In BIPA’s Wake, a Wave of New Biometric Privacy Proposals

Over the past year, a host of new national, state and local laws have been introduced to regulate the collection and use of biometric information. Although these proposals vary in their requirements, certain elements appear to be inspired in part by the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of significant litigation in recent years. Below we provide an overview of notable proposed legislation.

U.S. Federal Law

On March 14, 2019, Senators Brian Schatz (D-Hawaii) and Roy Blunt (R-Mo.) introduced the Commercial Facial Recognition Privacy Act. The act focuses on providing notice and obtaining affirmative consent whenever facial recognition technology is used to collect or process facial recognition data for certain purposes.

  • “Facial recognition data” is defined as “any unique attribute or feature of the face of an end user that is used by facial recognition technology to assign a unique, persistent identifier or for the unique personal identification of a specific individual.”
  • “Facial recognition technology” is defined as technology that “analyzes facial features in still or video images” and is used “to assign a unique, persistent identifier” or “for the unique personal identification of a specific individual.”


Bill to Expand CCPA Private Right of Action Moves Forward

We have previously written about California SB 561 here, introduced by Senator Jackson (D) and supported by the California Attorney General (AG), which among other things would vastly expand the CCPA’s private right of action and remove the right to cure before the AG can seek civil penalties. On April 9 the California Senate Judiciary Committee held a hearing on the bill, a recording of which is available here. The committee voted 6 to 2 to refer the bill to the Senate Appropriations Committee. Some members of the committee, including some who voted in favor of moving the bill forward, expressed concern about the scope of the private right of action, its impact on businesses and the ambiguity of the current text. Senator Jackson promised to work with stakeholders to explore potential refinement of the private right of action, so long as it preserved the ability of consumers whose CCPA privacy rights are violated (the current law restricts the private right of action to certain types of data security breaches) to seek meaningful redress without having to rely on the AG to enforce the CCPA. It was noted that the restriction of the private right of action was fundamental to the compromise that led to the bill; however, Senator Jackson and others rejected that as not relevant, or at least not binding. We had previously encouraged further limitation of the private right of action. It appears that quite the opposite may be on its way to fruition. We will continue to monitor its progress.

Deeper Dive: The Scourge of O365 Incidents

A Growing Menace

2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved unauthorized access to an online email account.

Phishing attacks continued to dominate the types of cyberattacks organizations experienced in 2018, owed, in no small part, to phishing’s low sophistication, easy replication and high profitability for the hackers. Attackers routinely defraud organizations with spoofing emails requesting phony wire transfers or switching the bank information for employees’ or vendors’ direct deposit accounts. Employees acting on fraudulent requests risk the loss of thousands, and in some cases millions, of dollars, not to mention the cost of forensic investigations, notifications to individuals and regulators, and reputational fallout.


Deeper Dive: GDPR a Game-Changer for Data Breach Notification

When the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, it dramatically changed the way multinationals manage the reporting of personal data breaches. It also substantially raised the stakes: Entities found to have violated the GDPR’s data security and breach reporting obligations could face much steeper regulatory fines than those available under U.S. laws.

Among the challenges facing companies responding to a personal data breach in the European Economic Area (EEA) are both the scope of what constitutes a notifiable breach and the tight time frame for providing notification. “Personal data” protected under the GDPR is defined much more broadly than “personally identifiable information” under U.S. laws, and under the GDPR an entity affected by a personal data breach must notify regulators within 72 hours of becoming aware of such a breach, unless it is “unlikely to result in a risk to the rights and freedoms of natural persons.” In addition, entities must notify affected individuals in the EEA where the breach is “likely to result in a high risk” to those rights and freedoms. Failure to implement appropriate data protection policies or to properly notify regulators or individuals is punishable by fines of up to 4% of a company’s global annual turnover.

Deter Workforce Snooping in Electronic Medical Records Through Education and Training

On March 6, 2019, the U.S. Department of Justice (DOJ) announced that Linda Sue Kalina pled guilty to wrongfully disclosing the protected health information (PHI) of another individual in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Kalina was a patient information coordinator with the University of Pittsburgh Medical Center (UPMC) and its affiliate, Tri Rivers Musculoskeletal Centers (TRMC). From March 7, 2016, through June 23, 2017, Kalina improperly accessed the health information of 111 UPMC patients who had never been provided services at TRMC. In her capacity as a patient information coordinator, Kalina was authorized to access patient information contained in UPMC’s electronic medical record system as necessary to provide services to patients. Among others, Kalina accessed and disclosed the health information involving two individuals who worked at Kalina’s former employer.

Additional California Bill, AB 25, Proposed to Further Amend the CCPA

On March 25, Assembly Member Chau introduced Assembly Bill 25 (AB 25), which proposes to amend a section of the California Consumer Privacy Act (CCPA), set to take effect on Jan. 1, 2020. This amendment would expressly exclude employees from the definition of a “consumer” under the CCPA.

As currently drafted, the CCPA governs the personal information (PI) of “consumers,” who are broadly defined as California residents. This would, in effect, provide California employees (if their employer is a covered business under the CCPA) a broad range of European-like rights when it comes to their PI. These rights would include the right to request that their employer provide them with a transportable copy of their PI, delete their PI, and provide them with specific information about the collecting and sharing practices for their PI (subject to certain exceptions).

AB 25 proposes to amend the CCPA by creating a carve-out from the definition of a consumer. AB 25 would clarify that the meaning of “consumer” under the CCPA does not include a “natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

Fifth Annual Data Security Incident Response Report Released – Managing Enterprise Risks in a Digital World

We are excited to release the fifth edition of our annual Data Security Incident Response Report. This year’s report provides metrics from the 750+ potential incidents our team led clients through in 2018, as well as “Take Action” segments that feature insights from our team on key response items. Because it is our Report’s fifth year, we included a special section that provides a five-year trend summary on core incident response metrics.

When we started, our goal in publishing the Report was to allow our clients to leverage the metrics and insights from our incident response experience to identify practical steps to reduce risk profiles, build cyber resilience, and facilitate incident response preparedness. Along the way, we learned that capturing and checking the data continuously throughout the year enabled us to spot emerging risks and trends faster, which we then convert into our “Cyber Response Intelligence” to improve our delivery of incident response services to our clients. A recent change in ransom demand amounts that occurred in the beginning of 2019 is an example of this intelligence – that change is covered in this Report.

Our 2019 Report continues to draw focus on the basic elements of incident response. For incident response, experience shows that focusing on the basics pays dividends. We leverage experience drawn from thousands of incidents to help entities identify and prioritize key areas to enable incremental improvement in their risk posture and incident response preparedness status.

We will host a webinar to provide more in-depth commentary on the metrics and insights from the Report on April 16 at 11:30 a.m. EDT.

For more in-depth analysis on key items in the report, watch for our “DSIR Deeper Dive” posts in the coming weeks.


The California Consumer Privacy Act: Frequently Asked Questions

The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect on January 1, 2020. In the wake of the CCPA’s passage, approximately 15 other states introduced their own CCPA-like privacy legislation, and similar proposals are being considered at the federal level.

Among the many differences between the CCPA and existing U.S. privacy legislation, the definition of personal information under the new law is very broad and includes data elements not previously considered personal information under any U.S. law. In addition, the CCPA introduces new privacy rights for Californians, such as the right to know what personal information a business has collected about them, details on how the business uses and discloses the data, and the right to request that the business delete that information.

Increased Scrutiny on Notice and Choice for Use of Ad Profiling, Especially Using Mobile Location Data

Are you an app publisher, or do you advertise via mobile apps or obtain marketing data that originates from them? If so, you need to be aware that regulators and consumer protection authorities are taking action against companies over the notice and choice, or lack thereof, they provide to consumers for the collection of their precise location data on mobile devices. The Digital Advertising Alliance (DAA) recently held a presentation (DAA Presentation) which highlighted what transparency and choice consumers should be provided in connection with the collection of such location data. Among the speakers was Jon Brescia, Director of Adjudications and Technology of the Advertising Self-Regulatory Council (ASRC) Online Interest-Based Advertising Accountability Program (OIBAAP), which enforces the DAA’s self-regulatory principles. For one, the DAA requires that consumers be provided enhanced notice of location awareness for advertising purposes during the process of downloading the mobile application (pre-install), at the time the application is opened, or at the time such data is collected, and in the application’s settings or any privacy policy. Based on conversations we have had with the OIBAAP, and suggestions made during the DAA Presentation, enhanced notice can be provided either in the precise location data permission box of the mobile application or in a pop-up that appears immediately before the permission box is displayed. This is consistent with the position taken by the Los Angeles city attorney in a lawsuit regarding a commercial mobile application discussed below. Companies should evaluate the adequacy of the notice and choice they are providing to consumers and supplement their practices where necessary to meet self-regulatory best practices and avoid becoming the subject of an enforcement action or a lawsuit.

Washington Privacy Act Clears Senate

On March 6, SB 5376, the Washington Privacy Act, passed the Washington Senate in an overwhelming 46-1 vote (with two members excused). Prior to its passage, the Senate adopted important revisions and clarifications that would provide important relief for businesses from some of the more onerous provisions of the legislation. As we reported in our blog post discussing the recently introduced legislation, the Washington Privacy Act anticipates that businesses will accord consumers certain GDPR-style rights and conduct risk assessments to weigh the potential privacy and security implications of data-processing activities. The revised legislation places important limitations and clarifications on the envisioned requirements of both consumer rights and risk assessments. In short, data processed for “business purposes” will be exempt from deletion, and such processing activities are presumptively permissible. Importantly, the legislation as amended still does not permit a private right of action, and still requires the attorney general to provide notice of alleged noncompliance and give businesses an opportunity to cure before bringing an enforcement action.