0
Top Privacy and Cybersecurity Trends of 2021Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 

 

New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam back in March, the Virginia Consumer Data Protection Act (VCDPA) becomes effective on January 1, 2023 and applies to all companies who operate a business or produce products or services that are targeted to residents of Virginia and meet certain thresholds. Months later in July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to go into effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and meet certain thresholds. Both the VCDPA and the CPA carve out several exemptions for entities that are already covered under the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not provide an exemption for non-profit organizations. Furthermore, neither the VCDPA nor the CPA offer a private right of action. 

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt-out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Beckage recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   

 

Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive attacks such as SolarWinds and the Colonial Pipeline ransomware attack, both the federal government and also state governments sought to increase their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The new Civil Cyber-Fraud Initiative announced by the Department of Justice back in October further indicates the increasing importance of developing and maintaining resilient cybersecurity protocols.  

The federal government’s response to this year’s exponential increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and Black Matter – to take their dark web platforms offline.  At the same time, however, new variants of ransomware are constantly emerging and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations.   

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market.  Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards in place.  For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.  

Beckage’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Beckage recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 

 

Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 was no different – especially with the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm back in September that the requirements contained in the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the COVID-19 pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Beckage’s Data Security and Privacy Compliance and Health Law Teams recommend businesses take stock of their employee data collection practices in their efforts to prevent the spread of COVID-19. 

 

Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted back in JanuaryMarch, and April, BIPA’s private right of action has contributed in part to an increase in the number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit had just issued its decision in Cothron v. White Castle, certifying the issue of BIPA claims accrual to the Illinois Supreme Court.  

 

Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Beckage Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA) as well as the rapidly evolving caselaw surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately of 4,000 new lawsuits filed this year alone, with most of these cases filed against small to medium sized businesses. The issue of whether websites qualify as places of public accommodates under the ADA continued to take shape in 2021. For example, in May the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with 9th Circuit authority that has held a website is a place of public accommodation if there is a nexus to a brick and mortar location. In September, the United States District Court for the Eastern District of New York issued a decision in Winegard v Newsday LLC, which also concluded that a website is not a “place of public accommodation” under Title III of the ADA. Despite this unsettled landscape, we anticipate more litigation to come around the specific statutory definition of what constitutes a “public accommodation.” 

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Beckage recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead in to 2022.  

 

Telephone Consumer Protection Act (TCPA) 

TCPA class actions are numerous. Beckage’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout the course of 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the scope of the TCPA down to systems that utilize random number generators. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that leverage text messaging marketing as part of their consumer outreach should evaluate compliance initiatives and stay up to date on this fast moving area of the law. 

 

More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws have added a set of new cross-border requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data exchange. The new SCCs are applicable for all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition all contracts using the older SCCs to ones with the new SCCs. Additionally, Québec’s Bill 64, which received royal assent a few months ago, has a series of new requirements coming into effect within the next couple of years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 

 

Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Beckage’s team of attorneys and technologists work with businesses of all sizes and industries to develop comprehensive scalable data security and privacy infrastructures to navigate this fast moving area. 

*Attorney Advertising. Prior results do not guarantee similar outcomes. 

Subscribe to our newsletter. 

0
New Federal COVID-19 Vaccination Policies Trigger Data Privacy ConsiderationsNew Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

New Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

UPDATE:  On November 6th, the U.S. Court of Appeals for the Fifth Circuit issued a temporary stay of OSHA’s latest vaccine rules in BST Holdings, L.L.C., et al. v. OSHA, noting that “there are grave statutory and constitutional issues with the Mandate.” On November 12th, the Fifth Circuit issued an order in continuance of its November 6th stay, stating that enforcement of OSHA’s latest vaccine rules “remains STAYED pending adequate judicial review of the petitioners’ underlying motions for a permanent injunction.” The Fifth Circuit further ordered “that OSHA take no steps to implement or enforce the Mandate until further court order.”

However, with several other similar lawsuits pending in other federal circuits, the Judicial Panel on Multidistrict Litigation has selected, by lottery on November 16th, the U.S. Court of Appeals for the Sixth Circuit to be the tribunal to hear the consolidated cases. The Sixth Circuit will thus have the authority to issue the controlling opinion on OSHA’s latest vaccine rules, though many expect litigation to continue up to the Supreme Court of the United States for a final decision.

Businesses should stay up to date with current developments regarding OSHA’s latest vaccine rules and related lawsuits and should understand existing and intended data collections practices within their organizations.  Evaluating what is being collected, how it is being retained, how this information can be accessed and by whom remains a very important part of an organization’s data security and privacy infrastructure in light of this climate. The Compliance Team at Beckage is experienced in navigating such changes and can assist businesses with their data security and privacy programs as the landscape continues to evolve within the next couple of months.

Email Beckage Privacy Compliance Team Lead Kara L. Hilburger, Esq., (CIPP/US)  at khilburger@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in this space.

Continue reading initial post regarding The OSHA Rule below.


11-8-2021

On Thursday, November 4, 2021, the Occupational Safety and Health Administration (OSHA) published an Interim Final Rules (OSHA Rule) requiring employers with 100 or more employees to implement plans to confirm employees are vaccinated, and if not to test their employees weekly and require face masks. The OSHA Rule, published in the Federal Register on November 5, 2021, requires employers subject to the OSHA Rule to implement testing protocols for unvaccinated employees starting January 5, 2022.

Although the Fifth Circuit Federal Court of Appeals temporarily blocked the OSHA Rule on November 6, 2021, employers should still prepare a plan in the event the OSHA Rule is not permanently blocked given the pending compliance deadlines. This may require employers to revise existing procedures or create new policies and procedures. As employers develop and implement these policies, it’s important to carefully consider data privacy and security implications of maintaining this sensitive information about employees.

Below are just a few questions employers should ask as they develop these new policies.

Does the OSHA rule apply to me?

The answer depends on your company’s size, operation, and industry. Importantly, the new OSHA Rule does not apply to health care providers, which have even more stringent rules announced by the Centers for Medicare and Medicaid (CMS) on the same day.  The OSHA Rule applies to businesses with 100 or more employees.  To determine whether an employer meets this 100-person threshold, companies should count all full- and part-time employees at all locations and worksites. Employers do not have to count employees who are contractors, employees from a staffing agency, or franchisee employees if the employer is the franchisor.

What does the OSHA Rule require?

Employers that are subject to the OSHA Rule must:

  • Determine vaccination status. Determine the vaccination status of each employee, accept proof of vaccination, and maintain records of each employee’s vaccination status. The OSHA Rule outlines forms of acceptable proof of vaccination, which includes COVID-19 Vaccination Record Cards, a copy of medical records documenting vaccination, and employee attestations in limited circumstances.
  • Test unvaccinated employees and require masks. If an employer elects to not mandate COVID-19 vaccinations, the company must test each employee who is not fully vaccinated at least once every 7 days. If an employee has not been tested within a 7-day period, the employee must telework for two weeks before reporting back to a location with other employees and be tested within 7 or fewer days before returning. Employees will have to provide documentation of their test results and employers must maintain these test result records. Unvaccinated employees must wear face masks at the workplace.
  • Require employees to notify the employer of a positive COVID test or diagnosis. Companies must require employees to provide prompt notice of positive COVID-19 tests and diagnoses and take steps to remove them from the workplace until they meet the criteria for returning.

Are there any exceptions?

Yes. The OSHA Rule does recognize certain exceptions and exemptions to these requirements.

  • Employees who work exclusively remotely or at outside locations are not subject to the requirements.
  • The OSHA Rule also does not apply to workplaces covered by the Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors.
  • The OSHA Rule does not apply to health care providers, which are covered by the CMS interim final rule.
  • The OSHA Rule has exceptions for employees who cannot receive the vaccine for medical reasons, or who are legally entitled to a reasonable accommodation under federal civil rights laws because of disability or sincerely held religious beliefs that conflict with the vaccination requirement.

Do I need to provide paid leave for vaccinations?

Yes. Companies subject to this rule must provide employees with up to four hours of paid time to receive their vaccination. They must also allow for reasonable time and paid sick leave for the employee to recover from vaccine side effects.

Do I need to pay for the cost of testing if an employee isn’t vaccinated?

No, the OSHA Rule does not require covered employers to cover the costs of testing. However, other laws, regulations, collective bargaining agreements, or collective negotiation agreements may require the employer to pay for testing.

How does the OSHA rule impact state vaccination and testing laws?

The OSHA Rule pre-empts any state law that has less restrictive standards regarding vaccination and testing for COVID-19 in the workplace. States can impose greater vaccination requirements; for example, some employers may be subject to state laws that do not include medical or religious exceptions.

What needs to be addressed in the vaccination policy?

Companies must develop, implement, and enforce mandatory policies that address COVID-19 vaccination procedures or mandatory testing if the company does not mandate vaccinations.  These policies must be provided to employees in a language and literacy level that employees understand.

Are there any additional documentation and reporting requirements?

Yes. Companies must provide employees and their designated representatives with their vaccination and testing records by the end of the next business day following the request for such records. Companies must also be able to provide policies and procedures to OSHA within four business hours and must provide an aggregate number of total vaccinated employees upon request by the next business day.  Finally, companies must report work-related COVID-19 fatalities to OSHA within 8 hours of learning about them. Covered employers must report a COVID-19 related in-patient hospitalization within 24 hours of learning about it.

Are there penalties for non-compliance?

OSHA Officials have stated they will use OSHA’s authority to inspect workplaces and investigate complaints received from employees. Failure to comply with OSHA regulations can lead to a $13,653 penalty per violation for serious or failure to abate violations and a $13,532 per violation for willful or repeated violations.

How should companies prepare?

Companies subject to the OSHA Rule should review the new requirements and develop a strategy on how to document and implement the mandatory procedures most effectively and efficiently. The new rule requires employers to collect and maintain sensitive employee data. Policies and procedures addressing how these records will be maintained and protected will be necessary, and in tandem with developing procedures, companies may want to evaluate whether they need to update record retention procedures and determine whether existing data security and privacy protocols are sufficient.  It is also recommended that companies work with legal counsel to review whether and how state laws interplay with the new OSHA requirements.  Many state laws have statutes and regulations requiring companies to safeguard medical information held on behalf of clients and employees. This is particularly important for employers that have not previously held sensitive employee information such as health records and may not have proper procedures in place for safeguarding such records.

Beckage continues to monitor this evolving landscape and provide updates on important topics that impact data privacy and security, which have a very real impact on business operations. Regardless of the legislative landscape, a robust data security and privacy program that can stand the test of time is a wise investment. Our team is available to assist your team in the evaluation of legal implications of current requirements and legislative changes in the data privacy field.

Email Beckage Health Law Team Lead Sarah L. Rugnetta, Esq., (CIPP/E) at srugnetta@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

0
Illinois Cannabis Compassionate Care ActIllinois Cannabis Dispensaries and Their Vendors Should Pay Close Attention to Upcoming Compliance Deadlines

Illinois Cannabis Dispensaries and Their Vendors Should Pay Close Attention to Upcoming Compliance Deadlines

The Illinois Department of Financial and Professional Regulation (IDFPR) recently provided guidance interpreting data privacy and security requirements in Illinois’ Compassionate Use of Medical Cannabis Program Act (A280). Specifically, IDFPR recently published an FAQ outlining its interpretation of, and deadlines associated with, the Act’s requirement that Illinois cannabis dispensaries comply with certain sections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The guidance from IDFPR describes steps dispensaries must take to protect the security and privacy of health information, consistent with requirements in the HIPAA Privacy and Security Rules. As of August 1, 2021, dispensaries are required to provide customers with a Notice of Privacy Practices. The FAQ directs dispensaries and many of their vendors to conduct a security risk analysis that identifies risks to health information, and the likelihood and impact of such risks, by December 1st. Dispensaries must also adopt administrative, technical, and physical controls consistent with HIPAA standards by December 1, 2021.

Fines of up to $10,000 per violation may be issued against dispensaries and their agents. Examples of violations cited in the FAQ include sharing computer passwords, discussing health information with third parties, not using an industry-standard firewall, and not encrypting computers or networks that store health information.

Dispensaries and technology vendors that host health information on behalf of dispensaries should meet with counsel to discuss how these new requirements can be efficiently incorporated into existing compliance programs.  Specifically, dispensaries and vendors should confirm that their compliance programs include:

  1. Administrative safeguards: Under HIPAA these include a security management process, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, a contingency plan, and an evaluation.
  2. Physical safeguards: Under HIPAA these include facility access controls, workstation use procedures, workstation security, and device and media controls.
  3. Technical safeguards: Under HIPAA these include access controls, audit controls, integrity controls, person or entity authentication, and transmission security.

Two HIPAA safeguards that IDFPR focuses on in its guidance are security risk analysis and encryption of health information at rest and in transit.  Although HIPAA has no prescriptive timeframe for a security risk analysis, the IDFPR FAQ states that medical cannabis dispensing organizations should conduct a security risk analysis annually to identify areas of high-security risk to health information and implement security measures to address these risks.

Below are just a few key questions cannabis dispensaries and vendors should ask themselves as they evaluate readiness for these new requirements:

  1. Do I need to update my Notice of Privacy Practices or website privacy policies?
  2. Do I need to appoint additional privacy and security personnel?
  3. Is my training program appropriate and adequate?
  4. Do I need to consider additional administrative, technical, or physical controls to prevent unauthorized access (e.g., encryption, multi-factor authentication, heightened password requirements, access controls)?
  5. Is my annual risk analysis sufficient?
  6. Do I need to change my vendor management protocols or contract documents?
  7. Does my incident response plan consider relevant notification requirements?
  8. How should I document these compliance measures?

Conclusion:

As the cannabis industry continues to grow, attention from state legislators and regulators increases.  Cannabis dispensaries (and technology vendors operating in Illinois) should review their privacy and security programs to confirm compliance with HIPAA’s standards, which the state incorporated into the Compassionate Use of Medical Cannabis Program Act (A280).

Beckage focuses on the tech and privacy side of Cannabis so companies can grow smarter and more secure.  We work closely with IT teams, general counsel, and executive leadership to accomplish these results.  For more information regarding the Compassionate Use of Medical Cannabis Program Act (A280), email Beckage Cannaprivacy Team Lead Daniel P Greene, Esq., CIPP/US, CIPP/E at dgreene@beckage.com or call 716.898.2102.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

 

 

 

 

0
FTC Issues Policy Statement Affirming that Health Apps Must Comply with FTCFTC Issues Policy Statement Affirming that Health Apps and Connected Device Companies Must Comply with FTC’s Health Breach Notification Rule

FTC Issues Policy Statement Affirming that Health Apps and Connected Device Companies Must Comply with FTC’s Health Breach Notification Rule

At an open commission meeting on Wednesday, September 15th, the Federal Trade Commission (FTC) voted 3-2 to approve a policy statement affirming that health apps and connected devices that draw information from multiple sources need to comply with the FTC’s August 2009 Health Breach Notification Rule. The policy statement serves as a notice to health apps and connected devices – companies that are traditionally not covered entities under HIPAA –  “of their ongoing obligation to come clean about breaches”.  The statement also affirms that the entities may be subject to civil penalties of up to $43,792 per violation per day.

The American Recovery and Reinvestment Act of 2009 (Recovery Act of 2009) required the FTC to enforce breach notification requirements with respect to vendors and third parties and to adopt a rule implementing such requirements. Under the Health Breach Notification Rule, vendors of personal health records and related entities must notify U.S. consumers and the FTC, and, in some cases the media, if there has been a breach of unsecured identifiable health information.

Acknowledging that it has now been more than a decade since the promulgation of the Health Breach Notification Rule and that there has been a proliferation of apps and technologies that consumers can now use “to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas,” the FTC affirmed on Wednesday that apps capable of drawing information from multiple sources (such as through a combination of consumer inputs and APIs) are covered, even if the health information comes from only one source.

You can read the full policy statement of the FTC here.

FTC Chair Lina M. Khan and Commissioners Rohit Chopra and Rebecca Kelly Slaughter voted in favor of the policy statement, while Commissioners Joshua Phillips and Christine S. Wilson each issued dissenting statements. The dissenting opinions asserted that this statutory and regulatory opinion should be determined in the context of the rulemaking process that is currently under way, rather than a policy statement.

It is important that companies developing health apps and connected devices be aware of this announcement.  Beckage closely monitors developments in laws and regulations governing health data and breach response. Beckage’s team of highly skilled attorneys and technologists are uniquely situated to assist clients as they navigate these changes.

Email Beckage Health Law Team Lead Sarah L. Rugnetta, Esq., (CIPP/E) at srugnetta@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising; prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

Data Privacy DayBeckage Attorneys Make 2021 Data Security & Privacy Predictions in Observance of Data Privacy Day

Beckage Attorneys Make 2021 Data Security & Privacy Predictions in Observance of Data Privacy Day

Today is Data Privacy Day – an international event held annually on January 28th with the purpose of promoting privacy and data protection best practices for consumers and businesses. At Beckage, every day is Data Privacy Day – our team of lawyers and technologists works daily with clients on data security and privacy measures, from developing policies and procedures to comply with international and domestic privacy regimes to responding to headline-making data incidents and defending clients in data security and privacy class actions.

The legal landscape surrounding data security and privacy is constantly evolving to adapt to technological advancements and global privacy trends. In observance of this holiday, we asked some of our experienced team members what they expect to see in this space in 2021.


Litigation – Myriah V. Jaworski, Esq. CIPP/US, CIPP/E

My data privacy prediction for 2021 is also related to biometrics. This year we will see the continued rise of regulation over and litigation concerning the use of biometric information.

A few years after the Illinois State Legislature passed BIPA, the Biometric Information Privacy Act, we started to see a slew of class action lawsuits filed against businesses alleged to have violated BIPA’s written release requirement. BIPA class actions have ranged from headline-making cases against major tech companies, such has Facebook, to small and medium-sized businesses across numerous industries.

While biometric lawsuits were once viewed as a risk associated only with doing business in Illinois, other states, like Washington and Texas, have followed suit by passing their own laws mimicking BIPA and others are eyeing their own biometric privacy bills. Of note, a bill nearly identical to BIPA is pending in the New York State legislature, which, if passed, could have a much larger impact on businesses given that New York is one of the largest economies in the United States.

At the federal level, we have recently seen the Federal Trade Commission (FTC) enter the biometric conversation with its consent agreement with EverAlbum, Inc. This consent order may have set a nation-wide standard for businesses’ use and collection of biometric information, regardless of whether those businesses operate in states that have enacted or pending biometric privacy laws.

In short, in 2021 the risks and penalties associated with collecting and using biometric information are steep. Any business, regardless of location, that is engaging in biometric information collection should conduct a privacy audit, look at its written policies, and ensure that it has the requisite consents in mind. As a litigator, I always say “demonstrable compliance is the strongest legal defense,” and that is certainly true in the biometric privacy space.

Watch Myriah’s video prediction here.


Incident Response – Daniel P. Greene, Esq., CIPP/US, CIPP/E

At the heart of what we do as incident response privacy practitioners is data breach prevention.  My 2021 prediction for the privacy landscape is an expansion in the use of multi-factor authentication. This is great news for incident response because, often, multi-factor authentication is an important step in helping to avoid a data incident and protect the privacy of data.

Multi-factor authentication is when a user identifies themself through biometrics, like a facial or fingerprint scan, or though entering a code on a device to confirm access to sensitive spaces, like a bank account or work network. It helps in avoiding unauthorized access and we expect to see this technology used in new spaces in 2021, such as when using an ATM or checking out at a grocery store.

We also anticipate an expansion in the use of biometrics over device authentication. There have been numerous documented incidents where device authentication has backfired. A famous example occurred in 2019 when attackers were able to gain access to Twitter CEO Jeff Dorsey’s account using a SIM card swap scheme. Because biometric identifiers are much more difficult to change or duplicate, using a facial scan or fingerprint is a much more secure method of confirming a user’s identity. And while this brings up a host of other issues about safeguarding biometric information, I think we can expect to see it used a lot more soon.

Watch Dan’s video prediction here.


Government Investigations – Michael L. McCabe, Esq., CCEP

In 2021, I expect to see increased enforcement of privacy and data security laws and regulations at both the federal and state level. Considering new leadership in Washington D.C. and the looming impact of the COVID-19 pandemic, I predict not just an uptick in enforcement, but also a more muscular approach by regulators.  More enforcement actions are expected, a further reminder for companies to work with experienced tech privacy and security legal counsel to minimize legal and technical risk.

At the federal level, look for enhanced enforcement by the Federal Trade Commission (FTC), Federal Communications Commission (FCC), and Securities and Exchange Commission (SEC). On the state level, I anticipate a similar response by state attorneys general outside of Washington.   

In 2020, we saw a major uptick in cyber-attacks, due in part to companies having to quickly adopt policies for a distributed workforce.  There were also numerous COVID-related phishing attempts. These developments have resulted in a record number of data security incidents. Therefore, I expect the focus of these enforcement actions to be not just on privacy compliance, but also on effective data security and incident response.  

Watch Mike’s video prediction here.


Privacy Compliance – Kara L. Hilburger, Esq., CIPP-US

My prediction for the privacy compliance area in 2021 is the increased focus on consumer privacy rights. With California’s comprehensive privacy law, the California Consumer Privacy Act (CCPA), now one year old, there is increase awareness and attention to data subject rights.  With a myriad of other states entertaining statutes similar to the CCPA, I anticipate a host of plaintiff related lawsuits filed under these statutes’ privacy right of action provisions. The result is that business operating in this highly global, multi-jurisdictional environment will need to continue to work towards building out robust and scalable data security and privacy infrastructures that take into account not only the GDPR and CCPA but other emerging laws. For example, updating forward-facing website disclosure policies and user agreements will be paramount here to be sure they comply with the required disclosures.

Relatedly, my second prediction as that we will continue to see an uptick in litigation filed under the Americans with Disabilities Act and frankly no end is in sight.  Businesses are continuing to educate themselves on the legal standards necessary for building and maintaining an accessible website.  We also anticipate much in the way of legislation or increase DOJ involvement in this area under the new administration.

Watch Kara’s video prediction here.


Health Law – Allison K. Prout, Esq., Cert. AWS Cloud Practitioner

With so much of our everyday lives moving online in the wake of the COVID-19 pandemic, we have seen a large uptick in data breaches caused by third-party vendors and service providers. And when it comes to the healthcare industry, I anticipate a continued increase in incidents that originate with business associates and other vendors providing services to covered entities. 

 In fact, about 40% of HIPAA breaches involve or are caused by business associates. With a new administration that’s likely to favor regulatory action, we expect to see regulatory authorities continue to enforce actions against covered entities whose business associates or service providers experience breaches. 

So what does this mean for the industry?  We expect to see covered entities taking a much closer look at who they are working with—and whether those parties have robust security and privacy protocols. For this reason, business associates may need to prepare accordingly. Whether you are a covered entity or a business associate, now is the time to dust off vendor due diligence and monitoring policies and procedures. It’s also a good idea to take a closer look at those service agreements and business associate agreements to make sure your service providers are making the right security commitments—and assuming responsibility—when there’s a breach.

Watch Allie’s video prediction here.


Global Data Privacy – Jordan L. Fischer, Esq. CIPP/US, CIPP/E, CIPM

My first prediction for the global data privacy space in 2021 is the creation and evolution of additional data privacy regulations across the globe. The so-called “GDPR Effect” has been pushing data privacy trends across the globe, and we expect to this to continue as more regions and countries adopt legislation mimicking parts of the GDPR, putting their own unique twist on data privacy, or modernizing their existing data privacy regulations to make them more compatible with the GDPR and other global privacy regimes.

My second prediction is a major emphasis on cross-border data transfers. The 2020 Schrems II decision invalidated the EU-US Privacy Shield for sending data from Europe to the United States. This decision was focused on data transfers between the United States and the European Union, but it also highlights a challenge we are continuing to see in international law – while these privacy regulations see borders, the digital realm does not.  Thus, it is increasingly hard to segment data and maintain it within a specific region. This year, I anticipate a lot of tension between regions that approach privacy and security from various perspectives that don’t always align. This presents a challenge for businesses to continue to operate efficiently while minimizing risk and dealing with multiple global privacy and security regulations.

Regardless of the specific trends we expect to see this year, one thing is certain – the global data privacy landscape will continue to change rapidly, creating a fascinating environment for data privacy and security lawyers to practice in.  I am very excited to be a part of such a dynamic team that will continue to provide services to our clients in this space.

Watch Jordan’s video prediction here.


Key Takeaways

Today, as well as every other day of the year, we hope you take some time to reflect on data privacy and security and the ways you can better protect your personal or business’ private information. The Beckage team is passionate about to educating the masses on the importance of data security, the consumer privacy rights and the impact on businesses, and the steps you can take safeguard your information. We are committed to providing updates on relevant legislation, current threats, and proactive data security steps. Be sure to follow us on LinkedIn, read our blog, and subscribe to our newsletter to stay up to date on the latest in this ever-changing space. Happy Data Privacy Day!

*Attorney advertising – prior results do not guarantee future outcomes.

1 2 3 4