Cybersecurity Implications in Government Contracting Top 2019 End-of-Year Considerations

Barron Avery, leader of BakerHostetler’s national Government Contracts team, was quoted in a Law360 article titled “Top 5 Gov’t Contract Cases of 2019.” Avery’s comments come as a sure reminder for contractors that failing to adhere to cybersecurity requirements can have serious and dire consequences to contractors themselves.

In May 2019, the U.S. District Court for the Eastern District of California held that an alleged failure to meet cybersecurity regulations can form the basis for a False Claims Act suit. This is the first such holding of its kind. The suit involved a relator who claimed rocket and missile propulsion manufacturer Aerojet Rocketdyne (Aerojet) misled the U.S. Department of Defense about Aerojet’s failure to safeguard “unclassified controlled technical information” from cybersecurity threats. In particular, the relator claimed Aerojet misrepresented and only partially disclosed to the U.S. government the extent to which Aerojet was noncompliant with cybersecurity regulations. Based on these claims, the court held the “relator has plausibly pled that defendants’ alleged failure to fully disclose its noncompliance was material to the government’s decision to enter into and pay on the relevant contracts.” Aerojet affirmatively argued that the court should dismiss the case because Aerojet disclosed its noncompliance to its government customers, several government agencies have continued to contract with Aerojet despite a government investigation into these claims, the government decided not to intervene in this action, and Aerojet’s noncompliance does not go to the central purpose of any of the contracts, which pertain to missile defense and rocket engine technology rather than cybersecurity. These defenses did not persuade the court. As a result, the court declined to dismiss the case at this stage, thereby allowing the relator to move forward with his claims against Aerojet. Continue Reading

Congress: Public Companies Need to Get Serious About Cybersecurity

Businessman pressing a security concept button.As businesses of all sizes increase spending on cybersecurity – projected to top $124 billion this year – a bipartisan group of lawmakers in Congress wants public companies to go one step further: Install a cyber expert on their boards of directors.

The Cybersecurity Disclosure Act has been introduced several times in recent years, but now it’s gaining traction on Capitol Hill. The House Financial Services Committee approved an amended version of the bill on Dec. 10. Introduced by Rep. Jim Himes, D-Conn., the bill won committee approval on a party-line vote, with Democrats supporting it and all Republicans opposed.

The measure calls on the Securities and Exchange Commission (SEC) to issue rules requiring public companies to disclose in annual reports or proxy statements whether board members have cybersecurity “expertise.” If no board member has experience or expertise in cybersecurity, the bill would require the company to describe steps it took to recruit directors with an information technology security background and what other steps the company has taken to strengthen its cyber defenses.

The legislation leaves it up to the SEC and the National Institute of Standards and Technology to define cybersecurity expertise. If the bill were enacted, that rulemaking process to define cyber expertise would be subject to a public comment period. Continue Reading

Words Matter: Interpreting the CCPA’s Private-Right-of-Action Provision

Subject to certain exceptions, the California Consumer Privacy Act (CCPA) provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information ….” This provision raises many questions, including what constitutes “reasonable security procedures and practices” and how those “reasonable security procedures and practices” differ based on the information involved. But just as important, if not more important, is what the consumer must show to establish “access and exfiltration, theft, or disclosure.”

How these terms will be interpreted by the courts likely will dictate how cases filed under the CCPA will be litigated. For example, a similar California statute – the Confidentiality of Medical Information Act (CMIA) – requires that the plaintiff establish that his information was “released” before he is eligible to receive statutory damages. Initially, plaintiffs took the position that “released” meant any loss of control of information. But ultimately, California courts interpreted “released” to mean a breach of the confidential nature of the information, not just loss of possession of the information. This interpretation allowed defendants to successfully argue that even if information was, in fact, stolen, the plaintiff had still not alleged a viable cause of action under the CMIA because he could not establish that his information was actually viewed.

Struggles over similarly vague language in the CCPA will undoubtedly impact early CCPA litigation. As an initial matter, because “access” and “exfiltration, theft, or disclosure” are separated by an “and” in the CCPA, it is clear that a plaintiff must always demonstrate access. Additionally, because “exfiltration,” “theft” and “disclosure” are separated by an “or,” plaintiffs will argue that they need only show one of the three. If that is correct, a plaintiff bringing suit under the CCPA’s private-right-of-action provision must demonstrate two things: (1) access to and (2) exfiltration, theft or disclosure of his or her personal information.

The meanings of “access,” “exfiltration,” “theft” and “disclosure” under the CCPA will be hotly contested. The CCPA does not currently define any of these terms, so courts interpreting them might initially look to their ordinary or dictionary definitions. Merriam-Webster, for example, defines access, exfiltrate, theft and disclose as follows:

  • Access: to get at; to be able to use, enter, or get near (something); to open or load (a computer file, an Internet site, etc.).
  • Exfiltrate: to steal (sensitive data) from a computer (as with a flash drive).
  • Theft: the act of stealing; an unlawful taking (as by embezzlement or burglary) of property.
  • Disclose: to make known or public; to expose to view.

Although these definitions seem relatively straightforward, the fact that they overlap makes interpreting them more complicated. Generally, courts interpreting a statute operate under the assumption that the legislature purposefully included each word, and therefore they try to avoid interpreting a statute in a manner that makes certain words superfluous. For example, if a court were to utilize the definitions above, it arguably could read either “exfiltration” or “theft” out of the statute because they mean the same thing. The same is true with “access” and “disclose” because an argument could be made that “to get at” and “to make known” mean the same thing.

With no courts having yet interpreted the CCPA, how these terms will be interpreted by any individual judge in the first instance is anyone’s guess. But it is a near certainty that courts initially will differentiate the terms based on context.

For example, “exfiltrate” is a term that can be used in connection with electronic records, whereas “theft” can be used in connection with both paper records and equipment on which electronic records are stored. Thus, a court may find that the California legislature intended “exfiltrate” to apply to electronic records and “theft” to apply to everything else (i.e., paper records, computers or hard drives containing personal information). Such an interpretation could be one way to give a distinct meaning to each word, depending on the circumstances of the case.

When comparing “access” and “disclosure,” a court may look to the party doing the action. For example, the unauthorized party may be the party doing the “accessing” while the business does the “disclosing.” Under this one possible interpretation, a plaintiff claiming that a business “disclosed” his or her information would have to establish (1) that the business actively disclosed the information and (2) the unauthorized party was capable of viewing it.

This interpretation would also provide distinct definitions to “exfiltration,” “theft” and “disclosure.” For example, “exfiltration” could mean an unauthorized third party obtained electronic records under certain circumstances. “Theft” could mean an unauthorized third party obtained paper records (or equipment containing personal information). And “disclosure” could mean the business affirmatively provided the information to an unauthorized third party.

Again, how these terms will ultimately be interpreted by the courts based on the circumstances of each case is unknown. But the above interpretations provide a few possible ways that courts could interpret the private-right-of action provision without reading out of the provision any of the words the California legislature included in it.

The only thing that is certain is that the language of the CCPA will be subject to significant litigation in the coming months and years, just like the language of other California laws, such as the CMIA.

CCPA Notice Requirements for Statutory Damages

Beginning on Jan. 1, 2020, companies that collect personal information of California residents need to be prepared to prevent and defend against potentially catastrophic litigation if such personal information becomes compromised. Specifically, under the California Consumer Protection Act (CCPA), any California consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than $100 and not greater than $750 per consumer per incident or for actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

Cal. Civ. Code 1798.150(a)(1). When some security incidents involve the disclosure of personal information of millions of individuals, the potential statutory damages in class litigation can be catastrophic. Continue Reading

BakerHostetler Comments on Draft CCPA Regulations

The California attorney general (the AG) has concluded the first round of public comments on the proposed regulations that would serve to interpret and implement California’s sweeping new privacy law, the California Consumer Privacy Act (the CCPA).

After just under two months since the release of the proposed regulations (the Regs) by the AG and a series of four public hearings across the state in the past week, the final deadline to submit written comments in response to the Regs came and went on Friday, Dec. 6. Now that the first public comment period has ended, there will be revisions to the Regs followed by another wait period, which can be either 15 or 45 days, depending on the extent of changes in response to the first public comment period. In effect, this means that the Regs are subject to further changes, even post-Jan. 1, 2020.

This public comment period provided interested parties with the opportunity to submit written comments regarding the proposed CCPA Regs (set forth at §§ 999.300-999.341 of Title 11, Division 1, Chapter 20 of the California Code of Regulations). While many of our clients sought to convey their comments through their respective trade organizations, more than a dozen other clients asked us to supplement those efforts with a set of aggregate comments, which we filed and which are available here. A summary of our comments is below. Continue Reading

Record-Keeping and Training Requirements in the Proposed Regulations for the CCPA

The California Consumer Privacy Act (CCPA), California Civil Code §1798.100 and following, does not in itself outline specific training and record-keeping requirements that demonstrate business compliance with consumer requests. However, in October 2019, the California attorney general proposed additional CCPA Regulations intended to guide the application of the CCPA, and Section 999.317 of the proposed Regulations aims to detail what additional behaviors (such as training) and records are required under the CCPA for consumer requests.

Specifically, the proposed Regulations require that people who handle inquiries related to a business’s privacy practice or CCPA compliance be trained in all aspects of the CCPA, including the proposed Regulations. This expands a lesser requirement in the CCPA that originally required these individuals to understand only certain applicable portions of the CCPA. The proposed Regulations also require training that includes explanations to consumers of how they can exercise their CCPA rights (which would in turn incorporate the rights in the proposed Regulations). To accomplish this, businesses would therefore be required to develop, document and comply with a CCPA training policy. Continue Reading

Refine CCPA Compliance Plan with the Regulations in Mind

We previously announced the publication of the first set of proposed regulations that will implement the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. Partner Alan Friel has authored an article published by OneTrust DataGuidance that details how the proposed regulations – and a half dozen amendments to the CCPA that recently became law – impact CCPA compliance. A copy of the article is available here. The proposed regulations are available here and an initial statement of reasons that explain the thinking behind the proposed regulations is available here.

The attorney general is currently taking written comments on the proposed regulations until December 6. BakerHostetler is preparing comments to file for specific clients, as well as a set of aggregate comments that reflect our clients’ concerns more generally. If you would like to contribute comments or would like assistance in crafting custom comments, contact the author.

 

Children’s Privacy Law Updates: Tricks or Treats?

It’s finally here! Halloween, the day every kid dreams of for months. It’s a scary time in the world of children’s privacy law – what with the California Consumer Privacy Act (CCPA) lurking around the corner and the specter of FTC enforcement still lingering in the air. But this year, you’ve planned. You know exactly which houses offer full-size candy bars and where to go to avoid neighborhood bullies.

You approach the first house: old man COPPA. Many of the other kids are afraid of Mr. COPPA, but you know better. With updates on the horizon, there’s never been a better time to visit.

The FTC’s Workshop on the Future of COPPA

On October 7, the Federal Trade Commission (FTC) hosted a workshop to discuss updates to the regulations promulgated under the Children’s Online Privacy Protection Act (COPPA). Broadly speaking, the FTC’s COPPA Rule requires that web services, including mobile apps, provide notice and obtain parental consent to collect, use, or disclose personal information from children under age 13. Continue Reading

IAB Releases Draft CCPA Compliance Framework for Digital Advertising Industry

The Interactive Advertising Bureau (IAB) publicly released its draft CCPA Compliance Framework for Publishers and Technology Companies (“Framework”) on Oct. 22, 2019. As we reported here, the Framework is being developed by the IAB and the IAB Tech Lab to address the challenges of the CCPA’s Do Not Sell obligation as it relates to interest-based advertising and related activities.

Along with the draft Framework, the IAB Tech Lab released the Framework’s technical specifications, which are to be used by an organization’s product and engineering teams to technically implement and operationalize the Framework.

The IAB will be accepting public comments on the Framework through Nov. 5, 2019. If you would like more information on the Framework, what it means for your organization or how to file comments, contact the author at kfath@bakerlaw.com.

A Balancing Act: A Brief Overview of California Privacy Laws

The California Consumer Privacy Act (“CCPA”) takes effect on January 1, 2020. The CCPA aims to provide consumers with an unprecedented array of rights concerning the control of their personal information and, correspondingly, imposes an unprecedented array of obligations upon businesses concerning consumers’ personal information.

These obligations are not without limitation, however; the CCPA strives to balance the privacy rights it confers onto consumers and the corresponding obligations these rights impose upon businesses. For instance, the CCPA requires businesses that collect a consumer’s personal information to — at or before the point of collection — inform consumers of the categories of personal information to be collected and the purposes for which the categories shall be used. [Cal. Civ. Code § 1798.100(b)]. A business, however, need not disclose the categories and specific pieces of personal information it has collected unless and until a consumer makes a verifiable request for that information. [Cal. Civ. Code § 1798.100(a)].

Similarly, the CCPA empowers consumers to direct businesses not to sell their personal information to third parties. [Cal. Civ. Code § 1798.120]. While businesses must not discriminate against consumers for exercising this right, businesses may charge consumers that do exercise it differently, if that difference reasonably relates to the value provided by those consumers’ data. [Cal. Civ. Code § 1798.125(a)(2)]. Businesses may also offer financial incentives, including payments to consumers as compensation for the collection of personal information, if the consumer provides prior opt-in consent to allow his or her information to be sold to third parties. [Cal. Civ. Code § 1798.125(b)(3)]. Continue Reading

LexBlog