The BR Privacy & Security Download: September 2021
Welcome to the third issue of The BR Privacy & Security Download, the new digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. The rapid pace at which technology and data privacy and security regulation are evolving can make it a challenge to keep up with worldwide legal events affecting businesses’ use of personal data. The BR Privacy & Security Download keeps you up to date with the important data privacy and security-related news of the past month. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
Privacy & Security Developments
STATE & LOCAL LAWS & REGULATION
- ULC’s Model State Privacy Law Available for States to Consider: Following a two-year drafting process, the Uniform Law Commission (“ULC”) approved the Uniform Personal Data Protection Act (“UPDPA”) in July 2021 and the UPDPA is now available for states’ 2022 legislative sessions. The UPDPA varies in significant ways from existing state comprehensive privacy legislation in California, Colorado, and Virginia. For example, the definition of “personal data” is much more limited in scope than existing state privacy laws and is defined as “a record that identifies or describes a data subject by a direct identifier or is pseudonymized data.” Another significant difference is that the UPDPA only provides data subjects the right to copy and correct personal data. Moreover, compliance with another state’s law is considered sufficient if the Attorney General determines that such law provides for equal or stricter data protection, and the Attorney General may charge for its cost in making such determination. The UPDPA does not include a private right of action and leaves enforcement to the state Attorney General.
- California AG Publishes Bulletin Reminding Healthcare Entities of Data Privacy Obligations: On August 24, 2021, California Attorney General Rob Bonta issued a bulletin to stakeholder organizations, including the California Hospital Association, the California Medical Association, and the California Dental Association, reminding healthcare entities that they must notify the California Department of Justice (“CA DOJ”) when the health data of more than 500 California residents has been breached. Emphasizing that the healthcare sector has been a main target for cyberattacks, the bulletin also provides guidance on the minimum preventive measures that healthcare entities should take to protect their data systems from ransomware attacks.
FEDERAL LAWS & REGULATION
- NIST Publishes Request for Information on AI Risk Management Framework: The National Institute of Standards and Technology (“NIST”) announced it is developing an Artificial Intelligence Risk Management Framework (“AI RMF”) to improve the management of risks to individuals, organizations, and society related to the use of artificial intelligence (“AI”) and issued a request for information seeking input from stakeholders. The AI RMF is intended to help organizations enhance the trustworthiness of AI applications and manage risks during the design, development, and use of AI products, services, and systems. Stakeholders are asked to help NIST identify and better understand common challenges relating to AI systems, gain a better understanding of the extent to which organizations are using AI risk management standards and best practices, and specify high-priority gaps that the AI RMF may address through guidelines, standards, and best practices. Once completed, the AI RMF could provide a flexible, risk-based approach for companies to manage risk when developing, using, and deploying AI systems.
- FINRA Releases New Guidance on Supervisory Obligations Related to Outsourcing to Third-Party Vendors: On August 13, 2021, the Financial Industry Regulatory Authority (“FINRA”) released Regulatory Notice 21-29 (the “Notice”) relating to member firms’ regulatory obligations associated with engaging third-party vendors. The Notice reminds firms that outsourcing an activity or function to a vendor does not relieve members of their ultimate responsibility for compliance and that members have a continuing responsibility to oversee, supervise, and monitor the vendor’s performance of the outsourced activity or function. The Notice further reminds firms that they must implement and maintain written policies and procedures that address administrative, technical, and physical safeguards to protect customers’ nonpublic personal information and maintain a business continuity plan that extends to vendors. FINRA has taken action in the past against firms that failed to supervise vendors and against vendors that did not implement technical controls to protect customer information.
- CISA Releases Fact Sheet Addressing Ransomware: On August 18, 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released the fact sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches. The fact sheet provides guidance on how to both prevent and respond to ransomware attacks and how to protect sensitive and personal information. CISA’s recommendations include encrypting sensitive information at rest and in transit, employing multi-factor authentication, maintaining offline encrypted backups of data and regularly testing such backups, having an incident response plan in place, regularly conducting vulnerability scans, updating software, and implementing cybersecurity training on phishing. CISA also points to its joint guidance with the Multi-State Information Sharing & Analysis Center for a full ransomware response checklist.
- Seventh Circuit Affirms Denial of Biometric Tech Developer’s Attempt to Push BIPA Class Action Out of Court & into Arbitration: The Seventh Circuit Court of Appeals issued its long-awaited decision in Sosa v. Onfido, Inc., 2021 WL 3523197 (7th Cir. Aug. 11, 2021), involving the scope of arbitration challenges in BIPA class litigation, which have become one of the strongest defenses available to defendants seeking to defeat biometric privacy class actions. The Onfido court held that the defendant, a non-signatory biometric technology provider to mobile apps, could not enforce an arbitration agreement entered into between the plaintiff and the defendant’s mobile app customer on third-party beneficiary, agency, or equitable estoppel grounds. The Onfido opinion shows that while arbitration is a robust defense to BIPA class action claims, the scope of the defense is not unlimited.
- Two More Defendants Extricate Themselves from BIPA Suits through Successful Preemption Challenges: The month of August saw two more BIPA defendants utilize successful preemption challenges to limit or defeat class actions alleging violations of BIPA. In the first case, Abudayyeh v. Envoy Air, Inc., 2021 WL 3367173 (Aug. 3, 2021), Envoy Air, the largest regional carrier for American Airlines, asserted a preemption defense under the Railway Labor Act (“RLA”) and the Seventh Circuit’s opinion in Miller v. Southwest Airlines Co., 926 F.3d 898 (7th Cir. 2019), to obtain the dismissal of all claims post-dating Envoy’s interim collective bargaining agreement with its employees’ union, of which the plaintiff was a member. In the second decision, Williams v. Ecolab Inc., 2021 WL 3674608 (N.D. Ill. Aug. 19, 2021), a similar challenge asserted under the Labor Management Relations Act (“LMRA”)—which provides a virtually identical preemption standard vis-à-vis the RLA—resulted in the dismissal of the entire action brought against Ecolab Inc. by its former warehouse employee.
- BIPA Suit Stayed Pending Resolution of Appeals That Will Likely Bring Clarity to Two Major Unsettled Issues in Biometric Privacy Class Litigation: Additional BIPA activity was seen in August in the Southern District of Illinois, which granted a stay of all proceedings in Roberts v. Graphic Packaging Int’l, LLC, 2021 WL 3634172 (S.D. Ill. Aug. 17, 2021). While the stay itself is nothing to write home about, the opinion serves as a reminder of several currently pending BIPA appeals that will bring clarity to two key issues in biometric privacy class action litigation. As a reminder, in In re White Castle System, Inc., No. 20-8029, the Seventh Circuit has been asked to decide when BIPA claims accrue and, more specifically, whether a private entity violates BIPA only when it first collects or discloses biometric data or, alternatively, each time biometric data is collected or disclosed in violation of Sections 15(b) or 15(d). And in Tims v. Black Horse Carriers, Inc., No. 1-20-0562, and Marion v. Ring Container Techs., LLC, No. 3-20-0184, Illinois appellate courts will decide whether BIPA claims are subject to a one-, two-, or five-year statute of limitations period.
- FTC Removes Company from Approved COPPA Safe Harbor Program: On August 4, 2021, the FTC announced that Aristotle International, Inc. (“Aristotle”) was removed from the approved list of self-regulatory organizations offering compliance programs for the Children’s Online Privacy Protection Act (“COPPA”). The FTC had approved seven organizations to operate self-regulatory COPPA “safe harbor” programs that certify compliance with COPPA and its implementing rules. Companies that are certified as members of a safe harbor program are deemed to be in compliance with the COPPA rules. Aristotle is the first to be removed from the list. The FTC determined that Aristotle did not sufficiently monitor its member companies to ensure that they were complying with Aristotle’s safe harbor guidelines. Companies that participated in Aristotle’s self-regulatory program will no longer receive favorable regulatory treatment. The FTC’s review of Aristotle’s safe harbor program demonstrates the current state of heightened regulatory scrutiny relating to the collection and use of children’s personal information.
- SEC Settles Charges for Misleading Investors about Data Breach: The SEC announced on August 16, 2021, that Pearson plc (“Pearson”) agreed to pay a one-million-dollar civil penalty to settle charges that it misled investors about a 2018 breach affecting millions of individual records and had inadequate disclosure controls and procedures. The SEC found that Pearson had made misleading statements and omissions about the breach by referring to the incident in a semi-annual report as a hypothetical risk after the breach had already occurred, by stating in a media release that the breach may have affected dates of birth and e-mail addresses when in fact it already knew that such records had been compromised, and by omitting known facts regarding the scale of the breach. Additionally, the SEC found that the company overstated its data safeguards and did not have disclosure controls and procedures designed to ensure that individuals responsible for making disclosure determinations were informed of all information regarding the breach.
- SEC Sanctions Broker Dealer/Investment Advisory Firms for Deficient Cybersecurity: On August 30, 2021, the SEC announced that it sanctioned eight firms across three corporate groups for lax cybersecurity practices that resulted in the exposure of personally identifiable information of thousands of customers and clients of the firms. The SEC found that each of the firms violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, by failing to implement appropriate security procedures to protect firm representative e-mail accounts from known threats and failing to protect e-mail accounts consistent with existing security policies. The SEC levied penalties against the firms for the violations ranging from $200,000 to $300,000. Investment advisory firms and broker dealers should ensure that they are fully implementing their own internal information security policies as well as timely adopting appropriate enhanced security measures in the face of known cyberattacks.
INTERNATIONAL LAWS & REGULATION
- China’s Data Security Law Has Taken Effect: China’s Data Security Law (“DSL”) came into effect September 1, 2021. The DSL regulates data processing activities (e.g., collection, storage, use, processing, transmission, provision, and disclosure of data) within China, as well as outside of China to the extent such data processing activities would be detrimental to China’s national security or public interest or the lawful rights and interests of any Chinese citizen or organization. “Data” under the DSL covers any record of information, whether in electronic or other format. The DSL classifies data based on its importance to national security, the economy, and the public interest and on the level of harm that could result from a data security incident, and directs that a protection/security standard be established for each data class. The DSL also requires data processors to implement and maintain a data security management system (including an emergency response system for data security incidents), and expressly prohibits providing any data stored in China to law enforcement authorities or judicial bodies outside of China without prior Chinese government approval. Violations of the DSL can result in suspension of the business, revocation of the business license, fines of up to RMB 10 million (approximately $1.56 million USD), and potential criminal penalties.
- China Passes Personal Information Protection Law: In addition to the DSL, on August 20, 2021, China passed the Personal Information Protection Law (“PIPL”). The PIPL applies both to data processing activities within China and to activities outside of China where the processing is for the purpose of providing products or services to China residents, analyzing or assessing the behavior of China residents, or other purposes to be specified by law or regulation. The PIPL shares a number of similarities with the EU’s GDPR. Like the GDPR, the PIPL provides China residents the rights to access and copy, correct, delete, object to, and restrict the processing of personal information. However, the PIPL provides more limited legal bases for the processing of personal information, with much greater emphasis on notice and consent. As a result, companies subject to the PIPL may need to build appropriate consent mechanisms into their operations. The PIPL also affects cross-border transfers, permitting the transfer of, or access to, China residents’ personal information outside of China only if certain obligations are satisfied, including providing notice and obtaining the resident’s consent, which could make it more difficult for companies to export the personal data of Chinese consumers. Violations of the PIPL may result in corrective actions, warnings, confiscation of illegal income, suspension of services, or fines of up to RMB 50 million or five percent of an organization’s annual revenue for the prior financial year. The PIPL will come into effect November 1, 2021.
- ICO Launches Consultation on Data Transfers: On August 11, 2021, the UK’s Information Commissioner’s Office (“ICO”) launched a public consultation on its draft international data transfer agreement and guidance, which will replace the UK’s current Standard Contractual Clauses (“SCCs”) as a mechanism for transfers of personal data to countries not recognized by the UK as providing an equivalent level of protection for personal data. The consultation is split into three sections, offering a selection of proposals and options to consider: 1) proposals and plans for updates to guidance on international transfers; 2) transfer risk assessments; and 3) the international data transfer agreement. The consultation period will end on October 7, 2021. The consultation follows the European Commission’s release of new SCCs that came into effect on June 27, 2021, which are not applicable to the UK following Brexit. The ICO has previously released guidance explicitly stating that the EU’s new SCCs are not valid for transfers of personal data outside of the UK.
- Canadian Privacy Commissioner Updates Guidance Regarding Sensitive Information: On August 13, 2021, the Office of the Privacy Commissioner of Canada (“OPC”) issued several updated guidance documents relating to personal information generally considered sensitive under the Canadian federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). The updated guidance documents state that health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious and philosophical beliefs are generally considered sensitive under PIPEDA and require a higher degree of protection. The updated guidance seeks to assist in the European Commission’s comparison of PIPEDA against the GDPR in its review of its adequacy decision regarding Canadian privacy legislation, which is currently underway. Companies should pay attention to the scope of sensitive personal information established by the OPC guidance as PIPEDA requires companies to use higher safeguards to protect such data and mandates stricter consent requirements relating to the use of such personal information.
- Swiss Data Protection Authority Approves Use of EU Standard Clauses: The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) announced on August 27, 2021, that it has recognized the new standard contractual clauses (“SCCs”) adopted by the European Union (“EU”) in June as a valid transfer mechanism for Swiss personal data. The FDPIC announcement includes guidance explaining what adjustments need to be made to the SCCs to facilitate use for the transfer of Swiss personal data, including specifying the competent supervisory authority, applicable law and jurisdiction for claims under the SCCs, and adjustments for references to GDPR for use cases involving either only Swiss personal data or a mix of personal data subject to Swiss law and the GDPR. The FDPIC is providing a transition period to implement the new SCCs. Old data transfer contracts will no longer be available for use on or after September 27, 2021, and organizations will have until January 1, 2023, to replace old data transfer contracts with the new SCCs or an alternative transfer mechanism.
Save the Date
Live CLE Webinar
Tuesday, September 21, 2021 • 1:00–2:00 p.m. ET • 10:00–11:00 a.m. PT
Please contact Courtney Litman via e-mail with any questions.
Recent Publications & Media Coverage
- Sharon Klein Named “2021 Legal Visionary” (L.A. Times B2B Publishing)
- Herd Immunity Can Strengthen Cybersecurity (L.A. Times B2B Publishing Business of Law Magazine)
- Rebuffing Biometric Privacy Class Actions with Preemption Challenges (Bloomberg Law)
- A Potential Trend in the Making? Utah Becomes the Second State to Enact Data Breach Safe Harbor Law Incentivizing Companies to Maintain Robust Data Protection Programs (ABA TIPS Cybersecurity & Data Privacy Committee Newsletter)
- How to Comply with BIPA’s Security Requirement to Mitigate Class Action Liability Exposure (Pratt’s Privacy & Cybersecurity Law Report)