Search biometric

And now it’s Louisiana’s turn! After several states recently enacted or strengthened existing data breach notification laws (Colorado, Arizona, South Dakota and Alabama just to name a few…), on May 20th , Louisiana Governor John Edwards signed an amendment to the state’s Database Security Breach Notification Law (Act 382) which will take effect August 1, 2018.

As with the recent overhaul of Colorado’s Data Breach Notification Act, the amendments to Louisiana’s law are significant.

Key updates to Louisiana’s new law include:

  • Expansion of personal information.

 Personal information was previously defined under the law as an individual’s first name or initial and last name in combination with any of the following additional data elements when the name or data element is not encrypted or redacted: (1) social security number; (2) driver’s license number; or (3) account number, credit or debit card number, in combination with the applicable password, security code, or access code that would allow access to an individual’s financial account.  The new law specifies its application to “an individual resident of this state” and expands the definition of ‘personal information’ to include a state identification card number; passport number; and “biometric data.”  “Biometric data” is defined as “data generated by automatic measurements of an individual’s biological characteristics such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristics that are used to authenticate an individual’s identity when accessing a system or account”.

  • Breach notification requirements.

Previously, businesses were required to notify affected residents of a breach in the “most expedient time possible and without unreasonable delay”. The new law now requires that this be done “not later than sixty (60) days from the discovery of a breach”. In comparison to other states’ recent amendments, a 60-day notice period is fairly long. Colorado recently included a 30-day notice period, and both Arizona and Alabama a 45-day notice period. Notably, when required notification is delayed at the request of law enforcement or due to a determination by the business that measures are necessary to determine the scope of the breach, prevent further disclosures, and restore the integrity of the data system, the business is required to provide the Louisiana Attorney General the reasons for the delay in writing within the sixty day notification period to obtain a reasonable extension of the time to notify impacted individuals.

In addition, the new law lowers the bar for allowing substitute notification (notification by e-mail, posting to the business’s Internet site and statewide media). Whereas before substitute notice was only permitted if providing notification would exceed $250,000 or notifying more than 500,000 affected residents, the amended law allows for notification where providing notification would exceed $100,000 or notifying more than 100,000 affected residents.

  • Requirements for reasonable security procedures and data disposal.

The new law requires that any person that conducts business in the state or owns or licenses computerized data that includes personal information shall:

  • Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure;
  • Take all reasonable steps to destroy or arrange for the destruction of the records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

This is a significant expansion to Louisiana’s law, particularly regarding its emphasis on reasonable security practices and procedures and data destruction. It is also worth noting, that Oregon’s similar amendment to its Data Breach Notification Law that we reported on back in April, took effect on June 2nd.

Today’s nationwide patchwork of state breach notification laws continues to evolve, and requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions. Our recently published State Data Breach Notification Laws: Overview of the Patchwork is a great resource for understanding common provisions, and trends in state statutory amendments.

Back in January, Colorado lawmakers on both sides of the aisle introduced a groundbreaking new bill requiring “reasonable security procedures and practices” for protecting personal identifying information, limiting the time frame to notify affected Colorado residents and the Attorney General of a data breach, and imposing data disposal rules, HB 1128. Now, Colorado Governor John Hickenlooper has signed the bill into law, marking Colorado as a leader in data protection. The new law will take effect September 1, 2018, and has significant implications for certain private and public sector entities in Colorado.

HB 1128 was sponsored by Rep. Cole Wist (R), Rep. Jeff Bridges (D), Senator Kent Lambert (R) and Senator Lois Court (D), and was passed unanimously by the Legislature, signifying the bipartisan understanding that, in today’s climate, data security is a key issue that must be addressed. Nonetheless, the bill was initially met with opposition by large businesses that argued the certain heightened requirements were already obligatory under federal law, and that notification to the Attorney General within 7 days, was too short a timeframe to determine if misuse of data had occurred, which could result in fear over identity theft even when not present. The bill was then given an overhaul, taking into consideration the businesses’ concerns.

Key updates to Colorado’s new law include:

  • Expansion of breach notification requirements.

The bill expands the definition of information that, if breached, would require notification to affected Colorado residents. Under the new law, “personal information” (PI) means a Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: social security number; student, military, or passport identification number; driver’s license number of identification card number; medical information; health insurance identification number; or biometric data. PI also includes a Colorado resident’s username or e-mail address, in combination with a password or security questions and answers that would permit access to an online account. Finally, PI includes a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account.

In addition, businesses that have to report a data breach affecting Colorado residents will have to notify affected residents and, if more than 500 Colorado residents are affected by the incident, the state’s Attorney General not later than 30 days after the date of determination that a security breach occurred. Currently, this is the shortest time frame of any U.S. state (Florida also has 30-day notification period, but allows an additional 15 days under certain circumstances). Specific content requirements also were added to the state’s existing data breach notification law. Of note, the law does not create exemptions for entities subject to reporting requirements under HIPAA or the Gramm-Leach-Bliley Act, and if a conflict exists between the 30-day notice period and a time period under another state or federal law, the shortest notice period applies.

  • Requirements for reasonable security procedures and data disposal.

The new law adds requirements for businesses to implement reasonable safeguards to protect personal identifying information (PII), as well as to have procedures for disposing of PII that is no longer needed.

More specifically, covered entities in Colorado that maintain paper or electronic documents that contain personal identifying information must to develop and maintain a written policy for the destruction and proper disposal of those documents. Additionally, covered entities that maintain, own, or license personal information, including those that use a nonaffiliated third party as a service provider, shall implement and maintain reasonable security procedures and practices to protect PII that are appropriate to the nature of the PII and the nature and size of the business and its operations. Moreover, unless the covered entity agrees to provide its own security protection for the information it discloses to a third party, the covered entity “shall require” the third party service provider to implement and maintain reasonable security procedures and practices as appropriate. Thus, as required in other states such as Massachusetts and California, businesses need to be reviewing services agreements with their third party vendors to ensure they include appropriate language to meet these requirements.

Note that with respect to the reasonable safeguard and data disposal requirements, PII is defined to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device. This definition is not the same as the definition of “personal information” or “PI” with respect to the law’s breach notification requirement.

The Attorney General’s office has authority to enforce the new requirements, and may bring an action in law or equity to address violations of the law, and for other relief that may be appropriate to ensure compliance with the law or to recover direct economic damages resulting from the violation, or both.

This is a significant expansion of Colorado’s data breach notification law and the state’s rules for safeguarding personal data. Covered entities are advised to develop and implement practices and procedures appropriate for the PII and PI they own, license, or maintain including administrative, technical and physical safeguards.

For more information on data breach notification law developments, see our recent articles:

Last month, South Dakota and Alabama became the final two states to enact a data breach notification law. In addition, many other states, in response to trends, heightened public awareness, and a string of large-scale data breaches, have continued amending their existing laws. Arizona is the latest state to update its data breach notification law to reflect recent trends.

Introduced in January and signed into law recently by Arizona Governor Doug Ducey, the new law has several key updates, including:

  • Expands the definition of personal information to encompass:
    • information about an individual’s medical or mental health treatment or diagnosis by a healthcare professional;
    • a private key that is unique to an individual and is used to authenticate or sign an electronic record;
    • an individual health insurance identification number;
    • a passport number;
    • a taxpayer identification number or an identity protection personal identification number issued by the IRS;
    • unique biometric data used for online authentication purposes; or
    • an individual’s username or email address, in combination with password or security question and answer, that allows access to an online account.
  • Sets a 45-day notification requirement for consumers affected by the breach.
  • Risk of harm analysis: notification not required if a third-party forensic investigator or law enforcement agency determines that the “breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.”
  • Types of notice: notice may be accomplished via email if the entity providing notice has email addresses for individuals subject to notification.
  • Notification content requirement: notice must contain the date of the breach, a brief description of the information disclosed, and contact information for the three largest consumer credit reporting agencies, and the Federal Trade Commission.
  • If the breach affects more than 1,000 people, notice must be provided to the consumer credit reporting agencies and the state Attorney General.
  • The Attorney General can impose civil penalties on violators of $10,000 per affected individual or the total economic loss sustained by affected individuals up to a max of $500,000.

Today’s nationwide patchwork of state breach notification laws continues to evolve, and requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions. Our recently published State Data Breach Notification Laws: Overview of the Patchwork is a great resource for understanding common provisions, and trends in state statutory amendments. Please contact your Jackson Lewis attorney to discuss these developments and specific state breach notification laws and reasonable safeguard requirements.

On March 28th, Alabama Governor Kay Ivey (R) signed into law the Alabama Data Breach Notification Act, Act No. 2018-396, making Alabama the final state to enact a data breach notification law. South Dakota Governor Dennis Daugaard signed into a law a similar statute one-week prior. The Alabama law will take effect June 1, 2018. Being the last state to enact a breach notification law, Alabama had the benefit of examining the approach in just about all of the other states and apparently drew provisions from many other state laws, including relatively detailed requirements for covered entities (as defined within the statute) and their third-party service providers to maintain reasonable requirements to protect “sensitive personally identifying information.”

Breach Notification Requirements

The Alabama Data Breach Notification Act requires covered entities to notify any Alabama resident whose sensitive personally identifying information was, or the covered entity “reasonably believes,” to have been acquired by an unauthorized person as a result of a data breach that is reasonably likely to cause substantial harm to the individual to whom the information relates.

Similar to South Dakota and recent amendments to other state data breach notification laws, the Alabama law includes an expansive definition of personal information. Notably, however, “biometric information” is not included in Alabama’s definition of personal information, as has been a typical inclusion for other states of late.

Personal information or “sensitive personally identifying information” as it is called by the Alabama law, is defined as an Alabama resident’s first name or first initial and last name in combination with one or more of the following with respect to the same Alabama resident:

  • A non-truncated social security number or tax identification number;
  • A non-truncated driver’s license number, state-issued identification card number, passport number, military identification number, or other unique identification number issued on a government document used to verify the identity of a specific individual;
  • A financial account number, including a bank account number, credit card number, or debit card number, in combination with any security code, access code, password, expiration date, or PIN, that is necessary to access the financial account or to conduct a transaction that will credit or debit the financial account;
  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment diagnosis by a health care professional;
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account affiliated with the covered entity that is reasonably likely to contain or is used to obtain sensitive personally identifying information.

The law requires a covered entity that experiences a data breach to notify affected Alabama residents “as expeditiously as possible and without unreasonable delay,” taking into account a reasonable time to conduct an appropriate investigation, but not later than 45 days from the determination that a breach has occurred and is reasonably likely to cause substantial harm, with certain exceptions. Notably, if a covered entity’s third party agent experiences a breach of security in the agent’s system, the agent shall notify the covered entity as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach or reason to believe the breach occurred. Covered entities should be reviewing their services agreements with third party vendors to ensure they are consistent with these requirements.

In addition, if more than 1,000 state residents are impacted by the breach, the state attorney general and consumer reporting agencies must be notified. Following a number of other states, the Alabama law also sets forth specific content requirements for the notices to individuals and the Attorney General. For example, if notification to the Attorney General is required, it must include (i) a summary of events surrounding the breach, (ii) the approximate number of individuals in the Alabama affected by the breach, (iii) information about any services, such as ID theft prevention or monitoring services, being offered or scheduled to be offered, without charge, to individuals and instructions on how to use the services, and (iv) contact information for the covered entity or its agent.

Reasonable Safeguard Requirements

The Alabama law also imposes a reasonable security requirement for covered entities and their third party vendors. Under the law covered entities and third parties are required implement and maintain reasonable security measures to protect sensitive personally identifying information (see definition above) against a breach of security. This provision is significant not only because it reaches third party agents as well as covered entities, but also because of the scope of the information to which it applies. For example, the similar requirement under often cited Massachusetts regulations currently does not apply to medical information; the Alabama reasonable safeguard requirement appears to reach this category of personal information.

Security measures include:

  • Designation of an employee(s) to coordinate the reasonable security measures;
  • Identification of internal and external risks of a breach of security;
  • Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
  • Retention of service providers, if any, that are contractually required to maintain appropriate safeguards;
  • Keeping management of a covered entity, including its board of directors, appropriately informed of the overall status of its security measures;

Notably, the law also requires covered entities to conduct an assessment of its security based upon the entity’s security measures as a whole and placing an emphasis on data security failures that are multiple or systemic, including consideration of all the following:

  • The size of the covered entity.
  • The amount of sensitive personally identifying information and the type of activities for which the sensitive personally identifying information is accessed, acquired, maintained, stored, utilized, or communicated by, or on behalf of, the covered entity.
  • The covered entity’s cost to implement and maintain the security measures to protect against a breach of security relative to its resources.

Enforcement

A violation of the Alabama Data Breach Notification Act is also considered a violation of the Alabama Deceptive Trade Practices Act, however criminal penalties are not available. The Office of the Attorney General maintains the exclusive authority to bring an action for civil penalties – there is no private right of action. Failure to comply with the Alabama law could result in fines of up to $5,000 per day, with a cap of $500,000 per breach. Of note, such penalties are reserved for failure to comply with the law’s notification requirements, and it is not clear to what extent such penalties would apply for failure to comply with the law’s reasonable security requirements.

As each state now has a data breach notification law, and many states continue to amend those laws, it is imperative for companies operating in multiple states and/or maintain personal information about residents of multiple states to be aware of the requirements across several jurisdictions. Companies should regularly review and update the measures they are taking to better secure the data they hold and appropriately response to any potential data incident.

It’s official! Alabama is the only remaining state lacking a data breach notification statute. On March 21, 2018 South Dakota Attorney General Marty Jackley announced that Governor Dennis Daugaard signed into law the state’s first data breach notification law, after unanimous approval by both chambers of the state legislature a couple weeks prior. The law will take effect July 1, 2018.

 South Dakota’s new law creates a breach notification requirement for any person or business conducting business in South Dakota that owns or retains computerized personal or protected information of South Dakota residents. On trend with recent amendments to other state data breach notification laws, the South Dakota law includes an expansive definition of personal information.

The law defines personal information as a person’s first name or first initial and last name in combination with any one or more of the following data elements:

  • Social Security Number;
  • driver’s license number or other unique identification number created or collected by a government body;
  • account, credit card or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account;
  • health information; and
  • an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes.

In addition, protected information is defined as:

  • a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and
  • account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account.
  • NOTE: “protected information” does not include a person’s name.

The law requires an information holder to disclose a breach to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person. This disclosure must be made within 60 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.

Further, breaches affecting more than 250 South Dakota residents must be reported to the state’s Attorney General. Note that if the information holder reasonably believes the breach will not likely result in harm to the affected person, the information holder is not required to make a disclosure so long as the information holder first conducts an appropriate investigation and provides notice to the attorney general. This determination needs to be documented in writing and maintained for at least three years.

The South Dakota law makes each failure to disclose a breach an unfair or deceptive practice under South Dakota’s Deceptive Trade Practices And Consumer Protection law, which imposes criminal penalties for violations. In addition, the law authorizes the state Attorney General to impose a civil penalty of up to $10,000 per day per violation and to recover attorneys’ fees and costs associated with an action brought against the information holder.

A string of large-scale breaches made clear that additional protections for South Dakota consumers were needed. Alabama is now the only state without a data breach notification law, but that will likely change in the coming weeks. A house-amended version of Senate Bill 318, the Alabama Data Breach Notification Act sponsored by Senator Arthur Orr (R-Decatur), passed the House of Representatives unanimously on March 22nd, but requires concurrence from the Senate before being sent to the Alabama governor for signing.

 

This Sunday, January 28, is Data Privacy Day, which Congress recognized on Jan. 27, 2014, when it adopted S. Res. 337, supporting the designation. As noted by the National Cyber Security Alliance, Data Privacy Day began in the United States and Canada in January 2008, an extension of the Data Protection Day celebration in Europe. Don’t count on any days off soon, but awareness about data privacy and security issues affecting our lives and businesses has grown in recent years, and certainly will continue well into the foreseeable future.  In honor of Data Privacy Day, we again prepared our thoughts on some key issues to be on the look out for in 2018. We call it “Top 10 for 2018.”  The topics are below, and a more expansive discussion of them can be accessed here.

1. Greater Focus on EU Data Protection Requirements

2. Biometric Data – Emerging Law and Litigation

3. Analytics in the Workplace – Privacy Vulnerabilities

4. Enhanced Connectivity – GPS plus IoT

5. Ransomware and Phishing Attacks Continue

6. Insider Threats

7. Privacy and Data Breach Class Actions

8. Data Breach Readiness

9. Increased Data Privacy and Security Legislation

10. Vendor Management

 

With the continuing parade of high profile data security breaches, the concern U.S. organizations have about the security of their systems and data has been steadily growing. And rightly so. Almost every organization processes (collects, uses, stores, or transmits) individually identifiable data. Much of this data is personal data, including employee data, which brings heightened privacy and security responsibilities and obligations.

For certain entities, these responsibilities and obligations are about to increase significantly. On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. This is a game changer for those organizations subject to the jurisdiction of the GDPR, and not just because of its new data breach notification provision. The GDPR contains expanded provisions for data collection, retention, and access rights unlike those they are used to in the U.S. that will create substantial challenges for U.S. employers processing their EU employee data.

To effectively meet these challenges, U.S. employers need to take stock of the data they process concerning individuals relating to EU operations (and not just about employees, although that is our focus here). What categories of EU employee data are processed? Where does it comes from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do EU employees have with respect to that information? The answers to these questions are not always self-evident. Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts. And, it may be processed in the cloud, the U.S., or elsewhere outside the EU.

Starting with the source of EU employee data, the U.S. employer should review its connections with the EU. Does it have a EU branch or office, a subsidiary or affiliate? An EU franchise, agent, or representative? Has it recently merged or acquired an organization with EU locations or connections? Any one of these connections is a potential source of EU employee or comparable internal personal data, regardless of how small.

Next, how does the U.S. employer process its EU employee or internal personal data? This data can be processed in traditional contexts – HRIS, benefits, payroll, Active Directory or contact information, and recruitment or talent management. It can be processed in other contexts – Customer Relationship Management, software applications, IT maintenance and security review activity, surveillance images, remote log in, business-related travel and event attendance support, professional development, training and certification, and external facing websites simulating annual reports or collecting job applications. Even if the U.S. employer outsources payroll, benefits administration, or HR, it may still process EU employee or internal personal data in other contexts.

For a specific example of employee data processing, consider the internal facing website or employee that facilitates business travel or conference registration. This service collects the EU employee’s personal data in the form of name, address, phone number, work title and work address. However, it may also collect the EU employee’s special hotel and dining accommodations needs. This additional information may reveal health, disability, or religious beliefs information about the EU employee, all of which are subject to heightened protections. In another example, the organization’s training portal may use video presentations featuring internal trainers. These videos contain employee personal data – the trainer’s photo and, perhaps, work contact information. Locating and identifying all forms of EU employee data processing is critical.  However, knowing what actually constitutes EU employee personal data is key.

Identifying employee personal data in the context of the GDPR is challenging. The GDPR definition, especially when applied to an EU employee, can be expansive. And for U.S. employers, often surprising. EU employee personal data includes “any information relating to an identified or identifiable” EU employee. Identifiable simply means the employee can be “identified directly or indirectly… by reference to an identifier… or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” This may include name, address, driver’s license number, date of birth, passport number, vehicle registration plate number, phone number, photos, email address, id card, workplace or school, and financial account numbers. With respect to employees, it may also encompass – gender, personnel reports (including objective and subjective statements), recruitment data, job title and position, work address and phone number, salary information, health and sickness records, monitoring and appraisals, criminal records, rent, retirement or severance data, and online identifiers such as dynamic IP addresses, metadata, social media accounts and posts, cookie identifiers, radio frequency tags, location data, mobile device IDs, web traffic surveillance that identifies the machine and its user, and CCTV images.  ‘Special categories’ of employee data – racial and ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning an employee’s health, sex life, or sexual orientation, and biometric and genetic data – require heightened levels of protection under the GDPR. Given the broad interpretation of personal data under the GDPR, a determination of what constitutes employee personal information is often based on relevant facts and circumstances.

May 2018 is approaching quickly. The GDPR may bring new and enhanced obligations for U.S. employers. Significant among these is employee consent to processing personal data. With this in mind, employers should begin evaluating their organizations through the lens of employee data collection and processing, keeping in mind applicable national laws.

In a ruling that may have significant impact on the recent wave of biometric privacy suits, an Illinois state appeals court held that plaintiffs must claim actual harm to be considered an “aggrieved person” covered by Illinois’ Biometric Information Privacy Act (BIPA), in a dispute arising from the alleged unlawful collection of fingerprints from a Six Flags season pass holder. Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317 (Ill. App. Ct. Dec. 21, 2017).

The plaintiff, whose son’s fingerprint was collected by Six Flags after purchasing a season pass for one of its Great America amusement parks, filed suit on behalf of her son and similarly situated class members, against Great America LLC and Six Flags Entertainment Corp. for allegedly violating Illinois’ BIPA by failing to obtain proper written consent or disclosing their plan for the collection, use, storage, or destruction of her son’s biometric information. The plaintiff further claimed that had she known of Six Flags’ collection of fingerprints, she would not have allowed her son to purchase a season pass.

Six Flags argued in a motion to dismiss that the BIPA allows only “aggrieved” individuals to sue for all alleged violations, and that the plaintiff’s son and other similar plaintiffs who had not suffered actual harm have not met the necessary threshold to bring a claim.

After a lower court denied Six Flags’ motion to dismiss, the Illinois’ state appeals court three-judge panel held that in order for a plaintiff to meet the definition of “aggrieved person” under the BIPA, a plaintiff must demonstrate actual harm.

If the Illinois legislature intended to allow for a private cause of action for every technical violation of the act, it could have omitted the word ‘aggrieved’ and stated that every violation was actionable,” the panel ruled. “A determination that a technical violation of the statute is actionable would render the word ‘aggrieved’ superfluous. Therefore, a plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under … the act.

Employment BIPA Class Actions

With over 30 employment class actions filed against employers in Illinois state court since July 2017 claiming BIPA violations for implementation of biometric technology, the Six Flags ruling represents a significant victory. We recently reported on a putative class action filed by employees against their employer, Oak Park Rehabilitation & Nursing Center LLC, alleging that mandatory daily biometric fingerprint scans violate employees’ privacy rights under the BIPA. Similar to the suit against Oak Park, the recent flood of employee class actions allege employer misuse of timekeeping systems that collect fingerprint scans. They claim the employer failed to provide proper notification and obtain written consent or neglected to institute a valid use policy.

Although the Six Flags decision represent a win for employers, plaintiffs will likely continue to attempt alternative legal arguments to claim that an individual is an “aggrieved person” under the BIPA. Accordingly, companies that want to implement technology that uses employee or customer biometric information (for timekeeping, physical security, validating transactions, or other purposes) need to be prepared.

Below are additional resources to help navigate biometric information protection laws:

Primarily motivated by several recent massive data breaches, Senate Democrats recently introduced a bill geared toward protecting Americans’ personal information against cyber attacks and to ensure timely notification and protection when data is breached.

The Consumer Privacy Protection Act of 2017 provides that companies that collect and hold data on at least 10,000 Americans would be required to implement “a comprehensive consumer privacy and data security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity, and the nature and scope, of the activities of the covered entity.”

The legislation protects broad categories of data, including: Social Security, drivers’ license, and passport numbers, financial account numbers or debit/credit card numbers in combination with a security code or PIN, online usernames and passwords, unique biometric data such as fingerprints and retina or iris scans, physical and mental health data, geolocation data, and private digital photographs and videos.

The bill would also allow the United States Attorney General, state attorneys general, and the Federal Trade Commission to enforce alleged violations of the breach notification or security rules, which could subject companies to civil penalties of at least $16,500, depending on the number of records that were breached. The bill does not provide for a private right of action.

The legislation would require notification to be made “as expediently as possible and without unreasonable delay following the discovery by the covered entity of a security breach.”

The law would also require companies to provide “five years of appropriate identity theft prevention and mitigation services” at no cost to any individual who asks for it, and prohibits automatic enrollment in the identity theft prevention and mitigation services without their consent.

The text of the bill can be found here.

It is worth noting that shortly following the introduction of the Consumer Privacy Protection Act, three Democrat senators introduced the Data Security and Breach Notification Act that would require companies to report data breaches within 30 days of becoming aware of a breach. An individual who conceals a data breach could face a penalty of up to five years in prison. This bill comes on the heels of Uber’s recent data breach announcement that hackers stole 57 million records in 2016, and that Uber paid the hackers $100,000 to destroy the documents.

We will continue to report on the status of these bills and other legislative proposals for heightened data security at the federal level, in light of the massive data breaches of late, as developments unfold.

 

On November 2nd, New York Attorney General Eric T. Schneiderman announced his proposal of the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information.

“It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” said Attorney General Eric Schneiderman.

Key aspects of the proposed SHIELD ACT include:

  • Covering any business that holds sensitive data of New York residents. Interestingly, the proposed legislation would amend the existing breach notification requirement to remove language currently limiting application of the notification rule to persons or businesses that conduct business in New York
  • Requiring all covered businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data
  • Businesses that are already regulated by and comply with certain applicable state or federal cybersecurity laws (e.g., HIPAA, NY DFS Reg 500, Gramm-Leach-Bliley Act) are considered “compliant regulated entities” under the SHIELD Act. These entities and others that are annually certified by an authorized and independent third party to be compliant with certain data security standards, such as the most up to date version of the ISO /NIST standards, are called “certified compliant entities.” These entities are deemed to be compliant with the proposed law’s reasonable safeguard requirements, and a safe harbor from state enforcement actions would apply to “certified compliant entities”
  • A more flexible standard would exist for small businesses (less than 50 employees and under $3 million in gross revenue; or less than $5 million in assets)
  • Data breach notification obligations would become broader by (i) adding “access to” (in addition to the current trigger “acquisition”) as a trigger for notification, and (ii) expanding the data elements that if breached would require notification to include username-password combination, biometric data, and HIPAA covered health data
  • Deeming inadequate security to be a violation of General Business Law § 349 and permitting the Attorney General to bring suit and civil penalties under General Business Law § 351

AG Schneiderman’s proposed bill comes on the heels of several massive data breaches and ransomware attacks (e.g., Wanncry). The proposed SHIELD Act has the support of two major sponsors in the State Legislature: Senator David Carlucci (D-Clarkstown) of the Independent Democratic Conference and Assemblyman Brian Kavanaugh (D-Manhattan) who led their chamber’s consumer protection committees.

Although the SHIELD Act is a significant step forward for the Empire State, it does not come as a surprise. Attorney General Schneiderman has been vocal and proactive in the pursuit of heightened data security. Following a recent massive credit reporting agency breach, Schneiderman sent formal inquiries to the two other major credit reporting agencies, asking them to detail their security measures, steps they have taken since learning the breach and how they will further assist consumers in protection of their personal information.

In addition, AG Schneiderman has issued several enforcements actions in 2017 against companies that have failed to effectively protect consumer information. In January, Schneiderman announced a settlement with Acer Service Corporation, a computer manufacturer in Taiwan, after a data breach of its website exposed 35,000 credit card numbers. An investigation by the AG office revealed that sensitive customer information had not been protected for almost a full year. Acer agreed to pay $115,000 in penalties and improve data security practices. In April, Schneiderman announced that TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. TRUSTe agreed to pay $100,000 and “adopt new measures to strengthen its privacy assessment”. In June, Schneiderman issued his first enforcement action against a wireless security company, Safetech Products LLC, for failing to implement adequate security in its Internet of Things (IoT) devices. It was found that Safetech did not force users to reset default passwords, and did not encrypt passwords sent over the network. As part of the settlement agreement, Safetech agreed to implement a written comprehensive security program.

AG Schneiderman did not begin enforcing New York’s data security laws and regulations in 2017; the issue has been a growing area of concern in his office for some time. In January of 2015, on the heels of former President Obama’s announcement of a cybersecurity legislative proposal, AG Schneiderman indicated his own plans to propose legislation to heighten New York’s data security laws.

The SHIELD Act, if enacted, would have far reaching effects, as any business that holds sensitive data of a New York resident would be required to comply.  Moreover, given the nation’s heightened awareness of cybersecurity in the wake of the recent massive data breaches, other states may also consider similar legislation.