Category Archives: U.S. State Law

Draft CCPA Regulations Expected Fall 2019

As we previously reported, the California Consumer Privacy Act of 2018 (“CCPA”) delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first. The California Department of Justice anticipates publishing a Notice of Proposed Regulatory Action concerning the CCPA in Fall 2019.

The regulations aim to (1) establish procedures to facilitate consumers’ rights under the CCPA and (2) provide guidance to businesses regarding how to comply. As required under the CCPA, the regulations will address:

  • the categories of personal information;
  • the definition of unique identifiers;
  • any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights;
  • rules and procedures for (1) the submission of a consumer request to opt out of the sale of personal information pursuant to Section 1798.145(a)(1); (2) business compliance with a consumer’s opt-out request; and (3) the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information;
  • adjusting the monetary threshold in Section 1798.140(c)(1)(A) in January of every odd-numbered year to reflect any increase in the Consumer Price Index;
  • the establishment of rules, procedures and any exceptions necessary to ensure that the notices and information that businesses are required to provide are relayed in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer; and
  • the establishment of rules and procedures related to the verification of consumer requests.

Written comments may be submitted by email to privacyregulations@doj.ca.gov or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013. The deadline to submit written comments is March 8, 2019.

Ten Years Strong: A Decade of Privacy and Cybersecurity Insights

In January 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Over the past decade, we have worked hard to provide timely, cutting-edge updates on the ever-evolving global privacy and cybersecurity legal landscape. Ten Years Strong: A Decade of Privacy and Cybersecurity Insights is a compilation of our blog’s top ten most read posts over the decade, and addresses some of the most transformative changes in the privacy and cybersecurity field.

Read Ten Years Strong: A Decade of Privacy and Cybersecurity Insights.

Illinois Supreme Court Says Biometric-Data Protection Law Does Not Require Allegation of Actual Injury

The Illinois Supreme Court ruled today that an allegation of “actual injury or adverse effect” is not required to establish standing to sue under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”). This post discusses the importance of the ruling to current and future BIPA litigation.

The Illinois Supreme Court rendered a decision on January 25, 2019, that gives the green light to certain plaintiffs seeking redress under the BIPA. BIPA provides a private right of action to Illinois residents “aggrieved” by private entities that collect their biometric data (including retina scans, fingerprints and face geometry) without complying with the statute’s notice and consent requirements. Hundreds of cases have been filed under the law, many of them putative class actions, with plaintiffs enticed by per-violation statutory damages of $1,000 or more.

In the opinion, the Illinois Supreme Court unanimously found that allegations of a technical violation alone can sustain an action, and that limiting BIPA claims to those individuals who can plead and prove an actual injury would depart from the plain and unambiguous meaning of the law. The case is styled Stacy Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill.).

BIPA currently is the most watched statute in the U.S. concerning the collection and use of biometric data because it is the only such law that provides a private right of action. The court’s decision resolves a jurisdictional issue that had derailed some prior lawsuits. Today’s decision promises to ramp up an already steady stream of litigation both in and outside of Illinois.

Use of biometric technology by businesses for employee timekeeping, customer identification, and other applications is increasing. The importance of strict compliance with BIPA for companies operating in Illinois is now unavoidably clear.

Illinois BIPA Suit Dismissed for Lack of Article III Standing

As we previously reported in February 2017, an Illinois federal judge denied a motion to dismiss two complaints brought under the Illinois Biometric Information Privacy Act, 740 ILCS 14 (“BIPA”) by individuals who alleged that Google captured, without the plaintiffs’ consent, biometric data from facial scans of images that were uploaded onto Google Photos. The cases subsequently were consolidated, and on December 29, 2018, the Northern District of Illinois dismissed the case on standing grounds, finding that despite the existence of statutory standing under BIPA, neither plaintiff had claimed any injury that would support Article III standing.

In Spokeo, Inc. v. Robins, the Supreme Court held that Article III standing requires a concrete and particularized injury even in the context of a statutory violation. The court here likewise concluded that although the plaintiffs in this case had statutory standing under BIPA, the procedural, statutory violation alone was insufficient to satisfy the Article III standing requirement.

In asking whether either plaintiff adequately alleged such requisite injury, the court considered Google’s collection and retention of the facial scans. With respect to the retention issue, the court followed the 7th Circuit ruling in Gubala v. Time Warner Cable, Inc. that the retention of individual information alone, even in violation of the Cable Communications Policy Act, did not confer Article III standing absent disclosure of the information or a sufficient risk of its disclosure.

Regarding collection, the court considered (1) Patel v. Facebook Inc., a similar case brought in the Northern District of California that was not dismissed, involving a plaintiff who alleged that Facebook’s use of facial recognition for tagging photos violated BIPA’s notice and consent requirements; and (2) common law tort analogues. The Illinois court (1) declined to follow the California court, reasoning that there was an insufficient showing that the Illinois legislature intended to create a cause of action that would arise from the violation of BIPA’s notice and consent requirements alone; and (2) found that the two common law tort analogues bearing the closest relationship to the alleged injury, intrusion upon seclusion and misappropriation, were not appropriate in this case because the harms alleged by the plaintiffs did not align with the harms those torts address. Specifically, the templates that Google created were based on faces, which are regularly publicly exposed, and were not made publicly available or used by Google for commercial purposes. As such, the court dismissed the claim, holding that neither plaintiff in this case had claimed an injury that would support Article III standing.

A number of BIPA actions remain pending in federal and state courts. It remains to be seen whether other courts will agree with the Northern District of Illinois regarding the unavailability of BIPA claims based solely on procedural violations of the act.

Massachusetts Amends Data Breach Law; Imposes Additional Requirements

On January 10, 2019, Massachusetts Governor Charlie Baker signed legislation amending the state’s data breach law. The amendments take effect on April 11, 2019.

Key updates to Massachusetts’s Data Breach Notification Act include the following:

  • The required notice to the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation will need to include additional information, including the types of personal information compromised, the person responsible for the breach (if known) and whether the entity maintains a written information security program. Under Massachusetts 201 CMR § 17.03, any entity that owns or licenses personal information about a Massachusetts resident is currently obligated to develop, implement and maintain a comprehensive written information security program that incorporates the prescriptive requirements contained in the regulation.
  • If individuals’ Social Security numbers are disclosed, or reasonably believed to have been disclosed, the company experiencing a breach must offer credit monitoring services at no cost for at least 18 months (42 months, if the company is a consumer reporting agency). Companies also must certify to the Massachusetts attorney general and the Director of the Office of Consumer Affairs and Business Regulation that their credit monitoring services are compliant with state law.
  • The amended law explicitly prohibits a company from delaying notice to affected individuals on the basis that it has not determined the number of individuals affected. Rather, the entity must send out additional notices on a rolling basis, as necessary.
  • If the company experiencing a breach is owned by a separate entity, the individual notice letter must specify “the name of the parent or affiliated corporation.”
  • Companies are prohibited from asking individuals to waive their right to a private action as a condition for receiving credit monitoring services.

California DOJ to Hold Series of Public Forums on CCPA

The California Department of Justice will host six public forums on the California Consumer Privacy Act of 2018 (“CCPA”) to provide the general public an opportunity to participate in the CCPA rulemaking process. Individuals may attend or speak at the events or submit written comments by email to privacyregulations@doj.ca.gov or by mail to the California Department of Justice, ATTN: Privacy Regulations Coordinator, 300 S. Spring St., Los Angeles, CA 90013.

The forums will take place in January and February throughout the state of California. The first event will be held on January 8, 2019, at the Milton Marks Conference Center in San Francisco. View the full schedule.

Cybersecurity Rules for Insurance Companies to Take Effect in South Carolina

New cybersecurity rules for insurance companies licensed in South Carolina are set to take effect in part on January 1, 2019. The new law is the first in the United States to be enacted based on the data security model law drafted by the National Association of Insurance Commissioners. The law requires licensed insurance companies to notify state insurance authorities of data breaches within 72 hours of confirming that nonpublic information in the company’s (or a service provider’s) system was “disrupted, misused, or accessed without authorization.” The breach reporting requirement is in addition to notification obligations imposed under South Carolina’s breach notification law and applies if the insurance company has a permanent location in the state or if the breach affects at least 250 South Carolina residents, among other criteria. The 72-hour notice requirement takes effect January 1, 2019.

Separately, effective July 1, 2019, the law requires insurance companies licensed in South Carolina to develop and implement a comprehensive, written cybersecurity program. Among other details, the program must be based on a company’s own risk assessments and must include encryption of information in transit, regular testing of systems, and cybersecurity awareness training for employees. The law will also require insurance companies to “exercise due diligence” in choosing third-party service providers and to ensure that service providers have appropriate information safeguards in place no later than July 1, 2020.

Illinois Supreme Court Hears Standing Arguments

On November 20, 2018, the Illinois Supreme Court heard arguments in a case that could shape future litigation under the Illinois Biometric Information Privacy Act (“BIPA”). BIPA requires companies to (i) provide prior written notice to individuals that their biometric data will be collected and the purpose for such collection, (ii) obtain a written release from individuals before collecting their biometric data and (iii) develop a publicly available policy that sets forth a retention schedule and guidelines for deletion once the biometric data is no longer used for the purpose for which it was collected (but for no more than three years after collection). BIPA also prohibits companies from selling, leasing or trading biometric data.

The plaintiff in the case, Stacy Rosenbach v. Six Flags Entertainment Corp., alleged that Six Flags Entertainment Corporation (“Six Flags”) violated BIPA by collecting her son’s fingerprint in connection with the purchase of a season pass, without first notifying her or obtaining her consent to the collection of her son’s biometric data. At the trial level, Six Flags argued that the case should be dismissed for failure to establish standing because the plaintiff did not allege that actual harm resulted from the company’s collection of her son’s fingerprint data. The case was appealed to the Second District Appellate Court, which ruled in Six Flags’ favor, holding that BIPA plaintiffs cannot rely on technical violations of the law, such as failure to obtain consent, to be “aggrieved” and have standing. The plaintiff appealed the case to the Illinois Supreme Court.

In oral arguments heard by the Illinois Supreme Court on Tuesday, Six Flags again argued that the plaintiff must allege more than just a technical violation of BIPA to establish standing. Three of the Court’s seven justices appeared to disagree with this argument, with one, Justice Robert Thomas, countering that “there seems to be at least a logical appeal” to ensuring that individuals are made aware that their biometric data will be collected, and that “the purpose [of BIPA] is so [an actual harm] won’t happen in the first place.” Justice Anne Burke joined, stating that it is “too late to wait” for a violation of the law to occur in the first place because at that point, a plaintiff “may never know [about the violation] and you can’t get your fingerprints back. It’s irreparable harm.”

The Second District Appellate Court’s ruling in favor of Six Flags diverges from a First District Appellate Court opinion in Klaudia Sekura v. Krishna Schaumburg Tan Inc., which held that plaintiffs have causes of action under BIPA even without allegations of actual harm. The Illinois Supreme Court’s ruling in Rosenbach is expected to set the standard for which plaintiffs have standing under BIPA in future litigation.

New Ohio Law Creates Safe Harbor for Certain Breach-Related Claims

Effective November 2, 2018, a new Ohio breach law will provide covered entities a legal safe harbor for certain data breach-related claims brought in an Ohio court or under Ohio law if, at the time of the breach, the entity maintains and complies with a cybersecurity program that (1) contains administrative, technical and physical safeguards for the protection of personal information, and (2) reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law.

The program must additionally be designed to (1) protect the security and confidentiality of the information, (2) protect against any anticipated threats or hazards to the security or integrity of the information, as well as (3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates. In determining the necessary scale and scope of the program, a business should consider what is reasonable in light of the size and complexity of the covered entity, the nature and scope of its activities, the resources available to it, the sensitivity of the information to be protected, and the cost and availability of tools to improve information security and reduce vulnerabilities.

While this safe harbor will not apply to breach of contract claims or statutory violations in a breach suit, covered entities may raise this affirmative defense against tort claims that allege a failure to implement reasonable information security controls that results in a data breach. However, the covered entity will bear the burden of demonstrating that its program meets all of the requirements under the law. This may be hard for businesses to prove, since many of the frameworks provide generalizations regarding what is required, but not specifics, and since these frameworks do not tend to have formal certification processes. Moreover, because such frameworks are often revised to keep up with new technologies and risks, it may be difficult for businesses to conform to the updates within the statute-mandated, one-year time limit from the revision date.

This law is the first in the U.S. to offer an incentive to businesses that take steps to ensure that there are policies and procedures in place to protect against data breaches. It remains to be seen whether other states will enact similar laws.

California Enacts Blockchain Legislation

As reported on the Blockchain Legal Resource, California Governor Jerry Brown recently signed into law Assembly Bill No. 2658 for the purpose of further studying blockchain’s application to Californians. In doing so, California joins a growing list of states officially exploring distributed ledger technology.

Specifically, the law requires the Secretary of the Government Operations Agency to convene a blockchain working group prior to July 1, 2019. Under the new law, “blockchain” means “a mathematically secured, chronological and decentralized ledger or database.” In addition to including various representatives from state government, the working group is required to include appointees from the technology industry and non-technology industries, as well as appointees with backgrounds in law, privacy and consumer protection.

Under the new law, which has a sunset date of January 1, 2022, the working group is required to evaluate:

  • the uses of blockchain in state government and California-based businesses;
  • the risks, including privacy risks, associated with the use of blockchain by state government and California-based businesses;
  • the benefits associated with the use of blockchain by state government and California-based businesses;
  • the legal implications associated with the use of blockchain by state government and California-based businesses; and
  • the best practices for enabling blockchain technology to benefit the State of California, California-based businesses and California residents.

In doing so, the working group is required to seek “input from a broad range of stakeholders with a diverse range of interests affected by state policies governing emerging technologies, privacy, business, the courts, the legal community and state government.”

The working group is also tasked with delivering a report to the California Legislature by January 1, 2020, on the potential uses, risks and benefits of blockchain technology by state government and California businesses. Moreover, the report is required to include recommendations for amending relevant provisions of California law that may be impacted by the deployment of blockchain technology.

California Enacts New Requirements for Internet of Things Manufacturers

On September 28, 2018, California Governor Jerry Brown signed into law two identical bills regulating Internet-connected devices sold in California. S.B. 327 and A.B. 1906 (the “Bills”), aimed at the “Internet of Things,” require that manufacturers of connected devices—devices which are “capable of connecting to the Internet, directly or indirectly,” and are assigned an Internet Protocol or Bluetooth address, such as Nest’s thermostat—outfit the products with “reasonable” security features by January 1, 2020; or, in the bills’ words: “equip [a] device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure[.]”

According to Bloomberg Law, the Bills’ non-specificity regarding what “reasonable” features include is intentional; it is up to the manufacturers to decide what steps to take. Manufacturers argue that the Bills are egregiously vague, and do not apply to companies that import and resell connected devices made in other countries under their own labels.

The Bills are opposed by the Custom Electronic Design & Installation Association, Entertainment Software Association and National Electrical Manufacturers Association. They are sponsored by Common Sense Kids Action; supporters include the Consumer Federation of America, Electronic Frontier Foundation and Privacy Rights Clearinghouse.

CCPA Amendment Bill Signed Into Law

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121 (the “Bill”), which makes limited substantive and technical amendments to the California Consumer Privacy Act of 2018 (“CCPA”). The Bill takes effect immediately, and delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first.

We have previously posted about the modest changes that SB-1121 makes to the CCPA. As reported in BNA Privacy Law Watch, the California legislature may consider broader substantive changes to the CCPA in 2019.

CCPA Amended: Enforcement Delayed, Few Substantive Changes Made

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes.

Key amendments to the CCPA include:

  • Enforcement:
    • The bill extends by six months the deadline for the California Attorney General (“AG”) to draft and adopt the law’s implementing regulations, from January 1, 2020, to July 1, 2020. (CCPA § 1798.185(a)).
    • The bill delays the AG’s ability to bring enforcement actions under the CCPA until six months after publication of the implementing regulations or July 1, 2020, whichever comes first. (CCPA § 1798.185(c)).
    • The bill limits the civil penalties the AG can impose to $2,500 for each violation of the CCPA or up to $7,500 per each intentional violation, and states that a violating entity will be subject to an injunction. (CCPA § 1798.155(b)).
  • Definition of “personal information”: The CCPA includes a number of enumerated examples of “personal information” (“PI”), including IP address, geolocation data and web browsing history. The amendment clarifies that the listed examples would constitute PI only if the data “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” (CCPA § 1798.140(o)(1)).
  • Private right of action:
    • The amendments clarify that a consumer may bring an action under the CCPA only for a business’s alleged failure to “implement and maintain reasonable security procedures and practices” that results in a data breach. (CCPA § 1798.150(c)).
    • The bill removes the requirement that a consumer notify the AG once the consumer has brought an action against a business under the CCPA, and eliminates the AG’s ability to instruct a consumer to not proceed with an action. (CCPA § 1798.150(b)).
  • GLBA, DPPA, CIPA exemptions: The original text of the CCPA exempted information subject to the Gramm-Leach-Bliley Act (“GLBA”) and Driver’s Privacy Protection Act (“DPPA”), only to the extent the CCPA was “in conflict” with either statute. The bill removes the “in conflict” qualification and clarifies that data collected, processed, sold or disclosed pursuant to the GLBA, DPPA or the California Information Privacy Act is exempt from the CCPA’s requirements. The revisions also exempt such information from the CCPA’s private right of action provision. (CCPA §§ 1798.145(e), (f)).
  • Health information:
    • Health care providers: The bill adds an exemption for HIPAA-covered entities and providers of health care governed by the Confidentiality of Medical Information Act, “to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information,” as described in the CCPA. (CCPA § 1798.145(c)(1)(B)).
    • PHI: The bill expands the category of exempted protected health information (“PHI”) governed by HIPAA and the Health Information Technology for Economic and Clinical Health Act to include PHI collected by both covered entities and business associates. The original text did not address business associates. (CCPA § 1798.145(c)(1)(A)).
    • Clinical trial data: The bill adds an exemption for “information collected as part of a clinical trial” that is subject to the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) and is conducted in accordance with specified clinical practice guidelines. (CCPA § 1798.145(c)(1)(C)).
  • Notice of right of deletion: The original text of the CCPA stated that a business must disclose on its website or in its privacy policy a consumer’s right to request the deletion of her PI. The bill modifies this requirement, stating that a business must disclose the right to deletion “in a form that is reasonably accessible to consumers.” (CCPA § 1798.105(b)).
  • First Amendment protection: The bill adds a provision to the CCPA, which states that the rights afforded to consumers and obligations imposed on businesses under the CCPA do not apply if they “infringe on the noncommercial activities of a person or entity” as described in Art. I, Section 2(b) of the California constitution, which addresses activities related to the free press. This provision is designed to prevent First Amendment challenges to the law. (CCPA § 1798.150(k)).
  • Preemption:
    • The bill adds to the CCPA’s preemption clause that the law will not apply in the event its application is preempted by, or in conflict with, the U.S. Constitution. The CCPA previously referenced only the California Constitution. (CCPA § 1798.196).
    • Certain provisions of the CCPA supersede and preempt laws adopted by local entities regarding the collection and sale of a consumer’s PI by a business. The bill makes such provisions of the Act operative on the date the bill becomes effective.

The California State Legislature is expected to consider more substantive changes to the law when it reconvenes in January 2019.

California AG Voices Concern About State’s New Privacy Law

On August 22, 2018, California Attorney General Xavier Becerra raised significant concerns regarding the recently enacted California Consumer Privacy Act of 2018 (“CCPA”) in a letter addressed to the CCPA’s sponsors, Assemblyman Ed Chau and Senator Robert Hertzberg. Writing to “reemphasize what [he] expressed previously to [them] and [state] legislative leaders and Governor Brown,” Attorney General Becerra highlighted what he described as five primary flaws that, if unresolved, will undermine the intention behind and effective enforcement of the CCPA.

Most of the issues Attorney General Becerra pointed to were those he claimed impose unnecessary and/or onerous obligations on the Attorney General’s Office (“AGO”). For example, the CCPA requires the AGO to provide opinions, warnings and an opportunity to cure to a business before the business can be held accountable for a CCPA violation. Attorney General Becerra said that this effectively requires the AGO to provide unlimited legal counsel to private parties at taxpayer expense, and creates a potential conflict of interest by requiring the AGO to advise parties who may be violating Californians’ privacy rights.

In a similar vein, Attorney General Becerra noted that the CCPA gives consumers a limited right to sue if they become victims of a data breach, but otherwise does not include a private right of action for consumers to seek remedies to protect their privacy. That framework, Attorney General Becerra wrote, substantially increases the AGO’s need for enforcement resources. Likewise, the CCPA requires private plaintiffs to notify the Attorney General before filing suit. Attorney General Becerra criticized this requirement as both useless, since only courts may decide the merits of a case, and a drain on personnel and administrative resources.

Attorney General Becerra also pointed out that the CCPA’s civil penalty provisions purport to amend and modify the Unfair Competition Law’s civil penalty provision. The latter, however, was enacted by voters through a ballot proposition and thus cannot be amended through legislation. For that reason, Attorney General Becerra argued, the CCPA’s civil penalty provision is likely unconstitutional (the letter noted that the AGO has offered “corrective language” that replaces the CCPA’s current penalty provision with a stand-alone enforcement proposition).

Additionally, Attorney General Becerra took issue with the CCPA’s provision that the AGO has one year to conduct rulemaking for the CCPA. Attorney General Becerra noted that the CCPA did not provide resources for the AGO to carry out the rulemaking or its implementation thereafter; the Attorney General called the existing deadline “simply unattainable.”

California Lawmakers Consider Additional Resources For Attorney General’s Privacy Act Regulations

As reported in BNA Privacy Law Watch, a California legislative proposal would allocate additional resources to the California Attorney General’s office to facilitate the development of regulations required under the recently enacted California Consumer Privacy Act of 2018 (“CCPA”). CCPA was enacted in June 2018 and takes effect January 1, 2020. CCPA requires the California Attorney General to issue certain regulations prior to the effective date, including, among others, (1) to update the categories of data that constitute “personal information” under CCPA, and (2) certain additional regulations governing compliance (such as how a business may verify a consumer’s request made pursuant to CCPA). The proposal, which was presented in two budget bills, would allocate $700,000 and five staff positions to the California Attorney General’s office to aid in the development of the required regulations. The legislature is expected to pass the relevant funding measure by August 31, 2018. California Attorney General Xavier Becerra has stated that he expects his office will issue its final rules under CCPA in June 2019.

Ohio Law Provides Safe Harbor from Tort Claims Related to Data Breaches

On August 3, 2018, Ohio Governor John Kasich signed into law Senate Bill 220 (the “Bill”), which provides covered entities with an affirmative defense to tort claims, based on Ohio law or brought in an Ohio court, that allege or relate to the failure to implement reasonable information security controls which resulted in a data breach. According to the Bill, its purpose is “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.” The Bill will take effect 90 days after it is provided to the Ohio Secretary of State.

Equifax Enters Into Consent Order with State Banking Regulators Regarding 2017 Data Breach

As reported in BNA Privacy Law Watch, on June 27, 2018, Equifax entered into a consent order (the “Order”) with 8 state banking regulators (the “Multi-State Regulatory Agencies”), including those in New York and California, arising from the company’s 2017 data breach that exposed the personal information of 143 million consumers.

Equifax’s key obligations under the terms of the Order include: (1) developing a written risk assessment; (2) establishing a formal and documented Internal Audit Program that is capable of effectively evaluating IT controls; (3) developing a consolidated written Information Security Program and Information Security Policy; (4) improving oversight of its critical vendors and ensuring that sufficient controls are developed to safeguard information; (5) improving standards and controls for supporting the patch management function, including reducing the number of unpatched systems; and (6) enhancing oversight of IT operations as it relates to disaster recovery and business continuity. The Order also requires Equifax to strengthen its Board of Directors’ oversight over the company’s information security program, including regular Board reviews of relevant policies and procedures.

Equifax must also submit to the Multi-State Regulatory Agencies a list of all remediation projects planned, in process or implemented in response to the 2017 data breach, as well as written reports outlining its progress toward complying with the provisions of the Order.

California Consumer Privacy Act Signed, Introduces Key Privacy Requirements for Businesses

On June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020.

Key provisions of the Act include:

  • Applicability. The Act will apply to any for-profit business that (1) “does business in the state of California”; (2) collects consumers’ personal information (or on the behalf of which such information is collected) and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information; and (3) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25 million, (b) alone or in combination annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (c) derives 50 percent or more of its annual revenue from selling consumers’ personal information (collectively, “Covered Businesses”).
  • Definition of Personal Information. Personal information is defined broadly as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition of personal information aligns more closely with the EU General Data Protection Regulation’s definition of personal data. The Act includes a list of enumerated examples of personal information, which includes, among other data elements, name, postal or email address, Social Security number, government-issued identification number, biometric data, Internet activity information and geolocation data, as well as “inferences drawn from any of the information identified” in this definition.
  • Right to Know
    • Upon a verifiable request from a California consumer, a Covered Business must disclose (1) the categories and specific pieces of personal information the business has collected about the consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purposes for collecting or selling personal information; and (4) the categories of third parties with whom the business shares personal information.
    • In addition, upon verifiable request, a business that sells personal information about a California consumer, or that discloses a consumer’s personal information for a business purpose, must disclose (1) the categories of personal information that the business sold about the consumer; (2) the categories of third parties to whom the personal information was sold (by category of personal information for each third party to whom the personal information was sold); and (3) the categories of personal information that the business disclosed about the consumer for a business purpose.
    • The above disclosures must be made within 45 days of receipt of the request using one of the prescribed methods specified in the Act. The disclosure must cover the 12-month period preceding the business’s receipt of the verifiable request. The 45-day time period may be extended when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. Importantly, the disclosures must be made in a “readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.”
  • Exemption. Covered Businesses will not be required to make the disclosures described above to the extent the Covered Business discloses personal information to another entity pursuant to a written contract with such entity, provided the contract prohibits the recipient from selling the personal information, or retaining, using or disclosing the personal information for any purpose other than performance of services under the contract. In addition, the Act provides that a business is not liable for a service provider’s violation of the Act, provided that, at the time the business disclosed personal information to the service provider, the business had neither actual knowledge nor reason to believe that the service provider intended to commit such a violation.
  • Disclosures and Opt-Out. The Act will require Covered Businesses to provide notice to consumers of their rights under the Act (e.g., their right to opt out of the sale of their personal information), a list of the categories of personal information collected about consumers in the preceding 12 months, and, where applicable, that the Covered Business sells or discloses their personal information. If the Covered Business sells consumers’ personal information or discloses it to third parties for a business purpose, the notice must also include lists of the categories of personal information sold and disclosed about consumers, respectively. Covered Businesses will be required to make this disclosure in their online privacy notice. Covered Businesses must separately provide a clear and conspicuous link on their website that says, “Do Not Sell My Personal Information,” and provide consumers a mechanism to opt out of the sale of their personal information, a decision which the Covered Business must respect. Businesses also cannot discriminate against consumers who opt out of the sale of their personal information, but can offer financial incentives for the collection of personal information.
  • Specific Rules for Minors. If a business has actual knowledge that a consumer is less than 16 years of age, the Act prohibits a business from selling that consumer’s personal information unless (1) the consumer is between 13–16 years of age and has affirmatively authorized the sale (i.e., they opt in); or (2) the consumer is less than 13 years of age and the consumer’s parent or guardian has affirmatively authorized the sale.
  • Right to Deletion. The Act will require a business, upon verifiable request from a California consumer, to delete specified personal information that the business has collected about the consumer and direct any service providers to delete the consumer’s personal information. However, there are several enumerated exceptions to this deletion requirement. Specifically, a business or service provider is not required to comply with the consumer’s deletion request if it is necessary to maintain the consumer’s personal information to:
    • Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated, within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract with the consumer.
    • Detect security incidents; protect against malicious, deceptive, fraudulent or illegal activity; or prosecute those responsible for that activity.
    • Debug to identify and repair errors that impair existing intended functionality.
    • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
    • Comply with the California Electronic Communications Privacy Act.
    • Engage in public or peer-reviewed scientific, historical or statistical research in the public interest (when deletion of the information is likely to render impossible or seriously impair the achievement of such research) if the consumer has provided informed consent.
    • Enable solely internal uses that are reasonably aligned with the consumer’s expectations based on the consumer’s relationship with the business.
    • Comply with a legal obligation.
    • Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
  • Enforcement
    • The Act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.
    • The Act provides a private right of action only in connection with “certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information,” as defined in the state’s breach notification law, if the business failed “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
      • In this case, the consumer may bring an action to recover damages up to $750 per incident or actual damages, whichever is greater.
      • The statute also directs the court to consider certain factors when assessing the amount of statutory damages, including the nature, seriousness, persistence and willfulness of the defendant’s misconduct, the number of violations, the length of time over which the misconduct occurred, and the defendant’s assets, liabilities and net worth.

Prior to initiating any action against a business for statutory damages, a consumer must provide the business with 30 days’ written notice of the consumer’s allegations and, if within the 30 days the business cures the alleged violation and provides an express written statement that the violations have been cured, the consumer may not initiate an action for individual statutory damages or class-wide statutory damages. These limitations do not apply to actions initiated solely for actual pecuniary damages suffered as a result of the alleged violation.

California Assembly Bill Aims to Avert State Ballot Initiative Related to Privacy

On June 21, 2018, California lawmakers introduced AB 375, the California Consumer Privacy Act of 2018 (the “Bill”). If enacted and signed by the Governor by June 28, 2018, the Bill would introduce key privacy requirements for businesses, but would also result in the removal of a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative.

The Bill expands some of the requirements in the ballot initiative. For example, if enacted, the Bill would require businesses to disclose (e.g., in their Privacy Notice) the categories of personal information they collect about California consumers and the purposes for which that information is used. The Bill also would require businesses to disclose, upon a California consumer’s verifiable request, the categories and specific pieces of personal information they have collected about the consumer, as well as the business purposes for collecting or selling the information and the categories of third parties with whom it is shared. The Bill would require businesses to honor consumers’ requests to delete their data and to opt out of the sale of their personal information, and would prohibit a business from selling the personal information of a consumer under the age of 16 without explicit (i.e., opt-in) consent.

A significant difference between the Bill and the ballot initiative is that the Bill would give the California Attorney General exclusive authority to enforce most of its provisions (whereas the ballot initiative provides for a private right of action with statutory damages of up to $3,000 per violation). One exception would be that a private right of action would exist in the event of a data breach in which the California Attorney General declines to bring an action.

If enacted, the Bill would take effect January 1, 2020.

Virginia Amends Breach Notification Law Applicable to Income Tax Information

On July 1, 2018, HB 183, which amends Virginia’s breach notification law, will come into effect (the “amended law”). The amended law will require income tax return preparers who prepare individual Virginia income tax returns to notify the state’s Department of Taxation (the “Department”) if they discover or are notified of a breach of “return information.” Under the amended law, “return information” is defined as “a taxpayer’s identity and the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, assessments, or tax payments.”

If an income tax return preparer must notify the Department of a breach, then the preparer must provide the Department with the name and taxpayer identification number of any affected taxpayer, as well as the preparer’s name and preparer tax identification number.

Iowa and Nebraska Enact Information Security Laws

Recently, Iowa and Nebraska enacted information security laws applicable to personal information. Iowa’s law applies to operators of online services directed at and used by students in kindergarten through grade 12, whereas Nebraska’s law applies to all commercial entities doing business in Nebraska who own or license Nebraska residents’ personal information.

In Iowa, effective July 1, 2018, HF 2354 will impose information security requirements on operators of websites, online services, online applications or mobile applications who have actual knowledge that their sites, services or applications are designed, marketed and used primarily for kindergarten through grade 12 school purposes (“Operators”). Under the law, Operators will be required to implement and maintain information security procedures and practices consistent with industry standards and applicable state and federal laws to prevent students’ personal information from unauthorized access, destruction, use, modification or disclosure. Operators also are prohibited from selling or renting students’ information. The law does not apply to “general audience” websites, online services, online applications or mobile applications.

In Nebraska, effective July 18, 2018, LB757 requires commercial entities that conduct business in Nebraska and own, license or maintain computerized data that includes Nebraska residents’ personal information to implement and maintain reasonable security procedures and practices, including safeguards for the disposal of personal information. Under the law, commercial entities also must require, by contract, that their service providers institute and maintain reasonable security procedures and practices (the service provider provision applies to contracts entered into on or after the effective date of the law). A violation of the information security requirements under the law is subject to the penalty provisions of the state’s Consumer Protection Act, but expressly does not give rise to a private cause of action.

California Ballot Initiative to Establish Disclosure and Opt-Out Requirements for Consumers’ Personal Information

On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information. Key provisions of the Act include:

  • Definition of Personal Information. Personal information is defined broadly as “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” The Act includes a list of enumerated examples of personal information, which includes, among other data elements, name, postal or email address, Social Security number, government-issued identification number, biometric data, Internet activity information and geolocation data.
  • Applicability. The Act would apply to any for-profit business that “does business in the state of California” and (1) has annual gross revenues in excess of $50 million; (2) annually sells, alone or in combination, the personal information of 100,000 or more consumers or devices; or (3) derives 50 percent or more of its annual revenue from selling consumers’ personal information (collectively, “Covered Businesses”).
  • Right to Know. The Act would require Covered Businesses to disclose, upon a verifiable request from a California consumer, the categories of personal information the business has collected about the consumer, as well as the categories of personal information sold and/or disclosed for a business purpose to third parties. The Act would also require Covered Businesses to identify (i.e., provide the name and contact information for) the third parties to whom the Covered Business has sold or disclosed, for a business purpose, consumers’ personal information. Covered Businesses would be required to comply with such requests free of charge within 45 days of receipt, and would be required to provide this information only once within a 12-month period.
  • Exemption. Based on a carve-out in the definition of “third party” (which is defined to exclude (1) “the business that collects personal information from consumers under this Act” or (2) “a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract”), Covered Businesses would not be required to make the disclosures described above to the extent the Covered Business discloses personal information to another entity pursuant to a written contract with such entity, provided the contract prohibits the recipient from selling the personal information, or retaining, using or disclosing the personal information for any purpose other than performance of services under the contract.
  • Disclosures and Right to Opt Out. The Act would require Covered Businesses to provide notice to consumers of their rights under the Act, and, where applicable, that the Covered Business sells their personal information. If the Covered Business sells consumers’ personal information, the notice must disclose that fact and include that consumers have a right to opt out of the sale of their personal information. Covered Businesses would be required to make this disclosure in their online privacy notice and must separately provide a clear and conspicuous link on their website that says, “Do Not Sell My Personal Information” and provides an opt-out mechanism. If a consumer opts out, the Covered Business would be required to stop selling the consumers’ personal information unless the consumer expressly re-authorizes such sale.
  • Liability for Security Breaches. Pursuant to the Act, if a Covered Business suffers a “breach of the security of the system” (as defined in California’s breach notification law), the Covered Business may be held liable for a violation of the Act if the Covered Business “failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect personal information.”
  • Enforcement. The Act would establish a private right of action and expressly provides that a violation of the Act establishes injury-in-fact without the need to show financial harm. The Act establishes maximum statutory damages of $3,000 per violation or actual damages, whichever is higher. Separately, the Act also would be enforceable by the California Attorney General and would authorize a civil penalty of up to $7,500 per violation. The Act also contains whistleblower enforcement provisions.

If passed, the Act would take effect November 7, 2018, but would “only apply to personal information collected or sold by a business on or after” August 7, 2019.

Colorado Amends Data Breach Notification Law and Enacts Data Security Requirements

Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Among other provisions, the Bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information.

Key breach notification provisions of the Bill include:

  • Definition of Personal Information: The Bill amends Colorado’s breach notification law to define “personal information” as a Colorado resident’s first name or first initial and last name in combination with one or more of the following data elements: (1) Social Security number; (2) student, military or passport identification number; (3) driver’s license number or identification card number; (4) medical information; (5) health insurance identification number; or (6) biometric data. The amended law’s definition of “personal information” also includes a Colorado resident’s (1) username or email address in combination with a password or security questions and answers that would permit access to an online account and (2) account number or credit or debit card number in combination with any required security code, access code or password that would permit access to that account.
  • Attorney General Notification: If an entity must notify Colorado residents of a data breach, and reasonably believes that the breach has affected 500 or more residents, it must also provide notice to the Colorado Attorney General. Notice to the Attorney General is required even if the covered entity maintains its own procedures for security breaches as part of an information security policy or pursuant to state or federal law.
  • Timing: Notice to affected Colorado residents and the Colorado Attorney General must be made within 30 days after determining that a security breach occurred.
  • Content Requirements: The Bill also requires that notice to affected Colorado residents must include (1) the date, estimated date or estimated date range of the breach; (2) a description of the personal information acquired or reasonably believed to have been acquired; (3) contact information for the entity; (4) the toll-free numbers, addresses and websites for consumer reporting agencies and the FTC; and (5) a statement that the Colorado resident can obtain information from the FTC and the credit reporting agencies about fraud alerts and security freezes. If the breach involves a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account, the entity must also direct affected individuals to promptly change their password and security questions and answers, or to take other steps appropriate to protect the individual’s online account with the entity and all other online accounts for which the individual used the same or similar information.

Key data security and disposal provisions of the Bill include:

  • Definition of Personal Identifying Information: The Bill defines personal identifying information as “a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data…; an employer, student, or military identification number; or a financial transaction device.”
  • Applicability: The information security and disposal provisions of the Bill apply to “covered entities,” defined as persons that maintain, own or license personal identifying information in the course of the person’s business, vocation or occupation.
  • Protection of Personal Identifying Information: The Bill requires a covered entity that maintains, owns or licenses personal identifying information to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information it holds, and the nature and size of the business and its operations.
  • Third-Party Service Providers: Under the Bill, a covered entity that discloses information to a third-party service provider must require the service provider to implement and maintain reasonable security procedures and practices that are (1) appropriate to the nature of the personal identifying information disclosed and (2) reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure or destruction. A covered entity does not need to require a third-party service provider to do so if the covered entity agrees to provide its own security protection for the information it discloses to the provider.
  • Written Disposal Policy: The Bill requires covered entities to create a written policy for the destruction or proper disposal of paper and electronic documents containing personal identifying information that requires the destruction of those documents when they are no longer needed. A covered entity is deemed in compliance with this section of the Bill if it is regulated by state or federal law and maintains procedures for disposal of personal identifying information pursuant to that law.

Vermont Enacts Nation’s First Data Broker Legislation

Recently, Vermont enacted legislation (H.764) that regulates data brokers who buy and sell personal information. Vermont is the first state in the nation to enact this type of legislation.

  • Definition of Data Broker. The law defines a “data broker” broadly as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
  • Definition of “Brokered Personal Information.” “Brokered personal information” is defined broadly to mean one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties: (1) name, (2) address, (3) date of birth, (4) place of birth, (5) mother’s maiden name, (6) unique biometric data, including fingerprints, retina or iris images, or other unique physical or digital representations of biometric data, (7) name or address of a member of the consumer’s immediate family or household, (8) Social Security number or other government-issued identification number, or (9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable security.
  • Registration Requirement. The law requires data brokers to register annually with the Vermont Attorney General and pay a $100 annual registration fee.
  • Disclosures to State Attorney General. Data brokers must disclose annually to the State Attorney General information regarding their practices related to the collection, storage or sale of consumers’ personal information. Data brokers also must disclose annually their practices, if any, for allowing consumers to opt out of the collection, storage or sale of their personal information. Further, the law requires data brokers to report annually the number of data breaches experienced during the prior year and, if known, the total number of consumers affected by the breaches. There are additional disclosure requirements if the data broker knowingly possesses brokered personal information of minors, including a separate statement detailing the data broker’s practices for the collection, storage and sale of that information and applicable opt-out policies. Importantly, the law does not require data brokers to offer consumers the ability to opt out.
  • Information Security Program. The law requires data brokers to develop, implement and maintain a written, comprehensive information security program that contains appropriate physical, technical and administrative safeguards designed to protect consumers’ personal information.
  • Elimination of Fees for Security Freezes. The law eliminates fees associated with a consumer placing or lifting a security freeze. Previously, Vermont law allowed for fees of up to $10 to place, and up to $5 to lift temporarily or remove, a security freeze.
  • Enforcement. A violation of the law is considered an unfair and deceptive act in commerce in violation of Vermont’s consumer protection law.
  • Effective Date. The registration and data security obligations take effect January 1, 2019, while the other provisions of the law take effect immediately.

In a statement, Vermont Attorney General T.J. Donovan said, “This bill not only saves [Vermonters] money, but it gives them information and tools to help them keep their personal information secure.”

Louisiana Amends Data Breach Notification Law, Eliminates Fees for Security Freezes

Recently, Louisiana amended its Database Security Breach Notification Law (the “amended law”). Notably, the amended law (1) amends the state’s data breach notification law to expand the definition of personal information and requires notice to affected Louisiana residents within 60 days, and (2) imposes data security and destruction requirements on covered entities. The amended law goes into effect on August 1, 2018.

Key breach notification provisions of the amended law include:

  • Definition of Personal Information: Under the amended law, “personal information” is now defined as a resident’s first name or first initial and last name together with one or more of the following data elements, when the name or the data element is not encrypted or redacted: (1) Social Security Number; (2) driver’s license number or state identification card number; (3) account number, credit or debit card number, together with any required security code, access code or password that would permit access to the individual’s financial account; (4) passport number; and (5) biometric data, such as fingerprints, voice prints, eye retina or iris, or other unique biological characteristic, that is used to authenticate the individual’s identity.
  • Timing: The amended law requires that notice must be made to affected residents in the most expedient time possible and without unreasonable delay, but no later than 60 days from the discovery of a breach. This timing requirement also applies to third parties who are required to notify the owner or licensee of the personal information of a breach.
  • Delays: Under the amended law, entities must provide written notification to the Louisiana Attorney General within the 60-day period if notification is delayed due to (1) the entity’s determination that “measures are necessary to determine the scope of the breach, prevent further disclosures and restore the reasonable integrity of the system” or (2) law enforcement’s determination that notification would impede a criminal investigation. The Attorney General will allow an extension after receiving a written explanation of the reasons for delay.
  • Substitute Notification: The amended law lowers the bar for substitute notifications in the form of emails, postings on the website and notifications to major statewide media. Specifically, substitute notifications are permitted if (1) the cost of providing notifications would exceed $100,000 (previously the threshold was $250,000); (2) the number of affected individuals exceeds 100,000 (previously the threshold was 500,000); or (3) the entity does not have sufficient contact information.
  • Harm Threshold Documentation: Notification is not required if the entity determines that there is no reasonable likelihood of harm to Louisiana residents. The amended law requires that this written determination and supporting documents must be maintained for five years from the discovery. The Attorney General may request the documentation.

Key data security and destruction provisions of the amended law include:

  • “Reasonable” Security Procedures: The amended law creates a new requirement that entities that conduct business in Louisiana or own or license computerized personal information about Louisiana residents must maintain “reasonable security procedures and practices” to protect personal information. In addition, the security procedures and practices must be “appropriate to the nature of the information.” The amended law does not describe specifically what practices would meet these standards.
  • Data Destruction Requirement: The amended law creates a new requirement that, when Louisiana residents’ personal information owned or licensed by a business is “no longer to be retained,” “all reasonable steps” must be taken to destroy it. For instance, the personal information must be shredded or erased, or the personal information must be otherwise modified to “make it unreadable or undecipherable.”

Separately, on May 15, 2018, SB127 was signed by the governor and took immediate effect. The bill prohibits credit reporting agencies from charging a fee for placing, reinstating, temporarily lifting or revoking a security freeze.

Oregon Amends Data Breach Notification Law

On June 2, 2018, Oregon’s amended data breach notification law (“the amended law”) went into effect. Among other changes, the amended law broadens the applicability of breach notification requirements, prohibits fees for security freezes and related services provided to consumers in the wake of a breach and adds a specific notification timing requirement.

Key provisions of the amended law include:

  • Definition of Personal Information: Oregon’s definition of personal information now includes the consumer’s first name or initial and last name combined with “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.”
  • Expanded Scope of Application: Instead of applying only to persons who “own or license” personal information that they use in the course of their business, the amended law now also applies to any person who “otherwise possesses” such information and uses it in the course of their business. It also requires notice when an organization receives a notice of breach from another person that “maintains or otherwise possesses personal information on the person’s behalf.” Persons who maintain or otherwise possess information on behalf of another must “notify the other person as soon as is practicable after discovering a breach of security.”
  • Notice Requirements: The amended law adds a new notice deadline. Notice of a breach of security must be given in the “most expeditious manner possible, without unreasonable delay,” and not later than 45 days after discovering or being notified of the security breach. Also, while the amended law exempts entities that are required to provide breach notification under certain other requirements (e.g., federal laws such as HIPAA), such entities are now required to provide the Attorney General with any notice sent to consumers or regulators in compliance with such other requirements.
  • Providing Credit Monitoring Services: If organizations offer consumers credit monitoring services or identity theft prevention or mitigation services in connection with their notice of a breach, they cannot make those services contingent on the consumer providing a credit or debit card number, or accepting another service that the person offers to provide for a fee. The terms and conditions of any contract for the provision of these services must embody these requirements.
  • Prohibiting Fees for Security Freezes: Under the amended law, consumer reporting agencies are prohibited from charging a consumer a fee for “placing, temporarily lifting or removing a security freeze on the consumer’s report,” creating or deleting protective records, placing or removing security freezes on protected records, or replacing identification numbers, passwords or similar devices that the agency previously provided.

Arizona Amends Data Breach Notification Law

On April 11, 2018, Arizona amended its data breach notification law (the “amended law”). The amended law will require persons, companies and government agencies doing business in the state to notify affected individuals within 45 days of determining that a breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals. The old law only required notification “in the most expedient manner possible and without unreasonable delay.” The amended law also broadens the definition of personal information and requires regulatory notice and notice to the consumer reporting agencies (“CRAs”) under certain circumstances.

Key provisions of the amended law include:

  • Definition of Personal Information. Under the amended law, the definition of “personal information” now includes an individual’s first name or initial and last name in combination with one or more of the following “specified data elements:” (1) Social Security number; (2) driver’s license or non-operating license number; (3) a private key that is unique to an individual and that is used to authenticate or sign an electronic record; (4) financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the individual’s financial account; (5) health insurance identification number; (6) medical or mental health treatment information or diagnoses by a health care professional; (7) passport number; (8) taxpayer identification or identity protection personal identification number issued by the Internal Revenue Service; and (9) unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account. The amended law also defines “personal information” to include “an individual’s user name or e-mail address, in combination with a password or security question and answer, which allows access to an online account.”
  • Harm Threshold. Pursuant to the amended law, notification to affected individuals, the Attorney General and the CRAs is not required if breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.
  • Notice to the Attorney General and Consumer Reporting Agencies. If the breach requires notification to more than 1,000 individuals, notification must also be made to the Attorney General and the three largest nationwide CRAs.
  • Timing. Notifications to affected individuals, the Attorney General and the CRAs must be issued within 45 days of determining that a breach has occurred.
  • Substitute Notice. Where the cost of making notifications would exceed $50,000, the affected group is bigger than 100,000 individuals, or there is insufficient contact information for notice, the amended law now requires that substitute notice be made by (1) sending a written letter to the Attorney General demonstrating the facts necessary for substitute notice and (2) conspicuously posting the notice on the breached entity’s website for at least 45 days. Under the amended law, substitute notice no longer requires email notice to affected individuals and notification to major statewide media.
  • Penalty Cap. The Attorney General may impose up to $500,000 in civil penalties for knowing and willful violations of the law in relation to a breach or series of related breaches. The Attorney General also is entitled to recover restitution for affected individuals.

Alabama Becomes Final State to Enact Data Breach Notification Law

On March 28, 2018, Alabama became the final state in the U.S. to enact a data breach notification law. The Alabama Data Breach Notification Act of 2018 (S.B. 318) (“the Law”) goes into effect on June 1, 2018.

Key Provisions of the Alabama Data Breach Notification Act of 2018:

  • The law applies to “covered entities” and their “third-party agents.” “Covered entity” is defined as “a person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association or other business entity that acquires or uses sensitive personally identifying information.” “Third-party agent” is defined as “an entity that has been contracted to maintain, store, process, or is otherwise permitted to access sensitive personally identifying information in connection with providing services to a covered entity.”
  • The definition of “sensitive personally identifying information” includes health information (i.e., an individual’s medical condition and history, and health insurance identification numbers), as well as username or email address in combination with a password or security question and answer that would permit access to an online account likely to contain sensitive personally identifying information.
  • The law applies to unencrypted computerized data or encrypted computerized data when the encryption key or code is also compromised.
  • Notification is not required if, after a prompt investigation in good faith, it is determined that the breach of security is not reasonably likely to cause substantial harm to the individuals to whom the information relates.
  • Written notice must be made to affected individuals (and to the Alabama Office of the Attorney General if over 1,000 Alabama residents are notified) within 45 calendar days of a determination that the breach of security is reasonably likely to cause substantial harm to affected individuals. Notice to all consumer reporting agencies is also required “without unreasonable delay” if over 1,000 Alabama residents are notified.
  • Third-party agents are required to notify the covered entity within 10 days of discovery of a breach of security.
  • Covered entities that are subject to federal or state laws, rules, regulations, procedures or guidance on data breach notification established or enforced by the federal or state government are exempt from the statute as long as the covered entity (1) maintains procedures pursuant to those laws; (2) provides notice to affected individuals pursuant to those laws; and (3) provides in a timely manner a copy of the notice to the Alabama Office of the Attorney General when the number of individuals the covered entity notifies exceeds 1,000.
  • Covered entities and their third-party agents must implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security, which include:
    • Designation of an employee(s) to coordinate the covered entity’s security measures to protect against a breach of security;
    • Identification of internal and external risks of a breach of security;
    • Adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
    • Retention of service providers that are contractually required to maintain appropriate safeguards for sensitive personally identifying information;
    • Evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information; and
    • Keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.
  • The law also contains a data disposal provision that requires covered entities and third-party agents to shred, erase or otherwise modify sensitive personally identifying information contained in records when the records are no longer to be retained pursuant to applicable law, regulations or business needs.

South Dakota Enacts Breach Notification Law

As reported in BNA Privacy Law Watch, on March 21, 2018, South Dakota enacted the state’s first data breach notification law. The law will take effect on July 1, 2018, and includes several key provisions:

  • Definitions of Personal Information and Protected Information. The law defines personal information as a person’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security Number; (2) driver’s license number or other unique identification number created or collected by a government body; (3) account, credit card or debit card number, in combination with any required security code, access code, password, routing number, PIN or any additional information that would permit access to a person’s financial account; (4) health information; and (5) an identification number assigned to a person by the person’s employer in combination with any required security code, access code, password, or biometric data generated from measurements or analysis of human body characteristics for authentication purposes. The law further defines “protected information” as (1) a username or email address in combination with a password, security question answer, or other information that permits access to an online account; and (2) account number or credit or debit card number, in combination with any required security code, access code, or password that permits access to a person’s financial account. Notably, the definition of “protected information” does not include a person’s name.
  • Breach Notification Requirement. The law requires notification to affected individuals (and, in certain circumstances, the Attorney General, as explained below) in the event of unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) by any person that materially compromises the security, confidentiality or integrity of personal information or protected information.
  • Content and Method of Notice. The law does not contain content requirements for the notice. Notice may be provided (1) in writing; (2) electronically, if the notice is consistent with the provisions of E-SIGN; or (3) via substitute notice if the cost of providing notice would exceed $250,000, the number of affected individuals exceeds 500,000, or the entity does not have sufficient contact information for affected individuals. Substitute notice must consist of (1) email notice, if the entity has an email address for affected individuals; (2) conspicuous posting on the entity’s website; and (3) notification to statewide media.
  • Timing. Notification to affected individuals is required within 60 days of discovery of the breach.
  • Harm Threshold. The law contains a harm threshold, pursuant to which notification is not required if, following an appropriate investigation and notice to the Attorney General, the entity reasonably determines that the breach will not likely result in harm to the affected person(s).
  • Notice to the Attorney General. The law requires notification to the Attorney General of any breach that exceeds 250 South Dakota residents.
  • Notice to the Consumer Reporting Agencies. In the event notification to affected individuals is required, the law also requires notification to the nationwide consumer reporting agencies of the timing, distribution and content of the notice to individuals.
  • Penalties for Non-Compliance. A violation of the breach notification law is considered a deceptive act under the state’s consumer protection laws. The South Dakota Attorney General noted that this violation has the effect of creating a private right of action. In addition, the Attorney General is authorized to enforce the breach notification law and may impose a fine of up to $10,000 per day per violation.

With this enactment, Alabama remains the sole U.S. state without a breach notification law.

Hilton Agrees to Settle Data Breach-Related Claims by NY and VT Attorneys General

On October 31, 2017, the New York and Vermont Attorneys General (“Attorneys General”) announced a settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), to settle allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches, which exposed over 350,000 credit card numbers. The Attorneys General alleged that Hilton failed to maintain reasonable data security and waited more than nine months after the first incident to notify consumers of the breaches, in violation of the states’ consumer protection and breach notification laws.

Hilton agreed to pay $400,000 to the New York Attorney General and $300,000 to the Vermont Attorney General to resolve these allegations. In addition, the settlement requires Hilton to provide immediate notice to consumers affected by a breach, maintain a comprehensive information security program and conduct data security assessments, including an annual written assessment of its compliance with the Payment Card Industry Data Security Standard. With respect to the information security program, Hilton must protect consumer cardholder data by:

  • designating an employee to coordinate and supervise its information security program;
  • identifying material internal and external risks to information security that could lead to unauthorized disclosure, misuse, loss, alteration, destruction or other compromise of the information;
  • implementing reasonable safeguards to control those risks, and performing regular testing or monitoring of the safeguards’ effectiveness;
  • developing and using reasonable steps to select and retain service providers capable of appropriately safeguarding cardholder data, and contractually requiring such service providers to also implement and maintain appropriate safeguards for the information; and
  • evaluating Hilton’s information security program and adjusting it based on testing or monitoring results or other circumstances (including material changes to Hilton’s operations or business arrangements) that Hilton knows, or an entity acting reasonably under the circumstances would know, may have a material impact on the program’s effectiveness.

Speaking on the settlement, New York Attorney General Schneiderman stated: “Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible. Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”

Samanage USA, Inc. Agrees to Pay to Settle Vermont AG’s Data Security Investigation

On September 29, 2017, Samanage USA, Inc. (“Samanage”), a North Carolina-based technology company that provided cloud-based IT support services as a subcontractor for Vermont’s health care exchange (“Vermont Health Connect”), agreed to a $264,000 settlement with the Vermont Attorney General in relation to a breach that exposed the Social Security numbers of 660 Vermont Health Connect users.

In June 2016, an employee of a contractor for the State of Vermont attached a spreadsheet with the names and Social Security numbers of Vermont Health Connect users to a job ticket that was part of Samanage’s IT support system. Samanage’s system communicated job tickets through a unique URL that was generated by a hash algorithm. According to the Vermont Attorney General, however, because Samanage did not authenticate an entity that requested information via the URL, anyone could theoretically type the URL into a standard web browser and access the document. As a result, Microsoft Bing’s search index web crawler discovered the URL and posted it to its search results, revealing not only the link to the spreadsheet, but also a preview of the contents of the document, including the personally identifiable information of Vermont Health Connect users. The publicly accessible search result was discovered by a Vermont resident who subsequently notified the Vermont Attorney General.

After receiving notice of the breach, Samanage changed the document’s security settings to require authentication, but nonetheless failed to (1) immediately require authentication of all documents; and (2) notify the contractor of the breach, as required by Vermont’s breach notification law. According to the terms of the settlement, “[a]bsent intervention by the Attorney General, there is no indication that SaManage planned to inform anyone of the breach.”
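The failure mode the Attorney General describes above is a document served to whoever holds its hashed URL, with no authentication of the requester, so that a search-engine crawler following the link could read and preview it. The following added example (not Samanage’s code; the class and function names, the in-memory session model, and the sample spreadsheet are all constructed for illustration) contrasts that weak pattern with the corrected one, where the URL merely locates the attachment and an authenticated session authorizes the caller:

```python
"""Capability-URL-only access versus authenticated access to ticket attachments.

Added illustration, not the code of any company named on this page. TicketStore,
attach, login, fetch_by_url_only, fetch and exposed_previews are assumed names,
and the session model is a deliberately simple stand-in for a real one.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple


class TicketStore:
    """In-memory store of ticket attachments keyed by a hashed URL token."""

    def __init__(self) -> None:
        self._docs: Dict[str, Tuple[str, str]] = {}   # token -> (owner, content)
        self._sessions: Dict[str, str] = {}           # session id -> username

    def attach(self, ticket_id: str, owner: str, content: str) -> str:
        # The URL token is derived with a hash, as in the scenario above. It is hard
        # to guess, but it is only a locator: once the link appears anywhere public
        # (a referer, a crawl, a pasted ticket), hashing gives no protection.
        token = hashlib.sha256(f"ticket:{ticket_id}".encode()).hexdigest()
        self._docs[token] = (owner, content)
        return f"https://support.example.invalid/attachments/{token}"  # constructed host

    def login(self, username: str) -> str:
        """Issue a random session id for an already-identified user (stand-in for real auth)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    @staticmethod
    def _token_from_url(url: str) -> str:
        return url.rsplit("/", 1)[-1]

    def fetch_by_url_only(self, url: str) -> Optional[str]:
        """Weak pattern: anyone holding the URL, including a crawler, gets the document."""
        doc = self._docs.get(self._token_from_url(url))
        return doc[1] if doc else None

    def fetch(self, url: str, session_id: Optional[str]) -> Optional[str]:
        """Hardened pattern: the URL locates the document; the session authorizes the caller.

        Unauthenticated callers and authenticated callers who do not own the ticket
        both receive nothing, and the two cases are indistinguishable to the caller.
        """
        user = self._sessions.get(session_id) if session_id else None
        if user is None:
            return None
        doc = self._docs.get(self._token_from_url(url))
        if doc is None or doc[0] != user:
            return None
        return doc[1]


def exposed_previews(store: TicketStore, discovered_urls: List[str],
                     preview_chars: int = 24) -> Dict[str, str]:
    """Model a crawler: fetch every discovered URL with no credentials and keep a
    short preview of whatever comes back. A defender can run the same check against
    a list of attachment URLs to confirm that nothing is readable anonymously."""
    found: Dict[str, str] = {}
    for url in discovered_urls:
        body = store.fetch_by_url_only(url)
        if body is not None:
            found[url] = body[:preview_chars]
    return found


if __name__ == "__main__":
    store = TicketStore()
    # Constructed sample: a spreadsheet with fake data attached to a ticket by "alice".
    url = store.attach("4711", "alice", "name,ssn\nJane Doe,000-00-0000\n")
    print("anonymous (weak):   ", store.fetch_by_url_only(url) is not None)   # True
    print("anonymous (hardened):", store.fetch(url, None) is not None)         # False
    print("crawler previews:   ", exposed_previews(store, [url]))
```

The point the example makes is that entropy in a URL is not authentication: `exposed_previews` returns a preview for every link served through `fetch_by_url_only`, exactly as the search index did, while the same links yield nothing through `fetch` without a valid session belonging to the ticket’s owner. The remediation described in the settlement, requiring authentication on all documents rather than on the one that was reported, corresponds to routing every attachment through `fetch`.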

The Attorney General brought claims under both Vermont’s Consumer Protection Act and Vermont’s Security Breach Notice Act. Under the terms of the settlement, Samanage agreed to implement a comprehensive written information security program that includes (1) designating an employee to coordinate and be accountable for the company’s information security program; (2) conducting a risk assessment; (3) designing and implementing safeguards to control identified risks; (4) testing and monitoring the effectiveness of the safeguards on an ongoing basis; and (5) evaluation and modification of the security program in light of the results of such testing and monitoring.

The settlement further requires Samanage to implement certain prescribed technical safeguards (e.g., network segmentation, security patching and anti-malware tools, intrusion detection systems or other security monitoring tools, access control measures, log retention, etc.), submit to a full audit of its legal compliance program, and conduct training for its officers and employees.

Delaware Amends Data Breach Notification Law

As reported in BNA Privacy Law Watch, on August 17, 2017, Delaware amended its data breach notification law, effective April 14, 2018. The Delaware law previously required companies to give notice of a breach to affected Delaware residents “as soon as possible” after determining that, as a result of the breach, “misuse of information about a Delaware resident has occurred or is reasonably likely to occur.” The prior version of the law did not require regulator notification.

The amendments include several key provisions:

  • Definition of Personal Information. Under the revised law, the definition of “personal information” is expanded and now includes a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security number; (2) driver’s license or state or federal identification card number; (3) account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a financial account; (4) passport number; (5) a username or email address in combination with a password or security question and answer that would permit access to an online account; (6) medical history, treatment or diagnosis by a health care professional, or DNA profile; (7) health insurance identification number; (8) biometric data; and (9) an individual taxpayer identification number.
  • Timing. Companies will be required to notify affected individuals of a data breach within 60 days.
  • Notice to the Attorney General. Companies will be required to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents.
  • Harm Threshold. The amendments change the law’s harm threshold for notification. Under the revised law, notification to affected individuals (and the Attorney General, if applicable) is required unless, after an appropriate investigation, the company reasonably determines that the breach is unlikely to result in harm to affected individuals.
  • Credit Monitoring. Companies will be required to offer credit monitoring services to affected individuals at no cost for one year if the breach includes a Delaware resident’s Social Security number. California’s breach notification law contains a similar requirement.

Nationwide Agrees to Pay $5.5 Million to Settle Multistate Data Breach Investigation

On August 9, 2017, Nationwide Mutual Insurance Co. (“Nationwide”) agreed to a $5.5 million settlement with attorneys general from 32 states in connection with a 2012 data breach that exposed the personal information of over 1.2 million individuals.

The settlement comes on the heels of a multistate investigation into the circumstances surrounding the breach. In October 2012, Nationwide and its affiliate, Allied Property & Casualty Insurance Co. (“Allied”), suffered a breach that resulted in unauthorized access to, and exfiltration of, certain personal information of their customers and other consumers, including names, Social Security numbers, driver’s license numbers, credit scoring data and other data collected to provide quotes to consumers applying for insurance coverage. Attorneys general from the 32 states alleged that the breach occurred when hackers exploited a vulnerability in a third-party web application hosting software used by Nationwide and Allied. According to the attorneys general, Nationwide and Allied had failed to deploy a critical software patch that was released in 2009 to address the vulnerability.

Under the terms of the settlement, Nationwide and Allied agreed to take a series of steps for a period of three years from the effective date of the agreement, including:

  • appointing an individual responsible for managing and monitoring software and application security updates and patches;
  • maintaining an inventory of all systems that process personal information as well as the updates and patches applied to such systems. Nationwide and Allied also must assign a priority level to each new security update and patch under consideration and document the basis for any exceptions;
  • regularly reviewing and updating incident management policies and procedures;
  • maintaining a system management tool that scans systems that process personal information for “common vulnerabilities or exposures” (“CVEs”) and provides near real-time updates regarding known CVEs;
  • purchasing and installing an “automated CVE feed” from a third-party provider;
  • implementing processes and procedures that provide for internal notification, evaluation and documentation of identified CVEs;
  • performing an internal patch management assessment on a semi-annual basis that identifies known CVEs, assigns them a risk rating, confirms appropriate patches have been applied, and documents the basis for any exceptions; and
  • hiring an independent third party to perform a patch management audit on an annual basis.

The settlement further requires Nationwide and Allied to notify consumers that they retain their personal information, even if they do not become insureds.

Nevada Enacts Website Privacy Notice Law

Recently, Nevada enacted an online privacy policy law which will require operators of websites and online services to post a notice on their website regarding their privacy practices. The Nevada law contains content requirements for online privacy notices, specifying that the notice must (1) identify the categories of personally identifiable information (“PII”) collected through the website and the categories of third parties with whom PII may be shared; (2) provide information about users’ ability to review and request changes to PII collected through the website; (3) disclose whether third parties may collect information about users’ online activities from the website; and (4) provide an effective date of the notice.

Nevada is the third state to enact legislation requiring website operators to post a public privacy notice, following California (enacted in 2004) and Delaware (enacted in 2016). The scope of Nevada’s law is narrower than the laws of California and Delaware in several key respects. Namely, the Nevada law limits its jurisdictional application to entities that purposefully direct or conduct activities in Nevada, or consummate some transaction with the state or one of its residents. Additionally, the law is not applicable to website operators whose revenue is derived primarily from other sources than online services and whose website annually receives fewer than 20,000 unique visitors.

The Nevada law does not provide a private right of action, but grants the Nevada Attorney General the power to enforce compliance and provides for injunctive relief and a maximum authorized civil penalty of $5,000. The law is set to take effect on October 1, 2017.

New Jersey Shopper Privacy Bill Signed into Law

On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

  • to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item or requests a refund or an exchange;
  • to verify the person’s age when providing age-restricted goods or services to the person;
  • to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;
  • to prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;
  • to establish or maintain a contractual relationship;
  • to record, retain or transmit information as required by state or federal law;
  • to transmit information to a consumer reporting agency, financial institution or debt collector to be used as permitted by the Fair Credit Reporting Act or certain other relevant federal laws; or
  • to record, retain or transmit information by a covered entity pursuant to the Health Insurance Portability and Accountability Act of 1996.

In addition, the law limits the information which retail establishments may collect from the scanned identification cards. The information that may be collected from the card includes the person’s name, address, date of birth, the state issuing the identification card and the identification card number. The law also places restrictions on the retention, sale and sharing of such information and establishes security requirements for any information retained from the scanned identification cards. The law emphasizes that retailers must report security breaches of certain information collected from scanned identification cards pursuant to New Jersey’s security breach notification statute.

The law is set to take effect three months from the date of enactment.

Putative Data Breach Class Action Dismissed for the Third Time

On June 13, 2017, Judge Andrea R. Wood of the Northern District of Illinois dismissed with prejudice a putative consumer class action filed against Barnes & Noble. The case was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. The court had previously dismissed the plaintiffs’ original complaint without prejudice for failure to establish Article III standing. After the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, the plaintiffs filed an almost identical amended complaint that alleged the same causes of action and virtually identical facts. Although the court found that the first amended complaint sufficiently alleged Article III standing, the plaintiffs nevertheless failed to plead a viable claim. The court therefore dismissed the first amended complaint under Rule 12(b)(6). 

The second amended complaint reduced both the number of plaintiffs and the number of claims, advancing causes of action for breach of implied contract and various claims under Illinois’ and California’s consumer protection statutes. Plaintiffs added factual allegations of injuries stemming from emotional distress, loss of PII value, time spent with bank and police employees, cell phone minutes used, inability to use payment cards during the replacement period and the cost of credit monitoring services. The court found, however, that none of the alleged damages, including the cost of the credit monitoring services, were cognizable injuries under Rule 12(b)(6). Finding that further amendment would be futile given the prior and ample amendment opportunities, the court dismissed the case with prejudice.

Washington Becomes Third State to Enact Biometric Privacy Law

On May 16, 2017, the Governor of the State of Washington, Jay Inslee, signed into law House Bill 1493 (“H.B. 1493”), which sets forth requirements for businesses that collect and use biometric identifiers for commercial purposes. The law will become effective on July 23, 2017. With the enactment of H.B. 1493, Washington becomes the third state to pass legislation regulating the commercial use of biometric identifiers, following Illinois, which enacted the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”), and Texas, which enacted the Texas Statute on the Capture or Use of Biometric Identifier (Tex. Bus. & Com. Code Ann. §503.001).

H.B. 1493 defines “biometric identifier” as data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual. Interestingly, unlike the Illinois and Texas statutes, H.B. 1493’s definition of “biometric identifier” does not reference a record or scan of face geometry (i.e., facial recognition data). The definition also explicitly excludes “physical or digital photographs, video or audio recording or data generated therefrom,” and certain health-related data processed pursuant to the Health Insurance Portability and Accountability Act of 1996. Notably, several putative class action lawsuits have been filed against social networking sites, such as Shutterfly, for allegedly using facial recognition technology to scan users’ uploaded photographs in violation of BIPA’s notice and consent requirements. Although it is unclear whether H.B. 1493 covers scans of face geometry, the lack of explicit inclusion of such data may be a response to such lawsuits.

Pursuant to H.B. 1493, a person may not “enroll” a biometric identifier in a database for a commercial purpose without first providing notice, obtaining consent or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose. In contrast to the Illinois and Texas statutes, which broadly regulate the capture (or, in the case of BIPA, the possession) of biometric identifiers, Washington’s statute is limited to those persons that “enroll” biometric identifiers by capturing the data, converting it into a reference template that cannot be reconstructed into the original output image, and storing it in a database that matches the biometric identifier to a specific individual. Notably, the statute’s limitations on disclosure and retention of biometric identifiers do not apply to biometric identifiers that have been “unenrolled.”

H.B. 1493 contains detailed requirements governing the enrollment of biometric identifiers for a commercial purpose, as well as the subsequent disclosure of such data. In particular:

  • The statute makes it clear that the notice required under the law is separate from, and is not considered, “affirmative consent.”
  • Unlike BIPA, which explicitly requires a written release from the subject before obtaining his or her biometric identifier, H.B. 1493 broadly states that the exact notice and type of consent required to achieve compliance is “context-dependent.” The notice must be given through a procedure reasonably designed to be readily available to affected individuals.
  • A person who enrolls a biometric identifier for a commercial purpose or obtains a biometric identifier from a third party for a commercial purpose may not use or disclose it in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining consent for the new use or disclosure.
  • Unless consent has been obtained, a person who has enrolled an individual’s biometric identifier may not sell, lease or otherwise disclose the biometric identifier to another person for a commercial purpose unless one of certain enumerated statutory exceptions applies, including: (1) where necessary to provide a product or service requested by the individual; or (2) where disclosed to a third party who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose that is inconsistent with the notice and consent provided.

Importantly, unlike the Illinois and Texas statutes, H.B. 1493 contains a broad “security exception,” exempting those persons that collect, capture, enroll or store biometric identifiers in furtherance of a “security purpose.”

Similar to the Illinois and Texas statutes, H.B. 1493 also contains data security and retention requirements. In particular, the statute requires (1) reasonable care to guard against unauthorized access to and acquisition of biometric identifiers and (2) retention of biometric identifiers for no longer than necessary to comply with the law, protect against fraud, criminal activity, security threats or liability, or to provide the service for which the biometric identifier was enrolled.

As with the Texas biometric law, H.B. 1493 does not create a private right of action to allow for suits by individual plaintiffs. Instead, only the Washington Attorney General can enforce the requirements. The Illinois biometric law currently is the only state biometric statute that includes a private right of action.

Although Washington is only the third state to enact a biometric privacy law, several other states are considering similar legislation as the commercial collection and use of biometric identifiers becomes more commonplace.

Colorado Publishes Cybersecurity Regulations for Financial Institutions

Recently, the Colorado Division of Securities (the “Division”) published cybersecurity regulations for broker-dealers and investment advisers regulated by the Division. Colorado’s cybersecurity regulations follow similar regulations enacted in New York that apply to certain state-regulated financial institutions.

The regulations obligate covered broker-dealers and investment advisers to establish and maintain written cybersecurity procedures designed to protect “confidential personal information,” which is defined to include a Colorado resident’s first name or first initial and last name, plus (1) Social Security number; (2) driver’s license number or identification card number; (3) account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to a resident’s financial account; (4) digitized or other electronic signature; or (5) user name, unique identifier or electronic mail address in combination with a password, access code, security question or other authentication information that would permit access to an online account.

The cybersecurity procedures must include:

  • an annual assessment by the firm or an agent of the firm of the potential risks and vulnerabilities to the confidentiality, integrity and availability of confidential personal information;
  • the use of secure email for email containing confidential personal information, including use of encryption and digital signatures;
  • authentication practices for employee access to electronic communications, databases and media;
  • procedures for authenticating client instructions received via electronic communication; and
  • disclosure to clients of the risks of using electronic communications.

In determining whether a firm’s cybersecurity procedures are reasonably designed, the Division may consider the firm’s size, relationships with third parties and cybersecurity policies and procedures. The Division may also consider the firm’s (1) authentication practices, (2) use of electronic communications, (3) use of automatic locking mechanisms for devices that have access to confidential personal information and (4) process for reporting lost or stolen devices.

The Colorado Secretary of State will set an effective date for the Colorado regulations after the Colorado Attorney General’s office issues an opinion on the regulations.

Amended Oregon Law Reinforces Importance of Adhering to Privacy Policies

On May 25, 2017, Oregon Governor Kate Brown signed into law H.B. 2090, which updates Oregon’s Unlawful Trade Practices Act by holding companies liable for making misrepresentations on their websites (e.g., in privacy policies) or in their consumer agreements about how they will use, disclose, collect, maintain, delete or dispose of consumer information. Pursuant to H.B. 2090, a company engages in an unlawful trade practice if it makes assertions to consumers regarding the handling of their information that are materially inconsistent with its actual practices. Consumers can report violations to the Oregon Attorney General’s consumer complaint hotline. H.B. 2090 reinforces the significance of carefully drafting clear, accurate privacy policies and complying with those policies’ provisions.

Target and State Attorneys General Resolve Investigation with Largest Multi-State Breach Settlement to Date

On May 23, 2017, the attorneys general of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date.

Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan led the investigation, which found that hackers used credentials stolen from a third-party vendor to access Target’s gateway server and install malware that enabled them to capture consumer data, including names, contact information and payment card information of over 40 million customers. In addition to the monetary settlement, Target will adopt measures to secure and protect consumer information. For example, Target has 180 days to develop and implement a comprehensive information security program to be overseen by an executive reporting to its CEO and Board of Directors. The settlement also requires Target to obtain a third-party assessment of the measures it adopts and submit the assessor’s findings to the states.

Attorney General Madigan described the measures as setting “industry standards for companies that process payment cards and maintain secure information about their customers.” Attorney General Jepsen not only commended Target for its actions in response to the breach, including its cooperation with the states’ investigation and settlement negotiations, but also hoped the settlement would “serve to inform other companies as to what is expected of them in terms of the security of their consumers’ information.”

New York AG Settles with Wireless Lock Maker Over Security Flaws

On May 22, 2017, New York Attorney General Eric T. Schneiderman announced that the AG’s office has reached a settlement (the “Settlement”) with Safetech Products LLC (“Safetech”) regarding the company’s sale of insecure Bluetooth-enabled wireless doors and padlocks. In a press release, Schneiderman indicated that this “marks the first time an attorneys general’s office has taken legal action against a wireless security company for failing to protect their [customers’] personal and private information.”

The Settlement stems from Safetech’s representations that its products would allow users the ability to protect personal belongings inside their homes by turning doors and closets into secure areas. In August 2016, however, a team of independent security researchers discovered that Safetech’s Bluetooth-enabled locks left consumers susceptible to hacking and theft because the locks failed to secure passwords and other security information required for operation. Specifically, the researchers found that Safetech’s locks transmitted passwords between the locks and users’ smartphones in plain text and without encryption, allowing potential perpetrators to intercept the passwords and open the locks. The researchers also discovered that the locks shipped with weak and insecure default passwords that could easily be guessed or discovered through brute force attacks, in which automated software generates a large number of consecutive guesses.

The Settlement requires Safetech to encrypt all passwords, electronic keys or other security credentials in its locks and other Bluetooth-enabled devices, as well as to prompt users to change the default password upon the users’ initial setup of wireless communication. The Settlement also requires Safetech to establish and implement a written comprehensive security program reasonably designed to (1) address security risks related to the development and management of new and existing devices that use security information, and (2) protect the privacy, security, confidentiality and integrity of security information, including:

  • designating an employee or employees to coordinate and be accountable for the security program;
  • identifying material internal and external risks to (1) the security of the devices that could result in unauthorized access to or unauthorized modification of the device and (2) the privacy, security, confidentiality and integrity of security information;
  • designing and implementing reasonable safeguards to control the risks identified through the risk assessment;
  • regularly testing or monitoring the effectiveness of the safeguards’ key controls, systems and procedures, including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
  • developing and using reasonable steps to select and retain service providers capable of maintaining security practices consistent with the Settlement, and contractually requiring service providers to implement and maintain appropriate safeguards consistent with the Settlement; and
  • evaluating and adjusting Safetech’s security program in light of the results of the testing and monitoring required by the Settlement.

Global Ransomware Attacks Raise Key Legal Considerations

On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” exploits a Windows vulnerability, encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including businesses, hospitals, utilities and government entities around the world.

These types of incidents can have significant legal implications for affected entities and for industries in which data access and continuity are critical (health care and finance are particularly vulnerable). As affected entities work to understand and respond to the threat of ransomware, below is a summary of key legal considerations:

  • FTC Enforcement. In a November 2016 blog entry, the FTC noted that “a business’ failure to secure its networks from ransomware can cause significant harm to the consumers (and employees) whose personal data is hacked. And in some cases, a business’ inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency.” The FTC also noted that “a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.” In various FTC enforcement actions (including those against Wyndham Worldwide Corporation and ASUSTeK Computer, Inc.), the FTC has demonstrated its willingness to bring Section 5 enforcement actions against companies that experience data security incidents resulting from malware exploitation of vulnerabilities. In the event of a security compromise, the FTC also may consider the accuracy of consumer promises an organization has made regarding the security of its systems. The FTC has used the unfairness and deception doctrines to pursue companies that misrepresented the security measures used to protect consumers’ personal information from access by unauthorized parties. Nearly all data security actions brought by the FTC have been settled and have resulted in comprehensive settlement agreements that typically impose obligations for up to 20 years.
  • Breach Notification Laws. In the U.S., 48 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have laws that require notification to affected individuals (and in some states, regulators) in the event of unauthorized acquisition of or access to personal information. Certain federal laws, such as the Health Insurance Portability and Accountability Act (“HIPAA”), also require notification for certain breaches of covered information, and an increasing number of breach notification laws are being adopted internationally. To the extent a ransomware attack results in the unauthorized acquisition of or access to covered information, applicable breach notification laws may impose notification obligations on affected entities.
  • Litigation. In the event that ransomware results in a breach of covered information, litigation is another potential risk. Despite the difficulty in bringing successful lawsuits against affected entities, plaintiffs’ lawyers continue to actively pursue newsworthy breaches, as businesses are paying significant amounts in settlements with affected individuals. Affected entities also may face lawsuits from their business partners whose data is involved in the attack, and often battle insurers over coverage of costs associated with the attack. Businesses must also be cognizant of cyber-related shareholder derivative lawsuits, which increasingly follow from catastrophic security breaches.
  • Data Security Laws. A number of U.S. states have enacted laws that require organizations that maintain certain types of personal information about state residents to adhere to general information security requirements with respect to that personal information. As a general matter, these laws (such as Section 1798.81.5 of the California Civil Code) require businesses that own or license personal information about state residents to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, destruction, use, modification or disclosure. To the extent a ransomware attack results from a failure to implement reasonable safeguards, affected entities may be at risk of legal exposure under the relevant state security laws.
  • Agency Guidance. Given the evolving nature of ransomware attacks, government agencies are continuously developing recommendations to help businesses respond. For example, the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, published a fact sheet advising health care entities on methods for preventing, investigating and recovering from ransomware attacks. The FBI has also developed ransomware resources directed towards Chief Information Security Officers and CEOs. This guidance should be carefully considered to help prevent and recover from ransomware attacks and to understand the potential criminal and enforcement implications of such attacks.

Ransomware is a growing concern, and while the recent global attack has been the most high-profile attack to date, it is part of an overall trend in the evolving threat landscape. Businesses and other organizations should take into account the above legal considerations in their efforts to prevent, investigate and recover from these disruptive attacks.

New York Publishes FAQs and Key Dates for Cybersecurity Regulation

Earlier this month, the New York State Department of Financial Services (“NYDFS”) published FAQs and key dates for its cybersecurity regulation (the “NYDFS Regulation”) for financial institutions, which became effective on March 1, 2017.

The FAQs address topics including:

  • whether a covered entity is required to give notice to consumers affected by a cybersecurity event;
  • whether a covered entity may adopt portions of an affiliate’s cybersecurity program without adopting all of it;
  • whether DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks are required to comply with the NYDFS Regulation;
  • what constitutes “continuous monitoring” for purposes of the NYDFS Regulation;
  • how a covered entity should submit Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events; and
  • whether an entity can be both a covered entity and a third-party service provider under the NYDFS Regulation.

The NYDFS also listed key dates for the NYDFS Regulation, which include:

  • March 1, 2017 – the NYDFS Regulation becomes effective.
  • August 28, 2017 – the 180-day transitional period ends and covered entities are required to be in compliance with requirements of the NYDFS Regulation unless otherwise specified.
  • September 27, 2017 – the initial 30-day period for filing Notices of Exemption ends.
  • February 15, 2018 – covered entities are required to submit the first certification under the NYDFS Regulation on or prior to this date.
  • March 1, 2018 – the one-year transitional period ends. Covered entities are required to comply with certain requirements such as those related to penetration testing, vulnerability assessments, risk assessment and cybersecurity training.
  • September 3, 2018 – the eighteen-month transitional period ends. Covered entities are required to comply with audit trail, data retention and encryption requirements.
  • March 1, 2019 – the two-year transitional period ends. Covered entities are required to develop a third-party service provider compliance program.

In a recent conference of the National Association of Insurance Commissioners, Maria Vullo, the NYDFS superintendent, stated that “The New York regulation is a road map with rules of the road.”

New Mexico Enacts Data Breach Notification Law

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the two remaining states without such requirements. The Data Breach Notification Act (H.B. 15) goes into effect on June 16, 2017.

Key Provisions of New Mexico’s Data Breach Notification Act:

  • The definition of “personal identifying information” includes biometric data, defined as an individual’s “fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account.”
  • The law applies to unencrypted computerized data or encrypted computerized data when the encryption key or code is also compromised.
  • Notice to the New Mexico Office of the Attorney General and the major consumer reporting agencies is required if more than 1,000 New Mexico residents are notified.
  • Notice must be made to New Mexico residents (and the Attorney General and Consumer Reporting agencies if over 1,000 residents are notified) within 45 calendar days of discovery of a security breach.
    • Third-party service providers are also required to notify the data owner or licensor within 45 days of discovery of a data breach.
  • Notification is not required if, after an appropriate investigation, it is determined that the security breach does not give rise to a significant risk of identity theft or fraud.
  • Entities that are subject to the Gramm-Leach-Bliley Act or HIPAA are exempt from the statute.
  • The law also contains a data disposal provision that requires data owners or licensors to shred, erase or otherwise make unreadable personal identifying information contained in records when it is no longer “reasonably needed” for business purposes.
  • In addition, the law requires data owners and licensors to implement and maintain reasonable security procedures and practices designed to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
    • Contracts with third-party service providers must require that the service provider implement and maintain such security procedures and practices.

Massachusetts AG Settles Geofencing Case

On April 4, 2017, the Massachusetts Attorney General’s office announced a settlement with Copley Advertising LLC (“Copley”) in a case involving geofencing.

Copley used geolocation technology to create a virtual fence around women’s reproductive healthcare facilities. Once the women crossed the virtual fence, Copley then sent targeted advertisements to the women’s phones or other mobile devices. The ads contained messages such as “Pregnancy Help” or “You Have Choices,” and linked to websites with information about alternatives to abortion. Women could also have a live chat with a “pregnancy support specialist.”

The Massachusetts AG alleged that Copley’s use of geofencing violated the Massachusetts Consumer Protection Act because it tracked consumers’ locations and disclosed them to third-party advertisers to target consumers with “potentially unwanted advertising based on inferences about [their] private, sensitive, and intimate medical or physical condition.”

The Assurance of Discontinuance requires Copley to agree to neither directly nor indirectly geofence “the [v]icinity of any Medical Center located in Massachusetts to infer the health status, medical condition or medical treatment of any person.”

In announcing the settlement, Attorney General Healey stated that “[c]onsumers are entitled to privacy in their medical decisions and conditions. This settlement will help ensure that consumers in Massachusetts do not have to worry about being targeted by advertisers when they seek medical care.”

Virginia Adds State Income Tax Provision to Data Breach Notification Law

Recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after discovering, or being notified of, unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer.

The amendment contains a harm threshold, requiring notification when such unauthorized access and acquisition compromises the confidentiality of the data and causes, or reasonably will cause, identity theft or fraud. For employers, the amendment applies only to the employer’s Virginia employees, and not to information regarding the employer’s customers or non-employees. Notification to the Virginia Office of the Attorney General must be made “without unreasonable delay” and must include the name and federal employer identification number of the employer that may be affected by the incident. The amendment requires notification only to the Virginia Office of the Attorney General, and not affected individuals. The amendment takes effect on July 1, 2017.

The New Cybersecurity Landscape: What the NYDFS Regulations Really Mean for Your Business

On March 9, 2017, AllClear ID will host a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”). The NYDFS regulations will impose significant cybersecurity requirements on impacted businesses that will dictate how they plan for, respond to, and recover from data security events. To be compliant, businesses will need to rethink their cybersecurity programs in light of the many granular requirements in the NYDFS regulations. Join Lisa J. Sotto and AllClear ID founder and chief executive officer, Bo Holland, for a discussion on the key areas your business should address first in this new regulatory environment, including best practices for breach readiness, response and recovery.

Register for the webinar now.

New York Updates Cybersecurity Regulation for Financial Institutions

On December 28, 2016, the New York State Department of Financial Services (“DFS”) announced an updated version of its cybersecurity regulation for financial institutions (the “Updated Regulation”). The Updated Regulation will become effective on March 1, 2017.

Key changes from the version that was published in September 2016 include:

  • providing a definition of a “Third-Party Service Provider”;
  • modifying the definition of “Nonpublic Information” to make it consistent with the definition of private information under New York’s state breach notification law;
  • adding “asset inventory and device management” to the list of required components of a covered entity’s cybersecurity policy;
  • permitting a covered entity’s Chief Information Security Officer to be employed by an affiliate of the covered entity or by a service provider;
  • limiting the requirement for a covered entity to maintain audit trails to cover only cybersecurity events “that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity”;
  • eliminating the obligation for covered entities to require multi-factor authentication for employees accessing internal databases; and
  • adding a notice of exemption form that covered entities may complete and file with DFS if they believe they are exempt from specific sections of the regulations.

In announcing the Updated Regulation, DFS Superintendent Maria T. Vullo stated that the Updated Regulation “allows an appropriate period of time for regulated entities to review the rule before it becomes final and make certain that their systems can effectively and efficiently meet the risks associated with cyber threats.”

The Updated Regulation will be finalized in January 2017 following a 30-day notice and public comment period and will become effective on March 1, 2017.

California AG Announces Launch of Online CalOPPA Reporting Form

On October 14, 2016, California Attorney General Kamala D. Harris announced the release of a publicly available online form that will enable consumers to report potential violations of the California Online Privacy Protection Act (“CalOPPA”). CalOPPA requires website and mobile app operators to post a privacy policy that contains certain specific content.

The form asks consumers to state the name of the company being reported and indicate whether the privacy policy (1) is missing or inapplicable, (2) is difficult to locate, (3) is incomplete, (4) has been violated, or (5) has failed to provide notice of a material change. The form enables consumers to provide additional explanation for the alleged violation of CalOPPA as well as any supporting documentation, such as screenshots of the company’s website or app, or correspondence with the company. The form also requests the consumer’s contact information but notes that providing such information is entirely optional.

In addition to the online form, the California Attorney General’s Office announced that it will partner with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will examine differences in a mobile app’s privacy policy and its actual data collection and sharing practices.

In the press release announcing the online form, Attorney General Harris stated, “In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy.” She further noted that it is critical to “implement robust safeguards on what information is shared online and how.”

Texas AG Settles Suit with Messaging App Over Children’s Data Practices

On October 3, 2016, the Texas Attorney General announced a $30,000 settlement with mobile app developer Juxta Labs, Inc. (“Juxta”) stemming from allegations that the company violated Texas consumer protection law by engaging in false, deceptive or misleading acts or practices regarding the collection of personal information from children.

The Texas Attorney General alleged that Juxta, the developer of the “Jott” messaging app and other apps for gaming and social media, misled consumers regarding the company’s privacy practices and compliance with privacy laws. According to the Texas Attorney General, Juxta’s apps were previously easy for children of any age to access. Many of the company’s apps offered free children’s games, generating revenue from advertisements and in-app purchases. Personal information was transmitted over these apps, including IP addresses and GPS coordinates, which could be used to pinpoint a child’s location.

Under the terms of the Assurance of Voluntary Compliance (“AVC”), approved by the Travis County District Court, Juxta agreed not to misrepresent its privacy practices regarding the personal information it collects from children under the age of 13, and not to engage in such collection through its apps unless the apps are in compliance with the Children’s Online Privacy Protection Act (“COPPA”). The AVC adopts COPPA’s definition of “Personal Information,” which includes data such as online contact information (such as an instant message user identifier); a photograph, video or audio file that contains a child’s image or voice; geolocation information sufficient to identify street name and name of a city or town; and persistent identifiers that can be used to recognize a user over time and across different websites or online services (e.g., IP addresses or a customer number held in a cookie). Juxta must also develop and maintain an up-to-date and accurate privacy policy that is clear, conspicuous and understandable. This privacy policy must be made prominently available on each of its apps and websites, including a hyperlink to the policy in any areas of its apps or websites that collect personal information from children younger than 13.

Additionally, Juxta is required to develop, implement and maintain procedures to ensure its Jott app does not contain any networks that are likely to predominantly include children under the age of 13. In particular, Juxta must refrain from designating any of its networks as an “Elementary School” network within the State of Texas. In the event Juxta seeks to prevent children under the age of 13 from using its apps or providing personal information, Juxta must implement and maintain reasonable neutral age screening mechanisms that discourage children from falsifying their age. Juxta further agreed to delete within 30 days (1) all personal information of children under 13 in its custody or control, and (2) all personal information in its custody or control regarding members of its “Elementary School” networks.

New Jersey Moves Forward With Shopper Privacy Bill

On September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.

Under the bill, retail establishments may scan an individual’s identification card (i.e., use an electronic device capable of deciphering, in an electronically readable format, information electronically encoded on the identification card) only for the following purposes:

  • to verify the authenticity of the identification card or to verify the identity of the person if the person pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;
  • to verify the person’s age when providing age-restricted goods or services to the person;
  • to prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system;
  • to establish or maintain a contractual relationship;
  • to record, retain or transmit information as required by state or federal law;
  • to transmit information to a consumer reporting agency, financial institution or debt collector to be used as permitted by the Fair Credit Reporting Act, the Gramm-Leach Bliley Act and the Fair Debt Collection Practices Act; or
  • to record, retain or transmit information by a covered entity governed by the medical privacy and security rules pursuant to the Health Insurance Portability and Accountability Act of 1996.

The bill also would limit the types of information that retailers may scan from an individual’s identification card to name, address, date of birth, the state issuing the identification card and the identification card number. In addition, the bill (1) places limitations on retaining the relevant information; (2) imposes a data security requirement; (3) reiterates retailers’ obligation under New Jersey’s data breach notification law to notify affected residents and the relevant New Jersey regulator in the event of any breach of the security of the information; and (4) prohibits retailers from selling the relevant information to third parties.

New York Announces Proposed Cybersecurity Regulation to Protect Consumers and Financial Institutions

On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require banks, insurance companies and other financial services institutions to establish and maintain a cybersecurity program designed to ensure the safety of New York’s financial services industry and to protect New York State from the threat of cyber attacks. 

The proposed regulation requires regulated financial institutions to take various actions, including:

  • adopting a written cybersecurity policy;
  • establishing a cybersecurity program;
  • designating a Chief Information Security Officer to oversee and enforce its new program and policy; and
  • implementing policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.

The proposed regulation is subject to a 45-day notice and public comment period. If adopted, this will be the first regulation of its kind in the U.S.

Lisa Sotto Speaks on Cybersecurity: Evolution of the Practice (Part 2)

As we previously reported, Lisa J. Sotto, partner and head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice group, spoke at Bloomberg Law’s Second Annual Big Law Business Summit on changes in the privacy and security legal landscape. In Part 2 of her discussion, Lisa speaks about the evolution of privacy laws over the years. The “hundreds of [privacy laws] at the federal and state level,” as well as data protection laws in countries all over the world, are a far cry from the landscape in 1999 when Lisa started the privacy practice at Hunton & Williams. To keep up with the evolution of data privacy, lawyers and regulators alike must understand that it’s “a 24/7 endeavor,” and one that is global in nature. “Data is not constrained by state or country boundaries,” says Sotto.

View the second segment.

Amended Nebraska Data Breach Notification Law Adds Regulator Notification Requirement

On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.

Specifically, the Bill:

  • requires entities to notify the Nebraska Attorney General in the event of a data breach, and no later than notice is provided to Nebraska residents;
  • adds to the definition of “personal information” a user name or email address, in combination with a password or security question and answer, that would permit access to an online account; and
  • states that data is not considered “encrypted” for purposes of avoiding notification obligations if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach.

Amended Tennessee Breach Notification Law Tightens Timing Requirement

On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, as amended by Amendment No. 1 to S.B. 2005 (the “Bill”), which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The amendments take effect on July 1, 2016.

The Bill:

  • Requires businesses and state agencies to notify affected individuals “immediately, but no later than 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.” Before the amendment, the statute required notification “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
  • Eliminates a provision from the statute which triggered notification obligations only where there had been access to, or acquisition of, unencrypted personal information. Under the Bill, notification obligations may be triggered even where the accessed or acquired data elements are encrypted.
  • Defines “unauthorized person” for purposes of triggering notification obligations, to specifically include “an employee of the [business or agency] who is discovered by the [business or agency] to have obtained personal information and intentionally used it for an unlawful purpose.”

California Attorney General Releases Report Defining “Reasonable” Data Security

On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”) which, among other things, provides (1) an overview of businesses’ responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information. Importantly, the Report states that, “[t]he failure to implement all the [Center for Internet Security’s Critical Security] Controls that apply to an organization’s environment constitutes a lack of reasonable security” under California’s information security statute. Cal. Civ. Code § 1798.81.5(b) requires that “[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” The Center for Internet Security’s Critical Security Controls are a set of 20 cybersecurity defensive measures meant to “detect, prevent, respond to, and mitigate damage from cyber attacks.”

The Report also provides the following recommendations:

  • Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.
  • Organizations, particularly in the health care industry, should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.
  • Organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices.
  • State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections and retaining jurisdictional expertise.

California Attorney General Announces $25 Million Settlement with Comcast

On December 15, 2015, the California Attorney General announced an approximately $25 million settlement with Comcast Cable Communications, LLC (“Comcast”) stemming from allegations that Comcast disposed of electronic equipment (1) without properly deleting customer information from the equipment and (2) in landfills that are not authorized to accept electronic equipment. The settlement must be approved by a California judge before it is finalized.

In its complaint, the California Attorney General alleged that Comcast disposed of “customer records without shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means” in violation of California Civil Code 1798.81 (the “Civil Code”). When disposing of customer records, the Civil Code requires businesses to take “all reasonable steps” to securely dispose of those records containing personal information. The complaint also contained numerous causes of action related to Comcast’s alleged improper disposal of hazardous materials in violation of environmental, health and safety statutes.

In addition to the monetary penalty, the settlement requires Comcast to:

  • Take all reasonable steps to securely delete or destroy customer records containing personal information, before disposing of such records.
  • Prohibit the disclosure of customer records containing personal information to third parties, except in accordance with applicable law.
  • Document the company’s procedures for disposing of customer records containing personal information and provide relevant employees with readily available electronic access to such documents.
  • Post signage regarding the company’s procedures for disposing of customer records in relevant facilities in which the records are handled.
  • Provide employees with at least one written and one verbal communication annually that addresses (1) the company’s procedures for disposing of customer records, (2) information regarding identity theft, including its potential impact on customers, and (3) information regarding relevant California laws about the disposal of customer records.
  • Provide training to relevant employees about the company’s procedures for disposing of customer records.
  • Designate an employee to serve as the “Customer Records Privacy Officer.”
  • Make available its customer records disposal procedures to the Attorney General.
  • Retain an independent third party auditor to perform three audits over the next five years assessing Comcast’s compliance with its obligations under the settlement related to its disposal of customer records containing personal information.

In the press release announcing the settlement, California Attorney General Kamala D. Harris said, “Comcast’s careless and unlawful hazardous waste disposal practices jeopardized the health and environmental well-being of California communities and exposed their customers to the threat of identity theft.”

Read the settlement with Comcast.

Class Action Filed Against Georgia’s Secretary of State

On November 17, 2015, two plaintiffs filed a putative class action alleging that Georgia’s Secretary of State, Brian Kemp, improperly disclosed the Social Security numbers, driver’s license numbers and birth dates of more than 6.1 million Georgia voters. The lawsuit alleges that the Secretary violated Georgia’s Personal Identity Protection Act by disclosing the voters’ personally identifiable information, failing to provide voters notice of the breach and failing to notify consumer reporting agencies.

The plaintiffs allege that a “Voter File” typically is distributed monthly to political parties and members of the media, but includes only certain data elements such as voter names, addresses, race, gender, registration date and last voting date. In October 2015, a different version of the Voter File was allegedly mailed that also disclosed voters’ Social Security numbers, driver’s license numbers and birth dates.

In public statements, Secretary Kemp has taken responsibility for the mailings. The Secretary has terminated the employee responsible for what is being called a “clerical error,” and claims that all of the discs containing the files have been retrieved or destroyed. The Secretary’s office also has “verified with the media outlets and political parties that they have not copied or otherwise disseminated confidential data.”

Putative Data Breach Class Action Against Uber Dismissed Without Prejudice

The United States District Court for the Northern District of California recently dismissed―without prejudice―a former Uber driver’s class action complaint. The driver, Sasha Antman, was one of roughly 50,000 drivers whose personal information was exposed during a May 2014 data breach. Uber contended the accessed files contained only the affected individuals’ names and drivers’ license numbers.

In the complaint, Antman alleged that the breach resulted in, among other injuries, an unauthorized attempt to open a credit card and ongoing monitoring expenses. He did not, however, allege any fraudulent credit charges or loss of use of credit. Antman brought claims under California law for: (1) unfair competition and (2) the failure to implement and maintain reasonable security procedures. Uber moved to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Below are highlights from the District Court’s ruling.

Lack of Standing under 12(b)(1)

The District Court found that the complaint failed to establish standing under both the “injury-in-fact” and “causal connection” inquiries. Although the court reaffirmed that the Ninth Circuit’s Krottner v. Starbucks decision remained controlling post-Clapper, it nevertheless rejected Antman’s injury-in-fact argument. Specifically, without the exposure of Social Security numbers (“SSN”), financial account numbers or credit card numbers, the court indicated “there is no obvious, credible risk of identity theft that risks real, immediate injury.” Likewise, the court believed that no causal connection existed because Antman did not allege that his SSN, which was required for the unauthorized credit application in question, was breached.

Failure to State a Claim under 12(b)(6)

Additionally, the court found that Antman failed to show a cognizable injury necessary to survive Uber’s 12(b)(6) motion based on statutory standing due to the lack of a causal relationship between the breach and the unauthorized credit card application. Further, while Antman alleged that he was a California resident when he was an Uber driver, he did not allege he was a California resident at the time of the breach. Given the standing rulings, the court declined to opine on the timing of his residency.

Antman will have 28 days to amend his complaint.

California Passes New Digital Privacy Law

On October 8, 2015, California Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (“CalECPA”). The law requires police to obtain a warrant before accessing an individual’s private electronic information, such as text messages, emails, GPS data and online documents that are stored in the cloud and on smartphones, tablets, computers and other digital devices. The government also must obtain a warrant before requiring a business to produce an individual’s electronic information.

The bill’s co-author, State Senator Mark Leno (D-San Francisco), hailed CalECPA as “a carefully crafted law that protects personal information of all Californians,” and noted that the law still ensures that police have the tools they need to battle crime. For example, pursuant to the CalECPA, the government may forego the warrant requirement if it (1) receives consent from the owner or possessor of the device or (2) has a good faith belief that an emergency involving potential death or serious physical injury necessitates access to the information.

The bill was co-sponsored by the American Civil Liberties Union of California, the Electronic Frontier Foundation and the California Newspaper Publishers Association.

California Attorney General’s Settlement with Houzz Inc. Requires Company to Hire CPO

On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.

According to the Attorney General’s press release, the requirement of hiring a Chief Privacy Officer “is a significant step that is aligned with Attorney General Harris’ ongoing efforts to preserve California businesses’ ability to innovate while ensuring that consumers’ right to privacy is protected.”

Target Data Breach Litigation: District Court Certifies Class of Financial Institutions

On September 15, 2015, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”

The plaintiff financial institutions assert claims for negligence, violations of Minnesota’s Plastic Security Card Act (“PSCA”) and negligence per se (based on the alleged violation of the PSCA). The alleged damages include the costs of providing replacement cards, and reimbursing fraud losses and other post-breach remediation expenses.

The focus of Target’s class certification argument and the court’s analysis was on the intertwined concepts of commonality and predominance. Target argued that: (1) choice-of-law issues would overwhelm the other issues; (2) there was no class-wide proof to support the PSCA and negligence claims; and (3) the calculations of damages on a plaintiff-by-plaintiff basis would predominate the litigation.

Choice of Law
The court dismissed Target’s argument that Minnesota law – including the PSCA – should not apply to the claims due to a lack of a significant nexus to Minnesota. Even assuming that conflicts existed between Minnesota and other states’ laws, the court determined that it could apply Minnesota law to the plaintiffs’ claims due to the “legion” contacts with Minnesota: “Target is headquartered in Minnesota; its computer servers are located in Minnesota; [and] the decisions regarding what steps to take or not take to thwart malware were made in a large part in Minnesota.”

Class-wide Proof
The court distinguished the class-wide proof required to establish injury and causation in a data breach for banks or credit unions from that required for consumers. Although future injury has been problematic in consumer cases, the financial institution plaintiffs reissued “nearly every card” that was subject to the breach alert. The court emphasized that this was not a “future harm.”

Judge Magnuson found such costs were not merely a “business decision” as opposed to an injury proximately caused by the breach, even when there is no contract, law or regulation requiring card reissue. Indeed, the court dismissed Target’s suggestion that financial institutions do nothing in reaction to a data breach as “absurd.” The court concluded that whether or not the remedial steps banks took in the wake of the breach to protect their cardholders were reasonable could be decided on a class-wide basis.

Damages
The court acknowledged that there may be difficulties establishing class-wide proof of damages. Such issues generally do not preclude class certification as long as the individual issues do not outweigh the class-wide issues. The court also left open the possibility that after class-wide liability is determined, damages questions may be left open for later resolution. Noting that the case of In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D. 389 (D. Mass. 2007) was the only financial data-breach case to reach the class certification stage, the court also distinguished the TJX denial of class certification based on that case’s misrepresentation and consumer-fraud claims. “The reliance issue in TJX made proving class-wide liability impossible,” which the court found “very different” from the facts presented in the Target case. The court also rejected Target’s damages arguments under the Seventh Amendment. Additionally, the court found that reissuance and fraud damages could be calculable on a class-wide basis, based on an expert opinion proffered by plaintiffs.

Update: On December 2, 2015, Target agreed to a settlement of $39 million, most of which will be paid directly to class members.

States Writing Biometric-Capture Laws May Look to Illinois

Recent class actions filed against Facebook and Shutterfly are the first cases to test an Illinois law that requires consent before biometric information may be captured for commercial purposes. Although the cases focus on biometric capture activities primarily in the social-media realm, these cases and the Illinois law at issue have ramifications for any business that employs biometric-capture technology, including those who use it for security or sales-and-marketing purposes. In a recent article published in Law360, Hunton & Williams partner Torsten M. Kracht and associate Rachel E. Mossman discuss how businesses already using these technologies need to keep abreast of new legislation that might affect the legality of their practices, and how businesses considering the implementation of these technologies should consult local rules and statutes before implementing biometric imaging.

Read the full article now.

New Hampshire and Oregon Student Privacy Legislation

Legislators in New Hampshire and Oregon recently passed bills designed to protect the online privacy of students in kindergarten through 12th grade.

On June 11, 2015, New Hampshire Governor Maggie Hassan (D-NH) signed H.B. 520, a bipartisan bill that requires operators of websites, online platforms and applications targeting students and their families (“Operators”) to create and maintain “reasonable” security procedures to protect certain covered information about students. H.B. 520 also prohibits Operators from using covered information for targeted advertising. H.B. 520 defines covered information broadly as “personally identifiable information or materials,” including name, address, date of birth, telephone number and educational records, provided to Operators by students, their schools, their parents or legal guardians, or otherwise gathered by the Operators.

Governor Hassan said that technology “is an essential component of the 21st century innovation economy” and plays an important and growing role in the classroom. She added that H.B. 520 protects New Hampshire students against threats to their privacy while enabling them to participate in that economy. H.B. 520 takes effect on January 1, 2016.

On June 10, 2015, the Oregon legislature passed S.B. 187, providing similar protections to K-12 students’ personal information and restricting the use of that information by Operators. The bill defines “covered information” in the same way as the New Hampshire student privacy bill and applies to the same types of Operators. S.B. 187 prohibits selling student information and presenting students with targeted advertisements. Operators also may not disclose student information to third parties, except in limited circumstances, but may use “de-identified student information” to improve or market the effectiveness of their products. Legislators rejected proposals backed by the technology industry that would have allowed students ages 12 and older to consent to the use and disclosure of covered information.

S.B. 187 grants the Oregon Attorney General enforcement power under the state’s consumer protection statute. Governor Kate Brown (D-OR) is expected to sign the bill, which would take effect on July 1, 2016.

Both New Hampshire and Oregon modeled their student privacy legislation on California’s Student Online Personal Information Protection Act, which was enacted in 2014.

Nevada Expands Definition of Personal Information

On May 13, 2015, Nevada Governor Brian Sandoval (R-NV) signed into law A.B. 179 (the “Bill”), which expands the definition of “personal information” in the state’s data security law. The law takes effect on July 1, 2015. Under the Bill, personal information now includes:

  • a “user name, unique identifier or electronic mail address in combination with a password, access code, or security question and answer that would permit access to an online account;”
  • a medical identification or health insurance identification number; and
  • a driver authorization card number.

In addition, although Nevada’s data security law previously excluded “publicly available information. . . lawfully made available to the general public” from the definition of personal information, the Bill narrows the scope of that exclusion, limiting it to information available “from federal, state or local governmental records.”

View the text of the Bill.

FinCEN Announces First BSA Enforcement Action Against Virtual Currency Exchanger

On May 5, 2015, the Financial Crimes Enforcement Network of the U.S. Treasury Department (“FinCEN”), in coordination with the U.S. Attorney’s Office for the Northern District of California (“USAO”), announced a civil monetary penalty of $700,000 against Ripple Labs, Inc. (“Ripple Labs”) and its subsidiary XRP II, LLC (“XRP II”) for violations of the Bank Secrecy Act (“BSA”). This assessment represents the first BSA enforcement action against a virtual currency exchanger by FinCEN. The fine coincides with a settlement agreement between Ripple Labs, XRP II and the USAO to resolve any criminal and civil liability arising out of these activities, the terms of which include a $450,000 forfeiture and full cooperation by Ripple Labs in the ongoing investigation.

Ripple Labs facilitated transfers of virtual currency and provided virtual currency exchange services. Ripple Labs maintained its own virtual currency, known as XRP, and was the second-largest cryptocurrency after Bitcoin at the beginning of 2015.

The enforcement action follows guidance issued by FinCEN in March 2013 clarifying that the BSA and implementing regulations applied to participants in the virtual currency arena and, more specifically, that “exchangers” and “administrators” of virtual currencies were required to register with FinCEN as “Money Service Businesses” (“MSB”). (See FIN-2013-G0001.) The BSA further requires MSBs to implement anti-money laundering (“AML”) programs, report suspicious transactions over $2,000 and adopt certain “Know-Your-Customer” (“KYC”) procedures.

According to the Settlement Agreement, Ripple Labs operated as an MSB without registering with FinCEN and continued to engage in covered activity after the FinCEN guidance was issued in March 2013. Specifically, Ripple Labs failed to establish an appropriate AML program and failed to adopt adequate policies and procedures to comply with its obligations under the BSA. It was noted that the Ripple Labs subsidiary, XRP II, was registered with FinCEN, but nevertheless failed to adopt an effective AML program and failed to report suspicious transactions.

In an attached “Statement of Facts and Violations” Ripple Labs admitted to specific violations of the BSA. For example, in September 2013, its subsidiary, XRP II, negotiated a $250,000 transaction for the sale of virtual currency by email and agreed to dispense with its KYC requirements when the customer objected to providing information. In November 2013, XRP II rejected a $32,000 transaction because of concerns over the legitimacy of the overseas customer’s source of funds, but failed to file a suspicious activity report (SAR).

The settlement agreement with the USAO requires Ripple Labs to cooperate fully with an ongoing investigation of related criminal violations and offered no “protection from prosecution” to any individuals, including present or former officers, directors and employees of Ripple Labs. In addition to the civil fine and forfeiture, Ripple Labs and XRP II agreed to engage in remedial steps to ensure future compliance with the BSA, to conduct a three-year “look back audit” for suspicious transactions and to retain external independent auditors to review BSA compliance biannually until 2020.

This action underscores the importance of responding to advisory guidance from FinCEN addressing the application of existing regulations and adapting compliance measures accordingly. Reference in the statement of facts to the previously issued FinCEN guidance demonstrates the government’s view that the advisories put institutions on notice of regulatory requirements. Failure to act following such clarification is evidence of “willfulness” as that term is used in civil enforcement of the BSA. A proactive response to evolving regulatory guidance should be viewed as an investment in risk management, and ultimately more cost effective than a subsequent enforcement action that could result in years of regulatory scrutiny. Banking institutions should take measures to ensure that BSA-covered account holders, subsidiaries and affiliates have the requisite compliance programs and licenses as part of KYC and ongoing due diligence.

View a copy of our client alert.

Florida Passes Drone Surveillance Bill Requiring Individual Consent

On April 28, 2015, the Florida House of Representatives passed a bill (SB 766) that prohibits businesses and government agencies from using drones to conduct surveillance by capturing images of private real property or individuals on such property without valid written consent under circumstances where a reasonable expectation of privacy exists.

The bill expands Florida’s Freedom from Unwarranted Surveillance Act to prohibit the “use [of] a drone equipped with an imaging device to record an image of privately owned real property or of the owner, tenant, occupant, invitee, or licensee of such property with the intent to conduct surveillance on the individual or property captured in the image in violation of such person’s reasonable expectation of privacy without his or her written consent.” Under the bill, there is a presumption that a person has a “reasonable expectation of privacy on his or her privately owned real property if he or she is not observable by persons located at ground level in a place where they have a legal right to be, regardless of whether he or she is observable from the air with the use of a drone.” The term “surveillance” is broadly defined to cover surveillance activities that allow drone operators to observe individuals and real property with sufficient visual clarity to obtain information about an individual’s identity, habits, conduct, movements or whereabouts, or the unique identifying features or occupancy of the property.

Individuals will have a private right of action under the bill to seek compensatory damages, including punitive damages and attorney fees, and injunctive relief for violations of the surveillance prohibition. The bill, however, contains several exceptions to the surveillance prohibition, such as when drones are used for certain surveillance purposes by utilities, state-licensed entities, and businesses delivering cargo, conducting environmental monitoring or engaging in aerial mapping.

The Florida Senate passed the bill in a 37-2 vote on April 23, 2015, and as a result of the recent House vote, the bill will be sent to Florida’s governor for approval.

Update: On May 14, 2015, Florida Governor Rick Scott signed bill SB 766, named the Freedom from Unwarranted Surveillance Act, into law.

Data Security Act Introduced in New York State Assembly

On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:

  • personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
  • a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
  • unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).

The Data Security Act obligates entities to develop an information security program that includes:

  • administrative safeguards, such as conducting risk assessments, training employees and selecting service providers capable of maintaining appropriate safeguards;
  • technical safeguards, such as assessing risks in network and software design and regularly testing and monitoring the effectiveness of key controls; and
  • physical safeguards, such as disposing of electronic media so that the information cannot be read or reconstructed.

The Data Security Act deems certain specific entities in compliance with the law’s requirements, such as financial institutions that comply with the Gramm-Leach-Bliley Act, HIPAA-regulated entities, and entities that comply with NIST Standards. Entities that comply with the latest version of NIST Special Publication 800-53 are also immune from any civil liability under the Act.

The Data Security Act establishes a rebuttable presumption that an entity that obtains an independent third party certification complies with the requirements of the law. The New York Attorney General is empowered to enjoin any violations of the Data Security Act, and can obtain civil penalties of $250 for each person whose private information was compromised, up to a maximum of $10 million. For knowing and reckless violations, these amounts can increase to $1,000 for each affected person up to a total of the higher of $50 million or three times the aggregate amount of any actual costs and losses.

The Data Security Act also amends New York’s breach notification law by using the expanded definition of “private information” discussed above. Previously, New York’s law did not cover breaches involving biometric information, user names and passwords, or protected health information.

Washington State Senate Approves Amendment to Data Breach Notification Law

On April 13, 2015, the Senate of Washington State unanimously passed legislation strengthening the state’s data breach law. The bill (HB 1078) passed the Senate by a 47-0 vote, and as we previously reported, passed the House by a 97-0 vote.

The bill includes the following amendments to Washington’s existing data breach notification law:

  • requires notification to the state attorney general in the event of a breach;
  • imposes a 45-day deadline for notification to affected residents and the state attorney general;
  • mandates content requirements for notices to affected residents, which must include (i) the name and contact information of the reporting business, (ii) a list of the types of personal information subject to the breach, and (iii) the toll-free telephone numbers and address of the consumer reporting agencies;
  • expands the current law to cover hard-copy data as well as “computerized” data;
  • introduces a safe harbor for personal information that is “secured,” which is defined to mean the data is encrypted in a manner that “meets or exceeds” the National Institute of Standards and Technology standard or is otherwise “modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person”; and
  • adds federal preemption language that would exempt certain covered entities from having to comply with Washington’s breach law.

The bill will now head to Governor Jay Inslee for consideration.

Update: On April 23, 2015, Governor Jay Inslee signed the bill into law.

Montana and Washington State Propose Amendments to Data Breach Legislation

On March 4, 2015, the House of Representatives of Washington passed a bill (HB 1078), which would amend the state’s breach notification law to require notification to the state Attorney General in the event of a breach and impose a 45-day timing requirement for notification provided to affected residents and the state regulator. The bill also mandates content requirements for notices to affected residents, including (1) the name and contact information of the reporting business; (2) a list of the types of personal information subject to the breach; and (3) the toll-free telephone numbers and address of the consumer reporting agencies. In addition, while Washington’s breach notification law currently applies only to “computerized” data, the amended law would cover hard-copy data as well.

The bill introduces a safe harbor for personal information that is “secured,” which is defined to mean the data is encrypted in a manner that “meets or exceeds” the National Institute of Standards and Technology (“NIST”) standard or is otherwise “modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.” In addition, notice is not required if the breach is “not reasonably likely to subject consumers to a risk of harm.” The bill adds federal preemption language that would exempt certain covered entities from having to comply with the state breach law. With respect to enforcement, the bill would make an organization’s failure to comply with the state’s breach notification law a violation of the Consumer Protection Act.

The bill, which passed the House of Representatives 97-0, will now face the Washington State Senate. It has broad bipartisan support, and if enacted would strengthen the state’s data breach laws.

The Washington legislation was introduced just over a week after Montana’s governor signed into law HB 74, which amends Montana’s existing data breach notification law to expand the definition of personal information to include medical record information and an “identity protection personal identification number” issued by the IRS. The amended law also requires entities to submit to the state Attorney General’s Consumer Protection Office an electronic copy of the notice to affected individuals, and to indicate the date and method of distribution of the individual notice and the number of residents impacted by the breach. The bill was enacted on February 27, 2015, and will take effect on October 1, 2015.

White House Releases Discussion Draft for a Consumer Privacy Bill of Rights

On February 27, 2015, the White House released a highly-anticipated draft of the Consumer Privacy Bill of Rights Act of 2015 (the “Act”) that seeks to establish baseline protections for individual privacy in the commercial context and to facilitate the implementation of these protections through enforceable codes of conduct. The Federal Trade Commission is tasked with the primary responsibility for promulgating regulations and enforcing the rights and obligations set forth in the Act.

The Act’s baseline of consumer protections would apply broadly (with certain stated exceptions) to the privacy practices of covered entities that collect, create, process, retain, use or disclose personal data in or affecting interstate commerce. “Personal data” is broadly defined under the Act as “any data … under the control of a covered entity, not otherwise generally available to the public through lawful means, and … linked, or as a practical matter linkable by the covered entity, to a specific individual, or linked to a device that is associated with or routinely used by an individual.” The Act carves out from the definition of personal data several types of information, including de-identified data, cybersecurity data and employee data that is collected or used by an employer in connection with an employee’s employment status.

The Act sets forth individual rights for consumers and corresponding obligations of covered entities in connection with personal data. Key examples of the proposed privacy protections and obligations include:

  • Transparency. Covered entities shall provide individuals with clear, timely, conspicuous and easily understandable notice about the entity’s privacy and security practices. The Act sets forth various content requirements for such notices.
  • Individual Control. Individuals must be provided with reasonable means to control the processing of their personal data that are proportionate to the privacy risk to the individual and are consistent with context, which is defined to mean the circumstances surrounding a covered entity’s processing of personal data.
  • Respect for Context. If a covered entity processes personal data in a manner that is not reasonable in light of context, the entity must conduct a privacy risk analysis, and take reasonable steps to mitigate any identified privacy risks. If the privacy risk analysis is conducted under the supervision of an FTC-approved Privacy Review Board, the covered entity may be excused from certain heightened requirements under this section.
  • Focused Collection and Responsible Use. Covered entities may collect, retain and use personal data only in a manner that is reasonable in light of context. This limitation requires businesses to consider ways to minimize privacy risk, as well as to delete, destroy or de-identify personal data within a reasonable time after fulfilling the purposes for which the personal data were first collected.
  • Security. Covered entities are expected to identify reasonably foreseeable internal and external risks to the privacy and security of personal data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of the information. Based on this analysis, covered entities must establish, implement and maintain safeguards reasonably designed to ensure the security of such personal data, including but not limited to protecting against unauthorized loss, misuse, alteration, destruction, access to, or use of the business’ information.
  • Access and Accuracy. Upon request, a covered entity must provide an individual with reasonable access to, or an accurate representation of, personal data that pertains to the individual and is under the control of the covered entity. This obligation entails providing the individual with a means to dispute and resolve the accuracy and completeness of his or her personal data.
  • Accountability. Covered entities must take measures appropriate to the privacy risks associated with its personal data practices, including training employees, conducting internal or independent evaluations, building appropriate consideration for privacy and data protections into the design of systems and business practices, and contractually binding third parties to comply with similar requirements prior to disclosing personal data to them.

Under the Act, a violation of the relevant requirements constitutes an unfair or deceptive act or practice in violation of Section 5 of the FTC Act. While the attorney general of any state may bring a federal enforcement action for injunctive relief based on an alleged violation causing harm to a substantial number of the state’s residents, the FTC has the right to intervene as a party and assume lead responsibility for the prosecution. In an action brought or prosecuted by the FTC, the covered entity also may be liable for a civil penalty of up to $25 million under certain circumstances. The Act offers covered entities a safe harbor against enforcement actions when they have complied with an FTC-approved code of conduct for data governance that provides equivalent or greater protections for personal data than that of the Act. In addition, the Act does not offer a private right of action to individuals.

Notably, the Act preempts state and local laws to the extent they impose requirements with respect to personal data processing, but it does not preempt states’ general consumer protection laws, health or financial information laws, or data breach notification laws. With respect to federal preemption, the Act does not modify, limit or supersede the privacy or security provisions of federal laws, including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996.

As we reported on February 23, 2012, the White House released a report outlining a framework for U.S. data protection and privacy policy that included a Consumer Privacy Bill of Rights.

Read the Consumer Privacy Bill of Rights Act of 2015.

Two Wyoming Bills Amending the State’s Breach Notification Statute Are Headed to the Governor

On February 23, 2015, the Wyoming Senate approved a bill (S.F.36) that adds several data elements to the definition of “personal identifying information” in the state’s data breach notification statute. The amended definition will expand Wyoming’s breach notification law to cover certain online account access credentials, unique biometric data, health insurance information, medical information, birth and marriage certificates, certain shared secrets or security tokens used for authentication purposes, and individual taxpayer identification numbers. The Wyoming Senate also agreed with amendments proposed by the Wyoming House of Representatives to another bill (S.F.35) that adds content requirements to the notice that breached entities must send to affected Wyoming residents. Both bills are now headed to the Wyoming Governor Matt Mead for signing.

Bill S.F.36 would broaden the definition of “personal identifying information” to include an individual’s first name or first initial and last name in combination with any one or more of the data elements below:

  • Social Security number;
  • driver’s license number;
  • account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the individual;
  • tribal identification card;
  • federal or state government issued identification card;
  • shared secrets or security tokens that are known to be used for data based authentication;
  • username or email address, in combination with a password or security question and answer that would permit access to an online account;
  • birth or marriage certificate;
  • medical information;
  • health insurance information;
  • unique biometric data; or
  • individual taxpayer identification number.

Bill S.F.35 would impose content requirements on the notice that breached entities must send affected Wyoming residents. Specifically, if enacted, the bill would require the notice to affected Wyoming residents to include (1) the types of personal identifying information subject to the breach, (2) a general description of the breach, (3) the approximate date of the breach, (4) the remedial actions taken by the entity, (5) advice directing the Wyoming resident to remain vigilant, and (6) whether notification was delayed pursuant to a request from law enforcement.

Both bills are headed to the Governor of Wyoming, Matt Mead, for his consideration.

Update: On March 2, 2015, Wyoming Governor Matt Mead signed both bills into law. The bills will become effective on July 1, 2015.

Proposed Indiana Law Would Raise Bar for Security and Privacy Requirements

Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than only owners of databases. The bill also would expand Indiana’s breach notification law to eliminate the requirement that the breached data be computerized for notices to be required.

Most significantly, SB413 would require data users to implement and maintain “reasonable procedures” that prohibit them from “retaining personal information beyond what is necessary for business purposes or compliance with applicable law” and “using personal information for purposes beyond those authorized by law or by the individual to whom the personal information relates.” These requirements are a substantial change from most existing U.S. privacy laws, and designing and implementing the necessary procedures could be a challenge for many companies.

Failure to comply with the bill’s requirements would constitute a deceptive act under state consumer protection law. While only the attorney general may bring an enforcement action, if a court determines that the violation was “done knowingly,” penalties include a fine of $50 for each affected Indiana resident, with a minimum fine of at least $5,000 and maximum fine of $150,000 per deceptive act.

The cap likely will be challenged as being too low during hearings on the bill. In any event, the fines imposed under this new section are cumulative with those available under any other state or federal law, rule or regulation.

SB413 also would require data users to have online privacy policies, and it specifies that those policies must include information as to:

  • whether personal information is collected through the data user’s Internet website;
  • the categories of personal information collected through the data user’s Internet website, if applicable;
  • whether the data user sells, shares or transfers personal information to third parties; and
  • if applicable, whether the data user obtains the express consent of an individual to whom the personal information relates before selling, sharing or transferring the individual’s personal information to a third party.

The bill would explicitly prohibit data users from making a “misrepresentation to an Indiana resident concerning the data user’s collection, storage, use, sharing, or destruction of personal information,” or from requiring a vendor or contractor to do so.

While the bill may well be amended as it moves through the legislative process before the Indiana Senate adjourns on April 29, 2015, it is widely expected to pass. Assuming it does, it will reflect a further significant evolution in state laws regulating information privacy and security, and will add Indiana to the growing list of states moving ahead of federal law in these areas.

Safeway Reaches Settlement with California District Attorneys Over Allegations of Unlawful Disposal of Medical Records

On January 5, 2015, the Alameda County District Attorney’s Office announced that Safeway Inc. (“Safeway”) has agreed to pay $9.87 million to settle claims that the company unlawfully disposed of customer medical information and hazardous waste in violation of California’s Confidentiality of Medical Information Act and Hazardous Waste Control Law. In a series of waste inspections from 2012 to 2013, a group of California district attorneys and environmental regulators found that Safeway was disposing of both its pharmacy customers’ confidential information and various types of hazardous wastes in the company’s dumpsters. Based on the investigation, 42 California district attorneys and two city attorneys brought a complaint on December 31, 2014, alleging, among other things, that more than 500 Safeway stores and distribution centers engaged in the disposal of their customers’ medical information in a manner that did not preserve the confidentiality of the information.

The settlement calls for Safeway to pay (1) a $6.72 million civil penalty, (2) $2 million for supplemental environmental projects and (3) $1.15 million in attorneys’ fees and costs. In addition, pursuant to the agreement, Safeway must maintain and enhance, as necessary, its customer record disposal program to ensure that customer medical information is disposed of in a manner that preserves the customer’s privacy.

Massachusetts Attorney General Reaches Settlement with Boston Hospital Over Data Security Allegations

On November 21, 2014, Massachusetts Attorney General Martha Coakley announced that Boston hospital Beth Israel Deaconess Medical Center (“BIDMC”) has agreed to pay a total of $100,000 to settle charges related to a data breach that affected the personal and protected health information of nearly 4,000 patients and employees.

In its complaint, the Attorney General alleged that a trespasser entered an unlocked office of a BIDMC physician and stole a personal laptop containing unencrypted names, Social Security numbers and medical information of 4,000 patients and employees. The Attorney General alleged that the breach was a result of BIDMC’s failure to lawfully protect the personal and protected health information of its patients and employees in violation of the Massachusetts Consumer Protection Act, the Massachusetts Data Security Law, and the federal Health Insurance Portability and Accountability Act.

Pursuant to the consent judgment, BIDMC will pay $100,000 to resolve the allegations. $15,000 of the $100,000 settlement will be applied to a fund administered by the Attorney General for data protection educational programs. The consent judgment also requires BIDMC to “take steps to ensure future compliance with state and federal data security laws and regulations,” including the implementation of enhanced device management, encryption and training policies.

In response to the settlement, Massachusetts Attorney General Martha Coakley said that “[t]he healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” and that “[t]o prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”

Ebola and Other Health Emergencies Create Workplace Privacy Dilemmas

Hunton & Williams Labor & Employment partner Susan Wiltsie reports:

Fears of a worldwide Ebola pandemic appear to have abated, but the tension between workplace safety and employee privacy, thrown into relief by this health emergency, remains an issue relevant to all employers. Any potential health threat created by contagious illness requires employers to plan and put into effect a reasonable response, including policies governing the terms and conditions under which employees may be required to stay away from the workplace, and in which their health care information may be relevant to workplace decisions.

The likelihood of contracting Ebola from employees who may have been exposed to the disease is low, and fears of association with such individuals usually are scientifically unfounded. The decision regarding whether potentially exposed individuals should be barred from the workplace is particularly difficult. Employers do not want to appear hysterical; yet they need to be prudent about protecting co-workers, customers, visitors and vendors. Also, a very real risk exists that an infected employee on a manufacturing floor or otherwise in the chain of commerce could create a panicked boycott of the goods/services of their employer. As one way to address these issues, some employers have adopted policies that those employees who travel to the impacted areas in West Africa will not be able to return to work until 21 days after their last possible exposure. Such policies make particular sense for employers in the health care field. In cases where the employee has not made a choice (for example, when an employee is identified by public health officials as someone who may have been exposed), employers may decide to have any mandated leave time be paid. Telecommuting, if feasible, also is a good option. In unionized workplaces, these issues normally will be mandatory subjects of bargaining; employers who unilaterally implement such procedures may be engaging in unfair labor practices in violation of the National Labor Relations Act.

No approach to these issues will be free from legal risk. Attempts to limit access to the workplace also expose employers to claims of discrimination under the Americans with Disabilities Act (“ADA”) or (for entities receiving federally funded assistance) the Rehabilitation Act of 1973 (“Rehab Act”). In addition to protecting qualified applicants and employees with disabilities from employment discrimination, these statutes prohibit discrimination based on an employee’s relationship or association with an individual who has a disability. See 42 U.S.C. § 12112(b)(4). Although temporary viral illnesses do not normally meet the definition of “disability” under the ADA, some Ebola-related conditions and long-term side effects may rise to that level, particularly in light of the more expansive definition of the term “disability” under the Americans with Disabilities Act Amendments Act of 2008.

Significantly, there is no requirement under the ADA or the Rehab Act that the employee’s association with a person potentially exposed to Ebola be a family relationship. The key question is whether the employer is motivated by an individual’s relationship or association with any person who has a disability. The Equal Employment Opportunity Commission’s publication entitled “Questions and Answers About the Association Provision of the Americans with Disabilities Act” provides helpful guidance on this issue, implicitly acknowledging a zone of privacy around an individual’s personal associational choices.

Perhaps the thorniest privacy issue facing employers with regard to contagious illnesses is the extent to which they may disclose information about an employee’s medical condition. Media attention to the particulars of each diagnosed case of Ebola outside of West Africa presents employers (particularly health care providers) with the Hobson’s choice of being transparent enough to reassure the public and opaque enough to protect employee privacy.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), enforced by the Office for Civil Rights of the Department of Health and Human Services, protects the confidentiality of protected health information by generally prohibiting its disclosure in the absence of explicit authorization from a patient. However, HIPAA applies only to health plans, health care clearinghouses, and most health care providers. It does not apply to employers – for instance, if an employer provides a self-insured health plan for employees, the plan, but not the employer, is subject to HIPAA. Moreover, HIPAA specifically exempts disclosures of health information made for purposes of worker’s compensation-related matters.

Thus, the significant amount of employee health information to which employers obtain access by virtue of standard workplace policies and procedures – medical appointment verification forms from physicians, verification of conditions qualifying for family and medical leave, explanations for routine absences, drug testing results, the results of medical examinations that are rationally related to job duties – is not subject to certain HIPAA requirements. Analogous state laws may provide greater protection. California’s Confidentiality of Medical Information Act, for instance, requires employers to protect the privacy and security of any medical information they receive. (Cal. Civ. Code §§ 56.20-56.245.) At bottom, however, most employers are more likely to face liability for disclosure of medical information under common law invasion of privacy theories (e.g., unreasonable intrusion upon seclusion) than under HIPAA or analogous state statutes.

Employee concerns about co-workers with contagious illnesses may be channeled into productive and appropriate efforts to prevent contagion. These may include education and training of employees, medical services such as vaccination and post-exposure medicine, modifying the work environment to provide additional protection, such as installing physical barriers (clear plastic sneeze guards), conducting business through drive-through service windows, improving ventilation, installing additional hand sanitizer dispensers and, where appropriate, providing protective personal equipment such as respirators and surgical masks.

While Ebola does not meet the definition of “pandemic,” OSHA’s general guidance on protecting workers during a pandemic prescribes evaluation of contagion risks based on specific job activities that may expose people to infection. Emergency responders and workers in critical infrastructure and key resource sectors (including employees in the fields of health care, laboratory work, mortuary/death care, emergency transport and airline services) face greater risks of infection than employees who do not regularly interact with the general public. OSHA regulations prescribe safety standards for such individuals, including OSHA’s Bloodborne Pathogens standard (29 CFR 1910.1030), Respiratory Protection standard (29 CFR 1910.134), and Personal Protective Equipment standard (29 CFR 1910.132).

Thoughtful and deliberate planning at the senior levels of an organization, ongoing monitoring of the most recent reports and recommendations from the CDC, the WHO and other health organizations, and investment in employee education and training will allow employers to safely navigate competing concerns about workplace safety and worker privacy.

California Attorney General Releases New Report with Findings and Recommendations on 2013 Data Breaches

On October 28, 2014, California Attorney General Kamala D. Harris announced the release of the second annual California Data Breach Report. The report provides information on data breaches reported to California’s Attorney General in 2012 and 2013. Overall, 167 breaches were reported by 136 different entities to California’s Attorney General in 2013. According to the report, 18.5 million records of California residents were compromised by these reported breaches, up more than 600 percent from the 2.6 million records compromised in 2012. In addition, the number of reported data breaches increased by 28 percent in 2013, rising from 131 in 2012 to 167 in 2013.

Other key findings include:

  • Computer intrusions, such as hacking and malware breaches, comprised over half of all reported breaches in 2013 and over 93 percent of all compromised records (over 17 million records).
  • Retailers reported the most breaches (43), which represented 26 percent of the breaches reported in 2013.
  • In 2012-2013, the majority of breaches in the health care sector (70 percent) were caused by lost or stolen hardware or portable media containing unencrypted data.

The report also contains best practices and recommendations for California retailers, consumers, the health care sector and legislatures to improve the security of personal data. “Data breaches pose a serious threat to the privacy, finances and personal security of California consumers,” Attorney General Harris said. “The fight against these kind of cybercrimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses. I strongly encourage more use of encryption to significantly reduce the risk of data breaches.” The report made several recommendations to retailers, including updating point-of-sale terminals to enable chip card technology, implementing appropriate encryption and tokenization solutions to devalue payment card data and providing more helpful information in substitute notice regarding payment card breaches. In addition, the report recommends that California legislators consider amending the breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers, and require a final breach report to the Attorney General.

Read the full California Data Breach Report.

TD Bank Agrees to Settlement to Resolve Multistate Investigation into 2012 Data Breach

On October 10, 2014, TD Bank, N.A. entered into an assurance of voluntary compliance (“Assurance”) with a multistate group of nine attorneys general to settle allegations that the company violated state consumer protection and personal information safeguards laws in connection with a 2012 data breach. The breach involved the loss of two unencrypted backup tapes containing the personal information of approximately 260,000 customers. The Assurance requires TD Bank to pay $850,000 to the attorneys general.

In addition to the payment, the Assurance calls for TD Bank to:

  • Notify affected residents of the nine states of any future breach of security or other unauthorized acquisition of personal information in a timely manner;
  • Maintain reasonable security policies and procedures to protect personal information, including a prohibition on transporting unencrypted backup tapes;
  • Assess the company’s internal policies regarding the collection, storage and transfer of consumers’ personal information at least every two years, making changes as needed to more adequately protect the confidentiality and privacy of personal information; and
  • Provide training for its employees on securing backup tapes.

View the Assurance.

California Attorney General Settles Laptop Spying Case with Rent-to-Own Franchisor

On October 14, 2014, rent-to-own retailer Aaron’s, Inc. (“Aaron’s”) entered into a $28.4 million settlement with the California Office of the Attorney General related to charges that the company permitted its franchised stores to unlawfully monitor their customers’ leased laptops.

The settlement stems from a complaint filed on October 7 in the Superior Court of California, County of Los Angeles, by the Attorney General of California. The complaint accused Aaron’s of violating its California customers’ constitutional right to privacy when it “turned a blind eye as its franchisees installed spyware on computers rented to unsuspecting customers.” The complaint also accused Aaron’s of violating California’s unfair business practices law by making false and misleading statements in advertisements and by engaging in unlawful billing and rental practices.

Under the settlement, Aaron’s agreed to refund $25 million to California consumers who leased laptops from the company’s franchised stores between April 1, 2010 and March 31, 2014, and to pay $3.4 million in civil penalties and fees. The company also agreed not to use any monitoring technology on its customers’ leased computers without appropriate notice and consent.

In October 2013, Aaron’s entered into a settlement agreement with the FTC over similar charges that the franchisor knowingly assisted its franchisees in spying on consumers. And last month, Vermont’s Attorney General reached a settlement with one of the company’s franchisees, SEI/Aaron’s, Inc., over charges that the franchisee’s spying activities violated Vermont’s debt collection laws.

California Governor Approves New Privacy Legislation

On September 30, 2014, California Governor Jerry Brown announced the recent signings of several bills that provide increased privacy protections to California residents. The newly-signed bills are aimed at protecting student privacy, increasing consumer protection in the wake of a data breach, and expanding the scope of California’s invasion of privacy and revenge porn laws. Unless otherwise noted, the laws will take effect on January 1, 2015.

New Student Privacy Laws

On September 29, 2014, California Governor Jerry Brown signed into law a bill (SB 1177) that places restrictions on the data practices of online educational services for K-12 schools. In general, the new law, the Student Online Personal Information Protection Act (“SOPIPA”), prohibits an “operator” of online educational services for K-12 students from:

  • Engaging in targeted advertising based on any information the operator acquired from usage of its online service;
  • Assembling student profiles for non-educational purposes from information derived from the operator’s online service;
  • Selling a student’s information; and
  • Disclosing “covered information,” unless an exception applies.

Under SOPIPA, “covered information” is defined as personally identifiable information created or provided by a student or an employee of a K-12 educational institution, or descriptive or identifiable information gathered by an operator through the operation of its online service. The bill also requires operators to implement and maintain reasonable and appropriate security procedures and practices to safeguard covered information, and to delete a student’s covered information upon the request of the relevant educational institution. SOPIPA comes into effect on January 1, 2016.

Another bill (AB 1584) signed into law on September 29 regulates the usage of third party cloud services and other digital services related to student records management by California educational institutions. Under the new law, student records must remain the property of and under the control of the educational agency. The law also sets contractual requirements and restrictions relating to accessing, reviewing, using and securing the student records related to these services.

In addition, Governor Brown signed into law on September 29 a bill (AB 1442) that requires school districts to first notify students and their parents before adopting any program that gathers or maintains information obtained from a student’s online social media. The new law also sets requirements related to a student’s right to review, correct and delete such social media information gathered by the school district, and imposes retention restrictions on this information.

Updates to California’s Data Breach Law

On Tuesday, September 30, Governor Brown signed into law a bill (AB 1710) that amends California’s breach notification law, making three updates to the existing law:

  • For a business providing notification that was the source of the breach, “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”
  • Businesses that maintain personal information about California residents (e.g., service providers) must employ reasonable and appropriate security procedures and practices for the personal information they maintain.
  • The updated law strengthens the current restrictions on the use or disclosure of Social Security numbers by prohibiting businesses from selling, advertising for sale or offering to sell Social Security numbers, with limited exceptions.

Updated Invasion of Privacy Law

Governor Brown signed into law on September 30 a bill (AB 2306) that updates California’s invasion of privacy law. Under the existing law, a person can be liable for a constructive invasion of privacy if he or she uses a visual or auditory enhancing device to capture an unlawful image, sound or recording. The updated law expands the scope of liability for an invasion of privacy by making it unlawful to use any device to unreasonably capture an image, sound or recording of another person engaging in a personal or familial activity under circumstances in which the other person had a reasonable expectation of privacy.

Expansion of Revenge Porn Liability

Governor Brown signed into law on September 30 a bill (AB 2643) that enables victims to bring lawsuits for civil damages against violators of California’s revenge porn law. According to the bill, the updated law creates a “private right of action against a person who intentionally distributes a photograph or recorded image of another that exposes the intimate body parts…without his or her consent, knowing that the other person had a reasonable expectation that the material would remain private, if specified conditions are met.”

Vermont Attorney General Reaches Settlement with Aaron’s Franchisee Over Unlawful Debt Collection Practices

On September 8, Vermont Attorney General William Sorrell announced that SEI/Aaron’s, Inc. has entered into an assurance of discontinuance, which includes $51,000 in total fines, to settle charges over the company’s remote monitoring of its customers’ leased laptops. The settlement stems from charges accusing SEI/Aaron’s, an Atlanta-based franchise of the national rent-to-own retailer Aaron’s, Inc., of unlawfully using surveillance software on its leased laptops to assist the company in the collection of its customers’ overdue rental payments. The Vermont Office of the Attorney General claimed that such remote monitoring of the laptop users’ online activities in connection with debt collection constituted an unfair practice in violation of the Vermont Consumer Protection Act.

Under the settlement, the company agreed to pay a $45,000 civil penalty to the state of Vermont and $2,000 to each of the three Vermont consumers whose leased laptops were monitored by SEI/Aaron’s for allegedly unlawful purposes. The company also agreed to not install any monitoring software on its customers’ leased computers in connection with debt collection activities or in response to delinquent payments.

The Vermont Attorney General’s settlement with SEI/Aaron’s comes nearly a year after the company’s franchisor, Aaron’s Inc., reached a settlement with the FTC over charges that the franchisor knowingly played a vital role in its franchisees’ installation and use of surveillance software on rental computers to secretly monitor consumers.

California Lawmakers Pass Bill to Amend State’s Breach Notification Law

On August 19, 2014, California state legislators made final amendments to a bill updating the state’s breach notification law. The amended bill, which passed the State Senate on August 21 and the Assembly on August 25, is now headed to California Governor Jerry Brown for signature. If signed, the scope of the existing law would extend to apply to entities that “maintain” personal information about California residents. Currently, only entities that “own” or “license” such personal information are required to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, modification or disclosure.

In addition, the bill would require notifying entities that are the source of a security breach to include in their notification an offer to provide “appropriate identity theft prevention and mitigation services” to affected individuals for not less than 12 months at no cost to the individual. The bill also would strengthen current restrictions on the use or disclosure of Social Security numbers by prohibiting selling, offering to sell, or advertising the sale of, Social Security numbers.

Update: On September 30, 2014, Governor Jerry Brown signed the amended bill AB 1710 into law.

Illinois Becomes the Latest State to “Ban the Box”

As reported in the Hunton Employment & Labor Perspectives Blog:

Illinois recently joined a growing number of states and municipalities that have passed “ban the box” laws regulating when employers can inquire into an applicant’s criminal history.

The Job Opportunities for Qualified Applicants Act was signed into law by Governor Pat Quinn on July 19, 2014. The law provides that private employers with 15 or more employees are not permitted to inquire into, consider, or require disclosure of an applicant’s criminal history until (1) the individual has been offered an interview or (2) if there is no interview, the individual has been given a conditional offer of employment.

The law does have several exceptions, most notably, for employers who, pursuant to state or federal law, are required to exclude applicants with certain criminal convictions.

The Illinois Department of Labor is responsible for investigating violations of the Act, which could result in civil fines up to $1,500. The law goes into effect on January 1, 2015.

Illinois is following the lead of several other states – such as Hawaii, Massachusetts, Minnesota, and Rhode Island – that have passed “ban the box” legislation applying to private employers. Several municipalities have passed similar legislation, including the District of Columbia (which is still awaiting approval from the Mayor and Congress) and Newark, New Jersey.

Unless exempted from coverage, Illinois employers should remove from their application materials any inquiries into an applicant’s criminal history and refrain from making any such inquiries, whether directly with the applicant or through a criminal background check, until the applicant has been offered either an interview or the position.

Delaware Enacts New Data Destruction Law

On July 1, 2014, Delaware Governor Jack Markell signed into law a bill that creates new safe destruction requirements for the disposal of business records containing consumer personal information. The new law requires commercial entities conducting business in Delaware to take reasonable steps to destroy their consumers’ “personal identifying information” prior to the disposal of electronic or paper records. The law will take effect on January 1, 2015.

Under the new law, destruction requirements apply to a consumer’s “personal identifying information.” The term “consumer” is defined as an individual entering into a transaction “primarily for personal, family, or household purposes” and “personal identifying information” (“PII”) consists of the consumer’s first name or first initial and last name in combination with any of the following data elements:

  • a signature;
  • full date of birth;
  • Social Security number or passport number;
  • driver’s license or state identification card number;
  • insurance policy number;
  • financial services account number, bank account number, credit card number, or “any other financial information;” or
  • confidential health care information.

Notably, a consumer’s information qualifies as “personal identifying information” if either his or her name or the accompanying data element is unencrypted at the time of disposal.

Under the new law, when records are “no longer to be retained,” commercial entities must “take all reasonable steps to destroy or arrange for the destruction of a consumer’s” PII within those records. The statute explicitly calls for “shredding, erasing, or otherwise destroying or modifying” the consumer PII in a manner that makes it “entirely unreadable or indecipherable.”

The new law comes equipped with a number of enforcement mechanisms, including a private right of action for consumers who incur actual damages as a result of a violation. Significantly, the statute enables aggrieved consumers to seek treble damages, which could quickly add up given that “each record unreasonably disposed of constitutes an individual violation” of the statute. Under certain circumstances, the Delaware Attorney General and Division of Consumer Protection of the Department of Justice also may bring enforcement actions for violations of the statute.

The statute does carve out several exemptions for regulated entities, including financial institutions subject to the privacy and security requirements of the Gramm-Leach-Bliley Act, consumer reporting agencies subject to the FCRA, and certain covered entities subject to HIPAA’s privacy and security requirements.

Florida Amends Breach Notification Law to Cover Health Data, Tighten Notice Deadline and Require State Regulator Notification

On June 20, 2014, Florida Governor Rick Scott signed a bill into law that repeals and replaces the state’s existing breach notification statute with a similar law entitled the Florida Information Protection Act (Section 501.171 of the Florida Statutes) (the “Act”).

Below is a summary of several key changes the Act makes to the previous breach notification statute:

  • The Act revises the definition of “breach of security” to cover “unauthorized access” of electronic data containing personal information; the previous law defined breach more narrowly to mean “unlawful and unauthorized acquisition” of computerized data that materially compromises the security, confidentiality or integrity of personal information.
  • The Act expands the definition of “personal information” to include “[a]ny information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.” In addition, the definition of “personal information” now includes a “username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.”
  • The Act requires notice to affected individuals no later than “30 days after determination of the breach or reason to believe a breach occurred.” If good cause is presented in writing to the Department of Legal Affairs (the “Department”) within the 30-day window, the covered entity may receive an additional 15 days to provide notice. The previous law required notification within 45 days.
  • The Act requires notice to the Department for a breach affecting 500 or more Florida residents in accordance with the 30-day timing requirement and 15-day extension period described above. The notification to the Department must include:
    • a synopsis of the events surrounding the breach at the time notice is provided;
    • the number of individuals in Florida who were or potentially have been affected by the breach;
    • any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, and instructions as to how to use such services;
    • a copy of the notice to affected individuals or an explanation of the other actions taken pursuant to the notification provision; and
    • the name, address, telephone number and email address of the employee or agent of the covered entity from whom additional information may be obtained about the breach.
  • Covered entities also may be required to provide the following information to the Department upon request:
    • a police report, incident report or computer forensics report;
    • a copy of the policies in place regarding breaches; and
    • steps that have been taken to rectify the breach.
  • The Act provides a harm threshold similar to the one contained in the previous law. Pursuant to the Act, however, a covered entity may rely on the harm threshold only “after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies” (emphasis added). In addition, the covered entity must provide the written determination to the Department within 30 days after the determination.

The Act took effect on July 1, 2014. View the amended breach law.

Connecticut Governor Signs Pharmacy Reward Program Authorization Bill into Law

On June 12, 2014, Connecticut Governor Dannel Malloy signed a bill into law that may require retailers to modify their existing Health Insurance Portability and Accountability Act (“HIPAA”) authorizations for pharmacy reward programs. The law, which will become effective on July 1, 2014, obligates retailers to provide consumers with a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers may enroll. It also requires retailers to include specific content in the authorization forms that are required pursuant to HIPAA. If the consumer is required to sign a HIPAA authorization to participate in a pharmacy reward program, the authorization must include the following items “adjacent to the point where the HIPAA authorization form is to be signed:”

  • The specific uses and disclosures of protected health information (“PHI”) permitted by the HIPAA authorization;
  • Whether PHI will be disclosed to third parties, and that such information will not be protected by federal or state privacy laws;
  • Which third parties will have access to the PHI;
  • How the consumer may revoke his or her HIPAA authorization; and
  • That the consumer is entitled to a copy of the signed HIPAA authorization.

Because the requirements of the Connecticut law go beyond the current content requirements for HIPAA authorizations in the HIPAA Privacy Rule, retailers should consider whether they need to revise existing HIPAA authorizations to comply.

California Attorney General Releases Guidance on Recent Changes to CalOPPA

On May 21, 2014, California Attorney General Kamala D. Harris issued guidance for businesses (“Guidance”) on how to comply with recent updates to the California Online Privacy Protection Act (“CalOPPA”). The recent updates to CalOPPA include requirements that online privacy notices disclose how a site responds to “Do Not Track” signals, and whether third parties may collect personal information about consumers who use the site. In an accompanying press release, the Attorney General stated that the Guidance is intended to provide a “tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.” The Guidance is not legally binding; it is intended to encourage companies to draft transparent online privacy notices.

The Guidance, Making Your Privacy Practices Public, recommends, among other items, that website operators’ online privacy notices:

  • conspicuously identify the section of the notice that provides information on the site’s response to “Do Not Track” signals;
  • state whether third parties are collecting personally identifiable information;
  • explain uses of personally identifiable information beyond the uses necessary for fulfilling the basic functionality of the online service;
  • provide links to the privacy policies of third parties with whom the website operator shares personally identifiable information; and
  • describe the choices a consumer has with respect to the collection, use and distribution of his or her personal information.

The Guidance clarifies that describing how a website responds to a “Do Not Track” signal is preferable to merely linking to a “choice program” because a description of the site’s specific response provides greater transparency to consumers. In crafting this section of an online privacy notice, website operators should consider whether they (1) treat a visitor differently if his or her browser relays a “Do Not Track” signal, and (2) collect visitors’ personally identifiable information over time and across third party websites. If website operators provide a link to a “choice program” rather than describing their sites’ particular response to a “Do Not Track” signal, the operators should ensure that (1) they comply with the “choice program,” and (2) the link to the “choice program” describes the program’s effects on the consumer and how the consumer can exercise the choice offered by the program.

Read the full version of the guidance.

White House Releases Report on Big Data

On May 1, 2014, the White House released a report examining how Big Data is affecting government, society and commerce. In addition to questioning longstanding tenets of privacy legislation, such as notice and consent, the report recommends (1) passing national data breach legislation, (2) revising the Electronic Communications Privacy Act (“ECPA”), and (3) advancing the Consumer Privacy Bill of Rights.

The report states that consumers have a “right to know if [their] information has been stolen or otherwise improperly exposed” and continues that data breaches are currently regulated by a “patchwork” of 47 state laws. The report recommends that Congress pass legislation providing a single data breach standard, similar to the Obama administration’s May 2011 proposal. The data breach legislation should include “reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents.”

The report also recommends revising ECPA to confirm that online, digital content is protected in the same manner as hard copy materials. For example, the report recommends removing distinctions in ECPA that focus on how long an email has been left unread.

The White House’s Big Data report also recommends advancing the Consumer Privacy Bill of Rights released by the Obama administration in February 2012. Specifically, the report calls on the Department of Commerce to seek public comment on the Consumer Privacy Bill of Rights, and then draft legislation for review by the President and Congress.

Read the White House’s Fact Sheet on the Big Data and Privacy Working Group Review.

Kentucky Enacts Data Breach Notification Law

On April 10, 2014, Kentucky Governor Steve Beshear signed into law a data breach notification statute requiring persons and entities conducting business in Kentucky to notify individuals whose personally identifiable information was compromised in certain circumstances. The law will take effect on July 14, 2014.

Kentucky’s data breach notification law covers “personally identifiable information,” which is defined as an individual’s first name or first initial and last name in combination with any of the following:

  • Social Security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.

The breach notification law contains a harm threshold: entities are not required to notify affected Kentucky residents unless the breach “actually causes, or leads the [entity] to reasonably believe has caused or will cause identity theft or fraud.”

The law does not require entities to notify the state Attorney General or any other government agencies, but it does require notice to all consumer reporting agencies and credit bureaus if more than 1,000 residents are to be notified at one time.

Alabama, New Mexico and South Dakota are now the only U.S. states that have not yet enacted a data breach notification law.

View an unofficial copy of the statute.

Hunton Global Privacy Update – January 2014

On January 21, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program highlighted some of the key privacy developments that companies will encounter in 2014, including cybersecurity issues in the U.S., California’s Do Not Track legislation, Safe Harbor, the EU General Data Protection Regulation and the CNIL’s new cookie guidance.

Listen to a recording of the January 2014 Hunton Global Privacy Update. Previous recordings of the Hunton Global Privacy Updates may be accessed under the Multimedia Resources section of our privacy blog.

Hunton Global Privacy Update sessions are 30 minutes in length and are scheduled to take place every two months. The next Update is slated for March 18, 2014.

State “Ban the Box” Legislation Gains Momentum

As reported in the Hunton Employment & Labor Perspectives Blog, the “ban the box” movement continues to sweep through state legislatures. “Ban the box” laws, which vary in terms of scope and detail, generally prohibit employers from requesting information about job applicants’ criminal histories. Recent legislation in two states applies “ban the box” prohibitions to private employers in those states:

  • On December 1, 2013, a new North Carolina law went into effect that prohibits employers from inquiring about job applicants’ arrests, charges or convictions that have been expunged. This prohibition applies to requests for information on applications and during interviews with applicants.
  • On January 1, 2014, a new Minnesota law goes into effect that prohibits employers from inquiring into, requiring disclosure of or considering the criminal record or criminal history of an applicant until the applicant has been selected for an interview or, if there is no interview, until after a conditional offer of employment has been made.

Employers should review their applications and hiring practices to ensure compliance with the new laws, and verify that managers involved in the hiring process understand when, and to what extent, they are permitted to inquire about applicants’ criminal histories.

Read the full post on the Hunton Employment & Labor Blog.

FTC Announces Seminars on Mobile Device Tracking, Predictive Scoring and Consumer-Generated Health Data

On December 2, 2013, the Federal Trade Commission announced that it will host a series of seminars to examine the privacy implications of three new areas of technology used to track, market to and analyze consumers: mobile device tracking, predictive scoring and consumer-generated health data. The seminars will address (1) businesses tracking consumers using signals from the consumers’ mobile devices, (2) the use of predictive scoring to determine consumers’ access to products and offers, and (3) consumer-generated information provided to websites and apps that are not covered by HIPAA. The FTC stated that the intention of the seminars is to bring attention to new trends in big data and their impact on consumer privacy.

In 2011, Senator Chuck Schumer (D-NY) urged companies to obtain opt-in consent from consumers before engaging in mobile device tracking and asked the FTC to examine the issue. In March 2013, Senator Al Franken (D-MN) asked one tracking company to explain how it collects and uses data from consumers. The FTC’s seminar will address the potential benefits of mobile device tracking to consumers, whether mobile device tracking is anonymous, and how companies can implement privacy by design, including notifying consumers and allowing them to choose whether or not to be tracked.

The seminar on predictive scoring will focus on the uses of predictive scores, ranging from identity verification and fraud prevention to marketing and advertising. The panel will discuss questions such as the accuracy of the scores and the underlying data used to create them, the privacy concerns surrounding the use of the scores and what consumer protections should be provided.

The seminar on consumer-generated health data will examine the types of websites, products and services consumers are using to generate and control their health data, the actions companies are taking to protect consumers’ privacy and security and whether advertising networks impose restrictions on tracking health data.

The Mobile Device Tracking seminar will be held on February 19, 2014 and the Alternative Scoring Products seminar will be held on March 19, 2014. The date of the Consumer Generated and Controlled Health Data seminar has not been announced. The FTC has invited comment from the public on the proposed topics, and will issue staff reports following the sessions.