Privacy

Data Breach Compliance Under the CCPA – What You Need to Know

The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020 and with it came expanded data breach laws and an increased risk of litigation. Attorney General enforcement of privacy-related suits cannot be initiated until six months after final regulations are approved by the California Attorney General or July 1 (whichever comes first), however data breaches are subject to enforcement via plaintiff private right of action now.

In fact, substantial data breach litigation has already begun under the CCPA, primarily in the form of consumer class actions brought in federal courts in California.

Businesses should be aware and prepared to comply with the data breach compliance requirements of the CCPA in the event of a data breach incident, as discussed below, or risk facing litigation.

Breach Defined

The CCPA provides consumers with a limited private right of action when “nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations are subject to penalties of $100 to $750 per incident, actual damages, and injunctive relief.

Personal Information Defined

In order for a data breach to be actionable, the information breached must be personal information as narrowly defined by California’s data breach notification law, Section 1798.81.5, not the broad definition included in the CCPA.  For the private right of action for data breaches, personal information means:

An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.

This narrower definition of personal information should work to limit the availability of CCPA’s private right of action.

What Constitutes “Reasonable Security?”

The CCPA does not define “reasonable security” and the California Attorney General has not yet offered guidance on the subject. However, some California regulators have endorsed certain security measures as providing “reasonable security” in contexts outside of the CCPA.  

For example, the former California Attorney General, Senator Kamala Harris, provided clear guidance on what she considered reasonable security in the February 2016 California Data Breach Report. As highlighted in the report, covered entities should look to the Center for Internet Security’s list of 20 Critical Controls (“CIS Controls”) as a potential baseline security standard for reference. The CIS Controls consist of twenty key actions, including authentication, incident-response plans, data-protection policies, and other security safeguards. Although these CIS Controls are not prescriptive safeguards for CCPA compliance, they are a good place to start.

Notice and Cure Period

Before bringing an action for a security breach, the CCPA requires consumers to provide covered businesses with 30 days written notice, identifying the specific provisions the business allegedly violated. Businesses then have 30 days to address and resolve the violations without penalty. Businesses who fail to cure the violation open themselves up to civil action for monetary damages, injunctive relief, and any other relief the court deems proper.

CCPA Prohibition

The CCPA does appear to prohibit the commencement of lawsuits which leverage the CCPA to state other claims. The CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” thus prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. However, as described in other blogs, this has not stopped plaintiffs from bringing just these types of claims. Judicial decisions are required on the scope and enforceability of the CCPA’s prohibition on non-CCPA claims.

Takeaway

Businesses should continue to follow CCPA developments and carefully monitor related litigation in the coming months for further clarity on enforcement and compliance. CCPA data breach litigation is expected to considerably increase as plaintiffs take advantage of the CCPA’s private right of action for data breaches resulting from a company’s failure to implement and maintain “reasonable” security measure. Beckage will continue to provide updates as they become available. Additionally, AG enforcement of the CCPA data breach and privacy provisions is expected to commence soon, providing an additional layer of enforcement activity that businesses must be aware of. The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA litigation risk.  

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Cybersecurity

Some Proactive Measures to Improve Cybersecurity Preparedness

The impact of ongoing ransomware events in the healthcare and broader business communities compel us both professionally and personally to self-reflect and to ask tough questions like “how ready are we?” “can we really do anything to prevent it from happening to us?” and “what if it happens, then what?”.

There is no one-size-fits-all approach, but there are some relatively easy proactive measures that can help narrow an organization’s attack surface, despite their cyber-maturity. These measures can additionally mitigate the likelihood of falling subject to a ransomware event.

Resource Allocation

Organizations should focus on allocating resources to create robust incident response, disaster recovery, and business continuity plans and effective governance structures to support them. In addition, organizations should audit their existing network security as there are many opportunities for vulnerabilities. Luckily, these potential vulnerabilities can be prevented if your organization takes the proper steps. Some key points to consider regarding the security of your organization are:

• Proper segmentation or end point encryption

• Remote Desktop Protocol (one of the most dominant attack vectors)

• Explore running services on a non-default port for higher security

• Controls around change management and patching processes

• Data retention & data loss prevention

• Identifying access management and vendor management.

• Unsecure servers hosted by third parties.

Evaluate and Improve Patch Management Process

In addition to monitoring network security and keeping systems and applications up to date, organizations should address their “end of life” problem. If it is impractical or even impossible to update systems, it is critical to take additional steps to mitigate your risks. If your business has technology that is embedded in the fabric of your operations, segment end-of-life systems and software and develop a minimum-necessary access policy. This is particularly important with regard to medical devices, as many are still running outdated operating systems that simply cannot be updated. Remember, where preventative controls are not possible, develop detective controls and perform real-time monitoring to mitigate risks.

Backups and Testing are an Essential

Another measure your organization can take are restorable backups. Restorable backups may appear to be an easy process but there are many seemingly mature organizations that do not have a full backup of all critical data. Although restorable backups require data categorization or classification effort, it is equally important that an organization maintain an off-line, 100% off-network back-up instance. A good place for this is in an organization’s asset inventory. Organizations should also test the ability to restore their backups. In a worst-case scenario, a victim organization will have to rely on the availability of backed-up data.  Restorable backups are something every security framework requires. Do you align with an industry recognized framework? If you have not adopted a security framework, it is critical to do so as soon as possible.

Policies are Living Documents

Your organization should have well documented policies and procedures that meet legal requirements and provide a legally defensible posture. Every organization has different needs and different legal standards which they need to abide by, therefore it is bad security hygiene to copy and paste policies found online. You may be subjecting yourself to laws and standards that do not apply or leaving your company legally exposed. Every well-planned policy taxonomy will have both a sustainable governance framework that serves to keep your policies current and relevant, and a mechanism in place to enforce the policies.

Our Beckage team leverages their deep experience to assist organizations of various sizes and complexities in building efficient, longstanding and scalable IT due diligence programs. Our team of attorneys are seasoned technology professionals with backgrounds that include risk management, in-house counsel, governmental agencies, and information security and technology leadership.  We work with businesses across channels and industries to facilitate the design and implementation of enterprise-wide security programs and perform ongoing “health checks” to evaluate the appropriateness of controls and alignment with business requirements. As we continue through 2020, there has never been a better time to operationalize a risk-based methodology.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

CCPA

The California Privacy Rights Act: The Who, What, Where, When, and How of the “CCPA 2.0

While most business are still waiting on final regulations for the California Consumer Privacy Act (“CCPA”), which are likely to be delayed, and Attorney General enforcement on July 1 of this year, the same group behind the CCPA has proposed a new ballot initiative, the California Privacy Rights Act of 2020 (“CPRA”), dubbed “CCPA 2.0.” That group announced last week that it had gained enough signatures for the CPRA to be considered by California consumers on November 2020 ballot, where the initiative is believed to have a high chance of being passed.  

As described below, businesses suffering fatigue from implementing the CCPA may have to make further changes to their practices and updates to their privacy policies to address the CPRA.  

Who: Californians For Consumer Privacy, the consumer privacy organization that successfully initiated the “Consumer Right To Privacy Act” ballot initiative in California in 2018, which was then withdrawn in a compromise to allow the California State Legislature to pass the CCPA. The CCPA is effective as of January 1, 2020, with final regulations from the Office of the Attorney General expected immediately.  

What: The California Consumer Privacy Act, a ballot initiative by Californians For Consumer Privacy that seeks to significantly expand and amend the CCPA, with a one-year look back to January 2022.

Where: While the CCPA was passed in California, it purports to apply to all businesses with annual revenue of over $25 million which “do business in California,” where this threshold has been interpreted broadly to include business which collect and process California consumer personal information including, for example, by e-commerce sales or IP address (in connection with other data points), among other thresholds.  

While the CPRA has basically the same applicability thresholds of the CCPA, it does double the 50,000 data threshold in one provision of the CCPA applicability section, applying now to businesses with under $25 million in annual revenue that “alone or in combination, buys or sells or shares the personal information of 100,000 or more [California] consumers or households.”

When: If the CPRA initiative passes sampling, it will be on the ballot before California voters this November. As written, the CPRAhas a January 2023 effective date, with a one year look-back to January 2022. 

How: The CPRA creates additional privacy rights and obligations pertaining to certain category of personal information – sensitive personal information. Specifically, the CPRA proposes the following changes to the CCPA:

Sensitive Personal Information: The CPRA imposes limits on businesses’ use of “sensitive personal information,” a newly defined category of personal information that includes things like social security number, driver’s license, passport number, sexual orientation, biometric, health and financial information, and precise geolocation. The definition of “sensitive” PI under the CPRA is broader than the definition of sensitive categories of data under the European GDPR but the CPRA does not prohibit collection of this information altogether. Rather, the CPRA gives consumers additional rights to limit the processing and use of their sensitive data to specified purposes.

Data Correction: The CPRA gives consumers the right to request and require businesses to correct inaccurate personal information. These requirements are subject to reasonableness standards, require authentication, and there are specified exemptions. Service providers and contractors are required to assist businesses in complying with these requirements.

Expanded Breach Liability: By adding 21 words, the CPRA seeks to expand the data breach liability created by the CCPA. In addition to the private right of action for breaches of nonencrypted, nonredacted personal information under the CCPA, the CPRA would add a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. This is an important change, given the high frequency of data breaches and incidents, and the inclusion of email addresses and related information in those breaches.  

Automated Decision Making: Automated decision making is a hot topic, stemming in part from the GDPR’s requirements around these types of actions. The CPRA attempts to address automated decision by regulating it as “profiling” and providing new rights of access and opt-outs.  

Specifically, the CPRA defines “profiling” as the automated processing of personal information to evaluate personal aspects of an individual and to make predictions concerning that individual’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements. The Act then requires promulgation of regulations to provide consumers with access and opt‐out rights for the profiling, including requiring businesses to disclose to them the logic and algorithmic underlying the decision-making process.  

Service Provider Provisions: The CPRA increases the contractual obligations of service providers (which are defined as in the CCPA) as currently exist under the CCPA, now requiring them to allow businesses to monitor the provider’s compliance with the contract provisions, certify that it understands and will comply with the contractual obligations.

The CPRA also seeks to impose data protection obligations directly on service providers, contractors and third parties. Specifically, it requires businesses that send personal information to third parties, service providers or contractors to enter into an agreement binding the recipient to the same level of privacy protection as provided by the act, granting the business rights to take reasonable and appropriate steps to remediate unauthorized use, and requiring the recipient to notify the business if can no longer comply.

Finally, the CPRA clarifies what the CCPA regulations do not: it requires service providers to cooperate with and assist businesses in providing requested personal information in response to verifiable data subject requests, as well as correcting or deleting information or limiting the use of sensitive personal information in response to such requests, though exceptions exist.

Enforcement Agency: Lastly, before the 2023 effective date, the CPRA requires the California state government to create a new agency, the California Privacy Protection Agency, to oversee and enforce data privacy.

Again, the CRPA, if passed by ballot initiative in November will not be effective until 2023, with a look back to 2022, giving businesses ample time to plan implementation.

In the meantime, businesses await the California Attorney General’s final CCPA regulations, which are now understood to be delayed, and the start of AG enforcement of the CCPA, which may still commence on July 1, 2020.

Beckage’s dedicated CCPA attorneys routinely counsel clients on implementation of CCPA policies and procedures, including assisting businesses to operationalize Data Subject Request (DSR) processes, perform CCPA training and record keeping, manage third party vendor relationships, and make CCPA required breach notifications. Our clients include major E-commerce retailers, international news media companies, consumer goods manufacturers and retailers, health care organizations and financial entities.

For more information about the CCPA, CPRA and its impact on your business, contact: Myriah V. Jaworski, Esq., CIPP/US, CIPP/E and Nicole Smith Esq..

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Doctor

Legal and Practical Implications of the CMS and ONC Interoperability Rules – Part One

Beckage attorneys have been busy helping clients understand and prepare for the two rules concerning interoperability issued on March 9, 2020 by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) (collectively referred to as the “Final Rules”). The Final Rules implement interoperability and record access requirements intended to help patients obtain health records and payment data so they can make informed decisions about healthcare. To help de-mystify these technical rules, Beckage will be releasing a blog series outlining how the Final Rules will impact different organizations in the health sector.  

While future blogs will tackle some of the technical nuances of the Final Rules, this blog will provide some context by answering a few high-level questions:

1. Who should pay attention to these Final Rules? Healthcare providers, health IT developers, health information exchanges, health information networks, electronic health record (EHR) vendors, and insurers participating in CMS programs (for purposes of this blog, these stakeholders are collectively referred to as “health care organizations,” although as discussed in future posts, they often have different interests and obligations under the Final Rules).

2. What is an API? ”API” stands for application programming interface. An API is essentially a software intermediary that allows two applications to talk to each other using standardized language.

3. What does the CMS Final Rule cover? The CMS Final Rule requires states and certain health care organizations to develop APIs that allow patients, medical providers, and insurers to access specific categories of data. The rule is intended to improve patient access to health information and standardize the types of health information that can be shared. For example, patients will be able to request access to their medical records via third-party apps, and payers may deny access only under specific circumstances. The CMS Rule also requires payers to provide information about in-network providers and exchange information with other insurers in the event a patient enrolls with a new insurance company.

4. What does the ONC Final Rule cover? The ONC Final Rule imposes standardized protocols to allow networks and software applications to talk to one another. Basically, the ONC Final Rule requires insurers, medical providers, IT vendors, and health exchanges to speak the same language. This is accomplished through updated and standardized health IT certification requirements, data classifications, and systematic requirements for APIs. The ONC Rule also implements the information blocking provisions of the 21st Century Cures Act.

5. When will the rules take effect? United States Department of Health and Human Services (HHS) recently issued guidance stating that it was extending some enforcement deadlines. Below are just a few of the new compliance deadlines relevant to hospital and payer organizations:

·        Spring 2020: Hospitals must be able to demonstrate that they comply with patient admission, discharge, andtransfer (ADT) event notification procedures required by the CMS Rule.

·        July 1, 2021: Payers must make a PatientAccess API available so patients’ third-party apps can access medical records via the API.

·        July 1, 2021: Payers must make a Provider Directory API available, so patients know which providers are in network.

The Final Rules represent a complete overhaul of well-established standards and an introduction of new and highly technical requirements with compliance deadlines as early as Spring 2021. Now is the ideal time for health care organizations to assess compliance requirements, contract with vendors, and develop a compliance framework. Beckage attorneys are uniquely experienced to help health organizations and tech companies of all sizes to navigate the complicated maze of legal and practical considerations raised by these and other health law regulations. Be sure to check back regularly for part two of this blog. 

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Website

Website Accessibility Under the ADA: What You Need to Know

Many of us are familiar with the Americans with Disabilities Act, otherwise known as the ADA. It is a landmark civil rights legislation that was signed into law by President George H.W. Bush in 1990. It works to guarantee that individuals with disabilities have equal opportunities to participate in mainstream American life, from finding employment opportunities to shopping at the mall or entering a public library.  But “mainstream” life has changed a lot over the past 30 years, especially with the tremendous growth we have seen with the advent of the internet. More and more companies with or without brick and mortar stores have some type of online presence. As such, the past few years there has been a tremendous amount of litigation surrounding how the ADA should be applied to websites.  

Current Status of the ADA

When the ADA was first enacted, Congress could not have anticipated just how far the internet would reach into everyday life. As a result, the ADA focuses on accessibility and discrimination issues that would happen in person—for example, standards for accessibility for brick-and-mortar business locations and employment setting. The ADA does not specifically provide guidance regarding the accessibility standards applicable to internet or online businesses nor does it expressly exclude online businesses either.  

Title III of the ADA requires that every owner, lessor, or operator of a “place of public accommodation” provide equal access to users who meet ADA standards for disability. Over more recent years, the argument arose that this concept applied to websites, prompting a wave of litigation by plaintiff’s claiming that accessibility barriers experienced on a website violated the ADA because it denied them full access to and equal enjoyment of the goods, services, and accommodations of the website. But with no formal guidelines or laws in place outlining what online ADA compliance actually means for online businesses (with or without a connection to a brick-and-mortar business), it has been largely left up to the courts to decide what compliance looks like.  

As we reported at the end of last year, the United States Supreme Court denied a petition filed by the pizza conglomerate Domino’s, sending a relatively clear statement that Title III of the ADA does in fact apply to websites. But the Supreme Court’s denial of cert still leaves businesses hoping for actual guidelines in limbo, waiting for either another case to reach the Supreme Court or the Department of Justice to issue guidance in this area.

Recommended Steps for Addressing Website Accessibility  

In the meantime, Beckage has proactively monitored this area of the law over the past few years and recommends clients take intentional and protective measures to address website accessibility sooner rather than later. As either part of litigation defense strategy or proactive website remediation measures, we generally recommend implementing a comprehensive, phased approach to website accessibility, including the following measures:  

Working with Beckage or a trusted third-party vendor that we together vet and retain to perform an independent website-accessibility audit for conformance with the Web Content Accessibility Guidelines (WCAG), the prevailing set of guidelines that set forth website accessibility standards.  

Implementing a forward-facing website accessibility notice that is prominently and directly linked from the website home page that provides individuals with disabilities who are experiencing technical difficulties the ability to request assistance. Those staffing the phone line and receiving e-mails regarding this should be knowledgeable about the statement and be trained on how to help users that are experiencing technical difficulties navigating the website.

Deploying an internal website accessibility policy that guides the organization’s decision making and processes and procedures for designing, developing, and procuring accessible content on the website. Most websites are regularly updated and modified and accordingly there should be procedures in place as part of this internal policy for regularly reviewing the website for new accessibility barriers.  

We also recommend regularly testing your website with assistive technology used by the disability community to access your content such as the JAWS screen reader. This process can provide valuable intel on potential and unforeseen barriers that may occur to users.  

Even without specific guidelines or a clear understanding of what compliance looks like, there are several low-cost, high impact steps companies can take to address website accessibility.  We recommend clients work on website accessibility alongside their larger public-facing disclosure compliance work, such as regularly updating their Website Privacy Policy and Terms of Use to comply with the evolving paradigm of privacy legislation and regulations such as the California Consumer Protection Act (CCPA) and GDPR.  While the legal standards of website accessibility are still murky, the technology to support accessibility online is only getting stronger. Beckage’s Accessibility Team, made up of web developers and a former web design business owner, is here to help you navigate ADA website compliance and make your online presence more welcoming and accessible to everyone. From litigation defense to proactive website remediation, our experienced team is uniquely positioned to partner with your business and assist with your ADA compliance efforts.  

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.