Privacy and Data Security

As we recently reported on this blog, the California Attorney General (AG) released long awaited draft regulations to the California Consumer Privacy Act (CCPA). The regulations provided clarity on several provisions in the law, while also failing to answer some open questions. In a series of upcoming blog posts, we will discuss the regulations most directly relevant to companies as they determine whether they are covered under the law and how to comply. This first post discusses the notices and privacy policies described in detail in the proposed regulations.

Last month, the Food & Drug Administration (FDA) issued a long-awaited revision to its Policy for Device Software Functions and Mobile Medical Applications Medical App - Guidance for Industry and Food and Drug Administration Staff (the Guidance).  The revised Guidance was among several newly announced policies aimed at advancing the FDA’s digital health initiative that promotes innovation, while also permitting efficient and up-to-date regulatory oversight.

As readers of the Data Security Blog will know, the California Consumer Privacy Act (“CCPA”) becomes operative on January 1, 2020.  The CCPA is the most sweeping consumer privacy law in the United States, covering most for-profit businesses that do business in California and collect the personal information of “consumers,” meaning California residents. 

This past week, The Home Depot, Inc. became the latest business hit with a class action lawsuit for their use of facial recognition security cameras allegedly in violation of the Illinois Biometric Information Privacy Act.  If successful, Home Depot faces statutory damages of up to $5,000 for each time a shopper’s information was collected in violation of BIPA.

On May 6, 2019, Magistrate Judge Gorenstein issued an order that should be a wake-up call for attorneys contemplating hiring and sharing privileged communications with an outside public relations firm.  This decision also has wider implications, especially for companies engaging a forensic consultant to assist in responding to a cyber incident or data breach.

Last Thursday, Governor Cuomo signed New York’s latest data security bill – the Stop Hacks and Improve Electronic Data Security, or “SHIELD” Act.  The Act, which we have followed on this blog since November 2017, imposes new notification obligations on businesses managing private data when a security breach occurs.  Capital One’s recent breach underscores the significance of the changing regulatory landscape, as both businesses and the government attempt to navigate and protect against large-scale cybersecurity attacks, and the importance of understanding notification obligations, should those efforts fail.

The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On July 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, 2019 U.S. App. LEXIS 18609 (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches and injected yet another piece into the growing puzzle surrounding constitutional standing in breach litigation. The case had previously been dismissed after a district court held that the plaintiffs lacked standing based on their failure to allege concrete injuries. In a divided opinion, the D.C. Circuit panel reversed, holding that the plaintiffs’ allegations of potential future harm were sufficient for the case to move forward.

As we’ve written about in the past, the SAFETY Act has the potential to help companies mitigate their risk from cyber-terrorism.  As previously noted, the statute has never been fully tested in courts, so the full contours of its protection remain uncertain. Nonetheless, the benefits of SAFETY Act approval may extend well beyond those mandated by Congress: to the right company, SAFETY Act approval could be a significant market differentiator and, in the right circumstances, could be a powerful tool in litigation even when the Act does not itself apply.

It’s been a tough week for the healthcare industry.

Just days after Quest Diagnostics reported a breach at a third-party vendor affecting approximately 11.9 million of its patients, LabCorp disclosed that a breach at the same vendor exposed the personal and financial data of 7.7 million of its customers.

Today, New York’s top financial regulator, the Department of Financial Services, announced the formation of a dedicated “Cybersecurity Division.” In a news release issued earlier today, the agency said the new division “will focus on protecting consumers and industries from cyber threats ….”

Last week President Trump issued an executive order targeted at improving the quality of the federal government’s cybersecurity workforce. The executive order—which acknowledges the shortage of qualified employees for cybersecurity jobs—would implement a number of steps to strengthen and expand cyber knowledge within the federal government.

The FBI’s Internet Crime Complaint Center, better known as IC3, released its 2018 Internet Crimes Report.  For those unfamiliar with the IC3, it was established by the FBI in May 2000 as a central repository for public complaints of internet-based crimes. Since its inception, IC3 has received more than 4 million complaints. To facilitate law enforcement efforts and promote public awareness, IC3 analyzes the complaints it receives and disseminates information to the public and law enforcement. Among other things, it identifies trending scams, refers scams that do not meet federal law enforcement thresholds to state and local law enforcement, and provides victim services. New in 2018, IC3 created the Recovery Asset Team to help victims of internet-facilitated schemes recover funds and the Victim Specialist-Internet Crime position to provide crisis intervention, needs assessments, and referrals.

The Securities and Exchange Commission is warning investment firms to step up their game when it comes to following the agency’s privacy rules. In a Risk Alert issued by the Office of Compliance Inspections and Examinations (OCIE), a laundry list of compliance “deficiencies or weaknesses” were identified in recent examinations of SEC-registered investment advisers and broker dealers.

In our third and final installment on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information,” we look at other sections of the CCPA that either limit the applicability of the law’s “personal information” definition or exclude information from coverage under the law.

Our three-part series on the California Consumer Privacy Act’s (CCPA) expansive definition of “personal information” is designed to help businesses identify whether they hold information covered under the law, while also highlighting the potential pitfalls in the definition as we await interpretative regulations from the California Attorney General and potential amendments from the state’s legislature. In Part I, we explored the breadth of the definition. We now turn to the law’s two explicit exclusions from the definition of “personal information.” 

The California Consumer Privacy Act (CCPA) is set to become “operative” on January 1, 2020. As we have written in earlier blog posts, the CCPA is the most sweeping consumer privacy law in the country.

Companies from California to New York are already scrambling to comply with a growing patchwork of privacy laws covering both businesses and consumers.

When New York’s far-reaching cybersecurity law for financial institutions was enacted more than two years ago, some predicted it would serve as a national blueprint for future data security laws. Now, as the U.S. Federal Trade Commission considers changes to two privacy rules designed to safeguard customer information held by financial institutions, the proposed changes to one law – the Safeguards Rule – hue closely to a handful of requirements already in place in New York.

Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?

A bipartisan group of senators have proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors, and, if none exists, explain why the company doesn’t believe it is necessary.

The use of biometric technology is fast becoming the next big thing in privacy litigation. There was last month’s decision by the Illinois Supreme Court that upheld a consumer’s right to sue companies for collecting biometric data – such as fingerprints and iris scans – without first disclosing how such information will be used. See our blog on that ruling here.

It’s been almost two years since New York’s top banking regulator implemented one of the nation’s most stringent cybersecurity regulations.  Since then, thousands of financial institutions have recruited chief information security officers, implemented cybersecurity programs, performed penetration testing, and imposed encryption requirements on their most sensitive information.

It’s a marathon month for the thousands of financial institutions and insurance companies covered by New York’s landmark cybersecurity regulation. In little more than a week, these businesses must file their second annual certification of compliance with the State’s Department of Financial Services. Two weeks later, they must also come into compliance with the regulation’s third-party vendor requirements, the final milestone in the two-year roll out of the cybersecurity regulation.

An obscure federal law called the SAFETY Act recently captured national headlines when MGM Resorts International invoked it in a series of pre-emptive, declaratory judgment law suits against the victims of the 2017 Harvest Festival Las Vegas shooting. MGM sued the victims in an effort to avoid liability in connection with the tragedy. MGM owns the Mandalay Bay hotel, where Stephen Paddock, from his 32nd floor suite, shot and killed 58 people and wounded hundreds more who were attending a music festival next door.

The New York Times featured an op-ed last week written by Craig A. Newman, Chair of Patterson Belknap’s Privacy and Data Security Practice, entitled “Lessons for Corporate Boardrooms From Yahoo’s Cybersecurity Settlement.” In the op-ed, Mr. Newman discusses how the January 2019 settlement “marked the first time that shareholders have been awarded monetary damages in a derivative lawsuit related to a data breach.” Mr. Newman notes, “the settlement signals that director and officer liability for cybersecurity oversight is entering new and potentially perilous territory.”

To read the full article, click here.