The much anticipated California Consumer Privacy Act (“CCPA”) is now in effect (as of January 1, 2020), and as we’ve recently reported, class action litigation under the CCPA has already begun.  Organizations should have already assessed whether their business is subject to the new law and if so, taken steps to ensure compliance.  Likely, one of the most difficult compliance areas of the CCPA is responding to consumer requests to know the personal information a business collects about them.  Under the CCPA consumers have the right to know what personal information a business is collecting about them.  The information must be made available, free of charge, within 45 days, although extensions are available in limited circumstances. The business’s response to a request to know must be in a “readily useable format that allows the consumer to transmit this information to another entity without hindrance.” In addition, in October of 2019, as required by the CCPA, Attorney General Xavier Becerra announced Proposed Regulations that operationalize the new law and provide clarity and specificity to assist in implementation of the CCPA. The Proposed Regulations, which were recently updated, have yet to be finalized, but as is, have a technical and substantive impact on the consumer request to know process.

The CCPA defines “personal information” very broadly, which is the reason consumer requests to know are particularly cumbersome for businesses. Per the statute, personal information is that which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes the types of personal information we are used to seeing, including Social Security numbers and driver’s license numbers; it also includes a person’s name and address (physical and email). In addition, it may include less obvious things like the person’s browsing history, biometric data, and geolocation data.

The following are practical tips for handling consumer requests to know:

Preparing for compliance

  • Identification of process owner: Organizations should designate a person or team to handle requests to know.
  • Develop an effective process: Organizations should have clear internal policies and procedures for responding to requests. Like the discovery process in litigation, reviewing data in response to a request can be incredibly burdensome. Personal information must be transmitted securely and all deleted information must be permanently erased, deidentified or aggregated. Organizations may want to employ technology and outside partners to make this process more efficient. For example, current technology is available to make files more easily searchable, to extract key metadata, and to remove duplicate files to eliminate redundancy. In addition, organizations must maintain records of consumer requests for at least 24 months, and these records generally cannot be used for any other purpose.
  • Training: The response team (which may include third party service providers if applicable), and other key staff and management involved in handling requests must receive training on what a consumer may request and the organization’s policies and procedures for responding to requests.
  • Data mapping: Organizations should have an easy-to-access file of what personal data it is storing, why it has the data, how it uses the data, with whom it shares the data, how long it retains the data, and where it is located.
  • Provide a method for requests: Under the CCPA, organizations are required to create at least two designated methods for submitting disclosure requests, including, at minimum, a toll-free number and another acceptable method, such as an email address. Organizations should provide clear direction on how to submit requests to know and should not make the process difficult, as this could lead to fines for non-compliance.

Responding to a request

  • Ensure request is valid: To comply with requests to know, organizations need verification and authentication processes to confirm the identity of the consumer making the request and the validity of the request. A request made by a third party on behalf of someone else should be refused without written authority. The Proposed Regulations require organizations to establish, document and comply with reasonable methods for verifying the identity of the consumer. There are also several factors for determining the “reasonable” identity verification method:
    • The type, sensitivity and value of the personal information collected;
    • The risk of harm to the consumer posed by unauthorized access or deletion;
    • The likelihood that fraudulent or malicious actors would seek the personal information;
    • Whether the personal information the consumer must provide in order to verify their identity is easily spoofed or fabricated;
    • The manner in which the business interacts with the consumer; and
    • Available technology for verification.

If the identity of the consumer cannot be verified, the individual submitting the request must be informed that the request cannot be verified. Moreover, organizations must implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to these records. Note that there are separate verification requirements if the organization maintains a password-protected account with the consumer. Organizations should not collect additional data during the verification process. Instead, they should rely on existing credentials. For example, if, during the period it collected the data, the organization required a dedicated user name, it should use this to verify the requester. We will be addressing some of these issues in other posts; check out one of our recent blog posts on the topic available here.

  • Narrow the search: Ideally, requests to know should be as specific as possible, and organizations should work with the requestor to narrow the scope as much as possible. For example, if a consumer requests all personal information ever collected by the organization, the search could be vast. But if the organization works with the consumer to determine the specific matter of the consumer’s concern, the requesting consumer may agree to narrow the scope of the request.
  • Determine universe of data that should be searched: This may include electronic records, emails, archived information, information stored on organizational databases and paper files. The CCPA requires disclosure of certain information in response to a request to know, including the source, the purpose for collection and any third parties with which the data is shared, among others; organizations should ensure they are disclosing all required information.
  • Ensure response is timely: Organizations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received, not from when the request is verified, although an extension may be possible. It can take a considerable amount of time to respond to a request, and this is a short timeframe. Thus, organizations should begin work on the request as soon as it is received.
  • Review response to ensure it does not contain the personal information of others: The individual is only entitled to their own personal data, and organizations must redact any documents or information related to another individual, unless that individual has provided consent. This becomes complicated in the context of joint household requests. Under the CCPA, all members of a household can jointly request to know or delete specific pieces of personal information for the household. While the household request was referenced in the CCPA, only in the update to the Proposed Regulations have procedures for this request been addressed – businesses may respond to household requests only if all consumers of the household jointly make the request, the business verifies the identity of each consumer, and verifies that each is a current household member. If a member of the household is under 13 years of age, there must be verifiable parental consent before compliance with the request.
  • Monitor compliance: Compliance with company policies and procedures for responding to requests should be periodically audited.

It should be noted that under the CCPA consumers are allotted several rights in regards to their personal information, including, for example the “right to delete” the information businesses have collected about them, and while the practical tips described above are particularly geared towards a consumer’s “right to know”, the underlying principles generally can be applied to other forms of consumer requests as well.

In addition, as of now, businesses are exempt from most CCPA obligations in regards to their employees – the exclusion includes information collected “by a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business” (see more on this in a recent blog post discussing employees under the CCPA). As of now, however, this exemption sunsets on January 1, 2021, and while it is not clear what will be, considering the current direction of privacy law, it seems likely that there will be more and not less privacy protections for employees by the end of 2020.


As reported by Bloomberg Law, data breach class action litigation has begun under the California Consumer Privacy Act (CCPA). Filed in the Northern District of California, San Francisco Division, a putative class action lawsuit against Hanna Andersson, LLC and its ecommerce platform provider, Salesforce.com, alleges negligence and a failure to maintain reasonable safeguards, among other things, leading to a data breach. The complaint specifically seeks recovery under the CCPA – Cal. Civ. Code § 1798.100, et seq.

The complaint alleges a familiar story – in the latter part of 2019, hackers compromised the retailer’s website with malware enabling the hackers to scrape names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates of thousands of the retailer’s customers. Hanna Andersson notified affected persons of the breach on January 15, 2020, and the complaint was filed on February 3, 2020.

Whether the complaint alleges sufficient harm for the case to proceed will be for the court to determine, but under the CCPA that may not be necessary.  The new California law authorizes a private cause of action against covered businesses if a failure to implement reasonable safeguards to protect personal information results in a data breach. Cal. Civ. Code § 1798.150. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

To bring an action for statutory damages under the CCPA, consumers must first notify the business of the alleged violation. The business then has thirty days to cure the violation and provide the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.” It does not appear an opportunity to cure was provided in this case. Also, the breach reportedly occurred in 2019, before the CCPA became effective (January 1, 2020).

Regardless of the outcome of this case, certainly one we will be watching, it should serve as an important reminder for businesses to ensure they have reasonable safeguards in place to protect personal information. Under California law,

A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Cal. Civ. Code § 1798.81.5(b).

But, the meaning of “reasonable safeguards” is not entirely clear in California.  One place to look is in the California Data Breach Report (Report) former California Attorney General, Kamala D. Harris, issued in February, 2016. According to the Report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.

It is not clear that adherence to those controls will provide a sufficient basis to defend a business from an action under the CCPA relating to a data breach. But, those controls might be a good place to start. It also is important to understand how those safeguards should be applied.

First, the CCPA’s private right of action for data breaches applies with respect to personal information of consumers and employees, applicants, officers, etc. Personal information of consumers and employees often resides on different systems, subject to access by different users, and collected, processed, and stored by different third party service providers. Thus, it is important to think broadly when safeguarding personal information that could trigger a class action under this section.

Second, “personal information” for purposes of the “reasonable safeguards” requirement is much narrower than the general definition of personal information for CCPA purposes. Specifically, the private right of action under Cal. Civ. Code § 1798.150 extends only to personal information, “as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5.” This means:

(A)  An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute. As data breaches continue to plague businesses across the country, including those subject to the CCPA, ensuring reasonable safeguards are in place may be the best defense.

With the California Consumer Privacy Act (CCPA) effective for nearly one month, businesses continue to grapple with the many components of this new privacy framework. A key component of the CCPA is granting consumers the right to request information about and to exercise some control over their personal information. Developing sufficient mechanisms to receive, process and respond to these requests is a central and complex area of compliance for businesses. One aspect of processing consumer requests requires verifying the identity of the individuals making the requests, and their authority to be making the request.

The CCPA directed the State’s Attorney General to establish rules and procedures to govern a business’s determination that a request received from a consumer is a “verifiable consumer request.” In fact, the statute provides that businesses are not obligated to provide information to consumers if the business cannot verify the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer. On October 10, 2019, the California Attorney General’s (AG) office issued proposed regulations which, among other things, begin to address how businesses can structure procedures for verifying consumers when they seek to exercise their “Right to Know” and “Right to Delete.”

So how does a company verify a consumer’s identity? In this post, we address the general rules, bearing in mind they may change when the Attorney General’s office finalizes its regulations.

General Rules

Currently, businesses have some flexibility in determining the method by which they verify a consumer’s identity, although there are some basic guidelines they must follow:

  • Where they can feasibly do so, businesses should match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business.
  • Businesses should avoid collecting certain types of sensitive personal information (e.g. SSN, government IDs, financial information, medical and health information, and biometric data), unless it is necessary for verification. See Civ. Code Sec. 1798.81.5(d).
  • Shape the verification method based on certain factors, such as: 1) type, sensitivity or value of personal information, 2) risk of harm to the consumer posed by unauthorized access or deletion, 3) likelihood that bad actors would seek the information, 4) vulnerability to being spoofed or fabricated, 5) manner in which the business interacts with the consumer, and 6) available technology for verification.
  • If the business uses a third-party identity verification service, be sure it complies with the CCPA rules for verification. Additionally, businesses should ensure these service providers maintain reasonable safeguards to protect the personal information they process in the course of verification.

Takeaways

The guidelines proposed by the AG’s office regarding verification boil down to “reasonableness,” as they give businesses a wide range of discretion and flexibility to establish a workable method that fits the business’ operation and financial capabilities. After establishing a “reasonable” method, the business has to document and comply with the method it has established.

Depending on the business’ capabilities, they can match the categories of information the consumer provides with the information the business already possesses or utilize a third-party verification service provider. Either way, businesses should refrain from requesting additional information for verification, unless doing so is necessary to protect the consumer.

Once the business has considered these items, they can get to work on shaping specific procedures for verification taking into account issues such as:

  • Who can make requests
  • Account holders versus non-account holders
  • “Requests to Know” versus “Requests to Delete”
  • Requests for categories of information versus specific pieces of information
  • Use of Authorized Agents

Please stay tuned as we address these in future blog posts.

2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning to catch up, which is prompting a significant uptick in compliance efforts.

The California Consumer Privacy Act and Its Admirers

On January 1, 2020, the long anticipated, hotly debated, and already amended California Consumer Privacy Act (CCPA) went into effect.  According to a survey conducted by ComplianceWeek.com, however, nearly 80% of respondents felt either “somewhat confident,” “uncertain,” or “not confident at all” they would be compliant by the effective date. These results may be due to a variety of reasons: a lack of awareness or resources, reliance on the extended CCPA enforcement date (July 1, 2020), a belief that the California Attorney General enforcement efforts will be directed elsewhere, and/or anticipation of final regulations/further guidance from the California Attorney General.

Nonetheless, many businesses are working on CCPA compliance: mapping consumer data; providing notices at collection to consumers, employees, and applicants; updating websites and privacy policies; building internal procedures to verify and respond to consumer requests; and tightening their safeguards for protecting personal information. These efforts are worthwhile for many businesses as they are likely to yield dividends beyond California.

Following California’s lead, a number of other states have introduced similar measures in 2020 regarding individual privacy rights. These legislative efforts include: Florida (SB 1670, HB 963); Hawaii (SB 418, SB 2451); Illinois (SB 2330); Maryland (HB 249); Nebraska (LB 746); New Hampshire (HB 1680); New Jersey (S269, S236, A2188); Vermont (H. 899); Virginia (HB 473); Washington (HB 2759). Earlier efforts began in 2019: New Mexico (SB 176); New York (A 6351, S 4411); Pennsylvania (HB 1049); Rhode Island (S 234, H 5930); and Texas (HB 4518). All of these measures may fail, but California’s influence on state privacy law is considerable. Remember, the country’s first data breach notification law became effective in 2003 in California, and now all 50 states have such a law, as do a number of other countries.

Adoption of Biometric Technology Grows, Along with Regulation

SourceToday.com reports that “by 2025, Zion Market Research expects the global next-generation biometric market to reach $36.8 billion, up from $12.9 billion last year.” The same report cites Deloitte’s 2018 global mobile consumer survey (US edition) which finds that at least one biometric authentication method is used by nearly half of U.S. smartphone owners. The trend for biometrics is on the rise.

Organizations which collect and use biometric identifiers/information (e.g. fingerprints, face scans, etc.) should be mindful of the increasing privacy and data security regulation around biometric technologies and applications.  While biometrics may be helpful in preventing fraud, managing employees’ time, or improving security, these benefits must be considered against the potential legal and compliance risks.

The most critical of these risks exists in Illinois under its Biometric Information Privacy Act (BIPA). Under BIPA, a plaintiff is entitled to statutory damages for violations, and actual harm is not required in order for an individual to sue. BIPA is at the heart of hundreds of putative class action lawsuits in Illinois. Compliance steps such as obtaining consent prior to collection or use and establishing a written policy may help mitigate risk. For more information on the BIPA and biometric information related concerns, check out our FAQs.

Of course, BIPA does not present the only compliance concern. In California, for example, the CCPA includes biometric information as a specific category of personal information, and following a change in 2019, a breach of biometric information could trigger a notification requirement. Other states regulating biometric information in one form or another include, without limitation, Arkansas, Colorado, Florida, Massachusetts, Nebraska, New York, Texas, and Washington.

Organizations’ Websites Provide a Window Into Compliance

Websites facilitate communication with consumers, constituents, patients, employees, and the general public. They project an organization’s image and promote goodwill, provide information about products and services and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have become an increasing subject of regulation making them a growing compliance concern, particularly as they are open to inspection by the public.

CCPA privacy policies, ADA accessibility, HIPAA notice of privacy practices, and COPPA consent mandates are just a few of the compliance requirements affecting websites and online applications or services. In 2020 and beyond, organizations will need to take a closer look at these and other compliance issues concerning their websites and online services.

Telephone Consumer Protection Act (TCPA)

While the Supreme Court did not choose to address whether the Hobbs Act (also known as the Administrative Orders Review Act) requires a district court to accept the Federal Communications Commission (FCC) interpretation of the TCPA (PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., No. 17-1705) there have been a number of other developments impacting the TCPA.  In December 2019, the FCC ruled that online faxes are TCPA exempt and the Supreme Court recently accepted certiorari of a petition to rule on the constitutionality of the TCPA.  In granting certiorari, the Court agreed to review a ruling of the Fourth Circuit which held that a TCPA exemption for government debt collectors was in violation of the First Amendment.   The case could have a significant impact on TCPA claims.  Further, Congress recently proposed the TRACED Act, to combat the increasing number of robocall scams and other intentional violations of telemarketing laws. The TRACED Act, if passed, broadens FCC authority to levy civil penalties and extends the time period for the FCC to catch and take civil enforcement action against intentional violations.  Needless to say, 2020 should be an interesting year for the TCPA.

Cybersecurity, Cybersecurity, and Cybersecurity

A rundown of anticipated, critical cybersecurity risks vying for attention at the upcoming RSA Conference in 2020 (the world’s biggest conference for CISOs) should provide reason enough for organizations to redouble their efforts at tightening security. But that is not all.

Less than two months from now, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) becomes effective, imposing expansive data security requirements on companies. Among other things, and similar to data security frameworks in other states such as California, Colorado, Massachusetts, and Oregon, the SHIELD Act requires that any person or business, including a small business, that owns or licenses computerized data which includes private information of a resident of New York must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

Examples of practices considered reasonable administrative safeguards under the law include risk assessments, employee training, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposal of private information within a reasonable time period.

Similar frameworks already exist in other states. For example, in 2018, Colorado enacted HB 1128, creating obligations for businesses to maintain “reasonable security procedures and practices” for protecting personal identifying information. Similar rules have been in place since 2010 in Massachusetts. Requirements for reasonable safeguards to protect personal information also exist in numerous other states such as Alabama, Florida, Nevada, Illinois, Indiana, and Utah.

But, we will end where we began, the CCPA. We believe it will be an important driver of “reasonable safeguards” for personal information. This is because similar to BIPA, the CCPA authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.  As the CCPA provides for statutory damages, Plaintiffs in these lawsuits may not have to show actual harm or injury to recover.

*      *     *     *     *

For these reasons and others, we believe 2020 will be a significant year for privacy and data security.

Happy Privacy Day!

Some business leaders and HR professionals may be waking up this morning not realizing they must provide a “Notice at Collection” to some or all of their employees and applicants under the new California Consumer Privacy Act (CCPA). This is not surprising given the confusion during 2019 about whether this law would reach that far. The passage of AB 25 confirmed that while employees would be temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

Before addressing these two employment-related aspects of the CCPA, it is helpful to remember which entities are subject to CCPA. The basic rule follows.

In general, the CCPA applies to a “business” that:

A. does business in the State of California,

B. collects personal information (or on behalf of which such information is collected),

C. alone or jointly with others determines the purposes or means of processing of that data, and

D. satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

For more information on this part of the law, please review Does the CCPA Apply to Your Business?

Notice at Collection

A “notice at collection” requires two pieces of information be communicated to the consumer/employee:

  1. The categories of personal information collected by the business. There are eleven categories of personal information, such as identifiers, geolocation data, biometric information, employment-related information, etc. See Cal. Civ. Code Sec. 1798.140(o).
  2. For each category, the uses of personal information by the business.

There are, of course, some questions employers may have about this notice, such as:

    • Who must get it? AB 25 refers to the following categories of “consumers” (natural persons who are California residents) – job applicants to, employees of, owners of, directors of, officers of, medical staff members of, or contractors of the business. Note, the CCPA does not define these terms, and recent proposed regulations do not address AB 25 at all. Guidance may come with final regulations.
    • When must they get it? The statute requires the notice to be provided at or before collection of personal information. In the case of applicants, that might mean providing the notice on the company’s website if, for example, it receives information from applicants on the site concerning open positions. In the case of employees, assuming different notices will be provided because more information is collected from employees, a notice at the beginning of the onboarding process, such as with offer letters, might make sense. Some employers may want to include the notice in employee handbooks, although this may not satisfy the “at or before collection” requirement. Handbooks typically are not provided until after some personal information has been collected from an employee, but a handbook could provide employees a place for easy reference to the business’s practices concerning personal information.
    • Is notice required for current employees? It is true that businesses have already collected personal information about individuals working for the company prior to 2020. However, collection is an ongoing process. One of the categories of personal information, for example, is website browsing activity. Many businesses now continually track this activity if only to safeguard their systems and implement electronic communications and information systems policies.
    • Include information on where employees can go with questions? This is not currently required. Providing employees, applicants, and others a place to go with questions, however, might be a good idea. Employees may not have received this kind of notice before and may have a number of questions. Designating individuals in the organization to address those questions, and directing employees and applicants to those individuals, would help to ensure consistent messaging about the business’s practices.

Reasonable Safeguards.

The second issue for employers under the CCPA is safeguarding employee personal information. Under the CCPA, California consumers, including employees and applicants, affected by a data breach can bring an action for statutory damages when the breach is caused by the business’s failure to maintain reasonable safeguards to protect a subset of personal information and following a 30-day cure period. A consumer can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

There is no regulatory guidance in California concerning what it means to have “reasonable safeguards.” However, former California Attorney General Kamala Harris issued a 2016 data breach report in which she interpreted an existing California statute, Cal. Civ. Code 1798.81.5(b), to mean that businesses must at least satisfy the 20 controls in the Center for Internet Security’s Critical Security Controls in order to be considered reasonable. It is not clear if those controls will be sufficient to meet the CCPA’s standard, but they would be a good place to look for guidance. Note also that the “reasonably safeguard” obligation applies to a subset of personal information, namely:

An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social security number,
  2. Driver’s license number, California identification card number, and government identifiers (i.e. tax identification number, passport number, military identification number),
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account,
  4. Medical information,
  5. Health insurance information, and
  6. Biometric identifiers.

Thus, businesses should be reviewing their data security policies and procedures not just with respect to consumer data, but also employment-related activities – payroll, benefits, recruiting, direct deposit, shared-services, background checks, etc. This also means evaluating what their third-party service providers are doing to protect personal information of employees, applicants, contractors, etc. Note other states also have similar mandates, including Colorado, Massachusetts and New York (coming soon in March 2020).

Businesses that find themselves subject to the CCPA should act quickly to satisfy their AB 25 requirements. Of course, this may be temporary because AB 25 sunsets on January 1, 2021. However, considering the current direction of privacy law, it seems likely that there will be more and not less privacy protections for employees by the end of 2020.

When privacy geeks talk “privacy,” it is not uncommon for them to use certain terms interchangeably – personal data, personal information, personally identifiable information, private information, individually identifiable information, protected health information, or individually identifiable health information. They might even speak in acronyms – PI, PII, PHI, NPI, etc. Blurring those distinctions might be OK for casual conversation, but as organizations develop data privacy and security compliance programs, the meanings of these terms can have significant consequences. A good example exists within the California Consumer Privacy Act (“CCPA”) and its interaction with other laws.

The CCPA, effective January 1, 2020, contains an expansive definition of “personal information.” See Cal. Civ. Code Sec. 1798.140(o). The basic definition is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition goes on to enumerate, without limitation, certain categories of information (e.g., identifiers, website activity, biometric information, geolocation) if they identify, relate to, describe, are reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. With respect to this broad set of data, the CCPA extends to California consumers substantial rights, including the right to request deletion of that data or to opt-out of its sale.

The CCPA’s private right of action for data breaches, however, applies to a much narrower subset of “personal information” defined above. Specifically, the CCPA incorporates another section of California law, Cal. Civ. Code Sec. 1798.81.5(d)(1)(A), to define personal information that, if breached, and which the owner failed to reasonably safeguard, could expose the owner to statutory damages of up to $750 per person. For this purpose, personal information means:

An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.

Note also that the CCPA excludes certain information from its general definition of personal information, such as “protected health information” maintained by covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”).

But the PI, PII, PHI…conundrum does not end with the CCPA. An organization with CCPA obligations also may maintain “private information” of New York residents. Under the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), that organization would have to adopt reasonable safeguards to protect “private information” which is defined to mean, in general, any information concerning a natural person which, because of an identifier, can be used to identify such natural person if it is in combination with any one or more of the following data elements:

  • social security number;
  • driver’s license number or non-driver identification card number;
  • account number, or credit or debit card number, which alone or together with a required code would permit access to an individual’s financial account;
  • biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity.

Private information also includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Confused yet? Perhaps your organization is not subject to the CCPA or the NY SHIELD Act, but you own and operate a website that collects personal information from consumers who reside in California and Delaware. Laws in those states require a website privacy policy that describes certain practices concerning “personally identifiable information” defined in Delaware to mean:

any personally identifiable information…collected online by the operator…from that user…including a first and last name, a physical address, an e-mail address, a telephone number, a Social Security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator…from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph.

A similar definition exists under the California law. These distinctions just scratch the surface and add to the complexity of the emerging patchwork of data privacy and security law in the United States.

So, when thinking about personal information, it is important to remember that not only does the definition extend beyond just one’s name and social security number, but the term itself and its definition likely will differ depending on the particular statutes or regulations you are analyzing. When assessing an organization’s threats and vulnerabilities to personal information, or preparing policies and procedures to safeguard it, be sure to develop an appropriate definition that takes into account the necessary elements of data.

After years of data breaches, mass data collection, identity theft crimes, and failed attempts at broad-based federal legislation, 2020 may be the year that state privacy and data security legislation begins to take hold in the U.S. For example, the California Consumer Privacy Act (“CCPA”) and the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), both effective in 2020 and with application outside their respective states, are already spurring more active compliance efforts. This rapidly developing area of law presents a dizzying challenge for “compliance” personnel whose plates are already filled with an alphabet soup of regulation. The challenge tends to fall particularly hard on in-house counsel and human resources professionals and their IT counterparts whose teams (many times of only one or two) are frequently spread too thin.

The CCPA and SHIELD Act are by no means the only laws on the books. Other state legislatures, such as New Jersey, are advancing comprehensive data privacy and security laws. And, of course, many states have enacted similar laws: all 50 states have enacted data breach notification laws, and several states (e.g., Colorado, Florida, Illinois, Maryland, Massachusetts, Nevada, Oregon) require businesses to have reasonable safeguards to protect personal information, including written contracts with vendors that access personal information. On top of that, certain organizations must comply with industry-specific federal mandates, such as the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act (“GLBA”), while others are balancing international regulation, the most popular one being the European Union’s General Data Protection Regulation (“GDPR”).

Meeting this challenge can seem overwhelming, but there are some strategies and best practices that can help in 2020 and beyond.

  1. Set expectations. Compliance is not a one-time endeavor. It is an on-going effort, a marathon, not a sprint. Building a strong compliance and risk management program is necessary, but it will take time, resources, and commitment. The support of organization leadership is critical, so get them on board, apprise them of the costs of building an achievable program, and the costs of doing nothing.
  2. Build your team. The data privacy and security challenge cannot be solved by the IT department alone. Technology safeguards are critical, but they do not replace strong administrative, physical, and organizational controls. In-house counsel and HR professionals should work on eliminating silos and push for an interdisciplinary team – sales, finance, R&D, marketing, operations, legal, HR, IT. Collectively, the team should have deep institutional knowledge; a strong understanding of the business, its need for and uses of data, and threats and vulnerabilities to data; an awareness of industry expectations, and the capacity to influence new practices and procedures for processing data.
  3. Maintain a Written Information Security Program. It is not enough to say, “We are doing that.” From a compliance perspective, data privacy and security policies and procedures need to be in writing. And, written policies and procedures also help to maintain consistency in the organization’s practices and better support discipline for violations of the rules.
  4. Vendors – trust but verify. Third-party vendors provide critical support to organizations often involving access to sensitive information. The idiom “a chain is no stronger than its weakest link” is quite appropriate considering many organizations have experienced data breaches because of their vendors’ security incidents. Organizations simply must have a better understanding of the strength of their vendors’ safeguards for protecting information. They should maintain strong vendor management programs that begin to apply at procurement and continue until the service agreement terminates and the organization’s data is secured.
  5. Communications About Your Program Should be Accurate and Accessible. Increasingly, the law requires organizations to post website statements summarizing their data privacy and security practices. Examples include HIPAA and laws in California, Delaware, and Nevada. These statements should be accurate and accessible. Inaccurate statements, such as those that overstate security safeguards, can lead to deceptive trade practice claims. As required by the CCPA and urged by the flood of litigation under Title III of the Americans with Disabilities Act, the statements also need to be accessible to persons with disabilities.
  6. Know the Law and Stay in Touch. An organization’s compliance team need not and should not be comprised of lawyers. But it should maintain a keen awareness of applicable legal mandates and a general sense of where the law is headed as it relates to the organization. Active participation in trade and similar associations can be particularly helpful, as can subscribing to dedicated legal resources, blogs, etc.
  7. Training and Awareness. Employees falling victim to phishing attacks is one of the most frequent causes of a data breach. Regular, role-based training on the organization’s policies and procedures along with general security awareness training can substantially reduce this and other data risks.
  8. Embrace technology…carefully. The latest devices and software applications can benefit the organization’s business enormously. However, they may not have been developed or designed with data privacy and security in mind, or at least as needed to address the organization’s compliance needs. Consider biometric technologies that tout stronger identity verification for applications such as POS system access and worker time management. If not rolled out or configured carefully, these devices can cause significant legal exposure relating to the collection, disclosure, and destruction of personal information.
  9. Less is more. Some organizations pride themselves on their comprehensive recordkeeping systems, for example, claiming to have retained all records since inception. Such practices may not be necessary, and in many cases are not prudent. Retaining massive amounts of data may be needed in certain contexts, but it should be carried out strategically and deliberately, with a plan to shed the data once its usefulness has ceased.
  10. Be reasonable. Perhaps this should be first on the list. But it is last to serve as a reminder that whatever steps are taken, they should be reasonable. Indeed, most regulatory data privacy and security frameworks require “reasonable” safeguards. Of course, this is not easy to define, but reasonableness should be a fundamental principle guiding your program.

 

With 2020 poised to bring more acuity to the direction of privacy and security law in the U.S., adopting some or all of the above strategies and best practices will help support a strong, adaptive, ongoing, and reasonable privacy and information security program.

State and local governments have increasingly become targets of cybersecurity attacks. This year cybersecurity attacks on Baltimore and Lincoln County, North Carolina reportedly will cost those government entities $18.2 million and as much as $400,000, respectively, to recover from the attacks. Last year, Atlanta spent more than $7 million to recover from a ransomware attack. A report by cybersecurity firm Coveware shows that governments paid almost 10 times as much money on average in ransom as their private-sector counterparts over the second quarter of 2019.

Recognizing this risk, Massachusetts Governor Charlie Baker announced a new program to help cities and towns develop strategies to prevent cyberattacks. “The more capable the public realm becomes, the greater the challenges and the greater the risks associated with trust,” Baker said. “We need to do things to help.”

During the first Massachusetts Cybersecurity Week, at the state’s third annual Cybersecurity Forum capstone event, Governor Baker introduced an expansive cybersecurity program, including statewide workshops for municipalities to work together to enhance their cybersecurity capabilities, which will be led by the MassCyberCenter at the MassTech Collaborative.

Governor Baker discussed the “smart” future – a world of smart buildings, autonomous cars and smart communities that is not too far away, and emphasized that states and municipalities need to be prepared. “We have a long way to go in the public sector to digitize our assets. I don’t think that’s a really big surprise to anybody in this room,” Baker said at a recent State House event, addressing a group of 200 executives from the private, public, and R&D sectors.

Baker’s Cybersecurity Program complements a similar program led by the National Governors Association (NGA), announced in July, in which the NGA will collaborate with cyber-related state agencies to help improve cybersecurity strategies in the public sector across the nation. Massachusetts was one of seven states selected by the NGA for the first phase of this program, to help develop an action plan and identify key priorities in cybersecurity.

Cyberattacks continue to be a major risk for private companies as well. Coveware reported that the average size of private companies targeted by ransomware in the second quarter of 2019 was 925 employees. McAfee Labs reported that ransomware attacks grew by 118% in the first quarter of 2019. Government entities and private companies alike should conduct risk assessments to develop appropriate security measures to protect them from the risk of cyberattacks.

This cybersecurity program is just another example of how Massachusetts continues to lead the way for other states on privacy and security matters.

Illinois continues to lead the way in privacy and security legislation. The Prairie State is home to the Biometric Information Privacy Act, first of its kind legislation regulating the collection and possession of biometric information, and also the Personal Information Protection Act, considered one of the more expansive data breach notification laws in the nation. And now, in what has been described as “the momentous legislative session in decades”, the Illinois state legislature unanimously passed the Artificial Intelligence Video Interview Act (“the AIVI Act”), HB2557, which imposes consent, transparency and data destruction requirements on employers that implement AI technology during the job interview process. The AIVI Act, the first state law to regulate AI use in video interviews, will take effect January 1, 2020.

Below are several key obligations the AIVI Act imposes on employers:

  • Notification – The employer must notify the job applicant that AI will be used during the video interview for the purpose of analyzing the applicant’s facial expressions and considering the applicant’s fitness for the position. An applicant must also be provided with an information sheet prior to the interview detailing how AI works and the characteristics it uses to evaluate applicants.
  • Consent – Employers must obtain written consent from any applicant that is evaluated by an AI program. It is worth noting that an employer is not required to consider an applicant that refuses to provide consent for the use of AI.
  • Limitations on AI Use – An employer may not use AI to evaluate applicants who have not consented to the use of AI analysis. In addition, an employer may not share applicant videos, except with persons whose expertise is necessary in order to evaluate an applicant’s fitness for a position.
  • Data Destruction – If an applicant requests the destruction of a video interview, the employer must comply within 30 days of receiving the request. Further, the employer must instruct all persons that have received a copy of the applicant’s video interview to destroy the footage.

The AIVI Act does not contain a “definitions” section, and is vague on several key matters. For example, the law is silent on penalties and enforcement, and there is no definition of AI or guidance on how notification should be provided. AI use in the hiring process is still in its early stages and the AIVI Act will likely be amended as necessary, particularly as the practice becomes more commonplace.

While there is no other state legislation to serve as a comparison, as early as 2014 the EEOC has been taking notice of “big data” technologies and the potential that the use of such technology may be in violation of existing employment laws such as Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act. While the EEOC does not yet have an official policy on AI-based tools in the workplace, it has emphasized that the employer must assess the benefits of AI-based tools against increased exposure and risk of privacy and security issues. For more on the EEOC’s stance on AI, check out this interesting podcast episode with Dr. Romella El Kharzazi of the EEOC, “The EEOC and AI Based Assessments – the Inside Scoop” on the podcast Science 4-Hire.

Only time will tell the impact the AIVI Act will have on employment practices. But if the AIVI Act is treated in a similar manner to the BIPA, which the Illinois Supreme Court has held does not require a showing of actual injury to sue, employers should tread carefully with AI usage in the workplace. Moreover, it will likely not be long before other states enact similar legislation. Employers, regardless of jurisdiction, should be evaluating their hiring practices and procedures, particularly to ensure that written consent is obtained before the use of any technology that collects the sensitive information of a job applicant or employee.

On February 21, 2019, California Attorney General Xavier Becerra and Assemblymember Marc Levine (D-San Rafael) announced Assembly Bill 1130, which was intended to strengthen and expand California’s existing data breach notification law. On September 11, 2019, the bill passed both houses of the legislature and was presented to Governor Gavin Newsom. Last Friday, October 11, 2019, the Governor signed AB 1130, together with 6 additional California Consumer Privacy Act of 2018 (“CCPA”) related bills, into law.

Prior to AB 1130, California’s breach notification law defined personal information in Cal Civil Code Sec. 1798.81.5(d)(1)(A) to include a covered person’s first name (or first initial) and last name coupled with sensitive personal information such as Social Security numbers, driver’s license numbers, financial account numbers, and medical and health information. AB 1130 expands the types of personal information in that section to include biometric information (i.e. fingerprint, retina scan data, iris image) and government identifiers (i.e. tax identification number, passport number, military identification number).

In addition to expanding the elements of personal information that are subject to a notification obligation in the event of a data breach, the change also increases litigation risk following a data breach. This is because, under the CCPA, consumers affected by a data breach can bring an action for statutory damages when the breach is caused by the business’ failure to maintain reasonable safeguards. And, the CCPA specifically incorporates Civil Code Sec. 1798.81.5(d)(1)(A), which AB 1130 expanded. Now, there is a broader set of personal information that, if breached and not reasonably safeguarded, could expose businesses subject to the CCPA to substantial damages. A consumer can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

Thus, in addition to the costs of notifications a covered business may have to incur under the state’s breach notification law, which could include providing ID theft resolution and credit monitoring services, class action lawsuits brought pursuant to this provision of the CCPA could be very costly. The expansion of the definition of personal information to include biometric information and government identifiers only increases these risks. It would be prudent for businesses subject to the CCPA to ensure reasonable safeguards are in place to protect all of these elements of personal information, and make sure their third-party service providers are doing the same.