Does the CCPA Apply to Financial Institutions?

Posted on April 7, 2020 by Matthew Siegel

Despite the global pandemic, the California Attorney General will begin enforcing the California Consumer Privacy Act on July 1 as planned, so even in this new work-from-home environment, businesses must continue to work towards compliance and resolve any open issues. One question we’ve been asked is whether the CCPA provides a complete exemption for financial institutions. We address that question below.

The CCPA imposes new requirements on businesses that collect and maintain the personal information of California consumers. It is meant to apply broadly to nearly every type of business that meets certain thresholds, even those, such as financial institutions, that are already regulated by federal privacy law. The Gramm-Leach-Bliley Act regulates the collection and disclosure of much of the same type of personal information that is regulated by the CCPA, and imposes strict requirements on financial institutions to protect customer data and provide notice to customers about the information they collect and maintain. Under the GLBA, financial institutions are required to assess and implement controls for risks to customer information, with a focus on areas that are particularly important to information security, including employee training and management, information systems, and preventing and responding to attacks and system failures.

Read more ›
Tagged with: , , , , , ,
Posted in CCPA, Legislation, Privacy, Regulations

Cybersecurity Best Practices in the Remote-Working Environment

Posted on March 31, 2020 by Matthew Siegel

In the wake of the COVID-19 crisis, much of the workforce has shifted to working remotely, with many workers operating out of makeshift “offices” they created in their homes with little or no warning. Along with this remote work comes an increased cybersecurity threat. We recently issued a client alert to raise awareness about and help companies overcome these evolving challenges. The full alert can be found here. For the sake of brevity, however, we offer some quick tips below:

Read more ›
Tagged with: , , , , , ,
Posted in Data Security, Policies and Procedures, Privacy, Uncategorized

Eight Best Practices for Avoiding Data Breaches

Posted on March 6, 2020 by Matthew Siegel

As data breaches are on the rise, the old adage rings true: it’s not a question of if, but when. More companies are experiencing crippling breaches and the statistics are alarming:  According to IBM Security’s Cost of a Data Breach Report 2019, the average cost of a data breach is $3.9 million and the average cost per record lost is $150. There was a time when organizations argued (perhaps correctly) that they could not have anticipated being breached or, even if they were, the size and scope of the compromised data. Such arguments no longer hold water and, increasingly, regulators are examining the reasonableness of the data security practices that were in place at the time of the breach, which can lead to fines and penalties tacked on to an already costly situation.

Ann-Marie Luciano and Jawaria Gilani of our firm’s State Attorneys General Practice analyzed recent state Attorney General and FTC enforcement actions to identify eight data security best practices that companies can adopt to mitigate the likelihood of a breach. Their findings are summarized on the infographic that can be accessed here:

Avoiding-Data-BreachesDownload

Both our State Attorneys General and Privacy & Data Security Practice Groups are available to assist and take a deeper dive into the issues summarized above.

Tagged with: , , , ,
Posted in Data Breach, Data Security, Policies and Procedures, Standards

Plaintiffs Allege Security Promises Ring False

Posted on February 26, 2020 by Brian Kint

John and Jennifer Politi, purchasers of several Ring products, have filed a putative class action lawsuit against Ring, LLC arising out of Ring’s alleged failure to implement industry standard security features into its products.  The case has been consolidated with a similar case that was filed in the U.S. District Court for the Central District of California in December 2019.

The allegations in the class action complaint are certainly disturbing.  The Plaintiffs allege that they purchased various Ring products, including a video doorbell and outdoor and indoor video surveillance cameras.  They allege that Ring’s advertisements include statements that these products bring the purchaser “peace of mind.”  They also allege that Ring represents to its customers that privacy and security is “at the top of [Ring’s] priority list” and that Ring takes measures “to help secure Ring devices from unauthorized access.”

Read more ›
Posted in Internet of Things, Litigation

What Is A “Reasonable Link” Under CCPA?

Posted on February 14, 2020 by Brian Kint

On February 7, 2020, California Attorney General Xavier Becerra published modified regulations for the California Consumer Privacy Act after reviewing the public comments received on the initial draft regulations.  While the modified regulations provide some much-needed clarity, they also leave some notable gaps.  One of those gaps is the lack of clear guidance on what it means for a piece of data to meet the definition of “personal information” because it can be “reasonably linked” to a particular consumer or household.

The question is an important one.  The Act applies only to those entities that do business in California, collect consumers’ personal information, determine the purposes and means of processing that information, and meet one of three thresholds.  One of those thresholds is that the business “annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”

Given the magnitude of internet activity, that threshold may not be as high as it initially appears.  Businesses routinely collect the IP addresses of visitors to their websites and can tell when those IP addresses are associated with a California user.  If those IP addresses meet the definition of “personal information” and the business uses them for a commercial purpose, then, on average, only 140 Californians per day need to access the website for the business to meet the 50,000-consumer threshold.  Yet the business may collect further personal information, such as a name and shipping address, from a much more limited subset of those visitors.  For example, an e-commerce business may log hundreds of thousands of visits to its website from unique California IP addresses, but complete very few sales to California consumers.  Consequently, whether the Act applies to that business may turn on whether the IP address information meets the definition of “personal information” under the Act.     

Read more ›
Tagged with:
Posted in CCPA, Privacy, Regulations

Is Privacy Profitable?

Posted on January 31, 2020 by Brian Kint

It is evident that a company must invest in its privacy practices to meet legal requirements if it wants to avoid investigation costs and potential civil penalties.  But can investment in privacy, data security, and data management bring benefits to the organization beyond those of bare legal compliance?  A recent Data Privacy Benchmark Study by Cisco suggests that it can.  According to the study, the organizations surveyed realized healthy returns on their privacy spend.  And interestingly, organizations with more robust privacy programs generally got a better return on further investment.  The survey is admittedly subjective and imprecise.  For example, it simply asked survey participants to estimate the value of the return they received on their investment in privacy.  Nevertheless, at the very least the survey gives some valuable insight into some areas that organizations believe investing in privacy and data management has broader benefits.

Operational Efficiencies

Investments in privacy and data management can bring operational efficiencies to an organization.  As a company grows, its data management practices must grow with it.  For example, a small organization may be able to get along just fine with an ad hoc approach to data management that is not formalized, documented, or systematic.  As the business and its data inventory grow, however, such informal systems can become unwieldy and wildly inefficient.  Yet inertia or a failure to prioritize can lead to neglecting investment in privacy and data management.  Therefore, renewed focus and investment in a company’s data management practices can lead to less duplication, improved workflows, and cost reductions.  A well-planned approach is also more scalable, so that the organization can continue to reap the benefits of increased efficiency even as it continues to grow. 

Preventing & Mitigating Data Security Incidents

Investments in privacy and data management can also help companies avoid the costs associated with data breaches and other data security incidents.  Of course, investments in new technologies can help an organization keep its data secure.  But investment costs should go beyond technology as well.  Investments in training programs can ensure that all employees know the content and importance of the company’s privacy practices.  Training can also help employees avoid becoming victims of social engineering attacks that may compromise company data systems.  By investing in training and technologies that will help to prevent data security incidents, companies can save the costs of breach notification, customer ill will, litigation, investigations, and fines.    

Additionally, companies with robust privacy and data security practices can more quickly and efficiently respond to and recover from data security incidents should they occur.  An updated, comprehensive, and rehearsed incident recovery plan can help a company avoid extensive revenue loss by quickly getting critical systems back online after a data security incident.  This is truly a case where an ounce of prevention is worth a pound of cure and continuing investment now can save a company countless dollars later. 

Increased Sales

Privacy is becoming a key touchpoint with consumers.  This is evident in Apple’s recent push to tout the privacy features of its latest iPhone.  This benefit, however, is not limited to companies that look to market privacy overtly.  Both consumers and the law increasingly demand that companies are transparent about their privacy practices.  No company wants to disclose privacy practices that show it is woefully behind its competitors or standard practices.  A commitment to privacy, on the other hand, is likely to result in better sales, brand recognition, and customer loyalty. 

Companies that act as vendors or service providers can also benefit substantially from investments in privacy.  Clients of these companies do not want to risk their own reputations by engaging vendors or service providers with questionable privacy practices.  Due diligence with respect to privacy and data security is increasingly becoming a key part of vendor management.  These companies, therefore, must ensure that their privacy practices meet or exceed industry standards, or else they risk losing key contracts and relationships with their clients. 

Here, investment in privacy certifications can play a key role.  Certifications such as EU-US and Swiss-US Privacy Shield, APEC Cross-Border Privacy Rules (CBPR), and ISO/IEC 27001 or ISO/IEC 27701 can serve as important proxies for signaling an organization’s commitment to privacy.  Investment in gaining and maintaining such certifications can reduce transaction costs by giving potential customers an easily and quickly recognizable sign that a company’s privacy and data management practices are in line with industry standards and best practices.      

Increased Investment

Investing in privacy and data management can make an organization more attractive for investment.  Well informed investors may scrutinize a public company’s privacy practices when deciding whether to invest.  The Securities and Exchange Commission has issued interpretive guidance on disclosure of cybersecurity risks and incidents, recognizing that these subjects can materially affect investment decisions.  Senators have introduced a bill that would require publicly traded companies to disclose cybersecurity expertise at the board level.  In such an environment, a public company that lags behind on its investments in privacy and data security risks leaving investor money on the table. 

Similarly, companies in the mergers and acquisitions market should view investment in privacy and data security as essential to maximizing the company’s value.  Acquiring companies are putting increased emphasis on the privacy practices of target companies in due diligence.  After all, no one wants to purchase a company that is at risk of becoming a financial burden due to costs associated with prior data breaches or sloppy data management practices.  In addition, the more developed a company’s data management practices are, the more cleanly the acquiring company can integrate them into its own systems and operations.  Simply put, organizations that have invested the time and money to ensure their privacy practices are solid and up to date make more enticing targets than those that have not.

Successful businesses are those that properly determine where they should deploy their limited funds to get the best return on investment.  Recent trends show that investment in privacy and data security are an important part of that conversation.  

Tagged with: , ,
Posted in Data Security, Privacy

In Search Of A Federal Data Privacy Law

Posted on January 16, 2020 by Brian Kint

In the absence of a comprehensive federal data privacy and data security law, states continue to fill the gap. The California Consumer Privacy Act took effect on January 1, 2020, and several other states have similar laws under consideration. Nevertheless, in search of a federal solution, two data privacy laws, one from each side of the aisle, are spurring debate in the Senate. Senator Maria Cantwell (D-WA) and several of her Democratic colleagues have introduced the Consumer Online Privacy Rights Act (COPRA), while Senator Roger Wicker (R-MA) has unveiled the United States Consumer Data Privacy Act (CDPA). Both bills share many similarities, but the differences between them are significant as well.

What Entities Are Covered?

COPRA would apply to any entity that is subject to the Federal Trade Commission Act and processes or transfers covered data. CDPA would cover those entities as well, along with common carriers and non-profit organizations. Both bills have exceptions for small businesses, and both bills define a small business as one that over the preceding 3 years, on average, had annual gross revenues of $25,000,000 or less, processed the covered data of less than 100,000 individuals or devices, or derived less than 50 percent of its revenue from transferring covered data. While COPRA excludes these small businesses completely, CDPA excludes them only from the right to access, correction, deletion, and portability provisions along with data minimization requirements.

What Data Is Covered?

Both bills make a distinction between “covered data” and “sensitive covered data.” Both bills similarly define covered data generally as information that identifies or is linked or reasonably linkable to an individual or consumer device. The COPRA definition, however, also specifically includes “derived data,” which it defines as data that is derived from other information sources about an individual, household, or device. Both bills exclude deidentified data, employee data, and publicly available information from the definition of “covered data.” CDPA also excludes aggregated data from its definition of covered data.

Read more ›
Tagged with: , ,
Posted in Data Security, Legislation, Privacy

Google Partners with Ascension To Store and Analyze Millions of Patient Health Records

Posted on November 20, 2019 by Gregory Fliszar

Google has confirmed that it is working with Ascension, one of the nation’s largest health systems in a project that will involve the health data of millions of Americans.  Google and Ascension have partnered in a project to store and analyze patient data with the intended goal of using Google’s artificial intelligence tools to enhance patient care and medical decision making.  As a result of this partnership, it has been estimated that over 100 Google employees may have access to sensitive patient data such as name, birth date, diagnoses and treatments.  Such access by Google to millions of patient’s health data has resulted in some concern over how the data will be protected, including a recently announced inquiry into the relationship by the U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”).  OCR has stated that it “would like to learn more information about this mass collection of individuals’ medical records with respect to the implication for patient privacy under HIPAA.”  Ascension has said that the project with Google has complied with the law and followed the healthcare organization’s “strict requirements for data handling.”

We will continue to follow this important story.  Several other tech companies continue to try to gain a bigger share of America’s health care market, which will all have to be balanced with patient data privacy and security concerns.

Posted in Data Security

New York AG Files Lawsuit Against Dunkin’ Donuts For Attacks On Customer Accounts

Posted on October 14, 2019 by Brian Kint

On September 26, 2019, New York Attorney General Letitia James filed a lawsuit against Dunkin’ Brands, Inc., the franchisor of Dunkin’ Donuts (“Dunkin’”).

The lawsuit involves security issues surrounding Dunkin’s stored value cards, which customers can use to purchase Dunkin’ food and merchandise.  Customers can create an online account through Dunkin’s website or mobile app, and then manage their card though that account.  Customers can store credit card information in their account to “reload” their cards.

The lawsuit alleges that beginning in early 2015, Dunkin’ customer accounts were targets of credential stuffing attacks (i.e., repeated attempts to gain access to an account through the use of username and password combinations that were previously stolen in an unrelated data breach).  If successful in logging in to a customer account, the attackers could access to the customer’s name, email address, profile id, and the card numbers and PINs for all Dunkin’ stored value cards associated with the customer’s account.  By August 2015, over 19,000 customer accounts had allegedly been compromised.

The lawsuit alleges that Dunkin’ was aware of these attacks as early as May 2015, but failed to take any remedial action for several years.  The developer of the Dunkin’ mobile app noticed higher than expected traffic, consistent with a credential stuffing attack, and alerted Dunkin’ in June 2015.  But, according to the lawsuit, Dunkin’ did not investigate the issue, implement additional security measures, or take steps to identify customer accounts that might have been compromised.

Then, in the fall of 2018, attackers gained access to more than 300,000 customer accounts through credential stuffing attacks.  Approximately 175,000 of those customer accounts had at least one stored value card associated with it.  According to the lawsuit, while Dunkin’ notified the affected customers in November 2018, that notification implied that unauthorized third-parties may have attempted to log in to the customer account, where in fact, those customer accounts had actually been accessed by an unauthorized party.

The lawsuit asserts causes of action under New York law for repeated and persistent fraudulent business conduct, deceptive business practices, and false advertising.  It also alleges violation of New York’s data breach notification law.  The lawsuit alleges that Dunkin’ violated those law by misrepresenting to its customers the steps Dunkin’ took to safeguard customer accounts, failing to properly investigate and provide notification of the breaches, and misrepresenting the nature of the attacks.

The case illustrates the importance of acting quickly to remediate and investigate suspected data breaches and thoroughly documenting the resulting analysis and course of action.  For example, Dunkin’ stated that the accounts breached in 2015 did not contain any customer payment card data, and therefore, customer notification was not necessary.  Comprehensive documentation of the steps Dunkin’ took to make this determination could provide powerful evidence that it did not violate the law.  With regard to the 2018 breach, Dunkin’ states that it properly notified affected customers.  Again, documentation of the steps that Dunkin’ took to identify compromised accounts and mitigate the risk of harm to its customers will be a key component of its defense.

Posted in Data Breach, Data Security

Privacy Primer: Family Educational Rights and Privacy Act (FERPA)

Posted on September 4, 2019 by Brian Kint

FERPA is a U.S. law, passed in 1974, that protects the privacy of student educational records.  FERPA applies to all schools, from elementary schools to postsecondary education institutions, that receive federal funds under a program of the U.S. Department of Education.  FERPA and the regulations promulgated under it provide a right to inspect educational records, a right to request amendment of educational records, and a right to privacy of educational records.

First, the rights under FERPA apply to “educational records,” which are records that are directly related to a student and are maintained by the educational institution or by a party acting on the institution’s behalf.  Educational records, however, do not include, for example, personal notes, records of law enforcement units (i.e., campus police), or employment records of students who may also be employees of the institution.

The right to inspect educational records initially belongs to parents.  Once a student turns 18 or attends school beyond the high school level, he or she becomes an “eligible student,” and the inspection rights transfer from the parent to the student.

Parents or eligible students have a right to review the student’s educational records and request that the school amend records that they believe are inaccurate, misleading, or in violation of the privacy rights of the student.  If the school does not make a requested amendment, the parent or eligible student has a right to a formal hearing with the school.  If the school decides not to make the requested amendment after the hearing, the parent or eligible student has the right to place a statement in the record as to why he or she believes the information is inaccurate, misleading, or in violation of the privacy rights of the student.  Any time the school discloses the disputed part of the record, it must also disclose the parent or eligible student’s statement.

Covered institutions generally cannot disclose to a third party any personally identifiable information from an educational record of a student without the parent or eligible student’s written consent.  The written consent must specify the records that the institution can disclose, the purpose of the disclosure, and to whom the institution can make the disclosure.

Covered institutions, however, can disclose personally identifiable information from an educational record without written consent to the following parties for the following reasons:

  • To school officials who have a legitimate educational interest in the information
  • To officials of another school for purposes related to a student’s enrollment in or transfer to that school
  • To certain federal officials or state and local educational authorities
  • To appropriate parties in connection with a student’s application for financial aid
  • To organizations conducting studies for a school to develop, validate, or administer predictive tests, administer student aid programs, or improve instruction
  • To accrediting organizations
  • To comply with a judicial order or lawfully issued subpoena, after making a reasonable effort to notify the parent or eligible student of the order or subpoena before disclosure, so that the parent or eligible student may seek a protective order.
  • To appropriate parties in connection with a health or safety emergency
  • To comply with laws regarding registered sex offenders
  • To parents of eligible students at postsecondary education institutions who are under 21 and commit a disciplinary violation with respect to the use or possession of alcohol or a controlled substance
  • To appropriate parties in connection with disciplinary proceedings at postsecondary education institutions, provided that the student is an alleged perpetrator of a violent crime or non-forcible sex offense and has committed a violation of the institution’s rules or policies

 

Covered institutions can also disclose “directory information” without written consent.  Directory information consists of information that would not generally be considered an invasion of privacy if disclosed, such as a student’s name, address, telephone number, e-mail address, field of study, grade level, enrollment status, dates of attendance, or degrees, honors, and awards received.  Before disclosing directory information, however, the institution must give notice to parents and attending students as to what categories of information it consideres directory information and give them a reasonable opportunity to opt out of having any or all of those categories of information designated directory information for the particular student.

The Department of Education is responsible for enforcing FERPA.  There is no private right of action, but parents or eligible students who believe an institution has violated FERPA can file a complaint with the Department of Education’s Office of the Chief Privacy Officer.  The Office will investigate the claim and issue findings.  If it determines that the institution violated FERPA, it may set forth corrective actions that the institution must take.  If the institution fails to take such corrective actions within a reasonable time, as set by the Office, the Department can withhold further payments to the institution or terminate the institution’s eligibility to receive funding under any Department program.

Tagged with: ,
Posted in Privacy
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs