As we near the end of a year that has seen more than its share of massive data breaches, two bills have been introduced (one re-introduced) in the U.S. Senate. Continue Reading Two Data Breach Bills Introduced in US Senate
Recently proposed legislation in Ohio could provide businesses with special protection from lawsuits in the event of a hack under certain circumstances. Senate Bill 220 would shelter businesses that have been proactive in instituting defenses to guard against data breaches. The idea is to encourage firms to voluntarily enact privacy protections by promising them the ability to later claim an affirmative defense in court should a hack still occur.
Other states already require businesses to meet specific standards with regard to providing cyber security protections and preventing data breaches. In New York, businesses licensed by the Department of Financial Services (DFS) must meet compliance standards in accordance with DFS cybersecurity regulations. These standards require licensees to have a written cybersecurity program in place, maintain a cybersecurity policy that covers 14 regulation-specific areas, designate a qualified employee as a Chief Information Security Officer, and implement an incident response plan, among additional imperatives. Similarly, states differ with regard to their requirements of businesses in providing data breach notices. For example, in Massachusetts, notices must be provided to the affected resident, the Attorney General’s office, and to the Office of Consumer Affairs and Business Regulation (OCABR).
Ohio’s Senate Bill 220 is interesting in that it does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach. Businesses will be tasked with instituting their own cybersecurity programs using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology. The legislation provides for an evolving standard, which means lawmakers won’t have to continually revisit the issue to update a minimum set of standards. Whether or not a business qualifies for the safe harbor provision will be up to a judge to determine if such business has met its burden. Ultimately, the key takeaway is that this new legislation will provide for compliance as an affirmative defense for businesses facing a lawsuit as a result of a data breach.
The Mintz Levin team will continue to monitor this pending legislation and update our readers as it develops.
The clock is ticking down to May 25, 2018 , the date that the European Union’s General Data Protection Regulation (GDPR) goes into effect. The GDPR is likely to be a game-changer for US companies doing business with the European Union, and many are racing against the clock to figure out exactly what their compliance obligations are.
We are presenting an in-person seminar in three cities to help make sure your company is on the right course to GDPR compliance.
Join us in either Boston, New York or Washington, DC for a look at GDPR Essentials and GDPR Hot Topics. Register here.
Mintz Levin is an approved CLE provider and this seminar is accredited in California and New York. We are also approved by the International Association of Privacy Professionals for IAPP CPE credit.
If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017.
New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…..), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.
Within recent years, retailers have commonly started a practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).
Under PIPPA, retailers will only be permitted to scan ID cards to:
- Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
- Verify the customer’s age when providing age-restricted goods or services to the customer.
- Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
- Establish or maintain a contractual relationship.
- Record, retain, or transmit information as required by state or federal law.
- Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
- Record, retain, or transmit information by a covered entity under HIPAA and related regulations.
PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers. It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA. In-store notice of any such practices will likely be required.
The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes. Under PIPPA businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages. Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number. Any of this information collected from scanned ID cards Is required to be “securely stored” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.
And there are penalties. PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offices. Further the law allows for “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.
As our readers know we maintain a summary of U.S. state data breach notification laws, which we refer to as the “Mintz Matrix.” Our latest update is available here, and it should be part of your incident response “toolbox” and part of your planning.
During 2016, amendments to breach notification laws in five states went into effect (California, Nebraska, Oregon, Rhode Island and Tennessee). And by the end of last year, well over twenty states had introduced or were considering new regulations or amendments to their existing security breach laws. We expect there to continue to be significant regulatory activity in the data security space during 2017. As always, we will keep you abreast of changes and will release updated versions of our Mintz Matrix to keep pace with developments in the states.
We are keeping an eye out for signs of support for a national breach notification law. So far, there does not appear to be much political motivation for undertaking this effort. A key sticking point is anxiety among a number of states that a federal law would offer less protection than their existing state law. This is a valid concern since a national standard will only alleviate the significant burden of complying with the present patchwork of state laws if it has broad pre-emptive effect. Only time will tell if state and federal lawmakers can work together to develop a comprehensive nationwide regime for security breach notification and remediation.
In the meantime, we must keep tabs on the forty-seven states (along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands) with their own security breach laws. Here is what’s been happening since our previous update in the Fall:
California amended its security breach law in order to require disclosure to affected residents (and to the Attorney General if more than 500 Californians are affected) when encrypted personal data is acquired by an unauthorized person together with an encryption key or security credential that could render the personal data readable or useable.
We note also that former Congressman Xavier Becerra recently took over as Attorney General in California, replacing Kamala Harris who aggressively pursued regulation in the privacy arena during her tenure as AG and who now serves California as one of its U.S. Senators. Given this change in leadership, it will be interesting to see if the state continues to be a leader in pushing for stringent data security and privacy measures at the state and federal level.
Last summer Illinois passed an amendment to its Personal Information Protection Act (“PIPA”) that significantly broadened protections for personal information and the obligations imposed on businesses that handle such data. The amendment became effective on January 1, 2017 and made several key changes to PIPA:
- Definition of Personal Information. PIPA’s definition of “personal information” has now been expanded to include medical information, health insurance information, and unique biometric data used for authentication purposes (examples cited in the statute are a fingerprint, retina or iris image, or unique physical representations or digital representations of biometric data). The amended definition also encompasses a user name or email address in combination with a password or security question and answer that would permit access to an online account when either the user name or email address, or password or security question and answer, are not encrypted or redacted.
- Encryption Safe Harbor. While PIPA already provided a safe harbor for data collectors if data disclosed due to a security breach was fully encrypted or redacted, the amendment clarified that the safe harbor does not apply if the keys to unencrypt or unredact or otherwise read compromised encrypted or redacted data have also been acquired in connection with the security breach.
- Nature of Notification. For security breaches involving a user name or email address in combination with a password or security question and answer, data collectors may now provide notice in electronic or other form to affected Illinois residents. Such notice must direct individuals to promptly change their user name or password and security question and answer, or to take other appropriate steps to protect all online accounts for which the affected resident uses the same user name or email address/password or security question and answer. The amended statute also provides an additional option for substitute notice when residents affected by a security breach are confined to one geographic area.
- New Exemptions. The amendment added an exemption for data collectors who meet their obligations under applicable provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). Any data collector that provides notice of a security breach to the Secretary of Health and Human Services pursuant to its obligations under HITECH must also provide this notification to the Illinois Attorney General within five business days of notifying the Secretary. This exemption will primarily apply to certain entities operating in the healthcare space. The amended statute also deems financial institutions subject to applicable provisions of the Gramm-Leach-Bliley Act in compliance with PIPA’s data security requirements.
- Security Requirements. Beyond addressing breach notification, the amendment requires covered entities to implement and maintain reasonable security measures to protect records containing personal information of Illinois residents and to impose similar requirements on recipient parties when disclosing such personal information pursuant to a contract. The amended statute also requires state agencies to report security breaches affecting more than 250 Illinois residents to the Illinois Attorney General.
For those information junkies out there! The Office of Consumer Affairs and Business Regulation (the “OCABR”) in Massachusetts has created a public web-based archive of data breaches reported to the OCABR and the Massachusetts Attorney General since 2007. The data breach notification archive is available at www.mass.gov/ocabr and includes information about which entity was breached, how many Massachusetts residents were affected, if the breach was electronic or involved paper, and the nature of remediation services offered to affected residents.
It is always a good time to review your incident response plan and data privacy policies to bring everything in line with changes happening on the state level.
And now for the disclaimer: The Mintz Matrix is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of the Mintz Levin privacy team or other experienced legal counsel when reviewing options and obligations in responding to a particular data security breach.
Make sure to get your February 2017 Mintz Matrix! Available here for downloading and always linked through the blog’s right-hand navigation bar.
Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later. The hotel chain paid a penalty to the State of New York for its handling of that incident. The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy
Sophisticated phishing scams and muscular hacking efforts continue to compromise personal and sensitive information held by insurers, hospital systems, and businesses large and small. In response, many states have strengthened their data breach notification and have enacted data security laws to enhance data protection obligations imposed on data collectors and to ensure that residents and state regulators receive prompt and adequate notice of security breaches when they do occur. By mid-summer, a range of new measures will be going into effect in Nebraska, Nevada, Rhode Island and Tennessee. Be sure to review the latest edition of the Mintz Matrix for these new measures. Continue Reading Illinois Joins the Fray: Strengthens its Laws Around Data Breach Notification and Data Security
In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly. On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.
As we previously wrote, California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA. As early as 2012, its office began sending notices of non-compliance to mobile application developers. When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA. Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case. Continue Reading Delta Wins CalOPPA Case – But Your Mobile App May Not Fly
Last week, we discussed the Federal government’s first steps toward implementing the Cybersecurity Information Sharing Act (CISA). Among the guidance documents released by the Department of Homeland Security and the Department of Justice were the Privacy and Civil Liberties Interim Guidelines. This guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.
FIPPs form the core of many federal and state privacy laws as well as the basis for privacy best practices across numerous industries and government agencies. This guidance applies them to federal agency collection of cyber threat indicators as described below. In practice, the government intends that application of some FIPPs to cyber threat indicators shared via the Department of Homeland Security’s Automated Indicator Sharing (AIS) tool, which we referenced here, will be effectuated via capabilities embedded within the AIS mechanism. Continue Reading CISA Guidelines: Privacy and Civil Liberties Interim Guidelines for Federal Agencies
This week, the Federal government took the first steps toward implementation of the The Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act. The DHS Federal Register notice was published this morning here.
As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information. Continue Reading Cyber Threat Information Sharing Guidelines Released by DHS