Search biometric

As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular posts of 2022:

1. California Consumer Privacy Act FAQs: Employment Information

As the California Privacy Rights Act moves toward taking effect and exceptions applying to employment-related data expire, employers have questions about handling privacy when it comes to employee information.

2. “Get a Life” – Another Dentist Responds to Patient’s Online Review, This Time Faces a $50,000 OCR Penalty

The Office for Civil Rights (OCR) recently announced four enforcement actions, one against a small dental practice that imposed a $50,000 civil monetary penalty under HIPAA. The OCR alleged the dentist impermissibly disclosed a patient’s protected health information (PHI) when the dentist responded to a patient’s negative online review. 

3. California Tightens Rules on Vehicle Tracking, Fleet Management

In September 2022, Governor Gavin Newsom signed into law AB-984, which becomes effective January 1, 2023. The law builds on other privacy protections in California, such as the California Consumer Privacy Act and Penal Code Sec. 637.7. Section 637.7 prohibits using an electronic tracking device to determine the location or movement of a person; however, it does not apply when the vehicle owner (e.g., the employer) has consented to the use of the device.

4. Does Your Cyber Insurance Policy Look More Like Health Insurance?

Many factors are driving up the cost of cyber insurance policies including increases in ransomware attacks and the cost of business interruption from those attacks. Moreover, carriers are giving more scrutiny to the practices and procedures of the companies they insure. As such, companies need to consider their cyber security controls to assist in obtaining and maintaining coverage.

5. $600,000 Reasons To Review Your SHIELD Act Compliance Program: NY Attorney General Announces Significant Settlement Stemming From Email Data Breach

On January 24, 2022, New York Attorney General Letitia James announced a $600,000 settlement agreement with EyeMed Vision Care, a vision benefits company, stemming from a 2020 data breach compromising the personal information of approximately 2.1 million individuals across the United States, including nearly 99,000 in New York State

6. The RIPTA Data Breach May Provide Valuable Lessons About Data Collection and Retention

There is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.

7. From Time Keeping to Dashcams, BIPA Litigation Continues

Litigation under the Illinois Biometric Information Privacy Act (BIPA) continues to heat up, encompassing litigation about timekeeping systems that use fingerprints to dashcams.

8. Utah Becomes Fourth State to Enact A Comprehensive Privacy Law

Utah joined California, Colorado, and Virginia in passing a consumer privacy statute, the Utah Consumer Privacy Act takes effect on December 31, 2023.

9. Does a Poor ESG, Social Responsibility Rating Increase an Organization’s Cyber Risk?

With ransomware and other cyber threats top of mind for most in the c-suite these days, a question frequently raised is whether a particular organization is a target for hackers. Of course, nowadays, any organization is at risk of an attack, but the question is whether some organizations are targeted more than others. An Insurance Journal article discusses a paper published in September 2021 that identifies a factor that could elevate the risk of being targeted, a factor many in cyber might not have expected, “greenwashing.”

10. Connecticut Likely to Become Fifth State to Enact Comprehensive Consumer Privacy Law

Connecticut prepared and eventually passed the “Act Concerning Personal Data Privacy and Online Monitoring” Act which will take effect July 1, 2023.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on these topics, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

While the federal government attempts to move forward with a more uniform national law, Connecticut joined California, Colorado, Utah, and Virginia in passing a comprehensive consumer privacy law.

The legislation signed by Connecticut’s governor in May 2022, will take effect on July 1, 2023. However, provisions related to a task force to be convened by the state legislature take effect immediately, and the task force is charged with studying issues including information sharing among health care providers, algorithmic decision-making, and possible legislation regarding children’s privacy.

While businesses consider how to comply with Connecticut’s new privacy law, they should also be taking into account some of the data protection laws already in effect in the state. The following is an overview of just some of the other laws to keep in mind.

Obligation to Safeguard Personal Information and SSNs

Connecticut law already obligates businesses possessing “personal information” to

safeguard the data, computer files, and documents containing the information from misuse by third parties.

See Section 42-471. The term “personal information” under this law means

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

This law also requires businesses that collect Social Security numbers (SSNs) to create and publish a policy that (i) protects the confidentiality of SSNs, (ii) prohibits unlawful disclosure of SSNs, and (iii) limit access to SSNs.

Obligation to Destroy Personal Information

The same law discussed above that requires businesses to safeguard personal information, also requires businesses to “destroy, erase or make unreadable such data, computer files and documents prior to disposal.”  For this reason, a record retention policy should address not only how long personal information (and other confidential business information) should be retained, but also a secure process for destroying it once the retention period has expired.

Data Breach Notification Law

When the safeguards contemplated above fail to prevent an unauthorized access or acquisition of computerized personal information (a “breach of security”), Connecticut’s breach notification law is triggered, which was updated and enhanced in 2021 by An Act Concerning Data Privacy Breaches.

Persons that own, license, or maintain computerized personal information and experience a breach of security involving such information may be required to notify affected Connecticut state residents. This law provides a more specific definition of personal information – an individual’s first name or initial and last name in combination with any one or more of the following:

  • Social security number;
  • driver’s license number or state identification card number;
  • financial account number in combination with any required security code, access code, password that would permit access to such financial account;
  • credit or debit card number;
  • individual taxpayer identification number;
  • identity protection personal identification number issued by the IRS;
  • passport number, military identification number, or other identification number issued by the government that is used to verify identity;
  • medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • health insurance policy number or subscriber identification number, or any unique identifier by a health insurer to identify the individual;
  • biometric information which consists of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; or
  • user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

In general, notice must be made without unreasonable delay but not later than 60 days after the discovery of a breach, which also must include notice to the State’s Attorney General. However, if, after an appropriate investigation the business reasonably determines that the breach will not likely result in harm to the affected individuals whose personal information has been acquired or accessed, notification is not required. If notification is required, and if the breach involved a resident’s SSN or taxpayer identification number, the business shall offer the resident “appropriate identity theft prevention services” for not less than 24 months.

In the unfortunate event that a business experiences a breach of security potentially affecting Connecticut residents, it will need to carefully consider these and other provisions of the law.

The long and short of the requirements above (which also exist in many other states) is that businesses need a comprehensive written information security program, which includes robust incident response and record retention and destruction plans. If you have questions about developing a privacy and data compliance plan for Connecticut law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

The federal government has been trying to reach a consensus on data privacy and thus far has failed to pass legislation. On June 3, 2022, a bipartisan draft bill, titled the American Data Privacy and Protection Act was released by the Committee on Energy and Commerce. The bill intends to provide comprehensive data privacy legislation, including the development of a uniform, national data privacy framework and robust set of consumer privacy rights.

A covered entity for purposes of the draft bill is defined as “any entity or person that collects, processes, or transfers covered data” and is subject to the Federal Trade Commission Act, is a common carrier under the Communications Act of 1934, or is an organization not organized to carry on business for their own profit or that of their members.

Per the draft, the new act would be carried out by a new bureau within the Federal Trade Commission (FTC). Interestingly, the proposed legislation would preempt similar state laws, though excludes the CCPA/CPRA in California and the BIPA and the GIPA in Illinois from that preemption.

The draft bill covers a wide swath of data consumer privacy issues from data collection to civil rights and algorithms. The following are some highlights of note:

Data Collection Requirements

The draft legislation imposes a duty on all covered entities not to unnecessarily collect or use covered data with covered data being defined broadly as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers”.  The FTC would be charged with issuing additional guidance regarding what is reasonably necessary, proportionate, and limited for purposes of collecting data.

Covered entities would have a duty to implement reasonable policies, practices, and procedures for collecting processing, and transferring covered data. Further, covered entities would be required to provide individuals with privacy policies detailing data processing, transfer, and security activities in a readily available and understandable manner. The policies would need to include contact information, the affiliates of the covered entity that it transfers covered data to, and the purposes of each category of covered data the entitled collects, processes, and transfers.

Covered entities would be prohibited from conditioning or effectively conditioning the provision or termination of services or products to individuals by having individuals waive any privacy rights established under the law.

There would be additional executive responsibility for large data holders, including requiring CEOs and privacy officers to annually certify that their company maintains reasonable internal controls and reporting structures for compliance with the statute.

Individual Rights Created

Individuals would be granted the right to access, correct, delete, and portability of, covered data that pertains to them. These are similar to many of the rights California residents have under the CCPA/CPRA.  The right of access would include obtaining covered data in a human-readable and downloadable format that individuals can understand without expertise, the names of any other entities the data was transferred to, the categories of sources used to collect any covered data and the purposes for transferring the data.

Sensitive covered data, which includes items such as an individual’s health diagnosis, financial account information, biometric information, and government identifiers such as social security information, among other items, is prohibited from data collection without the individual’s affirmative consent.

Civil Rights and Algorithms

Unsurprisingly, algorithms, which were recently addressed by the EEOC and DOJ in guidance are also addressed in this draft legislation. Under the proposed legislation, covered entities may not collect, process, or transfer data in a manner that discriminates based on race, color, religion, national origin, gender, sexual orientation, or disability. This section of the law would require those large data holders that use algorithms to assess their algorithms annually and submit annual impact assessments to the FTC.

While comprehensive national privacy legislation has previously faced difficulties being passed, Jackson Lewis will continue to track the status of this legislation as it moves through Congress. If you have questions about this proposed legislation or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

When the California Consumer Privacy Act of 2018 (CCPA) became law, it was only a matter of time before other states adopted their own statutes intending to enhance privacy rights and consumer protection for their residents. After overwhelming support in the state legislature, Connecticut is about to become the fifth state with a comprehensive privacy law, as SB 6 awaits signature by Governor Ned Lamont.

If signed, the “Act Concerning Personal Data Privacy and Online Monitoring” (Act) will take effect July 1, 2023, the same day as the Colorado Consumer Privacy Act.

Key Elements

As noted, the Act largely tracks the Virginia Consumer Data Protection Act (VCDPA) and has the following key elements:

  • Jurisdictional Scope. The Act would apply to persons that conduct business in Connecticut or that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: (i) controlled or processed personal data of at least 75,000 consumers (under the VCDPA this threshold is at least 100,000 Virginians) or (ii) controlled or processed personal data of at least 25,000 consumers and derived over 25 percent of gross revenue from the sale of personal data (50 percent under the VCDPA).
  • Exemptions. The Act provides exemptions at two levels, the entity level and the data level. Entities exempted from the Act include (i) agencies, commissions, districts, etc. of the state or political subdivisions, (ii) nonprofits, (iii) higher education, (iv) national securities associations, (v) financial institutions or data subject to Gramm-Leach-Bliley Act (GLBA), and (vi) covered entities and business associates as defined under HIPAA.

The Act also exempts a long list of categories of information including protected health information under HIPAA and certain identifiable private information in connection with human subject research. The Act also exempts certain personal information under the Fair Credit Reporting Act, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, and other laws. In general, exempt data also includes data processed or maintained (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor to the extent that the data is collected and used within the context of that role, (ii) as emergency contact information, or (iii) that is necessary to retain to administer benefits for another individual relating to the individual in (i) above.

  • Personal Data. Similar to the CCPA and GDPR, the Act defines personal data broadly to include any information that is linked or reasonably linkable to an identified or identifiable individual, but excludes de-identified data or publicly available information. However, maintaining deidentified information is not without obligation under the Act. Controllers that maintain such information must take reasonable measures to ensure that the data cannot be reidentified. They must also publicly commit to maintaining and using de-identified data without attempting to reidentify it. Finally, the controller must contractually obligate any recipients of the de-identified data to comply with the Act.
  • Sensitive Data. Similar to the VCDPA, the Act includes a category for “sensitive data.” This is defined as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (ii) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (iii) personal data collected from a known child, or (iv) precise geolocation data.  Notably, sensitive data cannot be processed without consumer consent. In the case of sensitive data of a known child, the data must be processed according to the federal Children’s Online Privacy Protection Act (COPPA).  Also, controllers must conduct and document a data protection assessment specifically for the processing of sensitive data.
  • Consumer. The Act defines “consumer” as “an individual who is a resident of” Connecticut. Consumers under the Act do not include individuals acting (i) in a commercial or employment context or (ii) as employee, owner, director, officer or contractor of certain entities including a government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with that entity.
  • Consumer Rights. Consumers under the Act would be afforded the following personal data rights:
    • To confirm whether or not a controller is processing their personal data and to access such personal data;
    • To correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data;
    • To delete personal data provided by or obtained about them;
    • To obtain a copy of their personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means and without revealing trade secrets; and
    • To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) sale, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
  • Reasonable Data Security Requirement. The Act affirmatively requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
  • Data Protection AssessmentsThe Act imposes a new requirement for controllers: conduct data protection assessments (as mentioned above regarding sensitive data). Controllers must conduct and document data protection assessments for specific processing activities involving personal data that present a heightened risk of harm to consumers. These activities include targeted advertising, sale of personal data, profiling, processing of sensitive data. Profiling activities will require a data protection assessment when it would present a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational injury to consumers, (C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (D) other substantial injury to consumers. When conducting such assessments controllers must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer. Controllers also can consider how those risks are mitigated by safeguards that can be employed by the controller. Factors controllers must consider include the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
  • Enforcement. The Connecticut Attorney General’s office would have exclusive enforcement over the Act. During the first eighteen months the Act is effective, until December 31, 2024, controllers would be provided notice of a violation and will have a 60-day cure period. After that, the opportunity to cure may be granted depending on the Attorney General’s assessment of factors such as the number of violations, the size of the controller or processor, the nature of the processing activities, among others. Violations of the Act constitute an unfair trade practice under Connecticut’s Unfair and Deceptive Acts and Practices (UDAP) law. Under the UDAP, violations are subject to civil penalties of up to $5,000, plus actual and punitive damages and attorneys’ fees. The Act expressly excludes a private right of action.

Takeaway

Other states across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

Welcome to Utah - Life Elevated - Welcome Signs on Waymarking.comJust as businesses are preparing to ensure compliance with similar laws in California, Colorado, and Virginia, they soon will need to consider a fourth jurisdiction, Utah. On March 24, 2022, Governor Spencer Cox signed a measure enacting the Utah Consumer Privacy Act (UCPA). The UCPA is set to take effect December 31, 2023. Note, Georgia and Massachusetts may be the next states to enact similar laws.

Key Elements

Again, as with the Colorado Privacy Act (CPA) and the Virginia Consumer Data Privacy Act (VCDPA), UCPA was modeled in part on the CCPA, CPRA, and the EU General Data Protection Regulation (GDPR). But there are some variations. Key elements of the UCPA include:

  • Jurisdictional Scope. The UCPA apples to controllers or processors that
    • conduct business in Utah or produce a product or service that is targeted to consumers who reside in Utah; and
    • have annual revenue of $25 million or more; and
    • satisfy one or more of the following: (i) during a calendar year, control or process personal data of at least 100,000 consumers, or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

Notably, as indicated above, it is not required that a controller be located in Utah to be subject to the UCPA.

 

  • Exemptions. The UCPA has a long line of entities and data to which the law does not apply. Although not an exhaustive list, some examples of excluded entities include governmental entities and their contractors when working on their behalf, tribes, non-profit corporations, institutions of higher education, HIPAA covered entities and business associates, and financial institutions. The UCPA also excludes certain categories of personal information, such as protected health information under HIPAA, identifiable private information involved in certain human subject research, deidentified information, and personal data regulated by FERPA. The UCPA also exempts personal data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that collection and use of the data are related to the individual’s role. This last exemption generally includes employee and applicant data, including the administration of benefits for individuals relating to employees.

 

  • Personal Data. Using a simpler definition than the CCPA/CPRA, the UCPA defines personal data to mean, “information that is linked or reasonably linkable to an identified individual or an identifiable individual.”

 

  • Sensitive Data. Like both the GDPR and the CPRA, the UCPA addresses a subset of personal data referred to as “sensitive data.” This is defined as personal data that reveals such items as racial or ethnic origin (unless processed by a video communication service); religious beliefs; medical history, mental or physical health, and medical treatment (unless processed by certain health care providers); sexual orientation, or citizenship or immigration status. This category of personal data also includes genetic and biometric data, as well as geolocation data. In general, controllers may not process sensitive data without providing clear notice and an opportunity to opt-out.

 

  • Consumer. A “consumer” under the UCPA is “an individual who is a resident of Utah acting in an individual or household context.” Like the VCDPA, Utah’s law states a consumer does not include a “natural person acting in a commercial or employment context.”

 

  • Consumer Rights. Subject to the exemptions and other limitations set forth under the law, Utah residents will be afforded the following rights with respect to their personal data:
    • To confirm whether or not a controller is processing their personal data and to access such personal data;
    • To delete personal data that the consumer provided to the controller. It is unclear whether this includes data provided to a processor or other third party with respect to the controller;
    • To obtain a copy of their personal data that they previously provided to the controller in a portable and readily usable format that allows them to transmit the data to another controller without impediment, where the processing is carried out by automated means; and
    • To opt out of the processing of the personal data for purposes of (i) targeted advertising, or (ii) sale.

 

  • Controllers. Similar to the CCPA/CPRA, CPA, and VCDPA, controllers must provide an accessible and clear privacy notice that includes, among other things, the categories of personal data collected by the controller and how consumers may exercise a right with respect to their personal data. As with the CPRA, controllers are required to establish, implement, and maintain reasonable administrative, physical, and technical safeguards.

 

  • ProcessorsProcessors are persons that “process” (collect, use, store, disclose analyze, delete, or modify) personal information on behalf of controllers. Before processors may do so, they must enter into a contract that (i) clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties’ rights and obligations; (ii) requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and (iii) requires the processor to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the same obligations as the processor with respect to the personal data. Businesses with consumers in multiple states will have to compare these required provisions against those required under the CPRA, CPA, and VCDPA, as well as other privacy and security frameworks that may be applicable.

 

  • Enforcement. The Utah Attorney General’s office has exclusive enforcement over the UCPA. In addition, a controller or processor must be provided 30 days’ written notice of any violation, allowing the entity the opportunity to cure the violation. Failure to cure the violation allows the Attorney General to recover actual damages to the consumer and a fine of up to $7,500 per violation. A private right of action is not available under the UCPA.

Takeaway

States across the country are contemplating ways to enhance their data privacy and security protections. Accordingly, organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.

The Massachusetts Information Privacy and Security Act (MIPSA) continues to advance through the state legislative process, and is now before the full legislature. While the Act has several hurdles to clear before becoming law, its notable for two reasons. First, the comprehensive nature of the MIPSA exemplifies the direction state data protection laws are heading in the absence of a comprehensive federal consumer data protection law. Second, given the borderless nature of e-commerce, the most robust state consumer data protection law will likely become the de facto national consumer data protection law, and the MIPSA may take that title. This post highlights significant portions of the current version of the Act.

Who is protected? 

The MIPSA protects the personal information of Massachusetts residents.

Who is subject to the MIPSA?

The Act applies to an entity that has annual global gross revenue in excess of 25 million dollars; determines the purposes and means of processing of the personal information of not less than 100,000 individuals; or is a data broker. In addition, the entity conducts business in the state, or if not physically present in the state, processes personal information in the context of offering of goods or services targeted at state residents or monitors the in-state behavior of residents. Where an entity does not otherwise meet these criteria, it may voluntarily certify to the state Attorney General that it is in compliance with and agrees to be bound by the MIPSA.

Are any entities exempt?

Massachusetts state agencies and government bodies, national securities associations and registered futures associations are exempt.

What data is protected?

MIPSA applies to the personal information of a Massachusetts resident, which is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual. Personal information does not include de-identified information or publicly available information. For the limited purposes of a sale, personal information also includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable household.

Does the Act include special protections for Sensitive Information?

The Act carves out heightened protections for sensitive information. These include the right to notice of collection and use, and the right to limit use and disclosure to purposes necessary to perform the services or provide the goods requested, and for other controller internal uses as authorized by the Act.

Sensitive information is personal information that reveals an individual’s racial or ethnic origin, religious beliefs, philosophical beliefs, union membership, citizenship, or immigration status. It also includes biometric information or genetic information that is processed for the purpose of uniquely identifying an individual; personal information concerning a resident’s mental or physical health diagnosis or treatment, sex life or sexual orientation; specific geolocation information; personal information from a child; a Social Security Number, driver’s license number, military identification number, passport number, or state-issued identification card number; and a financial account number, credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account.

Is any personal information exempt from the Act?

Protected health information under HIPAA is exempt as is certain data, information, and health records created under HIPAA and Massachusetts state law. Exempt data also includes data collected, processed, or regulated with respect to clinical trials, the Health Care Quality Improvement Act of 1986, the Patient Safety and Quality Improvement Act, FCRA, Driver’s Privacy Protection Act, FERPA, the Farm Credit Act, GLBA, COPPA, the Massachusetts Health Insurance Connector and Preferred Provider Arrangements.

Does the MIPSA apply to employee personal information or information collected in the B2B context?

The Act also exempts personal information collected and processed in the context of an individual acting as a job applicant to, an employee of, or an agent or independent contractor of a controller, processor, or third-party including emergency contact information and information used to administer benefits for another person relating to the individual.

Information collected and used in the course of an individual acting in a commercial context is exempt.

What are the controller’s obligations under the MIPSA?

The Act creates an affirmative obligation to implement appropriate technical and organizational safeguards to ensure the security of the information. In addition, the controller must have a lawful basis to process the personal information. Processing must be done in a fair and transparent manner, which includes providing appropriate privacy notices at or before the point of collection. The controller must collect personal information for an identified and legitimate purpose and processing should be limited to what is necessary to achieve the purpose. The information must be accurate and retained only as long as necessary to achieve the purpose for which it was collected. For processing that may involve a high risk of harm to individuals, the controller may be obligated to conduct a risk assessment. When engaging a processor, the controller must enter into a data processing agreement with the processor that contains mandated provisions designed to ensure the privacy and security of personal information.

What rights do protected individuals have?

Massachusetts residents have the right to know, access, port, delete and correct their personal information, subject to certain limitations. The Act also provides for the right to opt out of the sale of personal information and limit the use and disclosure of sensitive information in particular with respect to targeted advertising. The data controller is prohibited from discriminating against the individual for exercising any of these rights.

Can my organization be sued for violations of the law?

The MIPSA does not include a private cause of action for violations of the Act. However, the proposed bill also amends the state data breach notification law to provide residents with a private right of action where their personal information was subject to a data breach resulting from the entity’s failure to implement reasonable safeguards.

How will the law be enforced?

The state Attorney General is authorized to commence a civil investigation when there is reasonable cause to believe an entity has engaged in, is engaging in, or is about to engage in a violation of the Act. After notice, the entity will have 30 days to cure the violation. In the event the entity fails to cure, the Attorney General may seek a temporary restraining order, preliminary injunction, or permanent injunction to restrain any violations r and may seek civil penalties of up to $7,500 for each violation.

Next steps?

The MIPSA sets a high bar for data protection practices. Whether enacted in whole or part, the Act provides a road map for where data protection laws are headed. Many of the 2022 proposed state laws follow or surpass the protections introduced by the CCPA. Preparing to meet each more comprehensive law will require continued data mapping, ongoing evaluation and development of written information security programs, heightened scrutiny of vendor relationships and agreements, risk assessments, and updated employee data protection and security awareness training.

We will continue monitor the progress of this bill.

Facial recognition, voiceprint, and other biometric-related technology are booming, and they continue to infiltrate different facets of everyday life. The technology brings countless potential benefits, as well as significant data privacy and cybersecurity risks.

Whether it is facial recognition technology being used with COVID-19 screening tools and in law enforcement, continued use of fingerprint-based time management systems, or the use of various biometric identifiers such as voiceprint for physical security and access management, applications in the public and private sectors involving biometric identifiers and information continue to grow … so do concerns about the privacy and security of that information and civil liberties. Over the past few years, significant compliance and litigation risks have emerged that factor heavily into the deployment of biometric technologies, particularly facial recognition. This is particularly the case in Illinois under the Biometric Information Privacy Act (BIPA).

Read our Special Report which discusses these concerns and the growing legislating activity. You can also access our Biometric Law Map

In honor of Data Privacy Day, we provide the following “Top 10 for 2022.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2022.

  1. State Consumer Privacy Law Developments

On January 1, 2020, the CCPA ushered into the U.S. a range of new rights for consumers, including:

  • The right to request deletion of personal information;
  • The right to request that a business disclose the categories of personal information collection and the categories of third parties to which the information was sold or disclosed; and
  • The right to opt-out of sale of personal information; and
  • The California consumer’s right to bring a private right of action against a business that experiences a data breach affecting their personal information as a result of the business’s failure to implement “reasonable safeguards.”

In November of 2020, California voters passes the California Privacy Rights Act (CPRA) which amends and supplements the CCPA, expanding compliance obligations for companies and consumer rights. Of particular note, the CPRA extends the employment-related personal information carve-out until January 1, 2023. The CPRA also introduces consumer rights relating to certain sensitive personal information, imposes an affirmative obligation on businesses to implement reasonable safeguards to protect certain consumer personal information, and prevents businesses from retaliating against employees for exercising their rights.  The CPRA’s operative date is January 1, 2023 and draft implementation regulations are expected by July 1, 2022. Businesses should monitor CCPA/CPRA developments and ensure their privacy programs and procedures remain aligned with current CCPA compliance requirements. For practical guidance on navigating compliance, check out our newly updated CCPA/CPRA FAQS.

In addition to California developments, in 2021, Virginia and Colorado also passed consumer privacy laws similar in kind to the CCPA, both effective January 1, 2023 (together with the CPRA). While the three state laws share common principles, including consumer rights of deletion, access, correction and data portability for personal data, they also contain key nuances, which pose challenges for broad compliance.  Moreover at least 26 states have considered or are considering similar consumer privacy laws, which will only further complicate the growing patchwork of state compliance requirements.

In 2022, businesses are strongly urged to prioritize their understanding of what state consumer privacy obligations they may have, and strategize for implementing policies and procedures to comply.

  1. Biometric Technology Related Litigation and Legislation

There was a continued influx of biometric privacy class action litigation in 2021 and this will likely continue in 2022. In early 2019, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under the Illinois’s Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of his/her rights under BIPA to qualify as an aggrieved person and be entitled to seek liquidated damages, attorneys’ fees and costs and injunctive relief under the Act.

Consequently, simply failing to adopt a policy required under BIPA, collecting biometric information without a release or sharing biometric information with a third party without consent could trigger liability under the statute. Potential damages are substantial as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. There continues to be a flood of BIPA litigation, primarily against employers with biometric timekeeping/access systems that have failed to adequately notify and obtain written releases from their employees for such practices.

Biometric class action litigation has also been impacted by COVID-19. Screening programs in the workplace may involve the collection of biometric data, whether by a thermal scanner, facial recognition scanner or other similar technology. In late 2020, plaintiffs’ lawyers filed a class action lawsuit on behalf of employees concerning their employer’s COVID-19 screening program, which is alleged to have violated the BIPA. According to the complaint, employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without prior consent from employees as required by law.  This case is still alive and well, at the start of 2022, after significant attempts by the defense, a federal district judge in Illinois declined to dismiss the proposed class action, as the allegations relating to violations regarding “possession” and “collection” of biometric data pass muster at this stage.  Many businesses have been sued under the BIPA for similar COVID related claims in the past year, and 2022 will likely see continued class action litigation in this space.

In 2021, biometric technology-related laws began to evolve at a rapid pace, signaling a continued trend into 2022.  In July 2021, New York City established BIPA-like requirements for retail and hospitality businesses that collect and use “biometric identifier information” from customers.  In September 2021, the City of Baltimore officially banned private use of facial recognition technology. Baltimore’s local ordinance prohibiting persons (including residents, businesses, and most of the city government) from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology”.  Other localities have also established prohibitions on use of biometric technology including Portland (Oregon), San Francisco. State legislatures have also increased focus on biometric technology regulation. In addition to Illinois’s BIPA, Washington and Texas have similar laws, and states including Arizona, Florida, Idaho, Massachusetts and New York have also proposed such legislation. The proposed biometric law in New York state would mirror Illinois’ BIPA, including its private right of action provision. In California, the CCPA also broadly defines biometric information as one of the categories of personal information protected by the law.

Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including 2021 amendment in Connecticut and 2020 amendments in California, D.C., and Vermont. Similar proposals across the U.S. are likely in 2022.

In response to the constantly evolving legislation related to biometric technology, we have created an interactive biometric law state map to help businesses that want to deploy these technologies, which inevitably require the collection, storage, and/or disclosure of biometric information, track their privacy and security compliance obligations.

  1. Ransomware Attacks

Ransomware attacks continued to make headlines in 2021 impacting large organizations, including Colonial Pipeline, Steamship Authority of Massachusetts, the NBA, JBS Foods, the D.C. Metropolitan Police Department and many more. Ransomware attacks are nothing new, but they are increasing in severity. There has been an increase in frequency of attacks and higher ransomware payments, in large part due to increased remote work and the associated security challenges.  The healthcare industry in particular has been substantially impacted by the onset of the COVID-19 pandemic  – a recent study by Comparitech found that ransomware attacks on the healthcare industry has resulted in a financial loss of over $20 billion in impacted revenue, litigation and ransomware payments and growing.

In fact, the FBI jointly with the Cybersecurity and Infrastructure Security Agency (CISA) went so far as to issue a warning to be on high alert for ransomware attacks for holidays in light of numerous targeted attacks over other holidays earlier in the year.

Moreover in 2021, the National Institute of Standards Technology (NIST)  released a preliminary draft of its Cybersecurity Framework Profile for Ransomware Risk Management. The NIST framework provides steps for protecting against ransomware attacks, recovering from ransomware attacks, and determining you organization’s state of readiness to prevent and mitigate ransomware attacks.

Ransomware continues to present a significant threat to organizations as we move into 2022. Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends.

Here are some helpful resources for ransomware attack prevention and response:

  1. Biden Administration Prioritizes Cybersecurity

In large part due to significant threat of ransomware attacks discussed above, the Biden Administration has made clear that cybersecurity protections are a priority. In May of 2021, on the heels of the Colonial Pipeline ransomware attack that snarled the flow of gas on the east coast for days, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, however was certainly prioritized as a result. The EO made a clear statement on the policy of the Administration, “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” This EO will mostly impacts the federal government and its agencies. However, several of the requirements in the EO will reach certain federal contractors, and also will influence the private sector.

Shortly after the Biden Administration issued the EO, it followed in August 2021 with the issuance of a National Security Memo (NSM) with the intent of improving cybersecurity for critical infrastructure systems. This NSM established an Industrial Control Systems Cybersecurity Initiative (the “Initiative”) that will be a voluntary, collaborative effort between the federal government and members of the critical infrastructure community aimed at improving voluntary cybersecurity standards for companies that provide critical services.

The primary objective of the Initiative is to encourage, develop, and enable deployment of a baseline of security practices, technologies and systems that can provide threat visibility, indications, detection, and warnings that facilitate response capabilities in the event of a cybersecurity threat.  According to the President’s Memo, “we cannot address threats we cannot see.”

And most recently, in early January 2022, President Biden issued an additional NSM to improve the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.  “Cybersecurity is a national security and economic security imperative for the Biden Administration, and we are prioritizing and elevating cybersecurity like never before…Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems,” stated the White House in its issuance of the latest NSM.

The U.S. government will continue to ramp up efforts to strengthen its cybersecurity as we head into 2022, impacting both the public and private sector. Businesses across all sectors should be evaluating their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.

  1. COVID-19 privacy and security considerations

During 2020 and 2021, COVID-19 presented organizations large and small with new and unique data privacy and security considerations. And while we had high hopes that increased vaccination rates would put this pandemic in the rearview mirror, the latest omicron strand showed us otherwise. Most organizations, particularly in their capacity as employers, needed to adopt COVID-19 screening and testing measures resulting in the collection of medical and other personal information from employees and others. While the Supreme Court has stayed OSHA’s ETS mandating that employers with 100+ employees require COVID-199 vaccination and the Biden Administration ultimately withdrew the same, some localities have instituted mandates depending on industry, and many employers have voluntarily decided to institute vaccine requirements for employees.  Ongoing vigilance will be needed to maintain the confidential and secure collection, storage, disclosure, and transmission of medical and COVID-19 related data that may now include tracking data related to vaccinations or the side effects of vaccines.

Several laws apply to data the organizations may collect in this instance. In the case of employees, for example, the Americans with Disability Act (ADA) requires maintaining the confidentiality of employee medical information and this may include COVID-19 related data. Several state laws also have safeguard requirements and other protections for such data that organization should be aware of when they or others on their behalf process that information.

Many employees will continue to telework during 2022 (and beyond). A remote workforce creates increased risks and vulnerabilities for employers in the form of sophisticated phishing email attacks or threat actors gaining unauthorized access through unsecured remote access tools. It also presents privacy challenges for organizations trying to balance business needs and productivity with expectations of privacy. These risks and vulnerabilities can be addressed and remediated through periodic risk assessments, robust remote work and bring your own device policies, and routine monitoring.

As organizations continue to work to create safe environments for the in-person return of workers, customers, students, patients and visitors, they may rely on various technologies such as wearables, apps, devices, kiosks, and AI designed to support these efforts. These technologies must be reviewed for potential privacy and security issues and implemented in a manner that minimizes legal risk.

Some reminders and best practices when collecting and processing information referred to above and rolling out these technologies include:

  • Complying with applicable data protection laws when data is collected, shared, secured and stored including the ADA, Genetic Information Nondiscrimination Act, CCPA, GDPR and various state laws. This includes providing required notice at collection under the California Consumer Privacy Act (CCPA), or required notice and a documented lawful basis for processing under the GDPR, if applicable.
  • Complying with contractual agreements regarding data collection; and
  • Contractually ensuring vendors who have has access to or collect data on behalf of the organization implement appropriate measures to safeguard the privacy and security of that data.
  1. “New” EU Standard Contractual Clauses

In July of 2020 the Court of Justice of the European Union (CJUE) published its decision in Schrems II which declared the EU-US Privacy Shield invalid for cross border data transfers and affirmed the validity standard contractual clauses (“SCCs) as an adequate mechanism for transferring person data from the EEA, subject to heightened scrutiny.  However, the original SCCs were unable to adequately address the EU Commission’s concerns about the protection of personal data.

On June 4, 2021, the EU Commission adopted “new” modernized SCCs to replace the 2001, 2004, and 2010 versions in use up to that point – effective since September 27,2021. The EU Commission updated the SCCs to address more complex processing activities, the requirements of the GDPR, and the Schrems II decision. These clauses are modular so they can be tailored to the type of transfer.  if a data exporter transfers data from the EU to a U.S. organization, the U.S. organization must execute the new SCCs unless the parties rely on an alternate transfer mechanism or an exception exists. This applies regardless of whether the U.S. company receives or accesses the data as a data controller or processor. The original SCCs apply to controller-controller and controller-processor transfers of personal data from the EU to countries without a Commission adequacy decision. The updated clauses are expanded to also include processor-processor and processor-controller transfers. While the existing SCCs were designed for two parties, the new clauses can be executed by multiple parties. The clauses also include a “docking clause” so that new parties can be added to the SCCs throughout the life of the contract.

The obligations of the data importer are numerous and include, without limitation:

  • documenting the processing activities it performs on the transferred data,
  • notifying the data exporter if it is unable to comply with the SCCs,
  • returning or securely destroying the transferred data at the end of the contract,
  • applying additional safeguards to “sensitive data,”
  • adhering to purpose limitation, accuracy, minimization, retention, and destruction requirements,
  • notifying the exporter and data subject if it receives a legally binding request from a public authority to access the transferred data, if permitted, and
  • challenging a public authority access request if it reasonably believes the request is unlawful.

The SCCs require the data exporter to warrant there is no reason to believe local laws will prevent the importer from complying with its obligations under the SCCs. In order to make this representation, both parties must conduct and document a risk assessment of the proposed transfer.

If an organization that transfers data cross border has not already done so it should be implementing the new procedures and documents for the SCCs. This is, of course, if they are not relying on an alternate transfer mechanism or an exception exists. Organizations will also need to review any ongoing transfers made in reliance on the old SCCs and take steps to comply. As with new transfers, this will require a documented risk assessment and a comprehensive understanding of the organization’s process for accessing and transferring personal data protected under GDPR. For additional guidance on the new EU SCCs, our comprehensive FAQs are available here.

  1. TCPA

In April 2021, the U.S. Supreme Court issued a monumental decision with significant impact on the future of Telephone Consumer Protection Act (TCPA) class action litigation. The court narrowly ruled to qualify as an “automatic telephone dialing system”, a device must be able to either “store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator”.  The underlying decision of the Ninth Circuit was reversed and remanding.

The Supreme Court unanimously concluded, in a decision written by Justice Sotomayor, that to qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store, or to produce, a telephone number using a random or sequential number generator.

“Expanding the definition of an autodialer to encompass any equipment that merely stores and dials telephone numbers would take a chainsaw to these nuanced problems when Congress meant to use a scalpel,” Justice Sotomayor pointed out in rejecting the Ninth Circuit’s broad interpretation of the law.

Moreover, Sotomayor noted that, “[t]he statutory context confirms that the autodialer definition excludes equipment that does not “us[e] a random or sequential number generator.””  The TCPA’s restrictions on the use of autodialers include, using an autodialer to call certain “emergency telephone lines” and lines “for which the called party is charged for the call”. The TCPA also prohibits the use of an autodialer “in such a way that two or more telephone lines of a multiline business are engaged simultaneously.” The Court narrowly concluded that “these prohibitions target a unique type of telemarketing equipment that risks dialing emergency lines randomly or tying up all the sequentially numbered lines at a single entity.”

The Supreme Court’s decision resolved a growing circuit split, where several circuits had previously interpreted the definition of an ATDS broadly  to encompass any equipment that merely stores and dials telephone numbers, while other circuits provided a narrower interpretation, in line with the Supreme Court’s ruling. It was expected the Supreme Court’s decision would help resolve the ATDS circuit split and provide greater clarity and certainty for parties facing TCPA litigation. In the six months following the Supreme Court’s decision, the Institute of Legal Reform documented a 31% drop in TCPA filings, compared to the six months prior to the ruling.  Nonetheless, many claims based on broad ATDS definitions are still surviving early stages of litigation in the lower courts, and some states have enacting (or are considering) “mini-TCPAs” which include a broader definition of ATDS. While the Supreme Court’s decision was considered a win for defendants facing TCPA litigation, organizations are advised to review and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance, as they move into 2022.

  1. Global Landscape of Data Privacy & Security

2021 was a significant year for the global landscape of data privacy and security.  As discussed above, on June 4th, the European Commission adopted new standard contractual clauses for the transfer of personal data from the EU to “third countries”, including the U.S. On August 20, China passed its first comprehensive privacy law, the Personal Information Protection Law (PIPL), similar in kind to the EU’s GDPR.  The law took effect in November of 2021.  In addition, China published 1) Security Protection Regulations on the Critical Information Infrastructure and 2) the Data Security Law which aim to regulate data activities, implement effective data safeguards, protect individual and entity legitimate rights and interests, and ensure state security – both effective September of 2021.  Finally, Brazil enacted  Lei Geral de Proteção de Dados Pessoais (LGPD), its first comprehensive data protection regulation, again with GDPR-like principles. The LGPD became enforceable in August of 2021.

In 2022, U.S. organizations may face increased data protection obligations as a result of where they have offices, facilities, or employees; whose data they collect; where the data is stored; whether it is received from outside the U.S.; and how it is processed or shared. These factors may trigger country-specific data protection obligations such as notice and consent requirements, vendor contractual obligations, data localization or storage concerns, and safeguarding requirements. Some of these laws may apply to data collection activities in a country regardless of whether the U.S. business is located there.

  1. Federal Consumer Privacy Law

Numerous comprehensive data protection laws were proposed at the federal level in recent years. These laws have generally stalled due to bipartisan debate over federal preemption and a private right of action. And while, every year, we ask ourselves whether this will be the year, 2022 may indeed be the year the U.S. enacts a federal consumer privacy law.  2022 has barely begun and a coalition which includes the U.S. Chamber of Congress together with local business organizations in over 20 states have issued a letter to Congress highlighting the importance of enacting a federal consumer privacy law as soon as possible.

“Data is foundational to America’s economic growth and keeping society safe, healthy and inclusive…Fundamental to the use of data is trust,” the coalition noted. “A national privacy law that is clear and fair to business and empowering to consumers will foster the digital ecosystem necessary for America to compete.”

Moreover, with California, Virginia, and Colorado all with comprehensive consumer privacy laws (as discussed above), and approximately half of U.S. states contemplating similar legislation, there is a growing patchwork of state laws that “threatens innovation and create consumer and business confusion,” as stated in the coalition’s letter to Congress.

Will 2022 be the year the U.S. government enacts a federal consumer privacy law? Only time will tell.  We will continue to update as developments unfold.

  1. Cyber Insurance

Over the past several years, if your organization experienced a cyberattack, such as ransomware or a diversion of funds due to a business email compromise (BEC), and you had cyber insurance, you likely were very thankful. However, if you are renewing that policy (or in the cyber insurance market for the first time), you are probably looking at much steeper rates, higher deductibles, and even co-insurance, compared to just a year or two ago. This is dependent on finding a carrier to provide competitive terms, although there are some steps organizations can take to improve insurability.

Claims paid under cyber insurance policies are significantly up, according to Marc Schein*, CIC, CLCS, National Co-Chair Cyber Center of Excellence for Marsh McLennan Agency who closely tracks cyber insurance trends. Mr. Schein identified the key drivers hardening the cyber insurance market: ransomware and business interruption.

According to Fitch Ratings’ Cyber Report 2020, insurance direct written premiums for the property and casualty industry increased 22% in the past year to over $2.7 billion, representing the demand for cyber coverage. The industry statutory direct loss plus defense and cost containment (DCC) ratio for standalone cyber insurance rose sharply in 2020 to 73% compared with an average of 42% for the previous five years (2015-2019). The average paid loss for a closed standalone cyber claim moved to $358,000 in 2020 from $145,000 in 2019.

The effects of these, other increases in claims, and losses from cyberattacks had a dramatic impact on cyber insurance. Perhaps the most concerning development for organizations in the cyber insurance market is the significantly increased scrutiny carriers are applying to an applicant’s insurability.

There are no silver bullets, but implementing administrative, physical and technical safeguards to protect personal information may dramatically reduce the chances of a cyberattack, and that is music to an underwriter’s ears. As an organization heads into 2022, ensuring such safeguards are instituted and regularly reviewed, can go a long way.

*      *     *     *     *

For these reasons and others, we believe 2022 will be a significant year for privacy and data security.

Happy Privacy Day!

Few want to get past the COVID-19 pandemic more than leaders of federal and state unemployment benefit departments. For the last 2 years they have been successfully targeted for fraud and data breaches, racking up billions in losses. Thousands of employees across the country, including yours truly, have had false claims submitted in their name.

Why is this happening? It appears to be a combination of factors, most leading back to one driving force – COVID-19. Congress’ passing rich unemployment compensation benefits to offset the economic carnage stemming from the pandemic created a significant incentive for criminal hackers, specifically the Pandemic Unemployment Assistance (PUA) program. During the same time, the numbers of workers in state unemployment offices went down due to layoffs, while the number of applications for unemployment benefits skyrocketed. Couple that with an expansion of benefits to workers without traditional pay stubs (e.g., gig workers) making verification harder, and data security gaps and challenges regularly facing state agencies and organizations generally, and there is a perfect storm for fraud and data breaches to proliferate.

Here’s a rundown of just some of the losses reported by Yahoo!news:

  • Oregon – $24 million in 2020
  • Washington – $646 million in 2020
  • California – $20 billion, since the start of the pandemic through October 2021
  • Federal – $87.3 billion since the start of the pandemic through September 30, 2021, per the DOL (relying on a historical improper payment rate of 10%).

What are some of the effects? There is, of course, a significant loss of taxpayer dollars, not to mention all the time spent trying to resolve the fraud, getting the much-needed benefits to those whose benefits were delayed due to the fraud, and implementing stronger controls.

With so many employees learning of and reporting false unemployment claims being submitted in their name, employers across the country have had to jump into to help. Frequently, many employees at a single company reported fraud at the same time, making it seem as if the company was the victim of a breach. While it is always important to appropriately investigate suspected data incidents, a compromise to the employer’s systems generally was not the reason for the employees’ reports in these cases.

Is it coming to an end? Maybe not. On Friday, Pennsylvania’s Department of Labor and Industry (L&I) reported it is investigating “sophisticated attacks” on its systems. According to reports,

unemployment recipients stopped receiving their checks, and that L&I telephone agents told they were among numerous Pennsylvanians whose direct-deposit banking information had been changed

What can affected organizations and individuals do? Affected federal and state agencies have been and continue to be taking steps to minimize these attacks and the resulting fraud. One of those steps is to deploy facial recognition technologies to more strongly verify the the identities of claimants. By late summer, more than half of the states in the U.S. have contracted with ID.me to provide ID verification services. For private sector organizations, the deployment of such technologies to verify identities of customers and employees faces a growing web of regulation.  Other efforts to curb this kind of activity includes steps all organizations might consider, like enabling multi-factor authentication (MFA). This is something the PA L&I wished it did. Hopefully, pandemics are not regular occurrences. But planning for business interruption is critical.

For organizations and their employees affected by unemployment fraud, it is important to quickly report incidents and follow recommended steps by the applicable agency. Below are just a few of the online resources that may be helpful.

Efforts to secure systems and data from a cyberattack often focus on measures such as multifactor authentication (MFA), endpoint monitoring solutions, antivirus protections, and role-based access management controls, and for good reason. But there is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.

In December 2021, RIPTA sent notification of a data breach to several thousand individuals who were not RIPTA employees. Reports of the incident prompted inquiries from a state Senator in Rhode Island, Louis P. DiPalma, and union officials who represented the affected individuals. According to Rhode Island’s Department of Administration (DOA), a forensic analysis conducted in connection with the incident indicates the affected files included health plan billing records pertaining to State of Rhode Island employees, not RIPTA employees. The DOA goes on to state that:

[s]tate employee data was incorrectly shared with RIPTA by an external third party who had responsibility for administering the state’s health plan billing.

An investigation is underway to confirm exactly what happened. The content of recent conversations between state officials and union representatives reported in the press indicate that an RIPTA payroll clerk received a file containing state employee health plan data in August 2020, stored it on the employee’s hard drive, where it remained until August 2021, when the cyberattack on RIPTA occurred. It is unclear why the employee received the information, from whom, or whether it was appropriate to maintain it.

Regardless, the “minimum necessary” principle, simply stated, requires that organizations take reasonable steps so that confidential and personal information are only accessed, used, maintained, or disclosed to carry out the applicable business functions. Consider, for example, that retention policies are becoming increasingly important from a compliance perspective, such as with regard to the California Privacy Rights Act of 2020 (CPRA), which amends and supplements the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and the Illinois Biometric Information Privacy Act (BIPA).  This principle can be applied at multiple points in the operations of the organization, including without limitation:

  • When requesting information. Think about what elements of information the organization collects from customers, students, patients, vendors, employees, and others. Is it more information than is needed to carry out the purpose(s) for the collection? Can portals, forms, etc. be modified to limit the information collected?
  • When receiving information. Employees cannot always control the information they receive from parties outside the organization. But when they do, what steps or guidelines are in place to determine what is needed and what is not needed? For information that is not needed, what is the process for alerting the sender, if necessary, returning the data, and/or removing it from the systems?
  • When using information. Employees carry out many critical business functions that require the use of confidential and personal information. Do they always need all of it? Are there instances where less information can be sufficient for the processing of an important business function.
  • When storing information. The task at hand has been completed and the question becomes what information should be retained. The answer can be a complex web of legally mandated retention requirements, contractual obligations, business needs, and other considerations. But organizations should carefully analyze these issues an establish protocols for employees to follow. Note that under the CPRA, a covered business may not retain a consumer’s personal information for longer than is reasonably necessary for the stated purpose it was collected.
  • When responding to requests or disclosing information. Whether engaging in billing and collection activities, responding to an attorney demand letter, reporting information to the government, administering benefit plans for employees, or any number of other typical business functions, organizations make disclosures of confidential and personal information. Important questions to ask are (i) what data does the requesting party really need, (ii) what classifications of information are actually in the file being disclosed and are there limitations on the disclosure of that information, and (iii) whether the response or disclosure can have the same effect with less data.

In thinking about these questions, there may not be a clear right or wrong answer to whether the information should or should not have been collected, used, stored, or disclosed. However, from a risk management perspective, it is helpful to review business procedures, practices, operations, forms, etc. for ways to minimize exposure to confidential and personal information. Applying the minimum necessary principle can be an effective way of minimizing the organization’s data footprint so that should it experience a security incident, there is the possibility for less data to be compromised.