Cybersecurity and Privacy Law Developments in Q3 of 2020

Attorneys of the Cybersecurity and Privacy Practice Group

Robinson Bradshaw Publication

Oct. 22, 2020

Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as social-distancing measures in response to the COVID-19 public health emergency drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter. Click here to subscribe to our Cybersecurity and Privacy list and receive future updates via email, and click here to view all of our quarterly updates.

The third quarter of 2020 began with the landmark Schrems II decision by the Court of Justice for the European Union, which invalidated the EU-U.S. Privacy Shield as a basis for transferring personal data from the EU to the United States under the General Data Protection Regulation (GDPR). Some guidance on next steps was issued by European regulators, and the U.S. Commerce Department quickly began negotiating a new “enhanced” Privacy Shield, but plenty of new challenges remain for U.S. businesses needing to transfer personal data from Europe. Indeed, adding yet another challenge the following month, Brazil’s new GDPR-like privacy law went into effect earlier than expected. Meanwhile, back in the United States, the California Consumer Privacy Act (CCPA) remained top of mind as the California attorney general began enforcement, the implementing regulations were finalized, and exceptions for employee and business-to-business records were extended to Jan. 1, 2021. Of course, the next quarter may bring yet more change as Californians prepare to vote on the California Privacy Rights Act ballot initiative. Another major development came from the New York Department of Financial Services, which announced their first ever enforcement action under its Cybersecurity Regulation 23 NYCRR Part 500. Also, new cybersecurity and breach notification laws took effect in Vermont, Virginia and Indiana. In case we needed reminding, the third quarter of 2020 shows how state governments remain a driving force in cybersecurity and privacy law for the United States.

If you have questions about any of the legal developments highlighted in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.

State Law Developments

California; CCPA. On July 1, California’s attorney general was able to begin enforcement of the California Consumer Privacy Act and soon issued noncompliance notices to businesses for alleged failure to implement CCPA requirements. Under the CCPA, businesses that receive such notices have 30 days to fix the alleged violations. If they fail to do so, then the attorney general can bring a civil action against them to enforce the CCPA. During a panel discussion about this initial round of notices, Supervising Deputy Attorney General Stacey Schesser confirmed a few enforcement trends: (i) these noncompliance notices targeted multiple industries, (ii) they focused on business operating online that were missing required statements, such as a “Do Not Sell My Personal Information” link on their homepage; and (iii) the attorney general identified the businesses in part by reviewing their websites and consumer complaints, including complaints made on social media. For comprehensive guidance to help businesses comply with the CCPA, please see our CCPA Practice Tip Series.[1]
Indiana; Cybersecurity. On July 1, Indiana’s new data security law H.B. 1372 became effective and introduced data security standardization in the insurance industry. This law requires Indiana insurers to implement a data security system, risk assessments, and procedures to investigate and remedy cybersecurity incidents involving non-public information of Indiana residents. Additionally, under this law, insurance licensees must notify the Indiana Insurance Commissioner within 72 hours of any cybersecurity breach involving 250 or more Indiana residents. Indiana insurers must also notify the state’s insurance commissioner of any cybersecurity incident that causes material harm to the insurer or an Indiana resident. This law follows the model data security law created by the National Association of Insurance Commissioners, which states like South Carolina and Delaware have also implemented.[2]
Virginia; Cybersecurity. On July 1, Virginia’s H.B. 1334, the Insurance Data Security Act, became effective. Like Indiana, Virginia’s law follows the model law set forth by NAIC. It requires Virginia insurers to implement a data security system, risk assessments, and procedures to investigate and remedy cybersecurity incidents involving non-public information of Virginia residents. Unlike Indiana’s law, Virginia insurance licensees only need to notify the state’s insurance commissioner of cybersecurity incidents which materially impact the insurer. This reflects how states have taken varied approaches to adopting cybersecurity legislation based on the NAIC model law.[3]
Vermont; Breach Notification. On July 1, Vermont’s amended data breach notification law took effect. The amendments changed the definition of personally identifiable information to cover more types of data, including an individual’s passport number, military identification card number, identification number associated with a government identification document, certain biometric information, genetic data, health insurance policy number, health records, health provider’s medical diagnosis or treatment, and health insurance policy number. Additionally, the amended law expanded the definition of a security breach to include unauthorized access to a user’s login information – defined to be a username or email address and a password or security question answer. The new amended law also limits the use of substitute notice of a data breach to the following two circumstances: when direct notice would cost more than $10,000 or when the covered entity lacks sufficient contact information of the affected consumers.[4]
New York; Facial Recognition. On July 22, the New York legislature passed A06787-D/S05140-B, a bill that imposes a moratorium on the use of biometric identification, including facial recognition, in elementary and secondary schools. This bill came after the New York Civil Liberties Union brought suit against a New York school system that implemented biometric identification technology earlier this year. Gov. Andrew Cuomo still must sign the bill into law to effectuate the moratorium, which would last until July 1, 2022. This would be the first law that bans biometric identification technology from schools.[5]
California; CCPA. On Aug. 14, the CCPA regulations went into effect after their approval by the California Office of Administrative Law and filing with the California Secretary of State. The final regulations included a number of nonsubstantive and substantive changes. The Office of the Attorney General made four substantive revisions by removing the following four provisions from the regulations: (1) Section 999.305(a)(5), which required businesses to have express consumer consent to use information collected for a materially different purpose than originally disclosed; (2) Section 999.306(b)(2), which required businesses that substantially interacted offline with consumers to give notice using an offline mechanism; (3) Section 999.315(c), which required businesses to implement opt-out mechanisms that were easy to use and contained few steps; and (4) Section 999.326(c), which allowed businesses to reject an authorized agent’s request if the agent did not send proof of the consumer’s agent authorization.[6] On Oct. 12, the attorney general issued a third round of modifications to the CCPA regulations for public comment.[7]
Portland; Facial Recognition. On Sept. 9, the Portland City Council unanimously passed a city ordinance to ban municipal departments and private entities from using facial recognition technology in public spaces. The ordinance took effect immediately against public entities and will not take effect against private entities until Jan. 1, 2021. The ordinance includes a private right of action to recover damages for those injured by material violations or $1,000 for each day of noncompliance. Currently, Portland’s ordinance is the nation’s most expansive ban against facial recognition technology.[8]
California; CCPA. On Sept. 29, California Gov. Gavin Newsome signed AB 1281 into law to extend the CCPA’s exceptions for HR and B2B records to Jan. 1, 2022. Otherwise, both exemptions were set to expire on Jan. 1, 2021. Notably, on Nov. 3, 2020, California voters can choose to extend these exemptions further to Jan. 1, 2023, under the California Privacy Rights Act ballot initiative. Accordingly, as explained in our CCPA Practice Tip Series, most CCPA requirements will continue not to apply to personal information about a business’s own employees or job applicants (HR exemption) or the personnel of business-entity customers or third parties (B2B exemption).[9]

[1] The California attorney general’s statement at the outset of CCPA enforcement can be found here: https://oag.ca.gov/news/press-releases/attorney-general-becerra-issues-statement-day-one-ccpa-enforcement-know-your.

[2] The text of Indiana’s H.B. 1372 can be found here: http://iga.in.gov/legislative/2020/bills/house/1372#document-6351a8b8.

[3] The text of Virginia’s H.B. 1334 can be found here: https://lis.virginia.gov/cgi-bin/legp604.exe?201+ful+CHAP0264+pdf.

[4] Vermont’s Office of the Attorney General issued a letter explaining the amended breach notification law which may be found here: https://www.robinsonbradshaw.com/assets/htmldocuments/Vermont%20letter.pdf

[5] The text of New York’s A06787-D/S05140-B is available here: https://www.nysenate.gov/legislation/bills/2019/a6787.

[6] The text of the finalized CCPA regulations is available here: https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf.

[7] The third set of modifications to the CCPA regulations is available here: https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-notice-of-third-mod-101220.pdf.

[8] The text of the Portland ordinance is available here: https://static1.squarespace.com/static/5967c18bff7c50a0244ff42c/t/5f3ad787ba3fd27776e444af/1597691785249/Ordinance+to+ban+use+of+FRT+in+Places+of+Public+Accommodation+plus+code+amendment+-Final.pdf.

[9] The text of California’s AB 1281 is available here: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1281.

Federal Law Developments

FCC; Robocalls. On July 16, the Federal Communications Commission approved a rule that allows and encourages voice carriers to block malicious robocalls that enter their network. The rule creates two safe harbors to protect voice carriers that follow the agency’s guidelines in blocking robocalls which the carrier has reason to suspect are illegal or unwanted. The FCC indicated that this new rule will protect providers that “block traffic from bad-actor voice service providers that, either negligently or intentionally, continue to allow unwanted calls to traverse their networks.” The new rule comes in the wake of numerous FCC actions against robocalls recently. In this effort, on July 27, the FCC designated the USTelecom Industry Traceback Group as the official consortium for coordinating industry-led efforts to trace back the origin of suspected unlawful robocalls.[10]
Federal Privacy Bill. On Sept. 20, Sen. Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science and Transportation, and Sens. Thune (R-S.D.), Fischer (R-Neb.) and Blackburn (R-Tenn.) introduced a comprehensive privacy bill entitled the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. The SAFE DATA Act is an updated version of the draft U.S. Consumer Data Privacy Act of 2019 (USCDPA) that was circulated by Sen. Wicker last November. Notable updates include a number of revised definitions and the inclusion of provisions from two previously proposed bills: the Filter Bubble Transparency Act (prohibiting the use of “opaque algorithms” that determine the manner information is provided to a user based on user-specific data not collected expressly for that purpose) and the Deceptive Experiences to Online Users Reduction (DETOUR) Act (prohibiting user interfaces that obscure, subvert or impair user autonomy, decision-making or choice when obtaining consent or user data; prohibiting user interfaces that encourage compulsive usage by children; and requiring disclosures about behavioral or psychological research based on user data). The SAFE DATA Act also includes provisions that would empower the Federal Trade Commission to seek a permanent injunction and other equitable remedies for violations. Like the draft USCDPA, the SAFE DATA Act includes broad federal preemption of state laws and does not provide a private right of action.[11]
DOD; Cybersecurity. On Sept. 29, the Department of Defense issued an interim rule requiring almost all defense contractors and subcontractors to implement cybersecurity programs that are certified under the Cybersecurity Maturity Model Certification framework. For this process, an accredited third-party assessor must certify a cybersecurity program at one of five cumulative levels (meaning a higher level includes the lower levels). Level 1 identifies 17 basic requirements for “basic cyber hygiene” that are equivalent to the general government contractor cybersecurity requirements spelled out in Federal Acquisition Regulation 48 CFR 52.204-21; Level 2 includes additional practices to support “intermediate cyber hygiene”; Level 3 aligns with full adherence to the familiar National Institute of Standards and Technology (NIST) SP 800-171 Rev 1 requirements; and levels 4 and 5 require “proactive” and “progressive” cybersecurity programs, respectively, with additional practices derived from Draft NIST SP 800-171B and various other heightened cybersecurity standards. The DOD’s contract solicitations will specify the certification level required by each contractor and subcontractor. Such requirements are expected to be in almost all DOD contracts by 2025.[12]

[10] The FCC’s new rule can be found here: https://docs.fcc.gov/public/attachments/FCC-20-96A1.pdf.

[11] The text of the SAFE DATA Act is available here: https://www.commerce.senate.gov/services/files/BD190421-F67C-4E37-A25E-5D522B1053C7.

[12] The DOD’s interim rule can be found here: https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf. More details about the CMMC framework can be found here: https://www.acq.osd.mil/cmmc.

Foreign Law Developments

Europe; Schrems II. On July 16, in its long-awaited Schrems II decision, the Court of Justice for the European Union (CJEU) held that the U.S.-EU Privacy Shield is no longer a valid basis for transferring personal data from the EU to the United States. The CJEU’s specific concern was that U.S. law does not adequately protect personal data against access and use by law enforcement and other government agencies. Data can still be transferred from the EU to the United States on the basis of consent by the data subject and, as the decision noted, pursuant to the EU-approved Standard Contractual Clauses (SCCs). But the opinion also stated that a data exporter that relies on the SCCs bears the burden of assessing and taking “supplementary measures” to protect against excessive U.S. government access – though it gave no guidance on what that might mean. The U.S. Commerce Department and the EU Commission quickly announced the beginning of negotiations on an “enhanced” Privacy Shield, but no substantive developments have yet been reported.[13]
Europe; Post-Schrems II Guidance. On July 23, the European Data Protection Board (EDPB) published FAQs about the Schrems II decision by the CJEU mentioned above. These FAQs did little more than summarize the decision, providing no concrete guidance on the critical question of how an EU data exporter relying on SCCs should assess and attempt to protect against potential surveillance by the U.S. government. On Sept. 4, the EDPB announced the formation of a task force to “prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures.” Then, on Sept. 7, the Commissioner for Data Protection and Freedom of Information for the German state of Baden-Württemberg issued the first binding guidance from any data protection authority in the EU about complying with Schrems II. The guidance provides a lengthy checklist for assessing the risk of data transfer to the United States and mandates – at least for some unspecified transfers – encryption which “cannot be broken” by U.S. authorities and similarly unbreakable anonymization.[14]
Europe; GDPR. On Sept. 2, the EDPB issued guidelines on the concepts of controller and processor under the GDPR. Key points include the definitions of controller and processor, their respective duties and obligations, and the meaning and significance of joint controllership. The guidelines emphasize that the concepts are functional and “autonomous,” meaning that they should be defined solely with reference to the GDPR and not to other sources of law.[15]
Brazil; LGPD. On Aug. 26, following a year of maneuvering by Brazil’s Congress and president, an amended bill passed by the Senate gave immediate effect to Brazil’s new privacy law, the Lei Geral de Proteção de Dados Pessoais (LGPD). Government enforcement and administrative sanctions will not begin until Aug. 1, 2021. The LGPD was initially passed in 2018 and designed to be similar, though not identical, to the EU’s GDPR. For example, the law calls for similar access and deletion rights for data subjects, contract provisions between controllers and processors of personal data, and data impact assessments. In addition, the LGPD will have extraterritorial application to those who collect or process personal data in Brazil or who offer or provide goods or services to individuals in Brazil.[16]

[13] The CJEU’s press release about Schrems II, with a link to the full decision, can be found here: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.

[14] The EDPB’s FAQs about Schrems II can be found here: https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf. The announcement of the EDPB taskforce can be found here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en. Finally, the Baden-Württemberg guidance (in German) can be found here: https://www.baden-wuerttemberg.datenschutz.de/wp-content/uploads/2020/08/Orientierungshilfe-Was-jetzt-in-Sachen-internationaler-Datentransfer.pdf.

[15] The EDPB’s controller-processor guidelines can be found here: https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf.

[16] The announcement of the Senate action (in Portuguese) to effectuate the LGPD can be found here: https://www12.senado.leg.br/noticias/materias/2020/08/26/aprovada-mp-que-regula-pagamento-de-auxilio-emergencial.

Litigation and Enforcement

TCPA; U.S. Supreme Court. On July 6, the Supreme Court of the United States upheld most of the Telephone Consumer Protection Act’s (TCPA) ban on autodialed calls to cellphones, but struck down an exemption which prevented the TCPA from applying to debt collection calls for government-backed debts. The Court found this exemption to be an unjustified content-based restriction on speech in violation of the First Amendment. However, the Court chose not to invalidate the TCPA, and instead severed the unconstitutional provision from the statute. The TCPA remains the subject of debate as the U.S. Courts of Appeals split over what constitutes an automatic telephone dial system that would be subject to the TCPA.[17]
Fourth Amendment; E.D.N.C. On July 20, in United States v. Walker, a North Carolina federal court ruled that a law enforcement request under 18 U.S.C. § 2703(d) for “tower dump” data from a telecommunications provider – that is, all historical cell site records from a particular cell tower – to help determine a suspect’s location during two jewelry store robberies did not violate the Fourth Amendment. Distinguishing Carpenter v. United States, 138 S.Ct. 2206 (2018), the court reasoned that in Walker law enforcement received cell tower information for a “particular place at a limited time,” whereas in Carpenter the cell tower information “targeted [an] individual for an extended time, chronicling that individual’s private life for days.” The court added that tower-dump records were “more akin to ‘conventional surveillance techniques’ and tools, such as security cameras and fingerprint collections, which capture data from every individual who came into contact with the crime scene in the manner revealed by the technology at issue.”[18]
NYDFS; Cybersecurity. On July 22, the New York Department of Financial Services (NYDFS) charged First American Title Insurance Company with violating NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500. NYDFS alleged that First American had a system vulnerability that exposed consumers’ private data over the past few years. Additionally, NYDFS claimed that First American did not timely remedy or adequately investigate this data exposure when it first became aware of the vulnerability in December 2018. This is NYDFS’s first enforcement action for a violation of the Cybersecurity Regulation, which was effective in March 2017 and implemented by March 2019. The Cybersecurity Regulation requires covered entities to follow certain cybersecurity protocols, standards and procedures.[19]
Assault by Tweet; D. Md. On Sept. 14, John Rivello reached a $100,000 settlement of a federal lawsuit by journalist Kurt Eichenwald. The lawsuit concerned a 2016 incident when Rivello sent a message via Twitter to Eichenwald, who has epilepsy. The message displayed an animated strobe GIF along with the message, “You deserve a seizure for your post.” The strobe GIF induced a severe seizure in Eichenwald, who then sued Rivello for assault, battery and intentional infliction of emotional distress. On an earlier motion to dismiss, the court previously determined that the light waves being omitted from the GIF image sent by Rivello constituted physical contact for purposes of assault and battery. The court reasoned that while the particular mode of the alleged assault (light rays) did not have a robust history, courts had routinely ruled in the past that other forms of more intangible items could also constitute physical contact (e.g., secondhand smoke and loud noises). Criminal charges are also pending against Rivello in Texas for the same conduct.[20]
HHS; HIPAA. On Sept. 15, the Office for Civil Rights of the U.S. Department of Health and Human Services announced five more settlements of investigations related to the OCR’s HIPAA Right of Access Initiative. This initiative, announced in 2019, focuses on ensuring patients have the ability to access their health records easily and with minimal cost to them. The five settlements range in value from $3,500 to $70,000. In many instances, the providers failed to provide the patient with access to the health record even after the OCR had provided technical assistance to the provider and completed an initial investigation into the matter. Added to the monetary penalties, the providers also had to enter into corrective actions plans.[21]
DOJ; Cybercrime. On Sept. 16, the Department of Justice announced federal grand jury indictments of five nationals of the People’s Republic of China – a threat group variously labeled by security researchers as “APT41,” “Barium,” “Winnti,” “Wicked Panda” or “Wicked Spider” – with computer hacking offenses which affected over 100 victim companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, nonprofit organizations, universities, think tanks and foreign governments. The group’s computer intrusion activity involved the theft of source code, software code signing certificates, customer account data and valuable business information, as well as enabled other criminal schemes, including ransomware and “crypto-jacking” (using a victim’s computer to mine cryptocurrency). In addition to arrest warrants, a District of Columbia federal court issued seizure warrants that enabled law enforcement to seize hundreds of accounts, servers, domain names and command-and-control “dead drop” web pages used by the defendants to conduct their illegal activity.[22]
Anthem; Data Breach Litigation. On Sept. 30, Anthem agreed to pay $39.5 million to resolve claims from 42 states and the District of Columbia arising from a 2015 data security breach. The security breach arose from a cyberattack that began in February 2014 and ultimately led to the exposure of personal information of nearly 80 million of Anthem’s customers. The $39.5 million paid to settle the state law claims is in addition to the $16 million fine that Anthem paid to U.S. Department of Health and Human Service’s Office of Civil Rights in 2018 for breaches of HIPAA related to the 2015 security breach. At the time, it was the largest fine the OCR had imposed for HIPAA noncompliance. In addition to the settlement amount, Anthem also agreed to implement an information security program and comply with specific information security requirements.[23]

[17] The U.S. Supreme Court opinion for this case can be found at William P. Barr et al. v. American Association of Political Consultants Inc. et al., 140 S.Ct. 2335, 2020 WL 3633780 (2020).

[18] The North Carolina federal court’s decision may be found at United States v. Walker, Case No. 2:18-CR-37-FL-1, 2020 WL 4065980 (E.D.N.C. Jul. 21, 2020).

[19] NYDFS’s announcement of the First American enforcement action may be found here: https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202007221.

[20] A copy of the final order can be found here: https://www.robinsonbradshaw.com/assets/htmldocuments/Eichenwald.pdf.

[21] The OCR’s announcement of the settlements and copies of the corrective action plans can be found here: https://www.hhs.gov/about/news/2020/09/15/ocr-settles-five-more-investigations-in-hipaa-right-of-access-initiative.html.

[22] The Department of Justice press release and links to the indictments may be found at https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer.

[23] A copy of the Anthem data breach settlement can be found here: https://www.robinsonbradshaw.com/assets/htmldocuments/Anthem.pdf.