While the pandemic has brought economic downturn to many industries, a recent uptick in data security breaches suggests business is booming for cybercriminals. Universities and health care institutions dealing with the coronavirus have been particularly targeted by hackers attempting to exploit the current climate of confusion, urgency, and stress. In this post, we discuss the attacks and provide steps organizations can take to prevent and respond to breaches.
On November 3, 2020, Californians will vote on whether to approve a ballot initiative to enact a new California Privacy Rights Act (CPRA). If, as current polling suggests, California voters pass the CPRA into law in November, it will significantly revise the California Consumer Privacy Act (CCPA) of 2018, which entered into force only in January of this year.
The CPRA expands the provisions of the CCPA, removes the ability of businesses to remedy some violations before they are penalized, and creates a new agency – the California Privacy Protection Agency – to implement and enforce it. The CPRA’s substantive provisions would take effect on January 1, 2023, but its new obligations would apply to personal information collected after January 1, 2022.
Even with states easing COVID-19 related restrictions, suggestions that social distancing could last through the summer (or even longer) have led many companies that traditionally rely on in-person promotional visits to consider other options. One obvious alternative is telephone or text marketing, but companies that are new to the practice should be aware of the numerous federal and state laws and regulations governing telemarketing, which impose significant fines or statutory damages for violations. In one notable example, Dish Network was assessed $280 million in penalties in an action brought by the FTC and state attorneys general for alleged violations of the Telemarketing Sales Rule (TSR) and related state laws, and in a separate class action, plaintiffs were awarded $61 million in statutory damages.
Both the federal government and all 50 states plus the District of Columbia have laws applicable to the use of telephones for marketing purposes. Some of the restrictions may also apply to non-marketing communications. This post provides a high-level overview of the rules applicable to the space; but before engaging in telemarketing activities, companies should be sure to review both federal and state laws to ensure their practices are fully compliant.
On June 1, 2020, the Office of the California Attorney General submitted its final proposed CCPA regulations to the California Office of Administrative Law (OAL) to review for compliance with the California Administrative Procedures Act. The text of the final proposed regulations is the same as the second set of modifications, released on March 11 and summarized here. Accompanying the proposed regulations is a Statement of Reasons setting out modifications from the initial proposed text of the regulations published on October 11, 2019. If the regulations are approved by OAL, the final text will be filed with the California Secretary of State and will become enforceable. The core provisions of the CCPA became operational on January 1, 2020, and the AG may bring enforcement actions under the CCPA as of July 1, 2020, although it could not premise enforcement actions on its regulations until they are final.
In addition to the adoption by the European Data Protection Board (“EDPB”) of Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, various other European guidance regarding the use of data and technology in connection with COVID-19 has also been published.
On April 21, the European Data Protection Board (“EDPB”) released guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (“Guidelines”).
The Guidelines note that the GDPR includes various provisions which permit health data to be collected and processed for scientific research purposes connected with COVID-19 and also envisages specific derogations to the prohibition on processing certain special categories of personal data, such as health data, where necessary for scientific research purposes.
Karl Racine, the first elected Attorney General for the District of Columbia, will likely be more of a factor when responding to data breaches in light of a new Washington, D.C. law, which passed at the end of March. Slated to take effect by June 12, 2020, the new Security Breach Protection Amendment Act of 2019 requires entities to maintain “reasonable security safeguards,” significantly expands the definition of “personal information,” imposes new requirements to notify the Attorney General’s Office, and mandates 18 months of free credit monitoring for breaches involving social security or tax identification numbers.
Recognizing the increasing prevalence of data-driven solutions in combatting COVID-19 and the numerous related privacy concerns, on April 21, the EDPB adopted guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (“Guidelines”).
The Guidelines clarify the conditions and principles for proportionate use of location data and contact tracing tools for two particular purposes: (i) the use of location data to support the response to the pandemic by modelling COVID-19’s spread to calculate the overall effectiveness of confinement measures; and (ii) contact tracing, which aims to notify individuals that they have been in close proximity to an infected individual, to break the contamination links quickly and combat the virus’ spread.
On 5 May 2020, the Information Commissioner’s Office (ICO) published a blog setting out the Information Commissioner’s new priorities for UK data protection during COVID-19 and beyond. This follows on from the document published on 15 April 2020, in which the ICO promised an “empathetic” approach to its enforcement of data protection laws during the coronavirus outbreak, prioritizing areas likely to cause the greatest public harm and directing its services towards providing guidance for organizations about how to comply with the law during the crisis.
In news that will no doubt alarm many of the airline’s passengers, easyJet plc (easyJet) has confirmed that it has suffered a serious data breach affecting nine million customers as the result of a cyber-attack. In addition to certain personal data including email addresses and travel details, the credit card details of 2,208 customers have apparently been impacted and the UK Information Commissioner’s Office (ICO) has been informed.