California AG Releases Proposed CCPA Regulations

This week, California Attorney General (AG) Xavier Becerra released the draft regulations for the California Consumer Privacy Act (CCPA). The rules set forth procedures for businesses covered under the CCPA to follow for compliance. The rules can be found here.

Nevada Consumer Privacy Law – In Effect

As previously reported, Nevada Senate Bill 220 (SB-220), which offers consumers the ability to opt out of the sale of their personal information, has become effective as of October 1, 2019. Analysis of the law and what it means for your business can be found here.

European Court of Justice Rules Active Consent Needed For Tracking Cookies

The European Court of Justice (CJEU) decided that companies must get active consent from internet users before using cookies to track browsing activity. “Passive” acceptance of cookies is not an acceptable form of consent. This includes using prechecked boxes, or posting a cookies banner and assuming the user has consented via their continued use of the website. The ruling can be found here.

DOD Seeks Input From Nonprofits For Cyber Accreditation Program

The U.S. Department of Defense (DOD) is seeking information from nonprofits regarding an accreditation body for its pending Cybersecurity Maturity Model Certification (CMMC) program. DOD said, “[t]his RFI seeks information on how to define the long-term implementation, functioning, sustainment, and growth of the CMMC accreditation body.” The CMMC will build on DOD cybersecurity requirements by incorporating existing cybersecurity standards, including NIST’s Special Publication 800-171.

According to Rosenworcel, FCC Must Take Greater Role In Cybersecurity

During remarks at a NIST event, Rosenworcel stated that the FCC should work with NIST to help fortify IoT devices against cyber-attacks. “If we want to make sure that no one company can undermine our national security, it’s time for the United States to develop policies that help spur its creation,” she said.

Welcome to a three-part series that provides an overview of the California Invasion of Privacy Act (CIPA), examines recent CIPA litigation involving smart speakers, and proposes defenses in response to an alleged violation.

CIPA in the Age of Smart Devices

The California Invasion of Privacy Act (CIPA)[1]—traditionally used by law enforcement and the plaintiffs’ bar to address illegal recording/eavesdropping on phone calls—has seen renewed interest in the age of smart speakers. Smart speakers, such as Amazon’s Alexa, Google Home and Apple’s Siri, are voice-enabled devices where the user utters a “wake word” to activate a “virtual assistant”.  A number of putative class actions have recently been filed over these “virtual assistants” and whether they illegally record individuals without their consent.  This recent spate of lawsuits highlights CIPA-compliance risks associated with these new technologies. This article provides an overview of CIPA’s history and features, addresses recently filed CIPA smart-device cases, and recommends defenses for responding to a smart device CIPA action. Continue Reading The Revitalization of CIPA Claims in the New Age of “Smart” Speakers (Part I)

Social media posts have become so common and reflexive that people often fire off posts without appropriately considering the consequences.  This can be costly on multiple fronts.  In the health care context, beyond the risk of losing patients (and the revenue they bring), inappropriate posts can result in Health Insurance Portability and Accountability Act (HIPAA) violations.  Indeed, as the Director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has stated, “Social media is not the place for providers to discuss a patient’s care… [doctors] and dentists must think carefully about patient privacy before responding to online reviews.”  Of course, this warning is not limited to dentists; all health care providers should take heed.  Continue Reading From Yelp to YIKES! Dental Practice’s Social Media Posts Result in $10,000 HIPAA Settlement

October 1st marks the beginning of National Cybersecurity Awareness Month (NCSAM). During October, government and industry work together to raise awareness of cybersecurity issues and help promote educational materials. This year, the Department of Homeland Security (DHS) is focusing on, “citizen privacy, consumer devices, and ecommerce security.” To assist with NCSAM efforts, the DHS has provided a NCSAM 2019 Toolkit with cybersecurity information and helpful tips. In honor of NCSAM, Password Protected will highlight cybersecurity developments throughout the month of October. See below for some of the most recent cyber headlines.

NY Attorney General Sues Dunkin’ Over Cyberattacks

Attorney General Letitia James recently brought suit against Dunkin’ over cyberattacks. Specifically, the lawsuit focuses on customer accounts created via the Dunkin’ website or mobile app.  In 2015, these customer accounts were subjected to “brute force attacks,” during which there were repeated attempts to gain access to the accounts. AG James states, “Dunkin’ failed to protect the security of its customers…[a]nd instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”

Senate Passes Cyber Hunt Bill To Help Combat Ransomware Attacks

This week, the Senate passed the DHS Cyber Hunt bill. Under the “DHS Cyber Hunt and Incident Response Teams Act,” DHS would develop “incident response teams” to combat ransomware attacks.  These teams would help recover and restore infrastructure that was shut down or negatively affected by ransomware attacks.

PROTECT Act Meant to Increase Electric Grid Cybersecurity

Last week, the “Protecting Resources On The Electric grid with Cybersecurity Technology” (PROTECT) Act was introduced in the Senate. The bill is aimed at helping protect the security of our nation’s electric grid. It enables the Federal Energy Regulatory Commission (FERC) to incentivize cybersecurity investments by electric utilities, and it creates a program for advanced cybersecurity technology at the Department of Energy (DOE). You can read more about the PROTECT Act here.

In 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided a variety of guidance to address the importance of honoring the right of patients to have access to their medical information and not to be over-charged for exercising that right.

Earlier this week, the OCR announced an enforcement action and settlement under its Right of Access Initiative against Bayfront Health St. Petersburg (Bayfront) in Florida. This settlement, the first of its kind under OCR’s initiative to enforce patients’ rights to promptly receive copies of their medical records without being overcharged, has cost Bayfront $85,000. The 480-bed hospital is also required to undertake a corrective action plan that includes a one-year period of monitoring by OCR. Continue Reading OCR Proves it is Serious About HIPAA’s Right of Access

As discussed here, the California Consumer Privacy Act of 2018 (CCPA), in its current state, likely applies to businesses that collect the personal information of their employees.  AB 25, which passed in the California Assembly on May 29, 2019, sought to address this issue by removing employees and job applicants from the CCPA’s definition of “consumer.”  This amendment was slated to exclude businesses from having to comply with the CCPA if their only connection to the “big data” world is collecting the personal information of employees and job applicants.

Recently, however, AB-25 underwent significant revisions when it made its way to the Senate Judiciary Committee for hearing on July 9, 2019. The bill’s author, Assembly Member Ed Chau, agreed to amend AB-25 before it unanimously passed. The amended version now states that businesses collecting personal information from job applicants, employees, owners, directors, officers, medical staff members or contractors of the business are exempt from the CCPA only until January 1, 2021. Moreover, businesses are not completely off the hook under the one-year exemption. They must still comply with the disclosure obligations under Section 1798.100, and they remain subject to a private right of action under the CCPA if there is a data breach based on a business’s failure to implement and maintain reasonable security procedures and practices.

It remains to be seen if AB-25 will be signed into law in its current iteration.  The addition of the sunset clause suggests that this amendment may be a placeholder until proponents on both sides of this issue negotiate legislation that, on the one hand, alleviates the CCPA’s burden on employers who do not collect or sell typical consumer data, and on the other hand, adequately protects employee privacy and information.

With relatively minimal fanfare, Nevada passed Senate Bill 220 (SB-220), making it the second state to offer consumers the ability to opt out of the sale of their personal information. SB-220 is narrower than the California Consumer Privacy Act (CCPA), but it becomes effective on October 1, 2019, before the CCPA.

Continue Reading Privacy and Cybersecurity State Law Tracker: Nevada Consumer Privacy Law

Governor Mills signed “An Act To Protect the Privacy of Online Customer Information” (LD 946), which requires Internet service providers (ISPs) to obtain opt-in consent prior to “using, disclosing, selling or permitting access to [a consumer’s] prohibited personal information.” LD 946 goes into effect July 2020.

Continue Reading Privacy and Cybersecurity State Law Tracker: Maine Consumer Privacy Law

New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The law amends the existing data breach notification law and adds new cybersecurity requirements. The SHIELD Act takes effect in March 2020.

The Governor also signed into law the Identity Theft Prevention and Mitigation Services Act (Act). The Act requires that credit reporting agencies suffering a breach involving Social Security numbers must provide five years of identity theft prevention and mitigation services to affected consumers. The Act becomes effective in September 2019.

Continue reading for a summary of the SHIELD Act and how it could impact your business. Continue Reading Privacy and Cybersecurity State Law Tracker: NY SHIELD Act and Information Governance

On April 30, 2019, the United States Department of Health and Human Services (HHS) published a notice of enforcement discretion that lowers most of the annual caps on civil money penalties (CMP) that HHS may assess against Covered Entities and Business Associates for violating the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). Specifically, HHS will apply a different cumulative annual CMP limit for each of the four penalty tiers; the limit increases progressively from the first to the fourth penalty tier and maxes out at $1.5 million per violation per year. Continue Reading HHS Lowers Annual Caps on Most HIPAA CMPs