Workforce

Tweaking Your Incident Response Plan to Address A Distributed Workforce

With the sudden, drastic increase of distributed workforces came implementation of new practices and access solutions, which in turn created more surface area for bad actors to attack and more potential gaps for them to exploit.  

A business’s Incident Response Plan is its playbook for deploying a rapid, proportional response to a potential security threat, with the goal of complying with applicable data privacy and security laws while maintaining client services. Such a plan generally lists the roles and responsibilities of staff positions as they work through phases of Detection, Analysis, Containment and Eradication, Recovery, and Reporting. The collection of key staff members is commonly understood to be the Incident Response Team (IRT) and their familiarity with the plan and preparation in advance of a potential incident are often key to successful responses.  

Here are some important considerations in evaluating your current Incident Response Plan:

Communication

Communication is always key, but now it may need to be handled without face-to-face meetings or assembling the IRT in a conference room. An Incident Response Plan, similar to a Disaster Recovery Plan or Business Continuity Plan, should plainly state the methods of communication IRT members will rely on, in order of preference, in response to a potential incident. Thought should be given to what forms of communication are likely to be interrupted or compromised in an incident, and what back up communication method(s) will be relied on. With IRT members working from home, which communication methods yield lower risk of interruption, are more secure, and are available to all IRT members? Be careful of using free platforms or apps to communicate.  Many are not secure, there is no expectation of privacy, and the data stored can be discoverable or subject to subpoena.

Relatedly, does the Plan identify which leaders are responsible for internal or external communications regarding an incident? For example, in an office setting business phone lines and clustering of staff could allow a team to efficiently direct all inbound questions or concerns about an incident to a VP of Communications. Pick a title not a department. Now, with cell phones serving as a primary tool of communication, does your team need a refresher of how to address communication from external parties or a reminder of professional responsibilities when confronting a potential incident? Also remember, during an incident, systems are likely not accessible because they are encrypted. So, does every member of the IRT have a printed version of the Incident Response Plan at home with everyone’s contact information?

Resource Allocation

The first phase of most Incident Response Plans revolves around detection – identifying what is happening and collecting details about a potential incident. Your Incident Response Plan might implicitly assume that IT staff or others with specialized knowledge related to identifying a security or privacy issue are on hand or available at the same location as a point of compromise. When considering your new work from home environment, it is time to consider how your IT staff will be available in the earliest moments after a potential incident is reported. Where possible, it may be time to consider end point detection and response solutions – an addition to your IT management environment that can provide remote insight and management of laptops being used by employees from their homes. Such a solution can speed the collection of important forensic details while hastening the containment and wider response.  

Role Adaptation

Work from home environments may change a member of the IRT’s ability to address the role or responsibilities they were previously assigned. Often times Incident Response requires confidential conversations, privileged communication and/or discussion about sensitive data and it is important to address with members of the IRT whether they can meaningfully, and responsibly participate in incident response when working from home. There are often more competing interests in a homebound setting than in an office and when updating and reviewing an Incident Response Plan, your company has the chance to address with each member of the IRT whether they can still satisfy their role while potentially handling such competing interests.  Such review can allow for updates and edits to IRT members’ roles and responsibilities in advance of a potential incident, instead of in the midst of one, saving valuable time, energy and focus.

Practice

An Incident Response Plan best serves its purpose when it is regularly reviewed as part of a tabletop exercise.  Such an exercise promotes clarifying questions amongst members of an IRT and familiarizes everyone involved with their roles and expectations for others. Additionally, an Incident Response Plan rehearsal reminds all IRT members of the importance of communication and how critical legal determinations, such as what constitutes a data breach, must be considered when discussing or communicating about an incident.

Now that your IRT is working from home, how will they make use of your Incident Response Plan? The best way to find out is to schedule time to run a remote tabletop exercise. The updated exercise can provide insight into new strengths or weaknesses created by a distributed IRT.  Such practice can highlight the differences created by an at-home response, such as does everyone on the IRT have a hard copy of the Incident Response Plan in the event one is not accessible online?

Coordinated Vigilance

Updating your Incident Response Plan is key, but it should be done in coordination with improvement to other safeguards.  In parallel with rolling out new work-from-home measures, companies should consider adjusting relevant policies, such as the Acceptable Use Policy, and assess how new access controls or encryption measures, such as virtual private networks, can mitigate risks to security. While employees are adjusting to an array of new norms, it may be less disruptive to add a few more, including multi-factor authorization, new password complexity standards, and other access control measures. By remaining vigilant and keeping continuous focus on the issues of security and privacy, companies stitch best practices into the cultural fabric of their team.

If you have questions about creating a legally defensive Incident Response Plan contact sophisticated tech counsel, we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologist and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Coronavirus

Digital Transformation in the Time of COVID-19

In response to the COVID-19 pandemic, businesses around the globe have made a major pivot to online or virtual operations, hitting fast forward on digital transformations that usually take time and careful planning. Everything from university classes to corporate board meetings to wine tasting at your local bar have jumped online, opening a whole new world of possibilities—and potential data security and privacy risks that should not be overlooked. With privacy and data security concerns more important than ever before, it is important to remember that even emergency digital transformations must use a “measure twice cut once” strategy that factors in Privacy by Design at the outset.

Why Privacy Considerations Can’t Wait Until Later

In the rush to move business online, it may seem like a necessity to gloss over privacy risks and deal with them later. However this approach is inefficient at best and can be disastrous if there’s a security breach. Digital transformation has to start without an intentional focus on data protection and a solid understanding of the regulatory landscape.

This understanding is becoming increasingly important as privacy laws like the GDPR and CCPA, along with a host of new regulations on the horizon, highlight Privacy by Design principles in their consumer privacy guidelines. That means in many cases, putting consumer privacy first isn’t just good business—it’s a legal requirement. In fact, article 25 of the GDPR demands that organizations practice “privacy by design and by default,” meaning organizations must integrate data protection up front in any design or business practice and maintain those protections throughout the data lifecycle.

How to Make Privacy a Cornerstone of Digital Transformation

A good digital transformation strategy will define goals, identify appropriate technologies, establish leadership and educate staff on the new technologies and protocols. But each of those steps should be driven by data privacy and security considerations.

Therefore even if the digital transformation needs to happen quickly, it’s critical to make sure privacy is the cornerstone of the plan. At Beckage our experienced team of attorneys can work with you to assess potential privacy pitfalls and blind spots, especially in this ever-shifting legal landscape. Beckage attorneys provide on-site and around-the-clock counsel to clients on data protection and information security practices required under state or federal law, for example, or advise on security risks and responsibilities. Taking the time to employ Privacy by Design is an upfront investment that will help ensure your digital transformation strategy is built on solid ground.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

0
COVID-19

Insights Into the COVID-19 Health Data Bill

This update concerns the COVID-19 Health Data Bill, recently introduced to the New York State Senate by State Senator Kevin Thomas (S8448A), and in the State Assembly by Assemblywoman Linda B. Rosenthal (AB 10583). The COVID 19 Bill could have significant implications on businesses that collect information as part of their federal and state COVID-19 compliance measures, including the NYS-Required Safety Plans.  

The COVID-19 Bill applies to any company/person that collects, uses, or discloses “emergency health data,” which is defined to include data that is “linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device from other collected data” and that “concerns the public COVID-19 health emergency.”  

Emergency health data includes information that reveals past, present, or future physical or behavioral health or condition of, or provision of healthcare to, an individual including:

• data derived from testing or examination;

• whether or not an individual has contracted or been tested for, or an estimate of the likelihood that a particular individual may contract, such disease or disorder; or

• genetic data, biological samples, and biometrics.

Emergency health data also includes “other data collected in conjunction with other emergency health data that can be used to infer health status, health history, location or associations”. This includes: geolocation data, proximity data, demographic data, contact information, and other data collected from a personal device.  

The Bill requires businesses that collect, process, or use emergency health data in connection with the COVID-19 crisis to:

1. Obtain Affirmative Opt-In Consent: The Bill requires that businesses obtain an individual’s “freely given specific, informed, and unambiguous opt-in consent” to process individual emergency health data and prohibits collection without such consent except in certain narrow circumstances.

2. Comply with Data Retention Requirements: The Bill contains rigid data retention time periods (30 days or 14 days for proximity tracing or exposure notification data). If a business stores emergency health data for more than 30 days, The Bill requires the business to “reengage consent” from the individual from whom the information was collected in the first instance.

3. Maintain Written Privacy Policies and Transparency Reports: The Bill requires the posting of Privacy Policies which detail the business’s collection and use of emergency health data and the preparation of written Transparency Reports describing the business’s collection of emergency health data every 90 days.  

4. Limit Use: Data collected for responding to the COVID-19 public health emergency (e.g., tracking, screening, monitoring, contact tracing) must be collected “at a minimum level of identifiability reasonably needed for tracking COVID-19”. The Bill clarifies that for covered entities using proximity tracing or exposure notification, this includes changing temporary anonymous identifiers “at least once in a 10-minute period.” The Bill also prohibits the use of emergency health data for any purpose beyond what is adequate, relevant, and necessary to perform the transaction consented to by the individual, or for any purpose not authorized by The Bill (e.g., commercial purposes, advertising, selling, etc.).

5. Provide Individual Right to Access and Correction: The Bill gives individuals the right to access and correct their emergency health data.

6. Maintain Reasonable Security Measures: An entity that collects emergency health data must have reasonable administrative, physical, and technical controls in place to safeguard the information from misuse and unauthorized disclosure.

7. Maintain Minimum Necessary Access Restrictions: The entity must have access restrictions in place limiting access to the emergency health data to authorized essential personnel only.

8. Complete Compliance Audits: Covered entities are subject to data protection audits, which include the requirement for risk assessments and evaluation of the technologies used in connection with the information gathering. The results of the compliance audits shall be made available to the public.

The Bill also has notable enforcement teeth, authorizing the State Attorney General to bring enforcement actions and seek civil penalties of up to $25,000 per violation or up to 4% of a business’s annual revenue. As The Bill is for the purposes of the COVID-19 public health crisis, it purports to expire and be repealed on January 1, 2023.

To date, the bill is not on a committee agenda and there is no scheduled testimony for the COVID-19 Health Data Bill. It is not clear whether the bill will move through committee to the floor for a vote before the legislative session ends. However, we anticipate that legislators will be back in Albany at least a few more times this year, and Senator Thomas has been vocal in his desire to make progress on the Bill.

Beckage will monitor the progress on this and other relevant data privacy bills. Beckage is in communication with lobbyists and is closely monitoring for opportunities to provide input on behalf of the business community. Please do not hesitate to reach out if you are interested in discussing the bill’s potential impact on your business. Beckage is privileged to work with clients in a variety of sectors and industries in building efficient, repeatable, and scalable privacy and security programs.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

CCPA

The First Six Months of the CCPA: Final Regulations, AG Enforcement and Plaintiff Lawsuit Trends

The California Consumer Privacy Act (CCPA) is about to hit the 6-month milestone, and oh what a long, strange trip it’s been. Although the CCPA’s effective date was January 1, 2020, the California Attorney General (AG) has still not issued final regulations for the Act, to the frustration of many businesses seeking to implement CCPA compliance programs, but the AG has repeatedly affirmed that enforcement of the Act will commence on July 1, 2020. Furthermore, plaintiff attorneys have brought a range of CCPA related lawsuits – some under the CCPA’s private right of action provision for data breaches are more expected, with other lawsuits attempting to leverage the CCPA to bring a range of non-CCPA claims.  We explore all this and more, below.

I. Status of CCPA Regulations: Likely Delayed

There is a procedural process that the AG has to follow to finalize the CCPA regulations. In short, the AG has to submit the proposed final CCPA regulations to the CA Office of Administrative Law (OAL) for review for compliance with the State Administrative Procedures Act. After that, OAL typically has 30 working days to conduct a review and either approve and file with the Secretary of State (SOS) or disapprove. Governor Newsome recently extended this timeframe by an additional 60 days due to COVID-19 pandemic.

Regulations generally become effective once a quarter based on when the final regulations are approved and filed with the SOS. In order for the CCPA final regulations to become effective by July 1, they have to be filed with OAL, approved by OAL and submitted to the SOS by May 31.

As the AG has not submitted the final CCPA regulations to OAL as of this writing, it is unlikely that the OAL will have time procedurally to expedite review and get approval, pushing the potential effective date to the next quarter. This has led to speculation that final regulation will be delayed until October.  

Technically there is still time to meet the July 1 date, and the AG could also potentially submit late and ask for earlier enforcement. We continue to monitor the status of the CCPA final regulations and will update this blog when additional information is forthcoming.

II. Attorney General Enforcement: Still Anticipated  

Despite a delay in the CCPA final regulations, the California AG has repeatedly affirmed his intent to commence enforcement of the CCPA on July 1, 2020. Indeed, the AG’s office has rejected requests by a consortium of business and trade associations to delay enforcement of the CCPA in light of the COVID-19 pandemic, stating that they are “committed to enforcing the CCPA upon finalizing the regs or July 1, whichever comes first.” Consequently, businesses should still anticipate that regulatory enforcement of the CCPA will commence July 1.

While the AG has committed to enforcing the CCPA starting July 1, unfortunately the lack of final regulations for a regulation full of contradictions and ambiguities creates additional challenges for businesses working towards CCPA compliance. Nevertheless, our Beckage attorneys recommend that businesses do not wait for the promulgation of final regulations to finish preparing for compliance. Instead, it is advised that where the CCPA is unclear on its own requirements, businesses should consider reviewing past interpretations and enforcement of other privacy laws for guidance.

III. CCPA Lawsuits: From Data Breach to Wrongful Collection

A range of CCPA-related lawsuits have been filed in California in the first six months following the enactment of the CCPA, leading to many questions about the scope of the CCPA’s private right of action.  

Initially, the CCPA’s private right of action provision, as written, is narrow: it applies only to the CCPA’s data security provision. Cal. Civ. Code. 1798.150. This provision authorizes consumers to commence civil proceedings against a business whose failure to implement and maintain “reasonable security procedures” resulted in the unauthorized access or exfiltration, theft, or disclosure or consumer non-encrypted and nonredated personal information. Further, the definition of “personal information” in this section of the Act is narrower than the definition of PI applicable to other CCPA provisions, applying only to an individual’s name together with another identifying data element such as SSN, driver’s license number, or medical information. (Note: The California Privacy Rights Act, dubbed CCPA 2.0, which we profiled elsewhere, would expand this definition to include email addresses, usernames and passwords).

As written, the CCPA private right of action provides for the possibility of injunctive, declarative relief, actual damages or statutory penalties for qualifying incidents. But before bringing suit that seeks statutory damages, a plaintiff must provide the business with “notice and cure” opportunity, with the “cure” part of this provision is not defined.  

What the CCPA private right of action clearly does not provide, however, is the opportunity for plaintiffs to leverage the CCPA as a basis to bring other claims under other laws. Indeed, the CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” thus prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes.

But, not unexpectedly, plaintiffs have not heeded this statutory prohibition, and are trying to leverage the CCPA for a range of non-data breach related claims, as described below.

Initially, the majority of CCPA related lawsuits filed to date have been brought in federal courts under the Class Action Fairness Act, 28 U.S.C. § 1332(d), which provides for federal jurisdiction for class-action claims that meet certain thresholds. Because this trend may result in a cannon of federal court CCPA jurisprudence before state courts are called to adjudicate CCPA matters, many anticipate this dynamic may result in even more rigorous state-court enforcement by the California AG post-July 1.

1. Substantive CCPA Privacy Claims

Although CCPA’s private right of action is explicitly limited to allegations of failure to provide injury “reasonable security” resulting in a data breach, plaintiffs have brought claims for violations of the substantive privacy provisions of CCPA.

For example, in the class action filed as Sweeney v. Life on Air, Inc. et al., No. 3:20-cv-00742 (S.D. Cal. Apr. 17, 2020) (Sweeney), the plaintiffs alleged violations of (i) Cal. Civ. Code § 1798.100(b), requiring notice at or before the point at which personal information is collected and limiting additional uses of personal information; (ii) Cal. Civ. Code §1798.120(b), requiring a business to provide notice of the right to opt-out of sales of personal information; (iii) Cal. Civ. Code § 1798.135(a)(1), requiring a “Do Not Sell My Personal Information” link on a business’s homepage and (iv) Cal. Civ. Code § 1798.135(a)(6), requiring a business using information collected in connection with an opt-out request solely to comply with the opt-out request. (Sweeney Complaint, ¶¶ 102-105.)

On its face, these claims do not appear to be sustainable under the plain text of CCPA, but its remains for the court, the Southern District of California, to clarify the scope of the CCPA private right of action.

2. Leveraging CCPA to State Unfair Competition and Other Claims

Also as expected, plaintiffs are attempting to do that which the CCPA appears to disallow – to use purported violations of the CCPA to state claims under other California statutes. For example, in Hurvitz v. Zoom Video Communications, Inc. et al., No. 2:20-cv-03400 (C.D. Cal. Apr. 13, 2020), plaintiffs allege that defendant Zoom Video Communications (Zoom) violated the provision of CCPA requiring a business to provide notice to consumers of the categories and uses of personal information it collects at or before the point of collection, and prohibiting the business from collecting additional categories of personal information or using personal information for additional purposes without providing additional notice. (See Cal. Civ. Code § 1798.100(b); Hurvitz Complaint, ¶ 213.)

Because substantive CCPA privacy claims may not be brought as private claims under the CCPA, or under other statutes based on the CCPA’s prohibition, the Hurvitz plaintiffs have instead alleged that the violation of the CCPA’s provisions constitutes an unlawful practice in violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. Whether these claims are validly stated and the CCPA can be leveraged in this manner, especially in light of the CCPA’s facially clear prohibition described above, remains a determination for the courts.

3. CCPA Actions with Privacy Tort Claims

As expected, CCPA data breach claims are not being brought as straight CCPA actions, but are accompanied by a range of other privacy tort or statutory claims. For example, in Fuentes v. Sunshine Behavioral Health Group LLC, No. 8:20-cv-00487 (C.D. Cal. Mar. 10, 2020) (Fuentes), the plaintiffs brought 11 claims in addition to the CCPA claim, both statutory and common law. These including claims of negligence, negligence per se, breach of contract, and breach of implied contract arising from a data breach. Plaintiffs frequently bring multiple common law tort claims in data breach actions nationwide, and this trend was anticipated here. Ultimately it means that defense of a CCPA action will almost certainly include defense of other tort claims, for which additional discovery and damages may be available.  

The commencement of a CCPA private right of action and related claims present a meaningful risk to businesses doing business in California. Until judicial decisions provide clarity on the scope of the CCPA private right of action and the CCPA’s prohibition, the scope of these risks is substantial and not fully known. With the assistance of our experience Beckage team, a comprehensive CCPA compliance program, in addition to other risk mitigation strategies, should be considered. We can work with your company, regardless of size, to determine the best approach to build a proactive, buildable and defensible program that makes sense for your business.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.