Fall 2018 Data Privacy Update

Client Alerts · October 26, 2018

With new information breaking almost daily on cybersecurity, data hacks, and new laws, Prince Lobel provides you with an update on the latest in Data Privacy and Security news.

California Consumer Protection Act: You may have heard that California shook up the privacy landscape with its new law this summer. Here are two highlights regarding California’s Consumer Protection Act (CCPA):

  • CCPA departs from previous data breach statutes by introducing a duty of care.  Data breaches are only actionable if the business has violated “reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a)(1). Read this article by Bloomberg for more information.
  • In addition, CCPA state’s consumers are entitled to statutory damages regardless of actual damage by a data breach. Experts believe this will likely decide what constitutes an actual actionable injury when a data breach has occurred, but no known actual fraud or financial injury has yet been suffered.
The Federal Trade Commission:
  • The Federal Trade Commission (FTC) has stated it will hold a series of public hearings to examine whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement priorities of the Commission. “Privacy, Big Data, and Competition” and “Algorithms, AI, and Predictive Analytics” will be discussed in early November. See the link above for more information.
Europe’s General Data Protection Regulation Updates:
  • In late September, Facebook disclosed that it discovered a security bug that allowed cyber attackers access to the personal information from about 29 million accounts. Ireland’s Data Protection Commissioner is now investigating this and may very well set some more concrete guidelines for compliance with Europe’s General Data Protection Regulation (GDPR).
  • The EU Court of Human Rights found a violation of Article 8 (right to respect for private life) and Article 10 (freedom of the press) of the GDPR in Big Brother Watch and Others v. the United Kingdom. The complaint concerned three surveillance tactics used by the U.K. government: 1) bulk interception of communications, 2) intelligence-sharing with foreign governments and 3) acquisition of communications data from communications service providers.
  • Reported by the International Association of Privacy Professionals (IAPP), Austria announces the first GDPR fine against a retail establishment with an interior surveillance camera capturing a sidewalk. This resulted in a fine of 4,800€ for monitoring a public space without proper transparency and notice.
  • Right-to-be-Forgotten: The Court of Justice of the European Union heard arguments on the right-to-be-forgotten case between Google and French regulators, which might impact free-speech over the internet. Its decision is expected in 2019.
  • Facebook: The EU Commissioner for Justice warned Facebook to change its “misleading terms of service” by the end of the year, or she will call on consumer-protection authorities in EU countries to impose sanctions. She says Facebook’s Terms of Service do not sufficiently explain the ways in which the tech company monetizes users’ data.
  • Equifax: The U.K. Information Commissioner’s Office fined Equifax 500,000 £ for violating the Data Protection Act (1998) after they discovered 15 million unique records belonging to British citizens were affected in the breach.  If the same violations were analyzed under the GDPR, which became active only a few months later, fines could have been up to 17 million £ or 4% of global turnover. Businesses with a presence in the U.K. should keep this difference in mind for future data breaches that may require GDPR enforcement.
U.S. News:
  • The Ohio Data Protection Act (SB220) will go into effect on November 2, 2018, focusing on cybersecurity threats.  This bill is unique in that it offers a breach litigation safe harbor to covered entities that meet the law’s cybersecurity standards.
  • A bill introduced in the New York Assembly (Bill 11332) would prohibit the state from creating any database containing aggregate surveillance data including automated license plate recognition and audio, video, and facial recognition records; and it would bar state agencies and departments, as well as contractors engaged in business with the state, from using any database as a repository of, a storage system for, or a means of sharing facial recognition functionality. In effect, Bill 11332 would prohibit the creation of any comprehensive database storing surveillance data.
  •  The Trump Administration releases its National Cyber Strategy to 1) protect government networks, 2) protect critical infrastructure, 3) develop a cyber group, and 4) combat malicious cyberattacks from foreign actors. The Trump Administration will work to expand the U.S. Department of Homeland Security’s oversight of federal civilian networks and place an emphasis on sharing more threat data with telecoms. For more information, view this article.
  • Pennsylvania will start imposing criminal penalties on those who use drones to spy.
  • The U.S. House Financial Services Committee introduced the Consumer Information Notification Requirement Act, requiring financial institutions to alert consumers when their information is compromised in a data breach. The bill will need to pass the House to proceed forward.
U.S. Data Breaches:
  • On November 1, 2018, the new amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will go into effect. This sets ground rules for how businesses must handle personal information in the course of commercial activity when there is a data breach that may be a “real risk of significant harm.” One of the primary changes introduced by PIPEDA is to report the incident to the Office of the Privacy Commissioner and any affected persons.
  • Anthem agreed to pay $16 million to the U.S. Department of Health and Human Services after largest U.S. health data breach in history that violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. As a result of the data breach in January of 2015, the electronic protected health information of almost 79 million people were exposed.
  • The Pentagon announced it has been hit by a data breach potentially impacting 30,000 employees. Personal data and credit card information of U.S. military and civilian personnel has been compromised due to a cyberattack.
  • The Massachusetts Attorney General’s Office filed a complaint against UMass Memorial Health Care Entities for violating HIPAA, as well as the Consumer Protection Act and the Massachusetts Data Security Law, when it allegedly failed to adequately protect patient data.
  •  Eventbrite is facing a class-action complaint filed in Illinois for failing to notify more than 25 million consumers of a data breach that occurred in May.
  • Yahoo will pay a total of $47 million to settle three lawsuits related to data breaches.  IAPP reports the three settlements cover a case with the U.S. Securities and Exchange Commission, a case alleging the tech company misled shareholders about its practices, and a class-action lawsuit.  Both the consumer class-action lawsuit and the shareholder lawsuit are still subject to court approval.
Health and Biometrics:

 

  • Wendy’s is accused of breaking the Illinois Biometric Information Privacy Act (BIPA) by scanning and storing employee fingerprints via a biometric clock that takes impressions when they arrive and leave work and use the cash register systems.  Fingerprints are unique, permanent biometric identifiers and retaining them leaves employees vulnerable to serious privacy risks.  However…
  • In a separate action, the Illinois Supreme Court is expected to decide whether legal standing as an “aggrieved party” for lawsuits under BIPA require proof of injury or adverse effect, or if mere violation of the law is enough.  The plaintiff-mother claims the latter; specifically, Six Flags Great America scanning, without written consent, her son’s thumbprint for his season pass entry is enough to sue the park. If the court holds otherwise, the plethora of lawsuits alleging violation of BIPA could be significantly impacted (and reduced).
  • The U.S. Department of Health and Human Services’ Office for Civil Rights fined three Boston-area hospitals a combined $1 million for violating HIPAA when they allowed TV crews to film patients without their consent for the “Boston Med” series.