European Privacy: Complexity and High Stakes

Europe has the world's strongest data protection laws, and highest potential sanctions for non-compliance (€20MM or 4% of global revenue, not to mention criminal penalties!), so it makes sense for privacy professionals with global responsibility to become well-versed in European data protection law.  After working intensely in 2017 and 2018 to help my colleagues in Europe establish a GDPR program for one of the world's largest consumer-facing companies, and having remained actively involved in European data protection matters since, I finally felt I had the knowledge and experience to pursue certification in European data protection from the International Association of Privacy Professionals.  Today, I received that certification. 

According to the IAPP, which is the world's premier (and largest) data protection certification organization, a CIPP/E designation means one has "the comprehensive...knowledge, perspective and understanding to ensure compliance and data protection success in Europe." To demonstrate mastery of the field, all applicants must pass a rigorous exam which covers all of the topics listed here, including European legal frameworks, institutions, history, treaties, private sector laws, public sector laws, national laws, norms and standards, and best practices.

If you have an interest in obtaining the CIPP/E designation, I'd be happy to talk with you about it, and specifically how I studied for the examination.

Going forward, I might be posting more content to this blog relating to European data protection (I've been writing and speaking about it since 2015), if the posts receive enough traffic to indicate interest.

(P.S.- Special thanks to my friend and brilliant Italian lawyer Fabio Svizzero for the many hours spent explaining the nuances of EU data protection law and customs!)

New York SHEILD Act becomes effective (in part) today

Back in July, the State of New York adopted the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), which operates as an amendment to New York's existing data breach notification statute.  Certain parts of the SHEILD Act become effective today:

• The breach notification provisions formerly applied only to those conducting business in New York.  Now, like many other state breach notification laws, the statute applies to any person or business that owns or licenses private information of a New York resident.
• A security breach will now include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, which is intended to include most ransomware.  ("Acquisition" of data is no longer required.)
• "Private information" will now include biometric information, as well as a username/email address in combination with a password or security questions and answers, and account numbers  (including credit/debit card numbers) even without a password or code if the account could be accessed without a code.

In addition, beginning March 21, 2020, New York will join other states in requiring companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information.

Proposed Regulations Implementing the California Consumer Privacy Act

California's Attorney General released proposed regulations implementing the California Consumer Privacy Act yesterday (10/10), and at first glance, I'm disappointed.  I'm still digesting them, and will probably post more later, but you can read them for yourself here.  The AG's press release is here.  The AG's "Fact Sheet" is here.

The draft regulations are out for public comment until December 6. Make your voice heard! The Attorney General will consider  comments and may revise the regulations in response. Any revision will trigger an additional 15 day public comment period.  Following the comment period(s), the AG will submit the final text to the Office of Administrative Law, which has 30 business days to review the regulations before they will go into effect.  In other words, the regulations will not be final before the January 1 compliance deadline. 

Although the AG will not begin enforcing the regulations until July 7, 2020, I predict the plaintiffs' bar will be initiating actions soon after January 1. 

Sorting Through the CCPA Amendments

The legislative session of the California Legislature effectively ended on Friday in a flurry of activity. Privacy and data security lawyers have been closely monitoring the many amendments to the California Consumer Privacy Act. Several of those amendments are now dead, a couple failed to pass but are being held over until the next legislative session, and a handful of amendments passed. Here is my quick take (but stay tuned for more in-depth analysis as I have time to delve deeper):

The highlights of the amendments approved by the legislature are as follows:

• The most important amendment for most organizations, and the one I have been watching most closely, is Assembly Bill 25.  Because the original language of the CCPA defined "consumer" as a "natural person," there was some uncertainty regarding the application of the law to employee data.  AB 25 was originally intended simply to make clear the original intent of the legislature that employees are not considered "consumers" per se (unless and to the extent they actually are consumers).  However, following some lobbying, AB 25 was altered, and now provides only a partial, time-limited exemption for employee (and applicant) data collected solely within the context of that role.  Businesses will need to create the notice described in the CCPA (Sec. 1798.100(b)) and provide it to employees by January 1.  The private right of action relating to data security breaches will apply to employee data, and the law will expire on January 1, 2021, when, one hopes, it will be replaced by a well-thought-out employee privacy law.  In addition, AB 25 made explicit a business's right to require reasonable verification before honoring a consumer request (DSR), and made clear that if a consumer has an online account, the business may require any requests (DSRs) to be submitted through that account.
• AB 1202 requires annual registration by data brokers (defined, more or less, as a business that collects and sells personal information despite not having a direct relationship with consumer.  The meaning of "direct relationship" remains in question, however. (Can merely clicking on an ad create a direct relationship?)
• AB 1146 creates exemption for vehicle ownership information which is intended to address warranty and recall concerns. 
• AB 1564 modifies the required methods for consumer requests (DSRs).  It retains the two earlier methods…a toll free telephone number and a website address, if the business has a website. It adds, however, a provision that says if business is exclusively online, and has a direct relationship with the consumer, the business only has to provide an email address.
• AB 874 modifies the definition of “personal information” by adding the word “reasonably” in front of “capable of being associated with,” so that theoretical but extremely difficult re-identification methods can be disregarded.  It also corrects an error to make it more clear that "personal information" doesn’t include de-identified or aggregated consumer information.  It also simplifies what is meant by “publicly available.”
• AB 1335 is a bit of a catch-all technical corrections bill that makes technical corrections regarding how "specific pieces" of information are furnished, the applicability to 16-year-olds, and--importantly--corrects the previously inscrutable phrase "reasonably related to value of the consumer data to the consumer," which appeared to mandate clairvoyance on a massive scale. It clarifies that the data breach liability safe harbor is available if data is encrypted or redacted (rather than both encrypted and redacted...which would have been plain weird), and addresses the sticky issue of business contact information.  Finally, there is a carve-out for activities authorized under the Fair Credit Reporting Act.  
• Not to be overlooked is AB 1130, which adds biometric data to the state’s data breach notification law (it was already in the CCPA definition). In effect, this creates a private right of action if a data security breach includes biometric information.  

Before becoming law, the amendments must be signed by the Governor of California, who has 30 days to sign them (if he fails, it's called a "pocket veto" and they fade into non-existence).

Amendments That May Rise From The Grave

Two bills which did not pass but which may (apparently) be revived in the next session are AB 846 and AB 1138. The first would have clarified that consumer loyalty programs are permissible. The second would have required parental consent for minors (younger than 18 years old) to use social media.  A consumer loyalty program bill would have been immensely helpful for consumer-facing retailers! *cough*

Dead Amendments

The "dead" amendments include those that would have (i) created an express private right of action for any violation; (ii) required disclosure of the average value of personal information; (iii) removed the “Do Not Sell” link requirement; (iv) required removal of social media information; (v) created an exemption related to government agencies; and (vi) created a carve-out for certain insurance transaction data. (See AB 981, AB 1416, AB 288, AB 873, SB 561, SB 753, AB 950 and AB 1760.)

No Action from Attorney General

California's Attorney General Xavier Becerra is required to promulgate regulations implementing certain aspects of the CCPA, but has not yet issued any proposed rules.  Perhaps he anticipated the amendments and did not want to propose rules until the legislature had adjourned and the CCPA was more or less final (for now).  Although the CCPA becomes effective on January 1, the AG cannot bring any enforcement actions until the earlier of (a) the date on which he promulgates final rules or (b) July 1, 2020.  Once the AG proposes rules, there will be a delay before they become final and enforceable: there must be a 45- day public comment period, and, if comments result in changes, there will be another 15- to 45-day waiting period.  Accordingly, it seems unlikely that the AG will be enforcing the CCPA before July 1.  Note, however, that many commenters speculate there could be retroactive enforcement, and certainly there could be private litigation before the AG's enforcement deadline, so organizations should keep their focus on the January 1 deadline. 


I hope this quick summary is helpful.  Much more will be said about each of these bills in the coming days.  

Know A Bit Aboot Canadian Privacy Law, Eh?

It's widely acknowledged that data protection law in Canada has long been more robust and strict than here in the United States.

In 2019, the Privacy Commissioner of Canada signaled an intention to interpret Canada's laws even more strictly, and indicated a desire to propose to the Canadian Parliament changes to the Personal Information and Electronic Documents Act and the Privacy Act which would bring Canadian law more into line with Europe's GDPR.  In light of this, and my responsibilities for international privacy compliance, I began studying Canadian federal and provincial data protection law in earnest, and recently became credentialed by the International Association of Privacy Professionals as a Certified Information Privacy Professional in Canadian data protection law and practice (CIPP/C).

According to the IAPP, which is the world's premier (and largest) data protection certification organization, a CIPP/C designation means "you have an understanding and application of Canadian information privacy laws, principles and practices at the federal, provincial and territorial levels."  To demonstrate mastery of the domain, all applicants must pass a rigorous exam which covers all of the topics listed here, including Canadian legal frameworks, private sector law, public sector law, healthcare sector laws, financial sector laws, provincial laws, norms and standards, and best practices.

If you have an interest in obtaining the CIPP/C designation, I'd be happy to talk with you about it, and specifically how I studied for the examination.

Stay tuned, as I may be posting more content to this blog relating to Canadian data protection in the future.

What's in your wallet? Maybe someone else's hand! (How to protect yourself following the Capital One breach)

What Happened?

Capital One, a major credit card issuer headquartered in Virginia has disclosed a data security breach that affected around 100 million individuals in the US and around 6 million in Canada.

The perpetrator sought information relating to individuals who had applied for credit card products between 2005 and 2019, potentially accessing names, addresses, email addresses, phone numbers, dates of birth and self-reported income, as well as 140,000 social security numbers and 80,000 bank account numbers in the US and million social insurance numbers of Canadians. Capital One claims the hacker did not gain access to credit card account numbers, and Capital One believes it has fully remediated the vulnerability that lead to the breach.

What You Can Do To Protect Yourself

If you believe your personal information may be at risk as a result of this incident, you can take some steps to protect yourself. Here are some suggestions:

1. Check your Capital One account online for unauthorized charges. Log in to your account (from a secure connection and trusted device, as always) and search your recent transaction history for any unfamiliar transactions. If you see any unauthorized charges, follow Capital One's process to dispute the validity of those charges immediately.

2. Change your password for your online Capital One account. It's a good idea to periodically change your passwords anyway. Do not re-use a password that you have used (anywhere) before. Ensure your password is long and complex. (Here's what NIST has to say about password length and complexity).

3. Check your credit, if you haven't done so recently. You're entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting companies. Order your reports online from annualcreditreport.com, the only authorized website for free credit reports, or call 1-877-322-8228. You will need to provide your name, address, social security number, and date of birth to verify your identity. Review the reports to ensure they show only accurate, legitimate lines of open credit (e.g., your mortgage, credit card, etc.).

4. Consider a credit freeze. Placing a security freeze on your credit reports can prevent an identity thief from opening a new account or getting credit in your name. State laws, including North Carolina's state law, allows residents to set up and manage security freezes free of charge, and beginning in September of last year, federal law gives all Americans similar rights. To implement a security freeze, you will need to contact each of the three credit bureaus online:

• Equifax
• Equifax.com/personal/credit-report-services
• 800-685-1111
• Experian
• Experian.com/help
• 888-EXPERIAN (888-397-3742)
• Transunion
• TransUnion.com/credit-help
• 888-909-8872

Be prepared to provide authenticating information, such as:

• Your Full Name
• Your Address
• Your Date of Birth
• Your Social Security Number

When you put a security freeze in place, the credit bureau will send you confirmation of the freeze along with information on how to remove the freeze, which may include a PIN (Personal Identification Number) or password. The information should be sent to you no later than five business days after placing the freeze. Don't lose your PIN/password! If you want to apply for a new line of credit, you can request that a freeze be lifted for a specified period of time or removed by making the request to the credit bureaus and providing proper identification. The credit bureaus must lift or remove a freeze within one hour if you request by telephone or online.

5. Take advantage of the free credit monitoring and identity protection services that Capital One will soon be offering. (Details to follow soon, we assume. Check Capital One's website.)


Take care of yourselves, and good luck!

Washington's privacy bill seems dead, but a data security bill passes

Privacy and data security law are essentially moving targets.  Take for example recent events in the state of Washington.

Last month, I wrote about a bill introduced in the state legislature of Washington that would mimic the California Consumer Privacy Act, but would be even more strict in some cases. 

It has been a rollercoaster ride for the bill's sponsor and supporters.  The bill originally enjoyed overwhelming support in the Senate, but later, after stalling in a House committee, the bill seemed dead; the state's Chief Privacy Officer thought the bill was doomed. 

Just days later, a data security bill was approved by the legislature and presented to the Governor for signature.  (It seems likely that the data security bill is being adopted instead of the privacy bill.)

As amended, the data security bill will:

• expand the definition of "consumer information" for purposes of triggering the breach notification requirements;
• address breaches that specifically involve usernames and passwords;
• provide a 30-day notification timeframe; and
• add information to be included in breach notifications.

You can read the data security bill here.

Utah Expands Privacy Protections For Data Held By Third Parties

Utah's Governor Gary Herbert is expected to sign a privacy bill in the next few days following unanimous approval in the state's legislature. This bill is particularly interesting (at least to privacy law geeks like you and me) for two reasons:

First, this bill diverges from the general trend. The bill's primary effect is to limit law enforcement's access to electronic data. (The general trend in the United States over the past two decades has been to grant law enforcement greater access to electronic data while gradually restricting data access and sharing in the private sector.) In the United States, law enforcement agencies are generally permitted to access data that is shared with a third party without a warrant, if the third party (not the individual data subject) consents. Many of the large custodians of consumer data routinely grant access to government agencies without demanding a warrant. The U.S. Constitution's 4th Amendment, which prohibits unreasonable searches and seizures, generally has not been applied to information in the custody of a third party.

Second, bills like this could eventually make trans-Atlantic data transfers easier.  One of the primary sources of tension in the context of cross-border personal data transfers is the difference between the U.S. government's relatively easy access to these data repositories without strict procedural protections versus the European Union's General Data Protection Legislation, which calls for strong protections around consumer data. If other states, or the federal government, follow Utah's lead, the U.S. could move closer to becoming a jurisdiction with "adequate" privacy protections, for purposes of the GDPR.

The bill, titled simply "The Electronic Information or Data Privacy Act,"

• makes clear that the "owner" of data is the individual who transmits electronic information or data;
• requires, with some exceptions, a search warrant to obtain certain electronic information or data in the custody of a third-party (other than the owner);
• requires, with some exceptions, notification that electronic information or data was obtained;
• provides for transmission of electronic information or data to a remote computing service, including restrictions on government entities;
• excludes from evidence certain electronic information or data obtained without a warrant; 
• defines and re-defines certain terms; and
• makes some technical and conforming changes.

You can read the bill's full text for yourself here.

Will the "Washington Privacy Act" be the aftershock to the CCPA's seismic shift?

California has been getting most of the attention lately for the California Consumer Privacy Act, but Washington may be following closely behind with its own bold new privacy statute.  Senate Bill 5376 has been approved by the state's Senate and is currently before the House (in the Environment, Energy & Technology Committee as of the date of this post).  The current version can be viewed here. 

"Washingtonians cherish privacy as an element of their individual freedom..." the bill begins (somewhat awkwardly), and takes off from there.  Briefly, here are some highlights:

• Jurisdiction resembles the CCPA. It applies to entities that conduct business in Washington or intentionally target residents if they (a) processes personal data of 100,000 consumers; or(b) derives over fifty percent of gross revenue from the sale of personal data and process personal data of 25,000 consumers.
• The controller/processor paradigm is clearly set out, reflecting the influence of HIPAA and international laws.  Controllers and processors share liability under a "comparative fault" framework.
• Access, correction, and deletion rights are all specifically conferred (not unlike CCPA and GDPR).  These are each subject to "verification" of the request.  
• Consumers have a right to information regarding a controller's sharing of their data (by category) with processors, and processors must cooperate with controllers to fulfill opt-out, correction, and deletion requests from consumers. 
• Consumers are given the specific right to opt out of "targeted advertising" by controllers, and third-party processors must honor the request.
• Consumer requests should be fulfilled within 30 days, but the timeline can be extended by 60 days if necessary. 
• Risk assessments (similar to privacy impact assessments) are mandated for all new processing of personal information or material changes.  This is not limited to processing of sensitive data.  If the risks are substantial, consumer consent is required.  The AG may inspect risk assessments, but otherwise they are confidential.
• There are healthcare carve-outs; it doesn't appear to be intended to overlap with HIPAA.
• The use of facial recognition (a) for decision-making with "significant effects" or (b) by the government is specifically restricted.
• There is no private right of action created by the statute.
• The AG will enforce the statute, but there is a 30 day cure period. 
• An "office of privacy and data protection" is created, and (all of) the civil penalties extracted from violators by the AG will be used to fund it.

The statute would become effective July 1, 2021.  Stay tuned!

The (Revised) Proposal to "Strengthen North Carolina Identity Theft Protection Act"

North Carolina's Attorney General, Josh Stein, and Representative Jason Saine have unveiled a revised proposal for amending the state's existing Identity Theft Protection Act.  Recall that one year ago, Stein and Saine introduced a summary of proposed legislation (sometimes erroneously called a "fact sheet") outlining their plans for bipartisan legislation to tighten privacy and data security protections for North Carolinian.  In this post, I will attempt to describe the 2019 proposal and highlight differences from the 2018 proposal.

 

Concerns with the 2018 proposal

 

In many of my privacy and data security law presentations during 2018, I expressed my view that some elements of the proposal were reasonable and advisable improvements to the statute, and I also described a couple of my concerns with the proposal:

 

1.  First, the 2018 version of the Act to Strengthen Identity Theft Protections would have created the shortest breach reporting timeframe in the entire United States--only 15 days--giving organizations only half the time to respond to a breach as the next shortest timeframe.  Having assisted some of North Carolina's largest and smallest organizations in post-incident response, I thought that was unrealistically aggressive (although I'm sure well-intentioned).  Several states did, in fact, adopt or revise reporting deadlines in 2018, but none were close to the 15 days in the Stein-Saine proposal, for example:

• 30 days: Colorado; 
• 45 days: Alabama, Arizona, Maryland, Oregon; and
• 60 days: Delaware, Louisiana, South Dakota.

2.  Second, the 2018 proposal would have included ransomware in the definition of "breach" even if no personal information was divulged (i.e., "exfiltrated").  Notifying individuals of an incident in which their data has not been exposed, and for which they probably cannot really take any pro-active or remedial actions, seems pointless, would likely generate fear disproportionate to the risk of harm, and creates a significant and unnecessary expense for the entity that has been attacked. In other words, I think there are good reasons why other states do not include ransomware attacks within the scope of a reportable breach.

What's new in the 2019 proposal

 

In the 2019 version of the proposal, one of these concerns has been addressed.  Let's take a look at how the 2019 proposal differs from the 2018 proposal:

 

• In the 2018 proposal, the Attorney General's office would "determine the risk of harm" to consumers. In the 2019 proposal, the organization makes the initial determination, and "if the breached entity determines that no one was harmed, it must document that determination for the Attorney General’s office to review."
• There were no changes to the security obligation. Both proposals impose a duty on a "business that owns or licenses personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach. "
• There were no changes to the proposed expansion of "personal information." In both proposals, the scope would be expanded to include medical information and insurance account numbers. (The interaction with HIPAA was not addressed specifically.)
• The 15 day reporting timeframe in the 2018 proposal has been changed to a 30 day timeframe in the 2019 proposal, which is much more consistent with the approach of other states.
• Under both proposals, consumers will be able to place and lift a credit freeze on their credit report at any time, for free, and credit reporting agencies will also be required to cooperate to establish a simple method so that consumers need not repeat the process with each CRA. (If this sounds familiar, it is because this is how credit fraud alerts already work. Credit fraud alerts are creatures of federal law, and credit freezes arise from state law, and therefore vary from state to state.)
• Under the 2018 proposal, consumers affected by a breach would have access to three free credit reports from each national consumer reporting agency, but that provision was dropped from the 2019 version of the proposal.
• Under the 2018 proposal, if a consumer reporting agency is breached, it will be obligated to provide five years of free credit monitoring; under the 2019 version, the CRA would provide monitoring for four years.
• Under the 2019 version, if any organization is breached, it must provide two years of free credit monitoring to each affected consumer. There was no similar provision in the 2018 proposal (except for CRAs).
• Under the 2019 version, a failure to report a breach will be a violation of the NC Unfair and Deceptive Trade Practices Act. (The 2018 version specified that each affected consumer would support a separate violation; the 2019 version omits that statement.) Frankly, I am not sure that this would actually be a change from the current law; it may be a mere attempt to codify the status quo.
• Both proposals say that a company will need a person's permission before obtaining or using a person’s credit report or credit score, and must disclose the reason for the request. (This is already a requirement under federal law, so I do not foresee much impact from this provision.)
• Finally, both proposals would give NC residents the right to obtain from any CRA "the information maintained on him or herself (both credit related and non-credit related information), its source, and a list of any person or entity to which it was disclosed."

 

 The 2018 proposal never made it to a vote in the North Carolina General Assembly, and I cannot predict whether the new proposal will be adopted in the 2019-2020 session, but it is clear that the Attorney General intends to focus on privacy and data security, through legislation and enforcement actions, during the coming year.

 

 

 

 

 

 

Business North Carolina has released the 2019 "Legal Elite"

The start of a new year brings many opportunities to improve ourselves, but it is also a time to reflect on the accomplishments of the prior year. Each January, Business North Carolina releases the results of its annual survey of lawyers. The survey asks one simple question: "Of the Tar Heel lawyers whose work you have observed firsthand, whom would you rate among the current best in these categories?"

(Lawyers are never allowed to vote for themselves.) This year, I was included among the 22 honorees in the "Corporate" law category, along with some incredibly talented and accomplished lawyers.  I want to thank all of the lawyers across the state who took the time to vote.  Your confidence is humbling (and inspires me to be a better lawyer to meet your estimation!).

[I was also included in the "Young Guns" category again this year, and I'm delighted that some people still consider me young!] 

I hope each of you find meaning and purpose in your work in 2019 and that your efforts are rewarded with great success!