As we discussed in Part I, the United States does not have a single, comprehensive federal law governing biometric data.  However, we have recently seen an increasing number of states focusing on this issue.  Part I summarized legislative activity on this issue in 2020.  In this Part II, we discuss noteworthy legislation to monitor in 2021.

What to Expect in 2021

At least two states—New York and Maryland—have already introduced biometrics legislation in this first month of 2021.

New York – AB 27

On January 6, 2021, the New York Assembly introduced the Biometric Privacy Act (BPA), a New York state biometric law aimed at regulating businesses handling biometric data.  BPA will prohibit businesses from collecting biometric identifiers or information without first receiving informed consent from the individual, prohibit profiting from the data, and will require a publicly available written retention and destruction policy.  As proposed, the statute contains a private right of action; and if passed, it will permit consumers to sue businesses for improperly collecting and using their biometric data.  The statute follows Illinois’s BIPA, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.


Continue Reading U.S. Biometrics Laws Part II: What to Expect in 2021

Data privacy laws have made significant breakthroughs in recent years, making it a top priority for businesses.  From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.

Specific biometric privacy laws, in particular however, are often overshadowed by more general data privacy laws.  As we discussed in our prior article, biometrics are physical and behavioral human characteristics (i.e., face, eye, fingerprint, and voice features) that can be used to digitally identify a person.  As the collection and use of biometric data become more common in daily life and its applications in different industries continue to expand, new privacy considerations will emerge in this field.  Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.

The United States does not have a single, comprehensive federal law governing biometric data.  Recently, we have seen an increasing number of individual states focus on this issue, and the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data.  In Part I, we summarize some of the legislative activity on biometric laws from 2020.  We will describe other noteworthy legislation to monitor for 2021 in Part II.


Continue Reading U.S. Biometrics Laws Part I: An Overview of 2020

Data privacy is a top concern for many in-house legal professionals – and for good reason – data privacy and cybersecurity legal requirements are complex and continually evolving. Data Privacy Day is a great day to start addressing your organization’s data privacy and cybersecurity needs.

On Data Privacy Day 2021, here is what is top of mind for some of our Data Privacy & Security Team members:

  • Andrew Konia – A Federal Privacy Law: “Calls (pleas?) for federal privacy legislation are nothing new, and last year we came close, with both parties presenting draft bills for consideration (surprise, neither passed!).  But now, with the White House and both chambers of Congress under Democratic control, there appears to be renewed (and more serious) interest in a federal privacy law. We have seen (admittedly narrow) hints of the federal government taking a stronger stance on cybersecurity standards with the IoT Cybersecurity Improvement Act of 2020, which applies to federal agency purchases. But you take the recent and intense backlash on “Big Tech’s” use/sharing of data and perceived lack of data transparency, and mix in the Biden Administration’s prioritization of consumer protection generally, and you have the recipe – and a strong political appetite – for a comprehensive federal privacy law.”
  • Bethany Lukitsch – California: “CPRA will be here before we know it, and most companies are going to have a lot to do to get ready. Updating privacy policies and adding ‘do-not-share’ links are one thing, but as with CCPA, it’s the behind-the-scenes work that is really going to take some time.  It’s certainly not too early to get started.”


Continue Reading Data Privacy Day 2021: Privacy and Cybersecurity Are On Our Minds, Too

Healthcare providers and other covered entities are not required by HIPAA regulations to have “bulletproof” protections for safeguarding patient information stored in electronic form, according to a January 14, 2021 decision of the 5th U.S. Circuit Court of Appeals. In University of Texas M.D. Anderson v. U.S. Department of Health and Human Services, the 5th Circuit vacated a $4.3 million civil monetary penalty imposed by the U.S. Department of Health and Human Services (HHS) against the University of Texas’ M.D. Anderson Cancer Center.

The case arises from three separate incidents where M.D. Anderson employees lost laptops and USB thumb drives that contained unencrypted protected health information (PHI) for more than 34,000 patients. M.D. Anderson reported the breach incidents to HHS’ Office for Civil Rights (OCR), the office tasked with enforcing HIPAA. As a result of the reported breaches, OCR ordered M.D. Anderson to pay $4.3 million in civil monetary penalties (CMPs). M.D. Anderson appealed the decision to an HHS administrative law judge and to the HHS Departmental Appeals Board (DAB), both of which upheld OCR’s penalties. M.D. Anderson argued that the HIPAA regulations do not require encryption, that it complied with the regulations and employed other effective measures to safeguard electronic protected health information (ePHI), that the three incidents were the fault of staff who violated M.D. Anderson’s policies, and that the proposed CMPs were excessive.


Continue Reading 5th Circuit Weakens HHS’ Ability to Enforce HIPAA Safeguards

The end of the Brexit transition period on 31 December 2020 means the UK now has full autonomy over its data protection policies. As of 1 January 2021 the UK is recognised as a ‘third country’ under EU General Data Protection Regulation (GDPR) rules. The EU-UK Trade and Cooperation Agreement, which is an agreement in principle between the EU and UK, does not yet include a provision for the vast flow of personal data being transferred between the two jurisdictions. The transfer of personal data will be subject to a separate adequacy decision from the EU due in early 2021. This separate adequacy decision will determine whether the EU will allow the ongoing free flow of data from EU/EEA countries to the UK. If an adequacy decision is not granted, then organizations who transfer personal data from the EU/EEA to the UK will have to take additional steps to ensure data being transferred is provided equivalent protections to those under the EEA. The UK has already determined that it considers all EEA/ EU states to be adequate which means that personal data flows from the UK to the EU/EEA will remain unaffected.

Continue Reading The Status of EU–UK Data Flows Following Brexit

In Part II of this series, California-based Ali Baiardo, and London-based Alice O’Donovan, continue their comparison of the GDPR and California privacy law. To view Part I in the series, click here.

NEW DATA PROTECTION PRINCIPLES AND OBLIGATIONS ON BUSINESSES

a. Key data protection principles

The GDPR revolves around seven key data protection principles:

  1. Lawfulness, fairness and transparency;
  2. Purpose limitation;
  3. Data minimisation;
  4. Accuracy;
  5. Storage limitation;
  6. Integrity and confidentiality (security); and
  7. Accountability


Continue Reading California Privacy Rights Act: A Move Closer to GDPR? Part II

The November 2020 election left a lot of questions.  Among them, companies doing business in California are now asking about compliance with yet another California data privacy law, this time the California Privacy Rights and Enforcement Act of 2020 (the “CPRA”).  This article gives an overview addressing the what, when, and how of the CPRA.  (We won’t hazard a guess as to the why—we leave that to the backers of the new law.)

What is the CPRA?

The CPRA builds on the California Consumer Privacy Act of 2018 (the “CCPA”) in a number of key ways.  It includes: new consumer rights, new requirements for businesses, and a number of other miscellaneous changes.  Some parts of the CCPA will remain in effect, and others are rephrased or clarified.  We provide below a high-level overview of topics we believe businesses should be thinking about now as they look ahead to building-out their CPRA compliance programs.


Continue Reading You’re CCPA Compliant. So Now What? Top Tips for Companies Looking Ahead to the Recently-Passed CPRA

On July 21, the New York Department of Financial Services (NYDFS) filed charges against First American Title Insurance Company (First American) for violating multiple sections of the New York Cybersecurity Regulation,  23 NYCRR 500.00, et seq.  The significance of the NYDFS enforcement action cannot be overemphasized.  This is the first action filed under the Cybersecurity Regulation, signaling a more aggressive enforcement stance by the regulator.  The good news is the filings provide important guidance on best practices and red flags to avoid agency sanctions.

The NYDFS Statement of Charges alleges that First American knowingly exposed tens of millions of documents containing consumer sensitive personal information (e.g., bank account numbers, bank statements, mortgage records, Social Security numbers, wire transaction receipts, drivers’ license images, etc.). The charges further allege that for almost 5 years (from October 2014 through May 2019) these records were available on First American’s public-facing website to anyone with a web browser.  The fact that First American failed to remediate the vulnerability, even after it was discovered by a penetration test in December 2018, was particularly troublesome for the regulators.  The charges state that, “Remarkably, [First American] allowed unfettered access to the personal and financial data of millions of its customers for six more months. . .”   Clearly, the NYDFS found this treatment of sensitive consumer data unconscionable and that First American demonstrated a total disregard for the Cyber Regulations.


Continue Reading NYDFS State of Mind: Regulator Focus and Enforcement Trends

Artificial intelligence (AI) refers to the ability of a computer or a computer-enabled robotic system to process information and produce outcomes in a manner similar to the thought processes of humans in learning, decision making and problem solving.  As a result of rapid advances in AI, pre-pandemic, McKinsey Global Institute estimated that between 75 and 375 million people around the world will need to change jobs or acquire new skills by 2030.  AI both holds promise of innovation and disruption, as does the legal framework that is developing to rein in its risks without hindering its progress.

In May 2019, the US Government joined the OECD (Organisation for Economic Co-operation and Development) in setting forth principles to improve the innovation and trustworthy development and application of AI.  At the same time, the bipartisan Artificial Intelligence Initiative Act (AIIA) was introduced in the US Senate to organize a national strategy for developing AI and provide a $2.2 billion federal investment over five years to build an AI-ready workforce, accelerating the delivery of AI applications from government agencies, academia, and the private sector over the next 10 years.


Continue Reading The Evolving World of AI

On March 11th, 2020, Virginia Governor Northam signed the Insurance Data Security Act (the “Act”) — HB 1334 — imposing requirements on all entities regulated by the Virginia Bureau of Insurance (“BOI” or the “Bureau”) to:

  • maintain an information security program,
  • investigate all cybersecurity events,
  • notify the Commissioner of Insurance of cybersecurity events, and
  • notify consumers affected by cybersecurity events.


Continue Reading The Virginia Insurance Data Security Act – What You Need to Know