2020Looking Back on 2020’s Top Privacy and Cybersecurity Trends

Looking Back on 2020’s Top Privacy and Cybersecurity Trends

As 2020 comes to a close, Beckage looks back on the ways this difficult and unprecedented year impacted the data privacy and cybersecurity landscape both domestically and across the globe.

Enhanced Privacy Challenges and Concerns Due to Covid-19

In response to the COVID-19 pandemic, businesses around the globe made a major pivot to online or virtual operations early this year. An intentional focus on data protection and a solid understanding of the regulatory landscape is a legal requirement that demands the integration of data protection up front in any network design or business practice. The increase in exposure of company assets made it necessary to implement a variety of technical safeguards. Companies still had to meet the compliance milestones of the NY SHIELD Act and California’s Consumer Protection Act (CCPA) while dealing with new privacy challenges caused by a distributed workforce and a global health pandemic. Beckage reminds organizations of the importance of revisiting their readiness through business continuity, incident response, and more expansive administrative, technical, and physical safeguards when shifting to a work-from-home model and recommends continued assessment of your company’s privacy pitfalls in this ever-shifting legal landscape.

Increased Ransomware and Cyberattacks

With rapid changes in organizational operations caused by the COVID-19 pandemic, attackers became more sophisticated in their strategies and unleashed several unrelenting, simultaneous attacks on service providers and the organizations they serve in 2020. Victims of recent cyber attacks, such as the SolarWinds campaign carried out in December, include government agencies, healthcare providers, consulting agencies, and , technology, telecom, and oil and gas companies. In many of these campaigns, attackers were able to gain access and move freely throughout an organization’s server, installing additional software, creating new accounts, and accessing sensitive data and valuable resources while remaining largely undetected. In response to the uptick in data incidents this year, the Beckage Incident Response Team recommends organizations implement several preventative steps to safeguard their organization to help minimize legal risk.

Patient Access Rights and Interoperability

Recent developments in 2020 concerning patients’ right to access health information to implement interoperability and record access requirements intend to help patients obtain access to health records and payment data to make informed decisions about their healthcare. The CMS Proposed Rule and the OCR Proposed Rule represent a complete overhaul of well-established standards and an introduction of new and highly technical requirements with healthcare compliance. The experienced Health Law Team at Beckage can help to distill these lengthy and complicated rules so organizations can understand practical implications on daily operations.

Increased International Focus on Consumer Privacy

On the heels of EU’s General Data Protection Regulation (GDPR), many countries followed suit by establishing legal frameworks for governing how organizations collect, use, and store their citizens’ personal data. One example is Brazil’s Lei Geral de Proteção de Dados (LGPD), which went into effect in August of 2020. This general data protection law, which closely mimics the GDPR, places strict requirements on organizations that process Brazilian citizen’s personal data.

At the same time, Europe continued to elevate its enforcement of the GDPR, with major decisions from various member state Data Protection Authorities, the European Court of Justice (ECJ), and the European Data Protection Board (EDBP). The most impactful for businesses across the globe was the ECJ’s decision in Schrems II, which invalidated the EU-US Privacy Shield and called into question the long-term viability of the Standard Contractual Clauses (SCCs) to transfer data from the EU to the US. In 2021, companies should closely monitor the evolving guidance on international data transfers and be prepared to mitigate risk of global data transfers.

Beckage’s Global Data Privacy Team expects continued adoption of data protection regulations across many regions, and an emphasis on creating global security and privacy compliance programs in the year ahead.

Uptick in ADA Litigation

This past year, the Beckage Accessibility Team has witnessed a drastic increase in litigation under Title III of the Americans with Disabilities Act. On average, about eight new lawsuits are filed a day by disabled individuals alleging unequal access to goods and services provided on a company’s digital platforms. While the Department of Justice (DOJ) has consistently held that the ADA applies to websites and mobile apps, they have failed to clarify the precise requirements for a business to be deemed compliant. This has prompted a wave of litigation by plaintiffs’ who claim a website or mobile app’s incompatibility with assistive technology, like screen-reading software, has denied them full access to and equal enjoyment of the goods, services, and accommodations of the website, therefore violating the ADA. Most of these lawsuits are settled quickly out of court to avoid litigating in such uncertain legal terrain.

Beckage handles the defense of website accessibility lawsuits as well as assists companies in navigate pre and post-suit settlement agreements for this unique area of the law.  Beckage also works with clients under privilege to conduct internal and remedial audits of client websites and mobile applications, evaluate platform compatibility and oversee implementation of recommended remedial or accessibility-enhancement measures.

California Consumer Protection Act (CCPA)  

Enforcement of California’s comprehensive California Consumer Privacy Act (CCPA) began on July 1, 2020 and has brought a range of plaintiff related lawsuits under its private right of action provision expanding California breach laws. For a data breach to be actionable, the information accessed must be identified as personal information, as narrowly defined by California’s data breach notification law. Recently, in November 2020, the Consumer Right To Privacy Act (CRPA) ballot initiative was passed, creating additional privacy rights and obligations pertaining to sensitive personal information that will go into effect. CPRA also expands data breach liability created by the CCPA, adds a private right of action for unauthorized access that permits access to an account if the business failed to maintain reasonable security, and imposes data protection obligations directly on service providers, contractors, and third parties. Beckage urges businesses who operate in or serve California citizens to continue to follow CCPA developments and carefully monitor related litigation in the coming months.

Emerging Technologies

The recent expansion of the Illinois Biometric Information Privacy Act (BIPA) has resulted in numerous class actions suits against organizations alleged to have collected plaintiffs’ biometric data. With the expanding use of biometric equipment, these claims often allege defendants obtained plaintiffs’ biometric data without complying with the BIPA’s notification and consent requirements. Upcoming class suits may address the issue of BIPA having an extraterritorial effect when bringing claims against out of state vendors.

Similarly, computers that manipulate the media, known as deep fakes, advance the dangers of influenced perceptions. The advancements of deep fakes are giving rise to laws regarding defamation, trade libel, false light, violation of right of publicity, or intentional infliction of emotional distress. Sophisticated tech lawyers can assist in determining rights and technological solutions to mitigate harm. As former tech business owners, Beckage lawyers want to drive innovation with use of these new and emerging technologies while understanding standards and laws that may impact such development. Beckage recommends that companies proactively mitigate the risks associated with collecting biometric information and deep fakes to prevent legal repercussions and defamation. 

Key Takeaways

2020 proved to be an unpredictable year in more ways than one. The COVID-19 pandemic forced companies to rapidly adapt to new privacy and data security challenges caused by a distributed workforce, emerging technologies, and an increased focus on ecommerce with in-person shopping and events. As we move towards 2021 with no definitive end to the pandemic in sight, it is crucial for companies to prioritize data privacy and cybersecurity initiatives by consulting qualified legal tech experts who can help navigate the uncertainty next year will bring. Beckage attorneys can assist in creating, implementing, and evaluating robust data security and privacy infrastructures that will help put your business in a position to tackle all the challenges 2021 has in store.

*Attorney Advertising. Prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

ONCHHS Announces Last-Minute Changes to Compliance Deadlines

HHS Announces Last-Minute Changes to Compliance Deadlines

The US Department of Health and Human Services’ (“HHS”) Office of National Coordinator for Health IT (“ONC”) recently extended a few key compliance deadlines relevant to developers of certified health IT products, healthcare providers, and health information networks and exchanges (HIEs/HINs). Specifically, ONC pushed back certain requirements related to certification of certified health IT products and Information Blocking found in the ONC Cures Act Final Rule (ONC Rule), a rule that promotes seamless and secure access, exchange, and use of electronic health information through standardized health IT requirements. HHS stressed that it has extended these compliance deadlines to provide the healthcare industry additional time to implement the ONC Rule as the healthcare industry continues to grapple with the myriad challenges presented by COVID-19.

Developers of certified health IT are required to certify their products under the ONC Health IT Certification Program (“Program”). The Program now incorporates numerous new administrative and technical requirements outlined in the ONC Rule. The updated compliance deadlines give developers of certified health IT more time to update their currently certified products or build new products to comply with the new certification requirements, as well as more time to test those products. These developers also have additional time to attest under the Program that their products are compliant with specific conditions (known in the industry as the Conditions and Maintenance of Certification (“COC”)) that were updated by the ONC Rule.

Additionally, under the updated deadlines, developers of certified health IT, as well as healthcare providers and HIEs/HINs, have more time to comply with the new Information Blocking obligations required under the ONC Rule. Information Blocking is defined as any practice that is likely to “interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” There are eight narrow exceptions to these practices that allow an entity to engage in this type of behavior, most notably where the practice is intended to prevent harm, safeguard the security of electronic health information, or safeguard the privacy of the individual’s electronic health information.

The following is a summary of some key deadlines: 

Requirement Deadline 
Developers of certified health IT, healthcare providers, and HIEs/HINs cannot engage in Information Blocking. April 5, 2021 
Developers of certified health IT must attest that they comply with the CoC that were updated by the ONC Rule. May 1, 2022 
All products certified under the Program must align with the ONC Rule’s new technical certification requirements. December 31, 2022 (except with respect to a requirement related to electronic health information exports, which is not required until December 31, 2023) 
Developers of certified health IT must successfully test their certified health IT under real world conditions.Initial Plan for testing due December 14, 2021; Initial Results of testing due March 15, 2023 

For more information regarding the specific deadline updates, please see HHS’s official press release regarding the changes.

We anticipate that the updated compliance deadlines will be a welcome change given the many technical and compliance challenges presented by the ONC Rule. With this extra breathing room, now is the ideal time for companies to evaluate their compliance posture with respect to the ONC Rule and begin to develop strategies for adopting and implementing the new requirements under the ONC Rule, as implementation will require consultation with technical and legal teams. Beckage attorneys will continue to follow the evolving regulatory compliance guidance on deadlines and substantive requirements to assist clients in the health IT and healthcare industry as they navigate these and other new regulatory requirements. Beckage attorneys are uniquely experienced to help health organizations and tech companies of all sizes to navigate the complicated maze of legal and practical considerations raised by these and other health law regulations. Please do not hesitate to reach out if you are interested in discussing the ONC Rule’s potential impact on your business.

*Attorney Advertising. Prior results do not guarantee future outcomes. 

Subscribe to our Newsletter.

0
COVID-19Insights Into the COVID-19 Health Data Bill

Insights Into the COVID-19 Health Data Bill

This update concerns the COVID-19 Health Data Bill, recently introduced to the New York State Senate by State Senator Kevin Thomas (S8448A), and in the State Assembly by Assemblywoman Linda B. Rosenthal (AB 10583). The COVID 19 Bill could have significant implications on businesses that collect information as part of their federal and state COVID-19 compliance measures, including the NYS-Required Safety Plans.  

The COVID-19 Bill applies to any company/person that collects, uses, or discloses “emergency health data,” which is defined to include data that is “linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device from other collected data” and that “concerns the public COVID-19 health emergency.”  

Emergency health data includes information that reveals past, present, or future physical or behavioral health or condition of, or provision of healthcare to, an individual including:

• data derived from testing or examination;

• whether or not an individual has contracted or been tested for, or an estimate of the likelihood that a particular individual may contract, such disease or disorder; or

• genetic data, biological samples, and biometrics.

Emergency health data also includes “other data collected in conjunction with other emergency health data that can be used to infer health status, health history, location or associations”. This includes: geolocation data, proximity data, demographic data, contact information, and other data collected from a personal device.  

The Bill requires businesses that collect, process, or use emergency health data in connection with the COVID-19 crisis to:

1. Obtain Affirmative Opt-In Consent: The Bill requires that businesses obtain an individual’s “freely given specific, informed, and unambiguous opt-in consent” to process individual emergency health data and prohibits collection without such consent except in certain narrow circumstances.

2. Comply with Data Retention Requirements: The Bill contains rigid data retention time periods (30 days or 14 days for proximity tracing or exposure notification data). If a business stores emergency health data for more than 30 days, The Bill requires the business to “reengage consent” from the individual from whom the information was collected in the first instance.

3. Maintain Written Privacy Policies and Transparency Reports: The Bill requires the posting of Privacy Policies which detail the business’s collection and use of emergency health data and the preparation of written Transparency Reports describing the business’s collection of emergency health data every 90 days.  

4. Limit Use: Data collected for responding to the COVID-19 public health emergency (e.g., tracking, screening, monitoring, contact tracing) must be collected “at a minimum level of identifiability reasonably needed for tracking COVID-19”. The Bill clarifies that for covered entities using proximity tracing or exposure notification, this includes changing temporary anonymous identifiers “at least once in a 10-minute period.” The Bill also prohibits the use of emergency health data for any purpose beyond what is adequate, relevant, and necessary to perform the transaction consented to by the individual, or for any purpose not authorized by The Bill (e.g., commercial purposes, advertising, selling, etc.).

5. Provide Individual Right to Access and Correction: The Bill gives individuals the right to access and correct their emergency health data.

6. Maintain Reasonable Security Measures: An entity that collects emergency health data must have reasonable administrative, physical, and technical controls in place to safeguard the information from misuse and unauthorized disclosure.

7. Maintain Minimum Necessary Access Restrictions: The entity must have access restrictions in place limiting access to the emergency health data to authorized essential personnel only.

8. Complete Compliance Audits: Covered entities are subject to data protection audits, which include the requirement for risk assessments and evaluation of the technologies used in connection with the information gathering. The results of the compliance audits shall be made available to the public.

The Bill also has notable enforcement teeth, authorizing the State Attorney General to bring enforcement actions and seek civil penalties of up to $25,000 per violation or up to 4% of a business’s annual revenue. As The Bill is for the purposes of the COVID-19 public health crisis, it purports to expire and be repealed on January 1, 2023.

To date, the bill is not on a committee agenda and there is no scheduled testimony for the COVID-19 Health Data Bill. It is not clear whether the bill will move through committee to the floor for a vote before the legislative session ends. However, we anticipate that legislators will be back in Albany at least a few more times this year, and Senator Thomas has been vocal in his desire to make progress on the Bill.

Beckage will monitor the progress on this and other relevant data privacy bills. Beckage is in communication with lobbyists and is closely monitoring for opportunities to provide input on behalf of the business community. Please do not hesitate to reach out if you are interested in discussing the bill’s potential impact on your business. Beckage is privileged to work with clients in a variety of sectors and industries in building efficient, repeatable, and scalable privacy and security programs.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.