Data Privacy
Subscribe to Data Privacy's Posts

Data Protection During and After the Pandemic: Consolidate, Update and Innovate

Having adapted products, processes, services, facilities and IT systems in response to Coronavirus (COVID-19), businesses should now refocus on their legal and business fundamentals as they move towards returning to the office. Compliance policies should be updated, Brexit contingency plans reinvigorated, and upcoming legal and regulatory changes anticipated.

While taking these steps, businesses should bear in mind a number of key data protection and IT/cybersecurity fundamentals, and take the opportunities afforded by the return to work period to kick-start new initiatives.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.

 




Brazil’s LGPD Takes Effect—With Early Enforcement

Brazil represents over half of all IT spend in Latin America, has the largest regional market for software outsourcing, employs a sizable IT workforce, manufactures consumer goods (including commercial airplanes and cars) and has an active consumer market of social media operated by global data aggregators. At a time when data privacy is becoming increasingly important to consumers, it seems only fitting that Brazil would adopt comprehensive privacy legislation to protect data privacy rights.

The General Data Protection Law, the first law of its kind in Brazil, is now in effect, and we are already seeing enforcement. Streamlining the legal framework on data protection, the law sets forth a number of requirements addressing legal bases for processing, individual rights, governance and accountability and data transfers.

Access the article.




The Uncertain “State” of US Data Protection Law: California Leads the Way

The California Consumer Privacy Act of 2018 (CCPA), which took effect this year, introduced a complicated data protection framework for the personal information of California residents, imposing a variety of new obligations on affected businesses. Although the interpretation of many of the CCPA’s provisions remains unsettled—and proposed regulations are still pending— the CCPA’s original architects have already advanced another proposed law, the California Privacy Rights Act (CPRA), which will be decided in a statewide referendum this November. If enacted, the CPRA would substantially amend the CCPA, granting consumers additional rights and imposing further liability on businesses.

Whether or not it passes, the proposed CPRA highlights the fluid state of the US legal environment for data protection, which has left businesses around the world struggling to account for the uncertain risks and compliance costs posed by these developments.

It did not have to be this way. The developments in California are due in part to the failure of the US Congress to enact comprehensive federal data protection legislation. Despite widespread support, compromise on a federal standard remains elusive, with legislators unable to agree on critical questions, such as whether or not the law will pre-empt state laws like the CCPA.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.




Privacy Considerations for COVID-19 Digital Contact Tracing

Generally, contact tracing refers to an effort by public health officials to identify individuals with whom a patient who has tested positive for an infectious disease has been in close proximity. Public health officials will inform these individuals that they were exposed to a contagious patient and encourage them to monitor their symptoms and quarantine for a period of time.

In response to COVID-19, governments around the world have explored using digital contact tracing, by which smartphone users download an application (app) to enable public health officials to track infected individuals’ contacts. In addition, private sector companies are exploring how digital technologies can be used for contact tracing on employees as they reenter the workplace.

(more…)




Uber Criminal Complaint Raises the Stakes for Breach Response

On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber’s former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence.

At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber’s response was to attempt to recast the breach as a legitimate event under Uber’s “bug bounty” program and pay a bounty. An affidavit submitted with the complaint portrays a detailed story of deliberate steps undertaken by Mr. Sullivan to allegedly conceal the 2016 breach from the FTC, law enforcement and the public.

Contemporaneous with the filing of the complaint, the Department of Justice (DOJ) submitted a press release quoting US Attorney for the Northern District of California David L. Anderson:

“We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

The press release also quoted Federal Bureau of Investigation (FBI) Deputy Special Agent in Charge Craig Fair:

“Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

Collectively, the case and statements from the DOJ are probably a unicorn based on, if the facts as alleged are true, a case involving a deliberate cover-up of a data breach in the course of an active FTC investigation. However, many of the statements from the DOJ and the specific allegations in the complaint appear to have potentially far-reaching implications (for companies, their executives and cybersecurity professionals) that breach response counsel must seriously consider in future incidents.

A common question when responding to a ransomware or other cyberattack is whether and when to inform law enforcement. The criminal complaint has the potential to make this an even more difficult decision for future cyberattack victims. Further, while the alleged conduct at issue may seem particularly egregious, the DOJ’s statements could cause a blurring of the lines between what the government may contend is illegal concealment of a security incident and activities generally thought to be legitimate security incident risk and exposure mitigation. We explore these and other key takeaways from the criminal complaint in more detail below.

[...]

Continue Reading



The Toughest Problem Set: Navigating Regulatory and Operational Challenges on University Campuses

When the academic year ended in the spring of 2020, many US university students assumed that a return to campus would be straightforward this fall. However, it is now clear—at least in the near term—that a return to the old “normal” will not be possible. Some universities have concluded that their best course of action is to offer only distanced learning for the time being. Other universities, however, are welcoming students back onto campus, and into residence and dining halls, classrooms, labs and libraries. Each of those universities is developing its own approach to retain the benefits of on-campus student life while reducing risk to the greatest extent possible; nevertheless, some have had to adjust their plans to pivot to remote learning when faced with clusters of positive cases on campus. One thing is clear: The fall semester will be a real-time, national learning laboratory.

Because widespread, rapid testing remains unavailable in many locations, universities have had to find innovative ways to implement testing, tracing and isolation protocols to reduce the risk of transmission among students, faculty and staff. There is no one perfect protocol—all universities are in unchartered waters. But there are a few key components university administrators may want to consider and address:

  • Apps: Symptom checkers, contact tracing and other apps can be useful in identifying and focusing attention on the onset of symptoms, fostering accountability and identifying high-risk exposure. In considering whether to incorporate apps and related technologies into their back to campus plans, universities must anticipate and address considerations related to privacy, security and reporting of results, and will need to consider how such apps are hosted (for example, through Apple’s App Store) and whether any third parties will have access to the personal data collected.
  • Contact Tracing: In addition to the issues noted above, contact tracing efforts also present other challenges, including managing reliability, over/under inclusiveness and liability (for both false positives and false negatives). In addition, the effectiveness of contact tracing is closely tied to its speed and comprehensiveness; to implement a successful contact tracing program, universities will need to balance effectiveness with privacy and autonomy.
  • CLIA: The Clinical Laboratory Improvement Act (CLIA) will require that many of the tests be performed in CLIA-certified (and state-licensed, where required) space. Universities will need to consider how best to handle building out additional compliant space, creating additional “point of care” testing or specimen collection sites if needed to test students, faculty and staff where they are and validating the test(s) being offered. Tests that are not yet validated likely cannot be used to return patient-specific results that inform student and staff care or be used to prompt “official” testing.
  • FDA/Emergency Use Authorizations (EUA): In general, the Food and Drug Administration (FDA) expects developers of molecular, antigen and (in the case of test kit manufacturers) antibody tests to obtain an EUA. However, under FDA enforcement policies during the pandemic, many of these same tests—if validated and offered with appropriate agency-mandated disclaimers—can be offered before [...]

    Continue Reading



Schrems II Special Report: What Does the CJEU’s Decision Mean for Transfers From the EEA to the US?

For our Schrems II Practical Guidance special report, members of McDermott’s internationally recognized Global Privacy & Cybersecurity group have outlined practical guidance and next steps to ensure your business is prepared for what’s next following the final ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems.

As your organization navigates the post-Schrems II landscape following the CJEU’s recent decision, consider McDermott your first point of call. We have deep experience advising global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals.

Practical Guidance for Businesses (US Edition)

Practical Guidance for Businesses (Global – EEA/UK Edition)




Key Issues We’re Tracking as CCPA Enforcement Nears

Although 2020 has already provided more than its share of surprises for businesses, one thing appears to remain unchanged: the California attorney general’s commitment to enforcing the California Consumer Privacy Act beginning July 1, 2020. As companies work to ensure compliance with this legislation, we explore several key issues.

No one will disagree that a lot has happened since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite the Coronavirus (COVID-19) pandemic, the invasion of murder hornets and a number of other not-entirely pleasant surprises that 2020 has brought us thus far, it appears that the California attorney general is still committed to enforcing the CCPA starting on July 1, 2020. As your business prepares for CCPA enforcement, there are a number of issues to keep in mind:

1. The CCPA regulations still have not been finalized and are unlikely to take effect until October 2020.

The attorney general’s regulations, which aim to interpret and implement the important provisions of the CCPA, still have not been finalized. March 27, 2020, marked the end of the comment period for the current draft regulations (which was the second set of modifications released by the attorney general). We are now waiting to see whether the attorney general will issue yet another set of proposed modifications, or submit the current version to the California Office of Administrative Law (OAL) for approval. For the regulations to take effect July 1, the OAL would need to receive and approve the final regulations by May 31, which appears to be an unlikely scenario. Accordingly, the regulations likely will not take effect until October 1, and could potentially be delayed until 2021. As a result, companies should be prepared for CCPA enforcement to begin before the regulations take effect.

2. We’ve started to see the effects of the private right of action.

California consumers have begun to file lawsuits seeking to enforce their (purported) rights under the CCPA. The cases present a first opportunity for courts to examine the private right of action created by the law. One case, in particular, presents a potentially unanticipated theory of harm, and could prove fundamental in establishing the extent of liability for businesses subject to the CCPA. We describe these lawsuits in greater detail here. Because these lawsuits will begin to define the contours and scope of the CCPA, businesses subject to the CCPA should keep a close eye on their progress.

3. The Office of the Attorney General lacks enforcement resources.

As we wrote in a previous article, despite significant enforcement expenditures by the Office of the Attorney General (OAG), it is still an agency with limited resources. This is even more true now that more of the OAG’s resources are likely devoted to COVID response and related urgent priorities. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if, as expected, it takes on large and well-funded companies. Media reports continue to indicate that the attorney [...]

Continue Reading




Importance of CCPA Compliance Highlighted by First Round of Private Actions

The first wave of California Consumer Privacy Act litigation has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The actions assert a variety of claims under numerous theories and present a broad range of potential risks to businesses subject to CCPA. In light of the many questions that surround CCPA’s private right of action, the extent of possible liability from private litigation is still largely unknown and potentially significant.

The first wave of private lawsuits filed under the California Consumer Privacy Act (CCPA) has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The recent explosion in popularity of video conferencing and social media software in response to the COVID-19 pandemic—and the technical issues some of these products have experienced—has inspired its own wave of litigation, with several cases alleging violations of CCPA along with other laws. The flurry of litigation activity makes clear the importance of CCPA compliance, particularly in the current challenging business environment. Although it’s too early to tell how these lawsuits will play out, some themes are emerging.

Refresher on CCPA Private Right of Action

Businesses are now familiar with the long list of privacy obligations imposed by CCPA and enforceable by the California attorney general. Although CCPA contains a private right of action, that right is applicable only to CCPA’s sole data security provision. Cal. Civ. Code § 1798.150 authorizes consumers to institute a civil action against a business whose failure to implement and maintain reasonable security procedures resulted in the unauthorized access and exfiltration, theft or disclosure of the consumer’s nonencrypted and nonredacted personal information. The definition of “personal information” in the context of § 1798.150 is narrower than the expansive definition applicable to other CCPA provisions, applying only to an individual’s name together with an identifying data element, such as a Social Security number, driver’s license number or medical information. A plaintiff may seek injunctive or declaratory relief, actual damages or statutory damages in an amount not less than $100 and not greater than $750 per consumer, per incident. Before seeking statutory damages, however, the consumer must provide the business 30 days’ written notice to cure the alleged violation. The “notice and cure” provision is the subject of some controversy, because CCPA does not explain how a violation that resulted in a data breach can be “cured.” CCPA also explicitly prohibits consumers from using alleged violation of its provisions “to serve as the basis for a private right of action under any other law,” thus, in theory, prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. That hasn’t stopped plaintiffs from trying, as described below.

Theme #1: Suits Brought as Class Actions

Most, if not all, of the lawsuits brought under CCPA thus far have been brought as [...]

Continue Reading




New California Privacy Ballot Initiative Would Expand the CCPA

A proposed ballot initiative in California known as the California Privacy Rights Act, which is likely to pass if placed on the 2020 ballot, would both clarify and expand the existing California Consumer Privacy Act. Companies doing business in the state should closely monitor these developments and prepare for compliance, as we outline in this article.

A California ballot initiative known as the California Privacy Rights Act (CPRA) would clarify and expand the California Consumer Privacy Act (CCPA), granting significant new rights to consumers and imposing additional liability risks on companies doing business in the state. The CPRA is an update to the California Privacy Rights and Enforcement Act (CPREA) ballot initiative, which was proposed in late 2019 by the Californians for Consumer Privacy, which also sought to broadly amend and prevent changes to the CCPA that would undermine its consumer protections.

The proposed ballot initiative, submitted by the architects of the CCPA, garnered 900,000 signatures, far more than the roughly 625,000 necessary for certification on the 2020 ballot. Early polling reportedly shows strong support for the measure, so assuming the signatures are approved and the CPRA is placed on the ballot, it is considered likely to pass and to take effect on January 1, 2023.

The CPRA proposes a myriad of changes, and this article will not address them all. What follows is a discussion of the most significant changes for businesses and consumers in California, followed by enforcement and implementation considerations.

New Clarifications, Rights and Responsibilities

In a number of areas, the CPRA would modify the current CCPA in ways that are likely to be welcomed by companies grappling with the often ambiguous and unclear obligations under the current law:

  • “Personal information” would no longer include information that is manifestly made public by the individual or the media.
  • Businesses that receive deletion requests would be expressly permitted to maintain records of these requests for compliance purposes.
  • Consumers could no longer require a business to generate a list of “the categories of personal information it has collected about that consumer” in response to access requests.
  • “Service providers” and “contractors” (a new term that appears to replace the “third party” contract provisions) would not need to respond directly to consumer requests to access or delete information.

However, these changes are largely overshadowed by the initiative’s imposition of significant new rights for consumers and responsibilities for businesses subject to the CCPA. These include the following requirements:

  • Businesses would need to contend with a new opt-out right to “Limit the Use of My Sensitive Personal Information,” which would require enhanced scrutiny of business practices involving certain “sensitive” categories of information. These sensitive categories of information are reminiscent of (but broader than) the categories of information typically regulated by US data breach notification statutes or are considered “special categories” under the EU General Data Protection Regulation. For purposes of the CPRA, “sensitive” categories will include certain government identifiers (Social Security number, driver’s license, state identification card or passport number); a [...]

    Continue Reading



STAY CONNECTED

TOPICS

ARCHIVES