Alston & Bird Consumer Finance Blog

Privacy and Cybersecurity

California Privacy Rights Act (CPRA) Will be on November Ballot

The California Secretary of State has announced that the California Privacy Rights Act (CPRA) will be on California’s November 3, 2020 ballot.  If approved by California voters, the CPRA would significantly update and amend the California Consumer Privacy Act (CCPA) that went into effect at the beginning of this year.  The organization that submitted the CPRA for inclusion on the ballot has stated its polling shows 88% of Californians would support a ballot measure expanding privacy protections.

We published a summary of the CPRA’s key business impacts here.  The most recent version of the CPRA can be viewed and downloaded here.

As a ballot initiative, the CPRA could only be placed on California’s November ballot if a sufficient number of signatures of registered voters were collected and validated.  Until last night, the California Secretary of State was still working with California counties to determine whether Alastair Mactaggart’s organization – which submitted the CPRA for placement on the ballot – had collected sufficient qualifying signatures.  As we reported, Mactaggart had petitioned California courts to compel the placement of the CPRA on this year’s California ballots.  The Secretary of State’s announcement confirms the CPRA will be voted on this year.

Proposed Federal Privacy Legislation Tackles COVID-19 Data

Data collection and analysis are becoming a key weapon in the fight against COVID-19, both here in the United States and around the globe.  But as governments and tech companies roll out a variety of applications and contact tracing tools, legislators from both sides of the political aisle are questioning how to handle the data being collected, analyzed, and shared. The following is a short summary of two recently proposed pieces of federal legislation.

The COVID-19 Consumer Data Protection Act

On May 7, 2020, a group of Republicans introduced the COVID-19 Consumer Data Protection Act of 2020 (“CCDPA”).  Assigned to the Senate Committee on Commerce, Science, and Transportation, the CCDPA has several key features.

What The CCDPA Covers:
  • It applies to a wide range of organizations, including businesses under the Federal Trade Commission’s jurisdiction as well as non-profits and common carriers (“covered entities”).
  • It covers a variety of types of data, including geolocation data, proximity data, persistent identifiers such as IP addresses or device IDs, and personal health information (“covered data”).
  • It covers certain purposes or use cases, including the collection, processing, or transfer of covered data to (1) track the spread, symptoms, or signs of COVID-19; (2) measure compliance with social distancing guidelines; and (3) conduct contact tracing (“covered purposes”).
  • It does not cover, among other things, data that is already protected by HIPAA and data collected by employers to determine whether employees may enter a physical location.

What The CCDPA Requires:

It makes it unlawful for a covered entity to collect, use, or transfer covered data for a covered purpose unless three requirements are met:

  1. Individuals receive notice prior to collection, use, or transfer of the data;
  2. Individuals give affirmative express consent; and
  3. The covered entity publicly commits to not collect, use, or transfer the data for any purpose.

The CCDPA also requires covered entities to update their privacy policies, to use reasonable security to protect the covered data, to use principles of data minimization, to provide an opt-out mechanism for individuals who previously consented, and to delete the data when it is no longer needed for the covered purposes.

Who Enforces The CCDPA:

The CCDPA does not include a private right of action and would be enforced by either the Federal Trade Commission or state attorneys general.

The Public Health Emergency Privacy Act

On May 14, 2020, members of the House and Senate introduced the Public Health Emergency Privacy Act (“PHEPA”).  PHEPA has been referred to the House Energy and Commerce Committee as well as the Senate Health, Education, Labor and Pensions Committee.

What The PHEPA Covers:

Generally speaking, PHEPA would apply to certain entities that collect “emergency health data” (“EHD”).  Importantly, “EHD” means (in brief) data that concerns the COVID-19 public health emergency, which means the “outbreak and public health response pertaining to [COVID-19], associated with the emergency declared” by HHS in January of 2020, and “any renewals” or “subsequent declarations…related to the coronavirus.”

What The PHEPA Requires:

The PHEPA imposes restrictions and compliance obligations similar to those set forth in the CCDPA.  It limits the permissible purposes for collecting, using, and disclosing EHD; requires reasonable safeguards to prevent unlawful discrimination based on EHD; requires reasonable security to protect EHD; requires reasonable measures to ensure EHD accuracy and a mechanism to correct inaccuracies; requires certain privacy policy disclosures and, if an organization has collected data of at least 100,000 individuals, certain additional disclosures every 90 days; and requires deletion of EHD upon the occurrence of specified events.  The PHEPA generally also requires affirmative express consent prior to the collection, use, or disclosure of EHD (subject to limited exceptions) and requires a mechanism for individuals to revoke consent.

Who Enforces the PHEPA:

PHEPA would not preempt or supersede any requirements or authorizations under applicable federal or state laws and contemplates rulemaking by the FTC regarding EHD collected prior to the law’s enactment.  PHEPA expressly does not apply to a covered entity or business associate under HIPAA, though PHEPA directs HHS to promulgate guidance on the applicability of similar requirements.

In addition to rulemaking authority, the FTC would have the authority to enforce the law, along with state attorneys general.

Unlike the CCDPA, the PHEPA provides a private right of action for violations that constitute a concrete and particularized injury in fact to the individual.

The PHEPA Applies To The Government, Not Just Private Entities

Unlike the CCDPA, the PHEPA is not limited to private entities and would also regulate some governmental use, collection, and disclosure of EHD.

PHEPA also includes provisions focused on protecting voters’ rights.  It prohibits government entities from denying, restricting, or interfering with (or attempting to do so), or retaliating against someone for, voting in an election, on the basis of EHD, an individual’s medical condition, or participation or non-participation in a program to collect EHD.  PHEPA also prohibits covered organizations from knowingly facilitating such activities.

Six Practical Tips for Practicing Cyberhygiene in the Middle of a Global Pandemic

Businesses large and small are encouraging (or requiring) employees to work remotely or cancel work travel as part of the response to COVID-19. But suddenly expanding the number of employees working remotely comes with increased cybersecurity and information technology risks. A cybercriminal (including malicious insiders) will have a target-rich environment during this time since more devices will be used for company business and more company data will be sent, located, or stored outside the protections of the company infrastructure and activity logging. It will also be easier for devices to be lost, stolen, or compromised, particularly if employees are not familiar with company policies on how to securely work from home. Information Security and IT teams should consider the following practical tips as they prepare for these risks.

1. Prepare for a Strain on Existing Resources

Increasing the number of remote employees increases the number of people or devices using your remote access resources, such as virtual desktop environments and virtual private networks. Continue to actively monitor these resources to ensure that they are properly updated and resourced (bandwidth, computing power, and storage capacity). This is a unique opportunity to fully test your infrastructure and remote capabilities. Also, companies may want to reevaluate how employees will be authenticated when connecting remotely. Utilizing multifactor authentication should be the goal. The Department of Homeland Security’s recent alert on enterprise VPN security may also be a useful resource here.

Consider also expanding your help desk staffing. More employees working from home will likely result in increased calls for IT support since these employees may have connectivity or other technical issues in a remote environment. Similarly, some employees may be forced to use personal devices during this period. It will be important to have help desk staff and software resources available to ensure that antivirus software can be downloaded to personal devices and that the devices are encrypted.

2. Review and Update Business Continuity, Disaster Recovery, and Incident Response Plans

The coronavirus pandemic is unlikely to directly impact your IT infrastructure. However, it is possible that a severe outbreak will impact the availability of personnel assigned to monitor or use that infrastructure. Companies should review their business continuity and disaster recovery plans (with their related IT and Security roles and responsibilities) to ensure they appropriately cover scenarios that might arise if multiple key personnel are ill or incapacitated. Similarly, if you use Managed Security Service Providers or other security vendors for critical parts of your program, you should verify that those vendors have similar plans, redundancies, and current capacity to help (you may want to verify and secure this help now while we are still in the early stages of this crisis). Ultimately, this is the perfect opportunity to ensure that all key players have recently reviewed these plans, there is necessary expertise redundancy, and staff have engaged in tabletop simulations relating to business continuity.

Companies should also consider conducting a similar assessment for their incident response plans as well as their cyber insurance, crime fraud, technical E&O, or network interruption policies. Such policies or plans may need to be revised to include backup personnel if key personnel such as a CTO, CISO, or privacy officer are incapacitated or otherwise unavailable. Also, you may want to consider cross-training appropriate personnel in all aspects of the incident response, reporting, and claims process, including the location of core documents and notice templates that would be used in an incident. If you have not already, consider what key elements of your incident response plan could be reduced to a diagrammed flow for your team to have in front of them in a crisis.

3. Warn Employees of the Security Risks of Working from Home

In times of crisis, increased work, or nonstandard work routines, personnel are more likely to forget to use recommended cybersecurity practices, but warning them now may help with security awareness during unfamiliar times. This will be particularly true for mission-critical services since employees may feel pressure to forgo security to get work done. All employees should be reminded of the corporate resources that are available, such as cloud storage or other applications, the need for increased vigilance, and the following basic security principles:

  • Secure home wireless networks with strong passwords and avoid using unsecured public networks when possible. If using an unsecured public network, be on the lookout for any certificate errors or warnings that a site may be misconfigured.
  • Do not use personal devices for work without prior approval because these may lack the security controls that protect work devices.
  • Do not use personal email or cloud storage accounts to transfer or store business information.
  • Avoid downloading or printing sensitive information from email or other IT services to personal computers or other personal devices even if authorized to use the device for work purposes. If you must download data to personal devices, confirm with IT help desk staff that antivirus software is installed on your device and that it is properly encrypted.
  • Practice good physical document management by only taking documents offsite if necessary and ensuring all materials are returned to the office for proper destruction.

4. Be Wary of Scams and Phishing Attacks

Scammers and cyber threat actors have always followed the headlines, using the public’s heightened fear and desire for information or solutions as leverage to gain access to systems, data, and money. The current pandemic is no different. There are reports of schemes in which malicious actors steal credentials from remote workers by supposedly offering updated company guidance on the COVID-19 response. And cyber researchers recently discovered a website hosting a map of COVID-19 cases on a global scale that contained hidden code that could steal usernames, passwords, credit card numbers, and other data stored in the user’s browser. While the Food and Drug Administration (FDA) and Federal Trade Commission (FTC) are working to crack down on phony COVID-19 cures and requests for “donations” from fake charities, employees must be on the lookout for scams and phishing attacks. All employees should be reminded of the following recommended practices:

  • Be careful opening attachments and links from untrusted or unknown sources. Phishing or other malicious emails can easily be disguised as alerts about COVID-19.
  • Try to use only trusted sources, for example, the CDC’s official COVID-19 website, for receiving up-to-date information about the outbreak.
  • Never respond to emails or phone calls asking for personal or financial information, usernames, or passwords.
  • Be careful making donations and reject any request for donations in cash, by gift card, or by wiring money.

This is also an excellent opportunity to remind employees of how to report security incidents within the company. Consider creating a short checklist for all employees detailing tips for how to detect suspicious activity, and what to do and who to contact if they believe they have been the victim of a security incident, scam, or phishing attack.

Additional resources from the FTC and U.S. Office of Personnel Management on working remotely and how to avoid scams and phishing attacks can be found here and here.

5. Be Aware of Applicable Industry-Specific Guidelines

Some heavily regulated industries (e.g., banking, financial services, and health) will have additional considerations at play. For example, FINRA has just released guidance that addresses telework arrangements, with a section specifically related to the cybersecurity risks posed by those arrangements. Additional commentary on this guidance can be found here. Similarly, HIPAA covered entities and business associates may face an increased risk of violating the HIPAA Privacy and Security Rules. Best practices on how to address these risks and other HIPAA-specific guidance can be found here.

6. If Security Exceptions Must Occur Temporarily, Take Steps to Document Them

Your company may have no choice but to make security exceptions to get work done, especially if your industry is on the front lines of this crisis (e.g., health care and necessities supply chains). If this is the case, take steps to ensure that Security and IT document any security exceptions made so the company can resume its full security measures once volumes return to normal. If security exceptions are not documented, there is the potential for these items to be forgotten once the crisis passes.

Alston & Bird has formed a multidisciplinary task force to advise clients on the business and legal implications of the coronavirus (COVID-19). You can view all our work on the coronavirus across industries and subscribe to our future webinars and advisories.

High Profile Settlements, Strengthened Data Security Orders, and COPPA: The FTC’s 2019 Privacy and Data Security Update

A&B ABstract

Each year the Federal Trade Commission (the “FTC” or “Commission”) publishes a report on its activities with respect to consumer privacy and data security during the prior year.  On February 25, 2020, the Commission released its 2019 Privacy and Data Security Update. The update contains a summary of the FTC’s enforcement, advocacy, and rulemaking actions as well as its activities with respect to its privacy and security-related workshops, consumer education and business guidance, and international engagement.  The update is a useful way to see what the FTC focused on in the prior year and where to expect continued interest. Some highlights from the update are provided below.

Discussion

In the enforcement space, the FTC update spotlights its two most high-profile settlements to date: Facebook and Equifax.  First, in July 2019 the FTC and the Department of Justice announced a joint settlement with Facebook based on allegations that the company’s misrepresentations and consumer privacy failures violated its 2012 order.  The 2019 settlement order imposed a record-setting $5 billion penalty and included a number of provisions designed to change Facebook’s overall approach to privacy.  The settlement is currently pending approval by the United States District Court for the District of Columbia. Also in July 2019, the FTC announced a settlement with Equifax for alleged data security violations, including Gramm-Leach-Bliley Act violations, that affected 147 million people.  The settlement included a payment of up to $700 million to help consumers affected by the breach and was part of a global resolution with a consumer class action, the Consumer Financial Protection Bureau, and 50 states and territories.

Data Security Orders

The FTC’s enforcement actions over the past year with respect to data security incidents also highlight the Commission’s efforts to strengthen its data security orders, including through increased specificity, increased accountability of third-party assessors, and improved corporate governance on data security issues.  Each category of improvement is reflected in seven data security orders issued by the FTC over the past year against companies in a range of industries: ClixSense (pay-to-click survey company), i-Dressup (online games for kids), DealerBuilt (car dealer software provider), D-Link (Internet-connected routers and cameras), Equifax (credit bureau), Retina-X (monitoring app), and InfoTrax (service provider for multilevel marketers).

COPPA

The FTC’s update also makes clear the FTC’s continued focus on the Children’s Online Privacy Protection Act (“COPPA”) in 2019 and beyond.  In September 2019, the FTC and the New York Attorney General settled with Google and its subsidiary YouTube over allegations that they collected personal information, including in the form of persistent identifiers, from viewers of child-directed channels without first notifying parents and getting their consent.  The $170 million judgment is the largest civil penalty under COPPA. In 2019 the FTC also settled charges against Musical.ly, now known as TikTok, for $5.7 million for illegally collecting personal information from children on a child-directed app.  The FTC also announced it was seeking comments on the effectiveness of the 2013 amendments to the COPPA Rule and hosted a workshop in October 2019 to discuss whether additional changes are needed.

Other Concerns

The FTC update describes other areas of focus, including credit reporting and financial privacy, Do Not Call and telemarketing, and international enforcement. You can read the entire update here.

The Updated CCPA Regulations: Alston & Bird Detail the 30 Key Business Impacts

On February 7, California Attorney General Xavier Becerra released updated regulations to the California Consumer Privacy Act (CCPA).  The updates contain a number of material modifications to the initial CCPA regulations that AG Becerra’s office released in October 2019.

Alston & Bird has compiled a privacy briefing summarizing the 30 key modifications to the Regulations that potentially impact businesses. These include modifications to rules regarding:

  • Notices companies must provide (there are new types!);
  • How companies must intake and process consumer requests to access or delete data;
  • “Do Not Sell My Info” requests;
  • How B2B service providers can use customer data; and
  • Data-mediated financial incentive programs.

To read the full Privacy Briefing on the Updated Regulations, click here.

For further information, contact Kathleen Benway, David Keating, Amy Mushahwar, or Daniel Felz.