There’s no question that this is one of the most difficult times we have faced. The turnaround from nearly full employment to 3,000,000 new unemployment claims, the sequestration of two-thirds of the population, the closing of restaurants, entertainment venues, places of worship, mass furloughs and layoffs, the elimination of the social interactions which we thrive on – these are not normal times. And, moreover, the world that emerges from the Covid-19 pandemic will be very different from the world that preceded it.

So with all of this going on, when many of you are simply trying to see how you can survive and emerge from this crisis, why should you worry about privacy and security?

Things Will Return to Normal

Eventually – and hopefully not terribly long from now – life will gain a new normality. It won’t necessarily be business as usual, but it will be some kind of business, and one thing that will return are the laws and regulations that govern us now. Just as the California Attorney General has decided (as of now) not to delay enforcement of the California Consumer Privacy Act, the other strictures regarding privacy and security aren’t going away. The crisis will not cause the FTC to stand down on its enforcement of claims of unfair and deceptive trade practices, the Department of Health and Human Services will continue to enforce HIPAA, the federal banking regulators will enforce the Gramm-Leach-Bliley Act, and as soon as they can meet, electronically or in person, state (and perhaps even federal) legislatures will press for more stringent privacy and security laws and regulations.

Some Changes will be Permanent

One change that is likely to stick beyond the end of the crisis is the move to remote working. Many workers will find that they like to work at home. Many businesses will realize that keeping their workforce in offices is less productive and costly. The possibility that waves of Covid-19 or other viruses may continue will make working remotely more common. And the success of online meeting tools – Zoom, Webex and others – will make both workers and companies realize that while in-person meetings are important, they aren’t always necessary.

A side effect, and one that we are already seeing, is the need to protect the expanding edge of network environments. As networks expand from the physical dimensions of an office to homes, security profiles change. Firms will need to consider how to maintain a secure computing environment when they have less control over that environment.

Security and Privacy is an Asset

An effective and compliant privacy and security program is a valuable asset that can differentiate a firm from its competitors. Clients and customers are increasingly sophisticated and recognize that a company whose privacy policy is dated before 2020 has not addressed the new obligations of companies to protect the personal information of its clients, customers, employees and others is behind the times.

Moreover, there are increasing liabilities associated with poor security and non-compliance. It is unlikely that any entity that does business in California is unaware of the private right of action that the California Consumer Privacy Act grants to individuals whose personal information has been compromised because a company failed to maintain “adequate security,” and that individual plaintiffs may be awarded between $250 and $750 for failure to maintain adequate data security. Many other state proposals, as well as federal initiatives, include a similar private right of action. In the absence of a data breach, the CCPA includes an enforcement mechanism giving the California Attorney General the ability to seek damages of between $2,500 and $7,500 for each violation of the CCPA. The stakes for companies are high, and getting higher.

What to Do?

In a crisis, companies should take the time to prepare for the aftermath. Many firms should see how they can adapt their business operations to take advantage of new opportunities and fend off threats. Companies now have the ability to allocate resources to protect themselves from breaches and establish compliance programs, which they will not as business eventually ramps up again. Companies that look forward to the new business environment and prepare for it will survive and thrive; those that do not will be left behind.

The JMBM Cybersecurity and Privacy Group assists clients both in complying with laws and achieving real data and information security. For more information, contact Robert Braun (RBraun@jmbm.com) or Michael Gold (MGold@jmbm.com).

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

There’s no question that the novel Coronavirus, COVID-19, has created massive disruptions in our lives.  Those of us who can work are working remotely, social distancing has become the rule of the day, and while this will end, there is no sure end date in sight.

Even some things that we thought might be unalterable have changed – tax returns have been delayed, and multiple laws are modified to fit the times, whether they be a holiday from parking tickets (at least in Los Angeles), to extensions of unemployment insurance and sick leave.  But some things have not changed, and privacy laws are one of them.

Data Privacy and Security Laws Haven’t Changed

Privacy and security obligations under the European Union’s General Data Protection Regulation, protection of health data under the Health Insurance Portability and Accountability Act, financial privacy under Gramm-Leach-Bliley – all of these are still in place and being enforced.  Contractual obligations, for the most part, remain unaffected (although force majeure clauses and governmental action might provide some relief).

And enforcement of the California Consumer Privacy Act of 2018 by the California Attorney General remains scheduled for July 1, 2020, even if the recently amended regulations interpreting the act don’t become effective until after that.  Businesses throughout California have petitioned the Attorney General for a delay in enforcement while they contend with the disruptions of the current pandemic, without response from the AG.

Data Breaches Continue

One group that hasn’t been impacted by the COVID-19 pandemic has been data thieves.  Yesterday, a non-scientific sampling of headlines included:

If anything, the pandemic has given hackers new venues to seek out victims under compelling phishing campaigns.

What Has Changed?

Continue reading

Amended CCPA Regulations – Key Takeaways

On February 7, 2020, the California Attorney General issued a second draft of the regulations implementing the California Consumer Privacy Act of 2018 (the “CCPA”).  Interestingly, while the Attorney General had earlier stated that the final regulations would be substantially the same as the original regulations, the Attorney General has made a number of significant changes.

The amended regulations are a mixed bag.  In a number of areas, the regulations as initially proposed went beyond the scope of the CCPA; that has, in a number of cases, been rectified.  However, the amended regulations do retain the do-not-sell signal requirement and add restrictions on how service providers handle personal information.

Here are some key takeaways:

  • Notice Provisions. The “at collection” notice requirements, which have been problematic for many companies, have been expanded.  The amended regulation requires notices on “all webpages where personal information is collected,” as well as both on a mobile app download page “and within the app,” such as through the app’s download page or settings menu.  At the same time, the regulation answers a common question – oral notice would be allowed when information is collected in person or over the phone. The amended regulations add a requirement for a “just-in-time” notice for collection of personal information on mobile devices if “the consumer would not reasonably expect” the collection.  Compliance with this requirement will be challenging, and companies will need to consider what a consumer would reasonably expect.
  • Deletion Requests. The original regulations treated an unverified request to delete as a request to opt-out of sales.  The amended regulations allows companies to ask a consumer that has made an unverified request to delete if they would like to opt out of the sale of the personal information. Businesses would also be permitted to retain a record of a deletion request for the purpose of ensuring the consumer’s personal information remains deleted from the business’s records. And the new regulation also provides much-needed guidance regarding the deletion exception for data stored on backup systems; personal information does not need to be deleted unless the data in the backup system is restored to an active system or is accessed or used for a sale, disclosure or commercial purpose.

Continue reading

The FTC Speaks

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC) Consumer Protection Bureau published a blog post with changes to the FTC’s approach to its orders and settlements of data breach enforcement actions.  One of the key elements of the report was a revision to the FTC’s routine enforcement practice to ensure that its remedial data security orders include greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.

Beyond greater detail guiding data security requirements, the blog post highlights that a core element of the FTC’s model for remedial orders is that senior management, on at least an annual basis, present the company’s written information security program to the board or other governing body for oversight and review, and that management certify to the FTC that the company has complied with data security obligations.

The Growing Role of Managers and Boards in Data Security

The decision by the FTC reflects a growing consensus about the roles and responsibilities of management and boards for the adequacy of enterprise programs to identify, evaluate, and manage data and information security risks.  While this is not the first time boards of directors have been held accountable for the security practices of the companies they represent, it shows that this obligation has become mainstream and should be noted by all companies, whether they are the victim of a breach or not.

The FTC’s endorsement of data security-related corporate governance approaches, safeguards, and third-party monitoring methods is likely to impact enforcement expectations of other regulators, whether state, federal or local, responsible for administering data security compliance and breach notification regulations.

Impact on Business

Businesses regularly collect vast amounts of personal information, and often are unaware of the extent, location and accessibility of that information.  Moreover, businesses rely on third parties to collect, store, and process data, and the responsibility for the protection of personal data – customer, client and employee data – is a hot potato.  Companies are only now reviewing their internal operations, as well as their relationships with vendors, to inventory their data and data collection practices.  The FTC’s rule makes it clear that the responsibility for the protection and privacy of personal information will reach to the top of the business. Continue reading

CCPA: Hotel Loyalty Programs, Data Retention and the Brave New World of Privacy

By Robert E. Braun

This article first appeared in the Hotel Business Review and is reprinted with permission from www.HotelExecutive.com.

The California Consumer Privacy Act (the “CCPA” or the “Act”) is a piece of consumer privacy legislation which was signed by California Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The Act is, far and away, the strongest privacy legislation enacted in the United States at the moment (although there are a number of contenders for that honor), giving more power to consumers to control the collection and use of their private data, and is poised to have far-reaching effects on data privacy.

What is the CCPA?

It is estimated that more than 500,000 companies are directly subject to the CCPA, many of them smaller and mid-size business, where the detailed requirements of the Act – disclosure and notice procedures, opt-out rights, updating privacy policies, and revising vendor agreements – is daunting. As discussed below, many hotels and hotel companies will be directly impacted by the Act, either because their qualify as a “business” as defined in the CCPA, or because they are associated with companies – brands and management companies – that are subject to the Act. Hotel owners, managers and brands that have not grappled with the requirements of the CCPA need to move quickly to do so, or risk potential liability under the penalty provisions of the Act.

Where did the Act Come From?

In early 2018, Alistair McTaggart, a California real estate developer, led an effort to include a new privacy law – the Consumer Right to Privacy Act of 2018 – on the November 2018 California ballot. By June 2018, supporters of the initiative had gathered enough signatures to earn a place on the November ballot. In response, California legislators, working with California businesses and other interest groups, negotiated and passed a substitute bill – the CCPA – in exchange for an agreement to drop the more restrictive text in the Consumer Right to Privacy Act from the November ballot.

The Act is aggressive, and cites the March 2018 disclosure of the misuse of personal data by Cambridge Analytica, as well as the congressional hearings that followed which highlighted the fact that any personal information shared on the internet can be subject to considerable misuse and theft. This prompted the California legislature to move rapidly to protect Californians’ right to privacy by giving consumers much more control of their personal information.

Because the Act was adopted so quickly, and because it was driven by the original proposition, the Act, as entered into law, does not have the kind of guidance that helps us understand how to implement the concepts in the Act. The California Attorney General has, as required under the Act, submitted proposed regulations that assist in complying with the Act, but much more needs to be done for businesses to feel comfortable in plotting a means of compliance. It is likely that our understanding of the Act, and how businesses can comply with the Act, will evolve over the coming years.

The Act as Part of a Broader Shift in Consumer Preferences

In order to understand the impact of the Act, and how to address its many changes, businesses need to understand how it reflects an evolution in consumer attitude toward the ownership and use of personal information.

In the United States, there have been few limitations on the collection or use of personal data. There are some exceptions – financial information is regulated under the Gramm-Leach-Bliley Act, health information is governed under the Health Insurance Portability and Accountability Act , and children’s information is addressed under the Children’s Online Personal Privacy Act. But in general, personal information – names, addresses, and other identifying information – may be collected and used without significant restriction, and consumers did not typically object.

The advent of computers and the increased ability to collect, store, process and monetize information, has changed consumers’ attitudes. Companies increasingly base their business models on the ability to collect and utilize information. This is not limited to firms like Facebook and Google; a variety of firms monetize the information they collect, both by direct marketing and by sharing, or selling, the data to others. Along with the “legitimate” use, came less savory forms, like credit card fraud and identity theft. As a result, individual consumers are increasingly concerned about how their personal data is shared.

Hotels should be particularly aware of this shift, since hotels are among the businesses most targeted by bad actors, and reports of data theft are regularly reported.

Behind these changes is a significant shift in the treatment of personal information. Increasingly, the belief is that an individual should have control over his or her identifying data, and not just a limited selection of financial data, but a broad array of information – essentially, anything that could be used to identify an individual. This would include not just names, addresses and other obvious data points, but also biometric and location data, of which many of us are unaware are being collected.

Do Hotels Need to Comply with the Act?

The Act is applicable to many businesses, whether located inside or outside California.? The Act applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California – ?a physical presence in California is not a requirement to becoming subject to the Act. Additionally, the business must meet at least one of the following criteria: Continue reading

As most (but not all) business know, the California Consumer Privacy Act of 2018 (the “Act” or “CCPA”) goes into effect January 1, 2020. It is estimated that more than 500,000 companies are subject to the CCPA, many of them smaller and mid-size businesses that may not have pre-existing robust privacy policies and procedures.

The CCPA applies to for-profit entities that both collect and process the personal information (as defined in the Act) of California residents and do business in the State of California, whether or not the business has a physical presence in California. Businesses that meet at least one of the following criteria are subject to the Act:

  • Generate annual gross revenue in excess of $25 million,
  • Receive or share personal information of more than 50,000 California residents annually, or
  • Derive at least 50 percent of its annual revenue by selling the personal information of California residents.

While enforcement actions by the Attorney General won’t begin until six months after the final regulations are published, or July 1, 2020, companies need to ensure they are in compliance on January 1, 2020, when the Act goes into effect. This article is a summary of a five-part series designed to guide companies through compliance, Complying with the California Consumer Privacy Act in 5 (More or Less) Not So Easy Steps.”

Part 1 – Data Mapping

A company cannot comply with the Act without understanding what data the company collects, how it uses the data and who has access to it. Understanding how the company collects, processes, transmits and stores data – as well as how it’s used and who uses it – is the foundation of a data privacy program and the key to complying with the Act and most other privacy regulations. A company’s data is often its most valuable asset, but the exact movements of sensitive data are often poorly understood, providing unknown exposure points and increasing the risk of data loss.

There is a benefit to this practice that goes beyond complying with the Act. Companies can determine the extent of their data collection practices and whether it advances the business. Companies must realize that every point of data it holds is not just an asset, but also a liability. Eliminating unnecessary data reduces liability exposure. Understanding a company’s data profile leads to efficiencies in operations and can better rationalize costs associated with maintaining data, including cybersecurity and insurance expenses. Learn more here.

Continue reading

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps

Part 5 of a Series

Consumer Rights: Deletion, Do Not Sell, Non-Discrimination

The California Consumer Privacy Act obligates covered businesses to disclose the categories of personal information, the sources of personal information and uses of personal information collected in the course of their operations.  In addition, the CCPA gives consumers specific rights not just to know what data is being collected, but also whether and how that data can be used.  Compliance with the CCPA requires an understanding of these rights, and adoption of procedures to comply with them.

Deletion

Under Section 1798.105 of the CCPA, consumers have the right to request a business to delete “any personal information about the consumer which the business has collected from the consumer.” The business must fulfill such requests — and to direct “any service providers,” as that term is defined in the CCPA, to do the same — within 45 days of receiving a “verified request” or “verifiable request” from the consumer.  Businesses should be aware that the consumer’s right to delete is one of the provisions that must be included in the company’s privacy policy.

The right to delete is not absolute.  Businesses are also not required to delete information “if it is necessary” to:

  • Complete the transaction for which it was collected.
  • Provide a good or service the consumer has requested.
  • Perform a contract between the business and the consumer.
  • Detect security incidents.
  • Protect against “malicious, deceptive, fraudulent, or illegal” activities.
  • Prosecute people responsible for “malicious, deceptive, fraudulent, or illegal” activities.
  • “Debug to identify and repair errors that impair existing intended functionality.”
  • Ensure the exercise of free speech by another customer.
  • Ensure the company’s exercise of “another right provided for by law.”
  • Comply with a legal obligation, in particular, those of the California Electronic Communications Privacy Act.

These exceptions give businesses a broad range of reasons to keep information.  For example, a business may continue to use a consumer’s personal information that has been the subject of a deletion request “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” A similar exception is carved out for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”

Opt-out of Sales

The CCPA gives consumers two related rights regarding the sale of personal information: 1) a “right to opt out” of the sale of personal information, and 2) for consumers under the age of 16, a “right to opt in”. Continue reading

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:
Part 4 of a Series

Verified Requests for Data

The CCPA is hurtling headlong toward implementation on January 1, 2020.  The Act, which is likely to be amended, perhaps substantially, in the next sixty days, and which has no guiding regulations, continues to present a conundrum for companies faced with designing and implementing policies and procedures that need to be consumer-ready by Day 1.

One requirement that has created substantial confusion and uncertainty is directly related to a key element of the Act – the right of consumers to control the personal information held by companies. Under the Act, companies must develop or identify internal mechanisms to respond to a consumer’s exercise of their right to access the information collected about them, verify their identity, respond within the mandated 45 days, and document both the request and response.

While the obligation is clear and seemingly innocuous, it is creating both confusion and its own cottage industry of consultants and service providers.

The sticking point of this requirement is determining how a company will reasonably verify the requester’s identity. The California Attorney General was to have adopted regulations to help businesses determine when a request is a verified consumer request (sometimes referred to by the quaintly anachronistic acronym “VCR”). Those regulations have not yet been proposed.

In the interim, companies are left with little more than what feels like the type of direction from U.S. Supreme Court Justice Potter Stewart, when he was forced to define a threshold test for obscenity in 1964:

“I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description, and perhaps I could never succeed in intelligibly doing so. But I know it when I see it….”

Like so much of the CCPA, the obligation is appropriate on its face, but difficult to implement. Continue reading

Ever since the California Consumer Privacy Act (the “CCPA”) was adopted in 2018, various constituencies have lobbied for revisions. While multiple proposals were considered in the California legislature, only a few have a chance for passage and enactment. Last month, the California Senate Judiciary Committee passed several amendments to the CCPA, and we now have a better idea as to what amendments are likely to be adopted. The bills head now to the Appropriations Committee and then to the full state Senate. Here are the important highlights:

  • Employee Exemption: With AB25, lawmakers weakened the employee exception, which now sunsets on Jan. 1, 2021. The current exemption means CCPA does not cover collection of personal information from job applicants, employees and certain others, but only for one year. Afterward, employers will be required to tell employees what type of information they are collecting, and why.
  • Loyalty Programs: AB 846 clarifies and modifies CCPA application to loyalty and reward programs. Businesses would still be prohibited from selling consumer information gathered as part of these programs.
  • Phone Access: AB 1564 requires businesses to provide a toll-free phone number for customers to request access to their personal information. On-line only businesses are only required to provide an email address.

Three bills, AB 873, AB 1416 and AB 981 failed. They would have changed the definition of “personal information” and “de-identified information,” weakening the privacy protections.

These and several related bills will head to the full Senate, which must vote by Sept. 13, 2019. Governor Newsom then has a month to consider signing them (along with another 1,000 or so bills), and any bill that is signed will go into effect Jan. 1, 2020.

Bottom Line: The law’s strong consumer protections withstood challenges, though observers anticipate there will continue to be debate and negotiations with unions as to how CCPA affects employees. Companies should continue apace with their plans for implementation.  Companies that haven’t yet begun to comply should start now!

See our recent blogs on the CCPA below.

Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps:

 Part 1 – the Data Map
 Part 2 – the Breach Response Plan
 Part 3 – the Privacy Policy

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

On August 5, 2019, Marriott International announced that it had taken a $126 million charge in the second quarter, primarily as a result of the data breach it announced in 2018.  Coincidentally, on July 9, 2019, The United Kingdom’s Information Commissioner’s Office (ICO), which enforces the General Data Protection Regulation (GDPR) in the UK, announced that it intends to impose a fine of £99,200,396 ($123,705,870) on Marriott for last year’s data breach.

As was widely reported, in November 2018, Marriott disclosed that hackers accessed the Starwood guest reservation database since 2014. Initially, the company said hackers stole the details of roughly 500 million hotel guests, which the hotel chain later corrected to 383 million following a more complete investigation.  Still, 383 million records is nothing to be laughed at.

The hackers stole a breathtaking array of sensitive data:

  • 383 million guest records
  • 5 million encrypted passport numbers
  • 25 million unencrypted passport numbers
  • 1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

What went wrong? What can be distilled from Marriott’s experience that other companies can apply in their efforts to comply with the GDPR?

For JMBM’s Hotel Law Blog, I have outlined some important lessons learned, particularly for U.S. companies with business with Europe. To read the blog, see Cybersecurity Lawyer: Lessons from Marriott’s $123 million GDPR fine.

— Bob Braun

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.