Just How Far Does California’s New IoT Security Law Reach?

On January 1, 2020, California’s new Internet of Things (IoT) Security Law goes into effect. The law is the first IoT-specific security law in the United States and, simply put, requires all IoT devices sold in California to be equipped with reasonable security measures.

There has been a significant amount of discussion regarding exactly what types of devices are covered by the new regulations and what “reasonable security measures” entail.

Who is covered?

Any “manufacturers” of connected devices that sell their products in California will be required to incorporate reasonable security features into their devices. It does not matter where the product is made. It is also important to note that “manufacturers” include not only those companies that perform the manufacturing themselves, but also companies that “contract with” others to manufacture devices on their behalf. The law does contain several exclusions, including security vulnerabilities caused by user installation of third-party software and devices already regulated by certain healthcare statutes. However, because a device’s interaction with third-party software can itself be the source of a breach, it remains an open question whether a manufacturer must account for how a covered device interacts with such software when assessing what security features are reasonable.

Less Than a Month to Go Until Nevada Privacy Law Effective Date

As discussed in our previous blog post on the topic, Nevada’s amendments to its privacy law are set to go into effect Oct. 1, 2019. Less comprehensive in scope than the much-heralded CCPA, the Nevada privacy law amendment has received significantly less attention than its California counterpart. Even so, the new Nevada privacy law presents its own compliance challenges that companies shouldn’t overlook in the CCPA compliance scramble.

To see a countdown clock and find resources on how to prepare for Nevada’s SB 220 and the CCPA, see our U.S. Consumer Privacy Resource Center.

Inconsistencies and Compliance Challenges

The amended Nevada privacy law establishes a requirement that “operators” of internet websites or online services set up a procedure whereby Nevada residents are given the opportunity to opt out of data sales. Specifically, organizations must establish a “designated request address”—which can be a toll-free phone number, email address, or internet website—where Nevada residents may submit requests to opt out of data sales. Companies must cease the sale of a Nevada resident’s data upon receipt of a “verified request,” defined as a “request submitted by a consumer … for which an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”


Risk Management Strategies to Reduce Risk Associated with Telehealth

The use of technology to provide healthcare has existed for decades; however, recent advances in technology and changes in reimbursement have increased the prevalence of telehealth for diagnosing and treating patients. Telehealth is an emerging and promising method of providing healthcare in areas where healthcare may be limited or unavailable. Telehealth provides quality, cost-effective healthcare and can reach individuals in remote or underserved locations. It has also been shown to increase patient satisfaction.

The Health Resources and Services Administration of the U.S. Department of Health & Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration, and may include non-clinical services.” The Centers for Medicare & Medicaid Services and all 50 states have regulations governing the use of and reimbursement for telehealth services, and commercial payers are increasingly covering these services. Reimbursement policies for telehealth services vary: they may restrict the types of facilities and providers that can seek reimbursement, and they may impose geographic limitations on reimbursement for certain medical conditions. Because of the surge in the use of telehealth, healthcare providers need to be aware of the risks associated with the use of this technology and implement mitigation strategies to reduce these risks.


Summer Is Over – It’s CCPA and NV Crunch Time

It is less than 120 days until California’s ground-shifting new privacy regime – the California Consumer Privacy Act (CCPA) – goes into effect. There is only a week left for the Legislature to pass the handful of amendment bills that still survive, and we should have the attorney general’s proposed regulations published for public comment within weeks. Furthermore, the digital advertising industry has decided on a way to address the CCPA and future laws that may give consumers the ability to opt out of data disclosures that are not necessary to provide core services to the consumer. Hopefully, many unanswered questions will be at least partially answered in the next two months. In the meantime, here are some previews.

Last Thursday night I co-hosted an event for Attorney General Xavier Becerra in Los Angeles. There was a lively conversation with the AG; these are some of the highlights:

  • The AG’s office has been, as we know, consulting with stakeholders to help develop the regs. However, the AG reported that they have also consulted with EU data protection authorities to get the benefit of their experiences.
  • The upcoming regulatory public comment period will be meaningful, and the AG is particularly interested in hearing about compliance challenges, inadvertent consequences and constructive suggestions for refinements. He encourages written comments with specific recommendations for edits or additional regulations.
  • The AG is particularly concerned with the lack of meaningful transparency and choice for consumers regarding their personal information (PI) and will likely be concentrating on pre-collection notice and the breadth of opt-out, both in the regulations and in enforcement priorities.
  • Previously an advocate against the right to cure, the AG expressed doubt that many types of violations could be capable of cure given that consumers’ rights would have been injured and the resulting damage already done. That said, he indicated that a good faith effort to interpret and comply would be met with a better response than outright noncompliance.
  • While promising not to be in the “gotcha” business, and seeking to work with industry to develop sound approaches to interpretation of the title, the AG indicated that his office’s mandate is enforcement and consumer protection, and the first cases brought will be “must wins” so that examples can be made for industry, both as to the substantive issues involved and the risk of noncompliance.


Maryland Insurance Administration Issues Breach Notification Bulletin

On Aug. 29, 2019, the Maryland Insurance Administration (MIA) issued Bulletin 19-14. The purpose of the bulletin is to inform insurers, nonprofit health service plans, health maintenance organizations, managed care organizations, managed general agents and third-party administrators of a new security breach reporting requirement to the Compliance & Enforcement Unit at the MIA.

Effective Oct. 1, 2019, pursuant to Insurance Article § 4-406, carriers are required to notify the insurance commissioner of a breach of the security of a system if the carrier (1) conducts an investigation required under § 14-3504(b) or (c) of the Commercial Law Article; and (2) determines that the breach of security of the system creates a likelihood that personal information has been or will be misused. The notice needs to be provided at the same time that the Maryland attorney general is notified pursuant to § 14-3504(h) of the Commercial Law Article.

The notice to the commissioner must include (1) a brief description of the circumstances of the security breach, (2) a copy of any notifications sent to consumers and (3) a copy of the notice submitted to the Maryland attorney general. The MIA has created an online form that can be used to submit the notice.

The MIA has thus joined a growing number of insurance departments that have issued bulletins, guidance or regulations on reporting security breaches. See our previous blog posts here and here.

CCPA Amendment Progress Report: July Update

As we reported in April, May and June, a number of potentially significant amendments to the California Consumer Privacy Act (CCPA) continue to make their way through the state legislative process. Below we provide a summary of recent developments from earlier this month, including changes that may materially affect how businesses approach their CCPA compliance efforts.

Bills That Passed With Amendments

AB 25: Changes to the Employee Exception

This bill has been closely watched since its introduction, as the inclusion of employees in the definition of “consumers” covered by the CCPA could represent a serious compliance burden for certain companies. Initially, the bill would have amended the definition of “consumer” to exclude job applicants, employees, contractors and agents whose personal information was collected and used in the context of the employment relationship, essentially removing HR data from the scope of the CCPA. That exception has now been limited, and it will expire entirely following a one-year grace period. Specifically:

  • The exception does not apply to the private right of action set forth in Section 1798.150. Employees may bring civil actions for data security breaches affecting personal information maintained by their employers.
  • The notice requirement in Section 1798.100(b) will apply to these individuals as of January 1, 2020.
  • The entire exception will become inoperative as of January 1, 2021.

Accordingly, businesses must prepare to provide their employees with CCPA-compliant notice regarding the collection and use of personal information as they would for any other consumer. It appears the delay with respect to other CCPA requirements was inserted in the latest amendments to allow stakeholders time to address concerns regarding employee surveillance.

EU Updates: ePrivacy Regulation Inches Forward, EDPB Issues Guidance on Interplay Between GDPR and ePrivacy Directive

Adoption of the ePrivacy Regulation

The ePrivacy Regulation was introduced in 2017 and originally slated to take effect alongside the GDPR on May 25, 2018; it now appears it will not be implemented before late 2021. With the Romanian Presidency of the Council of the European Union passing to Finland as of July 1, and in view of forthcoming EU parliamentary elections and procedural considerations, it is possible that adoption of the ePrivacy Regulation will be delayed even further.

Key concepts currently up for debate and the subject of amendments in the Regulation’s latest draft include:

  • Conditioning access to website content on a user consenting to advertising cookies: The current draft states this would not be “disproportionate” unless the site is provided by public authorities. Notably, this position contradicts those taken in Article 29 Working Party Guidance from April 2018, and in enforcement actions by supervisory authorities (see our post here on the UK ICO’s enforcement in this regard).
  • No consent needed to process electronic communications data for information security reasons: Previous drafts would not have provided as much leeway on this point as the current draft allows.
  • To what extent metadata can be processed by end users after receipt, or by a third party entrusted by them, without consent: One practical implication of this is that it may regulate aggregated and anonymized data that some companies rely on for analytics. Otherwise, this type of data may fall outside the scope of regulation (i.e., GDPR) since it may not be considered personal data.
  • Expansion of the definition of “direct marketing communications”: The proposed definition would cover communications using new technologies (including voice over IP calls and electronic message applications), bringing these and other popular mobile applications within the scope of the ePrivacy Regulation.
  • How the ePrivacy Regulation will interact with new technologies, in particular in the machine-to-machine, “internet of things” and artificial intelligence contexts.
  • Enforcement by supervisory authorities: The latest draft requires cooperation with other supervisory authorities, as under the GDPR.

For more information, view the Romanian Presidency’s May 22, 2019 Progress Report. The Council of the European Union only briefly discussed the ePrivacy Regulation during its meeting on June 6 and 7, 2019.

We will continue to monitor and provide updates on the progress of the ePrivacy Regulation.

FTC Announces Enforcement Action, Warning Letters for Companies Falsely Claiming Privacy Shield Participation

The Federal Trade Commission (FTC) recently announced a compliance sweep of companies claiming to be in compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield Frameworks. The U.S.-EU Privacy Shield and the U.S.-Swiss Privacy Shield programs enable companies to self-certify that they have adopted a number of data protection practices to bring their businesses in line with European data protection law. Because the U.S. lacks a generally applicable federal data protection law, and because the standards for data protection in the U.S. are less stringent than those in the EU, the U.S. is not considered an “adequate” jurisdiction under European law, and transfers of personal data to the U.S. are barred absent an approved transfer mechanism. One such mechanism is Privacy Shield: a company that adopts data protection practices consistent with the requirements of European law may self-certify compliance with the U.S.-EU Privacy Shield and U.S.-Swiss Privacy Shield with the U.S. Department of Commerce. Adherents to the Privacy Shield frameworks can then represent their data protection practices as “adequate” under EU law, enabling lawful transfer of personal data regarding EU data subjects to the U.S. under the European Union’s General Data Protection Regulation and the Swiss Data Protection Act.

Texas Moves Forward With Updates to Breach Notification Law and Institutes Privacy Council to Study Data Privacy Legislation

Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation, but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to the final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council in order to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting signature from the governor to be enacted.

Attempt to Expand CCPA Private Right of Action Fails, While Bills Exempting Employee Data and Otherwise Refining CCPA Advance

Over the past several weeks, the California State Assembly has voted in favor of advancing to the California Senate bills that would narrow the reach of the California Consumer Privacy Act (CCPA). Senate bills did not fare as well and have died. Two of the CCPA amendment bills moving forward have the potential to greatly benefit businesses by providing exemptions for employee data and loyalty programs. These bills will become law if passed by the California Senate and ultimately signed by the governor.

As we have previously reported, California legislators have introduced numerous bills to amend the CCPA since it first passed. The “house of origin” deadline – the last day for each house to pass bills introduced in that house – was May 31, 2019. Most significantly, AB 25 proceeded forward, clarifying that the definition of a consumer does not include employees, and SB 561 died, ending (for now) the notion of an expanded private right of action. We will continue to monitor the bills that are proceeding. A summary of what has happened with CCPA amendment bills follows below. In addition, we note the status of several bills that are not CCPA amendments but address privacy issues.
