Texas Moves Forward With Updates to Breach Notification Law and Institutes Privacy Council to Study Data Privacy Legislation

Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation, but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to the final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council in order to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting signature from the governor to be enacted. Continue Reading

Attempt to Expand CCPA Private Right of Action Fails, While Bills Exempting Employee Data and Otherwise Refining CCPA Advance

Over the past several weeks, the California State Assembly has voted in favor of advancing to the California Senate bills that would narrow the reach of the California Consumer Privacy Act (CCPA). Senate bills did not fare as well and have died. Two of the CCPA amendment bills moving forward have the potential to greatly benefit businesses by providing exemptions for employee data and loyalty programs. These bills will become law if passed by the California Senate and ultimately signed by the governor.

As we have previously reported, California legislators have introduced numerous bills to amend the CCPA since it first passed. The “house of origin” deadline – the last day for each house to pass bills introduced in that house – was May 31, 2019. Most significantly, AB 25 proceeded forward, clarifying that the definition of a consumer does not include employees, and SB 561 died, ending (for now) the notion of an expanded private right of action. We will continue to monitor the bills that are proceeding. A summary of what has happened with CCPA amendment bills follows below. In addition, we note the status of several bills that are not CCPA amendments but address privacy issues. Continue Reading

Nevada Adds “Do Not Sell” Requirement to Privacy Law

Last week, Nevada Governor Steve Sisolak signed new privacy legislation into law in Nevada. Senate Bill 220 (SB-220) updates Nevada Revised State 603A to provide consumers a new right to opt out of the sale of their data. Effective Oct. 1, 2019, the new law will come into effect prior to the more comprehensive California Consumer Privacy Act (CCPA). Accordingly, the Nevada law will be the first law in the United States granting consumers the right to opt out of data sales. Continue Reading

Ad and Publishing Industries Confront CCPA Challenges While Congress Considers Privacy

Sacramento California outside the capital buildingThe California Consumer Privacy Act (CCPA), effective Jan. 1, 2020, will require more privacy transparency and choice for consumers than they have ever had under U.S. law, but its approach to providing consumers with the right to opt out of a sale of their personal information threatens to disrupt the third-party digital advertising ecosystem. Most consumers are aware that adtech has evolved to enable tracking technologies to monitor online usage across time and sites in order to build interest profiles tied to pseudonymous identifiers and thereby permit advertisers to send ads tailored to likely interests. Consumers benefit from getting more relevant ads, which advertisers will pay more to place, which in turn generates more revenue for publishers, thereby fostering free, ad-supported content that also benefits consumers. Win-win, right? Not so fast, some say; tracking and targeting is intrusive, or at least creepy, and consumers should have a choice about who can learn what about them and use that information to advertise to them. In response to that consumer concern, the U.S. advertising industry developed a transparency and choice paradigm that relies on notices and opt-outs. (Learn more about that here and here.) In addition, users of online services can employ techniques such as using ad blockers and limiting cookies. Google recently announced that it will ban device fingerprinting for ad personalization, citing lack of user transparency and control, and will enable users to block third-party cookies, a typical adtech tool, while permitting first-party cookies, a typical publisher tool. However, the CCPA is poised to upset this approach to consumer choice through its “do-not-sell” right, which provides an opt-out choice for consumers age 16 and older, but requires opt-in for youth between 13 and 16, and parental consent for children under 13. Continue Reading

Deeper Dive: GLBA-Regulated Financial Institutions Reduce Your Cybersecurity Risk With Rigorous Oversight of Third-Party Service Providers

Financial institutions that are subject to the Gramm-Leach Bliley Act (GLBA) can find practical tips that address their unique data security challenges in the 2019 Data Security Incident Report (DSIR). It appears that money remains a strong motivating force for many threat actors. According to the 2019 report, finance and insurance remain among the sectors most heavily impacted by data security incidents, with 19% of data at risk involving a financial account. Phishing (responsible for 37% of all incidents, according to our DSIR) and credential stuffing are among the primary ways that hackers can obtain the keys to a consumer’s financial kingdom – the username and password to an individual’s financial accounts. Armed with these credentials, threat actors can purchase goods or wire, transfer or otherwise move funds out of those accounts with remarkable speed and efficiency. Although multifactor authentication has become increasingly standard for money movement and other higher-risk financial account activity at major financial institutions, as reflected in GBLA regulatory guidance relating to authentication in an internet banking environment, threat actors have proven increasingly cunning, often taking over email accounts and spoofing mobile device IDs where financial institutions send one-time-PIN codes, in order to render these multifactor safeguards ineffective.  Continue Reading

Deeper Dive: Security Incident Mitigation Strategy: Effective Negotiation of Technology Contract Limitations of Liability

There is always significant negotiation around caps on liability when negotiating a contract with a technology vendor. If the vendor will have access to the personal information of its customers’ end users (regardless of whether the end users are employees or customers), treatment on caps on liability take on heightened importance. In fact, limitations of liability are a key indicator of the allocation of risk between the parties. Both parties are seeking to insulate themselves from liability and minimize the financial harm in the event of a data security incident. Vendors have become increasingly reluctant to provide unlimited liability to protect customers against harms caused by security incidents, going to great lengths to narrowly tailor the situations under which the vendors will bear risk. Customers have been increasingly reluctant to have a data security incident classified as a regular contract breach and subject to regular contract damages. The resulting compromise, in many instances, is the “super cap.” The super cap is a number greater than the general cap on liability, but less than unlimited liability. It can exist in many forms; for example, as a multiple of fees paid, a multiple against 12 months’ fees paid, a number tied to insurance coverage or a flat dollar amount. Continue Reading

Washington Privacy Act Dies in the House While California Continues to Consider Refinements to the CCPA

Computer security concept. Others in this series.After passing the Senate nearly unanimously, the Washington Privacy Act (SB 5376) has stalled in the House of Representatives. The bill failed to achieve passage out of committee by the April 17 deadline for consideration of bills originating in the opposite house, and was returned to the Senate on April 28. As a result, SB 5376 is unlikely to pass this year.

SB 5376 gained early support from Washington’s technology industry, which helped it achieve easy passage in the Senate. Upon reaching the House, however, the bill met with strong resistance from individual rights groups. The Washington ACLU announced that it would make privacy legislation a focus of the group’s 2019 legislative agenda, sponsoring legislation to place limitations on the use of automated decision-making systems employed by public agencies (see HB 1655 and SB 5527). The group opposed SB 5376 after the ACLU’s legislation failed to gain traction, arguing that exemptions in the bill would create loopholes that would render the legislation’s privacy protections toothless. Opponents also took issue with the fact that the bill lacked a private right of action, leaving enforcement authority exclusively with the Attorney General’s Office. Additionally, detractors worried that the bill’s protections for facial recognition technology were insufficient, noting that the use of facial recognition could lead to law enforcement inequities due to the fact that such technologies can have disparate results when applied to different racial and ethnic groups. Just a day before SB 5376 died in committee, the ACLU, the Electronic Frontier Foundation and four other civil liberty groups issued a joint statement opposing the legislation. Continue Reading

‘Apparent Inconsistency’ in HITECH Language Leads HHS OCR to Significantly Decrease Yearly Fines

Secure and protected medical records. Bar code added to folder, not actual patient information. Concept image. Narrow depth of field.On April 26, 2019, the U.S. Department of Health & Human Services (HHS) issued an announcement that the annual penalty cap for three of the four tiers of HIPAA violations would be reduced significantly to match what HHS called a “better reading” of inconsistent language found in the Health Information Technology for Economic and Clinical Health Act’s (HITECH) penalty scheme. Continue Reading

California Assembly Privacy Committee Votes in Favor of Advancing CCPA Amendments

Sacramento California outside the capital buildingLast Tuesday, the California Assembly’s Committee on Privacy and Consumer Protection (Assembly Privacy Committee), which has jurisdiction over matters related to privacy, the protection of personal information and information technology, held a committee hearing in which it voted in favor of advancing eight industry-backed bills that would amend the California Consumer Privacy Act (CCPA), set to take effect on Jan 1, 2020. To the benefit of businesses, the bills, which now move on to the Assembly’s Appropriations Committee, would clarify the text and limit the scope of the unprecedented, sweeping privacy law that grants consumers a great degree of transparency and choice with respect to their personal information, defined broadly under the act. If the bills survive the Assembly’s Appropriations Committee, they will come before the full Assembly before advancing to the California Senate, and would ultimately become law if signed by the governor. Also of note, two CCPA amendment bills, discussed further below, have been withdrawn from advancement to committee consideration. Continue Reading

Deeper Dive: The Landscape of Healthcare Data Breaches

Healthcare was the industry most affected by data breaches in 2018. We worked on nearly 200 healthcare matters involving multispecialty academic medical centers, hospital systems, small and large physician practices, small and large health insurers, and biotech and pharmaceutical companies.

In 2018, health information alone was just behind Social Security numbers (which can also be protected health information) as the most at-risk data.

Data security incidents are becoming more sophisticated in nature. We’ve noted an uptick in the number of targeted phishing attacks and network intrusion incidents affecting small and large organizations alike. And we’ve observed, along with this increased activity, intensified enforcement efforts by both federal and state regulatory agencies. Continue Reading

LexBlog