An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition
Nearly 130 years ago, two American lawyers, Samuel Warren and Louis Brandeis – the latter of whom would eventually become a Supreme Court Justice – wrote an article in the Harvard Law Review expressing their concern that technological advances like 'instantaneous photographs' and the 'newspaper enterprise' were threatening to 'make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops"'.2 To address this trend, Warren and Brandeis argued that courts should recognise a common law tort based on violations of an individual's 'right to privacy'.3 US courts eventually accepted the invitation, and it is easy to consider Warren and Brandeis's article as the starting point of modern privacy discourse.
It is also easy to consider the article as the starting point of the United States' long history of privacy leadership. From the US Supreme Court recognising that the US Constitution grants a right to privacy against certain forms of government intrusion to the US Congress's enacting the Privacy Act to address potential risks created by government databases to US states adopting laws imposing data breach notification and information security requirements on private entities, the United States has long innovated in the face of technological and societal change.
In recent years, however, privacy commentators have painted the United States in a different light. Over the last generation, the United States has balanced its commitment to privacy with its leadership role in developing the technologies that have driven the information age. This balance has produced a flexible and non-prescriptive regulatory approach focused on post hoc government enforcement (largely by the Federal Trade Commission (FTC)) and privacy litigation rather than detailed prohibitions and rules, sector-specific privacy legislation focused on sensitive categories of information, and laws that seek to preserve an internet 'unfettered by Federal or State regulation'. The new technologies that have changed the day-to-day lives of billions of people and the replication of US privacy innovations around the globe have – at least to many US regulators and regulated entities – long indicated the wisdom of this approach.
But there is now a growing perception that other jurisdictions have seized the privacy leadership mantle by adopting more comprehensive regulatory frameworks, exemplified by the European Union's General Data Protection Regulation (GDPR). A series of high-profile data breaches in both the public and private sectors and concerns about misinformation and the misuse of personal information have also created a 'crisis of new technologies' or 'techlash' that is shifting popular views about privacy in the United States. The privacy issues at the centre of the covid-19 pandemic, recent state privacy law developments and the rise in cybersecurity attacks on American companies have also led to serious public concern surrounding privacy and cybersecurity that have necessitated action by the new administration. Once again, it seems, the United States is starting to undergo a period of intense regulatory innovation in response to a new technological world.
In short, the US privacy zeitgeist is shifting – and this chapter, while not providing a comprehensive overview of the rich US privacy and cybersecurity landscape, will attempt to show how that is the case. The chapter will begin by describing, with a focus on the concrete developments over the past year, the significant shift in how the United States is thinking about privacy and cybersecurity regulation that appears to be underway:
- how the covid-19 pandemic continues to place issues concerning the collection and use of personal data front and centre, and coupled with the growing epidemic of cyberattacks in the current remote working environment, intense discussions over the need for privacy and cybersecurity regulation are paving the way for a concerted response by the federal US government;
- how all three branches of the federal US government are actively taking steps to confront the privacy and cybersecurity questions of the day; and
- how the real action continues to be not in Washington, DC, but rather in the 50 US states – as California's far-reaching comprehensive privacy law, the California Consumer Privacy Act (CCPA), often called 'California's GDPR', went into effect on 1 January 2020 and California voters approved an even more comprehensive law called the California Privacy Rights Act (CPRA), while numerous other states (such as Virginia and Colorado) either have enacted or are considering substantial new privacy legislation.
The chapter will then provide an overview of the existing US regulatory and enforcement framework – which exemplifies the balance between privacy protection and innovation described above. The chapter then concludes by detailing the significant changes in the international data transfer framework between the EU and US, considerations for foreign organisations that must engage with the US privacy regime, and some thoughts on how that regime may continue to evolve going forward.
The year in review
As noted at the outset, the privacy zeitgeist in the United States is shifting. The enactment of the European Union's GDPR, a series of high-profile data breaches, and concerns about misinformation and the misuse of personal information have created a 'crisis of new technologies' or 'techlash', which has shifted popular views about privacy in the United States and forced the hand of legislators and regulators. The covid-19 pandemic has only heightened the importance of privacy and cybersecurity considerations. The United States is consequently undergoing a period of intense privacy innovation, with the federal government, state governments and private industry all taking consequential steps to address this new world.
Given the sheer breadth and diversity of activity, this chapter cannot detail every key event in the US privacy and data protection landscape that occurred in the past year. Nonetheless, below we highlight the most important changes, which we believe more than demonstrate how dynamic this area is and will likely continue to be.
i Privacy issues and cybersecurity attacks during the covid-19 pandemic
From 20 January 2021 onward, the Biden administration has had to address unprecedented public health, economic and cybersecurity crises. Among other things, the collection of personal data and digital contact tracing during the pandemic, as well as the increasing prevalence of foreign cyberattacks, have led to serious public concern surrounding privacy and cybersecurity and necessitated action by the new administration. It is no understatement to say that the ongoing covid-19 pandemic has changed, and is continuing to change, our world in many ways. First, from the need for employers to capture significantly more health information about their employees as part of their back-to-work efforts, now including employees' vaccination status, to the use of novel technologies to track the virus, privacy and cybersecurity considerations have been central to the policy response to the pandemic. Second, the covid-19 teleworking environment has created systemic cyber risks. As a large proportion of the US workforce was forced to begin teleworking almost overnight, companies saw a significant increase in the number of ransomware attacks, many of them designed to take advantage of the remote working arrangements in place since the beginning of the pandemic lockdowns. Third, and somewhat relatedly, the past year has been highly eventful in terms of cybersecurity attacks (especially ransomware attacks), prompting responses from Congress and the Biden administration as calls for increased regulation intensify. This growing epidemic of cyberattacks has prompted a coordinated response from the federal government, as detailed below.
First, businesses have had to consider how to continue operating or reopen safely during the pandemic, which often involves or requires collecting sensitive health and related data (such as temperature and symptom checks, recent travel history and contact with infected persons) before employees return to work and establishing protocols for symptom and exposure reporting. During the height of the pandemic, new federal, state, and local laws and guidance on collecting and using covid-19-related information were issued on almost a daily basis. Various federal, state and local agencies issued mandatory or recommended guidance on nearly every aspect of these issues – from what screening must and may be done, what information can and should be captured, and how long such information must and can be maintained. Federal, state and local agencies also promulgated guidance or released statements noting that they may modify their enforcement posture or reporting requirements during the pandemic. For example, the Department of Health and Human Services (HHS) waived penalties and refrained from enforcing certain provisions under the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the requirement to obtain patients' consent before speaking with family members or friends about patients' care, the requirement to distribute a privacy notice, and the patient's right to request privacy restrictions or request confidential communications.4
At the time of writing, with more than half of the US population fully vaccinated, the conversation has now shifted to the collection and use of vaccination status information. The pandemic has pushed many companies into new territory, requiring the gathering of personal information that they would not normally collect, such as temperature checks and travel histories. Now, asking for proof of a covid-19 vaccine in exchange for entry on a plane or into a concert venue presents the same type of privacy and data security concerns. Moreover, the concept of vaccine passports also prompts further interest in federal, omnibus privacy legislation.
Second, one of the most immediate consequences of the covid-19 pandemic was that a large proportion of the US workforce was forced to begin teleworking. This distributed environment raised the level of cybersecurity risk businesses faced, as did the fact that cybercriminals and scammers increased their efforts to target vulnerable employers and workforces. Given this, several US federal agencies issued guidance on cybersecurity risks in relation to the pandemic; for example, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the FTC issued guidance on avoiding phishing and scam emails relating to covid-19.5 Organisations also increased their preventative efforts, undertaking such tasks as reviewing and updating their incident response plans to address the increased attack surface resulting from remote work, ensuring regular patching and the ability to remotely wipe lost or compromised devices, clarifying business continuity plans and processes with vendors and clients, and raising employee awareness about covid-19-related phishing emails. Despite these efforts, ransomware cases have surged. Some estimate that cases increased 150 per cent in 2020 compared to the previous year. The Department of Justice noted that roughly US$350 million in ransom was paid to malicious cyber actors in 2020, an increase of more than 300 per cent from the previous year.6
Third, the past year has continued to be very eventful in terms of cybersecurity attacks, with the breaching of US government networks, ransomware operators holding a major US pipeline hostage and attackers infiltrating software companies. On 13 December 2020, it was disclosed that attackers had compromised the build and update process of a widely used piece of SolarWinds software, the Orion platform, and inserted a backdoor into legitimate, digitally signed updates. Those updates were downloaded onto thousands of organisations' information systems, delivering the backdoor to the networks of up to 18,000 organisations, including the US Departments of Commerce, the Treasury, Homeland Security and Defense and the Energy Department's National Nuclear Security Administration; the attackers then used that access to conduct follow-on intrusions at a much smaller subset of high-value targets. This attack was the most visible, widespread and intrusive IT software supply chain attack to date. Around the same time, another cyberattack on California-based file-sharing software vendor, Accellion, made news headlines. As a result of the attack, more than one million Washington residents whose data was housed at the state auditor's office may have had their social security numbers and other personal information unlawfully accessed. And if that were not enough, the trend of targeting third-party software platforms continued in March 2021, when Microsoft disclosed that attackers were exploiting previously unknown vulnerabilities in on-premises Exchange email servers run by its customers. These attacks have emphasised the importance of software supply chain security, spurring companies to take a closer look at the security risks of using third-party software providers. The attacks also showed that, by compromising just one vendor, attackers may gain access to all of that vendor's customers, and that even high-profile government agencies and security vendors, such as FireEye, can be targets.
Moreover, the pace of ransomware attacks had already been on the rise before 2021, but the issue made its way into the public domain after an attack temporarily halted the Colonial Pipeline in May, causing fuel shortages throughout the East Coast. The President and CEO of Colonial, Joseph Blount, defended the company's ransom payment, worth US$4.4 million in cryptocurrency, as necessary to get its systems operational faster. Although highly publicised, the Colonial Pipeline cyberattack is not unique. In fact, the event is just one in a growing pattern of ransomware attacks against major US companies and critical infrastructure. Weeks after the Colonial Pipeline event, meat processing company JBS also acknowledged a ransom payment of US$11 million in response to a ransomware attack. In addition, a ransomware cyberattack in July 2021 on software vendor Kaseya, whose remote monitoring and management software is used by managed IT service providers, came with an aggregate demand of US$70 million in cryptocurrency and affected up to 1,500 downstream organisations.
In light of these events, the growing epidemic of cyberattacks has become a key area of concern for federal lawmakers. The Senate Committee on Homeland Security and Governmental Affairs and the House Homeland Security Committee heard testimony from Colonial's CEO, where lawmakers expressed their expectation that companies should have plans in place to anticipate possible ransomware attacks; consult with the FBI on ransom payments; and participate in government cybersecurity initiatives that are applicable to their business. A key point of agreement between the legislators and the witnesses was the importance of communicating cybersecurity information between and among private entities and the federal government. The legislators also agreed that the federal government must take strong action against foreign nations that engage in cyberattacks or shelter cybercriminals.
The Biden administration has also responded, underscoring the broader shift towards mandating certain security measures, greater reporting and coordination requirements and enhanced communication between the government and the private sector. On 12 May 2021, the Biden administration issued a lengthy Executive Order, 'Improving the Nation's Cybersecurity', which it described as the 'first of many ambitious steps' toward modernising US cybersecurity defences.7 Although the Order details a host of new requirements that will apply to federal departments and agencies, the Order also focuses on private entities that do business with the federal government, particularly software suppliers. Pursuant to the Order, government agencies will be required to deploy multifactor authentication, encryption of data at rest and in transit, endpoint detection and response, and logging, and to migrate towards a 'zero trust' architecture. The Order also requires federal contractors to share information regarding security incidents. The Order further tasked CISA with producing a cloud service governance framework and a standard incident response playbook for federal agencies. Under the Order, the National Institute of Standards and Technology (NIST) was tasked with identifying security measures for the use of critical software and recommending minimum standards for software vendors to test their products before offering them to the government. In response, NIST posted two new pieces of guidance in July 2021.8 Now, the Office of Management and Budget must require federal agencies to implement the security measures NIST outlined for the use of critical software, including through their procurements. The new federal requirements and standards for the development of secure software will undoubtedly also set expectations for software products sold and used exclusively in the private sector.
On 28 May, the US Department of Homeland Security's Transportation Security Administration (TSA) also issued a Security Directive, 'Enhancing Pipeline Cybersecurity', laying out new cybersecurity requirements for operators of hazardous liquid and natural gas pipelines and LNG facilities designated as critical infrastructure.9 Unlike the Executive Order, which covered government agencies and their suppliers, the Directive focuses directly on the activity of private sector entities.
Although the Executive Order and TSA's directive are noteworthy, they are limited in scope. To augment the nation's cybersecurity posture, lawmakers are contemplating national cyber incident reporting legislation. Federal officials note that the lack of information about breaches (which typically occur on private networks) hampers their ability to address digital threats and disruptions. This is due to the patchwork of federal and state data breach reporting laws, many of which are sector-specific (in the federal sphere) or are triggered only by the exposure of consumers' personal information (in the state breach notification regime). Specifically, a bipartisan group of senators is considering legislation that would require a broad range of companies, including critical infrastructure operators, to report cyber incidents (regardless of whether personal data is implicated) to the government. The House Homeland Security Committee is also drafting similar legislation.
The Biden administration continues to bolster its efforts to halt the growing ransomware threat via a national counter-ransomware campaign. In June 2021 the White House issued an open letter to corporate executives and business leaders, 'What We Urge You To Do To Protect Against The Threat of Ransomware', referring to the President's new Cybersecurity Executive Order and detailing practical steps companies should take to protect themselves.10 The White House described the letter as setting forth the government's 'recommended best practices – we've selected a small number of highly impactful steps to help you focus and make rapid progress on driving down risk'.
The administration also formed an inter-agency ransomware taskforce. The taskforce is overseeing and harmonising federal agencies' digital resilience activities, working to curtail ransom payments, working to disrupt ransomware operators' networks and their use of cryptocurrencies for transferring funds, and urging international cooperation to combat the issue. The taskforce also provides the Biden administration with weekly updates on the agencies' efforts. Another option the administration is currently considering is hacking back against ransomware operators' infrastructure. Recently, the State Department announced that its Rewards for Justice programme would offer rewards for helping identify the perpetrators of these attacks, especially state-sanctioned breaches of critical infrastructure. The State Department announced that it would provide rewards of up to US$10 million 'for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyberactivities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA)'. CISA has also been tasked with launching an interagency website, stopransomware.gov, to collect guidance from various agencies on the issue.
Meanwhile, lawmakers continue to question whether ransom payments should be permitted and whether federal law should be passed to outright prohibit ransom payments in order to curtail and disincentivise such attacks. While there is no current federal or state law prohibiting ransom payments, on 1 October 2020 the US Treasury Department's Office of Foreign Assets Control (OFAC) published an advisory highlighting the risk of potential US sanctions law violations if US individuals and businesses comply with ransomware payment demands from sanctioned persons or jurisdictions.11 The US Treasury's Financial Crimes Enforcement Network (FinCEN) issued a similar advisory the same day.12 Specifically, the FinCEN advisory provides guidance for financial institutions to better detect and report suspicious ransomware-related payments, as required by FinCEN's anti-money laundering regulations. FinCEN also continues to address ransomware by setting up exchanges between government and private sector partners to determine next steps. Finally, the US Treasury Department is also focusing on efforts to track major cryptocurrency payments in order to stop ransoms before they reach attackers' crypto-wallets. Against this backdrop, the recent discussions of a federal law that broadly prohibits ransomware payments continue.
ii Key federal government privacy and data protection actions
Over the past year, all three branches of the federal government have taken significant steps with respect to privacy and data protection, underscoring the current focus on these issues.
Executive branch – recent enforcement cases and proposed rules
The FTC had an active year with several enforcement actions. In addition to the court's approval of the FTC's historic US$5 billion settlement with Facebook, the agency brought several notable actions regarding unfair practices, data security and the Children's Online Privacy Protection Act (COPPA).
Along with the past year's significant increase in, and reliance on, Zoom videoconferencing during the pandemic lockdowns came concerns about and allegations of inadequate data security. On 9 November 2020, the FTC announced a settlement with Zoom regarding the agency's allegations that the company had made false and deceptive claims about its encryption (including that meetings were end-to-end encrypted) since at least 2016, and had engaged in unfair practices that undermined the security of its users, specifically the installation of software that bypassed a security feature in Apple's Safari browser.13 The FTC also focused on allegedly deceptive claims and inadequate security in the health sector: SkyMed for failing to take reasonable steps to secure sensitive health records,14 and Flo Health for sharing users' health information with undisclosed third-party analytics providers despite promising to keep it private.15 With respect to the use of facial recognition technology, Everalbum settled FTC allegations that it deceived consumers about its use of facial recognition and about its retention of photos and videos of users who deactivated their accounts.16
Moreover, the FTC demonstrated its continued focus on children's privacy during the past year. In July 2020, the FTC finalised a settlement and consent agreement to resolve allegations that Miniclip misrepresented its status in a COPPA safe harbour programme.17 Kuuhuub Inc, Kuu Hubb Oy and Recolor Oy (an online colouring book app) also settled FTC allegations that, in violation of COPPA, they collected and disclosed personal information about children who used the app without notifying their parents and obtaining their consent.18
The impact on the FTC's Section 5 enforcement activities of the recent appointment of a new FTC commissioner and chair, Lina Khan, remains to be seen. The former Columbia Law professor with the profile of a progressive reformer of antitrust is expected to focus on tech giants and their privacy practices. President Biden's recent Executive Order on Promoting Competition in the American Economy contains data-related provisions. The Order encourages the chair to focus on 'unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy'.19 Many expect Chair Khan to scrutinise consumer data collection as part of her focus on the dominance of US tech giants, which may result in additional rule-making as well as high-profile enforcements by the FTC.
The FTC was not the only agency that had an active year. The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have been exercising increasingly aggressive oversight regarding cybersecurity compliance in recent years, and the past year was no exception. Building on the SEC's 2018 issuance of new interpretive guidance to assist publicly traded companies in disclosing their material cybersecurity risks and incidents to investors,20 the SEC's Office of Compliance Inspections and Examinations (OCIE) (recently renamed the Division of Examinations)21 issued guidance in 2019 identifying the multiple steps it is taking to heighten its enforcement presence for cybersecurity matters.22 In April and May 2019, the OCIE further issued two risk alerts providing regulated entities with details on its privacy and cybersecurity focus areas during examinations.23 More recently, the OCIE released its 2020 examination priorities, which, among other priorities, include cyber and information security risks, as well as a report on 'Cybersecurity and Resiliency Observations', providing an overview of best practices based on prior exams to help organisations when considering 'how to enhance cybersecurity preparedness and operational resiliency'.24 Finally, on 1 February 2021, FINRA updated its prior guidance by issuing a report on its examination and risk monitoring programme, which covers cybersecurity and technology governance – an area of emphasis for FINRA, especially in the current remote work environment.25
The SEC has also backed up its guidance with action on the enforcement front. For example, on 14 June 2021, the SEC settled an action against First American Financial Corporation arising from the same facts as a New York Department of Financial Services (DFS) investigation. The DFS alleged that a vulnerability in First American's document-sharing application had exposed consumers' personal information, that the company had failed to remediate the vulnerability after it was identified, and that it had violated six provisions of the DFS Cybersecurity Regulation. The SEC, for its part, announced settled charges against First American for disclosure controls and procedures violations concerning the cybersecurity vulnerability: senior executives responsible for the company's public disclosures had not been informed that the company's own information security personnel had identified the vulnerability months earlier. Exchange Act Rule 13a-15(a) requires 'every issuer of a security registered pursuant to Section 12 of the Exchange Act to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission's rules and forms.'26 Without admitting or denying the SEC's findings, First American agreed to a cease-and-desist order and to pay a US$487,616 penalty.
Another regulator that has recently brought several enforcement actions was the US Department of Health and Human Services, Office for Civil Rights (OCR). In 2020 and 2021, OCR settled several cases related to alleged violations of HIPAA. OCR mainly alleged non-compliance with the administrative and technical safeguards of the HIPAA Security Rule, with a focus on encryption practices, risk analyses and management plans, development of business associate agreements and proper employee training regarding protected health information (PHI).27
Several executive agencies have also proposed rules regarding privacy and data security. With respect to health information, on 10 December 2020 OCR released a proposed rule that would make a number of key changes to the Privacy Rule under HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH).28 The rule is intended to reduce burdens that may limit or discourage care coordination and case management communications among individuals and HIPAA-covered entities while continuing to protect the privacy of individuals' PHI. In the wake of the rise in cyberattacks, in December 2020 the federal banking agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation) jointly announced a notice of proposed rule-making, 'Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers'.29 Generally, if finalised, the proposed rule would require certain banking organisations to notify their primary federal regulator of certain significant computer-security incidents 'as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred', and would require bank service providers to notify affected banking organisation customers of incidents that could disrupt the services they provide.
Finally, in addition to promulgating policies regarding privacy or data security, federal regulators are also increasingly interested in studying and regulating digital innovation and artificial intelligence. The examples of this trend are numerous, with some of the highlights being the following:
- In May 2020, the National Telecommunications and Information Administration (NTIA) published a notice seeking comments regarding the development of an implementation plan for the national strategy to secure 5G, a component of the 'Secure 5G and Beyond Act of 2020' that was signed into law on 23 March 2020.30
- In June 2020, FINRA issued its 2020 Artificial Intelligence Report for industry comment.31 The report is a culmination of FINRA's Office of Financial Innovation review of emerging challenges and legal considerations confronted by the securities industry as broker-dealers introduce AI-based applications into their businesses.
- In March 2021, the five largest federal financial regulators in the US (the Board of Governors of the Federal Reserve System, the Bureau of Consumer Financial Protection, the Federal Deposit Insurance Corporation, the National Credit Union Administration and the Office of the Comptroller of the Currency) released a request for information on how banks use AI, signalling that new guidance for the financial sector may be issued soon.32
- In April 2021, the FTC released a set of guidelines aiming for 'truth, fairness, and equity' in companies' use of AI.33 The previous year, in April 2020, the FTC's Bureau of Consumer Protection also issued a statement on 'Using Artificial Intelligence and Algorithms', which acknowledged the risks and benefits presented by AI technologies. The statement has served as helpful guidance for entities considering the use of AI and automated decision-making technologies.34
The popular focus on privacy and cybersecurity matters in 2020 during the covid-19 pandemic has continued. Some privacy practitioners believe that 2021 offers the best chance yet of enacting comprehensive federal privacy legislation, owing to the election of President Joe Biden together with the President's party controlling both houses of Congress, and that the continued legislative action in the states may also build federal momentum. Many of the world's governments, including China, have enacted data privacy legislation in the past year, and as more and more countries are expected to pass comprehensive legislation, including India, sufficient pressure may mount for the US to keep up with the largest international markets by enacting its own omnibus data privacy law.
Multiple congressional committees continue to hold high-profile hearings on the possibility of enacting comprehensive federal privacy legislation, and both industry and civil society are urging Congress to act. Many see the value in having a single federal law rather than a patchwork of state laws, from both a consumer and a business standpoint. One of the more recent proposals, the Information Transparency and Personal Data Control Act, was the first piece of comprehensive privacy legislation introduced in the 117th US Congress, by Representative Suzan DelBene (D-Washington) – about two weeks after Virginia passed its own comprehensive data privacy law.35 (Congresswoman DelBene introduced a similar version of the bill in 2019, but it did not gain traction then.) On 29 April 2021, US Senator Jerry Moran (R-Kansas) also reintroduced a bill for the Consumer Data Privacy and Security Act. In particular, S. 1494 seeks to strengthen the laws that govern consumers' personal data and create clear standards and regulations for American businesses that collect, process and use consumers' personally identifiable data.36 Senator Moran previously introduced a version of this bill in 2020 that stalled in committee. Both bills grant enforcement authority to both the FTC and state attorneys general, but notably do not include a private right of action. More recently, Senator Kirsten Gillibrand (D-New York) reintroduced the Data Protection Act.37 The bill would establish a new federal agency, the Data Protection Agency, which, among other things, would regulate and enforce federal data privacy laws, create and develop model data privacy standards for the private sector, jointly review with the FTC and DOJ mergers involving the transfer of data on more than 50,000 individuals, and advise Congress on emerging privacy and technology issues.
Whether the bills noted above will garner enough support remains uncertain. Despite the current consensus that something needs to be done, however, support at the time of writing continues to cleave between those who want to enact legislation that pre-empts state law such that US businesses are not subject to a patchwork quilt of privacy regulation and those who (mirroring civil society) want to allow states to provide additional privacy rights above a federal floor. The enactment of federal privacy legislation rests on the resolution of this debate, as well as agreement on the particulars of the regulatory scheme.
In addition to comprehensive privacy legislation, in the past year Congress has also focused on several more targeted issues, such as artificial intelligence and US cybersecurity preparedness.38 The 2021 National Defence Authorisation Act created the position of a National Cyber Director within the White House to strengthen the nation's cyber capability through national-level coordination of cyber strategy and policy, and the first National Cyber Director was sworn in on 12 July 2021. Congress has also continued to focus on the government's use of facial recognition technology.39 Indeed, the currency of this issue increased in the wake of civil unrest and protests regarding police reform in 2020, with some states and cities having banned the use of the technology and several companies calling on Congress to issue rules on its use and halting sales of facial recognition technology to US police.40 Other recent issues that have attracted congressional attention include potential reforms to Section 230 of the Communications Decency Act, which shields tech companies that provide online platforms from civil liability stemming from third-party content.41
Judicial branch, including key developments with discovery and disclosure
Finally, as they do every year, the federal courts decided a number of important cases relevant to privacy and data security. Notably, on 25 June 2021, the Supreme Court issued its decision in TransUnion LLC v. Ramirez, which tightened the Court's requirements for establishing the constitutionally required 'standing' necessary to sustain litigation – in other words, whether the plaintiff has suffered a sufficient 'injury in fact' to allow a federal court to adjudicate the claims in question.42 In TransUnion, the named plaintiff, Sergio Ramirez, represented a class of 8,185 individuals whose TransUnion credit files carried an alert flagging them as a potential match to the Treasury Department's OFAC list of suspected terrorists and narcotics traffickers. The plaintiffs alleged that TransUnion violated the Fair Credit Reporting Act (FCRA) by not ensuring the accuracy of certain information placed on credit reports: TransUnion assigned an 'alert' to anyone whose name matched a name on the OFAC list without confirming that the listed name actually referred to the person in question. Ramirez alleged that he suffered actual injury in the form of being denied credit to finance a car, public embarrassment and a resulting vacation cancellation (out of fear that he would come under scrutiny when trying to travel). TransUnion has since changed its practices.
Faced with the question of what makes an injury concrete, the Court held that the vast majority of the class members, whose allegedly inaccurate credit reports were never disseminated to any third party (outside of TransUnion), did not have standing to assert a claim under the FCRA. For consumers whose information was not shared with third parties, the Court held, the risk of future harm was simply too speculative to support federal litigation. The TransUnion decision confirmed the rule of 'no concrete harm, no standing' from the Court's 2016 decision in Spokeo, Inc. v. Robins.43 With TransUnion, the Court further restricted the circumstances in which a statutory violation can form the basis for a claim, expanding on Spokeo by instructing that 'an injury in law is not an injury in fact'. Perhaps most significantly, the TransUnion decision suggests that it will be difficult to sue over internal information errors that are never disseminated externally and do not cause concrete harm. The case may also accelerate the trend for privacy litigation based on relatively abstract or speculative allegations of harm to be filed in state rather than federal court: the US Constitution requires the 'injury in fact' doctrine to be applied only in federal courts, and many state courts apply less rigorous standing principles.
And, on 26 May 2020, the District Court for the Eastern District of Virginia issued a decision with potentially significant ramifications for the confidentiality of businesses' data breach response efforts.45 The question before the Court was whether the attorney work product doctrine allowed Capital One to withhold from civil discovery a forensic report prepared by a third-party investigator at the direction of counsel. The Court concluded that a substantially similar report would have been prepared regardless of whether litigation followed, and therefore ordered the report produced. It relied on several key facts: Capital One had executed a non-privileged statement of work for services with the third party before the data breach; the post-breach agreement covered the same scope of work as the prior statement of work; and the forensic report was widely distributed to different regulators and to Capital One's accountant, suggesting that it was not created specifically in anticipation of litigation. The opinion underscores the importance for organisations of considering, in advance, how to engage incident response service providers so as to protect privilege in the event of data breach litigation.
iii Key state privacy and data protection actions
While, as the above demonstrates, the federal government has been very active on privacy and data security matters over the past year, there is a very good case that the real action may not be in Washington DC, but rather in the 50 US states.
California's data privacy regime
One of the biggest privacy developments in the United States has been the recent entry into force of the CCPA,46 a comprehensive privacy law that commentators have called 'California's GDPR', which has since been amended by the newly enacted California Privacy Rights Act (CPRA). Alastair Mactaggart, the consumer rights advocate who was the driving force behind the CCPA, secured enough signatures to place the CPRA, a proposed law that would significantly expand the CCPA (and is sometimes referred to as 'CCPA 2.0'), on California's November 2020 ballot as an initiative.47 On 3 November 2020, Californians voted to approve Proposition 24. The CPRA amends various parts of the existing CCPA, with most of the substantive changes taking effect on 1 January 2023. The CPRA becomes fully enforceable on 1 July 2023, with a lookback period from 1 January 2022. Given California's size and the fact that it is home to Silicon Valley, the CCPA and CPRA are having a wide impact, and companies across the United States and around the world are considering what they might mean for them.
Upon enactment, the CCPA immediately became the most far-reaching privacy or data protection law in the country, and with the passage of the CPRA, California's privacy law regime will share many attributes with the EU's GDPR. The CPRA augments and expands the CCPA in many ways. While a full discussion of how the CPRA compares with the CCPA is beyond the scope of this chapter, notable changes by topic are highlighted below.
- Modification of the definition of a covered 'business': the CCPA applies to for-profit entities that do business in California, that collect or determine the means of processing personal information, and that meet one of three size thresholds.48 The CPRA modifies the definition of a covered business in ways that both bring additional businesses within scope and take some businesses currently subject to the CCPA out of it.
- Creation and expansion of consumer privacy rights: the CCPA mandates that businesses provide California residents with the rights to access and delete their personal information, as well as the right to stop the sale of their information to third parties.50 The CPRA provides new rights and amends existing rights. Some of the new rights include the right to correction, the right to opt-out of automated decision making technology, the right to access information about automated decision making and the right to limit use and disclosure of sensitive personal information. Some of the modified rights include a modified right to delete, an expanded right to know, an expanded right to opt-out and an expanded right to data portability. Perhaps the most significant feature of the CPRA is the provision that gives consumers the right to stop a business from sharing their personal information with third parties for the purpose of engaging in 'cross-context behavioural advertising'.
- Strengthening of opt-in rights for minors: the CCPA prohibits businesses from selling personal information of individuals under the age of 16, absent affirmative authorisation.51 As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share his or her personal data after the minor has declined to provide it. The CPRA also increases fines for violations of the opt-in right for minors.
- Expansion of triggering data for a breach: the CCPA provides a private cause of action for certain data breaches that result from a business's violation of the duty to implement and maintain reasonable security procedures and practices.52 The CPRA expands this private right of action to cover breaches of certain login credentials (an email address in combination with a password or security question and answer) that would permit access to an account, where the business failed to maintain reasonable security.
- Creation of a new privacy enforcement authority: the CCPA authorises the California Attorney General to enforce its provisions with statutory fines of up to US$7,500 per violation.53 The CPRA restructures this enforcement regime by establishing the California Privacy Protection Agency (CPPA), the first data protection agency in the United States, empowered to promulgate regulations supporting the CPRA and to enforce the CCPA and CPRA after it becomes effective. Moreover, the CPRA essentially removes the 30-day cure period that businesses currently have under the CCPA after being formally notified of an alleged violation. Instead, the CPPA has discretion to provide businesses with a time period to cure and may take into account 'voluntary efforts undertaken by the business, service provider, contractor, or person to cure the alleged violation prior to being notified by the agency of [a] complaint' made by any person. Businesses will still have the opportunity to cure violations of personal information security breaches within 30 days, but only to the extent the violations are curable.
- Extension of certain exemptions: seeking to temper the CCPA's broad demands, the California legislature has also created a number of exemptions from all or a substantial part of the CCPA – most notably, employee information and B2B information, which were slated to expire at the end of 2021. The CPRA has extended the employee data and business-to-business data exemptions through 2022.
- Expansion of contracting requirements: the CPRA requires businesses to enter into contracts with certain requirements with service providers, contractors and third parties.
- Creation of a new risk assessment and audit requirement: under the CPRA, annual cybersecurity audits are required for businesses whose processing presents a significant risk to consumer privacy or security. Such businesses may also be required to submit a regular risk assessment to the CPPA.
In the meantime, businesses should focus on complying with the CCPA and the regulations implementing the CCPA's obligations. The California Attorney General, exercising authority explicitly granted by the CCPA, has issued regulations providing further guidance on a number of the CCPA's obligations. Among other things, the regulations address the required content of privacy policies, the requirements for responding to data subject requests and the appropriate standards for verifying those requests. Since the CCPA went into effect on 1 January 2020, then Attorney General Xavier Becerra finalised the regulations implementing the Act on 14 August 2020 and subsequently proposed several sets of modifications, the most recent of which were released on 12 October 2020 and 15 March 2021.
Much as with the GDPR, the early days of the CCPA have brought regulatory uncertainty. Even though the regulations had not yet been finalised, the office of the California Attorney General began actively enforcing the CCPA on 1 July 2020, sending violation notice letters to a 'swath' of online businesses.54
Moreover, since the CCPA went into effect on 1 January 2020, there have been many cases filed around the country that include alleged violations of the CCPA. The vast majority of those cases have been filed in federal courts in California. The rate at which the cases were filed was initially slow, but began to pick up throughout the year and did not appear to slow down during covid-related shutdowns.
CCPA enforcement under the Attorney General continues, and California is preparing for enforcement of the CPRA: on 17 March 2021, California announced the appointment of the inaugural five-member board for the CPPA. The CPRA rulemaking process is scheduled to begin in the summer of 2021, and thus the CPPA staff is moving swiftly. The deadline for the CPPA to adopt final regulations implementing the CPRA is 1 July 2022.
Other state privacy laws
California has long been a privacy bellwether, as its legislative actions have often prompted other states to follow suit: for example, California was the first state to enact a data breach notification law, and all 50 states now have one. It is thus unsurprising that the passage of the CCPA has prompted numerous other states to consider privacy legislation. Nevada became the first state to follow the CCPA trend when, on 29 May 2019, it enacted a law that grants consumers the right to opt-out of the sale of personal information. While Nevada's law is not as comprehensive as the CCPA, it entered into force earlier, on 1 October 2019.55 Recent amendments to the law, signed by the Nevada Governor, exempt certain persons, and certain information collected about a consumer, from the law's privacy requirements; expand the types of entities that must facilitate consumer opt-out rights; add new and updated definitions; authorise an opportunity to remedy a failure to comply with certain requirements; and update the law's provisions to cover data broker entities.56 Maine also followed in California's footsteps, with the Governor signing into law the 'Act to Protect the Privacy of Online Consumer Information' on 6 June 2019, which officially went into effect on 1 July 2020 (although Maine's Attorney General agreed to delay enforcement until 1 August 2020 due to covid-19).57 Again, this law is not as comprehensive as the CCPA, but it does obligate internet service providers in Maine to obtain permission from their customers before selling or sharing their data with a third party.
More recently, Virginia became the second state to pass comprehensive privacy legislation. On 2 March 2021, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA).58 The VCDPA, which will not enter into effect until 1 January 2023, borrows heavily from the CCPA and the EU's GDPR, although there are subtle differences. The law contains several new rights and obligations, including the right to opt-out of targeted advertising and profiling, new limits on collection, a required appeals process, restrictions on the use of 'sensitive data' and the requirement to conduct data protection assessments for certain processing activities.
While privacy legislative initiatives have fizzled out in some places, a number of states are considering comprehensive privacy bills, including Massachusetts, New York, North Carolina and Pennsylvania. Moreover, in July 2021, the Uniform Law Commission (ULC) voted to approve the Uniform Personal Data Protection Act (UPDPA). The UPDPA is a model data privacy bill designed to provide a template for uniform state privacy legislation.60 After some additional amendments, the model law will be ready for introduction in state legislatures in January 2022 and, where enacted by a state, will become binding law in that state. Additionally, as happens most years, a number of states have also passed amendments to their data breach notification laws or had such amendments enter into force, offering another reminder that businesses must continually try to stay on top of the various state law requirements in this area.61 Several states have also passed laws adopting prescriptive data security requirements for insurers that generally track the Insurance Data Security Model Law adopted by the National Association of Insurance Commissioners (NAIC).62
States are continuing to take the lead in regulating emerging technologies, with a prime example of this being facial recognition technologies. On 31 March 2020, the Governor of Washington state signed into law SB 6280, a bill aimed at regulating state and local government agencies' use of facial recognition services.63 The law contains safeguards that ensure testing, transparency and accountability for the uses of facial recognition technology and includes various measures to uphold fundamental civil liberties. In June 2021, both chambers of Maine's legislature unanimously enacted a bill regulating the use of facial recognition technology, which goes into effect 1 October 2021. Maine's new facial recognition law strictly regulates how law enforcement agencies can employ the technology for their investigations in the state. The law also prohibits government use of facial recognition in public schools and in many areas of government, including for surveillance purposes, and adds accountability measures.64 Although Virginia, Massachusetts and Washington legislatures have also banned some police use of facial recognition technology, they fall short of regulating the technology in schools and other state agencies.
Additionally, while Texas, Washington and Illinois have already enacted statutes governing biometric data directly, many other states indirectly regulate biometric data by including it in their statutory definitions of personal information. At the time of writing, many states, including South Carolina, have legislation pending that is modelled on the Illinois Biometric Information Privacy Act (BIPA). These laws, which generally require notice and opt-out, limitations on the commercial use of acquired biometric data, destruction of the data after a certain period of time, and employment of industry standards of care to protect the data, will likely continue to be an area of focus.
State data protection actions
Besides taking the lead on enacting broad, cross-sectoral privacy and data security legislation and updating their data breach notification laws, states are also taking the lead in putting in place and enforcing cybersecurity regulatory regimes. One regulator that has been active in this space is the New York Department of Financial Services (DFS). With its ground-breaking Cybersecurity Regulation, which took effect in March 2017, DFS is now actively enforcing its prescriptive cybersecurity requirements. DFS filed its first enforcement action on 21 July 2020 against First American Title Insurance Company, and First American has opted to litigate rather than settle. A hearing before a DFS-appointed administrative judge was scheduled for August 2021.
At the time of writing, DFS has also brought actions against, and entered into settlements with, three additional regulated entities. In March 2021, DFS announced a settlement with Residential Mortgage Services.65 DFS alleged that its 2020 examination of the company uncovered a 2019 phishing attack that the company had not reported. Among other items, Residential Mortgage Services agreed to pay a US$1.5 million penalty. The following month, DFS announced a settlement with National Securities.66 DFS alleged that National Securities failed to implement multifactor authentication, as required under the Cybersecurity Regulation, until well after the compliance deadline, failed to timely notify DFS of two cyber events, and, as a result of these failures, filed a false certification of compliance with the Cybersecurity Regulation for 2018. Among other items, National Securities agreed to pay a US$3 million penalty. Finally, in May 2021, DFS announced a settlement with First Unum and Paul Revere Life Insurance Companies.67 The insurance companies had notified DFS of two phishing attacks, in 2018 and 2019. In connection with those incidents, DFS alleged that the companies failed to implement multifactor authentication (or reasonably equivalent or more secure access controls) and that, as a result, the companies' certification of compliance for 2018 was false. Among other items, the companies agreed to pay a US$1.8 million penalty.
DFS was also the first US regulator to issue specific guidance concerning cyber insurance. On 4 February 2021, DFS issued Circular Letter No. 2, which announced a cyber insurance risk framework that describes industry best practices for New York-regulated property and casualty insurers.68 As cybercrime becomes more common and more costly, this new cyber insurance framework seeks to 'foster the growth of a robust cyber insurance market' to help protect against the growing number of cyber threats faced by organisations in modern life.
Finally, DFS has positioned itself as an active regulator in both the cybersecurity preparedness and the cyber risk management arenas. On 27 April 2021, the Department issued a report on its investigation into the New York financial services industry's response to the SolarWinds supply chain attack.69 Shortly after the attack, DFS alerted its regulated entities and made clear its expectation that any 'impacted' regulated entity should report whether it used the infected versions of the software and provide information to DFS. After investigating and receiving information from licensed entities, DFS prepared a report summarising the information gathered from interviews with 88 regulated entities, together with an analysis of effective response tactics and lessons learned, and highlighting the importance of vigorous third-party risk management in defending against such attacks.
State courts
Just as the federal courts have decided a number of recent important privacy and data security cases, so too have state courts. While a complete canvas of all of these decisions is beyond the scope of this chapter, highlighting a couple of examples serves to demonstrate the general point. The Illinois Biometric Information Privacy Act (BIPA) provides a private right of action for aggrieved individuals, and the Illinois Supreme Court has held that bare procedural violations of the statute are sufficient to establish standing.70 A wide range of technology companies, including Facebook, Shutterfly, Snapchat and Google, are finding themselves defending their implementation of facial recognition technology against BIPA claims in Illinois courts.
It remains to be seen how state laws and state courts may be influenced by the Supreme Court's standing decision in TransUnion v. Ramirez, discussed earlier. The Supreme Court precedent could substantially curtail federal court jurisdiction for CCPA and BIPA cases. Many state courts currently apply standing rules analogous to those of federal courts, so claims based on technical violations of privacy regulations could also be affected by the TransUnion precedent. Commentators emphasise that TransUnion will likely create procedural challenges for multi-state class actions where the complaint cannot allege that all members of the class suffered the same concrete harm. Notably, however, state courts in California do not follow the federal standing rules, so cases filed under the CCPA or CPRA in state court would not likely be affected by TransUnion.
For all these reasons, US law can have a dramatic impact on foreign organisations and, as a result, we live in interesting times. As detailed above, the US law concerning privacy and data security is quite dynamic, with both federal and state lawmakers and regulators actively considering potentially dramatic new laws and regulations. Foreign organisations are thus recommended to keep careful tabs on US developments, as the requirements may change at any moment.