Thursday, October 25, 2018

The Year In Review: a Privacy and Data Security Law Update

The pace of change in privacy and data security law continues to grow, and even though this is one of the most rapidly developing areas of law, the law simply cannot keep up with the speed of technology and business.

Today, I delivered a continuing legal education presentation on behalf of the North Carolina Bar Association summarizing the changes in privacy and data security law over the past year, along with Elizabeth Johnson.

This post contains a brief outline of the items we described, and it might serve as a helpful checklist for those of you who are taking a moment near the end of the year to look back to ensure you have kept up with the many, many developments:

North Carolina Law Update
  • NC narrowly avoided the shortest breach reporting timeframe in the US
  • Amendment to Revenge Porn statute (Session Law 2017-93) 
  • NC DHHS ordered to develop telemedicine policy including data security standards. (Session Law 2017-133) 
  • Transfer of data to CIO conditioned on adequate data security protocols. (2018 appropriations bill; Session Law 2017-204) 
  • Secretary of Revenue ordered to establish information security program for tax information. (Session Law 2018-5)
  • NC Bank Commission records receive enhanced privacy protection. (Session Law 2017-165)
  • Privacy and data security training mandated for opioid diversion investigators and supervisors. (Session Law 2018-44)
Other States’ Data Breach Laws
  • Alabama and South Dakota become 49th and 50th states to enact data breach notification statutes in 2018
  • Reminder of interplay between state, federal, local, and international data breach laws, as well as private requirements (contracts and PCI rules)
Trends in State Data Breach Law
  • Substantial majority of laws amended/enacted in 2018 added reporting deadline
  • Slight majority of laws amended/enacted in 2018 added regulator reporting requirement
  • Substantial majority of laws amended/enacted in 2018 expanded coverage of personal information
New Breach Notification Timelines
  • 30 days: Colorado
  • 45 days: Alabama, Arizona, Maryland, Oregon
  • 60 days: Delaware, Louisiana, South Dakota
New Law: Healthcare or Health Insurance Data
  • States’ data breach laws that cover healthcare data
New law: Login Credentials
  • States that Cover Login Credentials
New law: Biometric Data
  • States that Cover Biometric Data
  • Specific requirements of Illinois, Texas, Washington: notice, consent, disclosure limitation, retention limitation
  • Illinois’ BIPA private right of action (multiple class actions against employers)
Expanding data covered by breach laws
  • Arizona (passport number; TIN; private, unique key used to authenticate/sign electronic record)
  • Delaware (passport number; TIN)
  • Maryland (passport number; TIN)
  • Oregon (any data that could be used to access financial account)
  • Virginia (for tax preparers, income tax information such as deductions and exceptions)
  • Ohio safe harbor for post-breach action
  • Colorado data protection requirements and vendor oversight
  • New Hampshire constitutional amendment
  • Iowa and Nebraska data security laws for EdTech
  • Credit freeze changes in Kentucky, Massachusetts, Minnesota, Oregon, Louisiana
  • California website privacy class actions proliferating
The California Consumer Privacy Act
  • History
  • Requirements
  • Ambiguities
  • Enforcement and Penalties

EU General Data Protection Regulation (GDPR)
  • Quick recap of GDPR
  • Max penalty is €20 million or 4% of global turnover
  • Scope of application
  • What have we learned since 25 May 2018?
  • Extraterritorial jurisdiction
  • Early enforcement
  • Contract battles
  • Data mapping pains
  • Privacy Shield update
HIPAA Update
  • No major rule developments
  • Steady flow of guidance documents
  • Cyber newsletters
  • Family access to PHI
  • Emergencies and business continuity
  • Enforcement continues at steady pace
  • Cases, settlements and penalties
  • Requests for information
  • OCR Priorities
Hot Topics and Miscellaneous Developments
  • Trends in breaches/causes/losses: Identity Theft Resources Center, IBM Ponemon Institute reports
  • Lessons from the Uber Breach
  • FTC Update
  • Social Media – third party sharing (Cambridge Analytica), Facebook breach
  • Minors
  • Internet of Things
  • Equifax (one year later)
  • New NIST privacy framework
  • US v. Microsoft (Stored Communications Act)
  • CLOUD Act
  • GLBA (Regulation P) amendments from CFPB
  • Data broker issues (Vermont)
  • Cyberinsurance issues
  • International developments:
      • China
      • Canada, Alberta
      • Australia
      • New Zealand
      • Brazil
      • Argentina
      • Chile
      • India
      • Kenya
      • Hungary
      • Vietnam

Wednesday, October 10, 2018

Canada's First Nationwide Data Security Breach Notification Requirement Becomes Effective November 1

Canada's first nationwide data security breach notification requirement will become enforceable in a few days.  Here is what you need to know "ah-boot" it:

Back in 2015, the Digital Privacy Act (DPA) received Royal Assent, making it law. The DPA introduced a number of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law governing the private sector (the Privacy Act governs privacy in the federal government), and these changes were scheduled to become effective over time. Among the amendments were new provisions related to data security breach reporting, which will become enforceable on November 1st, 2018.

The amendments to PIPEDA made by the DPA include the following:
  • data breaches that pose a "real risk of significant harm" to individuals will need to be reported to the Office of the Privacy Commissioner, and affected individuals will need to be notified;
  • an organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm (e.g. credit card companies, financial institutions or credit reporting agencies, if their assistance is necessary for contacting individuals or assisting with mitigating harm);
  • records of all data breaches experienced by an organization will need to be maintained (for 24 months) and provided to the Privacy Commissioner upon request;
  • deliberately failing to report a data breach, or deliberately failing to notify an individual as required will be separate offences subject to fines of up to CA$100,000. In the case of notification to individuals, it will be a separate offence for every individual who is not notified; and
  • deliberately failing to keep, or destroying, data breach records will also be an offence, subject to a fine of up to CA$100,000.
Some Canadian provinces already had breach notification requirements, such as Alberta's Personal Information Protection Act, which requires notification to the Information and Privacy Commissioner of Alberta if there is a "real risk of significant harm" to an individual.

The new Breach of Security Safeguards Regulations, published in the Canada Gazette (which sounds infinitely more readable than the Federal Register) on April 18, 2018, will also come into force on November 1, along with the related statutory requirements.

You can read more about the law here.

Data breach notification in the United States is required by certain federal laws that govern specific industries, and every state in the United States now has a data security breach notification requirement.  Alabama and South Dakota were the last states to adopt notification requirements, and both of those statutes became effective earlier this year, as I described back in April.

Monday, August 20, 2018

Becoming an ABA/IAPP Certified Privacy Law Specialist

I have just been certified as a Privacy Law Specialist by the International Association of Privacy Professionals, and by extension the American Bar Association, as part of the inaugural class of this brand new area of specialization.  Because a specialization in privacy law is something that has never before been possible in the United States, I thought I would describe the specialization, the application criteria and process, and how the ABA/IAPP certification interacts with state bar rules.

What is a legal specialization?

Many lawyers limit their practices to certain areas of law because, frankly, the law has become far too complex for any one person to be competent, let alone proficient, in the entire spectrum of law.  Not every lawyer who focuses his or her practice on one or two areas of law, however, is necessarily proficient.  Recognizing this, virtually all state bars (the regulatory bodies that govern the practice of law) prohibit attorneys from calling themselves "specialists" or "experts" (or similar terms) unless they have been certified as specialists.  Certification is intended to objectively verify the lawyer's mastery of the practice area.  (See, for example, Rule 7.4 of the Rules of Professional Conduct of the North Carolina State Bar.)  According to the North Carolina State Bar:
"Certification of lawyers as specialists by an objective entity and according to objective criteria fulfills the mission of the State Bar to protect the public by providing relevant, truthful, and reliable information to consumers of legal services. Certification helps consumers to identify lawyers who have experience and skill in a certain area of practice. Certification also helps lawyers by encouraging them to improve their expertise in particular areas of practice and providing them with a legitimate way of informing the public and other lawyers of this expertise."
Most state bars create specializations and the associated criteria themselves, but about one-half of all states allow lawyers to hold themselves out as specialists if they are certified by an American Bar Association (ABA) accredited entity.

Why did the ABA and IAPP create this specialization?

After extensive deliberation, the American Bar Association's House of Delegates voted in February 2018 to approve a new certification in privacy law, making it the 15th such accredited specialization.  Although no state bar had yet issued a specialization certificate in privacy law, it had become clear that lawyers were focusing their practices on this rapidly-evolving area of law, which was becoming more and more complex and specialized.  The ABA acknowledged that privacy law has become so specialized that the public would benefit by knowing which attorneys could be deemed proficient according to objective standards.

What are the requirements?

If you want to be considered for Privacy Law Specialist status, you must meet each of the following seven requirements:
  1. Be an attorney admitted in good standing in at least one U.S. jurisdiction; 
  2. Earn a CIPP/US designation; 
  3. Earn either a CIPM or CIPT designation; 
  4. Pass a legal ethics exam administered by the IAPP (similar to a mini-MPRE exam) or submit a very recent MPRE score of at least 80 points;
  5. Provide evidence of “ongoing and substantial” involvement in the practice of privacy law (at least 25% of your full-time practice over the last three years);
  6. Supply evidence of at least 36 hours of continuing education in privacy law for the three-year period preceding the application date; and
  7. Provide five to eight peer references from attorneys, clients or judges who can personally attest to your qualifications.

What is the application process?

First, you need to achieve a passing score on each of three examinations: the CIPP/US exam, either the CIPM or CIPT exam, and the legal ethics exam.  These tests are all administered electronically at testing centers around the world.  You can schedule the exams online at the testing center nearest you, and results are delivered instantly.  The IAPP offers study guides for all of the exams except for the ethics exam.  (However, I created a study manual for the ethics exam, which I am happy to share with you.  Just connect with me on LinkedIn and send me a message!)

Next, you need to compile information about at least 36 hours of continuing education that you have obtained in the past three years relating to privacy or a closely-related area.  If you have not yet taken enough continuing education courses in the area, you need to defer your application and focus on obtaining more continuing education credits. 

You will also need to identify peers who will serve as your references.  I recommend you select lawyers with (or against) whom you have worked, because they have the best, firsthand knowledge of your experience and expertise.  I also suggest you confirm that they are willing to serve as a reference before you submit their names (because...courtesy!) and that you submit at least eight rather than the minimum number of five.  If some of your references get busy and fail to respond to the IAPP, your application could be denied. 

Of course, you will need to pay a fee.  For the $125 application fee, your initial IAPP membership will be included.  You do not have to become an IAPP member, but the annual certification fee is equivalent to the IAPP membership fee, and the membership is included, so it is difficult to imagine why any certificate holder would not also be a member.

Where can I learn more?

That's easy: The IAPP's website has more info.  (Also, the IAPP's staff was pretty cool about answering my questions.)

Can I become a state bar certified specialist in privacy law?

Not quite yet.  No state bar has certified specialists in privacy law, but the North Carolina State Bar has already approved a specialization in privacy and data security law and the first examination will be administered this fall.  This effort (led by yours truly) has been underway since before the ABA considered adopting a privacy law specialization, but the ABA was able to move more quickly because it decided to rely primarily on existing IAPP examinations.  In North Carolina, we are creating a three-hour examination which focuses on North Carolina law, as well as the IAPP's CIPP/US examination.  The first application deadline has already come and gone, and we look forward to certifying our first class of specialists soon!  If you are interested in establishing a privacy and data security specialization in your state, I would be happy to share my experiences with you.