2020 may very well be the most impactful year for data privacy and cybersecurity in the United States. In honor of Data Privacy Day, we discuss some of the reasons why that may be the case. In short, as privacy and cybersecurity risks continue to emerge for organizations large and small, the law is beginning to catch up, which is prompting a significant uptick in compliance efforts.

The California Consumer Privacy Act and Its Admirers

On January 1, 2020, the long anticipated, hotly debated, and already amended California Consumer Privacy Act (CCPA) went into effect. According to a survey conducted by ComplianceWeek.com, however, nearly 80% of respondents felt either “somewhat confident,” “uncertain,” or “not confident at all” that they would be compliant by the effective date. These results may be due to a variety of reasons: a lack of awareness or resources, reliance on the extended CCPA enforcement date (July 1, 2020), a belief that the California Attorney General’s enforcement efforts will be directed elsewhere, and/or anticipation of final regulations or further guidance from the California Attorney General.

Nonetheless, many businesses are working on CCPA compliance: mapping consumer data; providing notices at collection to consumers, employees, and applicants; updating websites and privacy policies; building internal procedures to verify and respond to consumer requests; and tightening their safeguards for protecting personal information. These efforts are worthwhile for many businesses as they are likely to yield dividends beyond California.

Following California’s lead, a number of other states have introduced similar measures in 2020 regarding individual privacy rights. These legislative efforts include: Florida (SB 1670, HB 963); Hawaii (SB 418, SB 2451); Illinois (SB 2330); Maryland (HB 249); Nebraska (LB 746); New Hampshire (HB 1680); New Jersey (S269, S236, A2188); Vermont (H. 899); Virginia (HB 473); Washington (HB 2759). Earlier efforts began in 2019: New Mexico (SB 176); New York (A 6351, S 4411); Pennsylvania (HB 1049); Rhode Island (S 234, H 5930); and Texas (HB 4518). All of these measures may fail, but California’s influence on state privacy law is considerable. Remember, the country’s first data breach notification law became effective in 2003 in California, and now all 50 states, as well as a number of other countries, have such a law.

Adoption of Biometric Technology Grows, Along with Regulation

SourceToday.com reports that “by 2025, Zion Market Research expects the global next-generation biometric market to reach $36.8 billion, up from $12.9 billion last year.” The same report cites Deloitte’s 2018 global mobile consumer survey (US edition) which finds that at least one biometric authentication method is used by nearly half of U.S. smartphone owners. The trend for biometrics is on the rise.

Organizations which collect and use biometric identifiers/information (e.g. fingerprints, face scans, etc.) should be mindful of the increasing privacy and data security regulation around biometric technologies and applications. While biometrics may be helpful in preventing fraud, managing employees’ time, or improving security, these benefits must be weighed against the potential legal and compliance risks.

The most critical of these risks exists in Illinois under its Biometric Information Privacy Act (BIPA). Under BIPA a plaintiff is entitled to statutory damages for violations, and actual harm is not required in order for an individual to sue. BIPA is at the heart of hundreds of putative class action lawsuits in Illinois. Compliance steps such as obtaining consent prior to collection or use and establishing a written policy may help mitigate risk. For more information on BIPA and biometric information-related concerns, check out our FAQs.

Of course, BIPA does not present the only compliance concern. In California, for example, the CCPA includes biometric information as a specific category of personal information, and following a change in 2019, a breach of biometric information could trigger a notification requirement. Other states regulating biometric information in one form or another include, without limitation, Arkansas, Colorado, Florida, Massachusetts, Nebraska, New York, Texas, and Washington.

Organizations’ Websites Provide a Window Into Compliance

Websites facilitate communication with consumers, constituents, patients, employees, and the general public. They project an organization’s image and promote goodwill, provide information about products and services, and allow for their purchase. Websites also inform investors about performance, enable job seekers to view and apply for open positions, and accept questions and comments from visitors to the site or app, among many other activities and functionalities. Because of this vital role, websites have increasingly become the subject of regulation, making them a growing compliance concern, particularly as they are open to inspection by the public.

CCPA privacy policies, ADA accessibility, HIPAA notice of privacy practices, and COPPA consent mandates are just a few of the compliance requirements affecting websites and online applications or services. In 2020 and beyond, organizations will need to take a closer look at these and other compliance issues concerning their websites and online services.

Telephone Consumer Protection Act (TCPA)

While the Supreme Court declined to address whether the Hobbs Act (also known as the Administrative Orders Review Act) requires a district court to accept the Federal Communications Commission’s (FCC) interpretation of the TCPA (PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., No. 17-1705), there have been a number of other developments impacting the TCPA. In December 2019, the FCC ruled that online faxes are TCPA exempt, and the Supreme Court recently granted certiorari on a petition to rule on the constitutionality of the TCPA. In granting certiorari, the Court agreed to review a ruling of the Fourth Circuit which held that a TCPA exemption for government debt collectors was in violation of the First Amendment. The case could have a significant impact on TCPA claims. Further, Congress recently proposed the TRACED Act to combat the increasing number of robocall scams and other intentional violations of telemarketing laws. The TRACED Act, if passed, broadens FCC authority to levy civil penalties and extends the time period for the FCC to catch and take civil enforcement action against intentional violations. Needless to say, 2020 should be an interesting year for the TCPA.

Cybersecurity, Cybersecurity, and Cybersecurity

A rundown of anticipated, critical cybersecurity risks vying for attention at the upcoming RSA Conference in 2020 (the world’s biggest conference for CISOs) should provide reason enough for organizations to redouble their efforts at tightening security. But that is not all.

Less than two months from now, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) becomes effective, imposing expansive data security requirements on companies. Among other things, and similar to data security frameworks in other states such as California, Colorado, Massachusetts, and Oregon, the SHIELD Act requires that any person or business, including a small business, that owns or licenses computerized data which includes private information of a resident of New York must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.

Examples of practices considered reasonable administrative safeguards under the law include risk assessments, employee training, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and disposal of private information within a reasonable time period.

Similar frameworks already exist in other states. For example, in 2018, Colorado enacted HB 1128, creating obligations for businesses to maintain “reasonable security procedures and practices” for protecting personal identifying information. Similar rules have been in place since 2010 in Massachusetts. Requirements for reasonable safeguards to protect personal information also exist in numerous other states such as Alabama, Florida, Nevada, Illinois, Indiana, and Utah.

But we will end where we began: the CCPA. We believe it will be an important driver of “reasonable safeguards” for personal information. This is because, similar to BIPA, the CCPA authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. As the CCPA provides for statutory damages, plaintiffs in these lawsuits may not have to show actual harm or injury to recover.

*      *     *     *     *

For these reasons and others, we believe 2020 will be a significant year for privacy and data security.

Happy Privacy Day!

The outbreak of a new coronavirus that is believed to have begun in the central Chinese city of Wuhan, and now appears to be spreading to the United States, is driving concerns for organizations around preparedness regarding their operations, their customers, and their employees. Both the Centers for Disease Control and Prevention (CDC) and the State Department have issued travel advisories, and the CDC asks everyone who traveled to Wuhan in the last 14 days and experiences symptoms to seek medical care immediately.

Many organizations are seeking guidance on how best to respond to these concerns, especially those in certain industries. Businesses that rely on international travel, such as those in the commercial airline and border protection industries, must be particularly aware. Organizations must consider a range of issues – travel restrictions, how to identify persons likely to have been exposed to the virus and how to limit that exposure, communication plans in the event an exposure is identified, as well as a range of employment law issues, including under the Americans with Disabilities Act, the Genetic Information Nondiscrimination Act, the National Labor Relations Act, and other federal and state laws. Learn more about these here.

Naturally, however, the spread of infectious disease also raises particular concerns for healthcare workers who want to do their jobs and care for their patients while also protecting themselves and their families. In the healthcare sector, as with prior contagious disease outbreaks, fears about contracting the virus could lead to impermissible “snooping” and sharing of information by healthcare employees. Covered entities and business associates therefore need to take this increased risk seriously and remind members of their workforce that they may not access or disclose patient records for an impermissible purpose. Healthcare workers also should be reminded that impermissible snooping can lead to termination, fines, and in some cases criminal prosecution.

In November 2014, during the Ebola outbreak, the Office for Civil Rights issued a bulletin addressing HIPAA privacy in emergency situations. This bulletin provides a good resource and reminder for health care providers when working in this environment. For some covered entities that may not yet maintain a robust program for creating HIPAA privacy and security awareness, this would be a good opportunity to communicate some of the basic safeguards required under HIPAA, including when and under what circumstances they can share patient information with family, friends, public health agencies, and the media. All covered entities should also remember to document these efforts, as documentation is required under HIPAA and will help them substantiate their compliance efforts.

Healthcare providers also must remember that HIPAA is not the only game in town. They have to also consider more stringent state laws that may apply in these situations. Additionally, for healthcare providers in different settings, such as universities in an educational setting, the Family Educational Rights and Privacy Act (FERPA) may have additional protections for treatment records pertaining to students.

No one knows where the next victim of the coronavirus will show up for care. First and foremost, that provider needs to be prepared to treat that person. But the provider also needs to be sure privacy and security safeguards are in place to avoid a breach of the patient’s privacy and a compliance exposure.

Recently, the U.S. Federal Trade Commission issued an important opinion, concluding that Cambridge Analytica, LLC, the data analytics and consulting company, engaged in “deceptive practices to harvest personal information” of tens of millions of social media users by using data from a company-developed app, GSRapp, for voter profiling purposes without the users’ knowledge or consent. In addition, the FTC found that Cambridge Analytica engaged in deceptive practices connected to its EU-US Privacy Shield (“Privacy Shield”) framework participation.

In particular, the FTC opinion highlighted that Cambridge Analytica, its then CEO, and the GSRapp developer deceived consumers by falsely telling app users that the app would not collect users’ names or other identifiable information, when in fact it collected User IDs, which gave Cambridge Analytica access to users’ social media profiles containing identifiable information.

Regarding Cambridge Analytica’s deceptive Privacy Shield practices, the FTC concluded that Cambridge Analytica continued to claim participation in the Privacy Shield framework after allowing its certification to lapse. Moreover, the company failed to adhere to the Privacy Shield requirement that, after ceasing participation in the framework, a company must affirm to the Department of Commerce that it will continue to apply Privacy Shield protections to personal information collected during the time period the company participated in the framework.

The FTC’s Final Order prohibits Cambridge Analytica from making false representations regarding the extent to which it protects the privacy and confidentiality of personal information, and regarding its participation in the Privacy Shield framework as well as other similar regulatory or standard-setting organizations. Further, the company must continue to apply Privacy Shield framework protection to all personal information collected during the time period the company participated in the program, or alternatively delete or return the information. Finally, Cambridge Analytica must delete all personal information collected by the GSRapp.

The FTC’s opinion and order against Cambridge Analytica is particularly relevant, as the newly effective California Consumer Privacy Act was a direct response to Cambridge Analytica’s deceptive practices towards user personal information, as well as other similar incidents of late. The CCPA creates extensive obligations for companies that handle consumer personal information, and provides consumers with enhanced control over their data, with the aim of preventing deceptive activity such as that of Cambridge Analytica. Key relevant CCPA provisions include:

Notice Obligations

  • A business that collects a consumer’s personal information must inform consumers, at or before the point of collection, as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. This does not include specific pieces of personal information.
  • A business must disclose certain information in an online privacy policy or on an internet website, as applicable. This information includes, without limitation, an explanation of the rights consumers have under the CCPA and certain information about the categories of personal information it collected, disclosed, or sold, as applicable. These disclosures must be updated every 12 months.

Consumer Rights

  • A consumer’s right to request information regarding the categories of personal information collected on them, the sources of that information (such as from an online survey or user profile as in the case of Cambridge Analytica), the categories of personal information used for business purposes or sold to third parties, and the “specific pieces” of information collected.
  • A consumer’s right to request that a business deletes personal information collected about them.

The CCPA is here (effective since January 1) and the development of a meaningful data protection program has never been more important. Jackson Lewis has established a CCPA Team that is available to answer questions regarding the CCPA and assist covered businesses in their compliance efforts.

Some business leaders and HR professionals may be waking up this morning not realizing they must provide a “Notice at Collection” to some or all of their employees and applicants under the new California Consumer Privacy Act (CCPA). This is not surprising given the confusion during 2019 about whether this law would reach that far. The passage of AB 25 confirmed that while employees would be temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for personal information, driven by a private right of action now available to individuals affected by a data breach caused by a business’s failure to do so.

Before addressing these two employment-related aspects of the CCPA, it is helpful to remember which entities are subject to CCPA. The basic rule follows.

In general, the CCPA applies to a “business” that:

A. does business in the State of California,

B. collects personal information (or on behalf of which such information is collected),

C. alone or jointly with others determines the purposes or means of processing of that data, and

D. satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

For more information on this part of the law, please review Does the CCPA Apply to Your Business?

Notice at Collection

A “notice at collection” requires two pieces of information be communicated to the consumer/employee:

  1. The categories of personal information collected by the business. There are eleven categories of personal information, such as identifiers, geolocation data, biometric information, employment-related information, etc. See Cal. Civ. Code Sec. 1798.140(o).
  2. For each category, the uses of personal information by the business.

There are, of course, some questions employers may have about this notice, such as:

    • Who must get it? AB 25 refers to the following categories of “consumers” (natural persons who are California residents) – job applicants to, employees of, owners of, directors of, officers of, medical staff members of, or contractors of the business. Note, the CCPA does not define these terms, and recent proposed regulations do not address AB 25 at all. Guidance may come with final regulations.
    • When must they get it? The statute requires the notice to be provided at or before collection of personal information. In the case of applicants, that might mean providing the notice on the company’s website if, for example, it receives information from applicants on the site concerning open positions. In the case of employees, assuming different notices will be provided because more information is collected from employees, a notice at the beginning of the onboarding process, such as with offer letters, might make sense. Some employers may want to include the notice in employee handbooks, although this may not satisfy the “at or before collection” requirement. Handbooks typically are not provided until after some personal information has been collected from an employee, but a handbook could give employees a place for easy reference to the business’s practices concerning personal information.
    • Is notice required for current employees? It is true that businesses have already collected personal information about individuals working for the company prior to 2020. However, collection is an ongoing process. One of the categories of personal information, for example, is website browsing activity. Many businesses now continually track this activity if only to safeguard their systems and implement electronic communications and information systems policies.
    • Include information on where employees can go with questions? This is not currently required. Providing employees, applicants, and others a place to go with questions, however, might be a good idea. Employees may not have received this kind of notice before and may have a number of questions. Designating individuals in the organization to address those questions, and directing employees and applicants to those individuals, would help to ensure consistent messaging about the business’s practices.

Reasonable Safeguards

The second issue for employers under the CCPA is safeguarding employee personal information. Under the CCPA, California consumers, including employees and applicants, affected by a data breach can bring an action for statutory damages when the breach is caused by the business’s failure to maintain reasonable safeguards to protect a subset of personal information and following a 30-day cure period. A consumer can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

There is no regulatory guidance in California concerning what it means to have “reasonable safeguards.” However, former California Attorney General Kamala Harris issued a 2016 data breach report in which she interpreted an existing California statute, Cal. Civ. Code 1798.81.5(b), to mean that businesses must at least satisfy the 20 controls in the Center for Internet Security’s Critical Security Controls in order to be considered reasonable. It is not clear if those controls will be sufficient to meet the CCPA’s standard, but they would be a good place to look for guidance. Note also that the “reasonable safeguards” obligation applies to a subset of personal information, namely:

An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social security number,
  2. Driver’s license number, California identification card number, and government identifiers (i.e. tax identification number, passport number, military identification number),
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account,
  4. Medical information,
  5. Health insurance information, and
  6. Biometric identifiers.

Thus, businesses should be reviewing their data security policies and procedures not just with respect to consumer data, but also employment-related activities – payroll, benefits, recruiting, direct deposit, shared-services, background checks, etc. This also means evaluating what their third-party service providers are doing to protect personal information of employees, applicants, contractors, etc. Note other states also have similar mandates, including Colorado, Massachusetts and New York (coming soon in March 2020).

Businesses that find themselves subject to the CCPA should act quickly to satisfy their AB 25 requirements. Of course, this may be temporary because AB 25 sunsets on January 1, 2021. However, considering the current direction of privacy law, it seems likely that there will be more, not fewer, privacy protections for employees by the end of 2020.

When privacy geeks talk “privacy,” it is not uncommon for them to use certain terms interchangeably – personal data, personal information, personally identifiable information, private information, individually identifiable information, protected health information, or individually identifiable health information. They might even speak in acronyms – PI, PII, PHI, NPI, etc. Blurring those distinctions might be OK for casual conversation, but as organizations develop data privacy and security compliance programs, the meanings of these terms can have significant consequences. A good example exists within the California Consumer Privacy Act (“CCPA”) and its interaction with other laws.

The CCPA, effective January 1, 2020, contains an expansive definition of “personal information.” See Cal. Civ. Code Sec. 1798.140(o). The basic definition is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition goes on to enumerate, without limitation, certain categories of information (e.g., identifiers, website activity, biometric information, geolocation) if they identify, relate to, describe, are reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. With respect to this broad set of data, the CCPA extends to California consumers substantial rights, including the right to request deletion of that data or to opt-out of its sale.

The CCPA’s private right of action for data breaches, however, applies to a much narrower subset of “personal information” defined above. Specifically, the CCPA incorporates another section of California law, Cal. Civ. Code Sec. 1798.81.5(d)(1)(A), to define personal information that, if breached, and which the owner failed to reasonably safeguard, could expose the owner to statutory damages of up to $750 per person. For this purpose, personal information means:

An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.

Note also that the CCPA excludes certain information from its general definition of personal information, such as “protected health information” maintained by covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”).

But the PI, PII, PHI…conundrum does not end with the CCPA. An organization with CCPA obligations also may maintain “private information” of New York residents. Under the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), that organization would have to adopt reasonable safeguards to protect “private information” which is defined to mean, in general, any information concerning a natural person which, because of an identifier, can be used to identify such natural person if it is in combination with any one or more of the following data elements:

  • social security number;
  • driver’s license number or non-driver identification card number;
  • account number, or credit or debit card number, which alone or together with a required code would permit access to an individual’s financial account;
  • biometric information, meaning data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data which are used to authenticate or ascertain the individual’s identity.

Private information also includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Confused yet? Perhaps your organization is not subject to the CCPA or the NY SHIELD Act, but you own and operate a website that collects personal information from consumers who reside in California and Delaware. Laws in those states require a website privacy policy that describes certain practices concerning “personally identifiable information,” defined in Delaware to mean:

any personally identifiable information…collected online by the operator…from that user…including a first and last name, a physical address, an e-mail address, a telephone number, a Social Security number, or any other identifier that permits the physical or online contacting of the user, and any other information concerning the user collected by the operator…from the user and maintained in personally identifiable form in combination with any identifier described in this paragraph.

A similar definition exists under the California law. These distinctions just scratch the surface and add to the complexity of the emerging patchwork of data privacy and security law in the United States.

So, when thinking about personal information, it is important to remember that not only does the definition extend beyond just one’s name and social security number, but the term itself and its definition likely will differ depending on the particular statutes or regulations you are analyzing. When assessing an organization’s threats and vulnerabilities to personal information, or preparing policies and procedures to safeguard it, be sure to develop an appropriate definition that takes into account the necessary elements of data.

The Washington State Supreme Court ruled recently that state employees’ birthdates associated with their names are not exempt from disclosure pursuant to a freedom of information records request. In so holding, the Court strictly construed the applicable statute that did not expressly exempt birthdates from disclosure. Wash. Pub. Emps. Assn. v. State Ctr for Childhood Deafness & Hearing Loss. Private and public entities across the country that respond to countless requests for information may want to rethink their approach.

In 2016, the Freedom Foundation (Foundation) sent public records access requests to several state agencies seeking disclosure of records for union-represented employees, including their full names, associated birth dates, and agency work e-mail addresses. Upon reviewing the Foundation’s requests, the agencies determined that all of the requested records were disclosable and indicated that, absent a court order, they intended to release the requested records. Several unions filed motions for preliminary and permanent injunctions to prevent disclosure of the requested records based (among other things) on privacy concerns.

In its decision, the Court stated, “We appreciate the Unions’ concern that disclosing birth dates with corresponding employee names may allow . . . requesters or others to obtain residential addresses and to potentially access financial information, retirement accounts, health care records or other employee records. Yet, we cannot judicially expand the [law’s] narrow exemptions beyond the boundaries set by the legislature, lest we step beyond our interpretive role and risk disrupting the balance of public policies the [law] reflects.”

Significantly, the Court noted that it had long ago defined the “right to privacy” by referring to the common law tort of invasion of privacy through public disclosure of private facts citing, Hearst Corp. v. Hoppe (1978). The State legislature subsequently codified a “right to privacy” as being invaded or violated “only if disclosure of information about the person: (1) Would be highly offensive to a reasonable person, and (2) is not of legitimate concern to the public.”

The Court did go on to acknowledge legitimate concerns about the misappropriation of birth dates that echo the concerns related to Social Security numbers. However, the Court ruled that this does not mean that names and associated birth dates have become private—only that this information is personally identifying. The fact that information is personally identifying, alone, is insufficient to warrant its exemption from disclosure.

Ultimately, the Court noted that the Unions’ argument was a policy-based one, concerned with the widespread abuse of personal identifiers for criminal purposes, and that such policy choices were not the Court’s to make. While the Court was constrained by the statute at issue, which exists specifically for the purpose of allowing the public to obtain information about government, the Court did acknowledge general concern about the misappropriation of personally identifying information. This concern should be instructive for public and private sector entities alike.

Notably, there has been an increase across the country in state laws that have created or expanded on privacy rights (despite Washington’s failed effort earlier this year to pass the Washington Privacy Act, a European-style data protection law). These laws are expanding the categories of personal information that warrant protection – it is no longer just the Social Security number. When not compelled by law, such as a freedom of information law, public and private entities should consider disclosing only what is minimally necessary to respond to a request, with particular attention to data elements that facilitate identity theft.

The California Consumer Privacy Act takes effect January 1, 2020. Businesses within the scope of the CCPA are taking steps to prepare, including drafting notices to inform California consumers of their right to opt out of the sale of their personal information. However, California will not be the first state to provide a consumer with the right to opt out of the sale of their personal information. As a result of the recently amended Nevada data protection law, effective October 1, 2019, a Nevada consumer will also have the right to opt out of the sale of personal information collected by an online business.

The existing Nevada Security and Privacy of Personal Information Act, NRS 603A, provides numerous privacy and security protections for the personal information of Nevada residents. These include requiring

  • A business to take reasonable measures to ensure the secure destruction of customer records containing personal information when the business decides that it will no longer maintain the records;
  • A data collector to (i) implement and maintain reasonable security measures to protect personal information it maintains regarding a resident of the state from unauthorized access, acquisition, destruction, use, modification, or disclosure and (ii) contractually obligate third parties to whom it discloses personal information to do the same;
  • A data collector to encrypt data for non-invoice transmissions outside of the business and encrypt data storage devices containing personal information when transported beyond the control of the data collector; and
  • A data collector to disclose a breach of the security of system data that includes personal information of a Nevada resident where the information was, or is reasonably believed to have been, acquired by an unauthorized person.

The Act also requires an operator of an Internet website or online service to post an online privacy notice regarding the privacy of “covered information” that it collects from a “consumer.” Covered information means one or more of the following items about a consumer when maintained by an operator in an accessible form:

  • A first and last name
  • A home or physical address including the name of a street and city or town
  • An email address
  • A telephone number
  • A social security number
  • An identifier that allows a specific person to be contacted physically or online
  • Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.

A “consumer,” for the purpose of providing the privacy notice, means a person who seeks or acquires, by purchase or lease, any good, service, money, or credit for personal, family, or household purposes from the Internet website or online service of an operator.

SB 220 recently amended these consumer rights by adding the right to opt out of the sale of personal information collected by an operator of an Internet website or online service. Specifically, SB 220

  • Expands the definition of an operator to include a commercial Internet website or online service that otherwise engages in any activity that constitutes sufficient nexus with the State to satisfy the requirement of the US Constitution. It also expands the categories of entities exempt from this definition to include financial institutions or their affiliates subject to the Gramm-Leach-Bliley Act; entities subject to HIPAA; and manufacturers or persons who service motor vehicles and collect, generate, record, or store certain types of information;
  • Defines the “sale” of consumer personal information as the “exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons;”
  • Requires the operator’s online privacy notice to include a “designated request address” such as an e-mail address, toll-free telephone number or Internet website through which the consumer can submit a verified request; and
  • Requires the operator to respond to a verified consumer request to prohibit the sale of any covered information the operator has collected or will collect about the consumer within 60 days of receipt, subject to a 30-day extension, as reasonably necessary.

While this consumer right to opt out is similar to the CCPA, there are several key differences worth noting. First, SB 220 applies to a much less expansive definition of personal information and a narrower definition of sale. Second, it applies only to personal information collected through online commercial sales. Third, and most significantly, there is no revenue or data collection threshold for determining which businesses are within its scope. It applies to operators of commercial Internet websites or online services who engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution, regardless of size or revenue.

The effective date for SB 220 is October 1, 2019, and operators should have their opt-out notice and designated request address ready. For those businesses preparing for the effective date of the CCPA in January, certain compliance preparations can be leveraged for SB 220. These include data mapping, creating a designated request address, updating the online privacy policy, and drafting and implementing internal policies and procedures to identify, verify, and respond to a consumer request in a timely manner. Implementation of SB 220 will vary, however, based on differences including its limited application to online data collection, its response time, and its definitions of sale and covered information. Finally, although not expressly required, best practices suggest preparing and training employees to identify and properly respond to consumer requests.

For those businesses not currently subject to the CCPA or SB 220, data mapping, appropriate safeguards, written information security programs, vendor management, and employee training should be at the forefront of any developing data protection program. To borrow a phrase from the data breach environment, it’s no longer a question of if your jurisdiction will enact a comprehensive data protection law, but when.

The California Consumer Privacy Act is almost here! The groundbreaking law takes effect January 1, 2020. Covered businesses and their service providers have already started preparing, as the CCPA continues to evolve since it was introduced. California’s legislative session ended on September 13th, with some final modifications to bills that would amend certain aspects of the CCPA. Unanimously approved in final form, they now move on to California Governor Gavin Newsom for consideration and final action on the CCPA.

As we’ve reported periodically over the course of the year, businesses and stakeholders have been clamoring to shape the CCPA in a number of ways. In late April, the California Assembly Privacy and Consumer Protection Committee (“Committee”) introduced several bills addressing a number of issues with the law, such as excluding certain categories of information from personal information or from certain requirements under the law, and clarifying ambiguities. Some survived, and some did not.

Below is a rundown of key substantive amendments:

  • AB 25 (Employee Personal Information Exemption): As we’ve previously reported, AB 25 went through several modifications over the course of the year. In its latest form, employee personal information would be excluded from many of the CCPA’s requirements (including the requirements that permit consumers to request: the deletion of their personal information; the categories of personal information collected; the sources from which personal information is collected; the purpose for collecting or selling personal information; and the categories of third parties with whom the business shares their personal information). But employees of businesses subject to the CCPA still would be entitled to a privacy notice and able to commence a private right of action in the event they are affected by a data breach caused by a failure of the duty to maintain reasonable safeguards. Under the privacy notice provision, covered businesses would be required to inform consumers (including employees) as to the categories of personal information they collect and the purposes for which such personal information shall be used. Under the private right of action provision, employees of covered businesses would be permitted to bring an action, including as a class action, in the event their nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures. Note: These changes concerning employee personal information are set to sunset on January 1, 2021, on the understanding that during this one-year period, the Legislature would consider more comprehensive employee privacy legislation.


  • AB 874 (Publicly Available Information Exception): AB 874 removes a limitation on the “publicly available information” exception to the definition of personal information. If signed into law, publicly available information will be defined as “information that is lawfully made available from federal, state, or local government”. The bill removes the limitation stating that information is not publicly available if it is used for a purpose not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.


  • AB 1355 (Technical Corrections): AB 1355 made a number of noteworthy technical corrections and other changes:
    • Relief for certain “business-to-business” (B2B) communication or transactions. Many businesses have been concerned about how to handle the personal information of business contacts. That is, the personal information about individuals who are not acting as “consumers” in the general sense, but engaging with the business to carry out transactions. AB 1355 would provide relief from certain CCPA requirements such as providing notice and granting access and deletion rights for the following personal information:

“Personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”

Note, similar to the temporary treatment of employee personal information in AB 25, this relief also is temporary – it lasts until January 1, 2021.

    • Definition of “personal information.” Part of what makes the CCPA so expansive is its definition of personal information. That definition would cover information that is “capable of being associated with” a particular consumer or household. In an attempt to narrow the reach of personal information, AB 1355 inserts “reasonably” before “capable.” In addition, AB 1355 clarifies that personal information does not include deidentified or aggregate consumer information.
    • Clarification of Fair Credit Reporting Act (FCRA) Exception. AB 1355 makes clear that the FCRA exception applies to activity that is authorized by the FCRA and is not limited solely to the sale of personal information from a consumer report. The exception applies to FCRA authorized “activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency.”


  • AB 1146 (Vehicle Information Exemption): AB 1146 exempts from a consumer’s right to opt out, vehicle or ownership information retained or shared between a motor vehicle dealer and the vehicle’s manufacturer, in anticipation of a vehicle repair covered by warranty or recall. It also exempts from a consumer’s right to request deletion, personal information necessary for a business to maintain to fulfill terms of a vehicle warranty or recall.


  • AB 1564 (Consumer Requests for Disclosure Methods): AB 1564 provides alternatives to the current requirement that covered businesses make available to consumers a toll-free number to submit requests for information regarding the use of their personal information. If a business operates exclusively online, it may, in lieu of a toll-free number, provide an email address for submitting requests. This bill was recently narrowed, limiting the exception to online businesses that have a direct relationship with the California residents from whom they collect personal information. Moreover, if an online business maintains a website, the business must provide the consumer with a request submission method via the website.

It also is worth noting that one important bill, AB 846, was removed on September 12th from consideration, with plans to be reintroduced next year. AB 846 addressed loyalty reward, discount and similar programs, including prohibitions on the sale of personal information collected as part of those programs, and a limited exception to that prohibition.

It is expected Governor Newsom will sign the Legislature-approved bills into law. Organizations should be doing their best to determine if they have CCPA obligations either directly as a business, because they control or are controlled by a business, or because they have contractual obligations flowing from a business. Efforts toward compliance need to begin now as the CCPA becomes effective January 1, 2020.

As we have observed here, news reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk is malicious insiders. On August 29, the Office for Civil Rights (OCR) published its 2019 summer cybersecurity newsletter entitled, “Managing Malicious Insider Threats,” acknowledging this threat and providing some best practices to neutralize it.

According to the OCR:

The 2019 edition of Verizon’s Data Breach Investigations Report (DBIR) found that trusted insiders were responsible for 59% of all security incidents and breaches (both malicious and inadvertent)…[with] the primary motivation for incidents and breaches perpetrated by insiders was financial gain.

What do malicious insider threats look like?

Threats from insiders can take many forms. If successful, they can cause substantial, sometimes crippling harm to an organization by intentionally modifying, leaking, selling, or destroying sensitive information. Here are some examples:

  • Employees on the move. Planning to end employment with provider A, workforce member copies provider A’s patient list and shares it with new employer, provider B, in the hope of luring patients to the new provider. If the workforce member is successful, in addition to potential notification obligations, provider A likely will find itself responding to a number of angry patients asking why another provider has their protected health information (PHI). Provider A might even wind up being investigated and fined, as was the case for a provider in New York.
  • Poor performing employees. Some workforce members feel they have been wrongly accused by their employers for providing inadequate patient care, especially when they believe their co-workers engage in the same activity without incident. Anticipating they will be fired, they begin copying, downloading, or otherwise collecting information from patient EMRs and sending it to themselves. Their goal is to support wrongful termination claims they anticipate making when their employment ends. In the process, patient data is compromised and may require notification to patients and the OCR.
  • Curious and criminal employees. Curious workforce members might use their employer’s EMR to access certain patient records for personal purposes: (i) accessing the medical records of celebrities for financial gain or to satisfy the member’s curiosity; (ii) examining the records of a former spouse to gain leverage in a custody dispute; or (iii) obtaining patient demographic information to commit fraud and identity theft.

How do malicious insiders get the information?

Malicious insiders already have access to patient information on the expectation that they need access to perform their jobs. In some cases, they only need access to do harm. For example, an insider may want to learn if a family member is pregnant or using illegal substances, and only has to view the medical records. In other cases, the insider will want to exfiltrate the information. This can be accomplished in a number of ways: forwarding the information to the insider’s personal email account, taking pictures of the information using the insider’s smartphone, copying information to a mobile or storage device (e.g., cell phone, USB drive), or unauthorized physical removal or theft of equipment. As the OCR notes, transmitted or copied data could be further hidden using subtle means such as by embedding data within other data to hide it (i.e., steganography).

How do HIPAA covered entities and business associates stop malicious insiders?

Detecting and preventing data leakage by malicious authorized users is not easy – remember, these are individuals who frequently are supposed to have access to the data. Identifying potential malicious activity as soon as possible is critical, however, and there are some things that organizations can be doing.

  • Know your data. To protect data, organizations need to know the data they have, where it is stored, what format it is in, who has access to it, and how it flows through the organization. With this information, the organization is better able to develop policies and procedures to assess and address risks related to the data.
  • Access management. Workforce members should be able to access only the information they need to perform their jobs. This can be accomplished in a number of ways – physical access controls (e.g., locked doors and cabinets) and network access controls (e.g., role-based access controls for devices, applications, administrator accounts, or data stores).
  • Control mobile device usage. By considering how a workforce member needs to interact with data, the organization may be able to limit the unnecessary use of mobile devices and so prevent copying. If workers do not need thumb drives to perform their jobs, for example, they should not be available. If thumb drives are needed, they should be more closely tracked and managed.
  • Remain vigilant. The steps above will help, but they may not be sufficient. Organizations need to continuously manage their business and their systems to help detect and prevent suspicious activities:
    • Periodically review system event logs, application audit logs, access reports, and security incident tracking reports.
    • Configure alerts for (i) unexpected downloads of large amounts of data by employees not believed to have a need for such volumes of data, (ii) access to certain sites, such as personal cloud storage accounts; (iii) downloads to external devices.
    • Revise employee access privileges immediately on changes to roles and responsibilities.
    • Enhance the organization’s vigilance for employees who expect their employment will soon be terminated.
    • Terminate physical and electronic access to data in advance of a workforce member leaving the organization’s employ.
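The alerting items above (bulk downloads by workforce members whose role does not call for them, access to personal cloud storage, copies to external devices, and heightened attention to departing employees) can be turned into simple rules run over audit log events. The following is an added illustration, not code from the OCR newsletter or from any vendor: the log lines, the role baselines, the cloud-storage domain list and the "departing" user set are all constructed for the example, and a real deployment would take them from the EMR audit trail, the web proxy, the endpoint agent and HR.

```python
"""Rule-based insider-activity alerts over constructed EMR/proxy/endpoint audit events.

Added example (not from the OCR newsletter). All sample data and thresholds are
constructed assumptions; adapt them to the organization's own logs and roles.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed assumption: how many patient records each role normally exports per day.
ROLE_EXPORT_BASELINE = {"billing": 500, "physician": 100, "nurse": 50, "front_desk": 20}

# Constructed assumption: personal cloud-storage services the organization has not sanctioned.
PERSONAL_CLOUD_DOMAINS = {"dropbox.com", "drive.google.com", "onedrive.live.com"}


@dataclass
class Event:
    ts: str       # ISO timestamp
    user: str     # workforce member account
    role: str     # role from the identity system
    action: str   # "export" (EMR), "web" (proxy) or "usb_copy" (endpoint agent)
    detail: str   # record count for export, hostname for web, filename for usb_copy


# Constructed sample log: one day of events across the three sources, space-separated.
SAMPLE_LOG = """\
2019-09-03T08:12:01 alice nurse export 35
2019-09-03T09:40:10 alice nurse web ehr.internal.example
2019-09-03T10:05:44 bob billing export 420
2019-09-03T11:22:09 carol front_desk export 900
2019-09-03T11:25:31 carol front_desk web www.dropbox.com
2019-09-03T13:01:00 dave physician usb_copy patient_list.csv
2019-09-03T14:10:15 carol front_desk export 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into Event objects, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(*m.groups()))
    return events


def _is_personal_cloud(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in PERSONAL_CLOUD_DOMAINS)


def detect(events, departing_users=frozenset()):
    """Return (user, rule, evidence, severity) tuples.

    Rules mirror the OCR-style alert list: bulk export above the role baseline,
    access to personal cloud storage, and copies to external devices. Alerts for
    users already flagged as departing (constructed HR input) are escalated to "high".
    """
    alerts = []
    exported = defaultdict(int)  # (user, role) -> records exported today

    for e in events:
        if e.action == "export":
            exported[(e.user, e.role)] += int(e.detail)
        elif e.action == "web" and _is_personal_cloud(e.detail):
            alerts.append((e.user, "personal_cloud_access", e.detail, "medium"))
        elif e.action == "usb_copy":
            alerts.append((e.user, "external_device_copy", e.detail, "medium"))

    # Volume rule is evaluated on the daily total, not per event, so split exports still trip it.
    for (user, role), total in exported.items():
        baseline = ROLE_EXPORT_BASELINE.get(role, 0)  # unknown role: any export is unexpected
        if total > baseline:
            alerts.append((user, "bulk_export", f"{total} records vs role baseline {baseline}", "medium"))

    return [
        (u, rule, ev, "high" if u in departing_users else sev)
        for (u, rule, ev, sev) in alerts
    ]


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), departing_users={"carol"}):
        print(alert)
```

Running the block flags carol for a personal cloud-storage visit and for exporting 1,200 records against a front-desk baseline of 20 (both escalated because she is on the departing list), and dave for the USB copy; alice and bob stay within their role baselines and produce nothing. The point of totalling exports per day rather than alerting on each event is that a worker who splits a large pull into several smaller ones still exceeds the baseline.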

Again, risks to an organization’s data are not solely from external sources. Insiders have reasons to compromise their organizations’ confidential and personal information. Organizations need to take steps to minimize those ongoing risks.

The California Consumer Privacy Act (CCPA), considered the most expansive U.S. privacy law to date, is set to take effect January 1, 2020. In short, the CCPA places limitations on the collection and sale of a consumer’s personal information and provides consumers certain rights with respect to their personal information. Wondering whether they will have to comply, many organizations are asking if the law will apply to them, hoping that being too small, being located outside of California, or “only having employee information,” among other things, might mean they do not have to gear up for the CCPA.

So, we thought we would dig in a little deeper into the question of when the CCPA might apply to a business. However, note that the law is still developing as amendments work their way through the legislature and we await regulations from the California Attorney General intended to further clarify the statute. Organizations will need to continue to monitor these developments to determine if the CCPA will apply to them.

Basic Rule. In general, the CCPA applies to a “business” that:

A. does business in the State of California,

B. collects personal information (or on behalf of which such information is collected),

C. alone or jointly with others determines the purposes or means of processing of that data, and

D. satisfies one or more of the following

(i) annual gross revenue in excess of $25 million,

(ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or

(iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Related entities and not-for-profits. Under the CCPA, a “business” can be a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Thus, for example, a business under this definition generally would not include a not-for-profit or governmental entity. It also would not include a corporation that meets all of the prongs above other than those listed under D.

However, a “business” under CCPA also includes any entity that controls or is controlled by a business that meets the requirements above and that shares common branding with such a business. “Control,” for this purpose, means either (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark. Accordingly, organizations that would not themselves be a “business” under the CCPA could become subject to the law because of the entities that control them or that they control, and with which they share common branding.

Businesses that do not collect “consumer” personal information. It does not appear to be necessary under the CCPA for a business to actually be the one to collect personal information from consumers in order for the law to apply. So long as personal information is collected on behalf of a business (such as through a third party), the business could be covered by the CCPA, assuming the other requirements are satisfied.

Some businesses also may believe that because they do not engage in transactions directly with individual consumers and collect their personal information, they are not subject to the law, reasoning that their “consumers” are other businesses and not individuals. However, a consumer under the CCPA generally means a natural person who is a California resident. Accordingly, when conducting business with other businesses, a business likely collects personal information from contacts at those other businesses. Similarly, virtually all businesses collect information about their employees. Recent legislative activity indicates that obligations under the CCPA may continue to extend to employee personal information.

Businesses located outside of California. It also does not appear that a business will need to be located in California in order to be subject to the CCPA. While the CCPA is not clear on this point, a business may be considered to be “doing business” in California if it conducts online transactions with persons who reside in California, has employees working in California, or has certain other connections to the state, even without a physical location there. As noted, regulations may help to clarify what “doing business in California” means for purposes of the CCPA.

Businesses that process information on behalf of other businesses. The definition of a business under the CCPA requires that the business must alone or jointly with others “determine the purposes or means of processing” of that data. The CCPA does not expand on this language. However, since nearly identical language in the General Data Protection Regulation (GDPR) is used to define a controller, guidance from the UK’s Information Commissioner may provide some insight. The following are indicators that an organization is acting as a controller:

  • The business decides to collect or process the personal data.
  • The business decides what the purpose or outcome of the processing is to be.
  • The business decides what personal data should be collected.
  • The business decides which individuals to collect personal data about.
  • The business obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller.
  • The business processes the personal data as a result of a contract between the business and the data subject.
  • The business exercises professional judgement in the processing of the personal data.
  • The business has a direct relationship with the data subjects.

An organization that merely processes personal information for businesses covered by the CCPA might take the position that it is not subject to the CCPA. That organization may be correct, however, its business partners that are subject to the CCPA may be required to push certain CCPA obligations down to the organization by contract.

Consequences of Non-compliance. Organizations on the fence about the application of the CCPA should consider what happens if they fail to comply but are determined later to be subject to the law. A business that violates the CCPA can face injunctions and penalties of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation, in an action brought by the California Attorney General. That said, a business is provided 30 days after receiving written notice of noncompliance to cure the violation before facing liability. In addition, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. That private action includes statutory damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater.

A recent survey by ESET found that over 44% of the 625 business owners and company executives polled had never heard of the CCPA, and only 11.8% knew whether the law applied to their business. Organizations should be doing their best to determine if they have CCPA obligations either directly as a business, because they control or are controlled by a business, or because they have contractual obligations flowing from a business. Efforts toward compliance need to begin now as the CCPA becomes effective January 1, 2020.