The BR Privacy & Security Download: August 2021
Welcome to the second issue of The BR Privacy & Security Download, the new digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. The rapid pace at which technology and data privacy and security regulation are evolving can make it a challenge to keep up with worldwide legal events affecting businesses’ use of personal data. The BR Privacy & Security Download keeps you up to date with the important data privacy and security-related news of the past month. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
Privacy & Security Developments
STATE & LOCAL LAWS & REGULATIONS
- Florida Enacts Mini-TCPA: On July 1, 2021, Florida enacted CS/SB 1120 into law, updating the Florida Consumer Protection Law and the Florida Telemarketing Act. CS/SB 1120 prohibits making, or knowingly allowing to be made, a telephonic sales call through an automated system without the prior express written consent of the called party. CS/SB 1120 arguably reaches beyond the federal Telephone Consumer Protection Act (“TCPA”) through its use of the undefined term “automated system.” Because CS/SB 1120 applies to any system that “automat[es] … the selection or dialing of telephone numbers,” “automated system” may be construed to cover more types of equipment than the TCPA’s “automatic telephone dialing system,” the interpretation of which was recently narrowed by the U.S. Supreme Court. CS/SB 1120 also greatly expands liability for marketing calls and text messages, creating a private right of action that allows Florida residents to sue to recover $500 per violation (or $1,500 for willful or knowing violations) plus attorneys’ fees and costs. You can read more about CS/SB 1120 here.
- Colorado Governor Says Changes to the Colorado Privacy Act Are Needed: As we previously reported, the Colorado Privacy Act (“CPA”) was passed into law on June 8, 2021. However, Colorado Governor Jared Polis foreshadowed that additional amendments would be needed in a letter addressed to the Colorado Legislature. Governor Polis stated that “in the haste to pass [the CPA], several issues remain outstanding,” and that his “chief concern is ensuring Colorado’s competitiveness with other states as an incubator of new technologies and innovations.” He stated, “[the CPA] will require clean-up legislation next year, and in fact, the sponsors, proponents, industry, and consumers are already engaged in conversations to craft that bill.”
- California Attorney General Mandates Response to Global Privacy Control and Creates New Tool to Notify Businesses of Noncompliance: On July 15, 2021, the California Attorney General (“AG”) made a short but significant addition to the CCPA FAQs, stating that under the California Consumer Privacy Act (“CCPA”), global privacy controls sent from consumers’ browsers “must be honored by covered businesses as a valid consumer request to stop the sale of personal information.” This change draws on the CCPA regulations, which require businesses collecting consumers’ personal information online to treat a user-enabled global privacy control, such as a browser plug-in or privacy setting, that communicates or signals a consumer’s choice to opt out of the sale of their personal information as a valid opt-out request. The AG also created a new Consumer Privacy Interactive Tool, which helps consumers notify businesses of their noncompliance with the CCPA. Currently, the tool is limited to drafting notices to businesses that do not post an easy-to-find “Do Not Sell My Personal Information” link on their website. However, the tool may be updated over time to cover other potential CCPA violations. Instructions accompanying the tool state that consumer notices like the ones it generates may serve as sufficient notice to start the clock on the CCPA’s 30-day cure period.
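Operationally, a business that must honor a browser opt-out signal has to detect it on every request and apply it before any third-party “sale” cookie is set in the response. The following is an added example, not the newsletter’s code and not anything published by the AG; it assumes the signal format defined by the Global Privacy Control specification (a request header named Sec-GPC whose only defined value is 1; browsers also expose the same signal to scripts as navigator.globalPrivacyControl), which the newsletter does not name, and it uses constructed, hypothetical cookie names to stand in for a business’s own classification of which cookies amount to a sale.

```python
"""Honor a Global Privacy Control (GPC) signal as a CCPA opt-out of sale.

Added example, not the newsletter's or the California AG's code. Assumes the
GPC spec's request header "Sec-GPC: 1"; cookie names below are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed classification for the example: cookies whose setting would be a
# "sale" of personal information to a third party under the business's own
# analysis (hypothetical names). Everything else is treated as functional.
SALE_COOKIES = frozenset({"ad_id", "tracker_sync"})


@dataclass
class ConsentState:
    """Per-consumer record a business would persist alongside the session."""
    sale_opted_out: bool = False
    explicit_choice: Optional[str] = None   # "opt_in", "opt_out" or None
    source: str = "none"                    # how the current opt-out was established
    conflict: bool = False                  # GPC arrived while an opt-in was on file


def gpc_opt_out(headers: dict) -> bool:
    """Return True only for a well-formed GPC signal.

    Header names are case-insensitive, so normalise before comparing. The spec
    defines exactly one value, "1"; anything else ("0", "true", empty) is not
    an opt-out and must not be treated as one.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def handle_request(headers: dict, state: ConsentState, requested: set) -> tuple:
    """Apply GPC to one request and filter the cookies the response may set.

    The opt-out is sticky: once recorded it survives later requests that lack
    the header (a different browser, a proxy that strips it). A GPC signal also
    overrides a previously recorded opt-in; the conflict is recorded so the
    business can notify the consumer rather than silently ignore the signal.
    Returns (updated_state, cookies_allowed_in_response).
    """
    if gpc_opt_out(headers):
        if state.explicit_choice == "opt_in" and not state.sale_opted_out:
            state.conflict = True
        state.sale_opted_out = True
        state.source = "gpc"
    if state.sale_opted_out:
        allowed = {c for c in requested if c not in SALE_COOKIES}
    else:
        allowed = set(requested)
    return state, allowed


if __name__ == "__main__":
    # Constructed request: a browser with GPC enabled, a site that wants to
    # set one functional and one advertising cookie.
    state, allowed = handle_request(
        {"Host": "example.test", "Sec-GPC": "1"}, ConsentState(), {"session", "ad_id"}
    )
    print(state, sorted(allowed))
```

The filter runs on every request rather than only at cookie-banner time because the signal is per browser, not per visit, and the AG’s FAQ treats it as a request the business must act on, not a preference it may ask the consumer to confirm. Logging the source of each opt-out (here the `source` field) is what lets the business show, within the 30-day cure window, when and how a given signal was honored.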
- California AG Releases CCPA Enforcement Case Examples: On July 19, 2021, the California Attorney General (“AG”) issued a press release summarizing its first year of CCPA enforcement actions and released brief summaries of 27 exemplary enforcement cases. The AG reported that 75 percent of businesses that received a notice of an alleged violation since the AG began enforcing the CCPA on July 1, 2020, had taken action to come into compliance within the 30-day statutory cure period. The remaining 25 percent are currently within their 30-day window for cure or under active investigation. The summaries show that enforcement has been undertaken against companies in a diverse set of industries. The CCPA enforcement case examples do not include all of the details of specific violations or curative actions that were taken and deemed sufficient by the AG, but several themes emerge in the summaries. Many of the enforcement cases address deficiencies in notices to consumers such as failing to include a description of consumer rights or request submission methods, or a notice of financial incentive. Inadequate or missing “do not sell” links were also cited in several cases, providing some additional clarity on the AG’s position that data collection by a third party via cookies is a sale unless the business obtains appropriate contractual commitments from the third party to make them a “service provider” under the CCPA. Failure to timely respond to consumer rights requests and noncompliant service provider contracts were additionally cited.
- Ohio Introduces Comprehensive Privacy Legislation: On July 13, 2021, Ohio introduced its own comprehensive privacy legislation, the Ohio Personal Privacy Act (“OPPA”), following in the footsteps of California, Virginia, and Colorado. Like its predecessors, OPPA would provide Ohio residents with the rights to access, obtain a portable copy of, delete, and opt out of the sale of personal data. OPPA would apply to entities that conduct business in Ohio, or produce products or services targeted to Ohio residents, and that (1) have annual gross revenues generated in Ohio exceeding $25 million; (2) control or process the personal data of 100,000 or more Ohio residents in a calendar year; or (3) derive over 50 percent of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers in a calendar year. OPPA would be enforced solely by the Ohio Attorney General. Unique to OPPA, a covered business would have an affirmative defense to OPPA violations if it maintains and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (“NIST”) Privacy Framework.
FEDERAL LAWS & REGULATION
- Government Launches New Website to Prevent Ransomware: With the recent rise in high-profile cyberattacks, including the SolarWinds supply-chain compromise and the Colonial Pipeline, JBS, and Kaseya ransomware attacks, the Department of Justice (“DOJ”) and the Department of Homeland Security (“DHS”), along with other federal partners, launched a new website on July 15, 2021, to combat the threat of ransomware. StopRansomware.gov provides resources to help organizations understand the ransomware threat, mitigate their risk, and, in the event of an attack, know what steps to take. The website also explains how to report ransomware attacks. StopRansomware.gov consolidates ransomware resources and alerts from across the federal government, including DHS’s Cybersecurity and Infrastructure Security Agency (“CISA”) and the U.S. Secret Service, the DOJ’s Federal Bureau of Investigation, the Department of Commerce’s National Institute of Standards and Technology, and the Departments of the Treasury and Health and Human Services. Its guidance is drawn mainly from the “Ransomware Guide” published by CISA in September 2020.
- DHS Releases New Security Directive for Critical Pipeline Owners and Operators: On July 20, 2021, the U.S. Department of Homeland Security’s (“DHS”) Transportation Security Administration (“TSA”) released a security directive requiring owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to implement “a number of urgently needed protections against cyber intrusions.” The security directive requires covered pipeline owners and operators to implement specific mitigation measures to protect against ransomware attacks and other known threats, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review. This is the second security directive released by the TSA in response to the Colonial Pipeline ransomware attack. The first security directive, effective May 28, 2021, required covered pipeline owners and operators to: (1) report cybersecurity incidents to CISA; (2) designate a cybersecurity coordinator; (3) review current practices; and (4) identify and report gaps and related remediation measures to the TSA and CISA within 30 days.
- U.S. House Passes Consumer Protection and Recovery Act (H.R. 2668): On July 20, 2021, the U.S. House of Representatives (“House”) passed the Consumer Protection and Recovery Act (H.R. 2668). The bill is intended to restore the Federal Trade Commission’s (“FTC”) consumer protection enforcement powers under Section 13(b) of the FTC Act and comes just three months after the U.S. Supreme Court ruled in AMG Capital Management, LLC v. Federal Trade Commission that Section 13(b) does not authorize the FTC to obtain equitable monetary relief such as restitution or disgorgement. The bill authorizes the FTC to seek restitution for losses; contract reformation and rescission; money refunds; or the return of property in federal court from businesses that engage in unlawful commercial practices such as false advertising, consumer fraud, and anticompetitive conduct. The bill further authorizes the FTC to seek temporary restraining orders and preliminary injunctions, as well as other equitable relief, including disgorgement, and provides that any relief sought under Section 13(b) of the FTC Act may be for past violations in addition to ongoing and imminent violations.
- Federal SAFE DATA Act Reintroduced: On July 28, 2021, Senators Roger Wicker (R-Miss.) and Marsha Blackburn (R-Tenn.) reintroduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (the “SAFE DATA Act”), originally introduced in September 2020. The SAFE DATA Act would preempt state and local privacy laws while carrying forward many of the provisions those laws already contain, including consumer rights to access, correct, and delete personal information; opt-in consent for secondary use of personal information and for processing or transferring sensitive personal information; data portability, data minimization, non-discrimination, and disclosure obligations for businesses; and privacy impact assessments for data processing activities that may present heightened risks of harm to consumers. The SAFE DATA Act would grant rulemaking authority to the Federal Trade Commission (“FTC”) and enforcement authority to the FTC and state attorneys general, but would not provide a private right of action for consumers.
- House of Representatives Aims to Strengthen Energy Industry Cybersecurity: On July 19, 2021, the House of Representatives approved a pair of bills aimed at reducing the threat of cyberattacks directed at critical energy infrastructure—the Energy Emergency Leadership Act (HR 3119) and the Enhancing Grid Security through Public-Private Partnerships Act (HR 2931)—which are now under consideration by the U.S. Senate. HR 3119 seeks to reorganize the Department of Energy (“DOE”) by elevating energy emergency and cybersecurity responsibilities as core DOE functions and adding a new DOE Assistant Secretary position to oversee and manage these key issues. HR 2931 issues explicit directives to the Secretary of Energy to develop more robust security protections for safeguarding electric utilities’ physical and cyber operations, such as by providing training to electric utilities to manage and guard against cybersecurity supply chain management risks and enhancing the cybersecurity of third-party vendors that work with electric utilities. Together, these two bills, if enacted, would significantly broaden the DOE’s regulatory authority.
- Introduction of Federal Cyber Incident Notification Act: On July 21, 2021, the Cyber Incident Notification Act of 2021 (the “Act”) was introduced in the U.S. Senate. The Act would require federal agencies, federal contractors, owners and operators of critical infrastructure, and related organizations that provide cyber incident response services (“Covered Entities”) to promptly notify the federal government of cyberattacks. Because of the Act’s broad scope, these requirements would apply to the majority of entities in the federal supply chain. Under the Act, a Covered Entity would be required to report any suspected or actual cyberattack to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) within 24 hours of confirming the attack. The Act would also require that, until a cyberattack has been mitigated, a Covered Entity provide CISA with any new threat information within 72 hours of obtaining it. As to enforcement, the Act provides that federal contractors could be subject to penalties determined by the Administrator of the General Services Administration (“GSA”), including removal from GSA federal supply schedules. Entities that do not operate under federal contracts could face financial penalties of up to 0.5 percent per day of the company’s gross revenue from the prior year.
- President Biden Signs Memorandum Aimed at Improving Cybersecurity for Critical Infrastructure Control Systems: Following the recent cyberattacks on SolarWinds, Colonial Pipeline, JBS, and Kaseya, on July 28, 2021, President Biden issued a National Security Memorandum, Improving Cybersecurity for Critical Infrastructure Control Systems, aimed at further enhancing the security of America’s critical infrastructure from growing, persistent, and sophisticated cyber threats. The Memorandum establishes an Industrial Control Systems Cybersecurity Initiative—a voluntary, collaborative effort between the federal government and the infrastructure community to significantly improve the cybersecurity of critical systems that focuses on expanding the deployment of technologies that provide threat visibility, indications, detection, and warnings, while enhancing response capabilities. In addition, the Memorandum also directs the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and the National Institute of Standards and Technology (“NIST”) to develop cybersecurity performance goals for critical infrastructure.
- Court Rules Computer Forensics Report Not Privileged: Continuing a recent trend of judicial skepticism toward shielding computer forensics investigative reports from discovery in data breach litigation, on July 22, 2021, a magistrate judge in the U.S. District Court for the Middle District of Pennsylvania ordered a convenience store chain to produce a forensics report relating to a suspected breach event prepared by the chain’s security consultants, as well as all communications between the chain and the consultant. The court ruled that neither the report nor the communications were protected from disclosure by the work product doctrine or the attorney-client privilege because the primary motive for preparing the investigative report was not to prepare for litigation. The judge found that the language of the contract with the security consultant showed that the overall purpose of the investigation was to determine whether unauthorized activity in the chain’s information technology systems had led to a compromise of sensitive data and to determine the scope of any compromise. Additionally, the chain’s corporate designee who signed the contract testified that he was not contemplating lawsuits that could result from the breach at the time the contract was executed and that the chain would have done the investigative work regardless. Finally, the judge found no evidence that the investigative report had been provided to outside counsel to assess legal risk before it was delivered to the chain. The ruling highlights the importance of involving outside counsel early and of clearly defining the purpose of any data breach investigation when engaging third-party security consultants; where the same consultant will also perform remediation, a practitioner should expect a court to ask why that ordinary-course work would not have been done absent litigation.
- Federal Banking Regulators Request Comment on Proposed Guidance on Third Party Risk Management: On July 13, 2021, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (“Regulators”) issued a request for public comment on proposed guidance intended to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies. The Regulators emphasized that banking organizations engaging third parties remain responsible for ensuring that outsourced activities are conducted safely and in compliance with all applicable laws and regulations. The proposed guidance would require banking organizations to adopt third-party risk management processes commensurate with the identified level of risk, the complexity of the third-party relationship, and the organizational structure of the banking organization, and it identifies several factors relevant to performing due diligence on third parties.
- DOJ/FTC Settles with KuuHuub for COPPA Violations: On July 21, 2021, the Department of Justice (“DOJ”) and Federal Trade Commission (“FTC”) announced that Canada-based KuuHuub Inc. and its two Finnish subsidiaries (collectively, “KuuHuub”) agreed to settle claims under the FTC Act and the Children’s Online Privacy Protection Act (“COPPA”) relating to KuuHuub’s digital coloring and social media app, Recolor. According to the complaint, a portion of the app targeted “kids,” and KuuHuub knowingly collected personal information from users under 13 without attempting to obtain verifiable parental consent and improperly allowed third parties to use that information for targeted advertising. The settlement includes a $3 million civil penalty and injunctive relief, including notifying users of the alleged violations; deleting children’s personal information held by KuuHuub and seeking deletion of children’s personal information held by third-party advertising networks; and record-keeping and other compliance obligations.
INTERNATIONAL LAWS & REGULATION
- European Data Protection Board Adopts Final Controller/Processor Guidance: On July 8, 2021, the European Data Protection Board (“EDPB”) adopted the final version of its guidelines on the concepts of controller and processor. The EDPB guidelines update guidance issued in 2010 by the EDPB’s predecessor, the Article 29 Working Party. Following a period of public consultation after the release of the draft guidance in July 2020, the final version includes additional clarifications on the concepts of controller, joint controllers, and processors. The new guidelines provide important direction on the management of vendors that process European Union personal data and emphasize that contracts between controllers and processors should not merely restate the Article 28 requirements, but should include specific, concrete information about how those requirements will be met in practice (e.g., by specifying how particular information will be communicated, when, and by whom). Controllers and processors should review their data processing agreements to determine whether they meet the standards set in the guidelines.
- Italian DPA Approves New Cookie Guidelines: On July 10, 2021, the Italian Data Protection Authority (the Garante) approved new Guidelines for Cookies and other Tracking Tools. Consistent with recent guidance from its French counterpart, the Garante emphasized that no cookies or other tracking tools may be placed on a user’s device or browser before the user’s consent is obtained. Consent must be requested through a conspicuous banner and, according to the guidance, closing the banner or scrolling down the page cannot be interpreted as consent. The Garante also stated that companies may not re-present the banner to solicit consent each time the user accesses the website, except in limited circumstances where it is impossible to know whether the user declined placement of cookies. Companies have six months to come into compliance with the newly approved guidelines.
- French DPA Issues €1.75 Million Fine for Data Retention and Notice Failures: The French DPA (the CNIL) announced on July 22, 2021, that it fined the mutual insurance group AG2R LA MONDIALE €1.75 million after finding that the company had breached its obligations under the GDPR to limit the retention period of personal data and to provide required information to data subjects at the time of collection. The CNIL found that the company had not implemented the retention periods defined in its own policies and had kept personal data beyond what applicable law allowed. The CNIL further cited a failure by the company’s subcontractors to provide the required notice to data subjects when contacting individuals by telephone. The subcontractors did not give individuals information about the processing of their personal data and their other rights, and did not offer a way to obtain more complete information. Additionally, the subcontractors failed to inform individuals that conversations could be recorded or that they had the right to refuse the recording.
Save the Date
Live CLE Webinar
Old Dominion, New Privacy Law: The Virginia Consumer Data Protection Act
Tuesday, September 21, 2021 • 1:00–2:00 p.m. ET • 10:00–11:00 a.m. PT
Invitation & details to follow. Please contact Courtney Litman via e-mail with any questions.
Recent Publications & Media Coverage
- Biden’s Executive Order Strengthens Government’s Cybersecurity Practices (The Legal Intelligencer)
- Data Breach Class Actions: U.S. Supreme Court Decision May Tilt the Odds in Favor of Defendant Organizations (The Daily Swig)
- Baltimore Bill Is Most Draconian Facial Recognition Ban Yet (Law360)
- Colorado Privacy Law Ups Compliance Ante as U.S. Patchwork Grows (Bloomberg Law)
- Virtual Try-On Technology: Practical Guidance to Mitigate Biometric Privacy Liability Risk (Legaltech News)
- With Looming Attack and Litigation Risk, Lawyers Say Every Business Should Buy Cybersecurity Insurance (Texas Lawyer)