Articles Posted in Privacy Regulations

Many races and initiatives that California voters considered on November 3 are still undecided, but Proposition 24, the California Privacy Rights Act of 2020 (the “CPRA”) isn’t one of them. The California electorate approved Proposition 24 by a comfortable margin – 56% of Californians voted in favor.

Like its predecessor the California Consumer Privacy Act of 2018 (the “CCPA”), the impact of the CPRA won’t be felt immediately. It goes into effect on January 1, 2023, and many of its provisions are unclear and will require study. But all businesses that have a presence in California will need to consider its requirements, and given the scope of the law, addressing its requirements early will be essential.

New Sheriff in Town

Perhaps the most significant development in the CPRA is the establishment of a new agency, the California Privacy Protection Agency, dedicated to handling enforcement and compliance with privacy regulations. This makes California the first state with an agency focused solely on enforcing privacy laws. This new agency will replace the California Attorney General in interpreting and enforcing the CCPA. The ultimate impact of the agency will develop as its members are selected and interpret its mandate, but it is clear from the CPRA that it has broad authority to bring civil and criminal actions.

Select Key Provisions

The CPRA is not an entirely new law – it is an extension and modification of the CCPA. It adds a number of new definitions and provisions that, in some cases, extend the scope of the CCPA and, in other cases, clarify the requirements of the CCPA. The result is that companies that already comply with the CCPA will need to revisit their policies and procedures to ensure compliance with the CPRA. Key provisions include:

  • Sensitive Data. The CPRA adds a definition of “sensitive data,” which includes government-issued identifiers, account log-in credentials, financial account information, precise geolocation, contents of certain types of messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation, and allows consumers the ability to limit the use and disclosure of sensitive data.
  • Data Breach Liability. The liability for data breaches under the CCPA has been expanded to include a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security. These kinds of breaches are common and raise the stakes for companies doing business in California. The CPRA also eliminates the 30-day cure period for bringing private actions – something that was more confusing than effective.
  • Annual Audits and Risk Assessments. Under regulations to be adopted by the new Agency, businesses that undertake high-risk processing will be required to have annual audits and regular risk assessments. In particular, such regulations would require businesses whose processing presents significant risks to consumer privacy or security to perform a thorough and independent cybersecurity audit annually.
  • Automated Processing Limitations. A new concept of “profiling” has been added to the CCPA, consisting of “any form of automated processing of personal information, . . . to evaluate certain personal aspects relating to a natural person, and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” The Privacy Agency is required to develop regulations addressing access and opt-out rights for this kind of technology, similar to the requirements of the EU’s General Data Protection Regulation.
  • Right to Correct Inaccurate Data. The CPRA adds the right to correct consumer data to the existing rights of notice and deletion.
  • Limits on Sharing Personal Information. In addition to restrictions on the sale of personal information, the CPRA extends many of those limits to the “sharing” of personal information. This change will expand the obligations of companies to comply with opt-out and similar requests.
  • Data Minimization. Similar to the GDPR, the CPRA adds concepts of data minimization, requiring companies to limit the personal information they collect to the type of information that is necessary for their operations, and to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.
  • Service Providers, Contractors and Third Parties. The CPRA places new contractual and direct obligations on service providers, contractors and third parties. In particular, the CPRA adds and revises existing definitions in the CCPA, and adds a new definition for contractors, which focuses on the business providing data pursuant to a written contract, prohibiting the contractor from sharing or selling the personal data, processing it for any purposes other than those specified in the contract or combining it with data received or collected through other means, with some limited exceptions. Moreover, the CPRA contractually extends the data protection obligations of the act to service providers, contractors and third parties, and requires service providers and contractors to cooperate with and assist businesses in providing requested personal information in response to consumer requests, and complying with correction or deletion requests. As we learned from the CCPA, an effective date in two years is a short time when it comes to compliance with complex privacy laws. Companies that have taken steps to comply with the CCPA will need to take concrete steps to comply with the CPRA, including:

Continue reading

Are your cybersecurity management practices reasonable? Do you know your risk tolerance? Are you covering all the cybersecurity bases that make up reasonable cybersecurity?

The California Consumer Privacy Act (CCPA) and other emerging laws require organizations to have “reasonable cybersecurity practices.” The challenge is that there is no accepted definition of exactly what “reasonable” means.

Addressing this challenge, Robert Braun, co-chair of JMBM’s Cybersecurity & Privacy Group, will participate as a panelist for the online interactive program Cybersecure LA2020: A Reasonable Approach to Reasonable Security sponsored by SecureTheVillage.

There is no one size fits all: Whatever “reasonable” is to mean, it must – at the very least – take into account the particular circumstances of the organization and the information it possesses. It would clearly be unreasonable, for example, to hold a small manufacturing company or nonprofit to the same standard as a large bank.

Join SecureTheVillage at CybersecureLA 2020 and learn how to think through your organization’s particular cybersecurity and privacy circumstances … the information you must protect … the laws and regulations governing protection … your own corporate risk-tolerance … and integrate these together into an information security management program that’s reasonable for your organization.

Register Now

Date:   Wednesday, October 28th

Time:   2:30 – 5:00 pm Pacific Time

Who should attend:  Board members. C-Level Executives. CFOs, Chief Risk Officers, Chief Information Security Officers. Anyone in the organization with management responsibility for information security. Trusted advisors.

Learn by doing: CybersecureLA 2020 is organized as an interactive workshop, taking advantage of online event capabilities including small group discussion, polls, surveys, and interactive Q&A.

You will learn to:

  1. Identify your cyber-risk exposure
  2. Explore your cyber-risk tolerance
  3. Know the key elements of reasonable cybersecurity
  4. Leave with a well-defined process to follow in identifying what reasonable security is for your organization.

Register Now For This Informative Program

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

About JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Shrems II – Groundhog Day, All Over Again

Past is Prologue

One of the keys to the European’s Union data protection regime has been the prohibition against transferring personal data from EU countries to jurisdictions that do not have regimes that, in the determination of the EU, provide adequate protection to consumers. Beginning in 2000 the U.S. – EU Safe Harbor Framework allowed U.S. companies to certify their compliance with EU data protection requirements, and facilitated the transfer of data between the EU and the U.S. On October 6, 2015, the Court of Justice of the European Union, the European Union’s highest court, overturned the Safe Harbor Framework. In response, the EU and the U.S., primarily through the Department of Commerce, developed International Safe Harbor Privacy Principles, commonly called the “Privacy Shield,” and a more robust framework was adopted, allowing substantially the benefits of the Safe Harbor.

On July 16, 2020, the CJEU held that the EU-U.S. Privacy Shield arrangement — which includes more than 53,000 participating companies — is invalid. The CJEU said in a press release that, in the court’s view, “the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities … are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.” The Court also said that the United States ombudsman is neither independent enough, nor has adequate authority, to provide an effective cause of action to guarantee the protections under EU laws and regulations.

In particular, the court said that the ombudsperson mechanism in the U.S. — a role created by the Privacy Shield arrangement — “does not provide data subjects with any cause of action before a body which offers guarantees” at the level of EU law. The CJEU said the ombudsperson, which sits under the U.S. Department of State, is neither empowered nor independent at an adequate level.

Impact of the Decision

Like the invalidation of the Safe Harbor, the rejection of the Privacy Shield is likely to create substantial disruptions in data transfers, a key to international trade, until a resolution is found. It is hard to overstate the significance of this decision. The U.S. Commerce Department estimates that the value of the transatlantic economic market at $7.1 trillion, and that a multitude of companies, large and small, rely on the ability to transfer personal, employee and other data from the EU to the U.S. The impact on individual firms will be wide: Continue reading

As a privacy and cybersecurity lawyer, I’m often asked by clients and potential clients about preparing a privacy policy – whether they need one, and how much it costs. And underlying the question is an assumption – privacy policies are really just formalities, and all they need to do is find the right form, or a competitor’s model, make sure to change the name and contact information, and they’re done.

They are right about one thing – any company that collects any kind of personal information needs a privacy policy. Laws throughout the world – not just in the United States, but in the European Union, Canada, Australia and elsewhere – have laws that require a privacy policy, some in great detail, others more generally. The California Online Privacy Protection Act, which went into effect in 2004, began this trend, and the advent of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California increased the details for privacy policies of companies under their jurisdiction, by requiring greater detail on the types of data collected, the uses of the data, and how consumers can limit the use of personal data.

There are also third parties that require privacy disclosures, including Google Analytics, a ubiquitous feature of commercial websites.

But they are wrong about what it takes to create a privacy policy. Using another company’s policy might be a starting place, but it takes much more. Assuming that all privacy policies are alike is a dangerous practice – if a company does not take the steps to ensure that the policy is accurate and complete, it increases, rather than limits, its liability. Companies must analyze their data collection practices and make sure that reality is reflected in the policy.

What is Included in a Privacy Policy?

While there are a wide variety of policies, they generally include some key elements:

  • Information about the business, including contact details;
  • The types of personal data that is collected;
  • How the data is used;
  • Whether and how it is shared with third parties; and
  • What does the company do to protect personal information?

Continue reading

Robert E. Braun, chair of JMBM’s Cybersecurity & Privacy Group, will be the keynote speaker for the webinar, Privacy and Information Security – Best Practices and Imperatives.

Date: Wednesday, May 27, 2020

Time: 2:00 PM Pacific Time

Register Now Continue reading

Leonard Lee of Thomson Reuters Legal Current interviewed Bob Braun, Co-chair of JMBM’s Cybersecurity & Privacy Group for a podcast titled, “Are You Practicing Social Media Hygiene?”

Listen to the podcast here.

In this brief podcast (18:28 minutes), Bob Braun discusses the risks that both companies and individuals face when posting information on social media.

Braun describes situations in which hackers spoof a company’s boss, based on real-time information posted on social media, resulting in unrecoverable monetary losses for the company.

“Posting information about yourself on social media can be used by a hacker to fool you or people you know,” he said.

Braun covers issues that individuals and employees should be aware of when using social media, including email.

“Sophisticated programs are easily available on the dark web. We are dealing with bad actors who are extremely skilled and creative,” he said.

“Habits on social media have to be consistent in business and personal lives.”

Listen to the podcast here. Continue reading

There’s no question that this is one of the most difficult times we have faced. The turnaround from nearly full employment to 3,000,000 new unemployment claims, the sequestration of two-thirds of the population, the closing of restaurants, entertainment venues, places of worship, mass furloughs and layoffs, the elimination of the social interactions which we thrive on – these are not normal times. And, moreover, the world that emerges from the Covid-19 pandemic will be very different from the world that preceded it.

So with all of this going on, when many of you are simply trying to see how you can survive and emerge from this crisis, why should you worry about privacy and security?

Things Will Return to Normal

Eventually – and hopefully not terribly long from now – life will gain a new normality. It won’t necessarily be business as usual, but it will be some kind of business, and one thing that will return are the laws and regulations that govern us now. Just as the California Attorney General has decided (as of now) not to delay enforcement of the California Consumer Privacy Act, the other strictures regarding privacy and security aren’t going away. The crisis will not cause the FTC to stand down on its enforcement of claims of unfair and deceptive trade practices, the Department of Health and Human Services will continue to enforce HIPAA, the federal banking regulators will enforce the Gramm-Leach-Bliley Act, and as soon as they can meet, electronically or in person, state (and perhaps even federal) legislatures will press for more stringent privacy and security laws and regulations.

Some Changes will be Permanent

One change that is likely to stick beyond the end of the crisis is the move to remote working. Many workers will find that they like to work at home. Many businesses will realize that keeping their workforce in offices is less productive and costly. The possibility that waves of Covid-19 or other viruses may continue will make working remotely more common. And the success of online meeting tools – Zoom, Webex and others – will make both workers and companies realize that while in-person meetings are important, they aren’t always necessary.

A side effect, and one that we are already seeing, is the need to protect the expanding edge of network environments. As networks expand from the physical dimensions of an office to homes, security profiles change. Firms will need to consider how to maintain a secure computing environment when they have less control over that environment.

Security and Privacy is an Asset

An effective and compliant privacy and security program is a valuable asset that can differentiate a firm from its competitors. Clients and customers are increasingly sophisticated and recognize that a company whose privacy policy is dated before 2020 has not addressed the new obligations of companies to protect the personal information of its clients, customers, employees and others is behind the times.

Moreover, there are increasing liabilities associated with poor security and non-compliance. It is unlikely that any entity that does business in California is unaware of the private right of action that the California Consumer Privacy Act grants to individuals whose personal information has been compromised because a company failed to maintain “adequate security,” and that individual plaintiffs may be awarded between $250 and $750 for failure to maintain adequate data security. Many other state proposals, as well as federal initiatives, include a similar private right of action. In the absence of a data breach, the CCPA includes an enforcement mechanism giving the California Attorney General the ability to seek damages of between $2,500 and $7,500 for each violation of the CCPA. The stakes for companies are high, and getting higher.

What to Do?

In a crisis, companies should take the time to prepare for the aftermath. Many firms should see how they can adapt their business operations to take advantage of new opportunities and fend off threats. Companies now have the ability to allocate resources to protect themselves from breaches and establish compliance programs, which they will not as business eventually ramps up again. Companies that look forward to the new business environment and prepare for it will survive and thrive; those that do not will be left behind.

The JMBM Cybersecurity and Privacy Group assists clients both in complying with laws and achieving real data and information security. For more information, contact Robert Braun (RBraun@jmbm.com) or Michael Gold (MGold@jmbm.com).

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

There’s no question that the novel Coronavirus, COVID-19, has created massive disruptions in our lives.  Those of us who can work are working remotely, social distancing has become the rule of the day, and while this will end, there is no sure end date in sight.

Even some things that we thought might be unalterable have changed – tax returns have been delayed, and multiple laws are modified to fit the times, whether they be a holiday from parking tickets (at least in Los Angeles), to extensions of unemployment insurance and sick leave.  But some things have not changed, and privacy laws are one of them.

Data Privacy and Security Laws Haven’t Changed

Privacy and security obligations under the European Union’s General Data Protection Regulation, protection of health data under the Health Insurance Portability and Accountability Act, financial privacy under Gramm-Leach-Bliley – all of these are still in place and being enforced.  Contractual obligations, for the most part, remain unaffected (although force majeure clauses and governmental action might provide some relief).

And enforcement of the California Consumer Privacy Act of 2018 by the California Attorney General remains scheduled for July 1, 2020, even if the recently amended regulations interpreting the act don’t become effective until after that.  Businesses throughout California have petitioned the Attorney General for a delay in enforcement while they contend with the disruptions of the current pandemic, without response from the AG.

Data Breaches Continue

One group that hasn’t been impacted by the COVID-19 pandemic has been data thieves.  Yesterday, a non-scientific sampling of headlines included:

If anything, the pandemic has given hackers new venues to seek out victims under compelling phishing campaigns.

What Has Changed?

Continue reading

Amended CCPA Regulations – Key Takeaways

On February 7, 2020, the California Attorney General issued a second draft of the regulations implementing the California Consumer Privacy Act of 2018 (the “CCPA”).  Interestingly, while the Attorney General had earlier stated that the final regulations would be substantially the same as the original regulations, the Attorney General has made a number of significant changes.

The amended regulations are a mixed bag.  In a number of areas, the regulations as initially proposed went beyond the scope of the CCPA; that has, in a number of cases, been rectified.  However, the amended regulations do retain the do-not-sell signal requirement and add restrictions on how service providers handle personal information.

Here are some key takeaways:

  • Notice Provisions. The “at collection” notice requirements, which have been problematic for many companies, have been expanded.  The amended regulation requires notices on “all webpages where personal information is collected,” as well as both on a mobile app download page “and within the app,” such as through the app’s download page or settings menu.  At the same time, the regulation answers a common question – oral notice would be allowed when information is collected in person or over the phone. The amended regulations add a requirement for a “just-in-time” notice for collection of personal information on mobile devices if “the consumer would not reasonably expect” the collection.  Compliance with this requirement will be challenging, and companies will need to consider what a consumer would reasonably expect.
  • Deletion Requests. The original regulations treated an unverified request to delete as a request to opt-out of sales.  The amended regulations allows companies to ask a consumer that has made an unverified request to delete if they would like to opt out of the sale of the personal information. Businesses would also be permitted to retain a record of a deletion request for the purpose of ensuring the consumer’s personal information remains deleted from the business’s records. And the new regulation also provides much-needed guidance regarding the deletion exception for data stored on backup systems; personal information does not need to be deleted unless the data in the backup system is restored to an active system or is accessed or used for a sale, disclosure or commercial purpose.

Continue reading

The FTC Speaks

On January 6, 2020, the Director of the Federal Trade Commission’s (FTC) Consumer Protection Bureau published a blog post with changes to the FTC’s approach to its orders and settlements of data breach enforcement actions.  One of the key elements of the report was a revision to the FTC’s routine enforcement practice to ensure that its remedial data security orders include greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.

Beyond greater detail guiding data security requirements, the blog post highlights that a core element of the FTC’s model for remedial orders is that senior management, on at least an annual basis, present the company’s written information security program to the board or other governing body for oversight and review, and that management certify to the FTC that the company has complied with data security obligations.

The Growing Role of Managers and Boards in Data Security

The decision by the FTC reflects a growing consensus about the roles and responsibilities of management and boards for the adequacy of enterprise programs to identify, evaluate, and manage data and information security risks.  While this is not the first time boards of directors have been held accountable for the security practices of the companies they represent, it shows that this obligation has become mainstream and should be noted by all companies, whether they are the victim of a breach or not.

The FTC’s endorsement of data security-related corporate governance approaches, safeguards, and third-party monitoring methods is likely to impact enforcement expectations of other regulators, whether state, federal or local, responsible for administering data security compliance and breach notification regulations.

Impact on Business

Businesses regularly collect vast amounts of personal information, and often are unaware of the extent, location and accessibility of that information.  Moreover, businesses rely on third parties to collect, store, and process data, and the responsibility for the protection of personal data – customer, client and employee data – is a hot potato.  Companies are only now reviewing their internal operations, as well as their relationships with vendors, to inventory their data and data collection practices.  The FTC’s rule makes it clear that the responsibility for the protection and privacy of personal information will reach to the top of the business. Continue reading