The BR Privacy & Security Download: November 2021
Welcome to this month's issue of The BR Privacy & Security Download, the new digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. The rapid pace at which technology and data privacy and security regulation are evolving can make it a challenge to keep up with worldwide legal events affecting businesses’ use of personal data. The BR Privacy & Security Download keeps you up to date with the important data privacy and security-related news of the past month. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
Privacy & Security Developments
STATE & LOCAL LAWS & REGULATION
- Florida’s Protecting DNA Privacy Act Takes Effect: Florida’s Protecting DNA Privacy Act (the “Act”) became effective on October 1, 2021. The Act criminalizes (1) willfully collecting or retaining another person's DNA sample with the intent to perform DNA analysis without express consent; (2) willfully submitting another person's DNA sample for DNA analysis, or conducting or procuring the conduction of another person's DNA analysis, without express consent; (3) willfully disclosing another person's DNA analysis results to a third party without express consent; and (4) willfully selling or otherwise transferring another person's DNA sample or DNA analysis results to a third party without express consent, regardless of whether the DNA sample was originally collected, retained, or analyzed with express consent. The Act provides certain exceptions, including using a DNA sample, DNA analysis, or results of a DNA analysis for purposes of criminal investigations or prosecutions; compliance with a subpoena, summons, or other lawful court order; compliance with federal law; and, in certain circumstances, medical diagnoses, quality assessments, improvement activities, and patient treatments.
- California Privacy Protection Agency Appoints Executive Director: On October 4, 2021, California’s new privacy protection agency, the California Privacy Protection Agency (“Agency”), announced Ashkan Soltani has been selected to serve as its first executive director. Soltani will “carry out the day-to-day operations” of the Agency, which is overseen by a five-member board. Soltani was formerly the FTC chief technologist and served as senior advisor to the U.S. chief technology officer in the White House Office of Science and Technology Policy under the Obama administration. He was also involved in drafting both the California Consumer Privacy Act (the “CCPA”) and the California Privacy Rights Act (the “CPRA”), which amends the CCPA and becomes effective January 1, 2023. Soltani has focused on online tracking and surveillance, among other areas, in his prior regulatory positions and academic work, possibly signaling future emphasis in those areas as the Agency begins its rulemaking process in earnest over the next several months.
- GIPA Approved by California Governor: On October 6, 2021, California Governor Gavin Newsom signed SB 41, the Genetic Information Privacy Act (“GIPA”), into law. As reported previously, GIPA requires direct-to-consumer genetic testing companies to disclose information regarding the company’s policies and procedures and receive express consent for the collection, use, maintenance, and disclosure of genetic data. “Genetic data” is defined as any data, regardless of its format, that results from the analysis of a biological sample from a California resident, or from another element enabling equivalent information to be obtained, and concerns genetic material, including but not limited to, DNA, RNA, genes, chromosomes, alleles, and genomes. While GIPA contains a robust penalty structure, it exempts certain types of information and entities, including those governed by California’s Confidentiality of Medical Information Act and the federal Health Insurance Portability and Accountability Act. GIPA will become effective January 1, 2022.
- Massachusetts Legislature Moves Closer to Enacting New Biometric Privacy Statute: On October 13, 2021, the Massachusetts state legislature held a hearing to discuss S.220, “An Act to Protect Personal Biometric Data,” moving a step closer to enacting new state-level biometric privacy regulation. S.220 is almost identical to the well-known Illinois Biometric Information Privacy Act (“BIPA”), including the requirements and restrictions it places on companies that use biometric data, with one notable exception: higher statutory damages awards as compared to its Illinois counterpart. Specifically, while Illinois provides for damages of $1,000 per “negligent” violation and $5,000 per “willful” or “intentional” violation, the Massachusetts legislation provides for statutory damages of “no less” than $5,000 per violation and up to $15,000, but not less than $10,000, for each willful or knowing violation of the statute. Companies that utilize biometric data in the course of their operations—even those outside of Massachusetts—should pay close attention to this particular bill, as a vote by Bay State legislators to enact S.220 may mark the beginning of a trend of additional states following suit by enacting new biometrics laws with statutory damages far surpassing those of BIPA.
FEDERAL LAWS & REGULATION
- HHS Releases Guidance on Workplace-Related Disclosures of Vaccination Status: The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights released an FAQ addressing the applicability of the Health Insurance Portability and Accountability Act (“HIPAA”) to a number of scenarios involving the confidentiality of an employee’s vaccination status. The guidance makes clear that HIPAA does not prevent an individual or entity from asking another about their vaccination status or whether the individual has received a particular vaccine, or an individual from asking a company whether its workforce is vaccinated. The guidance also states that HIPAA does not prevent an employer from requiring an employee to disclose to the employer, clients, or members of the public whether he or she has received a vaccine, because the HIPAA Privacy Rule does not apply to employment records or regulate what information can be requested from employees as part of the terms and conditions of employment. Employers should be mindful that, while HIPAA does not apply to these and other scenarios illustrated in the guidance, other state and federal laws such as the Americans with Disabilities Act may still affect when and how an employer may request such information, and may obligate employers to maintain such information in confidence.
- DHS Issues Cybersecurity Performance Goals and Objectives for Critical Infrastructure: Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo released a joint statement on the issuance of preliminary Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives (“Preliminary Goals”). The Preliminary Goals are responsive to President Biden’s National Security Memorandum released in July. The Preliminary Goals identify nine categories of cybersecurity best practices and include baseline objectives in each category that are recommended for all control system operators as well as enhanced objectives for critical infrastructure operators, such as those in the energy, communications, transportation, and water sectors. The cybersecurity best practice categories identified in the Preliminary Goals cover risk management and cybersecurity governance, system architecture and design, configuration and change management, physical security, system and data integrity, availability and confidentiality, monitoring and vulnerability management, training and awareness, incident response and recovery, and supply chain risk management. The Preliminary Goals will be finalized in the coming months as the Department of Homeland Security (“DHS”) engages industry stakeholders for comment.
- Senators Introduce Cyber Incident Reporting Act: Legislation was introduced in the Senate that would establish a Cyber Incident Review Office within DHS and require critical infrastructure operators to report cyberattacks within 72 hours. The notification period mirrors a provision in the defense authorization bill passed by the House. The “Cyber Incident Reporting Act of 2021” would also require businesses with more than 50 employees and state and local governments to notify the DHS Cybersecurity and Infrastructure Security Agency (“CISA”) if they make a ransom payment, and would require such entities to evaluate options other than making a ransom payment before doing so. If passed, the reporting obligations would not take effect until completion of the rulemaking process. The bill requires CISA to publish an interim final rule within 270 days of the bill’s passage, with a final rule due within a year of the interim rule’s publication.
- Kids Internet Design and Safety (“KIDS”) Act Reintroduced in Senate: Senators reintroduced the KIDS Act as Facebook’s internal research into the impact of its service on young audiences also became a focus of a congressional inquiry. The KIDS Act would ban certain design features deemed damaging for users under 16 years of age such as auto-play settings that prolong sessions, push alerts that encourage screen time, badges that reward users for spending time on an app or website, and interface features such as “like” buttons that quantify levels of popularity. The KIDS Act would also prohibit websites and applications for kids from amplifying harmful content or engaging in certain marketing practices deemed manipulative, such as recommending content that includes influencer marketing like unboxing videos or exposing children to marketing with embedded interactive elements.
- DHS Secretary Mayorkas Makes Remarks on Pending TSA Cyber Initiative: On October 6, 2021, DHS Secretary Alejandro N. Mayorkas delivered a keynote address at the 12th Annual Billington CyberSecurity Summit. Mayorkas discussed the steps DHS has taken and will take to strengthen the nation’s cybersecurity through CISA, other DHS components, and various government agencies and sectors, including the Transportation Security Administration (“TSA”), Coast Guard, Federal Emergency Management Agency, Secret Service, and U.S. Immigration and Customs Enforcement. Mayorkas highlighted that TSA will issue a new security directive this year “to cover higher-risk railroad and rail transit entities and require them to identify a cybersecurity point person, report cyber incidents to CISA, and put together a contingency and recovery plan in case they become a victim of malicious cyber activity.” For lower-risk surface transportation entities, TSA will issue separate guidance that encourages, rather than requires, these entities to take the same measures.
- FTC Amends Safeguards Rule to Strengthen Security Safeguards for Consumer Financial Information: On October 27, 2021, the Federal Trade Commission (“FTC”) updated its Safeguards Rule to strengthen the safeguards that financial institutions must implement to protect their customers’ financial information, following a marked uptick in widespread data breaches and other cyberattacks. The FTC’s updated Safeguards Rule requires non-banking financial institutions—such as mortgage brokers, motor vehicle dealers, and payday lenders—to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. The changes adopted by the FTC include more specific criteria for the safeguards that financial institutions must implement as part of their information security program, such as limiting who can access consumer data and using encryption to secure data. The FTC also implemented changes designed to increase transparency by requiring institutions to explain their information-sharing practices; specifically, the administrative, technical, and physical safeguards that these entities use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle consumers’ secure information. In addition, financial institutions are now required to designate a single qualified individual to oversee their information security programs and report periodically to the organization’s board of directors or, alternatively, to a senior officer in charge of information security.
- FTC Highlights Problems with ISP Data Practices: On October 21, 2021, the FTC released a staff report on internet service provider (“ISP”) data collection and use practices that concluded ISPs collect far more data than consumers may expect and fail to offer meaningful choices about how the data is used. The report is the result of a two-year effort following the FTC’s 2019 orders seeking information on broadband companies’ privacy practices. The report found that ISPs have evolved to offer a wide range of services in addition to traditional internet service, including voice, content, smart devices, advertising, and analytics, which increases the volume of information they collect. The FTC also identified data collection practices it deemed troubling at several ISPs, including combining data across product lines; combining personal, app usage, and web browsing data to target ads; placing consumers into sensitive categories by race and sexual orientation; and sharing real-time location data with third parties. The report also states that ISPs offer limited choices or ability to control secondary use of personal data, even though several ISPs promise not to sell the personal data they collect. Following the 2017 repeal of Federal Communications Commission (“FCC”) privacy rules and net neutrality rules, ISPs face limited privacy regulation. FTC Commissioner Rebecca Kelly Slaughter said the report highlights the need for stricter regulation in the industry.
- Marriott Stockholder Derivative Suit Dismissed: On October 5, 2021, the Delaware Court of Chancery dismissed a shareholder derivative suit against Marriott International, Inc. (“Marriott”), which alleged that Marriott’s board breached its duty of loyalty by failing to respond to cybersecurity deficiencies in the systems of Starwood Hotels and Resorts (“Starwood”), which Marriott acquired in 2016, leading to one of the biggest data breaches in the United States. In holding that the plaintiff’s claims fell short of pleading a breach of the directors’ duty of loyalty under the Caremark standard, the court pointed to the fact that the board was routinely apprised of cybersecurity risks and mitigation, including by receiving reports on vulnerabilities and cyber risks and engaging outside consultants to improve and audit corporate cybersecurity practices. Additionally, the court found that Starwood’s systems were not in violation of any law and that the board did not deliberately disregard any deficiencies in Starwood’s systems, but rather relied on management’s reports that it was addressing or would address the issues identified, based on recommendations made by a third-party security assessment firm.
- Ruling in Blackbaud MDL on Sufficiency of Common Law Claims Could Have Sizeable Ramifications for Cloud Service Provider Liability: On October 19, 2021, the South Carolina federal court overseeing the Blackbaud data breach multi-district litigation addressed the sufficiency of the common law negligence, gross negligence, negligence per se, and unjust enrichment claims asserted against Blackbaud in the wake of its mid-2020 ransomware incident. While the court dismissed the negligence per se and unjust enrichment causes of action, it rejected Blackbaud’s attempt to have the ordinary negligence claims dismissed as well, finding that Blackbaud owed a duty of care based on the company’s contracts with its customers, as the purpose of those contracts was to secure the personal data of the patrons of Blackbaud’s clients. The court also found that a duty existed based on the “special circumstances” of Blackbaud’s position as the party with the most control over the security of the data it stored, and as the party in the best position to prevent the harm associated with a breach of its systems. Importantly, this ruling may have sizeable ramifications for cloud service providers by expanding the scope of liability in connection with the services these entities provide for the purpose of storing and securing sensitive personal information.
- Class Action Filed Against Ancestry.com for Violation of Illinois GIPA: On October 29, 2021, a class action was filed against Ancestry.com (“Ancestry”) in the U.S. District Court for the Southern District of Illinois for Ancestry’s alleged violation of the Illinois Genetic Information Privacy Act (“Illinois GIPA”). The Illinois GIPA prohibits the release and/or disclosure of genetic testing and information derived from genetic testing to anyone other than the individual tested or persons specifically authorized in writing. The complaint alleges that Ancestry unlawfully disclosed plaintiffs’ genetic information to Blackstone, Inc. (“Blackstone”) when Blackstone acquired Ancestry on December 4, 2020. According to the complaint, following Blackstone’s acquisition of Ancestry, Ancestry disclosed on its website that the plaintiffs’ genetic information maintained by Ancestry would be released and/or disclosed to entities acquiring Ancestry, but failed to provide plaintiffs an opportunity to consent to, or identify any method by which plaintiffs could prevent, such disclosure of their genetic information to Blackstone or any other party. The plaintiffs request injunctive relief as well as damages, including statutory damages under the Illinois GIPA, which provides for up to $15,000 for each willful and/or reckless violation and $2,500 for each negligent violation.
- Department of Justice Launches Civil Cyber-Fraud Initiative and Establishes National Cryptocurrency Enforcement Team: On October 6, 2021, the U.S. Department of Justice (“DOJ”) announced a new Civil Cyber-Fraud Initiative that will use the enforcement mechanisms of the False Claims Act to pursue government contractors that fail to follow required cybersecurity standards. Led by the Civil Division’s Commercial Litigation Branch, Fraud Section, the initiative will “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.” Blank Rome’s client advisory on the DOJ’s Civil Cyber-Fraud Initiative and its impact on companies across the tiers of the government contracting ecosystem is listed under Recent Publications & Media Coverage below. The DOJ simultaneously announced a new National Cryptocurrency Enforcement Team (“NCET”) to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency and to assist in tracing and recovering assets lost to fraud and extortion (e.g., cryptocurrency payments to ransomware groups). Under the supervision of the Assistant Attorney General for the Criminal Division, the NCET will combine the expertise of the DOJ Criminal Division’s Money Laundering and Asset Recovery Section (“MLARS”), Computer Crime and Intellectual Property Section (“CCIPS”), and other sections in the division, with experts detailed from U.S. Attorneys’ Offices.
- OFAC Publishes Sanction Compliance Guidance for Virtual Currency Industry: The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced on October 15, 2021, the publication of guidance to help entities in the virtual currency industry, including technology companies, administrators, miners, wallet providers, and users, comply with OFAC sanctions. The guidance is intended to assist members of the virtual currency industry to evaluate sanctions risk, build a risk-based sanctions compliance program, protect their business from sanctions violations and intentional misuse of virtual currency by malicious actors, and understand OFAC’s recordkeeping, reporting, licensing, and enforcement processes. The guidance is part of a broader effort by the U.S. Department of the Treasury and the federal government to combat ransomware and other exploitation by sanctioned persons and other illicit actors by seeking to use existing regulations to make it more difficult to profit from such attacks.
- New Jersey Attorney General Settles Data Breach-Related Enforcement Action with Fertility Clinic: The New Jersey attorney general’s office announced on October 12, 2021, that it had entered into a settlement with a healthcare provider focused on the treatment of infertility to resolve an investigation arising from a data breach that spanned five and a half months in 2016 and 2017 and affected 14,663 patients. The New Jersey attorney general alleged that the clinic violated the New Jersey Consumer Fraud Act and HIPAA when it removed administrative and technical safeguards for protected health information, resulting in unauthorized access to its network. The attorney general cited a number of specific violations, including failing to conduct an accurate and thorough risk assessment; failing to implement a mechanism to encrypt electronic protected health information; and failing to implement proper procedures for creating, changing, and safeguarding passwords, among other violations. Pursuant to the settlement, the clinic will pay $495,000, which includes $412,300 in civil penalties and $82,700 in investigative costs and attorneys’ fees.
INTERNATIONAL LAWS & REGULATION
- Draft Decision OKs Facebook Reliance on Contractual Necessity for Advertising: On October 6, 2021, the Irish Data Protection Commission (“DPC”) submitted a draft decision relating to enforcement action against Facebook that proposes fines for certain GDPR violations relating to a lack of transparency regarding its personal data processing, but also permits Facebook to rely on contractual necessity as a legal basis for serving personalized ads to users. The DPC started an inquiry in response to a complaint alleging that, when Facebook updated its terms and conditions for GDPR compliance, Facebook forced users to consent to certain uses of data in the terms and conditions and Facebook’s Data Policy in order to continue using the platform, and that the consent allegedly relied on as the legal basis for processing was therefore invalid. The DPC found that Facebook had not relied on consent as the legal basis for processing data in accordance with its terms and conditions. The DPC instead found that Facebook could, in principle, rely on contractual necessity as the legal basis for the processing required to deliver personalized ads, because such advertising was a “core element of the commercial transaction between Facebook and Facebook users.” The draft decision will now be reviewed by other data protection authorities in the European Union, who may object to the proposed decision.
- ICO Call For Views on Anonymization, Pseudonymization, and Privacy Enhancing Technologies Guidance: The United Kingdom’s Information Commissioner’s Office (“ICO”) is calling for views on its updated draft guidance on anonymization, pseudonymization, and privacy enhancing technologies. In May 2021, the ICO published a consultation draft of the first chapter of the guidance, “Introduction to Anonymisation,” in which the ICO outlined the legal, policy, and governance issues around the application of anonymization in the context of data protection law. In October 2021, the ICO published the second chapter of the guidance, “Identifiability,” which focuses on how to assess anonymization in the context of identifiability. The ICO is now asking for feedback on its second chapter. The consultation period will close on November 28, 2021. The ICO will continue to publish draft chapters for comment, including chapters on pseudonymization techniques and best practices, accountability and governance requirements in the context of anonymization and pseudonymization, anonymization and pseudonymization in the context of research, privacy enhancing technologies, technological solutions, and data sharing options and case studies.
- ICO Issues Opinion and Call For Evidence on the Use of Age Assurance: On October 14, 2021, the ICO published an opinion on Age Assurance for the Children’s Code (“Opinion”) as well as a call for evidence on certain aspects of age assurance services. The Opinion provides the ICO’s view on how the law applies to companies using age assurance services to conform to the Children’s Code. The Children’s Code requires information society services to take a risk-based approach to recognizing the age of users. Recognizing that age assurance technology is developing rapidly, the ICO simultaneously issued a call for evidence to survey stakeholders on specific areas related to age assurance. The survey specifically asks respondents to provide evidence on the technical feasibility, effectiveness, and approaches to age estimation, emerging approaches, economic considerations, and data protection risks associated with age assurance. The consultation period will close on December 9, 2021.
- Australian Government Proposes New Online Privacy Regulation; Higher Penalties in Draft Privacy Bill: On October 25, 2021, the Australian government released draft legislation (the “Online Privacy Bill”) intended to strengthen Australia’s Privacy Act 1988 by enhancing penalties and enforcement measures and enabling the introduction of a binding online privacy code for social media and certain other online platforms. The Online Privacy Bill would increase the maximum penalty for serious or repeated breaches of privacy from A$2.1 million to the greater of A$10 million, three times the value of any benefit obtained through the misuse of information, or 10% of an entity’s annual revenue in Australia. The new code-making powers provided by the Online Privacy Bill are intended to enable the development of an online privacy code to regulate social media services, data brokerage services, and large online platforms, and would include requirements relating to transparency, user consent, and privacy protections for children. The Australian government has requested comments on the proposed Online Privacy Bill by December 6, 2021.
Blank Rome Launches Biometric Privacy Insider Blog
Blank Rome’s Biometric Privacy Team is pleased to announce the launch of a new blog, Biometric Privacy Insider, which will offer insight and analysis on issues in the rapidly growing world of biometric privacy. Authored by Blank Rome’s dedicated Biometric Privacy Team—seasoned privacy, cybersecurity, artificial intelligence, and class action attorneys from around the country—the Biometric Privacy Insider is a one-stop destination for all things biometrics.
NOW AVAILABLE ON DEMAND
Future Proofing Privacy Compliance with Impending State Regulatory Regimes
Led by Blank Rome Partners Sharon R. Klein, Alex C. Nisenbaum, Ana Tagvoryan, and Associate Karen H. Shin, this complimentary on-demand webinar analyzes the application and coverage of state laws, highlights material differences among upcoming California, Colorado, and Virginia privacy regulations and existing regulations under the CCPA and GDPR that will present operational challenges, and discusses strategies for leveraging and adjusting current compliance programs to meet those challenges.
RECENT PUBLICATIONS & MEDIA COVERAGE
- Maritime Cybersecurity: Prepare, Detect and Respond (Marine News)
- Designing a BIPA Defense: Biometric Manufacturer & Vendor Litigation Strategies (Biometric Privacy Insider)
- Department of Justice to Prioritize Cybersecurity Fraud through New Civil Cyber-Fraud Initiative (Blank Rome Client Advisory)
- Pennsylvania Litigation Trends to Watch in 2021 (Chambers and Partners)
- Changing EU Data Transfer Requirements Create New Challenges (Maritime Executive)