STATE & LOCAL LAWS & REGULATIONS
- Nevada Bill Provides Residents Broader Rights to Opt Out of Sales. On June 2, 2021, Nevada Governor Stephen F. Sisolak signed SB 260, amending Nevada’s online privacy notice law to provide Nevada residents with broader rights to opt out of the sale of certain personal information and create new requirements for data brokers. Nevada law previously provided consumers with the right to opt out of sales, but defined “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” SB 260 eliminates the requirement that the exchange be for the purpose of the other person selling or licensing the information. The law also requires “data brokers” to provide a designated address for consumers to submit requests to opt out of the sale of their covered information and respond to requests within 60 days. Operators of commercial websites have been subject to similar requirements since 2019. The revisions provide a 30-day cure period for operators and data brokers that have not previously failed to comply with the law’s requirements.
- Connecticut Amends Data Breach Notification Law. The Connecticut Legislature passed HB 6607 in early June 2021 to amend its data breach notification law to create a limited safe harbor for entities impacted by a data breach. HB 6607 prohibits courts from assessing punitive damages for tort claims against an entity that experiences a data breach if the entity has created, maintained, and complied with a written cybersecurity program protecting restricted information that conforms to an industry-recognized framework (e.g., NIST) and/or federal laws (e.g., HIPAA). “Restricted information” is information about an individual that alone or in combination with other information (including personal information) can be used to distinguish or trace the individual's identity or is reasonably linked or linkable to an individual, if the information is not encrypted, redacted, or otherwise made unreadable—the breach of which is likely to result in a material risk of identity theft or other fraud. HB 6607 follows a similar amendment to Utah’s data breach notification statute earlier in 2021. While HB 6607 was passed, Connecticut’s comprehensive privacy legislation SB 893 failed to pass before the end of Connecticut’s legislative session on June 9, 2021.
- Colorado Passes Comprehensive Privacy Law. On July 8, 2021, the Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”) into law, making Colorado the third state (after California and Virginia) to pass a comprehensive privacy law. The CPA contains many of the same requirements as the California Consumer Privacy Act (“CCPA”) and Virginia’s Consumer Data Protection Act (“CDPA”). The CPA provides consumers rights like the CCPA and CDPA—the rights to access, obtain a portable copy of, correct, and delete their personal data. Like the CDPA, the CPA requires controllers of personal data to conduct and document data protection assessments when conducting processing that presents a heightened risk of harm to a consumer and requires consent for processing “sensitive data.” The CPA also requires a written contract between controllers and processors that mirror the requirements of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”). The CPA provides a 60-day cure period to rectify non-compliance, but only until January 1, 2025. The CPA would become effective July 1, 2023. You can read more about the CPA here.
- New York City Enacts Tenant Data Privacy Act. New York City recently added to the web of biometric privacy regulation that continues to grow across the country with its enactment of the Tenant Data Privacy Act (“TDPA”) (Int. 1760-2019), which regulates the collection, use, retention, and security of biometric data (as well as other forms of sensitive personal information) by owners and operators of “smart access buildings” located in New York City. The TDPA is the latest in a string of new laws specifically targeting the collection and use of biometrics, but is the first of its kind to provide targeted requirements and limitations focused on residential “smart access” technology. The TDPA will go into effect on July 29, 2021, although the teeth of the law—its private right of action relating to prohibited sales of biometric data—will not take effect until January 1, 2023. Landlords that operate in New York City should consult with experienced biometric privacy counsel to begin coming into compliance with the TDPA. At the same time, landlords outside of New York City should also consider enhancing their own biometric privacy compliance programs at this time, as it is likely that similar laws will be enacted in other parts of the country sooner than later. Read more about the TDPA here.
- Baltimore Passes Private Sector Facial Recognition Ban. On June 14, 2021, Baltimore passed Council Bill 21-0001, becoming the second U.S. jurisdiction to enact sweeping facial recognition regulation that bars the use of facial biometrics by any private entity or individual within city limits—except in the limited case when facial biometrics are used for the purpose of protecting against unauthorized access to a particular location or electronic device. While a number of cities have enacted laws prohibiting law enforcement and other governmental agencies from using facial recognition, Portland, Oregon, became the first jurisdiction to extend a blanket ban over the use of this technology to the private sector in September 2020. The Baltimore ban goes even further than its Portland counterpart by imposing criminal penalties of up to a year in jail on companies and individuals that run afoul of the ban. The bill is currently awaiting signature from Baltimore Mayor Brandon Scott and will go into effect 30 days after it is enacted. Companies located in Baltimore should take immediate action to evaluate whether any form of facial biometrics is currently being used. If so—and the technology is not being utilized for the purpose of protecting against unauthorized access to a particular location or electronic device—its use should be eliminated.
- Texas Amends Data Breach Notification Law. On June 14, 2021, Texas Governor Greg Abbott signed HB 3746 into law, amending Texas’s data breach notification law. Texas’s data breach notification law required businesses to notify the Texas Attorney General of any data breach that affects at least 250 Texas residents, and required businesses to report the number of Texas residents affected by the breach in such notification to the Attorney General. HB 3746 now requires breach notifications to the Attorney General to also include the number of affected Texas residents that “have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification [to the Attorney General].” HB 3746 further amends Texas’s data breach notification law to require the Attorney General to post and maintain a listing of the breach notifications received by the Attorney General on the Attorney General’s publicly accessible website. The Attorney General is required to update the list within 30 days of receiving a breach notification report, and must remove a business from the list after one year from the notice date, assuming the business has not submitted any updated or additional breach notifications since that time. The amendments are effective September 1, 2021.
FEDERAL LAWS & REGULATION
- Private Sector Pipeline Companies Required to Report Breaches. Following the ransomware attack on Colonial Pipeline, the Transportation Security Administration (“TSA”) released a security directive, effective May 28, 2021, to better “identify, protect against, and respond to threats to critical companies in the pipeline sector.” The security directive is addressed to “owners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility” that are notified by TSA that their pipeline system or facility is “critical.” The security directive orders such pipeline companies to report confirmed or potential cybersecurity incidents within 12 hours of discovering such incident to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”). The report must include details on the pipeline facilities potentially affected and, in the case of a ransomware attack, information on the malicious software, domains, and IP addresses being used by attackers. The security directive also orders critical pipeline companies to designate a primary and at least one alternate cybersecurity coordinator to serve as the primary contact of cyber-related intelligence information and other activities with TSA and CISA.
- Deputy National Security Advisor Issues Cybersecurity Best Practices Letter. Following President Biden’s Executive Order on Improving the Nation’s Cybersecurity, on June 2, 2021, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, issued a letter addressed to executives and business leaders, stating that protecting the country’s resilience against cyberattacks in both the private and public sector is a top priority for President Biden. The letter lists recommended best practices that the government suggests private companies adopt now, including 1) implement multifactor authentication, endpoint detection and response, encryption, and a skilled, empowered security team; 2) backup data, system images, and configurations, and regularly test the backups and keep them offline; 3) update and patch systems promptly; 4) test incident response plans; 5) use a third-party penetration tester to test the security of systems; and 6) segment networks.
- Biden Signs Executive Order on Protecting Sensitive Data from Foreign Adversaries. On June 9, 2021, President Biden signed the Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “Order”). The Order revokes and replaces three executive orders (O.s 13942, 13943, and 13971) signed by then-President Donald J. Trump, which aimed to prohibit transactions with TikTok, WeChat, and eight other communications and financial technology applications. The Order directs the U.S. Department of Commerce to evaluate transactions involving connected software applications that may pose an unacceptable risk to U.S. information and communications technology, critical infrastructure, digital economy, or national security, and to take appropriate action based on its evaluation. The Order also directs the Department, in consultation with various U.S. agencies, to make recommendations to protect against harm from the sale or transfer of, or access to, sensitive personal data by persons owned or controlled by, or subject to the jurisdiction or direction of, foreign adversaries.
- Senator Gillibrand Reintroduces the Data Protection Act of 2021. Senator Gillibrand (D-NY) reintroduced the Data Protection Act of 2021 (the “Bill”) on June 17, 2021, which would create an independent federal privacy regulator, the Data Protection Agency (“DPA”). The revised Bill, originally introduced in February 2020, adds provisions to allow the DPA to serve as a rule-maker regarding social, ethical, and economic impacts of data collection, as well as a rule-enforcer with a broad range of enforcement tools (e.g., civil penalties, injunctive relief, equitable remedies). The revisions provide the DPA with oversight authority of any person or entity processing personal data for commercial reasons (“Data Aggregators”) and broadly-defined “High-Risk Data Practices,” which include automated decision-making or sensitive personal data (e.g., biometrics, geolocation, credit) processing. The DPA would also be responsible for reporting to the FTC on the privacy and data protection implication of any merger involving a Data Aggregator or mergers involving large data transfers of 50,000+ individuals’ personal data.
- Supreme Court Narrows Interpretation of the Computer Fraud and Abuse Act (“CFAA”). The U.S. Supreme Court limited the application of the CFAA in Van Buren v. United States, No. 19-783 (U.S. June 3, 2021). The CFAA imposes criminal liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” In its ruling, the court held that “an individual ‘exceeds authorized access’ under the CFAA when accessing a computer with authorization but obtaining information located in particular areas of the computer—such as files, folders, or databases—that are off limits to the individual.” Conversely, according to the court, no unauthorized access occurs when individuals misuse their access to obtain information otherwise available to them for an unauthorized purpose. The ruling resolves a circuit court split about whether the definition of “exceeds authorized access” includes someone obtaining information they had access to for an improper purpose, or only someone who accessed information they did not have lawful access. The CFAA is often used by organizations to bring private lawsuits seeking injunctive or monetary relief, and the ruling will now limit the circumstances under which such relief may be available if access to data is not appropriately restricted. Companies should review their user access policies and controls to ensure that access to sensitive data is appropriately limited.
- Supreme Court Limits Class Action Standing. The U.S. Supreme Court issued an opinion in TransUnion LLC v. Ramirez, No. 20-7297 (U.S. June 25, 2021) clarifying what qualifies as the type of “concrete harm” necessary to establish standing under Article III of the U.S. Constitution. In TransUnion, the court reduced the class size of consumers asserting violations of the Fair Credit Reporting Act (“FRCA”), finding that a class of consumers that had been flagged as potential matches to names on a list maintained on the U.S. Treasury Department’s Office of Foreign Assets Control of terrorists, drug traffickers, and other serious criminals. The court held that only those individuals whose credit report with the misleading label was sent to third parties suffered the concrete harm required to constitute Article III. Consumers whose reports were never disseminated to third parties did not meet the concrete harm standard. Read more about the TransUnion case and what it means for the future of class actions here.
- FTC Settles Enforcement Action Against MoviePass, Inc. On June 7, 2021, the Federal Trade Commission (“FTC”) announced the settlement of its enforcement action brought under the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”) against now-defunct MoviePass, Inc. for alleged deceptive trade practices and data security shortcomings. MoviePass offered a monthly, fee-based subscription service that allowed customers to see unlimited movies in theaters. According to the FTC, once the company began experiencing financial difficulties, it implemented several strategies to prevent subscribers from utilizing the advertised service. In addition, the FTC also alleged that the company failed to take reasonable measures to safeguard consumers’ data, resulting in a data breach in 2019. Companies that offer products or services with negative option or autorenewal features should pay close attention to this settlement, which serves as notice of the FTC’s intent to use ROSCA (which regulates negative option marketing) to challenge any misleading or deceptive representations made in connection with autorenewal programs for the purpose of obtaining monetary relief, even when such violations do not pertain to a negative option feature. Moreover, because the Supreme Court’s recent ruling in AMG Capital Management has significantly curtailed the FTC’s ability to obtain monetary relief in enforcement actions outside of the negative option context, the FTC may make policing companies that offer negative option features a high priority for the foreseeable future.
- SEC Issues Fine for Failure to Maintain Disclosure Controls. The Securities and Exchange Commission (“SEC”) announced on June 15, 2021, that it entered an order assessing a $487,616 penalty and settling charges against First American Financial Corporation for a failure to maintain appropriate disclosure controls and procedures relating to a cybersecurity vulnerability that exposed sensitive consumer personal information. The SEC alleged that First American was informed of a vulnerability in its document sharing application that exposed documents dating back to 2003 that contained sensitive personal information, including social security numbers and financial information. According to the SEC, First American’s senior executives that were responsible for the disclosures were not informed of certain information relating to the incident, including that First American information security personnel had identified the vulnerability several months earlier but had failed to remediate the vulnerability in accordance with company policies. The order highlights the need for public companies to maintain disclosure controls that ensure all available relevant information regarding cybersecurity-related is made available to executives responsible for submitting reports under the Exchange Act.
- SEC Sends Companies Request for Information Regarding SolarWinds Breach. As part of its investigation regarding the SolarWinds cyberattack, in mid-June the SEC sent requests to companies to voluntarily provide previously undisclosed information and related documents regarding how they were affected by the attack. U.S. securities laws require companies to disclose material information that could affect share prices, including significant data breaches and other material cybersecurity events. The SEC requests contain an offer of amnesty, stating that the SEC’s Division of Enforcement will not recommend enforcement actions against recipients that come forward with requested information, subject to certain limitations and conditions. SolarWinds disclosed that nearly 18,000 of its customers may have been affected by the breach and it is believed the SEC may be targeting some or all of those customers with these requests. The SEC has released an FAQ related to the Solar Winds requests. Public companies should reasonably expect additional SEC investigations on other security incidents.
- NYDFS Issues Ransomware Guidance. On June 30, 2021, the New York Department of Financial Services (“NYDFS”) issued new guidance on ransomware prevention after reviewing 74 ransomware attacks reported to the department. The guidance identifies nine key cybersecurity measures that NYDFS recommends all covered financial institutions implement, regardless of entity size, to reduce the risk of ransomware attacks, including: training employees in cybersecurity awareness and identification of phishing; implementing a vulnerability and patch management program; using multi-factor authentication and strong passwords; segregating and testing backups; and having a tested ransomware specific incident response plan. The guidance also stated that NYDFS-regulated entities should report to the NYDFS any successful deployment of ransomware on their internal network and any intrusion where hackers gain access to privileged accounts as promptly as and no later than 72 hours after the event. Financial institutions regulated by NYDFS should assess their cybersecurity programs to identify and remediate any gaps in compliance with the new recommendations. In addition to this guidance, NYDFS has stated it is considering revising its Cybersecurity Regulation to address the evolution in cyber risk.
INTERNATIONAL LAWS & REGULATION
- European Commission Releases New Standard Clauses for International Data Transfers. On June 4, 2021, the European Commission released the final version of its implementing decision adopting new standard contractual clauses (“SCCs”) for use in connection with the transfer of personal data from the European Economic Area (“EEA”) to third parties outside the EEA. The new SCCs are a culmination of efforts to update the SCCs to take into account the requirements of the GDPR and the July 2020 decision in Schrems II by the Court of Justice of the European Union (“ECJ”). Consistent with Schrems II and subsequent data protection authority guidance, the new SCCs require parties to evaluate each transfer and document that an adequate level of protection is afforded to the transferred personal data. The new SCCs also use a modular approach to enable businesses to account for a variety of complex data transfers. The new SCCs became effective and available for use by companies on June 27, 2021. Companies may continue to use the old versions of the SCCs until September 27, 2021, after which time they will be repealed and no longer available to use with international transfers. Companies have until December 27, 2022, to transition to the new SCCs. You can read more about the new SCCs here.
- EU’s Top Court Delivers One-Stop-Shop Ruling. The ECJ ruled on June 15, 2021, that in certain circumstances a data protection authority may pursue court proceedings against a company even if the authority is not the company’s main privacy regulator. Belgium’s data protection authority had taken action against Facebook to prevent the company from tracking Belgian users through Facebook’s social media plug-ins. Facebook argued that under the GDPR’s one-stop-shop mechanism, only Ireland’s data protection authority was competent to bring such an enforcement action against Facebook. The one-stop-shop mechanism provides the supervisory authority in the country of the main establishment of a company and is the lead supervisory authority competent to oversee cross-border data processing for that company. The ECJ affirmed the one-stop-shop mechanism, but held that other supervisory authorities may take action against a company in cases mainly of national relevance, when taking limited duration provision measures under the GDPR’s urgency procedure, for pre-GDPR processing and in cases of non-GDPR processing.
- Final Recommendations on Supplementary Measures for Personal Data Transfers Released. Following on the heels of the European Commission’s release of new SCCs, the European Data Protection Board (“EDPB”) released its final recommendations on supplementary measures for data transfers on June18, 2021. The recommendations outline steps organizations should take to transfer personal data outside of the EEA in compliance with the Schrems II judgment and examples of supplementary measures that could be put in place if needed. Like the initial draft recommendations released in November 2020, the final recommendations require entities to assess the law and practices of the country to which personal data is transferred to determine if there is anything that may impinge the effectiveness of safeguards utilized in the context of a specific transfer (e.g., the safeguards provided by the SCCs). However, the EDPB moved away from its draft recommendation position stating organizations could not rely on subjective factors such as the likelihood of access by public authorities. Instead, the final recommendations provide for a risk-based approach where organizations may consider the actual practices of public authorities as they relate to a specific transfer. If an organization concludes that the legislation or practices of the country to which personal data is transferred may impinge the effectiveness of the transfer tool being used, the organization must identify and adopt supplementary measures as appropriate to provide an adequate level or protection. Organizations are required to document transfer assessments and supplemental safeguards as well as reevaluate protections for transfers at appropriate intervals. Companies should ensure that they have built and maintain appropriate policies, procedures, and internal controls that comply with EDPB recommendations when transferring personal data from the EEA to the United States.
- European Commission Adopts UK Adequacy Decisions. On June 28, 2021, the European Commission adopted adequacy decisions for the UK under GDPR and the Law Enforcement Directive. The decisions confirm that the UK provides an essentially equivalent level of protection for personal data as EU law and enable organizations in the EU to continue to transfer personal data to the UK without restriction. Use of standard contractual clauses or other cross-border data transfer mechanisms will not be required for such transfers. The adequacy decisions require the European Commission to review the adequacy of UK law within four years. The adequacy decisions will lapse unless renewed by the European Commission after that time.