The Massachusetts Information Privacy and Security Act (MIPSA) continues to advance through the state legislative process and is now before the full legislature. While the Act has several hurdles to clear before becoming law, it is notable for two reasons. First, the comprehensive nature of the MIPSA exemplifies the direction state data protection laws are heading in the absence of a comprehensive federal consumer data protection law. Second, given the borderless nature of e-commerce, the most robust state consumer data protection law will likely become the de facto national consumer data protection law, and the MIPSA may take that title. This post highlights significant portions of the current version of the Act.

Who is protected? 

The MIPSA protects the personal information of Massachusetts residents.

Who is subject to the MIPSA?

The Act applies to an entity that has annual global gross revenue in excess of 25 million dollars; determines the purposes and means of processing of the personal information of not less than 100,000 individuals; or is a data broker. In addition, the entity must conduct business in the state or, if not physically present in the state, process personal information in the context of offering goods or services targeted at state residents or monitor the in-state behavior of residents. Where an entity does not otherwise meet these criteria, it may voluntarily certify to the state Attorney General that it is in compliance with and agrees to be bound by the MIPSA.

Are any entities exempt?

Massachusetts state agencies and government bodies, national securities associations and registered futures associations are exempt.

What data is protected?

MIPSA applies to the personal information of a Massachusetts resident, which is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual. Personal information does not include de-identified information or publicly available information. For the limited purposes of a sale, personal information also includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable household.

Does the Act include special protections for Sensitive Information?

The Act carves out heightened protections for sensitive information. These include the right to notice of collection and use, and the right to limit use and disclosure to purposes necessary to perform the services or provide the goods requested, and for other controller internal uses as authorized by the Act.

Sensitive information is personal information that reveals an individual’s racial or ethnic origin, religious beliefs, philosophical beliefs, union membership, citizenship, or immigration status. It also includes biometric information or genetic information that is processed for the purpose of uniquely identifying an individual; personal information concerning a resident’s mental or physical health diagnosis or treatment, sex life or sexual orientation; specific geolocation information; personal information from a child; a Social Security Number, driver’s license number, military identification number, passport number, or state-issued identification card number; and a financial account number, credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account.

Is any personal information exempt from the Act?

Protected health information under HIPAA is exempt, as are certain data, information, and health records created under HIPAA and Massachusetts state law. Exempt data also includes data collected, processed, or regulated with respect to clinical trials, the Health Care Quality Improvement Act of 1986, the Patient Safety and Quality Improvement Act, FCRA, the Driver’s Privacy Protection Act, FERPA, the Farm Credit Act, GLBA, COPPA, the Massachusetts Health Insurance Connector and Preferred Provider Arrangements.

Does the MIPSA apply to employee personal information or information collected in the B2B context?

The Act also exempts personal information collected and processed in the context of an individual acting as a job applicant to, an employee of, or an agent or independent contractor of a controller, processor, or third party, including emergency contact information and information used to administer benefits for another person relating to the individual.

Information collected and used in the course of an individual acting in a commercial context is exempt.

What are the controller’s obligations under the MIPSA?

The Act creates an affirmative obligation to implement appropriate technical and organizational safeguards to ensure the security of the information. In addition, the controller must have a lawful basis to process the personal information. Processing must be done in a fair and transparent manner, which includes providing appropriate privacy notices at or before the point of collection. The controller must collect personal information for an identified and legitimate purpose and processing should be limited to what is necessary to achieve the purpose. The information must be accurate and retained only as long as necessary to achieve the purpose for which it was collected. For processing that may involve a high risk of harm to individuals, the controller may be obligated to conduct a risk assessment. When engaging a processor, the controller must enter into a data processing agreement with the processor that contains mandated provisions designed to ensure the privacy and security of personal information.

What rights do protected individuals have?

Massachusetts residents have the right to know, access, port, delete and correct their personal information, subject to certain limitations. The Act also provides for the right to opt out of the sale of personal information and limit the use and disclosure of sensitive information in particular with respect to targeted advertising. The data controller is prohibited from discriminating against the individual for exercising any of these rights.

Can my organization be sued for violations of the law?

The MIPSA does not include a private cause of action for violations of the Act. However, the proposed bill also amends the state data breach notification law to provide residents with a private right of action where their personal information was subject to a data breach resulting from the entity’s failure to implement reasonable safeguards.

How will the law be enforced?

The state Attorney General is authorized to commence a civil investigation when there is reasonable cause to believe an entity has engaged in, is engaging in, or is about to engage in a violation of the Act. After notice, the entity will have 30 days to cure the violation. In the event the entity fails to cure, the Attorney General may seek a temporary restraining order, preliminary injunction, or permanent injunction to restrain any violations and may seek civil penalties of up to $7,500 for each violation.

Next steps?

The MIPSA sets a high bar for data protection practices. Whether enacted in whole or part, the Act provides a road map for where data protection laws are headed. Many of the 2022 proposed state laws follow or surpass the protections introduced by the CCPA. Preparing to meet each more comprehensive law will require continued data mapping, ongoing evaluation and development of written information security programs, heightened scrutiny of vendor relationships and agreements, risk assessments, and updated employee data protection and security awareness training.

We will continue to monitor the progress of this bill.

In honor of Data Privacy Day, we provide the following “Top 10 for 2022.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2022.

  1. State Consumer Privacy Law Developments

On January 1, 2020, the CCPA ushered into the U.S. a range of new rights for consumers, including:

  • The right to request deletion of personal information;
  • The right to request that a business disclose the categories of personal information collected and the categories of third parties to which the information was sold or disclosed;
  • The right to opt out of the sale of personal information; and
  • The California consumer’s right to bring a private right of action against a business that experiences a data breach affecting their personal information as a result of the business’s failure to implement “reasonable safeguards.”

In November of 2020, California voters passed the California Privacy Rights Act (CPRA), which amends and supplements the CCPA, expanding compliance obligations for companies and consumer rights. Of particular note, the CPRA extends the employment-related personal information carve-out until January 1, 2023. The CPRA also introduces consumer rights relating to certain sensitive personal information, imposes an affirmative obligation on businesses to implement reasonable safeguards to protect certain consumer personal information, and prevents businesses from retaliating against employees for exercising their rights. The CPRA’s operative date is January 1, 2023, and draft implementation regulations are expected by July 1, 2022. Businesses should monitor CCPA/CPRA developments and ensure their privacy programs and procedures remain aligned with current CCPA compliance requirements. For practical guidance on navigating compliance, check out our newly updated CCPA/CPRA FAQs.

In addition to California developments, in 2021, Virginia and Colorado also passed consumer privacy laws similar in kind to the CCPA, both effective January 1, 2023 (together with the CPRA). While the three state laws share common principles, including consumer rights of deletion, access, correction and data portability for personal data, they also contain key nuances, which pose challenges for broad compliance. Moreover, at least 26 states have considered or are considering similar consumer privacy laws, which will only further complicate the growing patchwork of state compliance requirements.

In 2022, businesses are strongly urged to prioritize their understanding of what state consumer privacy obligations they may have, and strategize for implementing policies and procedures to comply.

  2. Biometric Technology Related Litigation and Legislation

There was a continued influx of biometric privacy class action litigation in 2021, and this will likely continue in 2022. In early 2019, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under Illinois’s Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of his/her rights under BIPA to qualify as an aggrieved person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act.

Consequently, simply failing to adopt a policy required under BIPA, collecting biometric information without a release or sharing biometric information with a third party without consent could trigger liability under the statute. Potential damages are substantial as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. There continues to be a flood of BIPA litigation, primarily against employers with biometric timekeeping/access systems that have failed to adequately notify and obtain written releases from their employees for such practices.

Biometric class action litigation has also been impacted by COVID-19. Screening programs in the workplace may involve the collection of biometric data, whether by a thermal scanner, facial recognition scanner or other similar technology. In late 2020, plaintiffs’ lawyers filed a class action lawsuit on behalf of employees concerning their employer’s COVID-19 screening program, which is alleged to have violated the BIPA. According to the complaint, employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without prior consent from employees as required by law. This case is still alive and well: at the start of 2022, after significant attempts by the defense, a federal district judge in Illinois declined to dismiss the proposed class action, as the allegations relating to violations regarding “possession” and “collection” of biometric data pass muster at this stage. Many businesses have been sued under the BIPA for similar COVID-related claims in the past year, and 2022 will likely see continued class action litigation in this space.

In 2021, biometric technology-related laws began to evolve at a rapid pace, signaling a continued trend into 2022. In July 2021, New York City established BIPA-like requirements for retail and hospitality businesses that collect and use “biometric identifier information” from customers. In September 2021, the City of Baltimore officially banned private use of facial recognition technology. Baltimore’s local ordinance prohibits persons (including residents, businesses, and most of the city government) from “obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology”. Other localities, including Portland (Oregon) and San Francisco, have also established prohibitions on the use of biometric technology. State legislatures have also increased their focus on biometric technology regulation. In addition to Illinois’s BIPA, Washington and Texas have similar laws, and states including Arizona, Florida, Idaho, Massachusetts and New York have also proposed such legislation. The proposed biometric law in New York state would mirror Illinois’ BIPA, including its private right of action provision. In California, the CCPA also broadly defines biometric information as one of the categories of personal information protected by the law.

Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including a 2021 amendment in Connecticut and 2020 amendments in California, D.C., and Vermont. Similar proposals across the U.S. are likely in 2022.

In response to the constantly evolving legislation related to biometric technology, we have created an interactive biometric law state map to help businesses that want to deploy these technologies, which inevitably require the collection, storage, and/or disclosure of biometric information, track their privacy and security compliance obligations.

  3. Ransomware Attacks

Ransomware attacks continued to make headlines in 2021, impacting large organizations including Colonial Pipeline, the Steamship Authority of Massachusetts, the NBA, JBS Foods, the D.C. Metropolitan Police Department and many more. Ransomware attacks are nothing new, but they are increasing in severity. There has been an increase in the frequency of attacks and higher ransomware payments, in large part due to increased remote work and the associated security challenges. The healthcare industry in particular has been substantially impacted since the onset of the COVID-19 pandemic: a recent study by Comparitech found that ransomware attacks on the healthcare industry have resulted in a financial loss of over $20 billion in impacted revenue, litigation and ransomware payments, and the figure is still growing.

In fact, the FBI, jointly with the Cybersecurity and Infrastructure Security Agency (CISA), went so far as to issue a warning to be on high alert for ransomware attacks over holidays, in light of numerous targeted attacks over other holidays earlier in the year.

Moreover, in 2021, the National Institute of Standards and Technology (NIST) released a preliminary draft of its Cybersecurity Framework Profile for Ransomware Risk Management. The NIST framework provides steps for protecting against ransomware attacks, recovering from ransomware attacks, and determining your organization’s state of readiness to prevent and mitigate ransomware attacks.

Ransomware continues to present a significant threat to organizations as we move into 2022. Organizations may not be able to prevent all attacks, but it is important to remain vigilant and be aware of emerging trends.

Here are some helpful resources for ransomware attack prevention and response:

  4. Biden Administration Prioritizes Cybersecurity

In large part due to the significant threat of ransomware attacks discussed above, the Biden Administration has made clear that cybersecurity protections are a priority. In May of 2021, on the heels of the Colonial Pipeline ransomware attack that snarled the flow of gas on the east coast for days, the Biden Administration issued an Executive Order on “Improving the Nation’s Cybersecurity” (EO). The EO was in the works prior to the Colonial Pipeline cyberattack, but was certainly prioritized as a result. The EO made a clear statement on the policy of the Administration: “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” This EO mostly impacts the federal government and its agencies. However, several of the requirements in the EO will reach certain federal contractors, and will also influence the private sector.

Shortly after the Biden Administration issued the EO, it followed in August 2021 with the issuance of a National Security Memo (NSM) with the intent of improving cybersecurity for critical infrastructure systems. This NSM established an Industrial Control Systems Cybersecurity Initiative (the “Initiative”) that will be a voluntary, collaborative effort between the federal government and members of the critical infrastructure community aimed at improving voluntary cybersecurity standards for companies that provide critical services.

The primary objective of the Initiative is to encourage, develop, and enable deployment of a baseline of security practices, technologies and systems that can provide threat visibility, indications, detection, and warnings that facilitate response capabilities in the event of a cybersecurity threat.  According to the President’s Memo, “we cannot address threats we cannot see.”

And most recently, in early January 2022, President Biden issued an additional NSM to improve the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.  “Cybersecurity is a national security and economic security imperative for the Biden Administration, and we are prioritizing and elevating cybersecurity like never before…Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems,” stated the White House in its issuance of the latest NSM.

The U.S. government will continue to ramp up efforts to strengthen its cybersecurity as we head into 2022, impacting both the public and private sector. Businesses across all sectors should be evaluating their data privacy and security threats and vulnerabilities and adopting measures to address their risk and improve compliance.

  5. COVID-19 privacy and security considerations

During 2020 and 2021, COVID-19 presented organizations large and small with new and unique data privacy and security considerations. And while we had high hopes that increased vaccination rates would put this pandemic in the rearview mirror, the latest omicron strain showed us otherwise. Most organizations, particularly in their capacity as employers, needed to adopt COVID-19 screening and testing measures, resulting in the collection of medical and other personal information from employees and others. While the Supreme Court has stayed OSHA’s ETS mandating that employers with 100+ employees require COVID-19 vaccination, and the Biden Administration ultimately withdrew the same, some localities have instituted mandates depending on industry, and many employers have voluntarily decided to institute vaccine requirements for employees. Ongoing vigilance will be needed to maintain the confidential and secure collection, storage, disclosure, and transmission of medical and COVID-19 related data, which may now include tracking data related to vaccinations or the side effects of vaccines.

Several laws apply to data the organizations may collect in this instance. In the case of employees, for example, the Americans with Disabilities Act (ADA) requires maintaining the confidentiality of employee medical information, and this may include COVID-19 related data. Several state laws also have safeguard requirements and other protections for such data that organizations should be aware of when they, or others on their behalf, process that information.

Many employees will continue to telework during 2022 (and beyond). A remote workforce creates increased risks and vulnerabilities for employers in the form of sophisticated phishing email attacks or threat actors gaining unauthorized access through unsecured remote access tools. It also presents privacy challenges for organizations trying to balance business needs and productivity with expectations of privacy. These risks and vulnerabilities can be addressed and remediated through periodic risk assessments, robust remote work and bring your own device policies, and routine monitoring.

As organizations continue to work to create safe environments for the in-person return of workers, customers, students, patients and visitors, they may rely on various technologies such as wearables, apps, devices, kiosks, and AI designed to support these efforts. These technologies must be reviewed for potential privacy and security issues and implemented in a manner that minimizes legal risk.

Some reminders and best practices when collecting and processing information referred to above and rolling out these technologies include:

  • Complying with applicable data protection laws when data is collected, shared, secured and stored, including the ADA, the Genetic Information Nondiscrimination Act, CCPA, GDPR and various state laws. This includes providing required notice at collection under the California Consumer Privacy Act (CCPA), or required notice and a documented lawful basis for processing under the GDPR, if applicable;
  • Complying with contractual agreements regarding data collection; and
  • Contractually ensuring vendors who have access to or collect data on behalf of the organization implement appropriate measures to safeguard the privacy and security of that data.

  6. “New” EU Standard Contractual Clauses

In July of 2020, the Court of Justice of the European Union (CJEU) published its decision in Schrems II, which declared the EU-US Privacy Shield invalid for cross-border data transfers and affirmed the validity of standard contractual clauses (“SCCs”) as an adequate mechanism for transferring personal data from the EEA, subject to heightened scrutiny. However, the original SCCs were unable to adequately address the EU Commission’s concerns about the protection of personal data.

On June 4, 2021, the EU Commission adopted “new” modernized SCCs to replace the 2001, 2004, and 2010 versions in use up to that point, effective since September 27, 2021. The EU Commission updated the SCCs to address more complex processing activities, the requirements of the GDPR, and the Schrems II decision. These clauses are modular so they can be tailored to the type of transfer. If a data exporter transfers data from the EU to a U.S. organization, the U.S. organization must execute the new SCCs unless the parties rely on an alternate transfer mechanism or an exception exists. This applies regardless of whether the U.S. company receives or accesses the data as a data controller or processor. The original SCCs apply to controller-controller and controller-processor transfers of personal data from the EU to countries without a Commission adequacy decision. The updated clauses are expanded to also include processor-processor and processor-controller transfers. While the existing SCCs were designed for two parties, the new clauses can be executed by multiple parties. The clauses also include a “docking clause” so that new parties can be added to the SCCs throughout the life of the contract.

The obligations of the data importer are numerous and include, without limitation:

  • documenting the processing activities it performs on the transferred data,
  • notifying the data exporter if it is unable to comply with the SCCs,
  • returning or securely destroying the transferred data at the end of the contract,
  • applying additional safeguards to “sensitive data,”
  • adhering to purpose limitation, accuracy, minimization, retention, and destruction requirements,
  • notifying the exporter and data subject if it receives a legally binding request from a public authority to access the transferred data, if permitted, and
  • challenging a public authority access request if it reasonably believes the request is unlawful.

The SCCs require the data exporter to warrant there is no reason to believe local laws will prevent the importer from complying with its obligations under the SCCs. In order to make this representation, both parties must conduct and document a risk assessment of the proposed transfer.

If an organization that transfers data cross-border has not already done so, it should be implementing the new procedures and documents for the SCCs. This is, of course, unless it is relying on an alternate transfer mechanism or an exception exists. Organizations will also need to review any ongoing transfers made in reliance on the old SCCs and take steps to comply. As with new transfers, this will require a documented risk assessment and a comprehensive understanding of the organization’s process for accessing and transferring personal data protected under GDPR. For additional guidance on the new EU SCCs, our comprehensive FAQs are available here.

  7. TCPA

In April 2021, the U.S. Supreme Court issued a monumental decision with significant impact on the future of Telephone Consumer Protection Act (TCPA) class action litigation. The Court narrowly ruled that, to qualify as an “automatic telephone dialing system”, a device must be able to either “store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator”. The underlying decision of the Ninth Circuit was reversed and remanded.

The Supreme Court unanimously concluded, in a decision written by Justice Sotomayor, that to qualify as an “automatic telephone dialing system” under the TCPA, a device must have the capacity either to store, or to produce, a telephone number using a random or sequential number generator.

“Expanding the definition of an autodialer to encompass any equipment that merely stores and dials telephone numbers would take a chainsaw to these nuanced problems when Congress meant to use a scalpel,” Justice Sotomayor pointed out in rejecting the Ninth Circuit’s broad interpretation of the law.

Moreover, Sotomayor noted that, “[t]he statutory context confirms that the autodialer definition excludes equipment that does not ‘us[e] a random or sequential number generator.’” The TCPA’s restrictions on the use of autodialers include using an autodialer to call certain “emergency telephone lines” and lines “for which the called party is charged for the call”. The TCPA also prohibits the use of an autodialer “in such a way that two or more telephone lines of a multiline business are engaged simultaneously.” The Court narrowly concluded that “these prohibitions target a unique type of telemarketing equipment that risks dialing emergency lines randomly or tying up all the sequentially numbered lines at a single entity.”

The Supreme Court’s decision resolved a growing circuit split, where several circuits had previously interpreted the definition of an ATDS broadly to encompass any equipment that merely stores and dials telephone numbers, while other circuits provided a narrower interpretation, in line with the Supreme Court’s ruling. It was expected the Supreme Court’s decision would help resolve the ATDS circuit split and provide greater clarity and certainty for parties facing TCPA litigation. In the six months following the Supreme Court’s decision, the Institute for Legal Reform documented a 31% drop in TCPA filings, compared to the six months prior to the ruling. Nonetheless, many claims based on broad ATDS definitions are still surviving early stages of litigation in the lower courts, and some states have enacted (or are considering) “mini-TCPAs” which include a broader definition of ATDS. While the Supreme Court’s decision was considered a win for defendants facing TCPA litigation, organizations are advised to review and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance as they move into 2022.

  8. Global Landscape of Data Privacy & Security

2021 was a significant year for the global landscape of data privacy and security. As discussed above, on June 4th, the European Commission adopted new standard contractual clauses for the transfer of personal data from the EU to “third countries”, including the U.S. On August 20, China passed its first comprehensive privacy law, the Personal Information Protection Law (PIPL), similar in kind to the EU’s GDPR. The law took effect in November of 2021. In addition, China published 1) Security Protection Regulations on the Critical Information Infrastructure and 2) the Data Security Law, which aim to regulate data activities, implement effective data safeguards, protect individual and entity legitimate rights and interests, and ensure state security; both were effective September of 2021. Finally, Brazil enacted the Lei Geral de Proteção de Dados Pessoais (LGPD), its first comprehensive data protection regulation, again with GDPR-like principles. The LGPD became enforceable in August of 2021.

In 2022, U.S. organizations may face increased data protection obligations as a result of where they have offices, facilities, or employees; whose data they collect; where the data is stored; whether it is received from outside the U.S.; and how it is processed or shared. These factors may trigger country-specific data protection obligations such as notice and consent requirements, vendor contractual obligations, data localization or storage concerns, and safeguarding requirements. Some of these laws may apply to data collection activities in a country regardless of whether the U.S. business is located there.

  9. Federal Consumer Privacy Law

Numerous comprehensive data protection laws have been proposed at the federal level in recent years. These laws have generally stalled due to bipartisan debate over federal preemption and a private right of action. And while, every year, we ask ourselves whether this will be the year, 2022 may indeed be the year the U.S. enacts a federal consumer privacy law. 2022 has barely begun, and a coalition which includes the U.S. Chamber of Commerce together with local business organizations in over 20 states has issued a letter to Congress highlighting the importance of enacting a federal consumer privacy law as soon as possible.

“Data is foundational to America’s economic growth and keeping society safe, healthy and inclusive…Fundamental to the use of data is trust,” the coalition noted. “A national privacy law that is clear and fair to business and empowering to consumers will foster the digital ecosystem necessary for America to compete.”

Moreover, with California, Virginia, and Colorado all having enacted comprehensive consumer privacy laws (as discussed above), and approximately half of U.S. states contemplating similar legislation, there is a growing patchwork of state laws that “threatens innovation and create consumer and business confusion,” as stated in the coalition’s letter to Congress.

Will 2022 be the year the U.S. government enacts a federal consumer privacy law? Only time will tell.  We will continue to update as developments unfold.

  1. Cyber Insurance

Over the past several years, if your organization experienced a cyberattack, such as ransomware or a diversion of funds due to a business email compromise (BEC), and you had cyber insurance, you likely were very thankful. However, if you are renewing that policy (or in the cyber insurance market for the first time), you are probably looking at much steeper rates, higher deductibles, and even co-insurance, compared to just a year or two ago. This is dependent on finding a carrier to provide competitive terms, although there are some steps organizations can take to improve insurability.

Claims paid under cyber insurance policies are significantly up, according to Marc Schein*, CIC, CLCS, National Co-Chair Cyber Center of Excellence for Marsh McLennan Agency who closely tracks cyber insurance trends. Mr. Schein identified the key drivers hardening the cyber insurance market: ransomware and business interruption.

According to Fitch Ratings’ Cyber Report 2020, insurance direct written premiums for the property and casualty industry increased 22% in the past year to over $2.7 billion, representing the demand for cyber coverage. The industry statutory direct loss plus defense and cost containment (DCC) ratio for standalone cyber insurance rose sharply in 2020 to 73% compared with an average of 42% for the previous five years (2015-2019). The average paid loss for a closed standalone cyber claim moved to $358,000 in 2020 from $145,000 in 2019.

The effects of these, other increases in claims, and losses from cyberattacks had a dramatic impact on cyber insurance. Perhaps the most concerning development for organizations in the cyber insurance market is the significantly increased scrutiny carriers are applying to an applicant’s insurability.

There are no silver bullets, but implementing administrative, physical and technical safeguards to protect personal information may dramatically reduce the chances of a cyberattack, and that is music to an underwriter’s ears. As an organization heads into 2022, ensuring such safeguards are instituted and regularly reviewed can go a long way.

*      *     *     *     *

For these reasons and others, we believe 2022 will be a significant year for privacy and data security.

Happy Privacy Day!

Efforts to secure systems and data from a cyberattack often focus on measures such as multifactor authentication (MFA), endpoint monitoring solutions, antivirus protections, and role-based access management controls, and for good reason. But there is a basic principle of data protection that when applied across an organization can significantly reduce the impact of a data incident – the minimum necessary principle. A data breach reported late last year by the Rhode Island Public Transit Authority (RIPTA) highlights the importance of this relatively simple but effective tool.

In December 2021, RIPTA sent notification of a data breach to several thousand individuals who were not RIPTA employees. Reports of the incident prompted inquiries from a state Senator in Rhode Island, Louis P. DiPalma, and union officials who represented the affected individuals. According to Rhode Island’s Department of Administration (DOA), a forensic analysis conducted in connection with the incident indicates the affected files included health plan billing records pertaining to State of Rhode Island employees, not RIPTA employees. The DOA goes on to state that:

[s]tate employee data was incorrectly shared with RIPTA by an external third party who had responsibility for administering the state’s health plan billing.

An investigation is underway to confirm exactly what happened. The content of recent conversations between state officials and union representatives reported in the press indicates that a RIPTA payroll clerk received a file containing state employee health plan data in August 2020 and stored it on the employee’s hard drive, where it remained until August 2021, when the cyberattack on RIPTA occurred. It is unclear why the employee received the information, from whom, or whether it was appropriate to maintain it.

Regardless, the “minimum necessary” principle, simply stated, requires that organizations take reasonable steps so that confidential and personal information is accessed, used, maintained, or disclosed only as needed to carry out the applicable business functions. Consider, for example, that retention policies are becoming increasingly important from a compliance perspective, such as with regard to the California Privacy Rights Act of 2020 (CPRA), which amends and supplements the California Consumer Privacy Act (CCPA), the EU General Data Protection Regulation (GDPR), and the Illinois Biometric Information Privacy Act (BIPA). This principle can be applied at multiple points in the operations of the organization, including without limitation:

  • When requesting information. Think about what elements of information the organization collects from customers, students, patients, vendors, employees, and others. Is it more information than is needed to carry out the purpose(s) for the collection? Can portals, forms, etc. be modified to limit the information collected?
  • When receiving information. Employees cannot always control the information they receive from parties outside the organization. But when they do, what steps or guidelines are in place to determine what is needed and what is not needed? For information that is not needed, what is the process for alerting the sender, if necessary, returning the data, and/or removing it from the systems?
  • When using information. Employees carry out many critical business functions that require the use of confidential and personal information. Do they always need all of it? Are there instances where less information would be sufficient to carry out an important business function?
  • When storing information. The task at hand has been completed and the question becomes what information should be retained. The answer can be a complex web of legally mandated retention requirements, contractual obligations, business needs, and other considerations. But organizations should carefully analyze these issues and establish protocols for employees to follow. Note that under the CPRA, a covered business may not retain a consumer’s personal information for longer than is reasonably necessary for the stated purpose for which it was collected.
  • When responding to requests or disclosing information. Whether engaging in billing and collection activities, responding to an attorney demand letter, reporting information to the government, administering benefit plans for employees, or any number of other typical business functions, organizations make disclosures of confidential and personal information. Important questions to ask are (i) what data does the requesting party really need, (ii) what classifications of information are actually in the file being disclosed and are there limitations on the disclosure of that information, and (iii) whether the response or disclosure can have the same effect with less data.

In thinking about these questions, there may not be a clear right or wrong answer to whether the information should or should not have been collected, used, stored, or disclosed. However, from a risk management perspective, it is helpful to review business procedures, practices, operations, forms, etc. for ways to minimize exposure to confidential and personal information. Applying the minimum necessary principle can be an effective way of minimizing the organization’s data footprint so that should it experience a security incident, there is the possibility for less data to be compromised.
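The “receiving”, “using”, and “storing” points above can be enforced mechanically as well as by policy. The following is an added illustration, not code from the original post or from any of the organizations it mentions: a purpose-bound field allowlist that strips fields a business function has no need for, a check that flags fields arriving in a dataset the receiving function cannot justify, and a retention sweep that reports files held past their schedule. The purposes, field names, retention periods, file paths and sample record are all constructed for the example.

```python
"""Minimum-necessary helpers: purpose-bound projection and a retention sweep.

Added example; the purposes, allowlists, retention periods, paths and the
sample record are constructed and do not describe any real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed allowlists: the only fields each business purpose may use.
PURPOSE_FIELDS = {
    "payroll": {"employee_id", "name", "pay_rate", "hours"},
    "benefits_billing": {"employee_id", "name", "plan_id", "premium"},
    "directory": {"employee_id", "name", "work_email"},
}

# Constructed retention schedule (days a dataset may be kept, by purpose).
RETENTION_DAYS = {"payroll": 7 * 365, "benefits_billing": 365, "directory": 30}


class PurposeError(ValueError):
    """Raised when a purpose is not on the allowlist table."""


def minimize(record: dict, purpose: str) -> dict:
    """Return only the fields the purpose is allowed to see.

    Unneeded fields are dropped, not masked, so the receiving system never
    holds them. An unknown purpose is an error rather than a pass-through.
    """
    if purpose not in PURPOSE_FIELDS:
        raise PurposeError(f"unknown purpose: {purpose!r}")
    return {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}


def unjustified_fields(record: dict, purpose: str) -> set:
    """Fields present in an incoming record that the purpose does not need.

    Useful at the 'receiving' step: a non-empty result means the sender
    should be alerted and the extra data returned or removed.
    """
    if purpose not in PURPOSE_FIELDS:
        raise PurposeError(f"unknown purpose: {purpose!r}")
    return set(record) - PURPOSE_FIELDS[purpose]


@dataclass(frozen=True)
class StoredFile:
    path: str        # constructed location of the dataset
    purpose: str     # the business purpose it was received for
    received: date   # when it arrived


def overdue(files, today: date) -> list:
    """Return (path, days_over) for files kept past their retention limit."""
    result = []
    for f in files:
        limit = f.received + timedelta(days=RETENTION_DAYS[f.purpose])
        if today > limit:
            result.append((f.path, (today - limit).days))
    return result


# Constructed sample record: a benefits-billing extract that also carries
# payroll fields, as might arrive from an outside administrator.
SAMPLE_RECORD = {
    "employee_id": "E-1001",
    "name": "Sample Person",
    "pay_rate": "31.50",
    "hours": "40",
    "plan_id": "PLAN-A",
    "premium": "412.00",
}

# Constructed inventory of files on a share, for the retention sweep.
SAMPLE_FILES = [
    StoredFile("/shares/payroll/health_plan_2020-08.csv", "benefits_billing", date(2020, 8, 1)),
    StoredFile("/shares/payroll/timesheets_2021-07.csv", "payroll", date(2021, 7, 1)),
]

if __name__ == "__main__":
    print("billing view:", minimize(SAMPLE_RECORD, "benefits_billing"))
    print("not justified for payroll:", unjustified_fields(SAMPLE_RECORD, "payroll"))
    print("past retention on 2021-08-15:", overdue(SAMPLE_FILES, date(2021, 8, 15)))
```

The allowlist is deliberately per purpose rather than per person: the same clerk may legitimately need plan fields for one task and none of them for another, and the retention clock is tied to why the data was received rather than to who holds it.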

Over the past several years, if your organization experienced a cyberattack, such as ransomware or a diversion of funds due to a business email compromise (BEC), and you had cyber insurance, you likely were very thankful. However, if you are renewing that policy (or in the cyber insurance market for the first time), you are probably looking at much steeper rates, higher deductibles, and even co-insurance, compared to just a year or two ago. This is dependent on finding a carrier to provide competitive terms, although there are some steps organizations can take to improve insurability.

What’s going on?

The short answer is what one might expect, claims paid under cyber insurance policies are significantly up, according to Marc Schein*, CIC, CLCS, National Co-Chair Cyber Center of Excellence for Marsh McLennan Agency who closely tracks cyber insurance trends. Mr. Schein identified the key drivers hardening the cyber insurance market: ransomware and business interruption.

  • Ransomware: According to FBI data, adjusted losses from ransomware matters tripled from 2019 to 2020. Further, according to an Allianz Global Corporate & Specialty (AGCS) cyber insights report, cited in Insurance Journal, the U.S. experienced a 62% increase in ransomware incidents during the first six months of 2021 and a 225% increase in ransom demands.
  • Business interruption: Business interruption costs following a ransomware attack more than doubled over the past year, increasing from $761,106 to $1.85 million in 2021, with down time averaging 23 days, according to the same AGCS report.

According to Fitch Ratings’ Cyber Report 2020, insurance direct written premiums for the property and casualty industry increased 22% last year to over $2.7 billion, representing the demand for cyber coverage. The industry statutory direct loss plus defense and cost containment (DCC) ratio for standalone cyber insurance rose sharply in 2020 to 73% compared with an average of 42% for the previous five years (2015-2019). The average paid loss for a closed standalone cyber claim moved to $358,000 in 2020 from $145,000 in 2019.

The effects of these, other increases in claims, and losses from cyberattacks had a dramatic impact on cyber insurance.

  • Rate increases of 100% to 300% are not uncommon. According to Marsh’s November Cyber Market Report, the average U.S. cyber price per million in coverage increased 174% over the 12-month period ending September 2021.
  • Capacity has decreased dramatically, with $10 million limits becoming challenging to secure.
  • Policy changes, such as increases in deductibles, retention, sublimits, and co-insurance on ransomware payments, are making cyber coverage look more like health insurance.

What can we do?

Perhaps the most concerning development for organizations in the cyber insurance market is the significantly increased scrutiny carriers are applying to an applicant’s insurability. The days of the three-question application process may be over. According to Mr. Schein, before applicants look to procure cyber coverage, an astute buyer should contemplate the following underwriting cyber security controls. Examples of these include:

  • Multi-factor authentication across the applicant’s systems including for email, remote access, vendor access, etc.
  • Adoption of a tested incident response plan.
  • Presence of an endpoint detection solution.
  • Security awareness training, including phishing training.
  • Removing end-of-life software.
  • Closed remote access ports, including remote desktop protocol (RDP).

This is consistent with Mr. Schein’s experience with organizations anxious to bolster information security controls in connection with the underwriting process for cyber insurance. The controls mentioned above are typically best practices underwriters are strongly encouraging which may also improve an organization’s compliance posture. Notably, they are not limited to technical IT fixes, but include broader administrative policies and practices, such as training and breach preparedness.

Indeed, an increasing number of states require businesses to implement “reasonable safeguards” to protect personal information. In New York, for example, the New York SHIELD Act requires businesses of all sizes to adopt administrative, physical, and technical safeguards to protect the personal information they maintain about New York residents. The statute does not require that specific technical safeguards be maintained. The California Privacy Rights Act (CPRA) adds to the California Consumer Privacy Act (CCPA) an affirmative obligation to “implement reasonable security procedures and practices…to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.” Given what IT experts have been saying about the effectiveness of multifactor authentication, it has been identified as a meaningful, albeit not foolproof, control to help prevent unauthorized access to information systems within the scope of privacy and security regulation.

Of course, there are no silver bullets, but such safeguards may dramatically reduce the chances of a cyberattack, and that is music to an underwriter’s ears. There will be claims, just fewer of them, and perhaps less damaging.


I wish to thank Marc Schein for his tireless commitment to educating on these issues and for his valuable contributions to this article.  

The CCPA has reached the two-year mark. This is a good time for businesses to review the success of their compliance programs, recalibrate for the CCPA’s third year, and gear up for the CPRA’s January 1, 2023 effective date.

Here are a few suggestions:

  1. Privacy Policies. The CCPA requires a business to update the information in its privacy policy or any California-specific description of consumers’ privacy rights at least once every twelve months. If your business has not already done so, now is a good time to review both online and offline data collection practices to ensure privacy policies accurately disclose, at a minimum, the categories of personal information (“PI”) collected in the preceding 12 months, the categories of PI sold in the preceding twelve months, and the categories of PI it disclosed for a business purpose in the last 12 months.

Given the challenges of the last few months, your business may be collecting PI beyond what it currently discloses in its privacy policies. For example, the business may need to update its privacy policies to disclose the collection and use of COVID-19 related screening information, biometric information, or PI collected as a result of remote work situations.

If your business needs to update its privacy policy to reflect additional data collection activities, it will likely need to update its “notice at collection”, including employee and job applicant privacy notices.

  2. Employee training. The CCPA requires that a business ensure all employees handling inquiries about consumer rights, the business’s privacy practices, or its compliance with the CCPA are informed of applicable CCPA requirements. Businesses will want to
  • review training programs to ensure they include appropriate CCPA related content;
  • determine whether employee handbooks and manuals have been updated accordingly; and,
  • document that relevant employees have received training.
  3. Reasonable Safeguards. The CCPA does not currently create an affirmative obligation to implement reasonable safeguards for protecting consumer PI; however, it provides a private right of action to consumers whose PI has been involved in a data breach resulting from the business’s failure to implement reasonable security safeguards. With this in mind, your business will want to review whether it has
  • performed an annual risk assessment to identify new or enhanced risks, threats, or vulnerabilities to its systems or the PI it collects or maintains;
  • reviewed and updated its written information security program and data retention schedule;
  • practiced its incident response plan; and
  • updated its vendor management program to address cyber-based risk.

CCPA compliance is an ongoing activity, and these action items are worthy of review at the one-year mark. However, further year-end review might also include

  • an assessment of the business’s website’s accessibility;
  • confirmation that service provider agreements have been amended to satisfy the CCPA; and
  • incorporation of relevant CCPA provisions in new service provider contracts.

Although the CCPA does not mandate implementing reasonable safeguards, this will change effective January 1, 2023. The CPRA, which amends the CCPA, creates an affirmative duty to do so. Businesses should use the next year to identify what constitutes reasonable safeguards for their data and systems, begin implementing those safeguards, update internal policies and procedures as necessary, and train staff.

The CPRA also amends the CCPA disclosure requirements to include information relating to the collection and use of “sensitive personal information”. In addition, California consumers will have the right to limit the business’s use of this information in certain circumstances, similar to the right to opt out of the sale of personal information. In order to comply, businesses may need to revisit and expand their data mapping to capture sensitive personal information.

These are just two examples that necessitate reviewing your business’s data protection program and setting in motion processes to prepare for the CPRA. We will continue to post on steps your business can take in anticipation of January 1, 2023.

Earlier this month, New York Governor Kathy Hochul signed into law a bill that will require New York private sector employers to provide written notice to employees before engaging in electronic monitoring of their activities in the workplace. Civil Rights (CVR) Chapter 6, Article 5, Section 52-C*2 will take effect six months after enactment, i.e. May 7th, 2022.

Pursuant to the new New York law, electronic monitoring in the workplace includes monitoring of employees’ telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems. Prior written notice of the electronic monitoring must be issued at the time of hiring and must be acknowledged by the employee in writing or electronically.  In addition, the notice must be posted in a conspicuous place readily available for viewing by employees.

It is important to note that under the new law, a private right of action for employees that are impacted by the law is not available. The New York attorney general has exclusive enforcement authority. Failure to comply with the law’s notice requirements may subject the employer to a civil penalty of $500 for the first offense, $1000 for the second offense, and $3000 for the third and each subsequent offense.

Employer monitoring requirements of this kind are not exclusive to New York. In Connecticut, for example, both private and public sector employers are required to notify employees prior to electronic monitoring, with similar penalties for failure to comply. Likewise, in Delaware, an employer is not permitted to monitor or intercept an employee’s telephone conversations, email or internet usage without either prior written notice or, alternatively, a notice delivered each day the employee accesses the employer-provided email or Internet access services.

Excessive, clumsy, or improper employee monitoring can cause significant morale problems and, worse, create potential legal liability for privacy-related violations of statutory and common law protections, as evidenced by the New York law and others of its kind. Advancements in technology have made it easier to monitor remote employees, and by extension easier to violate the law for employers that are not careful.

When organizations decide to engage in any level of surveillance or search of employees, they should consider what their employees’ expectations are concerning privacy. Whether in a jurisdiction that requires prior notice of employee monitoring or not, in general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs them what to expect when using the organization’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectations of privacy, as well as making clear the information systems and activities that are subject to the policy.

COVID-19 changed the way many organizations operate, and monitoring and surveillance have become increasingly important, particularly for employers that do not share the same physical workspace with their employees.  When employers implement new monitoring and surveillance tools, they need to plan carefully, have the right team in place, review policies and applicable state and federal law, and be prepared to address problems when they arise.

With health-related data and how to protect it at the forefront of discussion since the start of the COVID-19 pandemic, this week California Governor Gavin Newsom signed into law two bills related to genetic data. First, AB 825 will expand the definition of personal information to include genetic data, for data breach notification requirements for businesses and government agencies, as well as reasonable safeguard requirements for businesses. Second, SB 41 will establish the Genetic Information Privacy Act, requiring a direct-to-consumer genetic testing company to provide a consumer with notice and consent regarding its genetic data collection, use and disclosure policies.

Below is a breakdown of each law:

  • AB 825 – Unanimously approved by the Senate on September 8th, and by the Assembly back in May, AB 825 will expand the definition of personal information to include genetic data and define genetic data to mean any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material, as specified. This expanded definition of personal information will apply to three existing laws: 1) the Information Practices Act of 1977, which requires an agency that owns or licenses computerized data that includes personal information to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was compromised, 2) Civil Code Section 1798.81.5, which requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices, and 3) Civil Code Section 1798.82, which requires a person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, to disclose a breach of the security of the system following discovery or notification of the breach.
  • SB 41 – Also passed unanimously by both the Senate and Assembly in September, SB 41 will establish the Genetic Information Privacy Act, which will require a direct-to-consumer genetic testing company to provide a consumer with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data. In particular, the new law will provide consumers with the right to revoke consent in accordance with certain procedures, and a requirement for companies to destroy a consumer’s biological sample within 30 days of revocation of consent. The bill will further require a direct-to-consumer genetic testing company to comply with all applicable laws for disclosing genetic data to law enforcement without a consumer’s express consent, implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data. The law will impose civil penalties for violations of the law, and enforcement of such actions will be exclusive to the Attorney General, district attorney, county counsel, city attorney, or city prosecutor.

Both laws will take effect January 1, 2022. Whether an organization is a health care provider, a genetic testing company, an employer, or other company that potentially collects genetic data, it should review its policies and practices concerning genetic tests and genetic information.

The Federal Trade Commission (“FTC”) recently issued an important policy statement to health apps and other connected devices that collect or use consumers’ health information.  The FTC’s policy statement effectively clarified the position that health apps and related connected devices are subject to the Health Breach Notification Rule (“the Rule”), which requires vendors of personal health records (“PHR”) and PHR-related entities to notify U.S. consumers, the FTC, and in cases of certain breaches involving over 500 consumers, the media, if there has been a breach of unsecured identifiable health information.  The FTC’s commissioners voted 3-2 to approve the policy statement.

The FTC’s Rule helps account for entities that are not subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), but nonetheless collect and use sensitive health information.  The FTC notes in its policy statement that while the Rule was established more than a decade ago, “the explosion in health apps and connected devices” particularly with the onset of the COVID-19 pandemic, and a spike in cyberattacks in this space, has made the Rule’s obligations “more important than ever.”  Health apps include everything from fitness, sleep and diet trackers, to apps that help individuals track their disease, diagnosis, medications, mental health, other vital areas and more.

Specifically, the Rule states that:

each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each PHR related entity, following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall:

  • Notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such breach of security; and
  • Notify the Federal Trade Commission.

In addition, the Rule requires third-party service providers of such vendors, following the discovery of a breach of security, to provide notice of the breach to an official of the vendor designated in writing, and if no such designation is made, to a senior official of the vendor.

PHR is defined as an electronic record of individually identifiable health information that can be drawn from multiple sources and that is managed, shared and controlled by or primarily for an individual.

Notably, the policy statement emphasizes that a health app is subject to the Rule if it is capable of drawing information from multiple sources, even if the health information comes from only one source. The FTC provides the example of a blood sugar monitoring app that draws health information only from one source (e.g., a consumer’s inputted blood sugar levels), but also takes non-health information from another source (e.g., dates from your phone’s calendar) – such an app is covered under the Rule.

The FTC’s policy statement further clarifies that when a health app discloses sensitive health information without user consent, a “breach of security” is triggered under the Rule, and such a breach is not limited to “nefarious behavior”.  “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” said FTC Chair Lina M. Khan. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.” Entities that fail to comply with the Rule are subject to monetary penalties of up to $43,792 per violation, per day.

The Rule has generated significant confusion for entities offering PHRs, particularly since the onset of the COVID-19 pandemic. It is important to emphasize that the FTC’s rule does not apply to HIPAA-covered entities. The preamble of the Rule, for example, addresses whether the Rule would cover PHRs that a HIPAA-covered entity offers its employees. The preamble explicitly notes that “because the FTC’s rule does not apply to HIPAA-covered entities, it does not apply to PHRs that such entities offer their employees”. The overarching goal is to “harmonize” HHS and FTC data breach notification reporting requirements, and compliance with certain HHS rule requirements in turn satisfies compliance under the FTC rule. There are, however, situations where an entity may have “dual or overlapping” coverage under the HHS and FTC rules. Here are a couple of examples:

  • A vendor with a dual role as both a business associate under HIPAA and a provider of PHRs to the public through its own website (reporting requirements under the HHS rule for its functions as a business associate, and requirements under the FTC rule for its role as a provider of PHRs to the public).
  • PHRs offered to families (a HIPAA-covered group health plan would have data breach reporting requirements under the HHS rule for the employee covered by the plan, but not for a spouse who has a PHR under the plan but is insured by a different provider, to whom the FTC rule would apply).

As a result, it is crucial for an entity that provides services and functions to varying categories of individuals to carefully parse out applicability under each of the rules.

The health app industry is booming. It brings innumerable potential benefits as well as significant data privacy and security risks. Organizations that collect, use, and store medical data face increasing compliance obligations as the law attempts to keep pace with technology, cybersecurity crimes, and public awareness of data privacy and security. Creating a robust data protection program or regularly reviewing an existing one is a critical risk management and legal compliance step.

Consumer privacy issues are as hot as ever, and on the radar of state and federal legislatures alike. Following in the footsteps of California, and most recently Virginia and Colorado, Ohio introduced a comprehensive consumer privacy bill, the Ohio Personal Privacy Act (the “Act”). By introducing the Act, Ohio follows the growing nationwide trend towards stronger state privacy laws related to consumer rights.

Application

The Act primarily applies to businesses in Ohio, or businesses that collect data about consumers in Ohio, that fall into one of the following categories:

  • at least $25 million in gross revenue;
  • with 100,000 customers; or
  • derives more than 50% of its gross revenue from the sale of personal data and processes or controls the personal data of 25,000 or more consumers.

The Act provides exceptions for certain businesses and institutions. Exceptions include institutions of higher education, business-to-business transactions, a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), and a financial institution or an affiliate of a financial institution governed by the federal Gramm-Leach-Bliley Act.

Consumer Data Rights

Businesses are expected to provide a “reasonably accessible, clear, and conspicuously posted privacy policy” to inform consumers about the data collected.

The Act specifies the following rights for consumers:

  • to ask companies what personal data they have collected;
  • to request corrections to the personal data collected;
  • to request that data be deleted, subject to exceptions; and
  • to request that companies stop selling personal data.

It is also important to note that, as with its counterparts in certain other states, the Ohio bill defines “consumer” as a natural person who is a resident of Ohio acting only in an individual or household context. The Act states that the definition of consumer does not include a “natural person acting in a business capacity or employment context.”

Anti-Discrimination Provision

The Act prohibits businesses from engaging in discriminatory conduct related to the price of their products against consumers who exercise any of the above rights. Businesses must have legitimate business reasons for any differences in prices or price ranges.

Remedies

Unlike some other states that have implemented consumer privacy protections, the Act does not provide for a private right of action. However, consumers may make a complaint to the Attorney General’s Office, which has the sole authority to enforce the provisions of the Act. The Attorney General may seek civil penalties of up to $5,000 for each violation.

For more information on common features in the consumer privacy law landscape that should be considered when examining the effects of such laws on an organization, review our post on that topic. State consumer privacy legislative activity is only ramping up, and organizations across all jurisdictions need to be prepared.
