goal is to identify other workers who may have been exposed to a COVID19-positive co-worker, then contact tracing technologies may be more appropriate. To this end, it is important to consider the organization’s goals prior to selecting technologies for implementation.
  • Does the technology work? For temperature taking/scanning technology, this may mean validation of the accuracy of the device. When looking at contact tracing, accuracy will similarly be key in your efforts to identify co-workers who may be potentially impacted by COVID19.
  • Will the technology require employees to incur expenses that must be reimbursed? In some states, the implementation of this technology may require reimbursement if workers must incur costs or expenses as part of the implementation. For example, if an app requires an employee to have a mobile device for work purposes, expense reimbursement obligations with respect to that device may exist.
  • Is bargaining with the union required? As organizations look to these technologies, there may be numerous instances where the organization will need to consult, and possibly engage in bargaining with, the applicable union(s). Which technology is being contemplated may dictate whether the organization’s efforts are supported or challenged.
  • Is notice/consent required? This may be a difficult question to answer without an understanding of the data that the technology is collecting. For example, the geolocation of employees, their COVID status, and their interactions with others are all likely elements of personal information under the California Consumer Privacy Act (CCPA), which applies to employees who reside in California if the organization is subject to the law. Similarly, electronic tracking of workers or the collection of workers’ biometric information (facial scans, etc.) may require notice and/or consent depending on the state of implementation. If the technology requires access to an employee’s personally-owned device, notice and consent are likely required and, in any case, a best practice. While many think HIPAA is implicated in the collection of workers’ temperatures or responses to screening questions, this is often not the case unless a third-party provider or lab (i.e., a covered entity) is performing the screening, in which case an authorization is needed to share the results with the employer.
  • Will workers participate? Determining whether technology implementation may require notice or consent is discussed above. However, if implementation and/or usage is voluntary, the effectiveness of the technology in meeting the organization’s goals may be substantially impacted. Regardless of whether implementation is voluntary or required, it is important for organizations to communicate with their workers to explain the goals of the technology, answer questions regarding it, and address concerns over privacy and related issues in order to ensure buy-in and effectiveness.
  • How is data collected, shared, secured, returned? Understanding the answers to these questions is imperative in order to help ensure compliance. This is especially true as there are numerous laws which may be implicated when data is collected from workers. These include the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), state laws, the CCPA, and the General Data Protection Regulation (GDPR). In addition to statutory or regulatory mandates, organizations will also need to consider existing contracts or services agreements which may provide for or limit the collection, sharing, storage, or return of data. Finally, whether mandated by law or contract, organizations should still consider best practices to help ensure the privacy and security of the data they are responsible for.
  • Are the employees implementing the technology capable and trained? Should “managers” be viewing dashboards which provide extensive information about many of the organization’s workers? In these uncertain times an organization may be left with no choice other than to expand the list of individuals who may have access to workers’ personal information. However, when doing so, organizations still need to be mindful of the ADA’s confidentiality requirements, discrimination, and state laws protecting against discrimination for lawful off-duty conduct (which may be discovered during the monitoring process). Addressing privacy and security obligations through a confidentiality agreement may be one way to help address these concerns.
  • What is the relationship with the vendor? The organization’s relationship with the vendor is established by way of a contract or service agreement. It is important for these contracts/agreements to include confidentiality, data security, and similar provisions. This is most important if the vendor will be maintaining, storing, accessing, or utilizing the information collected about the organization’s workers.
  • When should we stop using the technology? The Equal Employment Opportunity Commission (EEOC) has said that currently COVID19 meets the ADA’s direct threat standard and thus organizations may screen, take the temperatures of, and test workers prior to permitting those workers onsite. The EEOC has not yet expressly addressed contact tracing. As organizations look to the future, and the hoped-for end of the COVID19 pandemic, they will need to consider when the state of the pandemic no longer supports the use of these technologies. The EEOC may provide that guidance; however, organizations may still have reasons to continue utilizing some of these technologies. For example, contact tracing may continue to help slow/limit spread within an organization. Similarly, organizations may face contractual demands from customers or clients who are looking to limit future risks or outbreaks related to COVID19. At points during this process, organizations also will need to consider whether and for how long to retain the data collected.

In short, in 2020 we have extensive technology at our disposal and/or in development which may play a crucial role in helping organizations address COVID19, ensuring a safe and healthy workplace and workforce, and preventing future pandemics. Nevertheless, organizations must consider the legal risks, challenges, and requirements of any such technology prior to implementation.

*As noted, the Table is for general information purposes only. We have sampled none of these products or services. Neither the selection of these products and services nor the exclusion of others is in any way intended as an endorsement of, or opposition to, any type of product, service, application, or any manufacturer. The listing is intended solely to provide readers with a general, high-level overview of the kinds of products being developed to address certain aspects of COVID19 remediation. This is by no means an exhaustive list. All readers must carefully evaluate their own specific needs for COVID19 mitigation and compliance, review the specific features and specifications of any technology being considered, configure and install it with qualified information systems specialists, and obtain experienced and informed legal counsel concerning the applicable legal and compliance requirements for the selection and implementation of any technology solution.

Over the past few months, businesses across the country have been focused on the California Consumer Privacy Act (CCPA), which dramatically expands privacy rights for California residents and provides a strong incentive for businesses to implement reasonable safeguards to protect personal information. That focus is turning back east as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) becomes effective in less than two weeks. With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more expansive data security requirements and updates the state’s existing data breach notification requirements.

This post highlights some features of the SHIELD Act. Given the complexities involved, organizations would be well-served to address their particular situations with experienced counsel.

When does the SHIELD Act become effective?

The SHIELD Act has two effective dates:

  • October 23, 2019 – Changes to the existing breach notification rules
  • March 21, 2020 – Data security requirements

Which businesses are covered by the SHIELD Act?

The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York.

Are there any exceptions for small businesses?

As before the SHIELD Act, there are no exceptions for small businesses in the breach notification rule. A small business that experiences a data breach affecting the private information of New York residents must notify the affected persons. The same is true for persons or businesses that maintain (but do not own) computerized data that includes private information of New York residents. Persons or businesses that experience a breach affecting that information must notify the information’s owner or licensee.

However, the SHIELD Act’s data security obligations include some relief for small businesses, defined as any person or business with:

The much anticipated California Consumer Privacy Act (“CCPA”) is now in effect (as of January 1, 2020), and, as we’ve recently reported, class action litigation under the CCPA has already begun. Organizations should have already assessed whether their business is subject to the new law and, if so, taken steps to ensure compliance. Likely, one of the most difficult compliance areas of the CCPA is responding to consumer requests to know the personal information a business collects about them. Under the CCPA, consumers have the right to know what personal information a business is collecting about them. The information must be made available, free of charge, within 45 days, although extensions are available in limited circumstances. The business’s response to a request to know must be in a “readily useable format that allows the consumer to transmit this information to another entity without hindrance.” In addition, in October of 2019, as required by the CCPA, Attorney General Xavier Becerra announced Proposed Regulations that operationalize the new law and provide clarity and specificity to assist in implementation of the CCPA. The Proposed Regulations, which were recently updated, have yet to be finalized, but as they stand they have a technical and substantive impact on the consumer request to know process.

The CCPA defines “personal information” very broadly, which is the reason consumer requests to know are particularly cumbersome for businesses. Per the statute, personal information is that which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes the types of personal information we are used to seeing, including Social Security numbers and driver’s license numbers; it also includes a person’s name and address (physical and email). In addition, it may include less obvious things like the person’s browsing history, biometric data, and geolocation data.

The following are practical tips for handling consumer requests to know:

Preparing for compliance

  • Identification of process owner: Organizations should designate a person or team to handle requests to know.
  • Develop an effective process: Organizations should have clear internal policies and procedures for responding to requests. Like the discovery process in litigation, reviewing data in response to a request can be incredibly burdensome. Personal information must be transmitted securely and all deleted information must be permanently erased, deidentified or aggregated. Organizations may want to employ technology and outside partners to make this process more efficient. For example, current technology is available to make files more easily searchable, to extract key metadata, and to remove duplicate files to eliminate redundancy. In addition, organizations must maintain records of consumer requests for at least 24 months, and these records generally cannot be used for any other purpose.
  • Training: The response team (which may include third party service providers if applicable), and other key staff and management involved in handling requests must receive training on what a consumer may request and the organization’s policies and procedures for responding to requests.
  • Data mapping: Organizations should have an easy-to-access record of what personal data they are storing, why they have the data, how they use the data, with whom they share the data, how long they retain the data, and where it is located.
  • Provide a method for requests: Under the CCPA, organizations are required to create at least two designated methods for submitting disclosure requests, including, at minimum, a toll-free number and another acceptable method, such as an email address. Organizations should provide clear direction on how to submit requests to know and should not make the process difficult, as this could lead to fines for non-compliance.

Responding to a request

  • Ensure request is valid: To comply with requests to know, organizations need verification and authentication processes to confirm the identity of the consumer making the request and the validity of the request. A request made by a third party on behalf of someone else should be refused without written authority. The Proposed Regulations require organizations to establish, document and comply with reasonable methods for verifying the identity of the consumer. There are also several factors for determining the “reasonable” identity verification method:
    • The type, sensitivity and value of the personal information collected;
    • The risk of harm to the consumer posed by unauthorized access or deletion;
    • The likelihood that fraudulent or malicious actors would seek the personal information;
    • Whether the personal information the consumer must provide in order to verify their identity is easily spoofed or fabricated;
    • The manner in which the business interacts with the consumer; and
    • Available technology for verification.

If the identity of the consumer cannot be verified, the individual submitting the request must be informed that the request cannot be verified. Moreover, organizations must implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to these records. Note that there are separate verification requirements if the organization maintains a password-protected account with the consumer. Organizations should not collect additional data during the verification process. Instead, they should rely on existing credentials. For example, if, during the period it collected the data, the organization required a dedicated user name, it should use this to verify the requester. We will be addressing some of these issues in other posts; check out one of our recent blog posts on the topic available here.

  • Narrow the search: Ideally, requests to know should be as specific as possible, and organizations should work with the requestor to narrow the scope as much as possible. For example, if a consumer requests all personal information ever collected by the organization, the search could be vast. But if the organization works with the consumer to determine the specific matter of the consumer’s concern, the requesting consumer may agree to narrow the scope of the request.
  • Determine universe of data that should be searched: This may include electronic records, emails, archived information, information stored on organizational databases and paper files. The CCPA requires disclosure of certain information in response to a request to know, including the source, the purpose for collection and any third parties with which the data is shared, among others; organizations should ensure they are disclosing all required information.
  • Ensure response is timely: Organizations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received (not from when the request is verified), although an extension may be possible. It can take a considerable amount of time to respond to a request, and this is a short timeframe. Thus, organizations should begin work on the request as soon as it is received.
  • Review response to ensure it does not contain the personal information of others: The individual is only entitled to their own personal data, and organizations must redact any documents or information related to another individual, unless that individual has provided consent. This becomes complicated in the context of joint household requests. Under the CCPA, all members of a household can jointly request to know or delete specific pieces of personal information for the household. While the household request was referenced in the CCPA, only in the update to the Proposed Regulations have procedures for this request been addressed – businesses may respond to household requests only if all consumers of the household jointly make the request, the business verifies the identity of each consumer, and the business verifies that each is a current household member. If a member of the household is under 13 years of age, there must be verifiable parental consent before compliance with the request.
  • Monitor compliance: Compliance with company policies and procedures for responding to requests should be periodically audited.

It should be noted that under the CCPA consumers are afforded several rights with regard to their personal information, including, for example, the “right to delete” the information businesses have collected about them. While the practical tips described above are particularly geared towards a consumer’s “right to know”, the underlying principles generally can be applied to other forms of consumer requests as well.

In addition, as of now, businesses are exempt from most CCPA obligations with regard to their employees – the exclusion includes information collected “by a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business” (see more on this in a recent blog post discussing employees under the CCPA). As of now, however, this exemption sunsets on January 1, 2021, and while it is not clear what will happen then, considering the current direction of privacy law, it seems likely that there will be more and not less privacy protections for employees by the end of 2020.


As reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA). Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, Salesforce.com, alleges negligence and a failure to maintain reasonable safeguards, among other things, leading to a data breach. The complaint specifically seeks recovery under the CCPA – Cal. Civ. Code § 1798.100, et seq.

The complaint alleges a familiar story – in the latter part of 2019, hackers compromised the retailer’s website with malware enabling the hackers to scrape names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates of thousands of the retailer’s customers. Hanna Andersson notified affected persons of the breach on January 15, 2020, and the complaint was filed on February 3, 2020.

Whether the complaint alleges sufficient harm for the case to proceed will be for the court to determine, but under the CCPA that may not be necessary. The new California law authorizes a private cause of action against covered businesses if a failure to implement reasonable safeguards to protect personal information results in a data breach. Cal. Civ. Code § 1798.150. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

To bring an action for statutory damages under the CCPA, consumers must first notify the business of the alleged violation. The business then has thirty days to cure the violation and provide the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.” It does not appear an opportunity to cure was provided in this case. Also, the breach reportedly occurred in 2019, before the CCPA became effective (January 1, 2020).

Regardless of the outcome of this case, certainly one we will be watching, it should serve as an important reminder for businesses to ensure they have reasonable safeguards in place to protect personal information. Under California law,

A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Cal. Civ. Code § 1798.81.5(b).

But, the meaning of “reasonable safeguards” is not entirely clear in California. One place to look is the California Data Breach Report (Report) that former California Attorney General Kamala D. Harris issued in February 2016. According to the Report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.

It is not clear that adherence to those controls will provide a sufficient basis to defend a business from an action under the CCPA relating to a data breach. But, those controls might be a good place to start. It also is important to understand how those safeguards should be applied.

First, the CCPA’s private right of action for data breaches applies with respect to personal information of consumers and employees, applicants, officers, etc. Personal information of consumers and employees often resides on different systems, subject to access by different users, and collected, processed, and stored by different third party service providers. Thus, it is important to think broadly when safeguarding personal information that could trigger a class action under this section.

Second, “personal information” for purposes of the “reasonable safeguards” requirement is much narrower than the general definition of personal information for CCPA purposes. Specifically, the private right of action under Cal. Civ. Code § 1798.150 extends only to personal information “as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5.” This means:

(A)  An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute. As data breaches continue to plague businesses across the country, including those subject to the CCPA, ensuring reasonable safeguards are in place may be the best defense.

With the California Consumer Privacy Act (CCPA) effective for nearly one month, businesses continue to grapple with the many components of this new privacy framework. A key component of the CCPA is granting consumers the right to request information about and to exercise some control over their personal information. Developing sufficient mechanisms to receive, process and respond to these requests is a central and complex area of compliance for businesses. One aspect of processing consumer requests requires verifying the identity of the individuals making the requests, and their authority to be making the request.

The CCPA directed the State’s Attorney General to establish rules and procedures to govern a business’s determination that a request received from a consumer is a “verifiable consumer request.” In fact, the statute provides that businesses are not obligated to provide information to consumers if the business cannot verify that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer. On October 10, 2019, the California Attorney General’s (AG) office issued proposed regulations which, among other things, begin to address how businesses can structure procedures for verifying consumers when they seek to exercise their “Right to Know” and “Right to Delete.”

So how does a company verify a consumer’s identity? In this post, we address the general rules, bearing in mind they may change when the Attorney General’s office finalizes its regulations.

General Rules

Currently, businesses have some flexibility in determining the method by which they verify a consumer’s identity, although there are some basic guidelines they must follow:

  • Where they can feasibly do so, businesses should match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business.
  • Businesses should avoid collecting certain types of sensitive personal information (e.g. SSN, government IDs, financial information, medical and health information, and biometric data), unless it is necessary to verify the consumer. See Civ. Code Sec. 1798.81.5(d).
  • Shape the verification method based on certain factors, such as: 1) type, sensitivity or value of personal information, 2) risk of harm to the consumer posed by unauthorized access or deletion, 3) likelihood that bad actors would seek the information, 4) vulnerability to being spoofed or fabricated, 5) manner in which the business interacts with the consumer, and 6) available technology for verification.
  • If the business uses a third-party identity verification service, be sure it complies with the CCPA rules for verification. Additionally, businesses should ensure these service providers maintain reasonable safeguards to protect the personal information they process in the course of verification.

Takeaways

The guidelines proposed by the AG’s office regarding verification boil down to “reasonableness,” as they give businesses a wide range of discretion and flexibility to establish a workable method that fits the business’ operation and financial capabilities. After establishing a “reasonable” method, the business has to document and comply with the method it has established.

Depending on the business’ capabilities, they can match the categories of information the consumer provides with the information the business already possesses or utilize a third-party verification service provider. Either way, businesses should refrain from requesting additional information for verification, unless doing so is necessary to protect the consumer.

Once the business has considered these items, they can get to work on shaping specific procedures for verification taking into account issues such as:

  • Who can make requests
  • Account holders versus non-account holders
  • “Requests to Know” versus “Requests to Delete”
  • Requests for categories of information versus specific pieces of information
  • Use of Authorized Agents

Please stay tuned as we address these in future blog posts.

2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning to catch up which is prompting a significant uptick in compliance efforts.

The California Consumer Privacy Act and Its Admirers

On January 1, 2020, the long anticipated, hotly debated, and already amended California Consumer Privacy Act (CCPA) went into effect. According to a survey conducted by ComplianceWeek.com, however, nearly 80% of respondents felt either “somewhat confident,” “uncertain,” or “not confident at all” they would be compliant by the effective date. These results may be due to a variety of reasons: a lack of awareness or resources, reliance on the extended CCPA enforcement date (July 1, 2020), a belief that the California Attorney General enforcement efforts will be directed elsewhere, and/or anticipation of final regulations/further guidance from the California Attorney General.

Nonetheless, many businesses are working on CCPA compliance: mapping consumer data; providing notices at collection to consumers, employees, and applicants; updating websites and privacy policies; building internal procedures to verify and respond to consumer requests; and tightening their safeguards for protecting personal information. These efforts are worthwhile for many businesses as they are likely to yield dividends beyond California.

Following California’s lead, a number of other states have introduced similar measures in 2020 regarding individual privacy rights. These legislative efforts include: Florida (SB 1670, HB 963); Hawaii (SB 418, SB 2451); Illinois (SB 2330); Maryland (HB 249); Nebraska (LB 746); New Hampshire (HB 1680); New Jersey (S269, S236, A2188); Vermont (H. 899); Virginia (HB 473); Washington (HB 2759). Earlier efforts began in 2019: New Mexico (SB 176); New York (A 6351, S 4411); Pennsylvania (HB 1049); Rhode Island (S 234, H 5930); and Texas (HB 4518). All of these measures may fail, but California’s influence on state privacy law is considerable. Remember, the country’s first data breach notification law became effective in 2003 in California, and now all 50 states have such a law, as do a number of other countries.

Adoption of Biometric Technology Grows, Along with Regulation

SourceToday.com reports that “by 2025, Zion Market Research expects the global next-generation biometric market to reach $36.8 billion, up from $12.9 billion last year.” The same report cites Deloitte’s 2018 global mobile consumer survey (US edition) which finds that at least one biometric authentication method is used by nearly half of U.S. smartphone owners. The trend for biometrics is on the rise.

Organizations that collect and use biometric identifiers/information (e.g. fingerprints, face scans, etc.) should be mindful of the increasing privacy and data security regulation around biometric technologies and applications. While biometrics may be helpful in preventing fraud, managing employees’ time, or improving security, these benefits must be considered against the potential legal and compliance risks.

The most critical of these risks exists in Illinois under its Biometric Information Privacy Act (BIPA). Under BIPA a plaintiff is entitled to statutory damages for violations, and actual harm is not required in order for an individual to sue. BIPA is at the heart of hundreds of putative class action lawsuits in Illinois. Compliance steps such as obtaining consent prior to collection or use and establishing a written policy may help mitigate risk. For more information on the BIPA and biometric information related concerns, check out our FAQs.

Of course, BIPA does not present the only compliance concern. In California, for example, the CCPA includes biometric information as a specific category of personal information, and following a change in 2019, a breach of biometric information could trigger a notification requirement. Other states regulating biometric information in one form or another include, without limitation, Arkansas, Colorado, Florida, Massachusetts, Nebraska, New York, Texas, and Washington.

Organizations’ Websites Provide a Window Into Compliance

Websites facilitate communication with consumers, constituents, patients, employees, and the general public. They project an organization’s image and promote goodwill, provide information about products and services and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have become an increasing subject of regulation making them a growing compliance concern, particularly as they are open to inspection by the public.

CCPA privacy policies, ADA accessibility, HIPAA notice of privacy practices, and COPPA consent mandates are just a few of the compliance requirements affecting websites and online applications or services. In 2020 and beyond, organizations will need to take a closer look at these and other compliance issues concerning their websites and online services.

Telephone Consumer Protection Act (TCPA)

While the Supreme Court did not choose to address whether the Hobbs Act (also known as the Administrative Orders Review Act) requires a district court to accept the Federal Communications Commission (FCC) interpretation of the TCPA (PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., No. 17-1705), there have been a number of other developments impacting the TCPA. In December 2019, the FCC ruled that online faxes are TCPA exempt, and the Supreme Court recently accepted certiorari of a petition to rule on the constitutionality of the TCPA. In granting certiorari, the Court agreed to review a ruling of the Fourth Circuit which held that a TCPA exemption for government debt collectors was in violation of the First Amendment. The case could have a significant impact on TCPA claims. Further, Congress recently proposed the TRACED Act, to combat the increasing number of robocall scams and other intentional violations of telemarketing laws. The TRACED Act, if passed, broadens FCC authority to levy civil penalties and extends the time period for the FCC to catch and take civil enforcement action against intentional violations. Needless to say, 2020 should be an interesting year for the TCPA.

Cybersecurity, Cybersecurity, and Cybersecurity

A rundown of anticipated, critical cybersecurity risks vying for attention at the upcoming RSA Conference in 2020 (the world’s biggest conference for CISOs) should provide reason enough for organizations to redouble their efforts at tightening security. But that is not all.

Less than two months from now, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) becomes effective, imposing expansive data security requirements on companies. Among other things, and similar to data security frameworks in other states such as California, Colorado, Massachusetts, and Oregon, the SHIELD Act requires that any person or business, including a small business, that owns or licenses computerized data which includes private information of a resident of New York must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

Examples of practices considered reasonable administrative safeguards under the law include risk assessments, employee training, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposal of private information within a reasonable time period.

Similar frameworks already exist in other states. For example, in 2018, Colorado enacted HB 1128, creating obligations for businesses to maintain “reasonable security procedures and practices” for protecting personal identifying information. Similar rules have been in place since 2010 in Massachusetts. Requirements for reasonable safeguards to protect personal information also exist in numerous other states such as Alabama, Florida, Nevada, Illinois, Indiana, and Utah.

But, we will end where we began, the CCPA. We believe it will be an important driver of “reasonable safeguards” for personal information. This is because, similar to BIPA, the CCPA authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. As the CCPA provides for statutory damages, plaintiffs in these lawsuits may not have to show actual harm or injury to recover.

*      *     *     *     *

For these reasons and others, we believe 2020 will be a significant year for privacy and data security.

Happy Privacy Day!

Some business leaders and HR professionals may be waking up this morning not realizing they must provide a “Notice at Collection” to some or all of their employees and applicants under the new California Consumer Privacy Act (CCPA). This is not surprising given the confusion during 2019 about whether this law would reach that far. The passage of AB 25 confirmed that while employees would be temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information, driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

Before addressing these two employment-related aspects of the CCPA, it is helpful to remember which entities are subject to CCPA. The basic rule follows.

In general, the CCPA applies to a “business” that:

A. does business in the State of California,

B. collects personal information (or on behalf of which such information is collected),

C. alone or jointly with others determines the purposes or means of processing of that data, and

D. satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

For more information on this part of the law, please review Does the CCPA Apply to Your Business?

Notice at Collection

A “notice at collection” requires two pieces of information be communicated to the consumer/employee:

  1. The categories of personal information collected by the business. There are eleven categories of personal information, such as identifiers, geolocation data, biometric information, employment-related information, etc. See Cal. Civ. Code Sec. 1798.140(o).
  2. For each category, the uses of personal information by the business.

There are, of course, some questions employers may have about this notice, such as:

    • Who must get it? AB 25 refers to the following categories of “consumers” (natural persons who are California residents) – job applicants to, employees of, owners of, directors of, officers of, medical staff members of, or contractors of the business. Note, the CCPA does not define these terms, and recent proposed regulations do not address AB 25 at all. Guidance may come with final regulations.
    • When must they get it? The statute requires the notice to be provided at or before collection of personal information. In the case of applicants, that might mean providing the notice on the company’s website if, for example, it receives information from applicants on the site concerning open positions. In the case of employees, assuming different notices will be provided because more information is collected from employees, a notice at the beginning of the onboarding process, such as with offer letters, might make sense. Some employers may want to include the notice in employee handbooks, although this may not satisfy the “at or before collection” requirement. Handbooks typically are not provided until after some personal information has been collected from an employee, but a handbook could provide employees a place for easy reference to the business’s practices concerning personal information.
    • Is notice required for current employees? It is true that businesses have already collected personal information about individuals working for the company prior to 2020. However, collection is an ongoing process. One of the categories of personal information, for example, is website browsing activity. Many businesses now continually track this activity if only to safeguard their systems and implement electronic communications and information systems policies.
    • Include information on where employees can go with questions? This is not currently required. Providing employees, applicants, and others a place to go with questions, however, might be a good idea. Employees may not have received this kind of notice before and may have a number of questions. Designating individuals in the organization to address those questions, and directing employees and applicants to those individuals, would help to ensure consistent messaging about the business’s practices.

Reasonable Safeguards

The second issue for employers under the CCPA is safeguarding employee personal information. Under the CCPA, California consumers, including employees and applicants, affected by a data breach can bring an action for statutory damages when the breach is caused by the business’s failure to maintain reasonable safeguards to protect a subset of personal information and following a 30-day cure period. A consumer can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

There is no regulatory guidance in California concerning what it means to have “reasonable safeguards.” However, former California Attorney General Kamala Harris issued a 2016 data breach report in which she interpreted an existing California statute, Cal. Civ. Code 1798.81.5(b), to mean that businesses must at least satisfy the 20 controls in the Center for Internet Security’s Critical Security Controls in order to be considered reasonable. It is not clear if those controls will be sufficient to meet the CCPA’s standard, but they would be a good place to look for guidance. Note also that the “reasonable safeguards” obligation applies to a subset of personal information, namely:

An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social security number,
  2. Driver’s license number, California identification card number, and government identifiers (i.e. tax identification number, passport number, military identification number),
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account,
  4. Medical information,
  5. Health insurance information, and
  6. Biometric identifiers.
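The subset quoted here, and in the fuller §1798.81.5(d)(1)(A) excerpt earlier on the page, is precise enough to encode as a data-classification check. The following is an added example, not code from the original post; the class, field and sample names are this example's own assumptions, and it applies the two element-specific qualifiers (a card number only counts with a security code or password; a photograph only counts if used for facial recognition) as well as the “either the name or the data element is unencrypted” rule.

```python
"""Added example (not from the original post): classify records against the
Cal. Civ. Code 1798.81.5(d)(1)(A) subset quoted on the page: a first name or
initial plus last name combined with at least one listed data element, where
either the name or that element is unencrypted and unredacted. Names below are
this example's own assumptions and the sample records are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Element(Enum):
    SSN = "ssn"                              # (i)
    GOV_ID = "government_id"                 # (ii) licence, passport, ...
    FINANCIAL_ACCOUNT = "financial_account"  # (iii) account or card number
    MEDICAL = "medical"                      # (iv)
    HEALTH_INSURANCE = "health_insurance"    # (v)
    BIOMETRIC = "biometric"                  # (vi)


@dataclass
class DataField:
    label: str
    element: Element
    protected: bool            # stored encrypted or redacted
    # (iii): a number counts only together with a security/access code or password
    has_access_credential: bool = False
    # (vi): a photograph counts only if used or stored for facial recognition
    is_photo: bool = False
    facial_recognition: bool = False


@dataclass
class Record:
    subject_id: str
    first_name_or_initial: Optional[str]
    last_name: Optional[str]
    name_protected: bool       # name stored encrypted or redacted
    fields: List[DataField] = field(default_factory=list)


def element_qualifies(f: DataField) -> bool:
    """Apply the element-specific qualifiers in (iii) and (vi)."""
    if f.element is Element.FINANCIAL_ACCOUNT:
        return f.has_access_credential
    if f.element is Element.BIOMETRIC and f.is_photo:
        return f.facial_recognition
    return True


def in_scope_elements(rec: Record) -> List[str]:
    """Labels of the fields that bring this record inside the (A) subset."""
    if not (rec.first_name_or_initial and rec.last_name):
        return []              # no name combination, so nothing triggers
    hits = []
    for f in rec.fields:
        if not element_qualifies(f):
            continue
        if rec.name_protected and f.protected:
            continue           # both halves encrypted/redacted: excluded
        hits.append(f.label)
    return hits


def breach_scope(records: List[Record]) -> List[str]:
    """Subject ids whose records fall inside the subset, each counted once
    (useful for sizing a breach or a safeguards review)."""
    return [r.subject_id for r in records if in_scope_elements(r)]


def statutory_damages_range(consumers: int) -> Tuple[int, int]:
    """$100 to $750 per consumer per incident, the CCPA figures quoted above."""
    return (100 * consumers, 750 * consumers)


# Constructed sample records, not real data.
SAMPLE = [
    Record("c1", "Ana", "Lopez", False,
           [DataField("ssn", Element.SSN, protected=False)]),
    Record("c2", "B", "Chen", False,            # card number with no credential
           [DataField("card", Element.FINANCIAL_ACCOUNT, protected=False)]),
    Record("c3", "Cy", "Dube", True,            # name and card+cvv both encrypted
           [DataField("card+cvv", Element.FINANCIAL_ACCOUNT, protected=True,
                      has_access_credential=True)]),
    Record("c4", "Di", "Eze", True,             # name encrypted, card+cvv in clear
           [DataField("card+cvv", Element.FINANCIAL_ACCOUNT, protected=False,
                      has_access_credential=True)]),
    Record("c5", "E", "Fox", False,             # badge photo, no face matching
           [DataField("photo", Element.BIOMETRIC, protected=False, is_photo=True)]),
    Record("c6", None, "Gill", False,           # last name only
           [DataField("ssn", Element.SSN, protected=False)]),
    Record("c7", "H", "Ito", False,             # clear name, one encrypted element
           [DataField("medical", Element.MEDICAL, protected=True),
            DataField("passport", Element.GOV_ID, protected=False)]),
]
```

On the constructed sample, `breach_scope(SAMPLE)` returns `['c1', 'c4', 'c7']`: the lone card number (c2), the fully encrypted record (c3), the non-recognition photo (c5) and the name-less record (c6) all fall outside the subset.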

Thus, businesses should be reviewing their data security policies and procedures not just with respect to consumer data, but also employment-related activities – payroll, benefits, recruiting, direct deposit, shared-services, background checks, etc. This also means evaluating what their third-party service providers are doing to protect personal information of employees, applicants, contractors, etc. Note other states also have similar mandates, including Colorado, Massachusetts and New York (coming soon in March 2020).

Businesses that find themselves subject to the CCPA should act quickly to satisfy their AB 25 requirements. Of course, this may be temporary because AB 25 sunsets on January 1, 2021. However, considering the current direction of privacy law, it seems likely that there will be more and not less privacy protections for employees by the end of 2020.