If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017. 

New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…..), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.

Within recent years, retailers have commonly started a practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).

Under PIPPA, retailers will only be permitted to scan ID cards to:

  • Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
  • Verify the customer’s age when providing age-restricted goods or services to the customer.
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
  • Establish or maintain a contractual relationship.
  • Record, retain, or transmit information as required by state or federal law.
  • Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
  • Record, retain, or transmit information by a covered entity under HIPAA and related regulations.

PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers. It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA. In-store notice of any such practices will likely be required.

The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes. Under PIPPA, businesses cannot retain information related to how the customer paid for the goods or whether the customer returned an item or requested a refund, and cannot store ages. Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number. Any of this information collected from scanned ID cards is required to be “securely stored,” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.

And there are penalties. PIPPA provides civil penalties of $2,500 for a first offense and $5,000 for any subsequent offense. Further, the law allows “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.


State legislatures are not waiting for Congressional action on a national data breach notification standard.

Montana — Montana has amended its 10-year-old breach notification law (see Mintz Matrix) to expand the definition of “personal information” and require notice to the state attorney general’s consumer protection office. H.B. 74, signed into law by Governor Bullock, adds medical record information and the “identity protection personal identification number” issued by the Internal Revenue Service to the definition of “personal information.” The amended statute takes effect October 1.

New Jersey — Governor Christie recently signed legislation into law requiring health insurance companies in that state to encrypt personal information of policyholders. All health insurance carriers that compile computer records that contain personal information must protect those records through encryption or “by any other method or technology rendering it unreadable, undecipherable, or otherwise unusable by an unauthorized person.” In November 2013, two laptops with unencrypted information about 840,000 policyholders were stolen from an office at Horizon Blue Cross Blue Shield of New Jersey in Newark. The Barnabas Health Medical Group’s Pediatric branch in Livingston and the Inspira Medical Center in Vineland also had breaches in 2013, according to a NJ Advance Media report in September.

Connecticut — In the aftermath of the massive Anthem data breach, legislation has been introduced in the Connecticut General Assembly requiring a wide swath of insurance businesses to implement data security technology that encrypts personal information of insureds. The covered entities include health insurers, healthcare centers (similar to an HMO under Connecticut’s insurance laws), “other entities licensed to do health insurance business in Connecticut,” pharmacy benefits managers, third-party administrators that administer health benefits, and utilization review companies. The requirement is similar to that of New Jersey’s new law, except that the bill requires entities subject to the law to update their technology as necessary to ensure compliance. Anthem is one of Connecticut’s largest health insurers, and reportedly that breach impacted more than 1 million people in the state. See “Act Concerning the Security of Consumer Data”.

Washington — The Washington House of Representatives has unanimously passed a bill (H.B. 1078) that would make the failure to notify consumers of a breach in the security of their personal information, as required by the state’s data breach notification law (again, see the Mintz Matrix), a violation of the state’s Consumer Protection Act. The measure would require notification to consumers — and the state’s AG — as quickly as possible and no later than 45 days after discovery of a breach of personal information such as a person’s name in combination with a Social Security number, driver’s license number, or payment card number and payment card access code or password. Under the bill, the attorney general could bring an action on behalf of the state or consumers living in Washington.

New Mexico — New Mexico is only one of three holdouts from the state data breach notification crazy quilt (again, see the Mintz Matrix), but HB 217, the Data Breach Notification Act, is working its way through the state legislature. The bill only applies to computerized data and uses an “acquisition” trigger for breach notification. “Personal information” under HB 217 is defined as the “usual suspects” and does not include username/password or other login credentials. The bill requires “reasonable security” and includes disposal provisions that apply to paper records as well as electronic. Similar legislation failed in the 2014 session of the legislature, thus it remains to be seen whether New Mexico will join the Mintz Matrix this year.


Good Monday – The East Coast prepares for Apocalypse (Sn)ow.

In the meantime, here are three privacy-related tidbits for your day.

Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data

We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data. Just ask Target. Last week, the Associated Press revealed that the healthcare insurance exchange, HealthCare.gov, was connecting with third party analytics sites and others and operating much like any commercial website — except that it is not. The AP reported over the weekend that the Obama Administration has “reversed itself” and scaled back the release of (or access to) consumer data — including anonymized data. According to the AP’s Saturday follow-up, an analysis of the Federal exchange showed that the number of third party companies with connections embedded in the site, thus giving them access to consumer data, “dropped from 50 to 30.”

Read more:

The Hill — The Centers for Medicare and Medicaid Services will encrypt additional data when customers use the Window Shopping feature on HealthCare.gov.

New York Times — Is the data usage “industry standard” and much ado about SOP?

CNN Money


Continue Reading Privacy Monday – January 26, 2015

Written by Amy Malone

Digital marketing company PulsePoint entered into a Consent Order with the New Jersey Attorney General and agreed to pay $1 million, following an investigation of claims that PulsePoint bypassed privacy settings of Apple’s Safari browser to allow tracking of consumer activity.

Last year, Google settled similar claims with the Federal Trade Commission for $22.5 million (see our blog post here). The allegations against PulsePoint mirror those that the FTC brought against the search engine giant: the NJ AG’s complaint alleged that PulsePoint placed cookies on Apple Safari web browsers without the knowledge or consent of New Jersey consumers. PulsePoint allegedly did this by bypassing privacy settings that were chosen by Safari users. The Safari settings allow users to select between “always” accepting cookies, “never” accepting cookies, or accepting cookies only from “sites I visit – block cookies from third parties and advertisers.”

According to the complaint, PulsePoint circumvented the user settings by using a form that made the Safari browser act as if the user had clicked on the advertisement, when in fact the user had not. Once the form was sent, the Safari browser allowed PulsePoint to set its cookies on the browser, even when the user had opted to block cookies.

This activity occurred between June 2009 and February 2012, and in the press release the state claims that PulsePoint may have placed up to 215 million targeted ads on the browsers of New Jersey consumers.

The $1 million settlement includes (1) a civil penalty of $556,196.96, (2) reimbursement of the state’s attorneys’ fees in the amount of $32,048.00, (3) reimbursement of the state’s investigative costs in the amount of $1,755.04, (4) a payment of $150,000.00 to be used in the state’s discretion for the promotion of consumer privacy programs and (5) a payment of $250,000.00 to be used by the state for in-kind advertising services.

PulsePoint also agreed to, among other things, implement numerous privacy controls and procedures to protect the privacy and confidentiality of consumer information. PulsePoint agreed not to override or change a consumer’s browser settings without her affirmative consent. And PulsePoint must provide information on its website explaining what information it collects and how it uses that information.

The future may be a difficult one for PulsePoint as more attorneys general may engage in their own investigations.

The decision we blogged about in this space last week is creating quite a bit of buzz in both privacy and employment law circles. My employment law colleagues in our New York office have authored an analysis of the decision here: Employment Alert: New Jersey Supreme Court Finds Privacy Rights in Employee E-Mails

And, the International Association of Privacy Professionals’ Daily Dashboard quoted my partner, Jen Rubin:

PRIVACY LAW — U.S.
Employee E-mail Decision Spurs More Questions
Last week’s New Jersey Supreme Court decision that employees should have an expectation of privacy when they use personal e-mail accounts on corporate computers is raising new questions, NetworkWorld reports. The court’s decision specified that when it comes to monitoring employees’ actions online, “employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.” Jen Rubin, attorney at Mintz Levin in New York, says the decision brings up new questions about employer ownership of e-mail created on company-issued computers and is likely to have businesses taking much closer looks at their e-mail policies. Full Story

This is an important decision with wide-reaching implications. If you are an employer and you have not looked at your “Acceptable Use Policy” or other such electronic systems policy in a while (or worse, if you don’t have one at all…..), this case should motivate you to pull it out and look again.

In a precedent-setting decision, the New Jersey Supreme Court today ruled that a company should not have read e-mails a former employee sent to her lawyer from a private Web account through her employer’s computer (See November 5, 2009 Privacy and Security Information blog post). According to the Star-Ledger, the court, which determined the company’s policy regarding e-mail use was vague, upheld the sanctity of attorney-client privilege in electronic communications.

Given the importance of this decision to both privacy issues and employer/employee workplace issues, we will provide a complete analysis.