Everything Data!

Thank you to our clients and relationships, as well as to the BakerHostetler team who made the creation of the new Digital Assets and Data Management (DADM) Practice Group possible.

In a world dependent on data, this group takes a 360-degree approach to the delivery of services and counsel to clients on how they manage and use information, comply with regulations, incorporate new technology and defend against internal and external threats. For more than a decade, different teams at BakerHostetler have been at the forefront of helping clients leverage data and technology to transform their products and services. Following our own advice of using an enterprise approach to address these issues, we prioritized the importance of “data” as it affects the practice of law, and merged these teams into a unique multidisciplinary practice group to help clients address the spectrum of issues in this area.

Our new practice group brings preeminent teams together to provide comprehensive counsel on the full range of complex and evolving issues associated with data and technology, including digital innovation, e-commerce, fintech, cybersecurity, consumer privacy, transactions, governance, risk management and more. Our services are structured to reflect the business life cycle of data.

The DADM Practice Group marshals the strength of six service delivery teams of diverse attorneys, technologists and support professionals from the firm’s highly regarded IncuBaker program to help clients navigate the intersection of digital business, emerging technologies and the law. Nearly 50% of the practice group members are women and diverse attorneys. Four of the six teams are led by women and diverse attorneys.

California AG Press Release Emphasizes CCPA’s Jan. 1 Effective Date and Data Broker Registry, Provides No Update on Draft Regulations

On Jan. 6, 2020, the California attorney general (AG) released a CCPA advisory press release and reiterated what we already know – that “businesses subject to CCPA [are] required to begin complying with the law on January 1, 2020” and that California residents are afforded new data privacy rights under the CCPA.

Unfortunately, the advisory did not provide any details regarding when the next round of draft regulations will be released or when the regulations may be finalized. The first public comment period, during which the AG held seven public forums around the state and received more than 300 written comments (including from BakerHostetler, detailed here), ended on Dec. 6, 2019. There will be a second public comment period of either 15 or 45 days following revisions to the draft regulations, depending on the extent of changes in response to the first public comment period.

Steps to Develop a Mature Third-Party Risk Management Program With High-Risk Third Parties

This blog is the first in a series exploring how organizations can prevent or mitigate the severity of a third-party data breach or cyber exploit by implementing a variety of cybersecurity risk management controls such as assessing compliance with regulations, vetting third-party security practices, and establishing data breach and cyber exploit incident response procedures. While the complexity of cyber risks intensifies, together with an increasingly challenging privacy and security regulatory environment, the overall maturity of third-party risk management programs is barely keeping up. Resource constraints, a lack of standardization of risk assessment processes and the difficulty of determining the “source of truth” of data held by third parties continue to dog many organizations.

Part 1 – Ensuring Compliance With Data Protection and Privacy Regulations

As states continue to promulgate new data privacy and security regulations, including the California Consumer Privacy Act (CCPA), it is increasingly vital that organizations ensure that third parties providing critical infrastructure or operational support, or with access to personal and other sensitive information such as financial, health and other regulated data (sensitive data), comply with not only such states’ laws but also federal and international prescriptive regulatory controls and processes, by considering the following steps.

Cybersecurity Remains a Top SEC Examination Priority in the New Decade

It may be a new decade, but the focus of the Securities and Exchange Commission (SEC) on cybersecurity has not shifted. In particular, the SEC noted in its 2020 Examination Priorities that the Office of Compliance Inspections and Examinations (OCIE) “will continue to prioritize cyber and information security risks across the entire examination program.” This pronouncement and other recent regulatory guidance underscore the risk of potentially far-reaching harm that breaches and security incidents pose to market participants and retail investors. Building on its earlier guidance (previously covered here), OCIE emphasized a cooperative approach to help firms identify and address these risks, bolster compliance programs to protect against them, and encourage engagement with regulators and law enforcement.

OCIE also indicated that SEC exam staff will continue to focus on investment advisers’ policies, procedures and controls with respect to:

  • Governance and risk management
  • Access controls
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response and resiliency


Hoping for a New Year’s Resolution: Clarity on the Sale of Personal Information of California Minors

Those who keep an eye on privacy laws may be familiar with how monumental the Children’s Online Privacy Protection Act (COPPA) was when it first became effective in 1998. COPPA requires online services that directly target children under the age of 13, or reasonably know that children visit the online service, to obtain verifiable parental consent before collecting personal information from the children. COPPA is meant to bring extra protections to children, but with the European Union’s General Data Protection Regulation (GDPR) giving protections to minors under the age of 16 beginning May 25, 2018, U.S. policymakers questioned whether there was a gap in online privacy laws that address young teens.

Nearly two decades after COPPA, the California Consumer Privacy Act (CCPA) and its amendments, which became effective this year on Jan. 1, are disrupting U.S. privacy law, including as it relates to young teens, by giving California residents who are at least age 13, but not yet 16, the right to opt in to the sale of their personal information. With the CCPA’s broad definition of “sale,” which many have argued occurs when advertising cookies share data for building cross-service profiles for tailored advertising, this new right threatens ad revenues for publishers that may serve a teen population.

The CCPA generally gives California residents, herein referenced as consumers, the right to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. The CCPA defines a sale broadly, including any “making available” of personal information for monetary or nonmonetary valuable consideration. The California Attorney General, in charge of enforcing the CCPA, has deemed this right the “right to opt-out” in its Proposed Text of Regulations, which acts as guidance for interpreting the CCPA and contains additional requirements.

Is the CCPA’s Private Right of Action Provision Retroactive?

With the California Consumer Privacy Act (CCPA) – the strictest privacy law in the nation – now in effect, an important question for businesses to consider is whether it applies to conduct that occurred prior to the law’s effective date of Jan. 1. This question is particularly relevant to the private right of action section of the CCPA, Section 1798.150.

Section 1798.150 provides consumers with a private right of action based on a “business’s violation of the duty to implement and maintain reasonable security procedures” resulting in “unauthorized access and exfiltration, theft, or disclosure” of the consumer’s nonencrypted and nonredacted personal information. Cal. Civil Code § 1798.150. A “business” is defined as any entity that (1) has annual gross revenue of over $25 million; (2) buys, sells or shares the personal information of 50,000 or more consumers per year; or (3) derives 50 percent or more of its annual revenue from selling consumers’ personal information. Id. at § 1798.140. Under Section 1798.150, a consumer may recover damages of between $100 and $750 per violation or their actual damages, whichever is greater. They can also seek injunctive or declaratory relief or any other relief the court deems proper. Id. at § 1798.150.

Section 1798.150 is not expressly retroactive; that is, it does not expressly apply to conduct that took place prior to Jan. 1. A retroactive law is one that “affects rights, obligations, acts, transactions and conditions which are performed or exist prior to the adoption of the statute.” Aetna Cas. & Sur. Co. v. Indus. Accident Comm’n, 182 P.2d 159, 161 (Cal. 1947) (internal quotations and citations omitted). Under California law, “[i]t is an established canon of interpretation that statutes are not to be given a retrospective operation unless it is clearly made to appear that such was the legislative intent.” Id. Further, Section 3 of the California Civil Code, which governs the CCPA, provides that “[n]o part of [this code] is retroactive, unless expressly so declared.” Cal. Civ. Code § 3.

New Year Brings Trio of U.S. Breach Notification Amendments

Along with the California Consumer Privacy Act, the new year brought us a trio of updated breach notification laws, in Oregon, Texas and Illinois. The Oregon law is of the most interest because it is the first to require that vendors notify the state’s attorney general of breaches in some cases. It also requires a vendor to notify a data owner within 10 days of discovering a breach. These new requirements could alter the typical relationship that data owners and vendors develop contractually, and organizations should examine how they expect to interact with their business partners in light of the new law.

New Vendor Notice Requirements

The amendments now clearly differentiate between “covered entities” (virtually any person or organization that collects data) and “vendors” that provide data services to those entities. The law’s first vendor requirement is generally consistent with most service contracts and other state laws that address vendor responsibilities: Once a vendor “discovers a breach of security or has reason to believe that a breach of security has occurred,” it must notify the covered entity within 10 days, or sooner if practicable. But the amendments go further and now require vendors to notify the Oregon attorney general of breaches affecting more than 250 Oregon residents (or where the number of affected residents cannot be determined), unless the covered entity “has notified” the attorney general. The vendor is not required to notify individuals; that requirement is imposed only on the covered entity.

Cybersecurity Implications in Government Contracting Top 2019 End-of-Year Considerations

Barron Avery, leader of BakerHostetler’s national Government Contracts team, was quoted in a Law360 article titled “Top 5 Gov’t Contract Cases of 2019.” Avery’s comments come as a sure reminder for contractors that failing to adhere to cybersecurity requirements can have serious and dire consequences for contractors themselves.

In May 2019, the U.S. District Court for the Eastern District of California held that an alleged failure to meet cybersecurity regulations can form the basis for a False Claims Act suit. This is the first such holding of its kind. The suit involved a relator who claimed rocket and missile propulsion manufacturer Aerojet Rocketdyne (Aerojet) misled the U.S. Department of Defense about Aerojet’s failure to safeguard “unclassified controlled technical information” from cybersecurity threats. In particular, the relator claimed Aerojet misrepresented and only partially disclosed to the U.S. government the extent to which Aerojet was noncompliant with cybersecurity regulations. Based on these claims, the court held the “relator has plausibly pled that defendants’ alleged failure to fully disclose its noncompliance was material to the government’s decision to enter into and pay on the relevant contracts.” Aerojet affirmatively argued that the court should dismiss the case because Aerojet disclosed its noncompliance to its government customers, several government agencies have continued to contract with Aerojet despite a government investigation into these claims, the government decided not to intervene in this action, and Aerojet’s noncompliance does not go to the central purpose of any of the contracts, which pertain to missile defense and rocket engine technology rather than cybersecurity. These defenses did not persuade the court. As a result, the court declined to dismiss the case at this stage, thereby allowing the relator to move forward with his claims against Aerojet.

Congress: Public Companies Need to Get Serious About Cybersecurity

As businesses of all sizes increase spending on cybersecurity – projected to top $124 billion this year – a bipartisan group of lawmakers in Congress wants public companies to go one step further: Install a cyber expert on their boards of directors.

The Cybersecurity Disclosure Act has been introduced several times in recent years, but now it’s gaining traction on Capitol Hill. The House Financial Services Committee approved an amended version of the bill on Dec. 10. Introduced by Rep. Jim Himes, D-Conn., the bill won committee approval on a party-line vote, with Democrats supporting it and all Republicans opposed.

The measure calls on the Securities and Exchange Commission (SEC) to issue rules requiring public companies to disclose in annual reports or proxy statements whether board members have cybersecurity “expertise.” If no board member has experience or expertise in cybersecurity, the bill would require the company to describe steps it took to recruit directors with an information technology security background and what other steps the company has taken to strengthen its cyber defenses.

The legislation leaves it up to the SEC and the National Institute of Standards and Technology to define cybersecurity expertise. If the bill were enacted, that rulemaking process to define cyber expertise would be subject to a public comment period.

Words Matter: Interpreting the CCPA’s Private-Right-of-Action Provision

Subject to certain exceptions, the California Consumer Privacy Act (CCPA) provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information ….” This provision raises many questions, including what constitutes “reasonable security procedures and practices” and how those “reasonable security procedures and practices” differ based on the information involved. But just as important, if not more important, is what the consumer must show to establish “access and exfiltration, theft, or disclosure.”

How these terms will be interpreted by the courts likely will dictate how cases filed under the CCPA will be litigated. For example, a similar California statute – the Confidentiality of Medical Information Act (CMIA) – requires that the plaintiff establish that his information was “released” before he is eligible to receive statutory damages. Initially, plaintiffs took the position that “released” meant any loss of control of information. But ultimately, California courts interpreted “released” to mean a breach of the confidential nature of the information, not just loss of possession of the information. This interpretation allowed defendants to successfully argue that even if information was, in fact, stolen, the plaintiff had still not alleged a viable cause of action under the CMIA because he could not establish that his information was actually viewed.

Struggles over similarly vague language in the CCPA will undoubtedly impact early CCPA litigation. As an initial matter, because “access” and “exfiltration, theft, or disclosure” are separated by an “and” in the CCPA, it is clear that a plaintiff must always demonstrate access. Additionally, because “exfiltration,” “theft” and “disclosure” are separated by an “or,” plaintiffs will argue that they need only show one of the three. If that is correct, a plaintiff bringing suit under the CCPA’s private-right-of-action provision must demonstrate two things: (1) access to and (2) exfiltration, theft or disclosure of his or her personal information.

The meanings of “access,” “exfiltration,” “theft” and “disclosure” under the CCPA will be hotly contested. The CCPA does not currently define any of these terms, so courts interpreting them might initially look to their ordinary or dictionary definitions. Merriam-Webster, for example, defines access, exfiltrate, theft and disclose as follows:

  • Access: to get at; to be able to use, enter, or get near (something); to open or load (a computer file, an Internet site, etc.).
  • Exfiltrate: to steal (sensitive data) from a computer (as with a flash drive).
  • Theft: the act of stealing; an unlawful taking (as by embezzlement or burglary) of property.
  • Disclose: to make known or public; to expose to view.

Although these definitions seem relatively straightforward, the fact that they overlap makes interpreting them more complicated. Generally, courts interpreting a statute operate under the assumption that the legislature purposefully included each word, and therefore they try to avoid interpreting a statute in a manner that makes certain words superfluous. For example, if a court were to utilize the definitions above, it arguably could read either “exfiltration” or “theft” out of the statute because they mean the same thing. The same is true with “access” and “disclose” because an argument could be made that “to get at” and “to make known” mean the same thing.

With no courts having yet interpreted the CCPA, how these terms will be interpreted by any individual judge in the first instance is anyone’s guess. But it is a near certainty that courts initially will differentiate the terms based on context.

For example, “exfiltrate” is a term that can be used in connection with electronic records, whereas “theft” can be used in connection with both paper records and equipment on which electronic records are stored. Thus, a court may find that the California legislature intended “exfiltrate” to apply to electronic records and “theft” to apply to everything else (i.e., paper records, computers or hard drives containing personal information). Such an interpretation could be one way to give a distinct meaning to each word, depending on the circumstances of the case.

When comparing “access” and “disclosure,” a court may look to the party doing the action. For example, the unauthorized party may be the party doing the “accessing” while the business does the “disclosing.” Under this one possible interpretation, a plaintiff claiming that a business “disclosed” his or her information would have to establish (1) that the business actively disclosed the information and (2) the unauthorized party was capable of viewing it.

This interpretation would also provide distinct definitions to “exfiltration,” “theft” and “disclosure.” For example, “exfiltration” could mean an unauthorized third party obtained electronic records under certain circumstances. “Theft” could mean an unauthorized third party obtained paper records (or equipment containing personal information). And “disclosure” could mean the business affirmatively provided the information to an unauthorized third party.

Again, how these terms will ultimately be interpreted by the courts based on the circumstances of each case is unknown. But the above interpretations provide a few possible ways that courts could interpret the private-right-of-action provision without reading out of the provision any of the words the California legislature included in it.

The only thing that is certain is that the language of the CCPA will be subject to significant litigation in the coming months and years, just like the language of other California laws, such as the CMIA.