
Legislative Update on the SAFE Data Act

In late September, a few Republican members of the Senate Committee on Commerce, Science and Transportation (“Commerce Committee”) introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act, adding to the slew of federal data privacy bills before the Committee.

The SAFE DATA Act would expand the Federal Trade Commission’s (FTC) authority and provide additional enforcement resources. It contains some measures already captured in other bills before the Commerce Committee, including the Deceptive Experiences to Online Users Reduction Act (DETOUR Act), the Balancing the Rights of Web Surfers Equally and Responsibly Act (BROWSER Act), and the Consumer Online Privacy Rights Act (COPRA). It gives consumers more control over their data and strengthens the FTC’s ability to respond to changes and advances in technology.

If enacted, the SAFE DATA Act would prohibit businesses from processing or transferring sensitive consumer data without the consumer’s consent. It would also minimize the amount of consumer data businesses can collect, process, and retain, and would limit secondary uses of consumer data made without consumer consent.

The SAFE DATA Act attempts to create a national standard that would preempt, or supersede, state privacy laws. A federal standard could, in theory, ease the burden on businesses that currently need to comply with a complicated patchwork of state and local privacy laws. This preemption issue captured a lot of attention during Committee testimony on September 23rd, particularly from California Attorney General Xavier Becerra, who argued that a federal standard should be the floor rather than the ceiling for privacy protections. Earlier this year, Becerra oversaw the implementation of the California Consumer Privacy Act, the nation’s most comprehensive state data protection statute to date, which, he said, would be heavily dismantled by federal preemption. Another issue that captured attention during the Committee hearing is whether federal legislation should include a private right of action, which would allow consumers to pursue legal remedies themselves.

The bottom line? Several approaches are being considered, and there is little agreement on the path forward. Though we expect the conversation to continue into the lame-duck session, we do not anticipate consensus on a unified approach to data privacy until the 117th Congress convenes in January 2021.

Beckage continues to monitor this evolving landscape and to provide updates on important topics such as data privacy, which have a very real impact on business operations. Regardless of the legislative landscape, a robust data security and privacy program that can stand the test of time is a wise investment. Our team is available to help your team evaluate the legal implications of current requirements and of legislative changes in the data privacy field.

*Attorney Advertising. Prior results do not guarantee future outcomes.


FTC Privacy Principles Offer Guidance to Companies In Light of Schrems Decision

The invalidation of the Privacy Shield by the recent Schrems decision has left businesses scrambling to address their data transfers abroad. The FTC can serve as a source of guidance for businesses grappling with data transfers in this uncertain landscape.

In July, the Court of Justice of the European Union (CJEU) issued the Schrems II (C-3111/18) decision, invalidating the EU-US Privacy Shield Framework. The EU-US Privacy Shield was a mechanism that allowed United States businesses to transfer and store European Union personal data in the United States. The ruling means the United States is no longer treated as providing adequate protection and has no special access to Europe’s personal data streams. However, while the Privacy Shield has been declared invalid, the CJEU ruled that international data flows under the General Data Protection Regulation (GDPR) can continue under the EU Standard Contractual Clauses. Relying on the Standard Contractual Clauses alone calls into question the future of international data flows between the United States and the European Union.

Despite the Schrems II decision invalidating the Privacy Shield Framework, here in the United States the Federal Trade Commission (FTC) will continue to hold companies to the framework’s principles. With broad civil enforcement authority to promote consumer protection and competition in the commercial sphere, the FTC will hold companies accountable for violating the international data commitments they made to protect transatlantic data transfers, even though the framework itself has been rejected. Those commitments include adherence to the following principles:

  1. Notice of participation in the framework, the types of data collected, and the purposes for which the data is collected.
  2. Choice for individuals to opt out of, or consent to, the types of data being collected.
  3. Accountability for onward transfers of personal data to third parties, in compliance with the Notice and Choice principles.
  4. Reasonable and appropriate security measures to mitigate the risks of maintaining collected personal data.
  5. Data integrity and purpose limitation, so that data is reliable and used only for purposes compatible with those for which it was collected.
  6. Access for individuals to the personal data that organizations hold about them.
  7. Robust mechanisms to ensure company compliance, and recourse for individuals harmed by noncompliance.

FTC commissioners agree that there should be a national data privacy law governing online privacy. There is increased attention on the need for a broader data privacy policy that would allow the FTC to impose civil penalties, adapt to changing technology, and hold accountable non-profits and carriers that were previously beyond the FTC’s enforcement powers under the Privacy Shield Framework.

Data security and privacy continue to be a major part of ongoing antitrust investigations into technology platforms. Europe is determined to provide strong privacy protections and has signaled that data security is one of its key priorities in light of the exponential growth in data collection. Although the Privacy Shield is no longer a viable mechanism for complying with EU data protection requirements, US companies are not relieved of the obligations they previously undertook.

We encourage companies to continue to follow robust privacy principles, such as those underlying the Privacy Shield Framework, and to review their privacy policies to ensure they accurately describe their privacy practices, including with regard to international data transfers.  

At Beckage, we have a team of highly skilled attorneys certified in comprehensive GDPR knowledge who can help your company work towards compliance and data protection in both Europe and the United States. Beckage works with clients to review current policies and assess data security practices. Our team can help implement a plan to address related data privacy legislation and serve as legal counsel to help your company better understand the legal implications of transatlantic data transfers.

Recent Court Decision Warns Companies Not to Engage Incident Response Tech Firms Without First Engaging Legal Counsel

In any data incident, the first question is: who do I call first? A recent court decision reminds companies that the first call should be to legal counsel.

Data breaches are a risk to any company collecting personally identifiable information. When an incident occurs, companies should carefully consider the possibility that the incident may result in litigation, including a data breach class action brought by impacted consumers, and therefore take appropriate steps to preserve privilege over any post-breach analysis and work product. A recent court decision serves as a warning for companies that want to rely on the privilege doctrine to shield their post-breach work product from disclosure during post-breach litigation.

Capital One

In 2015, Capital One hired Mandiant to provide cybersecurity consulting services. The master service agreement executed between the parties was occasionally supplemented by various Statements of Work for Mandiant to provide additional specified services. In March 2019, Capital One experienced a data breach. Capital One immediately retained outside counsel to provide legal advice regarding the incident. Thereafter outside counsel, Mandiant, and Capital One executed a Letter Agreement pursuant to which Mandiant would provide incident response, forensic and remediation services in relation to the incident.  

After conducting its analysis, Mandiant provided a forensic report on the incident to outside counsel. The forensic report was subsequently distributed to Capital One’s legal team, board of directors, various employees, regulators, and Capital One’s accounting firm. In the litigation that followed the incident, Capital One asserted that the forensic report was privileged and protected by the work product doctrine.

The court held that, although the report was prepared at the direction of outside counsel, Capital One failed to carry its burden of proving that the report would not have been prepared but for the anticipated litigation, and that the report therefore fell outside the scope of protected attorney work product.

District Court Affirms

Not surprisingly, Capital One appealed the magistrate judge’s ruling, arguing that the judge misapplied the controlling law and improperly relied on Capital One’s business uses of the report. On June 25, 2020, the District Court affirmed the decision, ordering Capital One to produce the report. On appeal, the Court focused on “the driving force behind the preparation of the report” and whether it was compiled in anticipation of litigation. The Court found that Capital One failed to prove any difference between Mandiant’s report and what would have been prepared in the ordinary course of business, absent anticipated litigation or legal counsel.

Lessons from the Decision

This conclusion calls into question current best practices following a data security incident. Companies preparing for potential data security incidents should consider the following guidance points offered by the decision.

1. Legal vs. Business Advice

An important factor considered by the court in Capital One was whether the report in question was prepared in order to provide legal advice or business advice. In general, the attorney-client privilege does not apply where the attorney acts merely to provide business advice (Aetna Cas. & Sur. Co. v. Sup. Ct., 153 Cal. App. 3d 467 (1984)).

In Capital One, the court placed the burden on Capital One to prove that the forensic report was prepared for the purpose of anticipated litigation and concluded that it failed to provide sufficient evidence. The court found that hiring outside counsel alone was insufficient. Companies should therefore consider ways to memorialize the fact that a forensic report is being prepared for the purpose of legal advice, and specifically state that the report is not for business purposes.

2. Distinguish Post-Breach Relationships from Preexisting Relationships

Even though the Capital One court found that hiring outside counsel alone was insufficient to establish privilege, it remains an important factor in proving that a forensic firm’s work is done in anticipation of litigation. The Capital One court distinguished its circumstances from a previous case, In re Experian Data Breach Litig., where the court held that a similar report was privileged in part because Experian hired outside counsel first, and that counsel in turn retained the cybersecurity firm to prepare the forensic report.

Where a preexisting relationship with a cybersecurity firm exists, companies should, in light of the Capital One decision, distinguish the post-breach services from those of the previous business relationship. The post-breach agreement should make clear that the work is being done at the direction of outside counsel in anticipation of potential litigation. The post-breach work should be limited in scope, and any non-litigation work should be set out in a separate agreement.

3. Legal Expense

The Capital One court emphasized that Capital One designated Mandiant’s retainer as a “business critical” expense, not a legal expense, at the time it was paid. Companies should therefore always pay for a third-party forensic firm’s post-breach work out of their legal budget.

4. Limit Dissemination of Post-Breach Forensic Report

Another important distinction between Capital One and Experian was that in Experian the full report was not shared with the company’s incident response team. In contrast, in Capital One the post-breach report was widely disseminated to internal groups and to third-party regulators. Companies should limit the distribution of post-breach reports and consider including confidentiality instructions to maintain privilege.

Conclusion

The cases vary in their approach to the use of incident response technology firms. But all of the decisions make clear that legal counsel should be engaged at the outset of a breach.

Companies confronted with a data breach should carefully consider the guidance offered in Capital One. Hiring experienced data breach counsel to help preserve applicable privileges and to leverage their industry experience may prove extremely helpful during any post-breach litigation. Recent increases in data breach class actions brought under the California Consumer Privacy Act (CCPA) highlight the importance of being prepared for post-breach litigation.

The team at Beckage has extensive experience in data security incident response and understands the steps necessary to preserve privilege. If your company believes it is experiencing a data breach, call our 24/7 breach response line at 844.502.9363. One of our tech breach coach lawyers would be happy to assist you.

Beckage Urges NYS AG To Delay SHIELD Act Enforcement

In light of the rapidly evolving COVID-19 pandemic and the unprecedented changes to the New York workforce and network infrastructure, Beckage PLLC has asked New York Attorney General (AG) Letitia James for a six-month delay of the March 21 compliance milestone and of general enforcement of the New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act.

By letter dated March 18, 2020, the law firm Beckage, on behalf of a range of its clients across industries and sizes in New York State, asked the AG to provide this relief, together with a concurrent postponement of enforcement actions and civil penalties, so that companies throughout New York State can update their administrative, physical, and technical controls in light of the current pandemic.

For background, phase two of the SHIELD Act’s implementation has a compliance deadline of March 21, 2020. This milestone requires companies handling New York resident data to have certain administrative, physical, and technical controls and policies in place by that date to protect that data.

Leading up to March 21, companies were forced to respond to the COVID-19 outbreak and shift overnight to a remote workforce while still meeting phase two of the SHIELD Act. Companies throughout the state have experienced sudden changes in a very short period as they adapt to the COVID-19 pandemic. Accordingly, any prior SHIELD Act compliance work needs to be reviewed and updated as necessary.

Considering the COVID-19 pandemic, for which Governor Cuomo issued a state-wide emergency declaration on March 13, 2020, Beckage’s letter to the AG highlighted the enormous challenges the pandemic poses for SHIELD Act compliance.

Jennifer A. Beckage of Beckage said, “Businesses throughout the State are moving hundreds, if not thousands, of employees to remote workforce and cloud-based environments and are dedicating extensive Information Technology and HR resources to these efforts. The diversion of these resources to COVID-19 efforts means that many organizations may not have the resources to meet the SHIELD Act’s March 21, 2020 milestone.” Additionally, even organizations with extensive resources that have already taken steps to comply with the Act by the milestone are now seeing their entire enterprise shift in light of COVID-19. As Ms. Beckage explained, “By moving to remote workforces overnight, existing policies, practices, network infrastructure, and risk assessments may have completely changed, rendering current policies in some respects irrelevant or obsolete, or requiring updates to existing administrative, physical and technical controls.”

Beckage supports the goals of the SHIELD Act and applauds New York’s efforts to keep the state’s laws up to date with current technology. Beckage is collecting comments on behalf of businesses impacted by the SHIELD Act, which will be anonymized and included in a report prepared by Beckage for the New York AG’s office as it continues to seek assistance from the AG. Should you wish to be included, please submit your comments through our SHIELD Act comment portal by emailing shieldactcomments@beckage.com.

Second Compliance Deadline of NY SHIELD Act Approaches

If you waited until the last minute to develop a data privacy program, it is now required in New York. Signed into law on July 26, 2019 by Governor Cuomo, the Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires businesses to implement safeguards for the “private information” of New York residents and broadens New York’s security breach notification requirements.
