Cybersecurity and Privacy Law Developments in Q1 of 2020
PDFProfessionals
Practice Areas
Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as COVID-19 social-distancing measures drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter. Click here to subscribe to our Cybersecurity and Privacy list and receive future updates via email, and click here to view all of our quarterly updates.
Introduction
The start of 2020 marked a watershed moment in U.S. privacy law with the groundbreaking new California Consumer Privacy Act going into effect. However, several other major developments in cybersecurity and privacy law also occurred during the first quarter of 2020. The first state laws to regulate the security of connected devices – known as the "Internet of Things" – went into effect, and a number of states beyond California also strengthened their requirements for data security and breach notification, such as New York's strikingly detailed requirements to safeguard personal data of New York residents. In a similar trend, the Federal Trade Commission announced a new model consent order for data security cases designed to add teeth and specificity; the Securities and Exchange Commission's Office of Compliance Inspections and Examinations published detailed observations of cybersecurity best practices for securities market participants; and the Department of Defense unveiled the new Cybersecurity Maturity Model Certification framework designed to strengthen and standardize cybersecurity obligations across all defense contracts. Beyond data security, last quarter two states and the European Commission tackled privacy concerns arising from the use of artificial intelligence – with a new Illinois law regulating the use of artificial intelligence in video interviews of job applicants, and a new Oregon law regulating the government's use of facial recognition services. As for litigation, the wave of class action lawsuits under the Illinois Biometric Information Privacy Act has continued apace – with a record-breaking $550 million settlement by Facebook – and the first class action lawsuit under the CCPA has already been filed. Federal courts also tackled tricky issues under both the Telephone Consumer Protection Act and the Computer Fraud and Abuse Act that have split circuits and are likely to reach the Supreme Court.
By the end of the first quarter of 2020, the spread of COVID-19 was declared a pandemic by the World Health Organization and became a human, economic and social crisis in the U.S. and across the world. The Office of Civil Rights in the Department of Health and Human Services has announced temporary relaxation of enforcement of certain HIPAA security requirements during the COVID-19 crisis to facilitate telemedicine. Other government authorities responsible for cybersecurity and privacy law may well take similar steps during the crisis – such as relaxing protections to help leverage electronic surveillance technology in order to trace the spread of infections. However, the California attorney general has rejected calls to delay the enforcement of the CCPA currently set to begin on July 1.
If you have questions about any of the legal developments highlighted in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.
State Law Developments
- California; CCPA. On Jan. 1, the much-anticipated CCPA went into effect, creating an array of new obligations and legal risk regarding the personal information of California consumers for businesses across the U.S. covered by the law. In particular, the new law gives consumers the right to request specific information about what personal information a business collects, uses, discloses and sells about that consumer ("request to know"); the right to request the deletion of that consumer's personal information collected by the business ("request to delete"); and the right to opt-out of the sale of that personal information by the business ("request to opt-out"). The law also creates a private right of action enabling consumers to sue the business regarding a data breach arising from the failure to maintain reasonable data security measures. The California attorney general will not begin enforcing the CCPA until July 1, but consumers have already begun submitting requests to know, delete and opt-out, as well as filing lawsuits under the law. Also, the California attorney general could later take action regarding CCPA violations from before July. Please see our CCPA Practice Tip Series for comprehensive guidance to help businesses comply with this new law.[1]
- California; Internet of Things. On Jan. 1, a new California law went into effect that imposes security obligations on manufacturers of connected devices – the so-called "Internet of Things" (IoT). Signed on Sept. 28, 2018, as the first state law of its kind, S.B. 327 requires that manufacturers of devices or other physical objects that connect directly or indirectly to the internet and have an IP address or Bluetooth address ("connected devices"), and which are sold or offered for sale in California, must equip the devices with reasonable security. Specifically, each connected device must be equipped with "a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure …." For connected devices allowing remote access (from outside a local area network), the law specifies that having a preprogrammed password unique to each device or requiring users to generate new means of authentication before connecting for the first time would be considered a "reasonable security feature." S.B. 327 can be enforced by the California attorney general and local government authorities in California, but the law has no private right of action to enable consumer lawsuits.[2]
- Oregon; Internet of Things. On Jan. 1, a new Oregon law went into effect concerning IoT device security. This new law, H.B. 2395, is the second state law of its kind – having been signed into law seven months after California's S.B. 327. In Oregon's H.B. 2395, "connected device" means a device or other physical object that connects directly or indirectly to the internet; is used primarily for personal, family or household purposes; and is assigned an IP address or another address or number for the purpose of making a short-range wireless connection. H.B. 2395 requires that a person who makes a connected device and sells or offers to sell the device in Oregon must equip it with "reasonable security features." These are defined as "methods to protect a connected device, and any information the connected device stores, from unauthorized access, destruction, use, modification or disclosure that are appropriate for the nature and function of the connected device and for the type of information the connected device may collect, store or transmit." Like California's law, H.B. 2395 further specifies that a "reasonable security feature" includes a means for authentication from outside a local area network by having a preprogrammed password unique to each connected device or by requiring users to generate new means of authentication before connecting for the first time. H.B. 2395 states that a violation of this law constitutes an unlawful trade practice under Oregon Statute 646.607, which may be enforced by Oregon's regulator with investigative actions, injunctive mandates and civil penalties of up to $25,000 per violation for willful violations.[3]
- Oregon; Breach Notification. On Jan. 1, Oregon's S.B. 684 went into effect, amending the Oregon Consumer Identity Theft Protection Act, now renamed the Oregon Consumer Information Protection Act (OCIPA). The amendment expands the law's data breach notification obligations to cover third-party vendors in addition to "covered entities" – defined as one who owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of business, vocation, occupation or volunteer activities. As amended, the OCIPA now requires a vendor to notify the covered entity with which the vendor contracts (and likewise a subcontractor to notify the vendor) as soon as practicable, but not later than 10 days after discovering a security breach compromising the personal information of an Oregon resident or having reason to believe that such a breach occurred. The vendor also must notify the Oregon attorney general of a security breach impacting more than 250 Oregon residents. Furthermore, S.B. 684 expanded the scope of "personal information" to include "a user name or other means of identifying a consumer for … access to the consumer's account, together with any other method necessary to authenticate the user name or means of identification."[4]
- Texas; Breach Notification. On Jan. 1, Texas' H.B. 4390 amending the Texas Identity Theft Enforcement and Protection Act (TITEPA) took effect, imposing more stringent requirements for data breach notification by organizations conducting business in Texas. Whereas before the TITEPA required that affected individuals be notified about a breach of their sensitive personal information "as quickly as possible," the amended law requires notification "without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred." Furthermore, the amended TITEPA requires notification to the Texas attorney general for data breaches involving at least 250 Texas residents. This notification must include (1) a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach; (2) the number of Texas residents affected; (3) the measures taken by the person regarding the breach; (4) any measures the person intends to take regarding the breach after the notification under this subsection; and (5) information about whether law enforcement is engaged in investigating the breach. With an eye to potential future legislation, H.B. 4390 also created the Texas Privacy Protection Advisory Council to study U.S. and relevant foreign data privacy laws and recommend specific legislative changes to the Texas legislature by Sept. 1.[5]
- Illinois; Breach Notification. On Jan. 1, an amendment to the Illinois Personal Information Protection Act (PIPA) went into effect imposing greater notice requirements for large data breaches. Specifically, where an organization would be required by PIPA to notify more than 500 Illinois residents concerning a single security breach, now the organization must also notify the Illinois attorney general and include a description of the nature of the breach of security or unauthorized access or use, the number of Illinois residents affected and any steps the data collector has taken or plans to take relating to the incident. If the date of the breach has not yet been determined, the organization is required to supplement this notice as soon as possible once the date of the breach is known. The amendment to PIPA further provides that, upon receiving such notice, the Illinois attorney general may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach and the date range of the breach.[6]
- Illinois; Artificial Intelligence. On Jan. 1, a new Illinois law went into effect called the Artificial Intelligence Video Interview Act (AIVIA). The law applies to any employer that asks applicants to record video interviews and uses an artificial intelligence analysis of the applicant-submitted videos for a position based in Illinois. The AIVIA provides that, before asking applicants to submit video interviews, the employer must (1) notify each applicant that artificial intelligence may be used to analyze the applicant's video interview and consider the applicant's fitness for the position; (2) provide each applicant with information before the interview explaining how the artificial intelligence works and what general types of characteristics it uses to evaluate applicants; and (3) obtain, before the interview, consent from the applicant to be evaluated by the artificial intelligence program as described in the information provided. Conversely, the AIVIA states that an employer may not use artificial intelligence to evaluate applicants who have not consented to the use of artificial intelligence analysis. Also, an employer may not share applicant videos except with persons whose expertise or technology is necessary to evaluate an applicant's fitness for a position. Finally, the AIVIA provides that, upon the request of an applicant, and within 30 days, the employer must delete the applicant's video interview and instruct any other persons who received copies to delete them.[7]
- California; CCPA. On Feb. 10 and again on Mar. 11, the California attorney general released revisions to his proposed regulations implementing the CCPA – California's privacy law discussed above. Among a variety of changes to the proposed regulations released on Oct. 10, 2019, the revisions include clarifications regarding the form and content of required notices from businesses; the logistics for receiving and processing consumers' requests to know, delete or opt-out under the CCPA; and the guidelines for businesses offering preferred pricing or other financial incentives in exchange for greater use of consumers' personal information. For more details, please see our client alert about the revisions. As the period of public comment has closed, the California attorney general could release further revisions or move to finalize the regulations. To be finalized, the text of the proposed regulations would be sent to the Office of Administrative Law – which generally has up to 30 days for review but would now have up to 60 days for review because of the California governor's Executive Order N-40-20 responding to the COVID-19 crisis. Thereafter, the final regulations would be filed with the secretary of state for adoption. Absent an exception to normal procedure, the CCPA regulations would take effect on July 1 or Oct. 1, depending on whether they were filed before or after June 1. Regardless, the California attorney general may enforce the CCPA beginning July 1. As mentioned, please see our CCPA Practice Tip Series for comprehensive guidance to help businesses comply with this new law.[8]
- Washington; Breach Notification. On March 1, Washington's H.B. 1071 amending its data breach notification law took effect, expanding the definition of "personal information" and otherwise increasing the requirements for data breach notification. The scope of personal information whose breach, along with the name of the individual, would trigger an obligation to notify the individual affected previously included a Social Security number, state identification card number, or financial account or credit or debit card number with access information. Now, the amended law also includes full date of birth; private key to authenticate or sign electronic records; student, military or passport identification number; health insurance policy or identification number; any information about medical history or mental or physical condition or a health care professional’s medical diagnosis or treatment; and certain biometric data such as fingerprint or voiceprint used to identify someone. The expanded definition of personal information requiring notification of a breach also includes, even without the name of the individual, a username or email address in combination with a password or security questions and answers allowing account access, or any of the above data elements if not encrypted or redacted, or if they would enable someone to commit identify theft. Furthermore, H.B. 1071 reduced the period of time from 45 days to 30 days for notification to affected individuals and the Washington attorney general (for breaches affecting over 500 Washington residents), and added further requirements for the contents of these notifications. For example, the disclosure to the Washington attorney general must include a list of the types of personal information involved, a timeframe of exposure, a summary of steps taken to contain the breach, and a sample of the notification sent to affected individuals.[9]
- New York; Cybersecurity. On March 21, the data security requirements of New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into effect. Under the new law, a person or business that owns or licenses computerized data that includes certain "private information" of a New York resident – such as Social Security and driver's license numbers, financial account access credentials and biometric information – must develop, implement and maintain "reasonable safeguards to protect the security, confidentiality and integrity of the private information." The law goes on to state that the person or business shall be deemed in compliance if they implement a data security program that includes various administrative, technical and physical safeguards which are spelled out in the law – such as designating a security program coordinator; training and managing employees regarding data security, including data security requirements in vendor contracts; conducting various security risk assessments; detecting and responding to cyber incidents; and disposing of private information when no longer needed for business purposes. Notably, the SHIELD Act applies differently to small businesses with fewer than 50 employees or with revenues or assets that fall below certain thresholds, stating that they shall be deemed in compliance if their security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers. The law also has a carve-out for those who are subject to and comply with other New York or federal data security requirements, such as the Cybersecurity Requirements for Financial Services Companies issued by New York's Department of Financial Services.[10]
- Washington; Facial Recognition. On March 31, Washington Gov. Jay Inslee signed into law S.B. 6280, establishing a legal framework for the use of facial recognition services by state and local government agencies. Passed on March 12 with the backing of Microsoft Corp., S.B. 6280 requires that prior to using facial recognition services, state and local government agencies must file a notice of intent to use such service and prepare an accountability report that would be subject to a notice-and-comment period and community consultation meetings. The accountability report would disclose important details around the proposed facial recognition service, including its purpose and proposed use; other "reasonably foreseeable" ways the service could be used; the service's rate of false matches; and potential impact on protected classes. The law also includes restrictions on certain uses of facial recognition services that pose a higher likelihood of infringing civil rights. Notably, the new legal framework requires a provider of facial recognition services to make its platform available for independent testing for accuracy and unfair performance across protected classes.[11]
[1] The text of the California Consumer Privacy Act and related materials may be found via the California attorney general's website at this location: https://oag.ca.gov/privacy/ccpa.
[2] The text of California's S.B. 327 concerning IoT security may be found here: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327.
[3] The text of Oregon's H.B. 2395 concerning IoT security may be found here: https://olis.oregonlegislature.gov/liz/2019R1/Downloads/MeasureDocument/HB2395.
[4] The text of Oregon's S.B. 684 amending the renamed Oregon Consumer Information Protection Act may be found here: https://olis.oregonlegislature.gov/liz/2019R1/Downloads/MeasureDocument/SB684.
[5] The text of Texas' H.B. 4390 amending the Texas Identity Theft Enforcement and Protection Act may be found here: https://legiscan.com/TX/text/HB4390/2019. Information about the Texas Privacy Protection Advisory Council may be found here: https://senate.texas.gov/cmte.php?c=990.
[6] The text of Illinois' S.B. 1624 amending the Illinois Personal Information Protection Act may be found here: http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=101-0343.
[7] The text of Illinois' Artificial Intelligence Video Interview Act may be found here: http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=101-0260.
[8] The California attorney general's revised proposed regulations under the CCPA and information about the rulemaking process may be found here: https://oag.ca.gov/privacy/ccpa. The California governor's executive order N-40-20 may be found here: https://www.gov.ca.gov/wp-content/uploads/2020/03/3.30.20-N-40-20.pdf.
[9] The text of Washington's H.B. 1071 amending its breach notification law may be found here: http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/House Passed Legislature/1071-S.PL.pdf.
[10] The text of New York's Stop Hacks and Improve Electronic Data Security Act may be found here: https://www.nysenate.gov/legislation/bills/2019/s5575.
[11] The text of Washington's S.B. 6280 concerning the government's use of facial recognition services may be found here: http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/Senate%20Passed%20Legislature/6280-S.PL.pdf?q=20200413073638.
Federal Law Developments
- FTC; Cybersecurity. On Jan. 6, the Federal Trade Commission released a blog post highlighting several changes to its consent orders that will be used in data security cases. First, the orders will be more specific than before – a response to the decision in LabMD, Inc. v. FTC, No. 16-16270 (11th 2018), striking down the consent order as unenforceably vague. Rather than simply a broad mandate to implement a comprehensive, process-based data security program, the FTC's consent orders will also require specific safeguards to address problems alleged in the complaint, such as yearly employee training, access controls, monitoring systems for data security incidents, patch management systems and encryption. Second, the FTC will demand increased thoroughness and accountability from the third-party assessor that a company hires to review compliance with the consent order. These assessors must now identify specific evidence to support their conclusions, such as employee interviews, independent sampling and document review. They must also retain certain documentation generated in their review, and they cannot refuse to provide those documents to the FTC on the basis of certain privileges. The FTC will have authority to re-approve or withhold approval from assessors every two years under the new scheme. Finally, the FTC's new consent orders in data security cases will require companies to elevate data security considerations to the C-suite and board level, such as requiring senior officers to provide annual certification of compliance to the FTC.[12]
- SEC; Cybersecurity. On Jan. 27, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) published guidance entitled Cybersecurity and Resiliency Observations, which summarizes cybersecurity practices of a wide range of securities market participants observed in the OCIE's examinations. The observations are grouped into seven general categories: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. Within these categories, the OCIE discussed a variety of cybersecurity and resiliency measures employed by securities market participants, such as comprehensive information security policies, mapping computer systems and sensitive data assets, conducting cyber risk assessments, implementing user access management procedures, utilizing encryption and network segmentation, establishing vulnerability and patch management programs, and many more. The OCIE's summary of observations demonstrates its continued focus on information security as a key risk for securities market participants and a key element in its examination program. Although presented as a guide to help enhance cybersecurity preparedness and operational resiliency, the OCIE's observations could well become a benchmark against which securities market participants will be judged in the future.[13]
- DoD; Cybersecurity. On Jan. 31, the Department of Defense released Version 1.0 of the new Cybersecurity Maturity Model Certification (CMMC) framework, followed by a slightly revised Version 1.02 on Mar. 18 to correct some minor errors. The CMMC framework marks the DoD's highly anticipated next step to enhance the protection of government data and to standardize cybersecurity requirements across all DoD acquisitions. Under the framework, once it is fully implemented, all defense contractors and subcontractors will be required to undergo a third-party assessment of their cybersecurity practices and processes, resulting in certification at one of five cumulative levels (meaning a higher level includes the lower levels) or in no certification. Level 1 identifies 17 basic requirements for "basic cyber hygiene" that are equivalent to the general government contractor cybersecurity requirements spelled out in Federal Acquisition Regulation 48 CFR 52.204-21; Level 2 includes additional practices to support "intermediate cyber hygiene"; Level 3 aligns with full adherence to the familiar National Institute of Standards and Technology (NIST) SP 800-171 Rev 1 requirements; and levels 4 and 5 require "proactive" and "progressive" cybersecurity programs, respectively, with additional practices derived from Draft NIST SP 800-171B and various other heightened cybersecurity standards. The CMMC framework is scheduled to be implemented in defense contracts beginning on July 1, and the DoD has announced that the COVID-19 crisis will not delay this planned implementation.[14]
- Federal Privacy Bill. On Feb. 13, Sen. Kirsten Gillibrand (D-NY) announced the Data Protection Act of 2020. This proposed legislation does not propose new federal privacy standards but would create a new executive agency, the Data Protection Agency. This new federal agency would have significant rule-making authority and would lead and coordinate all federal agency enforcement of privacy and data protection laws and regulations. It would be charged with ensuring fairness for consumer-facing contract terms, monitoring certain high-risk data practices and taking other measures for consumer data protection. The proposed agency would also have supervisory authority over certain "very large" covered entities. Notably, the proposed act would only preempt state laws inconsistent with its terms and would allow state attorneys general to bring enforcement actions for violations of various federal privacy laws and the new agency's regulations.[15] For a related discussion of proposed federal data protection laws introduced in 2019, please see our quarterly legal update for Q4 of 2019.
- HHS; Health Privacy. On March 9, the Department of Health and Human Services, Office of National Coordinator for Health Information Technology (ONC) and Centers for Medicare and Medicaid Services (CMS) finalized two rules that are designed to increase patient access to their health care records and prevent information blocking. The ONC Final Rule, as required by the 21st Century Cures Act, establishes new rules to prevent information blocking practices by health care providers, developers of certified health IT, health information exchanges and health information networks. The ONC Final Rule also updates certification requirements for health IT developers and establishes secure, standards-based application programming interface requirements to support patients' access to and control of their electronic health information. This will allow patients to require their providers to send medical data directly to third-party applications, making it simpler for patients to access their health information. Privacy advocates have expressed concern, noting that federal privacy protections no longer apply once patients transfer their data to consumer applications. The CMS Final Rule requires health plans in Medicare Advantage, Medicaid, CHIP and through the federal exchanges to share claims data electronically with patients.[16]
- U.S. Government; Cybersecurity. On March 11, the official report of the Cyberspace Solarium Commission (CSC) was released. A bicameral, bipartisan, intergovernmental body of 14 commissioners, chaired by Sen. Angus King (I-MA) and Rep. Mike Gallagher (R-WI), the CSC was chartered by Congress last year to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyberattacks of significant consequences." The 182-page report makes over 80 recommendations designed to (1) reform the U.S. government's organization for cyberspace; (2) strengthen cybersecurity norms and nonmilitary tools; (3) promote national resilience from major cyberattacks; (4) reshape the cyber ecosystem toward greater security; (5) operationalize cybersecurity collaboration with the private sector; and (6) enhance the military's cyber capability. Among a number of noteworthy proposed legal reforms, the CSC calls upon Congress to pass a national data security and privacy protection law; a national breach notification law; and a law establishing that final goods assemblers of software, hardware and firmware are liable for damages from incidents that exploit known and unpatched vulnerabilities.[17]
- Federal Privacy Bill. On March 18, Sen. Jerry Moran (R-KS) introduced the Consumer Data Privacy and Security Act of 2020, which would create an overarching federal standard to protect personal data and would preempt state laws on this topic. The proposed law would apply to all businesses regulated by the FTC as well as nonprofits and common carriers, but small businesses would be exempt from certain requirements. Covered entities would be required to follow various privacy and security standards to protect the personal data of individuals residing in the U.S., and those individuals would have certain rights with respect to their personal data, such as rights of access, accuracy and correction, erasure and portability. The law would also create special accountability requirements for companies that annually process the personal data of over 20 million individuals or the sensitive data of 1 million individuals. Regarding enforcement, the proposed law would require the FTC to hire over 400 additional staff members to enforce federal privacy laws, would authorize the FTC to impose first-time civil penalties and would allow state attorneys general to enforce violations as well. However, there would be no private right of action to enable civil lawsuits by consumers.[18] For a related discussion of proposed federal data protection laws introduced in 2019, please see our quarterly legal update for Q4 of 2019.
- HHS; Health Privacy. From February to April, the Office of Civil Rights (OCR) issued numerous bulletins and guidance related to the enforcement of HIPAA during the COVID-19 crisis. In particular, OCR announced that it will use its enforcement discretion and waive potential penalties for HIPAA violations against health care providers that provide telehealth services to patients through "everyday" (i.e., nonsecure) nonpublic-facing communications platforms, such as FaceTime or Skype. Providers are not permitted to use public-facing video communications, such as Facebook Live, Twitch or TikTok. In addition, under the telehealth notice, OCR stated that it will not impose penalties against providers for the lack of a business associate agreement with video communications vendors. OCR has also issued additional guidance to business associates, first responders and community-based testing sites regarding HIPAA enforcement during the COVID-19 crisis.[19]
[12] The FTC's blog post about new consent orders in data security cases may be found here: https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance?utm_source=govdelivery.
[13] The Cybersecurity and Resiliency Observations published by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations may be found here: https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.
[14] Information about the Cybersecurity Maturity Model Certification framework from the Office of the Under Secretary of Defense for Acquisition and Sustainment may be found here: https://www.acq.osd.mil/cmmc.
[15] At the time this article was published, the text of the proposed Data Protection Act of 2020 was available at: https://www.gillibrand.senate.gov/imo/media/doc/2.11.2020_Data%20Protection%20Act.pdf.
[16] The ONC Final Rule may be found here: https://healthit.gov/curesrule. The CMS Final Rule may be found here: https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.
[17] The Cyberspace Solarium Commission's report may be downloaded at https://www.solarium.gov/report.
[18] The text of the proposed Consumer Data Privacy and Security Act of 2020 may be found here: https://www.moran.senate.gov/public/_cache/files/a/e/ae6c623f-1c01-4f14-88c2-3ff8e8312ea3/15902DF0B294E025216BED39DD7317AF.lyn20111.pdf.
[19] A clearinghouse of OCR guidance related to the COVID-19 crisis may be found here: https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19.
Foreign Law Developments
- U.K.; Children's Privacy. On Jan. 21, the U.K. Information Commissioner's Office published its final Age Appropriate Design Code, imposing a set of 15 standards that online services should meet to protect children's privacy. Mandated by the UK's Data Protection Act of 2018 and "rooted in" Europe's data protection law, the Code requires online services "to automatically provide children with a built-in baseline of data protection whenever they download a new app, game or visit a website," and provides practical guidance to achieve that end. The Code will take effect only after receiving Parliamentary approval.[20]
- U.K.; GDPR. On Jan. 31, the date the U.K. withdrew from the EU, the European Commission issued a brief statement on the consequences for data protection law. According to that statement, the EU and U.K. have entered into a transition period in which EU law, including the General Data Protection Regulation (GDPR), will continue to apply in the U.K. until at least Dec. 31. This means that personal data will continue to be able to be transferred freely between the U.K. and EU countries. The parties will have the option of extending this transition period for a second year, but they must agree by July 1. When the transition period ends, then EU law will cease to apply and the U.K. will become like any other non-EU country for purposes of data transfers under the GDPR.[21]
- Europe; Artificial Intelligence. On Feb. 19, the European Commission published a guidance document entitled "White Paper on Artificial Intelligence: A European Approach to Excellence and Trust," which outlines a policy framework for the regulation of artificial intelligence in Europe. The Commission's planned policy framework seeks to promote the use of AI while simultaneously building trust among consumers and businesses. The white paper identifies one area of particular concern to be the "opacity" of some AI algorithms, which may threaten privacy and other fundamental rights. The Commission proposes, however, that future European legislation should avoid "overly prescriptive regulation by adopting a risk-based approach."[22]
- China; Online Privacy. On March 3, a new directive in China on internet content regulation and governance went into effect, requiring organizations hosting websites in China to make changes to their website governance. In particular, the new law broadens the scope of content whose online publication is prohibited; requires website hosts to implement a mandatory government mechanism in order to maintain a "healthy online ecosystem," and requires website hosts to appoint an officer responsible for publishing and monitoring content. Chinese authorities have also announced that they will introduce a new personal data protection law and a new data security law in 2020, although details have not been made public yet.
[20] The Age Appropriate Design Code of the U.K. Information Commissioner's Office was available here at the time of publishing: https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code/.
[21] The European Commission's statement on the consequences of Brexit for data protection law may be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/brexit_en.
[22] The European Commission's White Paper on Artificial Intelligence may be found here: https://ec.europa.eu/info/publications/white-paper-artificial-intelligence-european-approach-excellence-and-trust_en.
Litigation and Enforcement
- FTC; Cybersecurity. On Jan. 6, the FTC announced a settlement with InfoTrax Systems, L.C. and its former CEO Mark Rawlins reflecting the changes to data security orders discussed in the FTC’s blog post that day. The FTC's complaint alleged that a failure to use reasonable, low-cost and readily available security protections to safeguard personal information enabled a cybercriminal to carry out a series of data breaches from May 2014 to March 2016 that compromised consumers' sensitive personal information, including Social Security numbers. As part of the settlement, InfoTrax and Rawlins may not collect, sell, share or store personal information unless they implement an information security program addressing the security failures identified in the complaint. For this program, the consent order spells out a variety of specific safeguards related to data management, cyber risk assessment, cyber incident detection, user access management, network segmentation and data encryption. The consent order also calls for third-party information security assessments and annual certification of compliance to the FTC.[23]
- FTC; Cybersecurity. On Jan. 7, the FTC announced a settlement with Mortgage Solutions FCS, Inc., a California-based mortgage broker, and its sole owner Ramon Walker. A complaint filed by the Department of Justice on behalf of the FTC alleged that Mortgage Solutions and Walker violated Section 5 of the FTC Act, the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA) when they responded to consumers posting negative reviews on Yelp by revealing their credit histories, debt-to-income ratios, taxes, health, sources of income, family relationships and other personal information. The complaint also alleged that they violated the FTC Act and GLBA by failing to implement an information security program until September 2017 and by not subsequently testing the program. As part of the consent order with the FTC, Mortgage Solutions and Walker must pay a $120,000 penalty for violating the FCRA; they are prohibited from misrepresenting their privacy and data security practices, misusing credit reports and improperly disclosing personal information to third parties; and they must implement a comprehensive data security program, obtain third-party assessments of the program every two years and provide annual certification of compliance to the FTC.[24]
- FTC; Privacy Shield. On Jan. 16, the FTC announced settlements with five companies regarding allegations that they violated Section 5 of the FTC Act by deceiving customers about their participation in the EU-U.S. Privacy Shield, a program to allow the transfer of personal data from Europe to the United States under Europe's data protection laws. Three of the companies – Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. – were alleged to have falsely claimed on their websites to being certified under the Privacy Shield framework, despite never obtaining certification. The other two companies – DCR Workforce, Inc., and EmpiriStat, Inc. – were alleged to have falsely claimed continued participation in the Privacy Shield framework even after certifications had lapsed. EmpiriStat also allegedly failed to comply with certain Privacy Shield principles while in the program, including failing to verify the accuracy of statements about its Privacy Shield practices. Under its settlement, EmpiriStat must continue to apply Privacy Shield protections to the personal information collected while participating in the program, or otherwise return or delete that information.[25]
- Insurance Coverage; D.Md. On Jan. 27, in National Ink and Stitch, LLC v. State Auto Insurance Companies, a Maryland federal court rejected an insurance carrier’s motion to dismiss a lawsuit to recover losses resulting from a ransomware attack under a business’s property policy. Suffering a ransomware attack affecting its data and computer system, the plaintiff National Ink tried paying the ransom (whereupon the attacker demanded more Bitcoin) and then hired a cybersecurity firm to reinstall design software and also install new cybersecurity software to prevent reinfection by the ransomware. The computer system functioned again, albeit more slowly due to the new cybersecurity software, but art files and other data were lost. National Ink later sued State Auto to enforce a claim under the property-damage clause of its business-owner insurance policy for losses resulting from the ransomware attack. State Auto’s motion to dismiss argued that because the company lost only data, an intangible asset, there could be no "direct physical loss of or damage to Covered Property" under the terms of the policy. In denying the motion, the court reasoned that "Covered Property" must be read to include electronic data and also that "direct physical loss of or damage to" included the slowness of National Ink's computer system after installation of the new cybersecurity software. This decision is a significant milestone in the recent trend of courts allowing businesses to recover cyber-related losses under insurance policies that were not specifically designed to cover cyber risk, such as property and crime policies.[26]
- TCPA; Eleventh and Seventh Circuits. On Jan. 27, in Glasser v. Hilton Grand Vacations Co., the Eleventh Circuit weighed in on a topic dividing federal courts by holding that devices which merely make calls using a stored list of phone numbers are not illegal under the Telephone Consumer Protection Act (TCPA). The TCPA forbids making certain phone calls using an "automatic telephone dialing system" (ATDS), defined as "equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers." The Eleventh Circuit ruled that, to meet this definition, a device may "store" or "produce" numbers, but in either case must do so “using a random or sequential number generator." On Feb. 19, only a few weeks later, the Seventh Circuit came to the same conclusion in Gadelhak v. AT&T Services, Inc. These decisions have now widened a circuit split and increased the chance of the Supreme Court taking up this issue in the future. Currently, the Third, Seventh and Eleventh Circuits have held that randomly or sequentially generating numbers is a central aspect of an ATDS, whereas the Ninth Circuit has determined that a device that merely calls a stored list of numbers fits the statutory definition.[27]
- BIPA; N.D.Ca. On Jan. 29, Facebook, Inc., announced its agreement to pay $550 million to settle a class action lawsuit filed by users in a California federal court under Illinois' Biometric Information Privacy Act (BIPA), which governs the use, collection, storage, protection and retention of biometric information. The $550 million payment will be used to compensate Illinois users who claimed that Facebook violated BIPA by using facial recognition information without consent to suggest tags for photos. The settlement reflects a continuing trend of private litigation under BIPA, with a number of new lawsuits already filed in 2020, including actions against grocery giant Aldi, Inc., in Sedory v. Aldi, Inc. and resort company Great Wolf Lodge in Allen v. GWR Ill. Prop. Owner.[28]
- CCPA; N.D.Ca. On Feb. 3, in Barnes v. Hanna Andersson, LLC, the first data breach class action lawsuit to expressly reference the CCPA was filed in a California federal court. The proposed class action alleges that children’s apparel retailer Hanna Andersson "did not use reasonable security procedures and practices" to protect sensitive information – something the CCPA requires – and that this failure resulted in a "widespread" data breach in the fall of 2019. The Barnes complaint does not assert an express claim under the CCPA but rather alleges "deprivation of rights … under the California Unfair Competition Law … and California Consumer Privacy Act" among the injuries suffered by the plaintiffs.[29]
- Standing; D.Md. On Feb. 21, in In re Marriott Int'l, Inc., a federal court in Maryland declined to dismiss the majority of claims brought by a class of consumers against Marriott International, Inc., holding that the consumers had adequately alleged injuries traceable to the four-year-long data breach that Marriott inherited when it acquired Starwood Hotels and Resorts Worldwide in 2016. On the central issue of standing, the court reasoned that the targeted nature of the data breach, in combination with actual cases of identity theft suffered by some plaintiffs, made the threat of further identity theft "sufficiently imminent" to give plaintiffs standing to sue Marriott. The court also held that the time and money that plaintiffs spent mitigating potential harm, the diminished value of their personal information because of the data breach, and their loss of the benefit of an explicit or implicit bargain for protection of their personal data were additional injuries that allowed the plaintiffs to bring the lawsuit.[30]
- CCPA; C.D.Ca. On Mar. 10, in Fuentes v. Sunshine Behavioral Health Group LLC, the first-ever class action lawsuit asserting a claim for violation of the CCPA was filed in a California federal court, seeking injunctive relief and damages. The complaint alleges that Sunshine, a company operating drug and alcohol rehabilitation facilities in several states, suffered a data breach beginning in 2017 that led to the compromise of unencrypted personal and medical data of approximately 3,500 patients. According to the complaint, Sunshine's cloud-based storage system was misconfigured so that patients' personal and medical data were available to the public using internet search engines such as Google and Bing. The complaint also alleges that, despite learning of the data breach on Sept. 4, 2019, Sunshine failed to provide notice to affected individuals until January 2020. Plaintiffs' CCPA claim asserts that Sunshine’s conduct and omissions constitute a violation of the CCPA and seeks damages and injunctive relief.[31]
- CFAA; D.D.C. On Mar. 27, in Sandvig v. Barr, a federal court in the District of Columbia ruled that the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, does not criminalize a mere violation of the terms of service of consumer websites. In this case, two professors planning to create fake job postings and fake job-seeker profiles on online hiring websites for purposes of academic research into potential online discrimination sought declaratory relief that such use of those websites, in violation of their terms of service, would not constitute an offense under the CFAA, which prohibits "access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any protected computer." 18 U.S.C. § 1030(a)(2). Granting the requested declaratory relief, the district court rejected the government's argument to the contrary and aligned with the recent Ninth Circuit decision in hiQ Labs, Inc. v. LinkedIn Corp., that addresses this language in the context of civil litigation. The District of Columbia federal court ruled that an individual should be deemed to have "access[ed] a computer without authorization" only when the user bypasses an authenticating permission requirement such as a password restriction requiring the user to demonstrate his access rights to the information. On the thornier issue of "exceed[ing] authorized access," the court invoked the rule of lenity and potential First Amendment concerns so as to construe the CFAA's unclear language narrowly and avoid criminalizing the violation of a website's terms of service. In the same breadth, however, the court declined to weigh in on the circuit split which has developed over this issue for an employee violating his employer's computer-use policy. Just a few weeks later, however, the Supreme Court signaled that it will take up this question by agreeing to hear the appeal of the Eleventh Circuit's decision in United States v. Van Buren that affirmed a police officer's CFAA conviction for "exceeding authorized access" by accessing police databases for personal gain.[32]
[23] The FTC's announcement of the settlement with InfoTrax Systems, L.C., including links to the consent order and underlying complaint, may be found here: https://www.ftc.gov/news-events/press-releases/2020/01/ftc-finalizes-settlement-utah-company-its-former-ceo-over.
[24] The FTC's announcement of the settlement with Mortgage Solutions FCS, Inc., including links to the consent order and underlying complaint, may be found here: https://www.ftc.gov/news-events/press-releases/2020/01/mortgage-broker-posted-personal-information-about-consumers?utm_source=govdelivery.
[25] The FTC's announcement of settlements with five companies regarding the EU-U.S. Privacy Shield may be found here: https://www.ftc.gov/news-events/press-releases/2020/01/ftc-finalizes-settlements-five-companies-related-privacy-shield?utm_source=govdelivery.
[26] The decision may be found at National Ink and Stitch, LLC v. State Auto Insurance Companies, No. 18-2138 (D. Md. Jan. 27, 2020).
[27] The two decisions may be found at Glasser v. Hilton Grand Vacations Co., No. 18-14499 (11th Cir. 2020), and Gadelhak v. AT&T Services, Inc., No. 19-1738 (7th Cir. 2020).
[28] The two complaints may be found at Sedory v. Aldi, Inc., No. 2020-ch-02768 (Ill. Cir. Ct. Mar. 2, 2020), and Allen v. GWR Ill. Prop. Owner, LLC, No. 2020-ch-02983 (Ill. Cir. Ct. Mar. 10, 2020).
[29] The complaint may be found at Barnes v. Hanna Andersson, LLC, No. 3:20-cv-00812-DMR (N.D. Cal. Feb. 3, 2020).
[30] The court's decision may be found at In re Marriott Int'l, Inc., No. 19-md-2879 (D. Md. 2020).
[31] The complaint may be found at Fuentes v. Sunshine Behavioral Health Grp., LLC, No. 8:20-cv-00487-JLS-JDE (C.D. Cal. Mar. 10, 2020).
[32] The cited decisions interpreting the CFAA may be found at Christian Sandvig et al. v. William Barr, No. 16-1368 (D.D.C. 2020); hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019); and United States v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019).