Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice.
STATE & LOCAL LAWS & REGULATIONS
CPPA Publishes Notice of Proposed Rulemaking
On July 8, 2022, the California Privacy Protection Agency (“CPPA”) published a Notice of Proposed Rulemaking (“NPRM”), officially beginning the formal rulemaking process to adopt regulations implementing the California Privacy Rights Act (“CPRA”). The CPPA will hold public hearings on August 24 and 25, 2022, to take comments on the draft regulations that were published as part of, and approved during, the CPPA’s June 8 public board meeting. Written comments on the draft regulations must be submitted in advance of the public hearing, by August 23, 2022, at 5:00 p.m. The NPRM indicates that the CPPA will not be promulgating rules on cybersecurity audits or automated decision-making technology at this time. Separately, on July 20, 2022, the U.S. House of Representatives Committee on Energy and Commerce passed H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”) (as amended), by a vote of 53-2; the ADPPA next goes before the full House for a vote. Among the amendments the Committee approved is one that expressly authorizes the CPPA to enforce the ADPPA “in the same manner” the CPPA “would otherwise enforce the California Consumer Privacy Act.”
Florida Prohibits State Agencies and Local Governments from Paying Cyber Ransoms
Florida enacted HB 7055, amending Florida’s State Cybersecurity Act. HB 7055 requires state agencies and local governments to report ransomware incidents and certain other cybersecurity incidents to Florida’s Cybersecurity Operations Center (“CSOC”), the Cybercrime Office of the Florida Department of Law Enforcement, and the local sheriff no later than 12 hours after discovery for ransomware incidents and 48 hours after discovery for other cybersecurity incidents. HB 7055 further prohibits state agencies, counties, and municipalities from paying, or otherwise complying with, a ransom demand.
FEDERAL LAWS & REGULATIONS
American Data Privacy and Protection Act Advances to Full U.S. House Vote
The House Committee on Energy and Commerce voted to advance an amended ADPPA to the House floor. The Committee adopted amendments to the ADPPA that authorize the Federal Trade Commission (“FTC”) to regulate security requirements in consultation with the U.S. National Institute of Standards and Technology (“NIST”), exempt small employers from the requirement to designate a data protection officer, and exempt certain sharing of data in the context of health research. Proposed amendments by members of the California congressional delegation to wholly exempt state privacy laws such as the California Consumer Privacy Act and the California Privacy Rights Act were not included. This will be the first time a comprehensive federal privacy bill has been subject to a full chamber vote in either the House or the Senate. Despite the bill’s continued advancement in the House, it still appears to lack key support in the Senate.
California Agencies and Congressional Delegates Express Federal Privacy Bill Preemption Concerns
A number of California agencies and members of Congress issued letters and statements opposing preemption of California and other state privacy laws by the ADPPA and other proposed privacy legislation. The CPPA wrote a memo describing how it believes the ADPPA would weaken privacy protections for California residents, and held a special meeting to discuss possible action on proposed federal privacy legislation, including the ADPPA. California Attorney General Rob Bonta wrote a letter to Congress urging adoption of legislation that sets a floor rather than a ceiling for privacy rights. The attorneys general of Connecticut, Illinois, Maine, Massachusetts, Nevada, New Jersey, New Mexico, New York, and Washington joined Attorney General Bonta as signatories to the letter. Members of the California congressional delegation have also reportedly expressed concerns about preemption of California’s stringent privacy protections as the bill continues to move forward in the U.S. House of Representatives.
Senate Committee Advances Two Children’s Privacy Bills
The Senate Commerce Committee advanced two bills designed to enhance protections for children’s privacy online. The first bill, the Children and Teens’ Online Privacy Protection Act, would raise the age of children protected by the Children’s Online Privacy Protection Act (“COPPA”) from under 13 to under 16, prohibit targeted marketing to children under 16, and enhance access, correction, and erasure rights for children and parents. The second bill, the Kids Online Safety Act, would create a duty of care for social media platform providers, obligating them to act to prevent harm to minors.
FTC Issues Business Alert on Handling Location, Health and Other Sensitive Data
The FTC published a business alert on companies’ handling of sensitive data, focusing on location and health data. The alert stresses that the marketplace for consumers’ location and health data is “opaque” and that the combination of such information “creates a new frontier of potential harms to consumers,” especially with respect to reproductive health data. The alert cites an enforcement action brought by the Massachusetts Attorney General against a marketing company that used location technology to identify when people crossed a secret digital “fence” near a clinic offering abortion services and then sent targeted ads to their phones linking to websites with information about abortion alternatives. The alert reminds companies that: (1) sensitive data is protected by numerous federal and state laws (e.g., Section 5 of the FTC Act, the Safeguards Rule, the Health Breach Notification Rule, and the Children’s Online Privacy Protection Rule); (2) claims that data is “anonymous” or “has been anonymized” are often deceptive, because such information can frequently be re-identified; and (3) the FTC “cracks down” on companies that misuse consumers’ data, bringing enforcement actions against companies that over-collect, indefinitely retain, or misuse consumer data.
President Biden Issues Executive Order to Protect Reproductive Healthcare Services
In the wake of the Supreme Court’s Dobbs decision, President Biden issued an executive order intending in part to protect the privacy of patients’ reproductive health data. The executive order directs the U.S. Department of Health and Human Services (“HHS”) to consider actions under the Health Insurance Portability and Accountability Act (“HIPAA”) and other laws to strengthen protections for information related to reproductive healthcare services and bolster patient-provider confidentiality. The executive order also directs the Chair of the FTC to consider possible actions to address consumers’ privacy when seeking information about reproductive healthcare services.
Department of Defense Memorandum Highlights Cybersecurity Focus in Contracting
The U.S. Department of Defense (“DoD”) issued a memorandum to contracting officers detailing the remedies available to the government when federal contractors breach cybersecurity requirements. While the DoD’s Cybersecurity Maturity Model Certification program (“CMMC”) will be rolled out in 2023, the memorandum reminds contracting officers that contractors that receive controlled unclassified information remain subject to the existing requirement under current defense contracting regulations to provide adequate security for that information. The memorandum states that failure to comply with those requirements may be considered a material breach of contract, allowing the DoD to exercise remedies such as withholding progress payments, declining to exercise remaining contract options, or terminating the contract in whole or in part.
NIST Updates Healthcare Cybersecurity Guidance
NIST issued a new draft publication entitled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. The draft is intended to update guidance first published in 2008, before NIST developed its Cybersecurity Framework and the security and privacy controls in NIST Special Publication 800-53; the new guidance explicitly maps to those NIST resources. NIST is accepting comments on the draft until September 21, 2022.
National Credit Union Administration to Require Speedy Cyber Incident Reporting
The National Credit Union Administration (“NCUA”), the federal agency that supervises federal credit unions, published a proposed rule on cyber incident notification that would require credit unions to report any reportable cybersecurity incident to the NCUA within 72 hours. The proposed rule follows requirements adopted by the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency requiring institutions under those agencies’ jurisdiction to report certain security incidents within 36 hours. It also follows actions by other federal agencies, such as the Cybersecurity and Infrastructure Security Agency, the Transportation Security Administration, and the Securities and Exchange Commission, to create expedited incident notification requirements for critical infrastructure providers and public companies.
CFPB Issues Advisory for Protection of Personal Data
The Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion to ensure that companies that use and share credit reports and background reports have a permissible purpose (e.g., for credit, insurance, housing, or employment decisions) under the Fair Credit Reporting Act (“FCRA”). In particular, the advisory opinion makes clear that permissible purposes under the FCRA are consumer specific: a consumer reporting company may not provide a consumer report to a user unless it has reason to believe that all of the information in the report pertains to the consumer who is the subject of the user’s request. The advisory opinion also states that consumer reporting companies and users have specific obligations to protect the public’s data privacy, including not using name-only matching procedures, which can return information about other individuals for whom the user of the report has no permissible purpose. The advisory also reminds covered entities of potential criminal liability for certain misconduct.
Robinhood Financial Settles Account Hack Class Action Claims
Robinhood Financial LLC (“Robinhood”) settled a putative class action that accused Robinhood of failing to prevent unauthorized access to approximately 40,000 user accounts and related personal information. As part of the settlement, Robinhood agreed to pay up to $20 million to class members as compensation for certain out-of-pocket losses and for credit monitoring services. The proposed settlement would allow class members to claim certain out-of-pocket expenses of up to $260 each, subject to a $500,000 aggregate cap for the class; provide credit monitoring worth an estimated $19.5 million for class members; and require Robinhood to make certain cybersecurity improvements, including supplemental two-factor authentication, customer cybersecurity awareness campaigns, and screening for compromised passwords and proactively prompting affected users to update them, among other things.
Court Approves Plaid Settlement Relating to Alleged Unauthorized Sharing of Financial Data
New York Attorney General Settles Cybersecurity Enforcement Action with Supermarket Chain
The New York Attorney General announced a settlement of an enforcement action against Wegmans Food Markets, Inc. (“Wegmans”) stemming from allegations that Wegmans’ faulty configuration of cloud storage containers led to the exposure of the personal information of three million consumers. In April and May of 2021, Wegmans became aware that two of its cloud storage containers had been misconfigured since their creation in 2018 in a way that left them unsecured and publicly accessible. The storage containers held the email addresses, account passwords, mailing addresses, and data derived from drivers’ licenses of over three million customers. Wegmans began notifying customers in June 2021. The New York Attorney General alleged that Wegmans had violated the state’s data security laws by failing to appropriately configure its storage containers, inventory its cloud assets, secure user passwords, conduct regular security testing of its cloud assets, and maintain long-term logs for those assets. Under the settlement, Wegmans will pay a $400,000 penalty and implement new data security measures, including maintaining a comprehensive data security program and appropriate asset management practices, among other things.
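The failure at the center of the Wegmans matter was storage that had been world-readable from the day it was created, with no inventory or testing to catch it. As an added example that is not part of the newsletter and not material from Wegmans or the New York Attorney General, the following Python script flags bucket-policy statements that grant anonymous access. It assumes AWS S3-style JSON bucket policies (the page does not identify Wegmans’ cloud provider), and the three policies embedded in it are constructed samples, not any real configuration. A hypothetical audit job would feed it each bucket’s policy document from the provider’s API.

```python
"""Flag storage-bucket policy statements that grant anonymous (public) access.

Added example: assumes AWS S3-style JSON bucket policies. The three policy
documents below are constructed samples for illustration only.
"""
import json


def _as_list(value):
    """Policy JSON allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when the Principal element grants access to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        # {"AWS": "*"} (or a list containing "*") is equivalent to a bare "*"
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """Return (sid, actions, kind) for each Allow statement with an anonymous principal.

    kind is "unconditional" when nothing restricts the grant, or "conditional"
    when a Condition block is present. A condition may narrow access enough
    (e.g. to a VPC endpoint), but a human still has to read it.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            # Explicit Deny statements with Principal "*" are a hardening pattern, not a hole.
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        kind = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append((stmt.get("Sid", "<no sid>"), _as_list(stmt.get("Action")), kind))
    return findings


def worst_finding(policy_json):
    """Summarise a policy as PUBLIC (open to anyone), REVIEW (public but conditioned) or OK."""
    kinds = {kind for _, _, kind in public_statements(policy_json)}
    if "unconditional" in kinds:
        return "PUBLIC"
    if "conditional" in kinds:
        return "REVIEW"
    return "OK"


BUCKET = "arn:aws:s3:::example-customer-exports"  # constructed bucket name

# Constructed sample: the weak setting, readable and listable by anyone.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
})

# Constructed sample: the corrected setting. Access is limited to one IAM role,
# and a Deny with Principal "*" refuses plaintext HTTP for everyone.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExportReaderOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET, BUCKET + "/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed sample: anonymous but conditioned on a VPC endpoint; needs review, not an automatic fail.
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET + "/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY), ("vpc-only", VPC_ONLY_POLICY)]:
        print(f"{name:9s} {worst_finding(doc):7s} {public_statements(doc)}")
```

The check is deliberately policy-only: a bucket can also be exposed through ACLs or by an account-level public-access block being switched off, so an inventory job would run this alongside those checks, and against every bucket the provider lists rather than only the ones an application team remembers creating.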
Pennsylvania Attorney General Settles with Wawa for 2019 Data Breach
The Pennsylvania Attorney General (“PA AG”) announced an $8 million agreement with Wawa to resolve a December 2019 data breach that compromised approximately 34 million payment cards used across all Wawa stores. The PA AG, along with the New Jersey Attorney General, led a coalition of seven attorneys general in investigating the breach. In addition to the $8 million total payment to the states, Wawa must implement and maintain a series of data security practices designed to safeguard consumers’ personal information, including: maintaining a written comprehensive information security program with administrative, technical, and physical safeguards, which must be reviewed at least annually; providing appropriate security awareness and privacy training to all personnel with key responsibilities for implementing and overseeing the information security program; employing specific security safeguards for logging and monitoring, access controls, file integrity monitoring, firewalls, encryption, comprehensive risk assessments, penetration testing, intrusion detection, and vendor account management; and, consistent with previous state data breach settlements, undergoing a post-settlement information security assessment that will in part evaluate its implementation of the agreed-upon information security program.
HHS Announces Eleven Enforcement Actions
The Office for Civil Rights (“OCR”) at HHS announced the resolution of eleven investigations under its Health Insurance Portability and Accountability Act (“HIPAA”) Right of Access Initiative, bringing the total number of these enforcement actions to 38 since the initiative began. OCR created the initiative to support individuals’ right under the HIPAA Privacy Rule to timely access to their health records at a reasonable cost. The eleven enforcement actions, each for failing to comply with an individual’s request to access their medical records, resulted in civil penalties ranging from $3,500 to $240,000.
Department of Justice Ends Criminal Probe Over Uber 2016 Data Breach
The U.S. Department of Justice (“DoJ”) announced that it entered into a non-prosecution agreement with Uber Technologies, Inc. (“Uber”) stemming from a 2016 data breach affecting 57 million consumers. The DoJ stated that Uber accepted responsibility for failing to report the incident to the FTC even though the FTC was actively investigating Uber’s data security practices at the time. Uber settled an enforcement action relating to the breach with 50 state attorneys general for $148 million in 2018.
Massachusetts Attorney General Settles Data Breach Enforcement Action with Construction Staffing Company
The Massachusetts Attorney General’s office announced that it entered into a settlement with TradeSource, Inc. (“TradeSource”), a construction staffing company, relating to a breach that affected 3,000 Massachusetts residents. The breach resulted from a phishing attack that compromised a TradeSource employee’s credentials, allowing the attackers to access TradeSource systems and individuals’ personal data, including names and Social Security numbers. The Massachusetts Attorney General alleged that TradeSource violated Massachusetts data privacy and security laws by failing to have a written information security program in place prior to the breach. Under the settlement, TradeSource will pay $230,000 in penalties and continue to implement and maintain a written information security program in compliance with state law.
INTERNATIONAL LAWS & REGULATIONS
German DSK Publishes FAQ on Facebook Fan Pages
The Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz, or “DSK”) has published an FAQ on Facebook Fan Pages, stating that Fan Pages are problematic under the GDPR because Facebook processes users’ personal data for targeted advertising based on user profiles. In the FAQ, the DSK points to the June 5, 2018, decision in Case C-210/16 (“Wirtschaftsakademie”), in which the European Court of Justice (“ECJ”) held that Fan Page operators are joint controllers with Facebook for the processing of user data because of the “Insights” function (which provides Fan Page operators with an analysis of visitors to their pages), so that a joint controllership agreement is required. The DSK takes the view that the agreement currently offered by Facebook does not meet the requirements of Article 26 of the GDPR, and that cross-border transfers of personal data through Fan Pages raise additional issues. The FAQ further states that if the processing of personal data cannot be carried out lawfully, operating a Facebook Fan Page is unlawful and the page should be deactivated immediately. According to the FAQ, public bodies are currently the priority for enforcement.
Chinese Regulator Releases Draft Standard Contract for Cross-Border Transfer of Personal Data
The Cyberspace Administration of China (“CAC”) released draft provisions for a standard contract for cross-border transfers of personal data for public comment. The draft provisions implement Article 38 of China’s Personal Information Protection Law, which allows a government-approved standard contract to serve as a lawful data transfer mechanism. The draft provisions require the data exporter to file the standard contract with the CAC, together with a personal information protection impact assessment that must be completed before the personal data is transferred. Use of the draft standard contract is limited to data exporters that process the personal data of fewer than 1 million individuals, transfer the personal data of fewer than 100,000 individuals in a year, transfer the sensitive personal data of fewer than 10,000 individuals in a year, and are not deemed critical information infrastructure operators. The CAC set a deadline of July 29, 2022, for comments.
Chinese Authorities Fine DiDi Ride Hailing Service for Cybersecurity Violations
The CAC fined DiDi Global Inc. (“DiDi”) eight billion yuan (approximately $1.2 billion) for violations of China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law. The CAC alleged that DiDi illegally and excessively collected personal information, such as screenshots from users’ phone photo albums, facial recognition data, precise geolocation, and age and other demographic information, and gave inaccurate and unclear explanations of its data handling, among other things. The CAC also alleged that DiDi refused to carry out regulatory requirements and evaded supervision.