January’s Privacy Blizzard

Eversheds Sutherland (US) LLP

As predicted, the start of 2019 provided scant respite from the frenetic pace of privacy and cybersecurity developments during 2018. This past month alone, in a blizzard of activity, regulators amended regulations and enforced substantial fines under existing regulations; courts issued significant interpretations of current law; and legislatures proposed new laws aimed at increasing privacy obligations and potential liability. The common theme is that from all corners—hackers, regulators, legislators and plaintiffs—the burden on companies to protect sensitive information is only growing, as are the obligations on companies to provide greater transparency and greater rights to customers and employees on their data collection and sharing practices.

This Alert highlights the most pressing cybersecurity and data privacy updates from the month of January, including the French fine on Google; the US federal court decisions rejecting the Yahoo! data breach settlement and largely granting CareFirst’s motion to dismiss; the Illinois Supreme Court’s decision allowing a class action alleging technical violations of a biometric statute to go forward; Massachusetts’ revised breach law; the National Futures Association’s revised cybersecurity guidance; and Washington State’s introduction of a General Data Protection Regulation (GDPR)-like privacy bill.

Google Faces First Major Fine Under the GDPR and a US Judge Rejects Yahoo! Settlement

The CNIL, France’s data protection regulator, opened 2019 with a bang by handing down a $57 million fine against Google, by far the largest penalty issued under the GDPR thus far. Previous fines under the law had not crossed the $1 million mark. The CNIL found that Google violated the GDPR because the tech giant failed to provide enough information to consumers regarding its data collection practices and failed to obtain valid consent for personalized advertisements.

While Google plans on appealing the decision, the CNIL’s action reinforces some cautionary points. First, transparency and coherence are vital. For all companies, it will be important to ensure that privacy disclosures are aggregated in one place and are clear on what the company is doing with an individual’s data, how it is collecting and sharing that data, and how long it is retaining it, and that the privacy policy is presented in a way that is easy to read and readily accessible to the individual. US courts are also willing to take strong action against companies that they deem insufficiently transparent. This month, US District Court Judge Lucy Koh rejected a proposed $50 million settlement over Yahoo!’s data breach, citing in part the egregious nature of the company’s “history of nondisclosure and lack of transparency related to the data breaches.”

Returning to the GDPR, the emphasis on transparency can play out in privacy policies. For example, companies often create policies that make blanket declarations of their lawful bases for gathering personal data (e.g., “we collect your information on the bases of our legitimate interest and the necessity of fulfilling a contract”). That approach may not be sufficiently transparent, as opposed to listing the specific categories of data collected and stating the specific lawful bases.

This clarity theme is also relevant to consent. The Google decision emphasized the need for the individual to take a positive step to evidence consent (no opt-outs or implied consents), and for the consent to have clarity on what consent is actually being requested.

Second, the CNIL decision indicates that it will be important for those companies with EU establishments to make clear their “main establishment” in the EU. In addition, for this designation to be recognized, there needs to be decision making about the relevant data processing occurring in that location. If all the decision making still happens outside the EU, or in a different EU country, the supervisory authorities can take the view that it is not the main establishment and lead supervisory authority, and the company could therefore lose the benefit of the “one stop shop.” With many international groups having small presences in the EU—perhaps driven by tax considerations—and all the decision making still happening back at corporate HQ outside the EU, that will cause concern. The CNIL felt it could take its action because Google had not sufficiently established that Ireland was its main establishment for the particular processing concerned. This also raises the point that some organizations may have different main establishments for particular types of processing.

Third, this decision shows that regulators are willing to back up the GDPR with substantial fines. The Yahoo! decision also indicates the long-term costs of non-compliance. Put another way, if companies think the costs of compliance are expensive, regulators and courts are basically saying: try non-compliance.

US District Court Dismisses Vast Majority of Claims against CareFirst

US courts in January have shown that there are limits to private suits against companies that have suffered a breach. On January 29, DC District Court Judge Christopher R. Cooper, in the CareFirst class action, agreed with Eversheds Sutherland attorneys Matt Gatewood and Robert Owen when he dismissed the vast majority of claims against the health insurer. Judge Cooper originally dismissed the suit on constitutional standing grounds in 2016, but the US Court of Appeals for the DC Circuit reversed, ruling that the policyholders had “cleared the low bar to establish their standing at the pleading stage” by asserting there was a substantial risk that their stolen personal information could be used “for ill” purposes, such as identity theft, even though it had yet to be misused. The US Supreme Court declined to take the case. On remand, Judge Cooper held that while plaintiffs’ “alleged injuries may be enough to establish standing at the pleading stage of the case, they are largely insufficient to satisfy the ‘actual damages’ element of nine of their state-law causes of action.” Judge Cooper concluded that the Complaint’s allegations of future risk of identity theft, loss of the benefit of the bargain, prophylactic purchase of credit monitoring, and emotional distress were not enough to clear the requirement that actual damages be stated.

Illinois Supreme Court Finds that Plaintiffs Need Not Show Actual Harm in Biometrics Cases

In Illinois, January was to be plaintiffs’ month. In a unanimous decision on January 25, 2019, the Illinois Supreme Court found that a plaintiff need not show actual harm to seek relief under the state’s Biometric Information and Privacy Act (BIPA). Instead, the court held that a procedural harm is sufficient to bring forth a claim under the law. Eversheds Sutherland has analyzed the decision and its impact.

So many businesses are seeking to adopt biometrics across the spectrum of sectors, and they are doing so both for the consumer-facing part of their businesses and for their employees. Ironically, many are doing so to further protect data. However, biometrics are also being adopted in physical location access controls, time and performance management systems, and in myriad other ways to verify the ID of staff for purposes other than security. This use is becoming more challenging to adopt lawfully across a growing number of countries and not just where the jurisdictional reach of the GDPR comes into play. This case is interesting, not just as it pertains to BIPA, but also because it is not clear how Article 79 of the GDPR and its right to a judicial remedy for a breach will play out in the courts, alongside the Article 82 right to compensation.

Massachusetts Updates its Data Breach Notification Law

On January 10, Massachusetts Governor Charlie Baker signed a bill amending the state’s data breach notification requirement. Set to go into effect on April 11, 2019, the amendments will require:

  • Companies that suffer data breaches involving social security numbers to provide credit monitoring services for 18 months to affected consumers free of charge; this requirement is 42 months if the company that suffered the breach is a credit monitoring agency;
  • Post-breach notice sent to the Massachusetts Attorney General and the state’s Office of Consumer Affairs and Business Regulation (OCABR) to include whether the company has a written information security program in place and the type of information compromised; and
  • Corporations providing post-breach notification to consumers to identify any parent or affiliated corporations.

The newly amended law will also require the OCABR to post information about the breach on its website, including a copy of the notice sent to consumers regarding the breach and instructions on how consumers could get access to the notice sent to the OCABR and the state attorney general.

These amendments will make Massachusetts’ data breach notification law one of the most onerous in the country. Massachusetts will join California, Delaware and Connecticut as only the fourth state to require companies to provide credit monitoring services to consumers after a data breach. As seen in the past with data breach laws, other states may follow Massachusetts’ lead and pass laws that have similar or more stringent requirements. North Carolina’s Attorney General, for example, has proposed an amendment to the state’s data breach notification requirement that would expand the definition of a security breach to include ransomware attacks and require credit reporting agencies that suffer a data breach to provide five years of free credit monitoring to affected consumers.[1]

For the latest state and foreign breach jurisdiction requirements, please visit our app.

NFA Amends Interpretive Notice Regarding Cybersecurity Information Systems Security Programs

In addition to the numerous legislatures amending or considering amending their data breach notification requirements, the National Futures Association (NFA)—the self-regulatory organization for the US derivatives industry—recently amended its interpretive notice regarding cybersecurity. The amendments, set to go into effect on April 1, 2019, will update the current Information Systems Security Program (ISSP) requirements that NFA members have to comply with in three important ways. First, the amendments require members to provide cybersecurity training to employees at least annually and more frequently if warranted, in addition to training upon hiring as is currently required. The amendment also requires that NFA members identify specific topic areas that they will cover in their cybersecurity trainings.

Second, the amendment clarifies the appropriate officers that may approve the ISSPs. While currently the NFA member’s CEO, CTO or “other executive level official” has the authority to approve ISSPs, the amendment deletes the term “executive official” and replaces it with “senior level officer with primary responsibility for information security or other senior official who is a listed principal and has the authority to supervise the NFA Member’s execution of its ISSP.”

Finally, and perhaps most importantly, the amendment to the interpretive notice requires members to notify the NFA of a security incident in certain circumstances. Currently NFA members are not required to send incident reports to the NFA. But once the amendment goes into effect on April 1, 2019, if an NFA member (other than futures commission merchants for which the NFA is not the designated self-regulatory organization) suffers a cybersecurity incident that results in a loss of customer or counterparty funds, or a loss of a member firm’s capital, or if the member has to otherwise notify its customers or counterparties of a cybersecurity breach pursuant to state or federal law, then that member must also notify the NFA. The NFA plans on releasing subsequent guidelines regarding the manner in which members need to notify the NFA after a cybersecurity incident prior to the April 1 implementation date of the amendment.

Read more about the latest NFA amendment.

Washington State Proposes its own Version of the CCPA

With the California Attorney General currently hosting public hearings regarding rulemaking required under the California Consumer Privacy Act (CCPA), the state of Washington is considering similar comprehensive data privacy legislation. A bill has been introduced that mirrors the CCPA in many ways, which in turn mirrors the GDPR, and provides individual data privacy rights to consumers—such as the right to be notified that their personal information is being collected, the right to opt out of the sale of their personal information for marketing purposes, and the right to be forgotten.

Penalties under Washington’s bill would be capped at $7,500, like the CCPA, though the former is only enforceable by the state attorney general, while the CCPA also has a limited private right of action. The state legislature recently held a hearing on the bill. Should it gain traction and pass into law in its current form, it would go into effect on December 31, 2020.

While the Washington law may change significantly as it goes through the legislative process, and may not even pass, the message is nonetheless clear. More jurisdictions, both in the US and abroad, are continuing the trend sparked by Europe’s GDPR to require companies to provide enhanced transparency into their data collection, retention and sharing practices and to enhance the data privacy rights of individuals.

__________________

[1] https://ncdoj.gov/CMSPages/GetFile.aspx?nodeguid=89988b8d-2bbe-4854-bc7f-a77cfc4b38b2&lang=en-US.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
