Beginning in 2020, California residents will have the right to opt out of the sale of their personal information under the California Consumer Privacy Act of 2018 (CaCPA or also called CCPA). It is time to revisit your third-party service provider agreements. Companies now have two reasons to ensure that service provider agreements restrict the use or sale of personal information: to comply with CaCPA and to reduce risk of an FTC enforcement action. Continue Reading Preparing for 2020: Check In On Your Vendors
Effective October 1, 2018, Connecticut has the most stringent requirement—24 months—for free mitigation services that must be provided to those affected by a data breach of personally identifiable information (in the case of Connecticut: (A) Social Security number; (B) driver’s license number or state identification card number; (C) credit or debit card number; or (D) financial account number in combination with any required security code, access code or password that would permit access to such financial account).
With a new high-water set, it is likely that other states will quickly follow suit. In the meantime, for entities that are responding to a multi-state data breach that includes Connecticut, there will now be a business decision of whether or not to offer 24 months of services to all affected individuals regardless of state law requirements (some of which are silent and the rest of which require 12 months of services).
The convergence of the General Data Protection Regulation and the investigation into Russian interference in the 2016 election has created a perfect privacy storm. Social media platforms’ complacency on this front, and the resulting public backlash, have further amplified the pressure on legislatures to react. Although state legislatures have been quick to do so (most notably California, which passed a sweeping new privacy law in June), Congress has not.
Recently, Senator Mark Warner (D-VA) issued a draft white paper proposing 20 policy approaches to combat these issues. The proposals seek to enhance user privacy, increase transparency, and dam the deluge of misinformation that, to date, has run through social media platforms largely unchecked.
Personal information has become the prey of relentless poachers. In light of the influx of data breaches, state legislatures are taking action. Not surprisingly, now every state has enacted data breach notification laws, which are triggered when personal information is breached. Read below for a summary of relevant state legislation recently adopted or laws recently amended that pertaining to data breach notification.
Arizona amended its data breach notification law, effective July 21, 2018. This amendment requires companies to notify affected consumers within a 45-day window upon discovery of a data breach. If the data breach impacts more than 1,000 consumers, companies must also notify the state attorney general as well as the three largest consumer credit reporting agencies. The state attorney general can also impose up to $500,000 in penalties for a company’s non-compliance.
On August 1, 2018, NIST will withdraw eleven SP 800 publications that are considered out of date. These publications will not be revised. According to NIST the following publications will be withdrawn:
- SP 800-13 (October 1995), Telecommunications Security Guidelines for Telecommunications Management Network
- SP 800-17 (February 1998), Modes of Operation Validation System (MOVS): Requirements and Procedures
- SP 800-19 (October 1999), Mobile Agent Security
- SP 800-23 (August 2000), Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
- SP 800-24 (April 2001), PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
- SP 800-33 (December 2001), Underlying Technical Models for Information Technology Security
- SP 800-36 (October 2003), Guide to Selecting Information Technology Security Products
- SP 800-43 (November 2002), Systems Administration Guidance for Securing Windows 2000 Professional System
- SP 800-65 (January 2005), Integrating IT Security into the Capital Planning and Investment Control Process
- SP 800-68 Rev. 1 (October 2008), Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
- SP 800-69 (September 2006), Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
More information about these publications and the reason for withdrawal can be found here.
Yesterday Gov. Jerry Brown signed California Consumer Privacy Act of 2018, which grants California residents unprecedented control over the collection, use, and sale of personal information. Many have already speculated that other state legislatures will follow suit and adopt a similar law in their own states, as has occurred in the wake of past California laws on data privacy and security. A copy of the law can be found here.
After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.
Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.
The 2018 Regular Session of the Virginia General Assembly recently concluded after considering approximately 3700 bills and resolutions during the 60-day session. Several privacy-related bills were on the legislative agenda, but few were enacted into law.
Tax Return Data
As highlighted in January, the General Assembly this year continued its efforts to address the growing problem of criminals filing fraudulent tax returns using stolen identities of unsuspecting taxpayers. Last year, Virginia adopted legislation that requires employers and payroll service providers to provide breach notification to the Attorney General of Virginia when those entities experience an unauthorized access or acquisition of unredacted and unencrypted data containing a taxpayer’s identification number and certain payroll information. Virginia Code Ann. § 18.2-186.6(M).
This year, Virginia enacted legislation aimed at imposing certain obligations on state tax return preparers. Tax return preparers are not required to comply with Virginia’s data breach notification statute. However, effective July 1, 2018, Virginia tax return preparers are required to notify the Virginia Department of Taxation:
“without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted return information that compromises the confidentiality of such information maintained by such signing income tax return preparer and that creates a reasonable belief that an [unprotected] version of such information was accessed and acquired by an unauthorized person and that causes, or such preparer reasonably believes has caused or will cause, identity theft or other fraud.” Acts of Assembly, Chapter 283
Additionally, if a breach occurs, the state tax return preparer is required to provide the Department information concerning the taxpayers whose information was accessed or obtained by unauthorized persons and certain information about the preparer. It is estimated that the enactment of this legislation will save Virginia approximately $300,000 by avoiding the issuance of unrecoverable fraudulent refunds.
Other Privacy-Related Legislation
Additional bills related to privacy include (partial listing):
- PASSED: Clarifying that certain student directory information held by institutions of higher education may only be released in limited circumstances in response to Freedom of Information Act requests. HB1
- PASSED: Reduction in the amount a credit reporting agency may charge a consumer to place a security freeze on his credit report from $10 to $5. 1027 SB16
- DEFEATED: Eliminating the ability of a credit reporting agency to charge a consumer a fee to place a security freeze on the consumer’s credit report. HB6; HB86; HB1232; SB18; SB22; (partial listing)
- DEFEATED: Prohibiting companies providing broadband internet access services in the Commonwealth from blocking, throttling, engaging in paid prioritization and interfering or unreasonably disadvantaging a users’ ability to access broadband internet access. The bill also would have limited a broadband service providers’ disclosure of personally identifiable information about consumers to circumstances involving certain court orders, subpoenas or for authorized law-enforcement activities. SB948
- DEFEATED: Limiting state contracts for internet access services only to those services providers that agree to protect certain personally identifiable information and adhere to certain internet neutrality provisions. Proposed to prohibit internet access service providers that provide such service to a public body from blocking, throttling or providing preference to entities that pay for the optimization of data transfer rates. Additionally, the bill proposed to prohibit such service providers from knowingly disclosing personally identifiable information about users unless such disclosure is pursuant to certain court orders, subpoenas or for authorized law-enforcement activities. SB949
- DEFEATED: Requiring consumer reporting agencies to disclose within 15 days a breach of the security of a computerized data system, when such disclosure is required by Virginia’s data breach notification statute, § 18.2-186.6. The bill provides that failure to report is a violation of the Virginia Consumer Protection Act. HB1588
- DEFEATED: Prohibiting state agency employment applications, under certain circumstances, from inquiring whether a prospective employee has been arrested or charged with, or convicted, of any crime (a.k.a. “ban-the-box”). SB252; HB1357
- DEFEATED: Prohibiting a prospective employer (i) from requiring a prospective employee to disclose his wage or salary history or (ii) attempting to obtain such information from the person’s current or previous employers. HB240
- DEFEATED: Allowing the use of drones by law-enforcement without obtaining a warrant under certain circumstances. HB1290
- DEFEATED: Prohibiting a provider of electronic communication or remote computing service from disclosing location data to an investigative or law-enforcement officer except pursuant to a search warrant. HB604
- DEFEATED: Directing a legislative commission to study how local governments report data breaches, identify ways to promote efficient and timely reporting of such breaches by local governments and to develop best practices to assist localities with cyber security. HJ39
Virginia’s approach on privacy issues this past session reflects its approach on most issues – a measured response in response to actual problems. This approach is in contrast to some states enacting policies in anticipation of future issues or without a solid indication of potential harm to consumers. In the case of the security freeze legislation, the enacted bill was in response to a significant data breach last year involving one of the big three credit reporting agencies. With regard to protecting certain student directory information, the General Assembly acted in response to the perceived misuse of such information by political campaigns. Finally, the legislature continued its efforts to address the continuing problem of tax fraud by attempting to cut off avenues for would be identity thieves to file false state income tax returns.
U.S. Senate leaders may be close to reaching an agreement on a legislative proposal that would establish a national data breach notification and security standard (the Data Acquisition and Technology Accountability and Security Act) which would streamline nationwide reporting requirements for businesses. However, there are a plethora of reasons it may not make much progress through Congress this year. The current 49-state, soon to be 50-state, patchwork of breach notification laws that are all different in various meaningful ways makes compliance with a nationwide breach (which is what typically occurs in companies) quite tedious. This proposed federal legislation would set a national standard for securing customer data and reporting data breaches.
Similar legislation has stalled in Congress for nearly a decade, but recent events, including numerous high profile data breaches and other events where data was misused, the EU Parliament’s approval of the General Data Protection Regulation (GDPR) with an enforcement date of May 25, 2018, and California’s proposed ballot initiative on privacy (improving consumers’ rights regarding collection and usage of their data), have catalyzed Congress once more. Last week, senators introduced legislation called Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT Act). The bill requires explicit opt-in consent from users to share, use, or sell any personal information, notification any time data is collected, shared, or used, and new security and breach reporting requirements. The CONSENT Act relies on the Federal Trade Commission to enforce any violations of those new rules.
There are many obstacles to enacting federal data privacy and security legislation, including disputes over preemption of state law, reasonable security standards, penalties, and exemptions. After Republicans took control of the White House and both chambers of Congress last year, federal regulatory activity diminished, and cities and states have stepped in to fill the void. The attorneys general of 31 states are pressing lawmakers to scrap the Data Acquisition and Technology Accountability and Security Act, arguing that it waters down more stringent state laws requiring prompt notification of breaches to consumers. Since South Dakota passed a new law in March, every state but Alabama has data breach laws in effect which require companies to notify consumers when their personal information hacked. And last week Alabama’s governor signed the final state data breach law which goes into effect on May 1, 2018. The attorneys general argue that these state laws have catalyzed greater transparency about data breaches and improved steps companies can take to prevent breaches from occurring again.
In addition to state laws, some cities have taken affirmative steps regarding data security. NYC Mayor de Blasio announced the launch of a cybersecurity initiative, NYC Secure, which is supposed to defend New Yorkers from malicious cyber activity on mobile devices, public Wi-Fi networks, and beyond. The first program is a smartphone protection app which issues warnings to users when suspicious activity is detected on their mobile devices.
Stay tuned to see who wins the state versus federal power struggle over data privacy and security—exciting times are ahead!
Nearly two and a half years following the appeal of the Federal Communications Commission’s (FCC) July 2015 Order, the U.S. Court of Appeals for the District of Columbia issued a ruling on March 16, 2018. On appeal, over a dozen entities sought review of the 2015 Order, in which the FCC interpreted various aspects of the Telephone Consumer Protection Act (TCPA). The appeal addressed four issues: (1) which devices constitute an automatic telephone dialing system (ATDS or “autodialer”); (2) whether a call to a reassigned phone number violates the TCPA; (3) whether the FCC’s approach to revocation was too broad; and (4) whether the FCC’s exemption for certain healthcare related calls was proper.
In short, the court set aside the FCC’s definition of an ATDS and vacated the FCC’s approach to calls placed to reassigned numbers. The court upheld, however, the FCC’s broad approach to a party’s revocation of consent and sustained the scope of the FCC’s exemption for time-sensitive healthcare calls.
The FCC’s 2015 Order held that the analysis of whether equipment constitutes an ATDS is not limited to its present capacities, but also includes its “potential functionalities”—therefore having the apparent effect of encompassing ordinary smartphones. On appeal, the D.C. Circuit concluded that the FCC’s approach could not be sustained in light of the “unchallenged assumption that a call made with a device having the capacity to function as an autodialer can violate the statute even if autodialer features are not used to make the call.” The court reasoned that if a device’s capacity includes functions that could be added through app downloads and software additions, and if smartphone apps can introduce ATDS functionality into the device, then all smartphones would meet the statutory definition of an autodialer—and therefore, the TCPA’s restrictions on autodialer calls “assume an eye popping sweep.” Accordingly, the court found the FCC’s interpretation that all smartphones qualify as autodialers is unreasonably and impermissibly expansive.
Regarding functionality, the FCC identified a basic function of an ATDS as the ability to “dial numbers without human intervention,” but declined to clarify this point, apparently suggesting that a device might still qualify as an autodialer even if it cannot dial numbers without human intervention. The FCC further said that another basic function of an ATDS is to dial thousands of numbers in a short period of time, but the ruling provides no additional guidance on whether that is a necessary, sufficient, or relevant condition, leaving affected parties “in a significant fog of uncertainty.” In addressing these questions, the court found the FCC’s guidance gave no clear answer and in many ways provided contradictory interpretations. The court seemed particularly concerned with the practical implications that the FCC ruling seemingly imposed liability even if a system was not used to randomly or sequentially generate a call list, as “[a]nytime phone numbers are dialed from a set list, the database of numbers must be called in some order—either in a random or some other sequence.” The court set aside the FCC’s ruling on what type of functionality a device must employ to qualify as an autodialer, finding that the FCC could not promote competing interpretations in the same order.
- Reassigned numbers and consent
If a call is made to a consenting party’s number, but that number has been reassigned to a nonconsenting party, the FCC’s 2015 Order stated that this situation violates the TCPA—except in the instance of a one-call safe harbor, which enables a caller to avoid liability for the first call to a wireless number following reassignment. The court found that the FCC’s limitation of the safe harbor to only the first call was arbitrary, questioning why a caller’s “reasonable reliance” on the previous subscriber’s consent necessarily stops being reasonable after there has been only one call, as the first call may give the caller no indication of a possible reassignment. The court set aside the FCC’s treatment of reassigned numbers in its entirety, finding it could not, without consequence, excise the one-call safe harbor, but leave in place the FCC’s interpretation that the “called party” refers to the current subscriber, and not the intended recipient. This, the court found, would mean a caller is strictly liable for all calls made to the reassigned number, even without knowledge of the reassignment.
- Revocation of consent
The FCC, in declining to unilaterally prescribe the exclusive means for consumers to revoke their consent, instead concluded that a called party may revoke consent at any time and through any reasonable means that clearly expresses a desire to receive further messages. In upholding the FCC’s approach to revocation, the court found that the FCC’s ruling absolves callers of any responsibility to adopt a system that would entail undue burdens, like training every retail employee on the “finer points of revocation.” And, under this approach, callers have every incentive to avoid TCPA liability by making available clearly-defined and easy-to-use opt-out methods, therefore making a call recipient’s unconventional and idiosyncratic revocation requests unreasonable. Finally, the court concluded that nothing in the 2015 Order “should be understood to speak to the parties’ ability to agree upon revocation procedures”—thereby leaving open the possibility of contractually specified revocation methods.
- Healthcare-related exemption
The final challenge concerns the scope of the FCC’s exemption of certain healthcare related calls from the TCPA’s prior-consent requirement for calls to wireless numbers. The exemption is limited to calls that have a healthcare treatment purpose, and excludes calls related to telemarketing, solicitation, or advertising. The court rejected the argument that any partial exemption of healthcare related communications is unlawful because HIPAA supersedes any TCPA prohibition, finding that the two statutes provide separate protections and, therefore, there is no obstacle to complying with both. Moreover, the court found that the FCC did not act arbitrarily in affording a narrower exemption for healthcare related calls made to wireless callers, finding that the TCPA assumes the fact that residential and wireless numbers warrant different treatment. Finally, the court rejected the argument that the FCC erred in failing to recognize that all healthcare related calls satisfy the TCPA’s “emergency purposes” exception to the consent requirement, reasoning that it is implausible to conclude that calls related to telemarketing, solicitation, or advertising are made for emergency purposes. Therefore, the court upheld the way in which the FCC narrowly fashioned the exemption for healthcare related calls.
Without question, the long-awaited ruling will significantly impact TCPA compliance and litigation. Stay tuned for additional analysis on the impact of the D.C. Circuit’s ruling.