The Texas Legislature, which meets every other year, pushed a change to its data breach notification law at the end of the session in late May, and yesterday Governor Greg Abbott signed the bill into law. It follows a growing trend of changes to privacy and cybersecurity laws at the state level.
Texas House Bill
UPDATE: On June 16, Gov. Ned Lamont signed HB 5310 into law which becomes effective October 1, 2021.
State legislatures across the nation are prioritizing privacy and security matters, and Connecticut is no exception. This week, Connecticut Attorney General William Tong announced the passage of An Act Concerning Data Privacy Breaches, a measure that
In late May, New York Attorney General Letitia James announced a $200,000 settlement agreement with Filters Fast, an online water filtration retailer, stemming from a 2019 data breach compromising the personal information of over 300,000 consumers across the U.S., including nearly 17,000 in New York state. The settlement also requires the online retailer to strengthen
In a recent post, we highlighted the need for a privacy and cybersecurity training program, one not solely focused on spotting phishing attempts (although that is quite important as well). A primary reason, quite simply, is that employees continue to be a leading cause of data breaches. This fact was reaffirmed for the Wyoming
In mid-March, Utah Governor Spencer Cox signed into law the Cybersecurity Affirmative Defense Act (HB80) (“the Act”), an amendment to Utah’s data breach notification law, creating several affirmative defenses for persons (defined below) facing a cause of action arising out of a breach of system security, and establishing the requirements for asserting such
The 11th Circuit recently weighed in on the hottest issue in data breach litigation, whether a demonstration of actual harm is required to have standing to sue. Joining several other circuit courts, the 11th Circuit in Tsao v. Captiva MVP Rest. Partners, concluded that the plaintiff had failed to allege either that
The California Privacy Rights Act (CPRA), passed in November, 2020, added to the California Consumer Privacy Act (CCPA) an express obligation for covered businesses to adopt reasonable security safeguards to protect personal information. The CPRA also clarified the CCPA’s private right of action for consumers whose personal information is breached due to a failure to
In honor of Data Privacy Day, we provide the following “Top 10 for 2021.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2021.
During 2020, COVID-19 presented organizations large and small with new and unique data privacy and security considerations. Most organizations, particularly in their capacity as employers, needed to adopt COVID-19 screening and testing measures resulting in the collection of medical and other personal information from employees and others. This will continue in 2021 with the addition of vaccination programs. So, for 2021, ongoing vigilance will be needed to maintain the confidential and secure collection, storage, disclosure, and transmission of medical and COVID-19 related data that may now include tracking data related to vaccinations or the side effects of vaccines.
Several laws apply to data the organizations may collect. In the case of employees, for example, the Americans with Disability Act (ADA) requires maintaining the confidentiality of employee medical information and this may include COVID-19 related data. Several state laws also have safeguard requirements and other protections for such data that organization should be aware of when they or others on their behalf process that information.
Many employees will continue to telework during 2021. A remote workforce creates increased risks and vulnerabilities for employers in the form of sophisticated phishing email attacks or threat actors gaining unauthorized access through unsecured remote access tools. It also presents privacy challenges for organizations trying to balance business needs and productivity with expectations of privacy. These risks and vulnerabilities can be addressed and remediated through periodic risk assessments, robust remote work and bring your own device policies, and routine monitoring.
As organizations work to create safe environments for the return of workers, customers, students, patients and visitors, they may rely on various technologies such as wearables, apps, devices, kiosks, and AI designed to support these efforts. These technologies must be reviewed for potential privacy and security issues and implemented in a manner that minimizes legal risk.
Some reminders and best practices when collecting and processing information referred to above and rolling out these technologies include:
On January 1, 2020, the CCPA ushered in a range of new rights for consumers, including:
The CCPA carves-out (albeit not entirely) employment-related personal information from the CCPA’s provisions. It limits employee rights to notice of the categories of personal information collected by the business and the purpose for doing so, and the right to bring a private right of action against a business that experiences a data breach affecting their personal information.
In November, California voters passes the California Privacy Rights Act (CPRA) which amends and supplements the CCPA, expanding compliance obligations for companies and consumer rights. Of particular note, the CPRA extends the employment-related personal information carve-out until January 1, 2023. The CPRA also introduces consumer rights relating to certain sensitive personal information, imposes an affirmative obligation on businesses to implement reasonable safeguards to protect certain consumer personal information, and prevents businesses from retaliating against employees for exercising their rights. The CPRA’s operative date is January 1, 2023 and draft implementation regulations are expected by July 1, 2022. Businesses should monitor CCPA/CPRA developments and ensure their privacy programs and procedures remain aligned with current CCPA compliance requirements.
In 2021, businesses can expect various states, including Washington, New York, and Minnesota to propose or enact CCPA-like legislation.
There was a continued influx of biometric privacy class action litigation in 2020 and this will likely continue in 2021. In early 2019, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under the Illinois’s Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of his/her rights under BIPA to qualify as an aggrieved person and be entitled to seek liquidated damages, attorneys’ fees and costs and injunctive relief under the Act.
Consequently, simply failing to adopt a policy required under BIPA, collecting biometric information without a release or sharing biometric information with a third party without consent could trigger liability under the statute. Potential damages are substantial as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. There continues to be a flood of BIPA litigation, primarily against employers with biometric timekeeping/access systems that have failed to adequately notify and obtain written releases from their employees for such practices.
Like many aspects of 2020, biometric class action litigation has also been impacted by COVID-19. Screening programs in the workplace may involve the collection of biometric data, whether by a thermal scanner, facial recognition scanner or other similar technology. In late 2020, plaintiffs’ lawyers filed a class action lawsuit on behalf of employees concerning their employer’s COVID-19 screening program, which is alleged to have violated the BIPA. According to the complaint, employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without prior consent from employees as required by law. More class action lawsuits of this nature are likely on the horizon.
The law in this area is still lagging behind the technology but starting to catch up. In addition to Illinois’s BIPA, Washington and Texas have similar laws, and states including Arizona, Florida, Idaho, Massachusetts and New York have also proposed such legislation. The proposed biometric law in New York would mirror Illinois’ BIPA, including its private right of action provision. In California, the CCPA also broadly defines biometric information as one of the categories of personal information protected by the law.
Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including 2020 amendments in California, D.C., and Vermont. Similar proposals across the U.S. are likely in 2021.
A report released by Global Market Insights, Inc. in November 2020 estimates the global market valuation for voice recognition technology will reach approximately $7 billion by 2026, in main part due to the surge of AI and machine learning across a wide array of devices including smartphones, healthcare apps, banking apps and connected cars, just to name a few. Voice recognition is generally classified as a biometric technology which allows the identification of a unique human characteristic (e.g. voice, speech, gait, fingerprints, iris or retina patterns), and as a result voice related data qualifies biometric information and in turn personal information under various privacy and security laws. For businesses exploring the use of voice recognition technology, whether for use by their employees to access systems or when manufacturing a smart device for consumers or patients, there are a number of privacy and security compliance obligations to consider including the CCPA, GDPR, state data breach notification laws, BIPA, COPPA, vendor contract statutes, statutory and common law safeguarding mandates.
During 2020, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services was active in enforcing HIPAA regulations. The past year saw more than $13.3 million recorded by OCR in total resolution agreements. OCR settlements have impacted a wide array of health industry-related businesses, including hospitals, health insurers, business associates, physician clinics and mental health/substance abuse providers. Twelve of these settlements where under the OCR’s Right to Access Initiative, which enforces patients’ rights to timely access of medical records at reasonable cost. It is likely this level of enforcement activity will continue in 2021.
The past year produced a significant amount of OCR-issued guidance relating to HIPAA. In March OCR issued back-to-back guidance on COVID-19-related issues, first regarding the provision of protected health information (PHI) of COVID-19 exposed individuals to first responders, and next providing FAQs for telehealth providers. In July, the director of the OCR issued advice to HIPAA subject entities in response to the influx of recent OCR enforcement actions: “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” Finally in September, the OCR published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization and improve HIPAA Security Rule compliance, and shortly after it issued updated guidance on HIPAA for mobile health technology.
In December, Congress amended the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determination, and for other purposes. In 2021, businesses will want to review their information security practices in light of applicable recognized security practices in an effort to demonstrate reasonable safeguards and potentially minimize penalties in the event of a cybersecurity incident.
The past year was marked by an escalation in ransomware attacks, sophisticated phishing emails, and business email compromises. Since many of these attacks were fueled in part by vulnerabilities due to an increased remote workforce, 2021 will likely be more of the same.
Continue Reading Top 10 for 2021 – Happy Data Privacy Day!
One of the last things pension plan participants would want to learn as they get ready to celebrate the Christmas holiday is that personal data from their pension accounts may have been compromised. This is the case, unfortunately, for approximately 30,000 Now:Pensions customers whose names, postal and email addresses, birth dates and the equivalent of
A proposal by Indiana’s Attorney General Curtis Hill on Wednesday would add a significant step in the incident response process for responding to breaches of security affecting Indiana residents. On Wednesday, during a U.S. Chamber of Commerce virtual event, he announced his proposed rule designed to better protect Hoosiers from cyberattacks. It is expected that