When the California Privacy Rights Act (CPRA) was enacted, it created the California Privacy Protection Agency (CPPA) and delegated to the CPPA significant regulatory authority. One of the areas of that authority is cybersecurity, which includes performing cybersecurity audits annually. On September 8, 2023, the CPPA considered a draft set of regulations that would establish rules for conducting cybersecurity audits.

It is important to note that California currently mandates certain businesses to maintain reasonable security procedures and practices to protect personal information.

  • Civil Code Section 1798.100(e), under the CCPA, provides:

A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

  • Civil Code Section 1798.81.5, provides:

(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure.

A couple of observations about these provisions:

  • Section 1798.100, which is part of the CCPA, applies to “businesses” that are subject to the CCPA. Section 1798.80(a) defines “business” more broadly to include “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit.” So, while the CCPA generally applies to for-profit entities, this section of the Civil Code applies to businesses whether or not they are organized for profit.
  • As the CPPA begins to establish regulations governing the personal information held by one set of “businesses,” those covered under the CCPA, California already provides guidance for businesses covered by Civil Code Section 1798.81.5, and that guidance includes audit requirements as well. In February 2016, the then-California Attorney General and now Vice President, Kamala D. Harris, issued a California Data Breach Report. According to that report, a business’s failure to implement all of the controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security. Of course, the CCPA appears to incorporate the requirements of Civil Code Section 1798.81.5. Nonetheless, businesses will need to figure out which cybersecurity standard applies to them.

So, what do the draft CCPA cybersecurity audit regulations say? Here is a summary of just some of the proposed requirements for such audits:

  • The requirement for a covered business to complete the audit will be based on whether the business’s processing of personal information presents a significant risk to consumers’ security. The draft regulations are beginning to craft the factors for determining when there will be a significant risk. One factor that would trigger the audit requirement is that the business derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information. However, the CPPA is considering other factors, such as the business having more than a to-be-determined amount of gross revenue or number of employees.
  • Cybersecurity audits would be required to be performed by a “qualified, objective, independent professional [auditor] using procedures and standards generally accepted in the profession of auditing.” However, the auditor would not need to be external to the business, provided such an auditor can exercise impartial judgment – e.g., such an auditor should not be auditing the cybersecurity program the auditor helped to create. The audit would need to include the auditor’s name, affiliation, and relevant qualifications to complete the cybersecurity audit in such detail as necessary to fully describe the nature of their qualifications; and the number of hours that each auditor worked on the cybersecurity audit.
  • The cybersecurity audit would need to:
    • Assess, document, and summarize each applicable component of the business’s cybersecurity program;
    • Specifically identify any gaps or weaknesses in the business’s cybersecurity program;
    • Specifically address the status of any gaps or weaknesses identified in any prior cybersecurity audit; and
    • Specifically identify any corrections or amendments to any prior cybersecurity audits.
  • The audit would have to assess and document certain components of the cybersecurity program with “specificity.” One such component is the safeguards the business has in place, such as multi-factor authentication, encryption, zero trust architecture, access management, audit log management, response to security incidents, etc. If a component is not available, the audit would be required to document and explain why it is not necessary and how other safeguards provide at least equivalent security; a standard not too dissimilar to the “addressable” rule for implementation specifications under the HIPAA Security Rule.
  • The cybersecurity audit would need to be reported to the business’s board of directors or governing body, or if no such board or equivalent body exists, to the highest-ranking executive in the business responsible for the business’s cybersecurity program. Notably, the audit would need to include certain statements, such as a certification that such governing body or highest-ranking executive has reviewed the cybersecurity audit and understands its findings.
  • If the business provided notifications to affected consumers under California’s breach notification law for businesses, the cybersecurity audit would have to include a description of those notifications and, where applicable, a description of the notification to the California Attorney General.
  • Service providers and contractors would be required to cooperate with businesses completing such audits, including making available all “relevant information that the auditor deems necessary for the auditor to complete the business’s cybersecurity audit.”
  • A written certification of completion of the audit would be required to be submitted to the CPPA, signed by a member of the board or highest-ranking executive.

If you have questions about the CPPA Cybersecurity Draft Regulations or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

What do ransomware, Yelp, and website tracking technologies all have in common? They are troubling areas of concern for HIPAA covered entities and business associates, according to one official from the federal Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules. Recently, the Executive Editor of Information Security Media Group’s (ISMG’s) HealthcareInfoSecurity.com media site, Marianne Kolbasuk McGee, sat down with Susan Rhodes, the OCR’s acting deputy for strategic planning and regional manager, to discuss these issues.

We briefly summarize the discussion below, but you can access the short interview here (~10 min.). It is worth a listen.

Ms. Rhodes outlined three troublesome areas that OCR is watching closely:

  • Hacking/ransomware. Obviously, this continues to be a significant problem for the healthcare sector. According to Ms. Rhodes, ransomware attacks are up 278% in the last 5 years. Developing, maintaining, and practicing an incident response plan is one important tool for dealing with these and other attacks.
  • Online reviews. Negative comments made by customers/patients on popular online review services, such as those offered by Yelp and Google, can be upsetting for any small business. Practitioners in the health care sector, such as physicians, dentists, etc., have to be particularly careful when responding to patient complaints on such platforms, if they respond at all. Their responses could result in the wrongful disclosure of protected health information of their patients, resulting in significant OCR enforcement actions such as occurred here and here.
  • Website tracking technologies. Calling this a “hot” area and referencing OCR investigations across the country, Ms. Rhodes directed listeners to the OCR guidance on tracking technologies issued in December 2022. Specifically, she reminded HIPAA covered entities of key considerations when using website tracking technologies including, without limitation, the potential need for business associate agreements and patient consent.

Ms. McGee also inquired about areas where covered entities and business associates’ HIPAA compliance frequently falls short. Ms. Rhodes mentioned a few:

  • Risk analysis – which is foundational to the policies and procedures adopted by covered entities and business associates.
  • Access controls – in short, making sure employees and other workforce members at the covered entity or business associate only have access to the PHI needed to perform their job.
  • Audit controls – regularly reviewing system activity, log files, etc. to identify irregular activity or potential compromises to PHI.

The HIPAA privacy and security rules continue to raise significant compliance challenges for covered entities and business associates. It is important to note that those challenges do not exist only in the physician’s office; they must be managed online as well, including on organizations’ websites.

On July 18, 2023, Oregon’s Governor signed Senate Bill 619 which enacts Oregon’s comprehensive consumer data privacy statute. Oregon joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia in enacting a comprehensive consumer privacy law. Most of the sections of the law are scheduled to take effect on July 1, 2024, with a delayed effective date of July 1, 2025, for non-profit organizations.

When does the law apply?

The statute applies to any person that conducts business in the State of Oregon or that provides products or services to residents of the state and that, during a calendar year, controls or processes:

  • The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or,
  • The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

The following are some of the types of businesses that are exempted from the statute:

  • A public corporation
  • Covered entities or business associates processing protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
  • Organizations subject to the Gramm-Leach-Bliley Act.

Who is protected by the law?

The law protects consumers, defined as a natural person who resides in the State of Oregon and acts in any capacity other than in a commercial or employment context.

What data is protected by the law?

Personal data that is protected under the statute is defined as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”

It does not include:

  • Deidentified data
  • Data that is lawfully available through federal, state, or local government records or through widely distributed media
  • Data the controller reasonably understood to have been lawfully made available to the public by the consumer.

The statute also includes biometric data under personal data. Under the legislation, biometric data is defined as personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voice print, iris pattern, gait, or other unique biological characteristics that allow or confirm the unique identification of a consumer.

What are the rights of consumers?

Under the new legislation, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a digital copy of the data the consumer previously provided, if available;
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer; and
  • Obtain a list of “specific third parties” to whom a controller discloses personal data.

What obligations do businesses have?

The legislation requires that businesses post a privacy policy that describes the categories of personal information the business collects, the purpose of the collection, the categories of third parties with whom the personal information is shared, and an explanation of the consumer’s rights.

Covered businesses must also include a “clear and conspicuous” description of any processing done for the purpose of targeted advertising.

Eventually, covered businesses will be required to recognize universal opt-out mechanisms, though that portion of the statute does not take effect until January 1, 2026.

How is the law enforced?

The State Attorney General has exclusive authority to enforce the statute, and the statute does not create a private right of action.

If you have questions about Oregon’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On June 26, 2023, the Governor of Connecticut signed Senate Bill (SB) 3 which set forth new requirements related to consumer health data and protections for minors online.

As Connecticut’s comprehensive consumer privacy law took effect on July 1, 2023, the state has expanded privacy requirements under SB 3. Similar to Washington and Nevada, Connecticut sets standards for accessing and sharing consumer health data by private entities. The health data portions of the legislation took effect July 1, 2023.

Health Data Defined

Under the new legislation, consumer health data is defined as personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis and includes but is not limited to gender-affirming health data and reproductive or sexual health data.

Certain types of information are excluded from coverage including protected health information under the Health Insurance Portability and Accountability Act (HIPAA).

Protections for Health Data

Covered entities are prohibited from collecting or sharing health data without a consumer’s consent. Health data also may not be sold unless the consumer has completed a specified consent form.

The law also prohibits anyone from implementing a geofence to identify, track, collect data from, or send notifications or messages to a consumer that enters the virtual perimeter around a healthcare provider or facility.

Protections for Minors

Under the legislation, certain social media platforms are prohibited from establishing accounts for a minor under the age of 16 without a parent’s or guardian’s consent.

Moreover, covered platforms must delete a minor’s social media account and cease processing personal data within 10 days of receiving a request.

Some of the protections pertaining to minors do not take effect until October 1, 2024.

Enforcement

Under the legislation, any violation of either the consumer health data or online service provisions is enforced solely by the state attorney general. There is no private right of action created.

If you have questions about the changes to Connecticut’s Privacy Law or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On June 18, 2023, Texas’ Governor signed House Bill (HB) 4 which enacts the Texas Data Privacy and Security Act. Texas joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. Most of the sections of the law are scheduled to take effect July 1, 2024.

When does the law apply?

In general, the law applies to businesses (referred to as “controllers”) that:

  • Conduct business in the state of Texas or produce a product or service consumed by Texas residents; and
  • Process or engage in the sale of personal data.

The law does not apply to small businesses (as defined by the Small Business Administration). In addition to several categories of personal data that are excluded from coverage under the law, the following entities are specifically exempted:

  • State agencies or political subdivisions;
  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
  • Covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA);
  • Non-profit organizations;
  • Institutions of higher education; and
  • Electric utilities.

Who is protected by the law?

A consumer protected under the law is defined as an individual who is a resident of the state of Texas acting only in an individual or household context. A consumer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

Personal data is protected under the legislation and defined as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, but does not include de-identified data or publicly available information.

Under the law, sensitive data includes any data revealing a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, as well as any genetic or biometric data used for identifying an individual, any personal data collected from a known child, or any precise geolocation data.

What are the rights of consumers?

Under the new legislation, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a digital copy of the data the consumer previously provided, if available; and
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

What obligations do businesses have?

Limitations on Collection

Covered controllers must limit the collection of personal data to only what is adequate, relevant, and reasonably necessary for the purpose for which the personal data is being processed, as disclosed to the consumer. They must also implement “reasonable” security practices to protect the confidentiality and integrity of the data.

Consent

In addition, controllers must obtain a consumer’s consent before (1) processing personal data for any other purpose than what was disclosed or (2) processing the sensitive data of a consumer. Controllers are barred from using the data to discriminate against consumers.

Notice to Consumers

Controllers must also provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purpose of processing personal data;
  • How consumers may exercise their rights;
  • If applicable, the categories of personal data shared with third parties;
  • If applicable, the categories of third parties with whom the controller shares personal data; and
  • A description of the methods through which consumers can submit requests to exercise rights.

In addition, controllers who engage in the sale of sensitive data or biometric personal data must give specific notices (posted in the same location and manner as the privacy notice):

  • “NOTICE: We may sell your sensitive personal data.”
  • “NOTICE: We may sell your biometric personal data.”

Data protection assessments

Whenever a controller processes any sensitive data or processes personal data for targeted advertising, the sale of personal data, specific forms of profiling, or any activity that presents a heightened risk of harm to consumers, the controller is required to prepare a detailed data protection assessment.

Consumer Rights

Controllers must also make available two or more secure and reliable methods to enable consumers to submit a request to exercise their rights under the legislation, as well as establish an appeal process that is “conspicuously available” and similar to the process established for initially exercising their rights. When a consumer seeks to exercise their rights, the controller must respond to the request without undue delay, but no later than 45 days after the receipt of the request (but may, in some circumstances, extend the response deadline once by an additional 45 days). If the controller declines the consumer’s request, it must provide justification for its decision and instructions on how to appeal the decision. If the controller denies the appeal, the controller must provide the consumer with the online mechanism to submit the complaint to the Attorney General.

How is the law enforced?

Under the law, there is no private cause of action for consumers. Instead, the Attorney General has exclusive authority to enforce the new restrictions and must establish an online mechanism through which a consumer may submit a complaint.

If the Attorney General has “reasonable cause” to believe someone has violated the law, it may issue a civil investigative demand and require a controller to disclose any relevant data protection assessment to facilitate its investigation. If the Attorney General identifies violations of the law, it must send a notice of violation to the controller at least 30 days before bringing the action and allow the controller an opportunity to cure. If the controller cures the violation within the 30-day period, the Attorney General may not bring an action against the controller.

If the Attorney General brings such an action, it may seek civil penalties and injunctive relief, and recover attorney’s fees and expenses incurred during both the initial investigation and the subsequent legal action.

Texas’ new consumer privacy law is comprehensive, and the summary above reflects only the highlights of the new obligations and risks presented to businesses operating in Texas. For more information or if you have questions or concerns or require guidance on how to bring your operations into compliance with the new law, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

It is not the first time we have written about complaints, OCR settlements, and even jail time following snooping by hospital employees into patient records. For example, as COVID raged, an investigation showed that for approximately 10 months ending in February 2021, an employee at a California state hospital improperly accessed approximately 2,000 individuals’ COVID-19 related data, including test results. Preventing these kinds of breaches can be difficult, especially when system access is needed to facilitate the efficient and often urgent delivery of health care.

Yesterday, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with a not-for-profit community hospital under HIPAA. As many do, the settlement resulted from an investigation of a data breach report submitted by the hospital. According to the report, 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in the hospital’s electronic medical record (EMR) system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information. The breach affected 419 individuals.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

In addition to agreeing to pay $240,000, the hospital also agreed to be monitored under a two-year corrective action plan (CAP). The CAP included the following steps:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
  • Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures; and
  • Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Digging into the details of the settlement and CAP, it is clear OCR is focused on access management – ensuring appropriate access between systems, ensuring access only for those who need it, providing training about access, etc. Another consideration, prudent for any kind of surveillance, is monitoring the monitors: for example, regularly reviewing access logs to assess whether the activity they record was appropriate.

Organizations, whether covered by HIPAA or not, engaged in monitoring and surveillance activities should be thinking about how to control the nature and extent of that monitoring and surveillance to avoid unintended consequences. This includes assessing the safeguards implemented by third-party vendors supporting the systems, devices, and activities. Data security should not be focused only on systems designed to prevent external hackers, but also on what can be done internally to prevent unauthorized access, uses, and disclosures of confidential and sensitive personal information by insiders such as employees.

FTC Safeguards Law (and Car Dealerships)

June 9th marked the deadline for financial institutions, including certain non-banking institutions that collect or maintain sensitive customer information (e.g., car dealerships), to implement a comprehensive information security program to comply with the Federal Trade Commission’s updated Safeguards Rule. For additional information, see our post: Reminder: The FTC “Safeguards Rule” Compliance Date is Next Month.

State Consumer Data Protection Laws

Enforcement of the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), begins July 1, 2023. For more information, see our post: Employers Get Ready – CCPA Employee and B2B Exemptions End, Expanded Privacy Compliance Begins in 2023.

The Colorado Privacy Act goes into effect on July 1, 2023, and applies to a “controller” that conducts business in the State of Colorado, determines the purposes and means of processing personal data, and satisfies at least one of the following requirements: controls or processes the personal data of more than 100,000 Colorado residents per year or derives revenue from selling the personal data of more than 25,000 Colorado residents. For additional information, see our post: Version 2 Proposed Draft Rules for the Colorado Privacy Act.

The Connecticut Act Concerning Personal Data Privacy and Online Monitoring also goes into effect on July 1, 2023, and applies to a “controller” that conducts business in Connecticut or produces products or services that are targeted to residents of Connecticut and, during the preceding calendar year, either: controlled or processed personal data for at least 75,000 Connecticut residents, or controlled or processed personal data of at least 25,000 Connecticut residents and derived over 25 percent of gross revenue from the sale of personal data. For more information, see our post: Connecticut Likely to Become Fifth State to Enact Comprehensive Consumer Privacy Law.

The Florida “Digital Bill of Rights” provision prohibiting government employees and entities from using their position and/or state resources for the purpose of moderating content on social media platforms, including requesting removal of content, goes into effect on July 1, 2023. For additional information, see our post: Florida Passes “Digital Bill of Rights”.

State Data Breach Notification Laws

The amended Texas Data Breach Notification law goes into effect on September 1, 2023. The amended law revises the deadline for businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents from 60 days to “as soon as practicable and not later than 30 days” and now requires such persons to submit the notification via an electronic form accessible on the Attorney General’s website. For additional information, see our post: Texas Tightens State’s Data Breach Notification Law.

Florida Telephone Solicitation Act

On May 25, 2023, the Governor of Florida signed a bill amending the Florida Telephone Solicitation Act (FTSA). The amendments become effective immediately upon signing by the Governor and apply retroactively to any class action not certified on or before May 25, 2023. For additional information on these amendments, see our post: Amendments to Florida Telephone Solicitation Act Provides Relief for Businesses.

Social Security Numbers

The Virginia law prohibiting employers from using an employee’s Social Security number or any derivative as an employee’s identification number takes effect July 1, 2023. You can find more information on the law in our post: Virginia Passes Legislation Prohibiting the Use of Employees’ Social Security Numbers as Identifiers.

AI and Automated Employment Decision Tools

The New York City “AI Law” (New York City Local Law 144), which prohibits employers from using automated employment decision tools for screening applicants and employees within New York City unless a bias audit has been conducted and notice provided, takes effect July 5, 2023. For more information, see our post: Employer Alert: New York City Issues Final Rules on Automated Employment Decision Tools Law.

Cross Border Transfers of Personal Data

June 1, 2023, marked the effective date for implementing the “Standard Contract” in appropriate circumstances for transfers of personal data, including employee data, out of China to third countries in accordance with China’s Personal Information Protection Law. For more information see our webinar: Transferring Employee and Customer Data from China to the United States: Using the Appropriate Transfer Mechanism.

Complying with these new or amended laws may require multiple steps including reviewing your organization’s data collection activities, updating relevant notices as well as internal policies and procedures, and conducting employee training.

If you have questions about data protection laws, cybersecurity, or related issues, contact a member of our Privacy, Data, and Cybersecurity practice group to discuss.

At the start of 2023, the New York State legislature introduced several privacy-related bills. One of those bills, S365, appears to be gaining momentum. It was reported and committed to the Internet and Technology Committee on April 25, was amended on May 18, and was further amended and recommitted to the Finance Committee on June 4.

If it becomes law, S365 would require organizations to make disclosures regarding their data processing practices, impose limitations on sharing personal information, require data protection impact assessments in certain situations, and grant consumers an array of rights, including to access, correct, and/or delete their personal information. 

Among the other data privacy and security bills under consideration are the following:

  • A417 would restrict the disclosure of personal information and require that organizations make available to customers, free of charge, access to or copies of their personal information.
  • A1366 would require advertising networks to post a clear and conspicuous notice on the home pages of their websites regarding their privacy policies and the data collection and use practices associated with their advertising delivery activities.
  • S2277 would require any entity that conducts business in the state and maintains the personal information of 500 or more individuals to provide meaningful notice of their use of personal information. The law would also prohibit unlawful discriminatory practices relating to targeted advertising.
  • S3162 would grant consumers the right to request that organizations disclose the categories of any specific personal information they collect, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Along with this flurry of legislative activity, State enforcement agencies have, in recent months, announced several notable data breach settlements. For instance, lender and mortgage servicer OneMain agreed to pay $4.25M to resolve a New York State Department of Financial Services enforcement action, and healthcare professional services provider PracticeFirst agreed to pay $550,000 (and to implement a variety of measures to bolster its data security program) to resolve an enforcement action by the State Attorney General.

As is evident from the above, organizations that collect and process personal information related to New York residents need to be proactive in managing their data privacy and security risk. The web of compliance obligations in this space is expanding quickly, and the consequences of non-compliance are becoming more and more significant.

Jackson Lewis will continue to monitor the fast-changing landscape in New York and similar developments across the country and internationally. If you have questions about New York’s proposed legislation or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On May 19, 2023, Montana’s Governor signed Senate Bill 384, the Consumer Data Privacy Act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. The law is scheduled to take effect on October 1, 2024.

When does the law apply?

The law applies to a person who conducts business in the state of Montana and:

  • Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction; or
  • Controls and processes the personal data of not less than 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data.

Hereafter these covered persons are referred to as controllers.

The following entities are exempt from coverage under the law:

  • A body, authority, board, bureau, commission, district, or agency of the state or any political subdivision of the state;
  • A nonprofit organization;
  • An institution of higher education;
  • A national securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934;
  • A financial institution or an affiliate of a financial institution governed by Title V of the Gramm-Leach-Bliley Act;
  • A covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act (HIPAA).

Who is protected by the law?

Under the law, a protected consumer is defined as an individual who resides in the state of Montana.

However, the term consumer does not include an individual acting in a commercial or employment context, or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency, whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

What data is protected by the law?

The statute protects personal data, defined as information that is linked or reasonably linkable to an identified or identifiable individual.

There are several exemptions to protected personal data, including for data protected under HIPAA and other federal statutes.

What are the rights of consumers?

Under the new law, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data;
  • Access personal data processed by a controller;
  • Delete personal data;
  • Obtain a copy of personal data previously provided to a controller; and
  • Opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

What obligations do businesses have?

The controller shall comply with requests by a consumer set forth in the statute without undue delay, but no later than 45 days after receipt of the request.

If a controller declines to act regarding a consumer’s request, the business shall inform the consumer without undue delay, but no later than 45 days after receipt of the request, of the reason for declining.

The controller shall also conduct and document a data protection assessment for each of its processing activities that presents a heightened risk of harm to a consumer.

How is the law enforced?

Under the statute, the state attorney general has exclusive authority to enforce violations of the statute. There is no private right of action under Montana’s statute.

For additional information on Montana’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On May 11, 2023, Tennessee’s Governor signed Senate Bill 0073, the Tennessee Information Protection Act, making the state the eighth state to pass consumer privacy legislation. Tennessee joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia, which have previously passed consumer privacy statutes.

Tennessee’s law will take effect July 1, 2025.

When does this law apply?

The law will apply to persons that conduct business in the state of Tennessee or produce products or services that are targeted to Tennessee residents and that:

  • During the calendar year, control or process the personal information of at least 100,000 consumers; or
  • Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Covered persons hereafter are referred to as controllers.

Are there exemptions?

Entities not subject to the Act include Tennessee and its state agencies, financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, and institutions of higher education.

There also are several categories of personal information exempted from the Act, including without limitation personal information protected by the Family Educational Rights and Privacy Act (FERPA) and the Driver’s Privacy Protection Act.

Who is protected by the law?

Under the statute, individuals referred to as “consumers” are protected. A consumer is defined as a natural person who is a resident of the state of Tennessee and acts only in a personal context.

What personal information is protected by the law?

Under the statute, protected personal information includes:

  • Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Information that identifies, relates to, describes, or could be associated with a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information;
  • Characteristics of protected classifications under state or federal law;
  • Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric data;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available information.

Personal information also includes “sensitive data,” which means:

  • Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal information collected from a known child; or
  • Precise geolocation data.

Personal information does not include information that is:

  • Publicly available; or
  • De-identified or aggregate consumer information.

What are the rights of consumers?

Under the statute, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal information and to access the personal information.
  • Correct inaccuracies in the consumer’s personal information.
  • Delete personal information provided by or obtained about the consumer.
  • Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller.
  • Request information about personal information the controller sold or disclosed to third parties.
  • Opt out of the controller selling the personal information of the consumer.

What obligations do controllers and processors have?

Under the statute, a controller shall respond to requests from a consumer without undue delay, but no later than 45 days from the date of receipt of the request. If the controller declines to take action upon a consumer’s request, the controller shall inform the consumer without undue delay, but no later than 45 days from receipt.

The controller is required to take certain steps to ensure transparency of its processing, including:

  • Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices; and
  • Not process “sensitive data” without obtaining the consumer’s consent, provided that in the case of a child, the controller does so in accordance with the federal Children’s Online Privacy Protection Act.

Controllers shall conduct and document a data protection assessment of each of the following processing activities:

  • The processing of personal information for purposes of targeted advertising;
  • The sale of personal information;
  • The processing of personal information for purposes of profiling, where the profiling presents a foreseeable risk;
  • The processing of sensitive data; and
  • Any processing of personal information that presents a heightened risk of harm to consumers.

Upon receipt of an authenticated consumer request, a controller must provide a “reasonably accessible, clear, and meaningful privacy notice,” the contents of which are similar to, but not as expansive as, those required by the California Consumer Privacy Act (CCPA).

With respect to processors, the Act requires that they adhere to the instructions of controllers, such as assisting the controller with responding to consumer requests. Contracts between controllers and processors are required and must include certain provisions, such as (i) instructions for processing personal information, (ii) the nature, purpose, and duration of the processing, and (iii) the type of data subject to the processing. Other required provisions include (i) a requirement that the processor make available all information in its possession needed to demonstrate its compliance with the Act, (ii) a requirement that the processor cooperate with reasonable assessments of compliance by the controller (or arrange for a qualified and independent assessor), and (iii) an obligation on the processor to push the Act’s required provisions down to its subcontractors.

How is the law enforced?

The Attorney General and Reporter has exclusive authority to enforce the statute, which may include bringing an action in a court of competent jurisdiction.

The Act requires controllers and processors to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” Among the requirements for a privacy program is that it disclose the commercial purposes for which the controller or processor collects, controls, or processes personal information. Maintaining such a program is not only important for compliance purposes; it also provides an affirmative defense to a cause of action for a violation of the law.

For additional information on Tennessee’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.