Two U.S. Circuit Courts of Appeals recently weighed in on what it takes to establish standing to pursue a Telephone Consumer Protection Act (TCPA) claim. The 5th Circuit held that receipt of one unwanted text message is enough to satisfy Article III, which deviates from a prior 11th Circuit decision holding that one text message does not confer standing. On the other hand, the 3rd Circuit held that a TCPA plaintiff did not have standing where the plaintiff alleged only a TCPA violation, but no harm. Finally, the 11th Circuit issued an opinion interpreting the Fair Debt Collection Practices Act (FDCPA) that has important implications for debt collectors using vendors to place calls or text messages.
Starting at the Beginning: California Privacy Protection Agency Board Meets for the First Time
On June 14, 2021, the Board of the newly-formed California Privacy Protection Agency (“CPPA”) held its first public meeting. The Board had an extensive agenda, covering topics such as the laws affecting the Board and CPPA, initial hiring strategy for the CPPA, policies and practices on delegations of authority and conflicts of interest, establishment of subcommittees of the Board, notice to the Attorney General regarding the assumption of rulemaking under the California Privacy Rights Act (the “CPRA”), and setting future agenda items and a meeting schedule for the Board. (As a refresher, when the CPRA passed as a ballot measure last Fall, it established the CPPA as a first-of-its-kind agency solely devoted to the regulation and enforcement of consumer privacy. The CPPA is tasked with enforcing the CPRA and developing a set of regulations providing guidance for businesses on how to comply with that new law. For more on the CPRA, please see our post here.)
While the CPPA Board’s June 14 full-day meeting covered a lot of ground, it is clear there is much work to be done for the CPPA to emerge as an independent, fully-functional agency, let alone promulgating regulations in time to meet the CPRA’s July 1, 2022 deadline for final regulations. Overall, the Board members appeared to be committed to working through these challenges, but acknowledged that they are under a lot of time pressure.
Federal Law Won’t Protect Your Organization from Bad User Access Control Practices
Yesterday, the Supreme Court resolved a circuit split on the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) in a decision that emphasizes the importance of how organizations manage access to their systems. Employees with access to information at work sometimes access that information with improper motives, and in violation of office policies. This inappropriate use of access has led to federal criminal prosecution for some. In Van Buren v. United States, No. 19-783, the United States Supreme Court held that the CFAA is not properly applied to justify those prosecutions.
Nathan Van Buren was a police officer who accepted $6,000 from Andrew Albo, a participant in an FBI sting operation, to search a police database to determine whether a woman Albo professed interest in was an undercover police officer. Van Buren ran a search for the woman’s license plate in the Georgia Crime Information Center database. For doing so, Van Buren was charged and convicted of violating the CFAA, because he had “exceeded” his authority to access that database.
Continue Reading Federal Law Won’t Protect Your Organization from Bad User Access Control Practices
As HIPAA, HITECH Undergo Modernization, NIST Seeks Comment on Security Standard Guidance
On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), discussed in a previous McGuireWoods’ post. The comment period for these proposals recently ended on May 6, 2021, and HHS received almost 1500 comments from interested stakeholders. If finalized, these proposals will require HIPAA-covered entities and business associates to implement many changes, including updates to their policies, procedures, security standards, notices of privacy practices, authorization and disclosure forms, and business associate agreements. In the age of digital targeting and ransomware, possibly the most important of these is a change to security standards.
Biden Administration Orders Improvements to Cybersecurity and Federal Networks Amid Cyberattacks
On May 12, President Biden signed an executive order mandating that the federal government significantly improve cybersecurity within its networks and modernize federal cyber defenses. This move follows a series of cyberattacks on private companies and federal government networks over the past year, including a recent incident that resulted in gasoline shortages along the U.S. East Coast.
To learn about new standards for federal information systems, which will trigger wide-reaching changes for federal contractors and private sector industry participants, see the full alert on our website.
DOL’s New Cybersecurity Guidance
On April 14, 2021, the United States Department of Labor (the “DOL”) issued for the first time guidance to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants guidance on cybersecurity issues. The DOL’s press release includes three pieces of guidance, including: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.
The Employee Benefits Security Administration, a sub-agency of the DOL (the “EBSA”) long ago stated that addressing cybersecurity has been on the agency’s “to do” list and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.
The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.
Tech Investing Part 1: Zero Hour
The technology sector runs the gamut from artificial intelligence (AI), the Internet of Things (IoT) to SaaS companies or cybersecurity, and from the biggest household names to the smallest companies being operated out of garages. The rise of AI and traps for the unwary were previously covered here. Risks of investing in SaaS Solutions can be found here and here. Technology is everywhere in 2021, even in the smallest brick and mortar shops around. Technology investing offers lucrative opportunities for investors large and small, but there are many traps for the unwary, such as “zero-day exploits.”
Colleges Should Brace for Next Phase of COVID-19 Class Actions
Almost exactly a year ago, the first COVID-19 tuition reimbursement lawsuits were filed against higher education institutions across the United States and we warned of the continued onslaught of such litigation. With the filing of those reimbursement class actions decreasing, higher education institutions should be cognizant of a potential new wave of COVID-19 class actions: privacy class action lawsuits related to the COVID-19 vaccine.
Continue Reading Colleges Should Brace for Next Phase of COVID-19 Class Actions
U.S. Supreme Court Adopts Narrow Autodialer Definition in 9-0 Defense Victory
On April 1, 2021, the U.S. Supreme Court issued its long-awaited opinion in Facebook v. Duguid, which resolved a circuit split regarding the meaning of “automatic telephone dialing system” (autodialer or ATDS) under the Telephone Consumer Protection Act (TCPA). In a decision authored by Justice Sonia Sotomayor, the court adopted the narrow, pro-defendant definition of autodialer.
Continue Reading U.S. Supreme Court Adopts Narrow Autodialer Definition in 9-0 Defense Victory
HHS Extends Public Comment Period for Proposed HIPAA Privacy Rule Changes
On March 9, the Department of Health and Human Services announced it was extending until May 6, 2021, the comment period for proposed changes to regulations implementing the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009.
Read our complete alert to learn more about this development and the proposed rule, expected to draw significant interest and comment from stakeholders in the healthcare industry.