Beckage Blog

Important Privacy Developments in New York State

Alert Update: The SHIELD Act has been signed into law and is effective in New York State on March 22, 2020.

As always, Beckage lawyers are available to assist in addressing any questions you may have regarding data security developments. Please feel free to contact us.

There are two important privacy developments in New York State that companies should take note of: the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the New York Privacy Act (NYS5642).  If passed, these pieces of legislation will impose more stringent data security requirements on companies that collect information from New York residents.

1. THE SHIELD ACT

Passed by the State's legislature, the SHIELD Act updates New York’s general business law (GBL 899-aa) governing notification requirements and consumer data protection obligations, and broadens the Attorney General’s oversight of data breaches impacting New Yorkers.

Specifically, the Act purports to:

  • Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers;
  • Broaden the definition of a data breach to include unauthorized “access” to private information, replacing the current “acquired” standard;
  • Apply the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State;
  • Update the notification procedures companies and state entities must follow when there has been a breach of private information; and
  • Create reasonable data security requirements tailored to the size of a business.

STATUS

Passed by the legislature, awaiting signature by the Governor. Additionally, amendments to the Act are currently pending. 

2. THE NEW YORK PRIVACY ACT (NYS5642)

This bill, which has passed the Senate, was proposed by State Senator Thomas and is currently pending before the Senate Consumer Protection Committee. It has been compared to the General Data Protection Regulation and California Consumer Protection Act but differs in certain respects. Among other things, it purports to apply to most entities doing business in New York State, and includes those businesses outside the state that produce products or services targeted to NYS residents. Unlike the CCPA, there is no monetary or revenue threshold that must first be met to be included in the Act's jurisdictional scope. 

This Act governs (and in some instances limits) the collection and use of personal data by those entities. It requires consent, provides for certain data subject rights (correction, deletion), and includes a private right of action against companies processing jurisdictional PD. The bill does purport to exempt from its reach data sets governed by HIPAA/HITECH.

STATUS

Pending in Senate Consumer Protection Committee.  

PREDICTION

This bill is likely to pass the Senate.  However, as there is no same-as bill in the Assembly, the bill likely will not be passed this session. That said, it is a priority bill for Sen. Thomas and we expect more pressure next year to pass it.

Beckage PLLC continues to monitor privacy bills and regulations pending in New York State, including:

  • Proposed NYS Biometric Privacy Act;
  • Department of Financial Services regulations impacting credit reporting agencies;
  • New York Department of State Emergency Regulations on Identity Theft prevention and mitigation;
  • Proposed legislation relating to the New York State Cyber Security Advisory Board, a Cyber Security Action Plan for the State, and Periodic Cyber Security Reports.

Have questions? Our team at Beckage is uniquely positioned to advise on emerging privacy laws at both the state and national level. Contact us today for a consultation.

*Attorney Advertising: Prior results do not guarantee a similar outcome.

What Does PrivacyCon Say About the FTC’s Data Privacy and Security Enforcement?

On June 27, 2019 the Federal Trade Commission (FTC) hosted its fourth annual privacy conference, PrivacyCon. Tasked with protecting consumers against privacy and security violations, the FTC uses PrivacyCon to bring together privacy stakeholders to discuss the privacy issues that businesses encounter when providing innovative technologies to customers.

PrivacyCon and FTC Privacy Enforcement

According to former FTC Chairwoman Edith Ramirez, the FTC seeks to increase its engagement with the technology community in order to more effectively encourage innovation that is protective of consumer privacy and security. In this year’s opening remarks, current Chairman Joseph Simons reiterated the agency’s goal of staying up to date with emerging technologies and shared the following three ways PrivacyCon benefits the agency:

  • helps to identify potential areas for enforcement,
  • fashions remedies in the agency’s orders, and
  • highlights areas in which the FTC can provide business and consumer education.

For businesses, PrivacyCon provides insight into the directions that the FTC may be considering in addressing its current privacy and security priorities of vigorous enforcement, improving business accountability and promoting deterrence.

PrivacyCon 2019 FTC Online Privacy Issues

This year, the FTC requested research on privacy and security issues in emerging technologies and sought to understand the greatest threats to consumer privacy today. The FTC also sought research on the economic impact of privacy and security issues on the market, as well as ways to incentivize manufacturers and developers to implement privacy and security in their products and practices. In response, PrivacyCon featured almost thirty speakers in four sessions divided into four key privacy and security areas:

  • Privacy Policies, Disclosures, and Permissions,
  • Vulnerabilities, Leaks, and Breach Notifications,
  • Consumer Preferences, Expectations, and Behaviors, and
  • Tracking and Online Advertising.

The first two sessions noted above stood out as having immediate consequences for businesses. Presenters in the area of privacy policies, disclosures and permissions touched on the privacy principle of “notice and choice” and how it is provided to users.

Notably, remarks suggested that readability and ambiguity in privacy policies continue to frustrate researchers and users. Therefore, companies may need to review whether their privacy policies are adequate to obtain user consent and inform them of company data practices. On a parallel path, speakers represented the expectation that the FTC will continue to pursue the creation of policies that are easier for consumers to read and comprehend.

The Vulnerabilities, Leaks, and Breach Notifications session reported that businesses may not be aware that their mobile applications are leaking customer data and current permissions may be insufficient to notify users of data and security practices. Another topic was the potential incorporation of artificial intelligence in risk assessments in order to help businesses identify and remedy high risk vulnerabilities. This step is a potentially cost-friendly aid to companies in mitigating data security risks.

PrivacyCon 2019 Key Takeaways

The FTC is a strong advocate for business self-regulation on privacy and security issues that arise when implementing emerging technologies. However, the agency will not hesitate to exercise its enforcement powers when improper data practices put consumers at risk. Businesses should look to resources provided by the FTC to help align their privacy policies and practices – a great starting point is the FTC website, at www.ftc.gov/tips-advice/business-center/privacy-and-security. Generally, businesses can seek to mitigate security risks by taking proactive steps to identify and remedy vulnerabilities, while looking for up-to-date ways to effectively communicate data practices to customers. Working with legal counsel to help formulate a legally defensible position will be important in developing these steps and practices.

Have questions? Our team at Beckage is uniquely positioned to advise on emerging privacy laws at both the state and national level. Contact us today for a consultation. 

*Attorney advertising. Prior results do not guarantee a similar outcome.

Drones, Growth & Data

Officially known as unmanned aerial vehicles or unmanned aerial systems, drones are now mainstream. The Federal Aviation Administration (FAA), which enforces federal drone laws, forecasts rapid growth in the commercial drone industry. New, non-recreational drone registrations are expected to exceed 800k in 2023. Businesses are using drones to augment business logistics, reduce shipping costs, automate certain business operations, increase customer satisfaction and advance socially beneficial ventures. As drone uses expand, drone operators, especially in commercial applications, must be aware of drone flying laws.

What Are Drone Laws in The United States?

As legislators struggle to keep up with evolving drone uses, drone laws around the U.S. remain tough to navigate. In addition to the FAA's Part 107 drone regulation, many states and local municipalities have enacted their own measures, so any business with multiple locations should be conscious of varying laws. Currently, state laws alone cover a range of considerations, including regulation on:

  • registration of drones
  • renewal of drone operation licenses
  • training required to fly drones
  • inspection of drones to ensure airworthiness
  • time and place for flying drones
  • the height and speed for operating drones

Some of these rules may not always apply. Businesses may be exempt or may qualify for a waiver from one or more of these legal requirements. Therefore, business owners should seek expert advice before, during and after incorporating drone technology in their business operations.

Who Uses Drones: Company Utilization of Unmanned Aerial Systems

According to the FAA, top industries for commercial drone use include education, agriculture and construction. However, investment and research and development in healthcare, manufacturing and in retail industries are expanding.

  • Drones in healthcare can be used for delivering medication, equipment and supplies. Drones can be used to collect and deliver blood and to locate lost and injured people. Drone exploration in healthcare is also aimed at reducing the time to deliver care and reaching patients with limited access to health providers.
  • In education drones are being used for academic research, instruction and data collection.
  • Drones in agriculture, manufacturing and infrastructure can be used to collect data, inspect facilities, track project progress and improve communication among workers.
  • In retail drones deliver packages.

What about Drones’ Data?

Drones are mapping and measuring buildings, taking and transmitting photographs, generating readings of geographies, delivering medicines and otherwise performing tasks that create, process and distribute data of wide variety – including highly sensitive data. When implementing drone usage, whether by contract or in-house, businesses must consider the implications around data management and how to balance the rewards of drone use with the responsibility for the data drones generate and utilize. 

Key Takeaways

Drone technology is expected to flourish across industries. Businesses should monitor and explore the trends of drone applications in their industries. While keeping an eye on drone market trends, companies should have legal experts on their team to navigate the legal drone landscape and assess proper data management protocols for drone data.

Have questions? Our team at Beckage is uniquely positioned to advise on emerging technology and privacy laws at both the state and national level. Contact us today for a consultation.

*Attorney Advertising: Prior results do not guarantee a similar outcome.

Biometric Law Compliance: What do State Biometric Laws Require of Businesses?

An increasing number of companies—in healthcare, education, finance, retail, technology and manufacturing—are implementing biometric identifiers.  This trend is growing in popularity as some argue that biometrics are more stable over time: passwords can be compromised and must then be changed, creating security challenges for businesses, whereas biometrics do not change.

While biometrics streamline the identification process, privacy concerns may arise.  To address potential privacy risks, several states have passed or proposed biometric laws.

What Are Biometric Identifiers?

Biometrics can be defined as unique, measurable behavioral or physiological characteristics that describe a person.  Essentially, biometrics work by using these unique characteristics to enhance personal authentication with easier, faster and more secure processes.  Common examples of biometrics are:

  • Voice
  • Fingerprint
  • Palm vein
  • Face recognition
  • Palm print
  • Hand geometry
  • Iris recognition
  • Typing rhythm
  • Gait
  • DNA

Implementing biometric identifiers presents businesses with new opportunities. For example, biometrics can be used to:

  • Improve student success in education by measuring and tracking student engagement
  • Save time in administrative processes by quickly identifying individuals with reduced human intervention
  • Help prevent unauthorized access to physical and digital environments

States with Biometric Laws

Illinois, Texas and Washington State are among the first states to pass laws to regulate biometric data.  Other states such as Arizona, Florida, Massachusetts and New York have proposals pending.  These laws regulate the collection, use, storage and retention of biometric data.  In response, businesses’ biometric compliance policies tend to emphasize the following:

  • Obtaining consent from individuals before collecting or disclosing personal biometric identifiers
  • Storing biometric data securely
  • Destroying biometric identifiers in a timely manner
  • Outlining separate biometric data policies for employees and customers

It’s important to understand each state’s law and its requirements.  For instance:

Definition: Some state biometric laws broadly define biometric identifiers as behavioral and physiological characteristics, while others specify the types of biometrics covered, as outlined in the list of common examples above.

Enforcement: Many states give their attorney general the power to enforce these laws.  However, differences exist.  For instance, Illinois law allows individual or class action lawsuits.  Violation of Illinois biometric law could result in fines between $1,000 and $5,000 per incident of noncompliance.

As more companies incorporate biometrics into business operations, states will continue to pass laws to guide business practices.  Companies should be cognizant of biometric law requirements and their differences, and ensure that policies and practices align with these legal obligations.

DISCLAIMER:  This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Vendor Contracts and Legal Requirements Regarding Pen Testing and Vulnerability Assessments

More and more frequently, penetration testing and vulnerability assessments are making it into news headlines and advertisements.  Let’s examine a few questions you should ask before signing up for a pen test or vulnerability assessment:

  • What are they?
  • How frequently should they be run?
  • Who offers these tests?
  • What contractual terms should be considered?

What Are They?

Pen tests test security from the outside or the inside.  Some regulations require them, such as the New York State Cybersecurity Regulation (23 NYCRR 500; the “Regulation”).  The Regulation defines penetration testing as a “methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside” the system.  Imagine it’s a basketball practice or hockey scrimmage and the coach’s focus is on gauging the strength and reliability of the defense in preventing goals or baskets.  The intention is to identify vulnerabilities and then try to exploit them against the system.

By contrast, a vulnerability assessment is a systematic review of information systems in order to identify cybersecurity vulnerabilities, quantify and/or consider the reasonable risk posed by those vulnerabilities, and potentially prioritize the levels of threat.  The goal is to identify potential risks.  The Regulation defines a vulnerability assessment as “systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities” in the Information Systems.
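To make the distinction concrete, the following is an added illustration (not code from Beckage, from the Regulation, or from any vendor) of the core step of a vulnerability assessment as defined above: comparing an asset inventory against a list of publicly known, already-published advisories and ranking the matches by severity so they can be prioritized. No exploitation is attempted, which is exactly what separates this from a pen test. Every advisory identifier, product name, version range, host name and severity score below is a constructed placeholder, not a real CVE or product.

```python
"""Toy vulnerability assessment: match an asset inventory against a list of
published advisories and rank the findings by severity.

Added illustration for this article; not code from Beckage or 23 NYCRR 500.
All advisory ids, products, versions, hosts and scores are constructed.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # constructed placeholder such as "ADV-0001", not a CVE
    product: str
    affected_min: str   # inclusive lower bound of the affected version range
    fixed_in: str       # exclusive upper bound: this version carries the fix
    severity: float     # CVSS-style base score, constructed for the example


def is_affected(version: str, adv: Advisory) -> bool:
    """Installed version is affected when affected_min <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def risk_band(score: float) -> str:
    """Map a numeric score onto the bands an assessment report usually uses."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def assess(inventory, advisories):
    """Cross-reference every (host, product, version) against every advisory.

    Returns findings sorted by severity (highest first), then by host, which is
    the 'prioritize the levels of threat' step the article describes.
    """
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and is_affected(version, adv):
                findings.append({
                    "host": host,
                    "product": product,
                    "version": version,
                    "advisory_id": adv.advisory_id,
                    "severity": adv.severity,
                    "band": risk_band(adv.severity),
                    "remediation": f"upgrade to {adv.fixed_in} or later",
                })
    findings.sort(key=lambda f: (-f["severity"], f["host"]))
    return findings


# Constructed advisory feed (placeholders, not real vulnerabilities).
ADVISORIES = [
    Advisory("ADV-0001", "webserver", "2.4.0", "2.4.50", 9.8),
    Advisory("ADV-0002", "webserver", "2.4.0", "2.4.30", 5.3),
    Advisory("ADV-0003", "dbengine", "12.0.0", "12.7.0", 7.5),
]

# Constructed asset inventory: (host, product, installed version).
INVENTORY = [
    ("web-01", "webserver", "2.4.29"),   # affected by ADV-0001 and ADV-0002
    ("web-02", "webserver", "2.4.50"),   # already at the fixed version
    ("db-01", "dbengine", "12.3.1"),     # affected by ADV-0003
    ("db-02", "dbengine", "12.7.0"),     # already at the fixed version
]


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f['band']:8} {f['severity']:>4} {f['host']:7} "
              f"{f['product']} {f['version']} {f['advisory_id']} -> {f['remediation']}")
```

Running the module prints three prioritized findings: the critical web-server issue on web-01 first, then the high-severity database issue on db-01, then the medium one. Note that the upper bound is exclusive, so a host already running the fixed version produces no finding; getting that boundary wrong is a common source of both false positives and missed patches in real scanners.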

How Frequently Should They Be Run?

Under the Regulation, penetration testing must be performed annually, focusing on the relevant risks identified in your Risk Assessment.

Vulnerability assessments must be performed biannually, based on the Risk Assessment results.

NIST (the National Institute of Standards and Technology) describes various vulnerability validation techniques, which include pen testing and vulnerability assessments.

Who Offers These Tests?

Who doesn’t?  Nearly every company in any way related to technology will offer this service.  Why?  It is inexpensive, a good first step to understanding a company, and the tests are relatively easy to perform.  It is important to find trusted, experienced vendors who know the purpose and goals of these tests.  Some parts of the tests are automated, and others require a sufficient degree of skill – so experience and knowledge will be important in selecting a vendor.

Contractual Terms to Consider

Because an organization must share a lot about its business and expose its systems during pen testing and vulnerability assessments, a vendor should be chosen thoughtfully, and contracts entered into carefully.

Initially, what is the purpose of performing the tests?  Are they legally required?  Are they part of a larger risk assessment and analysis?  What should the end-product report look like?

Confidentiality is a must-have provision.  The scope of the project should be well defined and planned so as not to harm business operations or create new vulnerabilities.  Make sure the vendor has the appropriate insurance in place.  Most importantly, there must be well-defined risk allocation provisions.  Plan also for what the end of the project will look like, including the results and next steps.

Again, key ingredients of a vendor contract are confidentiality, scope, vendor insurance, risk allocation provisions and results/next steps.

The bottom line?  Know your vendor, get referrals from trusted persons in the space, and make sure the right legal obligations are in place.  The attorneys at Beckage PLLC can help you navigate through pen testing and vulnerability assessment from drafting the vendor agreement to performing a gap analysis of your current practices and policies and updating them accordingly.

DISCLAIMER:  This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Important Clarifications Initiated on California Consumer Protection Act

The California Consumer Protection Act (CCPA) will impact global companies. The CCPA sets forth landmark privacy rights for Californians and becomes effective January 1, 2020. Last week the California Assembly Privacy and Consumer Protection Committee began clarifying important ambiguities in the CCPA through a series of amendment bills. These amendment bills are not law just yet.  These bills were actions taken by the Committee to advance proposed changes through the legislative process. Some of the most notable clarifications from the amendment bills include:

  • Updating the current CCPA to make it clear that employees are not “consumers” for purposes of the CCPA and addressing some of the concerns with household data.
  • Clarifying personal and de-identified information by adding a reasonableness standard to make it clear that not all information capable of being associated with an individual or household will be considered personal information. Further, the de-identification standard would be shifted to the FTC “reasonably linkable” de-identification definition, which is better understood.
  • Redefining “publicly available” to mean information that is lawfully made available from federal, state, or local records to ensure there is a public record exemption from the definition of “personal information.”
  • Adding amendments that make loyalty programs exempt from the CCPA’s “non-discrimination” restrictions.
  • General cleanup of mistakes and confusion in the current language.
  • Updating the current CCPA requirement that businesses must establish a toll-free number to receive CCPA requests, to a requirement that they must provide a toll-free number or an email address.

Two amendment bills that would have dramatically expanded the CCPA requirements were withdrawn.  Notably, these included a bill that would have extended the private right of action to all privacy violations, extended the opt-out to all sharing of personal information (not just “sales”), added data minimization requirements, and expanded the CCPA right-to-know requirement to require an accounting to consumers of the specific third parties with whom personal information was shared.

What’s next? These amendment bills head to the Senate leadership. However, these initial steps suggest that some legislative clarifications of CCPA requirements may pass this year.  It is important to balance compliance with this state law with other data privacy and security laws across the globe.  Taking a practical approach with experienced legal teams will be critical.

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used or relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where the advice is sought.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Reminder - March 1, 2019 Deadline for Third-Party Vendor Policies

Once again, March 1st nears. And with it comes a cybersecurity compliance milestone for those entities operating under New York’s insurance, finance and banking laws. This date now looms large thanks to the New York State Department of Financial Services (“DFS”) and its Cybersecurity Regulation (“Regulation”), first put into effect on March 1, 2017. Let’s break down what this means.

Who?

“Covered Entities” under the Regulation include those entities that are operating or are required to operate under the New York insurance, finance and banking laws.

What?

The next compliance milestone pertains to putting in place policies for Third Party Service Providers. The policies and procedures need to address the security of vendors who are accessing a Covered Entity’s systems or “non-public information” as addressed under the Regulation.

The policies shall be based upon a risk assessment and address, to the extent applicable:

1. The identification and risk assessment of Third-Party Service Providers (as defined under the Regulation);

2. Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;

3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and

4. Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers including to the extent applicable guidelines addressing:

1. The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, as required by section 500.12, to limit access to relevant Information Systems and Nonpublic Information;

2. The Third-Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;

3. Notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third-Party Service Provider; and

4. Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.

Note, the DFS has advised that it is insufficient to rely solely on the Certification of Compliance submitted by the Third-Party Service Providers to the DFS under the Regulation as their only means of evaluating their compliance with this milestone.  

What else?

There have been a number of milestones for Covered Entities to address since the Regulation went into effect on March 1, 2017.  

When?

The process of developing and implementing Third-Party Service Provider policies can be cumbersome and time-consuming given the complexity of the relationships your company may have with a variety of Third-Party Service Providers.

Begin as soon as possible, as there are often several components to the analysis and March 1, 2019 is nearing.

Why?

Because the DFS Regulation says so.

The contents of the Regulation, 23 NYCRR Part 500, can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.

How (to take Next Steps)?

Consult legal counsel to confirm whether your policies comply with the Regulation and other applicable laws.

The attorneys at Beckage PLLC can help you navigate policy drafting, the Third-Party Service Provider risk assessment and other regulatory compliance matters by offering practical legal advice that will help arm your company with the knowledge to make sound business decisions.

DISCLAIMER: This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

Does the GDPR Apply to Your US-Based Business?

Does the European Union’s General Data Protection Regulation (GDPR) apply to your non-EU company? State-side, this is the million-dollar question that many US-based companies are still grappling with today – some 8 months after the GDPR’s enactment.

Long-promised and much-awaited Guidance from the European Data Protection Board (“Board”) on the territorial scope of the GDPR is here and attempts to provide clarification to that question.  

As adopted by the Board, the Guidance explains that the GDPR applies in situations where the “Establishment Test” or the “Targeting Test” is met – explained below.

The Establishment Test

The Board confirmed that the processing of certain personal data does not have to occur within the EU for the GDPR to apply.  Indeed, the “geographical location [of processing] is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question.”

What is required, as per the Guidance, is that the entity be a processor or controller that is established in the EU and that the processing occur within the context of the activities of that establishment.

Establishment is a threshold of GDPR applicability.  So, what is establishment?  GDPR Article 3 defines establishment as “any effective and real exercise of activities” through “stable arrangements” in the EU.  Art. 3.  The Guidance further interprets the concept of establishment by citation to pre-GDPR case law from the Court of Justice of the European Union (CJEU) which found “establishment” where a company:

  - Had (a) a website in the Hungarian language for the purpose of advertising in Hungary; (b) a representative in Hungary serving as a point of contact between that company and the data subjects; (c) a Hungarian postal address and a letter box; and (d) a bank account intended for the recovery of debts. See Weltimmo v. NAIH;

  - Processed personal data where such processing was “inextricably linked to” and carried out “in the context of … activities” of the company’s subsidiary which was located in an EU member state. See Google v Costeja (Google Spain).

Got it?  Not quite.  The Guidelines also provided a handful of helpful case studies, including the following hypothetical:

A China-based e-commerce website conducts data processing activities exclusively in China. The same company has established an office in Berlin to implement commercial prospection and marketing campaigns towards EU markets.

Does the GDPR apply?  Yes, according to the Guidance, the activities of the Berlin office are inextricably linked to the processing of personal data carried out by the Chinese company, insofar as the commercial prospection and marketing campaign towards the European Union markets notably serve to make the service offered by the e-commerce service profitable.

Lest application of the GDPR feel like a law school exam, there is a second test for applicability – the Targeting Test, which the Guidance also helps to clarify.

The Targeting Test

The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union where the processing activities are related to: (a) the offering of goods or services to data subjects in the European Union (regardless of whether or not payment is required); or (b) the monitoring of the data subjects’ behavior as far as their behavior takes place within the European Union.

Let’s break that down.    

In the European Union

The Guidance confirms that the “in the EU” portion of the test does not require citizenship or residence in the EU.  Any data subject located in the European Union is entitled to the rights and privileges afforded by the GDPR, regardless of whether that subject is an EU citizen or resident of a member state.

Offering Goods and Services

To determine whether your non-EU company is offering goods and services to data subjects located in the EU, the Guidance provides a series of factors for consideration:

      - paying a search engine operator to facilitate access to consumers in the EU;

      - mentioning contact details to be reached from a Member State;

      - using a top-level domain name other than that of the third country where the processor or controller is established;

      - offering the delivery of goods to Member States;

      - using a language or currency other than that generally used in the trader’s country;

      - offering a description of travel instructions from one Member State to the place where the service is provided;

      - identifying international clientele in various Member States.

This Guidance, together with an earlier Recital of the GDPR, makes clear that the goods and services part of the Targeting Test remains highly fact-sensitive and subjective.

Monitoring Behavior

The Guidance provides most clarity when it comes to the monitoring behavior grounds of the Targeting Test.  There are numerous methods to monitor online activities including, most notably, the use of first-party cookies.  The use of cookies, or the “online collection or analysis of personal data of individuals in the EU,” does not automatically constitute “monitoring” under this test. Rather, the collection must be for purposes of profiling or analyzing the behavior of that person. Specifically, and citing back to an earlier Recital, the Board states that to constitute monitoring, the purpose of the collection should be to “profil[e] a natural person, particularly in order to make decisions concerning her or him or for analy[z]ing or predicting her or his personal preferences, behaviors and attitudes.”  Indeed, the use of the word monitoring “implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behavior within the EU.”   Thus, it could be argued that the GDPR would not apply to a non-EU based company that “inadvertently” tracks EU-based persons through website cookies provided that information is not used for profiling and behavior monitoring.

The Board clarified that other types of technology involving personal data processing, such as wearable and smart devices, may also be a method by which monitoring behavior subject to the GDPR can occur.  In sum, there are no hard and fast rules here.  A case-by-case assessment needs to be performed in order to establish whether “monitoring” is performed.

While some unanswered questions remain, the Guidelines set out to clarify the criteria for determining the applicability of the GDPR to your US-based company.  The attorneys at Beckage PLLC are fully equipped to help companies big and small navigate the territorial scope issues surrounding GDPR applicability and help reduce your risk and exposure under the new law.

 

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage. www.beckage.com or info@beckage.com.

 

Next Compliance Milestone Approaches Under the NYS DFS Cybersecurity Regulation

The New York State Department of Financial Services issued a Cybersecurity Regulation (23 NYCRR 500) (“Regulation”) that went into effect on March 1, 2017.  The Regulation carried with it several compliance milestones applicable to “Covered Entities” under the Regulation, which includes those entities that are operating or required to operate under the New York insurance, finance and banking laws.

SUMMARY OF COMPLIANCE MILESTONES TO DATE

The Regulation first required Covered Entities to establish a number of Cybersecurity and IT policies and procedures by August 28, 2017.  Next, Covered Entities were required to submit a Certification to the Department of Financial Services by February 5, 2018, that they complied with the first milestone under the Regulation.  By March 1, 2018, the Regulation required Covered Entities to implement additional CISO reporting, Annual Penetration Testing and Vulnerability Assessments, and Risk Assessments, and to implement Multi-Factor Authentication where necessary based on the results of the Risk Assessments.

The most recent milestone was on September 3, 2018.  Covered Entities were responsible for establishing audit trails to reconstruct material financial transactions, creating policies and procedures around in-house developed applications, and assessing the security of externally developed applications.  In addition, Covered Entities were required to establish policies on Data Retention limitations, continue Cybersecurity training and monitoring, and develop procedures for the encryption of Non-Public Information that is transmitted over external networks and at rest, unless infeasible.

NEW MILESTONE - MARCH 1, 2019 DEADLINE

The next compliance milestone pertains to Third-Party Service Providers. This milestone must be met by March 1, 2019 and involves the oftentimes complex process of evaluating the Third-Party Service Providers utilized by your company.  This process can be cumbersome and time-consuming given the complexity of the relationships your company may have with a variety of Third-Party Service Providers.  Accordingly, it is recommended that you begin this process as soon as possible, as there are often several components to the analysis.

SUGGESTED NEXT STEPS

Moving towards the March deadline, Covered Entities should assess the risk that each Third-Party Service Provider poses to their data and systems and then determine an effective solution to address those risks.  It is insufficient to rely solely on the Certification of Compliance submitted by the Third-Party Service Providers to the DFS under the Regulation as the only means of evaluating their compliance with this milestone.

Covered Entities should take steps to determine what, if any, Third Party Service Providers are being utilized by the company, evaluate them as it relates to security, and review the relevant policies and procedures. Covered Entities should consider whether or not it makes sense to require Third Party Service Providers to carry adequate insurance including Cyber Insurance to cover both the entity and the Covered Entity should a breach occur.  

ADDITIONAL INSIGHT INTO THE REGULATION

It is helpful to note that the DFS regularly answers FAQs pertaining to the DFS Cybersecurity Regulation that provide valuable insight.  The complete list of FAQs can be found at the following link: https://www.dfs.ny.gov/about/cybersecurity_faqs.htm

The contents of  23 NYCRR Part 500 can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf

The attorneys at Beckage PLLC are fully equipped to help you navigate through the Third-Party Service Provider Risk Assessment and all other components required under the Regulation by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.  

DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage. www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.

 

The Importance of an Incident Response Plan

As recent news headlines confirm, data breaches continue to be a threat to companies regardless of size. From reputational harm, disruption to your daily business, to significant monetary penalties and litigation, the potential consequences of a data breach are significant. It is more important than ever that companies evaluate their cybersecurity readiness plan, from policies and procedures to privacy concerns under the GDPR, to ensure they are ready if a breach occurs. While there is no one-size-fits-all approach to preventing data breaches, there are many best practices companies can employ to help minimize the risk of being breached. From regularly conducting risk assessments and inventorying the data that you collect to developing and testing your incident response plan, preparation is the name of the game. One component of your data security program, an Incident Response Plan, is an important step you should have in place to help mitigate and contain an incident if one occurs.

What is an Incident Response Plan?

An Incident Response Plan sets forth the company’s procedure for identifying, reporting and responding to an incident should one occur. It ensures that everyone is on the same page if a data breach happens. At a minimum, here are some key elements that an Incident Response Plan should include:  

   1) Policy scope and definitions.

   2) Identification of Incident Response Team members and the role of each.

   3) Procedures for identifying, reporting and responding to an incident.

   4) The legal obligations for reporting and notice to potentially impacted persons.

   5) How often the Incident Response Plan will be reviewed and updated.

   6) Post-incident analysis procedures.

Developing an Incident Response Plan is not the end of the road, however. Your Incident Response Plan is a living and breathing document, and the best way to know if it actually works is to test it consistently. Run simulated cyber incidents that force your company to work through the procedures in your plan, fix the gaps they expose, and make improvements. Simulated incidents with counsel are ideal to help identify legal risks along the way and help put the company in a legally defensible position.

It is very important to have your Incident Response Plan reviewed by Legal Counsel to ensure it satisfies your legal obligations under various state, federal and international laws. Beckage attorneys are fully equipped to help you navigate this process and help reduce your risk and exposure should a data breach occur.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.

Preparing for New York’s New Sexual Harassment Laws

In the wake of the #MeToo movement and widespread attention on sexual harassment in the workplace, on April 12 Governor Cuomo signed into law the 2019 Budget, which included a package of laws aimed at combating sexual harassment.  These laws apply to employers of all sizes – even those with only one employee – and obligate employers, among other things, to 1) distribute a written sexual harassment policy, and 2) perform annual sexual harassment training.  Now is the time to revisit your anti-sexual harassment programs and policies and make the necessary changes to ensure compliance with these laws. Here are a few key elements employers need to know.

Sexual Harassment Policy:
By Oct. 9, every employer in New York state must have a written sexual harassment prevention policy in place and distribute it to its employees.

Employers can use the model policy created by the New York State Department of Labor and the New York State Division of Human Rights, or they can create their own policy provided that it equals or exceeds the minimum standards set forth in the model policy.   

Some key elements the policy must include:  

  • A statement prohibiting sexual harassment;  
  • Examples of prohibited conduct that would constitute unlawful sexual harassment;
  • Information concerning the federal and state statutory provisions concerning sexual harassment, remedies available and a statement that there may be applicable local laws;
  • A standard complaint form;
  • A prohibition on retaliation;  
  • A procedure for the timely and confidential investigation of complaints that ensures due process for all parties;
  • An explanation to employees of their rights of redress and all available forums for adjudicating sexual harassment complaints administratively and judicially; and
  • A statement that sanctions will be enforced against those who engage in sexual harassment and managers and supervisors who knowingly allow sexual harassment.  

A sexual harassment policy can be provided to employees in hard copy or electronically but must also be accessible and printable during working hours.  Employers are required to prepare and distribute a compliant written policy by October 9, 2018.  

Mandatory Sexual Harassment Training:
Beginning Oct. 9, every New York state employer must provide sexual harassment prevention training to all employees on an annual basis. Employers can either use the model sexual harassment prevention training program created by the New York State Department of Labor and the New York State Division of Human Rights or establish their own training program that equals or exceeds the minimum standards provided by the model.  While it hasn’t been officially confirmed, it seems likely that this training can be given online provided it is interactive. The training must include the following:

  • An interactive component;
  • An explanation and examples of prohibited sexual harassment;
  • Information on federal and state statutes prohibiting sexual harassment;
  • Remedies and rights of redress under the applicable statutes; and
  • An explanation of added responsibilities for supervisory employees.

Employers may satisfy the “interactive” training requirement by: (1) asking questions of the employees as part of the program; (2) including a question-and-answer portion to accommodate employee questions; (3) using a live trainer to conduct the training or making a live trainer available to answer questions; or (4) requiring employee feedback about the training. Employers should implement as many of the above interactive components as is feasible. All employees must receive compliant sexual harassment training on or before October 2019.

New hires must receive a compliant sexual harassment training within 30 calendar days of hire.  

Special Provisions for New York City Employers:
Beginning April 1, 2019, all New York City employers with 15 or more employees must provide interactive (but not necessarily live) sexual harassment prevention training to all full- and part-time employees and interns annually, and to new employees within 90 days of hire.

The NYC Commission on Human Rights will create an interactive training module that will be available to employers free of charge.  While these government-created training programs will meet minimum legal requirements, employers should consider providing more detailed, in-person sexual harassment and anti-discrimination training programs.

Beckage attorneys are available to help employers navigate these new sexual harassment laws, including drafting and reviewing sexual harassment policies as well as offering webinars and interactive training programs to ensure compliance with the new laws.    


Privacy Statements and Terms of Use - Low Cost Updates Can Provide High Impact Results

If you have not noticed, most websites have Terms of Use and Privacy Statements. What is the difference between them, what do they mean, and why are they important?

In short, Terms of Use - also called Terms and Conditions or Terms and Conditions of Use - explain the rights and responsibilities of parties using a company's website. They typically address intellectual property rights and proper use of the website.

Privacy Statements - or Privacy Policies - help companies tell website users about the information the company collects from the user and how the company will use that information. This would include information the user enters into the site, or information that is automatically collected through the use of cookies or web beacons or other behavior tracking methods, which may provide information to the company or simply just assist with the user's navigation and use of the website.

With the EU's new General Data Protection Regulation (GDPR) in place, Privacy Statements are even more important now. Legal counsel should review these statements to ensure that they are accurate and legally compliant.  

Understanding the technology being used as part of the website development process is critical, and companies may struggle in putting these documents together. The risks of an inaccurate Privacy Statement or Terms of Use, however, are significant. While there are some common elements that may be included, the specific content of your privacy statement and terms of use will be unique to your business and website type.

Beckage is made up of former owners of a web development company, technologists, and lawyers certified as Certified Information Privacy Professionals, United States (CIPP/US), and has developed many privacy statements and terms of use. We are happy to help review your Privacy Statement and Terms of Use - a low cost project that delivers a high impact for your organization.


Evolving Privacy Paradigms

Privacy paradigms all over the world are quickly evolving, starting with the European Union’s adoption of the General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law, India’s pending Personal Data Protection Bill, and California’s just-passed Consumer Privacy Act. While the specifics vary, the international trend in adopting a comprehensive privacy law to govern all sectors, industries and emerging technologies remains. What’s more, the international paradigm is shifting away from a US-backed view of personal data as a commodity, and towards the EU’s view of personal data as an extension of self, with a range of human rights implications for data subjects. From the right to notice, access and correction to the right to portability and even erasure, companies subject to international privacy laws must have processes in place to identify personally identifiable information and respond expeditiously to the requests of individuals.

Depending on past data practices, businesses may also be faced with legacy archives of personal data now subject to international regulation. Inventorying your company’s data archives, classifying that data based on its content and sensitivity, and processing or destroying it appropriately are all necessary steps that businesses will need to take in the near term. Businesses should also consider whether de-identification and anonymization of personally identifiable information provides an avenue to avoid the strictures of some of these international privacy regimes.

To successfully operate in a multi-jurisdictional world, businesses must appreciate the evolving privacy paradigms currently in play and adapt to them within the requisite time frames. With penalties nearing 4% of annual worldwide revenues under the GDPR, compliance is key. Beckage attorneys know the difference between being in compliance with privacy laws and being able to demonstrate that compliance to the satisfaction of a national or international regulator. Call experienced counsel on whether and how your company can comply with the GDPR or other national and international privacy laws.


Changing Times Means Revising Employee Handbooks

While employee handbooks are not required, creating, maintaining and regularly updating a company handbook is a best practice to follow. An employee handbook lays out basic information to employees about company policies and the employment relationship. But creating and implementing your handbook is insufficient – it is a living and breathing document that must be updated regularly (ideally annually) to ensure compliance with evolving federal, state and local laws as well as fast-moving changes to technology.

A properly drafted employee handbook is a valuable communication tool to help employers avoid legal problems and relay expectations, especially with the proliferation of technology use both in and outside of the workplace. From smart phones to tablets, employees regularly conduct both personal and professional business using various devices. Clear and concise employer-issued policies, such as those that govern social media use, computer use, data security, and bring your own device (BYOD), help set the expectations for both the employees and employers on what behavior is appropriate and can help protect employers from liability if an issue arises.

This past June the General Counsel of the National Labor Relations Board (the “NLRB”) issued a memorandum that, while not binding, provides helpful insight to employers reviewing their handbooks under the National Labor Relations Act (the “NLRA”). By way of background, the NLRA applies to both union and non-unionized workforces and generally protects an employee’s right to discuss wages, hours, and other terms and conditions of employment, known as Section 7 rights. Based on NLRB case law, employers may not maintain any work rule if the rule has a “chilling effect” on such rights. The NLRB will find such a chilling effect if employees would “reasonably construe” the rule’s language to prohibit their Section 7 rights under the NLRA. This memorandum marks a shift in the NLRB’s prior broad prohibition on certain workplace rules and signals a more employer-friendly approach in interpreting federal labor law.

The NLRB memo, issued on June 6, 2018, provides practical examples for employers of specific workplace rules and breaks them down into three categories of rules that are useful in evaluating employer policies. Rules in the first category are generally lawful and include those requiring civility and authorization to speak on behalf of the employer and those precluding the disclosure of confidential customer information. Examples include rules against defamation or misrepresentation, rules against using employer logos or intellectual property, and rules requiring authorization to speak for the company. Rules in the second category warrant “individualized scrutiny” and include, for example, those regulating off-duty conduct, confidentiality and conflicts of interest. Rules in the third category are unlawful and include confidentiality rules regarding wages, benefits or working conditions. The memo does a good job of providing specific examples in each category that are informative in crafting and evaluating language contained in employer policies.

While not binding, this memo is instructive as to what the NLRB will be looking for in terms of its prosecution of employers. Employers are encouraged to carefully review their handbooks and technology-use policies to see where they might be able to articulate stronger expectations in light of the various examples offered in the memo. It is expected there will be more guidance and decisions coming out from the Board in this area over the next several months so employers should proceed cautiously in revisiting rules in their employee handbooks with the assistance of counsel. Beckage attorneys are available to help you draft or redraft rules in light of these changing standards and closely monitor this evolving area of employment law.  
