It goes without saying that November 3rd 2020 was an important day for the future of the nation, but it was also a significant day for the future of California privacy law. On Tuesday, a strong majority of California voters supported Proposition 24, a ballot measure which aims to expand and enhance the California Consumer Privacy Act (“CCPA”). The CCPA took effect in January and companies are still grappling with compliance. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA, but now it looks like they will be back to the drawing board.

Proposition 24, titled the California Privacy Rights Act of 2020 (CPRA) (unofficially dubbed CCPA 2.0), amends the CCPA, which has been criticized for overbroad definitions and ambiguous language. The CPRA expands the privacy rights of California residents and increases compliance obligations for companies.

Here are a few key aspects of the CPRA:

  • New type of personal information – “sensitive personal information”. This new subset of personal information includes data elements such as social security number, driver license number, and financial account number. However, perhaps following the General Data Protection Regulation (GDPR) in the European Union, the term also includes, without limitation, a consumer’s racial or ethnic origin, religious beliefs, union membership, the contents of a consumer’s email and text messages (unless the business is an intended recipient), genetic information, and a consumer’s sex life and sexual orientation.
  • New rights for consumers: limiting uses and disclosures and correcting inaccurate personal information. For the new subset of personal information, sensitive personal information, California consumers will have the right to request limitations on the use and disclosure of that information. Consumers also will have the right to ask businesses to correct inaccurate personal information maintained by the business.
  • Changes to the Notice at Collection. Several changes and clarifications were made to the requirement to provide consumers a notice at collection. For example, the notice must now include a retention period for each category of personal information and sensitive personal information, or include criteria for determining the retention period if setting a retention period is not possible.
  • Enhanced protections for children’s data. The CPRA triples fines for collecting and selling information of minors under 16 years of age.
  • Creates enforcement arm. Establishes the California Privacy Protection Agency that, in addition to the California Department of Justice, will enforce and implement consumer privacy laws and impose fines.
  • Adds data retention requirement. Prohibits businesses’ retention of personal information or sensitive personal information for longer than reasonably necessary for the disclosed purpose for which the information was collected.
  • Adds a specific data security requirement. Prior to the CPRA, the CCPA did not expressly require businesses to maintain reasonable safeguards to protect personal information, although it added a private right of action for data breaches caused by a failure to maintain reasonable safeguards. The CPRA expressly requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code 1798.81.5.
  • Expands written agreement requirements. Businesses collecting personal information and then sharing/selling it to a third party, or disclosing it to a contractor or service provider, will need to enter into written agreements that contain certain required provisions. A couple of the required provisions include (i) obligating the third party, contractor, or service provider to comply with CCPA/CPRA as applicable, and (ii) granting the business the right to take reasonable steps to ensure the third party, contractor, or service provider uses the personal information consistent with CCPA/CPRA.
  • Increased exposure to liability in the event of a data breach. The CCPA included a private right of action in the event a business experienced a data breach affecting a subset of personal information due to the failure to have reasonable safeguards to protect that information, and the failure to cure following notice. The CPRA adds a consumer’s email with password or security question to the subset of personal information that, if breached, could trigger a private right of action, if a hacker was able to access a consumer’s email account. Also, the CPRA clarifies that implementing and maintaining reasonable security procedures and practices to protect personal information under Cal. Civ. Code 1798.81.5 following a breach will not be a cure with respect to that breach.
  • Extension of the employee personal information and “B2B” (business to business) exemptions. In September the California assembly passed AB1281, which extended the CCPA’s exemptions for employee personal information and “B2B” personal information to January 1, 2022 (both exemptions were set to sunset on January 1, 2021). The CPRA now extends that exemption until January 1, 2023. Note that some employee and “B2B” personal information remains subject to the CCPA’s private right of action, if that personal information is involved in a data breach and reasonable safeguards were not put in place.

The CPRA becomes effective on or after January 1, 2022 (other than for access requests), but will not be operative until January 1, 2023.

“We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” Alastair Mactaggart, chair of Californians for Consumer Privacy and Proposition 24 sponsor, said in a statement.

Companies will have to once again review their privacy programs and likely amend further to comply with CPRA’s new requirements. That said, the CPRA generally becomes operative January 1, 2023, and during that time California regulators are expected to provide additional information on compliance and enforcement implications of the new law.

Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements.

Over the past few years, and particularly during the COVID-19 pandemic, the Department of Health and Human Services Office for Civil Rights in Action (OCR) has made countless efforts to enhance its Health Insurance Portability and Accountability Act (HIPAA) guidance and other related resources on its website. Last week, the OCR launched a new feature on its website, HHS.gov, entitled Health Apps, which updates and renames the OCR’s previous Health App Developer Portal, and is available here.

The new site features the OCR’s helpful guidance on “when and how” HIPAA regulations may be applicable to mobile health applications, acutely relevant during the COVID-19 pandemic as many aspects of the healthcare industry shift to telehealth.

Here are the key features of the OCR’s new Health Apps:

  • Mobile Health Apps Interactive Tool
    • The Federal Trade Commission (FTC), in conjunction with OCR, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), created a web-based tool to help developers of health-related mobile apps understand what federal laws and regulations might apply to them.
  • Health App Use Scenarios & HIPAA
    • Provides various use scenarios for mHealth applications, and explains when an app developer may be acting as a business associate under the HIPAA Rules.
  • FAQs on the HIPAA Right of Access, Apps & APIs
    • Provides helpful insight on how the HIPAA Rules apply to covered entities and their business associates with respect to the right of access, apps, and application programming interfaces (APIs).
  • FAQs on HIPAA & Health Information Technology
    • Provides helpful insight on the relationship between HIPAA and Health IT.
  • Guidance on HIPAA & Cloud Computing
    • Assistance for HIPAA covered entities and business associates, including cloud service providers, in how to effectively utilize cloud computing while still maintaining HIPAA compliance.

As telehealth has increasingly become the norm, and the US continues to implement and consider various forms of contact tracing apps, patient privacy and maintaining HIPAA privacy and security obligations have never been more important. The increased use of mobile health applications and other related tools to assist healthcare providers with facilitation of telehealth capabilities also comes with an increased risk of data breaches and improper disclosures of protected health information (PHI) to unauthorized individuals. The features of OCR’s new Health Apps are a great starting point for HIPAA covered entities and business associates that utilize mobile health apps and want to ensure compliance with their HIPAA obligations.

Below are some of our additional resources on OCR HIPAA related initiatives of late:

Privacy and security continue to be at the forefront for legislatures across the nation, despite (or perhaps because of) the COVID-19 pandemic. In late May, with back-to-back amendments, Washington D.C. and Vermont significantly overhauled their data breach notification laws, including expansion of the definition of personal information, and heightened notice requirements. Now, Michigan may follow suit.

Earlier this month, the Michigan House of Representatives voted to advance House Bills 4186-87, sponsored by state Rep. Diana Farrington, of Utica, which create the Data Breach Notification Act, and exempt entities subject to the new act from similar provisions of Michigan’s previous Identity Theft Protection Act. Unlike other states that have expanded on already existing data breach notification laws, this bill would effectively replace Michigan’s prior law in its entirety.

“This proposal puts Michigan consumers first when there are instances of compromised data,” said Farrington, who chairs the House Financial Services Committee. “Consumer protections are always important – and now many people across Michigan and in Macomb County have been put in dire financial straits through no fault of their own due to COVID-19. They don’t need the additional stress that is brought on when your personal information is potentially in someone else’s hands.”

Below are highlights of Michigan’s new data breach notification bill:

  • Expansion of the definition of “sensitive personally identifying information” (PII). Following many other states, the new bill expands the definition of PII to include a state resident’s first name or first initial and last name in combination with one or more of the following data elements that relate to the resident:
    • A nontruncated Social Security number, driver license number, state personal identification card number, passport number, military identification number, or other unique identification number issued on a government document.
    • A financial account number.
    • A medical or mental history, treatment, or diagnosis issued by a health care professional.
    • A health insurance policy number or subscriber identification number and any unique identifier used by a health insurer.
    • A username or email address, in combination with a password or a security question and answer, that would allow access to an online account that is likely to have or is used to obtain sensitive personally identifying information.
  • Notification requirements to affected state residents. A covered entity would be required to provide notice to state residents whose PII was acquired in the breach, as expeditiously as possible and without unreasonable delay, taking into account the time necessary to conduct an investigation and determine the scope of the breach, but not more than 45 days after its determination that a breach has occurred (unless law enforcement determines that such notification could interfere with a criminal investigation/national security). Written notice must at least include the following:
    • The date, estimated date, or estimated date range of the breach.
    • A description of the PII acquired as part of the breach.
    • A general description of the actions taken to restore the security and confidentiality of the PII involved in the breach.
    • A general description of steps a state resident can take to protect against identity theft, if the breach creates a risk of identity theft.
    • Contact information that the state resident can use to ask about the breach.
  • Notification requirements to state agency. If the number of state residents to be notified exceeds 750, the entity would have to provide written notice to Michigan’s Department of Technology, Management & Budget within the same time frame as notification to affected residents. Written notice must at least include a synopsis of events surrounding the breach, approximate number of state residents notified, any related services the covered entity is offering to state residents, and how the state resident can obtain additional information.
  • Substitute Notice. Under the bill, a covered entity required to provide notice could instead provide substitute notice, if direct notice is not feasible due to excessive cost or lack of sufficient contact information. For example, the cost of direct notification would be considered excessive if it exceeded $250,000.
  • Reasonable Security Measures. Michigan would join many other states that mandate businesses implement and maintain reasonable security measures designed to protect PII against a breach. When developing security measures, entities may consider the size of their entity, the amount of PII owned or licensed and its surrounding activity, and the cost to maintain such measures relative to the entity’s resources.
  • Data Disposal. Covered entities and third-party agents would be required to take reasonable measures to dispose of or arrange to dispose of PII when retention is no longer required by law. Disposal requires shredding, erasing or otherwise modifying PII to make it unreadable or undecipherable.
  • Penalties. The new law in its current form would not create a private right of action. However, a person that knowingly violates a notification requirement could be ordered to pay a fine of up to $2,000 for each violation or not more than $5,000 per day for each consecutive day the covered entity fails to take reasonable action to comply with the requirements, up to $250,000. The attorney general would have exclusive enforcement authority.

The bill now moves on to the Michigan Senate for further consideration. This amendment would keep Michigan in line with other states across the nation currently enhancing their data breach notification laws in light of the significant uptick in number and scale of data breaches and heightened public awareness.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

Since March of this year, the Equal Employment Opportunity Commission (EEOC) has released guidance on a near-monthly basis addressing various FAQs concerning COVID-19 issues. The guidance has focused on disability-related inquiries, confidentiality, hiring, and reasonable accommodations under the Americans with Disabilities Act (ADA), as well as issues under Title VII of the Civil Rights Act and the Age Discrimination in Employment Act (ADEA). In its latest FAQ update posted yesterday, the EEOC covers some more practical questions employers have on several COVID-19 issues, such as testing, telecommuting, and sharing employee medical information.

COVID-19 Testing

As COVID-19 testing capabilities and resources have expanded, many employers across the country have been working on establishing testing protocols. Some still have concerns, however, about whether they are permitted to test, particularly considering the general ADA requirement that any mandatory medical test of employees be “job related and consistent with business necessity.”

The EEOC has already confirmed that employers may opt to administer COVID-19 testing to employees before initially permitting them to enter the workplace. In the updated FAQs, the EEOC further clarified that periodic testing to determine whether an employee’s presence in the workplace poses a direct threat to others is permissible. In its updated FAQs, the EEOC also sought to address updates to CDC guidance. Specifically, the EEOC made clear that employers administering COVID-19 viral testing consistent with current CDC guidance will meet the ADA’s “business necessity” standard, and that employers should follow recommendations by the CDC or other public health authorities regarding whether, when, and for whom testing or other screening is appropriate. The EEOC acknowledged that the CDC and FDA may revise their recommendations based on new information, and reminded employers to stay up to date.

More on What Employers Can Ask Employees, and If Employees Refuse to Answer

For several months, employers have been building COVID-19 screening programs – taking employee temperatures and asking questions about COVID-19 symptoms and travel, among other things – before permitting employees to enter the employer’s facilities. Some employers have continued to wonder whether they are permitted under the ADA to ask employees whether they have had a COVID-19 test. The EEOC confirmed in the updated FAQs that employers may ask if employees have been tested for COVID-19. Presumably, this also means that employers may ask if the employee’s test was positive or negative, but this is not clear in the updated EEOC FAQs.

Because the permissibility of certain COVID-related requests is based on the existence of a direct threat, asking employees about COVID-19 testing does not extend to employees who are teleworking and not physically interacting with coworkers or others (for example, customers). Asking employees about COVID-19 testing also does not extend to whether the employee’s family members have COVID-19 or symptoms associated with COVID-19. This is because the Genetic Information Nondiscrimination Act (GINA) generally prohibits employers from asking employees medical questions about family members. But, the EEOC clarified, employers may ask employees whether they have had contact with anyone diagnosed with COVID-19 or who may have symptoms associated with the disease.

The EEOC also further addressed whether employers may focus screening efforts on a single employee – e.g., asking only one employee COVID-19 screening questions. In this case, the employer must have a reasonable belief based on objective evidence that this person might have the disease, such as a display of COVID-19 symptoms. However, employees working regularly or occasionally onsite and who report feeling ill or who call in sick may be asked questions about their symptoms as part of workplace screening for COVID-19, according to the EEOC.

During the summer, several states began to implement mandatory and recommended quarantines for persons arriving in their states from other states with high levels of community spread. The EEOC confirmed that employers do not have to wait until employees experience COVID-19 symptoms before they may ask employees where they traveled, as such questions would not be disability-related inquiries.

As several employers have learned, not all employees cooperate with employer-administered screening programs. When they object, employers should consider their options carefully and whether an accommodation may be necessary. The EEOC acknowledges that the ADA allows employers to bar employees from physical presence in the workplace if they refuse to have their temperature taken or refuse to confirm whether they have COVID-19, have symptoms associated with COVID-19, or have been tested for COVID-19. Some employers desire to make compliance with screening programs a condition of employment, subjecting employees to termination from employment if they fail to comply. The EEOC did not discuss that option; however, the agency reminded employers they can gain cooperation by asking employees the reasons for their refusal. They also can offer information and/or reassurance that they are taking steps to ensure workplace safety, that the steps are consistent with health screening recommendations from CDC, and that the employer is careful about maintaining confidentiality.

Managers Sharing Information About Employees with COVID

It is not uncommon for managers to learn about the medical condition of employees they supervise. Because the ADA requires all employee medical information to be maintained confidentially, managers who discover an employee has COVID-19 may be unsure about what they may and/or should do with that information. The EEOC FAQs make clear that managers may report this information to appropriate persons in the organization in order to then comply with public health authority guidance, such as contact tracing. Employers should consider directing managers on where to report this information in order to minimize who receives it, and what to report. However, the EEOC clarified that it would not violate the ADA if a worker reported to her manager the COVID-19 status of a coworker in the same workplace.

Recognizing that coworkers in small workplaces might be able to identify which worker(s) triggered contact tracing efforts, the EEOC reminds employers they still may not confirm or reveal the employee’s identity. Employees who have a need to know this information about other employees should be specifically instructed to maintain confidentiality.

Telework

Many employees continue to telework, particularly in occupations where it is feasible to do so. Being away from the office, however, does not eliminate these COVID-19 issues. For example, managers still have to maintain the confidentiality of employee medical information when they are working from home. This includes, where necessary, taking steps to limit access to the information until the manager can return to the office to store the information according to normal protocols. It also includes not disclosing the reason an employee may be teleworking or on leave if the reason is COVID-19.

While many questions remain, these updated FAQs provide some helpful guidance for employers. Of course, certain situations can present additional issues for employers to consider. And, state and local law also may modify the employer’s analysis for those jurisdictions. Employers need to keep up to date and should consult experienced counsel when navigating these issues.

Whether it is facial recognition technology being used in connection with COVID-19 screening tools and in law enforcement, continued use of fingerprint-based time management systems, or the use of various biometric identifiers for physical security and access management, applications involving biometric identifiers and information in the public and private sectors continue to grow. Concerns about the privacy and security of that information continue to grow as well. Several states have laws protecting biometric information in one form or another, chief among them Illinois, but the desire for federal legislation remains.

Modeled after Illinois’s Biometric Information Privacy Act (BIPA), the National Biometric Information Privacy Act (Act), proposed by Sens. Jeff Merkley and Bernie Sanders, contains three key provisions:

  • A requirement to obtain consent from individuals prior to collecting and disclosing their biometric identifiers and information.
  • A private right of action against entities covered by the Act that violate its protections which entitles aggrieved individuals to recover, among other things, the greater of (i) $1,000 in liquidated damages or (ii) actual damages, for negligent violations of the protections granted under the law.
  • An obligation to safeguard biometric identifier or biometric information in a manner similar to how the organization safeguards other confidential and sensitive information, such as Social Security numbers.

The Act would apply to “private entities,” generally including a business of any size in possession of biometric identifiers or biometric information of any individual. Federal, state, and local government agencies and academic institutions are excluded from the Act.

Under the Act, private entities would be required to:

  • Develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. That schedule may not extend more than one year beyond an individual’s last interaction with the entity, but destruction could be required earlier;
  • Collect biometric identifiers or biometric information only when needed to provide a service to the individuals or have another valid business reason;
  • Inform individuals their biometric identifiers or biometric information is being collected or stored, along with the purpose and length of the collection, storage, or use, and must receive a written release from individuals which may not be combined with other consents, including an employment agreement;
  • Obtain a written release immediately prior to the disclosure of any biometric identifier or biometric information that includes the data to be disclosed, the reason for the disclosure, and the recipients of the data; and
  • Maintain the information using a reasonable standard of care.

Readers familiar with the BIPA in Illinois will find these requirements familiar. Readers familiar with the California Consumer Privacy Act (CCPA) will find the following “Right to Know” familiar as well. The Act would grant individuals the right to request certain information about biometric identifiers or biometric information collected by a covered entity within the preceding 12-month period. This information includes “specific pieces of personal information” and “the categories of third parties with whom the business shares the personal information.” The Act uses “personal information” but does not define it, leaving it unclear if it pertains only to biometric identifiers and biometric information.

Most troubling is the private right of action provision referenced above. The Act uses language similar to the language in the BIPA, which has led to a flood of class action litigation, including a decision by the Illinois Supreme Court finding plaintiffs need not show actual harm to recover under the law. The legislative process likely will result in some modification to the law, assuming it even survives, a fate privacy laws tend to have at the federal level. Nonetheless, we will continue to monitor the track of this and similar laws.

North Dakota’s State Board of Higher Education recently implemented the Student Data Privacy and Security Bill of Rights (the “Policy”). The Policy, which went into effect on May 29, 2020, was created by the North Dakota Student Association to facilitate students’ access to their Personally Identifiable Information (“PII”), and to regulate the North Dakota University System and its institutions’ collection and use of PII.

Key Provisions Under The Policy

The Policy outlines students’ right to know the types of PII collected by the North Dakota University System and its institutions (“NDUS”), including how the data is used and stored. Under the Policy, NDUS must, to the extent possible, make information available concerning the types of PII provided to NDUS vendors and contractors.

Use of PII

NDUS is prohibited from selling, releasing, or disclosing “non-directory” information for commercial or advertisement purposes. Directory information constitutes public record. While NDUS may use student PII for assessments and research related to accreditation, accountability, and policy implementation, NDUS may not subject students to punitive consequences as a result of the findings from such use.

Third-Party Providers and Vendors

NDUS must responsibly engage with third-party providers of educational services and vendors to ensure that student PII disclosed to these third parties is protected by the applicable industry standards. Generally, NDUS may not require students to disclose their PII to third-party service providers as a course requirement.

Record Review and Student Remedies

Students have the right to inspect, review, and challenge the accuracy and completeness of their academic record through a written request based on the NDUS institution’s request process. NDUS may limit the means of access to the educational record to ensure proper security of the record. These provisions are also afforded to students under the Family Educational Rights and Privacy Act (“FERPA”). NDUS is also required to comply with FERPA, which includes adhering to student requests to prevent disclosure of certain PII as “directory information”.

Students have the right to file complaints about violations under the Policy or other possible breaches of student data through an institutional grievance process.

Trends In State Student Privacy Laws

North Dakota follows the growing nationwide trend towards stronger state privacy laws related to student information. Since 2013, 40 states and Washington D.C. have enacted legislation specific to student privacy issues. Most states, including New York and Vermont, have regulated student privacy issues only for K-12. North Dakota joins the few states that regulate the use of student PII in higher education. As K-12 and higher education institutions continue to increase the use of educational technological services to facilitate classroom instruction, the need to strengthen student privacy laws, specifically as to higher education, will also continue to increase. In light of recent large-scale data breaches, educational institutions should continue to assess and enhance their data breach prevention and response procedures.

In late-March and April 2020, the Equal Employment Opportunity Commission (EEOC) released guidance addressing various questions with answers concerning COVID-19 and related workplace disability-related issues under the Americans with Disabilities Act (ADA). Recently, on June 17th, the EEOC updated its guidance to include a new question regarding antibody testing.

Most of the questions concern general employee rights and privacy and employer obligations during the current state of the COVID-19 pandemic. A few of the questions relate to the anticipated gradual return to the office of employees temporarily working remotely due to the pandemic as the crisis subsides.

The EEOC’s April update, inter alia, included a determination that employers can administer COVID-19 testing (i.e. testing for active virus), and recommended that employers do the following:

  • Determine that tests are accurate and reliable.
  • Review guidance from the Food and Drug Administration (FDA), U.S. Centers for Disease Control and Prevention (CDC), and other public health authorities and regularly check those authorities for updates.
  • Consider incidences of false positives and false negatives associated with particular tests.
  • Keep in mind that a negative test does not mean an employee will not contract the virus in the future.
  • Require that employees continue infection control practices, including social distancing, handwashing, and other cleanliness and disinfecting measures.

The April update was silent on whether its determination regarding COVID-19 testing also included antibody testing. Antibody testing (i.e. serological testing) is able to detect antibodies from a previous infection. However, it can take one to three weeks for antibodies to develop following onset of symptoms, and it is not certain that antibodies provide immunity or, if so, how long immunity would last – the current reliability and utility of these tests is in question.

The June 17th update to the EEOC guidance weighs in on antibody testing in the workplace. Specifically, the EEOC provides an answer to the following question:

CDC said in its Interim Guidelines that antibody test results “should not be used to make decisions about returning persons to the workplace.” In light of this CDC guidance, under the Americans with Disabilities Act (ADA) may an employer require antibody testing before permitting employees to re-enter the workplace?

The EEOC concludes that antibody testing constitutes a medical examination under the ADA, and that employers cannot require antibody testing before permitting employees to re-enter the workplace:

“In light of CDC’s Interim Guidelines that antibody test results “should not be used to make decisions about returning persons to the workplace,” an antibody test at this time does not meet the ADA’s “job related and consistent with business necessity” standard for medical examinations or inquiries for current employees. Therefore, requiring antibody testing before allowing employees to re-enter the workplace is not allowed under the ADA.”

It is important to note that, as with other types of COVID-19-related guidance, the EEOC will continue to monitor the CDC’s recommendations and update its discussion of this topic in response to changes in those recommendations.

Takeaway

In general, COVID-19 testing methods come with administrative burdens, both to implement and to ensure compliance. Such testing presents privacy implications, particularly with respect to testing that requires a blood sample or swab. Moreover, any information collected should be protected, with access limited to those who need it, particularly if the organization is using a third party. As issues and concerns around COVID-19 unfold daily, employers must prepare to address the threat as it relates to the health and safety of their workforce.


Most companies continue to grapple with compliance with the California Consumer Privacy Act (“CCPA”), which went into effect in January. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA.

Now, the privacy-rights advocacy group that sponsored the CCPA, Californians for Consumer Privacy, is pushing for an even more stringent privacy measure, the California Privacy Rights Act (“CPRA”). The group recently announced that it has collected more than 900,000 signatures in support of placing the measure on the state’s November 2020 ballot.

If the measure qualifies for the ballot and passes, companies will once again have to review their privacy programs and likely amend them further to comply. Many other states are also attempting to pass new privacy legislation, which could create a complex regime of multiple states with differing laws.

The CPRA, as drafted, would amend the CCPA, which has been criticized for overbroad definitions and ambiguous language. It would expand the privacy rights of California residents and increase compliance obligations for companies. Among other things, the CPRA as written would:

  • New data category. Add a new category of information, “sensitive personal information,” which would include health, financial, and precise geolocation data, and allow California consumers to limit businesses’ use of this information. Much of this information is already covered by federal privacy laws, such as HIPAA and GLBA.
  • Privacy for children’s data. Enhance children’s privacy rights and triple fines for collecting and selling information of minors under 16 years of age.
  • Enforcement Arm. Establish new enforcement authority to protect data privacy rights.
  • Correction of data. Give Californians the right to ask businesses to correct inaccurate personal information.
  • More breach liability. Expand data breach liability to cover breaches of a consumer’s email address in combination with a password or security question and answer that would permit access to the account. Because such a breach lets an attacker access the consumer’s account, the CPRA would extend liability to the company experiencing it.

However, one thing the CPRA does that may help businesses is provide a two-year extension of the exemptions for employee and business-to-business data. The current exemption is set to expire at the end of 2020. It is important to note that under the current exemption, while employees are temporarily excluded from most of the CCPA’s protections, two compliance obligations remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information, the latter backed by the CCPA’s private right of action for individuals affected by a data breach caused by a business’s failure to do so.

While the CPRA may have enough signatures to qualify for the upcoming ballot, the California Secretary of State and local election officials will have to certify the signatures by June 25, 2020. Of the 900,000 signatures submitted, 675,000 must be certified as valid for the CPRA to be included on the November ballot.

We will continue to monitor CPRA developments and provide guidance on compliance with CCPA and new regulations and guidance from the California Attorney General.

As they work to combat the surging COVID-19 virus, healthcare providers recently were reminded by legislators and regulators of the importance of data security and privacy protections.

On the data security front, U.S. Senators Richard Blumenthal, Tom Cotton, David Perdue, and Mark Warner recently wrote to the Director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and the commanding general of the U.S. Cyber Command to express their “profound concerns” that healthcare providers are “facing an unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic,” which “pose an alarming risk of disrupting or undermining our public health response at this time of crisis.” The Senators urged CISA and the Cyber Command to issue guidance and provide technical resources to deter these threats.

Beyond their general call for action, the Senators offered specific measures CISA and the Cyber Command should adopt to protect healthcare providers’ data security:

  1. Provide private and public cyber threat intelligence information, such as indicators of compromise (IOCs), on attacks against the healthcare, public health, and research sectors, including malware and ransomware.
  2. Coordinate with the Department of Health and Human Services, the Federal Trade Commission, and the Federal Bureau of Investigation on efforts to increase public awareness on cyberespionage, cybercrime, and disinformation targeting employees and consumers, especially as increased telework poses new risks to companies.
  3. Provide threat assessments, resources, and additional guidance to the National Guard Bureau to ensure that personnel supporting state public health departments and other local emergency management agencies are prepared to defend critical infrastructure from cybersecurity breaches.
  4. Convene and consult partners in the healthcare, public health, and research sectors, including its government and private healthcare councils, on what resources and information are needed to reinforce efforts to defend healthcare IT systems, such as vulnerability detection tools and threat hunting.
  5. Consider issuing public statements regarding hacking operations and disinformation related to the coronavirus for public awareness and to put adversaries on notice, similar to the joint statement on election interference issued on March 2nd.
  6. Evaluate further necessary action to defend forward in order to detect and deter attempts to intrude, exploit, and interfere with the healthcare, public health, and research sectors.

On the heels of this call for action on data security, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information will be accessible without the patients’ prior authorization. In this guidance, the OCR reiterated that “it is not sufficient for a covered health care provider to require the media to mask patients’ identities when airing recorded video (such as by blurring, pixelation, or voice alteration), after the fact. Prior, express authorization from the patient is always required.” While this guidance does not break new ground, it serves as a timely reminder as newscasts focus daily on the efforts of healthcare providers to treat COVID-19 patients.

These are difficult times for healthcare providers, but even as they tackle the clinical demands of the COVID-19 pandemic, the developments discussed above demonstrate the importance of continuing to be vigilant in the enforcement of data security and privacy policies.

For more on recent privacy and cybersecurity updates for healthcare providers, check out some of our past blog posts:

  • Maintain High Service Levels to Support for Work From Home

Just over a month ago, we provided a high-level checklist to help organizations think about critical issues as employees began working from home to reduce the spread of COVID-19. Consistent with “shelter-in-place”/“stay at home” orders, millions of workers who can are now working from home. However, out of sight is not out of mind, as many organizations want to be sure these workers remain productive. Periodic office visits to chat are not an option right now, but spyware and keylogging technologies are. Some employers are considering these technologies as they balance employee privacy with the need to manage their teams and monitor productivity.

Distractions are easy to come by these days – the daily Gov. Cuomo briefing, kids also “working” from home, the latest firetruck birthday party, and the status of toilet paper deliveries.  For many workers, the idea of telecommuting itself is a distraction as they simply are not used to it on a regular basis. These and other distractions raise employers’ suspicion that workers are not being productive or as productive as they could be. But, productivity may not be the employer’s only goal. Protecting trade secrets, avoiding data breaches, finding ways to make remote work easier, and generally dissuading improper behavior are just some of the other drivers for increasing surveillance on remote workers.

Excessive, clumsy, or improper employee monitoring, however, can cause significant morale problems and, worse, create potential legal liability for privacy-related violations of statutory and common law protections. Advancements in technology have made it easier to monitor remote employees and, by extension, easier for employers that are not careful to violate the law.

Spyware and keylogging are technologies that have been around for some time and can be attractive options for employers. In general, spyware is software that covertly collects information about another person’s computer activity and transmits it elsewhere. That information can include screenshots of the user’s display, which could capture, for example, the text of “private” messages the employee believes she is sending to a social media friend. “Keyloggers” can be hardware devices but are most often software designed to monitor and log every keystroke. Like spyware, keylogging can covertly capture a user’s keystrokes, including private account credentials or confidential communications, and transfer that information to another computer.

This level of surveillance raises a number of legal and employee relations risks. Here are just a few.

  • California Consumer Privacy Act (CCPA). Effective January 1, 2020, the CCPA currently applies to personal information of employees, at least until December 31, 2020. It requires that employees be provided a “notice at collection”, that is, a notice describing the categories of personal information (including network activity) that the company collects and the purposes for which that information is used. Businesses subject to the CCPA will need to be sure that this surveillance activity is appropriately covered in notices at collection for employees who reside in California.
  • State Social Media Password Protection Laws. Over 25 states have laws that prohibit employers from requesting or requiring employees to provide credentials to their personal online accounts. Deploying spyware or keylogging technologies arguably is not a request or requirement in the usual sense. However, employers should consider how these laws may be interpreted and shape their approach accordingly.
  • Stored Communications Act. Accessing personal social media communications or other personal online account communications may run up against protections under the Stored Communications Act.
  • Taking action based on information obtained through the surveillance.
    • Credit protection laws. Several states, such as California, Maryland, and Nevada, have laws prohibiting employment discrimination on the basis of poor credit or payment histories. These laws were passed in reaction to the Great Recession and likely have increased relevance again today, as more than 20 million workers have filed for unemployment.
    • Genetic Information Nondiscrimination Act (GINA). Learning through spyware about an employee’s family member suffering from a debilitating health condition or a contagious disease could raise issues under GINA. EEOC regulations provide an exception for genetic information obtained inadvertently, but if it was reasonably likely that such data would be collected, or if the recipient continues to examine it or look for related information, there is a risk of a violation. Thus, the mere collection of such information could be problematic under GINA, as well as its use for a discriminatory purpose.
    • ADA/State Protections for Medical Information. A similar analysis applies for medical information obtained through monitoring. However, the regulations are less specific under the ADA compared to GINA.
    • Safeguarding the Information Collected. A growing number of states have stringent requirements to maintain reasonable safeguards to protect personal information, and the definition of personal information is not limited to Social Security numbers. Medical information, online account credentials, credit card numbers, and dates of birth can all be captured and stored by spyware, keylogging, and other surveillance tools, which makes the monitoring data itself a sensitive data store that must be safeguarded.

What can organizations do?

  • Understand the technology. Organizations should avoid having their IT departments deploy these technologies without a careful review, one that involves appropriate persons outside the IT department. Input from HR and the Legal Department can be invaluable for minimizing legal risk and maintaining good employee relations and trust.
  • Acceptable Use and Electronic Communications Policy. When organizations decide to engage in any level of surveillance or search of employees, they should consider what their employees’ expectations are concerning privacy. In general, it is best practice to communicate to employees a well-drafted acceptable use and electronic communication policy that informs employees on what they can expect when using the organization’s systems, whether in the workplace or when working remotely. This includes addressing employees’ expectation of privacy, as well as making clear the information systems and activity that are subject to the policy.
  • Monitoring the monitors. Employees asked to perform monitoring with these technologies can feel empowered and, believing they are helping the organization, go too far in their surveillance, creating legal risk. For this reason and others, it is recommended that organizations maintain guidelines for these employees that make clear the boundaries the organization has determined with counsel to be appropriate, and review compliance with those guidelines from time to time.
  • Be prepared to investigate. Surveillance may uncover nonperformance, irregular activity, malicious insiders, and other problematic activity that the organization needs to address. The time to lay out that process and how to further investigate is not when evidence of the activity is discovered. Organizations should be prepared to react to findings with a comprehensive investigation plan that involves the appropriate persons at the earliest time.

It may be that this high level of remote work will continue for a while, or, considering this forced experiment, certain organizations may realize that they can remain very productive in some or all parts of their business while deriving enormous savings from utilizing this new “workplace.” Either way, managing that work will raise new challenges for management. When more advanced monitoring and surveillance tools are deployed, organizations need to plan carefully, have the right team in place, review policies and applicable state and federal law, and be prepared to address problems when they arise.