Additional 6-Month CCPA Extension Sought in Wake of COVID-19

On March 18, we filed a request to the California Attorney General, as part of the CCPA rulemaking process, seeking an additional six month delay in the enforcement of the CCPA to allow our clients time to better focus on business continuity and the safety of consumers and employees in response to the national COVID-19 state of emergency. CCPA enforcement is set to begin July 1, 2020, but the State of California has yet to even complete the rulemaking process for the implementing regulations.  The full filing is available here.

HHS Issues Two Important Bulletins Waiving HIPAA Sanctions During the COVID-19 National Emergency

The HHS Office for Civil Rights (OCR) issued two important bulletins this week regarding the novel coronavirus disease (COVID-19) outbreak. On Mar. 16, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule, including the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care and the requirement to distribute a Notice of Privacy Practices to patients. Currently, the waiver applies only to those hospitals located in the emergency area identified in the public health emergency declaration that have instituted a disaster protocol, and then only for 72 hours from the time at which the disaster protocol was implemented. It is unclear if OCR will extend the time period for this waiver given the widespread and potentially prolonged nature of the COVID-19 outbreak. The bulletin also reminds providers that affirmative reporting to the media or the public about any identifiable patient may not be done without the written authorization of the patient or the patient’s personal representative. A copy of the bulletin can be found here.


COVID-19 Cybersecurity Exposure

Risk scenarios and recommendations

History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting to track the coronavirus’s spread across the globe. These opportunistic attacks were an expected variation on well-known themes that use fear to engineer an individual’s behavior. But unlike the typical crisis – a natural disaster or terrorist attack contained in time and space – the pandemic’s effects are global and protracted and stoke paranoia in ways that terrorist organizations only dream of.

While there are many ways to exploit a global pandemic, cyberattacks are an obvious and particularly combustible option. Cyberattacks can be deployed quickly, globally and with virtually no risk to the attacker. They can support any motive, from financial gain to espionage, sabotage and terrorism. And they can exploit new fractures in our already weak cyber defenses fueled by global distraction and fear, and an unprecedented level of remote work. Likewise, a distracted workforce coping with working in unfamiliar places is more likely to make mistakes when handling sensitive data. Continue Reading

FERPA Disclosures in Response to COVID-19

The United States Department of Education (ED) Student Privacy Policy Office (SPPO), on March 13, 2020, issued Frequently Asked Questions related to the serious novel coronavirus disease (COVID-19) that the world is now grappling with. This FAQ document mirrors in large part the same line of advice found in ED’s prior Joint Guidance with Health and Human Services related to student health and permitted disclosure (see our prior blog post on that guidance here), but the FAQ is targeted with specific questions that educational institutions and entities are facing in addressing and supporting their students and communities in light of the pandemic.

With K-12 schools and institutions of higher education at the forefront of community response to the pandemic, and playing a pivotal role not only in education but also in feeding students, providing facilities for the community, and other important facets of community life, schools, districts and institutions need to be able to respond to the pandemic while also ensuring that the provisions of the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g; 34 C.F.R. Part 99, relating to unauthorized disclosure of an education record are not implicated. Specifically, FERPA prohibits an educational agency or institution from disclosing personally identifiable information (PII) from a student’s education record without the prior written consent of a parent or non-minor student unless an exception applies. One exception is the “health or safety emergency,” which allows disclosure in an emergency to public health agencies, medical personnel, law enforcement officials or even parents if such disclosure is necessary to protect the health and safety of other students or individuals. There must be an actual emergency, not a future or unknown one. In areas where COVID-19 has been declared a public health emergency this requirement would arguably be met. However, ED notes that public health departments typically can have education records disclosed under this exception even in the absence of a formally declared health emergency. Continue Reading

New HHS Rules Give Patients ‘Unprecedented’ Digital Access to Their Own Health Data but May Put Privacy at Risk

On Monday, the U.S. Department of Health and Human Services (HHS) issued what it calls “transformative” rules that will govern how healthcare providers, insurers and technology vendors must design their systems to give patients safe and secure access to their health data. Issued by two different agencies within HHS – the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) – the rules implement the interoperability and patient access provisions of the bipartisan 21st Century Cures Act.

The new rules are aimed at putting patients in charge of their own health records and allowing them to share their sensitive health data with others, including smartphone application developers. But with these new rules come growing concerns over the risk they pose to patient privacy.

Interoperability and Patient Access

The ONC final rule requires that health providers, developers of certified health information technology (IT) products, health information exchanges and other health information networks give patients secure, electronic access to their health records at no cost, and it creates new measures to prevent information-blocking practices and anti-competitive behavior. In addition, the rule establishes new provisions to ensure that providers have the ability to communicate about health IT usability, user experience, interoperability and security, including (with limitations) the ability to document issues using screenshots and video, which ONC says are critical forms of visual communication. Continue Reading

CCPA Class Actions: Can They Include a Blast From the Past?

Our Digital Assets and Data Management teams have been tracking all aspects of the CCPA, so when Fuentes v. Sunshine Behavioral Health Group, LLC (Case No. 8:20-cv-00487, Central District of California) was filed on March 10, 2020, alleging a direct claim for violation of the CCPA, we were interested to see how CCPA allegations are being alleged directly, rather than as predicate violations for other claims. The lawsuit alleges that on Sept. 4, 2019, Sunrise learned it was experiencing an incident involving approximately 3,500 patients. This filing confirms our earlier predictions about how the CCPA would likely result in more filings related to incidents involving relatively few persons due to the statutory penalties potentially available.

Assuming the allegations in the complaint are true, this case may be one testing ground for the retroactivity question relating to the CCPA. We previously discussed this issue, noting that Section 1798.150 of the CCPA is not expressly retroactive and does not expressly apply to conduct that took place prior to Jan. 1, 2020, but that the CCPA’s 12-month lookback, combined with entrepreneurial plaintiffs’ counsel, could lead to lawsuits over data incidents predating 2020. Continue Reading

California AG Releases Second Set of Modified CCPA Regulations

On March 11, 2020, the California Attorney General published a third version of the proposed regulations to implement the California Consumer Protection Act available here. A redline showing changes against both the initial draft regulations (published October 11, 2019) and the first modified draft (published February 10, 2020) is available here. Notably, the latest regulations have removed guidance on the definition of “personal information” as well as guidance on the standard opt-out button. A new public comment period is now open until 5 pm Pacific on March 27, 2020. A summary of proposed changes in the implementing regulations is forthcoming. For more information on the CCPA generally, see our Consumer Privacy Resource Center.

Ad Industry Split on Cookies and CCPA

Owners of websites and mobile applications that utilize cookies and other tracking technologies, e.g., pixels, app SDKs (tracking technologies), for interest-based advertising and other activities inherently share data across the digital ecosystem and will have to address these activities as part of their greater California Consumer Privacy Act (CCPA) compliance approach. In particular, the CCPA’s novel “do not sell” right and broad definition of “personal information” (PI) (which includes but is not limited to IP addresses, device IDs, cookie IDs and other unique identifiers) is directly implicated in these types of data transfers. With respect to tracking technologies under the CCPA, various approaches are emerging to take certain PI transfers outside the scope of a “sale” by the publisher and for complying with a consumer’s do-not-sell opt-out request if necessary, although there remains no industry consensus and the California attorney general (AG) has provided no direct guidance on the issue. This post discusses the emerging approaches to CCPA compliance for tracking technologies, and in particular the CCPA frameworks developed by the Internet Advertising Bureau (IAB), the Digital Advertising Alliance (DAA) and Google. Whether you adopt one or more of these framework approaches, integrate a do-not-sell tool to shut down all cookies that are not strictly acting as service providers or take the position that third-party tracking technologies’ data activities are simply not a sale by you, it is recommended that your privacy notice and consumer rights request messaging clearly explain the approach(es) you are taking and the scope and limitation of consumer choice offered thereby. Until there is further guidance from the AG, the biggest risk would seem to be a claim that you are being deceptive with regard to how you are treating tracking technologies under the CCPA. Continue Reading

Surviving the Pandemic: Yes, You May Have to Pay a Ransom

We are in the midst of a global pandemic. This scourge is easily transmitted, and infections are difficult to eradicate. It learns from our defenses and then mutates into new variants. It comes in various forms, with exotic names such as Sodinokibi, GandCrab and Ryuk. Sometimes its effects are mild, but in many cases it can cause extreme disruption and panic and has devastating consequences. But this plague, also known as ransomware, can’t be treated with a vaccine or avoided by wearing masks or washing hands.

So how bad is this pestilence? Ransomware has infected government entities, large corporations, healthcare providers, universities and businesses of all types and sizes. And the ransom amounts paid have only been increasing.

According to a company that negotiates ransom payments for victims, attackers at the end of 2019 collected more than double the ransom amounts paid earlier in the year – with the high end at $780,000 and the low end at $1,500. The average payment is now $84,116, and organizations had on average 16 days of downtime (up from about 12 days). And the publicly available information, mostly relating to government entities, shows payments in 2019 of $500,000 by one Florida city, $600,000 by another and $400,000 by a Georgia county. In many instances, private entities have received demands of over $1 million. Continue Reading

The Washington Privacy Act Is Back

Computer security concept. Others in this series.After the Washington Privacy Act (“WPA”) failed to pass in 2019, state legislators promised to renew their efforts in the 2020 legislative session. Lawmakers kept this promise last month, introducing three bills targeted at an array of consumer privacy issues. The first bill, SB 6281, or the Washington Privacy Act, introduced in the Senate on January 14, is a comprehensive privacy bill modeled after the European Union’s General Data Protection Regulation (“GDPR”) with aspects of the California Consumer Privacy Act (“CCPA”) sprinkled in. The second bill, HB 2485, introduced on January 15 in the House, would regulate data collection and use practices of consumer genetic-testing companies. HB 2644, introduced a day later in the House, seeks to regulate the use of artificial intelligence-enabled profiling. While HB 2485 and HB 2644 target discrete privacy issues, SB 6281 attempts to set general guardrails for the permissible collection, use and disclosure of Washington residents’ personal data. Here, we delve into the details of the first and most comprehensive privacy bill introduced yet this legislative session: SB 6281. Continue Reading