Two weeks ago we wrote about proposed legislation, The COVID-19 Consumer Data Protection Act of 2020 (“CCDPA”), introduced by a group of senior Republican senators, which was designed to address privacy issues arising in the wake of the COVID-19 pandemic.  In response, senior Democratic members of the Senate and House of Representatives introduced their own framework for protecting the privacy of individuals in light of the development of tools for tracking and containing the spread of the virus.

The Public Health Emergency Privacy Act

Senators Richard Blumenthal (D-CT) (Ranking Member of the Senate Commerce Committee’s Manufacturing, Trade and Consumer Protection Subcommittee) and Mark Warner (D-VA) (Vice Chairman of the Senate Intelligence Committee) lead a bicameral group of 10 lawmakers on a Democratic version of federal consumer privacy legislation as it relates to the coronavirus pandemic.  The Public Health Emergency Privacy Act (the “PHEPA”), introduced on May 14, seeks to give individuals protection and control over their covered health data by adopting an express affirmative consent regime, along with enumerated requirements for businesses. For a helpful summary of the key similarities and differences between the PHEPA and the CCDPA, please see the Chamber Technology Engagement Center’s (C_TEC) COVID-19 Privacy Bill Comparison Chart.


Continue Reading Privacy vs. Containment, Part 2: The Democratic Answer to a Framework for Federal Privacy Legislation on COVID-19

Since the outbreak of COVID-19, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued various notifications of enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, discussed previously. However, OCR issued guidance on May 5, 2020, reminding covered healthcare providers that the HIPAA Privacy Rule remains in force during the COVID-19 public health crisis except as expressly relaxed under OCR’s prior guidance. Specifically, OCR’s most recent guidance addresses the disclosure of patient protected health information (PHI) to the media by allowing the media to film patients in facilities where PHI is accessible.

Continue Reading OCR Warns Providers and Media: Patient Privacy Remains Protected Despite Pandemic

As the federal, state, and local governments and industry grapple with how to respond to and prevent the spread of COVID-19, a group of senior Republican senators recently announced consumer privacy legislation designed to protect personal “covered data” collected from consumers relating to personal health, geolocation, and proximity. The proposed legislation is a response to contact tracing solutions aimed at tracking the virus and those who may have been exposed to it.

The COVID-19 Consumer Data Protection Act of 2020

Senate Commerce Committee Chairman Roger Wicker (R-MS), Communications, Technology, Innovation, and the Internet Subcommittee Chairman John Thune (R-SD), Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee Chairman Jerry Moran (R-KS), and Senator Marsha Blackburn (R-TN), who sits on both the Commerce and Judiciary Committees, introduced the COVID-19 Consumer Data Protection Act of 2020 (the “Act”) on May 7. According to the sponsors, the legislation is intended to provide consumers more transparency, choice, and control over the collection and use of their personal data, and to hold businesses accountable to consumers if these businesses use personal COVID-19-related data for purposes unrelated to the pandemic. As Subcommittee Chairman Moran stated, “while many businesses have taken well-intentioned steps to develop technological solutions to tracking, containing and ending the COVID-19 pandemic, Congress must address potentially harmful practices that could stem from these innovations if not held accountable.”


Continue Reading Privacy vs. Containment: Federal Privacy Legislation Meets COVID-19

The COVID-19 pandemic has impacted nearly every facet of society in unpredictable ways, and the laws and regulations governing calls and text messages are no exception. The Federal Communications Commission (FCC) issued a recent declaratory ruling clarifying when calls and text messages relating to COVID-19 are permissible under the TCPA’s “emergency purposes” exception, but most businesses will not be able to rely on that exception. In certain states, COVID-19 state-of-emergency declarations have triggered widespread restrictions on telemarketing. In non-COVID-19 news, debate continues over what constitutes an “automatic telephone dialing system” (ATDS) under the TCPA, and — in a surprising turn of events — the 2nd U.S. Circuit Court of Appeals has joined the 9th Circuit in adopting a broad definition.


Continue Reading Most COVID-19 Calls Are Not an “Emergency Purpose,” and Other Unexpected Developments

Due to the COVID-19 pandemic, 42 states, Puerto Rico and the District of Columbia have adopted shelter-in-place or similar orders. As a result, more employees than ever before are working from home. This sudden increase in telework has created new challenges for employers, including balancing the need to protect their trade secrets and confidential information, with the need to ensure that employees can work effectively from home. This article discusses the unique risks to trade secret protection created by telework arrangements and suggests ways employers can mitigate those risks.

Continue Reading Protecting Business Information During the COVID-19 Pandemic

The global coronavirus pandemic continues on, and the cyberattacks and scams continue to multiply.  In the midst of the pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed at infecting computers with malware or obtaining sensitive, personal information.  Below are some of the latest examples of attacks and vulnerabilities to be aware of:

Continue Reading Update: Coronavirus Cyberscams and Other Attacks – Scammers Are Still at It

While businesses grapple with the COVID-19 crisis, data privacy and data security regulation remains a pressing concern.  Some significant state laws regarding data privacy and security have gone into effect in 2020, such as the California Consumer Privacy Act (“CCPA”) (effective January 1, 2020) and the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) (effective March 21, 2020).  Regulator expectations for compliance with these new legal requirements seem immune from the virus that has placed strains on business operations and employees responsible for understanding and operationalizing new business processes to comply with these new legal requirements.

As resources are strained and employee focus is diverted to the evolving and unforeseen business demands in addressing COVID-19, the need for focus on data privacy and security appears even greater.  Read on for three data security and privacy recommendations when handling COVID-19 related disruptions to business.


Continue Reading Three Cybersecurity and Privacy Recommendations When Navigating COVID-19

COVID-19 is delaying just about everything these days—except the CCPA.

In letters submitted on March 17 and March 20, a coalition of nearly sixty business and organizations called on California Attorney General Xavier Becerra to temporarily defer CCPA enforcement by six months to January 2, 2021 due to COVID-19. The coalition, which spans a range of industries including tech, telecommunications, advertising, retail, insurance, transportation and real estate, argued that a deferral of enforcement would allow businesses to prioritize the needs of their workforce during the global pandemic. The coalition also pointed to the still-changing nature of the CCPA’s regulations as grounds for a temporary enforcement hiatus, contending that businesses need time to implement the final CCPA requirements.


Continue Reading California Attorney General: CCPA Enforcement on Schedule Despite COVID-19

Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.

Continue Reading HHS Limited Waiver and Guidance on HIPAA and the Privacy Rule During COVID-19 Pandemic

In the midst of the coronavirus pandemic, hackers are capitalizing on fears surrounding the outbreak by crafting COVID-19-themed attacks aimed to infect computers with malware or obtain sensitive, personal information.

For example, readers may be familiar with a popular interactive dashboard created by Johns Hopkins University using real-time data from the World Health Organization to track the spread of the virus. It has become a go-to source for many wishing to stay up to date on the virus. Recently hackers have circulated links via social media, email attachments and online advertisements to malicious websites that are disguised as the university’s COVID-19 map. However, the deceptive links open an applet that, when installed, infect the device with malware designed to steal personal data such as login credentials, banking information and other sensitive data. To ensure you are accessing the “real” COVID-19 map, directly access it through Johns Hopkins’ official home page, rather than clicking any unidentified links or searching the internet.


Continue Reading Coronavirus Cyber Scams: Outbreak Map Used to Spread Malware and Cyber Attack Experienced by the HHS