Things You Should Know Leading Up to World Data Privacy Day 2020
January 22 - January 28, 2020
What's on the Horizon? How US Federal and State Governments are Expanding Data Privacy Laws in the Wake of GDPR.
January 28, 2020
The passage of the California Consumer Privacy Act (CCPA), which was preceded by the EU’s General Data Protection Regulation (GDPR), triggered a national conversation among members of the US federal and state governments regarding the status of their respective data privacy laws. As such, there has been a flurry of legislation considered across the nation, some of which has recently been enacted into law.
Numerous states are following California’s lead and developing ambitious data privacy laws. Nevada and Maine have both passed data privacy legislation with effective dates of October 1, 2019 and July 1, 2020, respectively. Hawaii, Illinois, Maryland, Massachusetts, New Mexico, Pennsylvania, Rhode Island, and Texas have considered or are currently considering legislation modeled after the CCPA. Washington is considering modeling its legislation after the GDPR. New York is considering four bills that would vastly expand data privacy protections.
Congress is acting too. The 2019-2020 session alone introduced 26 bills that address data privacy protection. These bills range from comprehensive data privacy legislation (the Digital Accountability and Transparency to Advance Privacy “DATA” Act), to regulating facial recognition technologies (the Commercial Facial Recognition Privacy Act), to tracking personal information (the Mind Your Own Business Act). While most of these bills are not expected to progress, at least anytime soon, Congress continues to express bipartisan support for general data privacy protections.
It is all but certain that data privacy legislation will continue to be proposed and enacted here in the US and abroad, expanding the data privacy rights of individuals.
For more information regarding these new laws and how to prepare your business for compliance, contact Fred Price, Elizabeth Morgan, or any one of our attorneys in the Cybersecurity and Data Privacy Practice Group.
NY SHIELD Act – Are Your Policies in Place?
January 27, 2020
Taking effect March 21, 2020, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) imposes several potentially onerous compliance requirements on businesses operating in (and even some outside of) New York. These requirements are grouped into three categories: technical, administrative, and physical safeguards.
Within each category of “safeguard,” an organization that is not considered a “Small Business”¹ is required to develop, implement, and maintain a data security program that includes policies for training employees, periodic technical monitoring of the company’s computer systems and networks (e.g., penetration testing, vulnerability scans, etc.), and data retention/destruction practices.
While many organizations falling outside of the Act’s definition of “Small Business” may already have a data security program in place that includes employee training and computer vulnerability analyses, it is entirely possible these organizations have not established a data retention policy. So, what is a reasonable data retention policy? The Act requires organizations to “dispose of private information within a reasonable amount of time after it is no longer needed for business purposes . . . .”
Maintaining former employee records for five years after employment ceases is considered “best practice” in New York, but is not necessarily required by law. Is following what is considered a “best practice” reasonable under SHIELD? Probably, but a definitive answer is not available now, and will not be until this particular issue is contested. Another measure of what is reasonable may be attached to payroll audit requirements. For example, if a company is obligated to retain payroll information for potential auditing by the Department of Labor (for six years in New York), is it reasonable to build a document retention policy that provides for deletion of electronic payroll information every six years? We expect the answer is yes, but again, without clear guidance from the state attorney general’s office, there is no bright-line rule for what is acceptably reasonable under SHIELD.
These questions invite another line of inquiry related to customer data. How long can a company retain customer information after a sale of items is complete? What if you expect return customers? Is it reasonable to retain such information for one year? Two years? Five years? What if customers are members of a loyalty program? Probably one year is okay, but beyond that it is safer to build a data retention policy around deleting customer electronic data within a year of its last use.
¹ The SHIELD Act defines a “Small Business” as “any person or business with (i) fewer than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.” Small Businesses comply by developing a data security program with “reasonable” safeguards that are appropriate for the size and complexity of the Small Business, the nature and scope of the business’s activity, and the sensitivity of the data collected.
The CLOUD Act: Where International Data Privacy and Law Enforcement Collide
January 27, 2020
By: Kristin Warner
The Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), a United States federal law, will be celebrating its two-year anniversary on March 23, 2020. It was effectively, and primarily, an amendment to the Stored Communications Act (SCA) of 1986. This amendment allows US federal law enforcement to compel US-based technology companies to provide requested data following receipt of a valid subpoena or warrant, regardless of whether the requested data is stored on servers located within the United States or on foreign soil. This Act also allows certain foreign governments to enter into new bilateral agreements with the US that will prequalify them to make foreign law-enforcement requests directly to US service providers rather than via the US government under a mutual legal assistance treaty (MLAT).
The CLOUD Act was proposed after Microsoft refused to provide emails that a US citizen had stored on one of its remote servers in Ireland, after being issued a warrant under the SCA by the Federal Bureau of Investigation. This refusal led to a legal challenge that made its way to the United States Supreme Court, with Microsoft arguing that the SCA did not cover data outside of the United States and that the FBI could request assistance under an MLAT to aid in such data discovery. Microsoft, at the time, was correct in that the SCA was enacted long before cloud-based storage became a viable technology, and MLATs were the norm for cross-border data discovery. While the case was pending at the Supreme Court, the CLOUD Act was passed, which rendered the case moot and vacated the lower appellate court’s (Second Circuit) decision, which had held in favor of Microsoft.
More recently, the United States and the United Kingdom entered into the world’s first ever CLOUD Act Agreement, entitled the US-UK Bilateral Data Access Agreement. This Agreement will allow law enforcement agencies of both countries to demand electronic data directly from tech companies based in the other respective country. Proper authorization is required but this will, in the words of Attorney General William Barr, “enhance the ability of the United States and the United Kingdom to fight serious crime – including terrorism, transnational organized crime, and child exploitation – by allowing more efficient and effective access to data needed for quick-moving investigations.” It is anticipated that this agreement will dramatically accelerate investigations by allowing quicker access to data than the procedures currently in place, which can take months and sometimes even years for access to be granted.
So, doesn’t the CLOUD Act undermine the GDPR? This question, as of today, remains unanswered, though there are proponents on both sides of the argument. At first glance, neither the CLOUD Act nor the GDPR changes the fundamental legal considerations for cross-border data transfers when the recipient is a US law enforcement authority. However, the language of the GDPR itself may pose a problem. Article 48 of the GDPR addresses disclosures required by non-EU jurisdictions. This Article references treaties, such as MLATs, as the optimal vehicle for law enforcement requests for data involving EU data controllers or processors. Some critics of the CLOUD Act cite this Article as being absolute, in that treaties are the only acceptable vehicle, and that complying with requests under the CLOUD Act could place a company in violation of the GDPR. Others contend that Article 48’s affinity for treaties is merely a preference, and that its language that the use of treaties is “without prejudice to other grounds for transfer,” combined with Article 49(e)’s definition of “other grounds” as transfers “necessary for important reasons of public interest” as well as transfers “necessary for the establishment, exercise or defence of legal claims,” leaves open the possibility that a warrant issued under the CLOUD Act would not necessarily, and certainly would not automatically or presumptively, be a violation of the GDPR. As these issues have yet to be challenged, only time will tell whether the CLOUD Act and the GDPR can coexist harmoniously.
Beyond the Border: GDPR and Other Privacy Considerations in Domestic M&A Transactions
January 24, 2020
By: Kate Chmielowiec and Amber L. Lawyer
Data privacy should be a top concern for US businesses that may enter into merger and acquisition transactions this year. If your business collects, processes, stores, or transfers identifiable information relating to individuals (“Personal Data”) or if your business contracts with vendors that may collect, process, store, or transfer any Personal Data, your business is likely subject to several new data privacy laws and regulations including the European Union’s General Data Protection Regulation (GDPR) and/or the California Consumer Privacy Act (CCPA).
The following are questions that: (1) Sellers of domestic companies can expect to hear from potential Buyers during the sale transaction process and (2) Buyers should be asking Sellers during due diligence:
- Does your business collect or process Personal Data of persons located in the EU or California?
- Does your business use cloud storage to store employee or customer Personal Data?
- Does your business transfer Personal Data to other entities?
- Is your website accessible to users in the EU or California?
- Does your business process any sensitive data?
- What security measures has your business taken to ensure adequate data protection?
- What steps has your business taken to comply with domestic and foreign data privacy laws?
The GDPR, CCPA, and other data protection laws including the New York SHIELD Act can have a significant impact on both cross-border transactions as well as domestic transactions. These privacy laws may impact various parts of a transaction, including:
- The structure of the deal as a stock sale or an asset sale;
- The due diligence process;
- The representations and warranties that a Seller is being asked to make and on which Buyer relies;
- Indemnification and escrow holdbacks; and
- Purchase price adjustments.
Domestic Sellers that are considering selling their businesses should expect questions from potential Buyers regarding the Personal Data that the Seller collects, processes, and stores and its lawful basis for doing so under applicable data protection laws. Sellers are likely to receive requests for information regarding compliance with applicable data protection laws and may be required to disclose any security incidents.
Sellers who are not in compliance with applicable data protection laws jeopardize the value of their businesses and risk fines and penalties from enforcement agencies. Sellers need to be wary of how they represent and warrant compliance with applicable data protection laws, because a misrepresentation may result in breach of contract actions and associated litigation costs. Buyers will need to factor in the costs of remedying compliance issues after the closing, the risk of an enforcement action, and potential litigation based on a claim of non-compliance when considering the risks associated with a deal. This is likely to affect the purchase price of a deal and may require post-closing indemnification or an escrow holdback.
What does this mean for your business? Businesses that collect Personal Data should become compliant with all applicable data protection laws as soon as possible. Businesses that are considering entering into a transaction this year should be concerned about data privacy and should take the aforementioned information into consideration before entering into any deal.
Bond’s Mergers and Acquisitions and Cybersecurity and Data Privacy teams work together on asset purchases, stock purchases, and mergers across various industries to assist Buyers and Sellers with: (1) selling a business and developing compliance measures prior to the sale to limit exposure during the sale process; and (2) buying a business and performing diligence to confirm the extent of the target company’s compliance with applicable data protection laws.
For more information regarding data privacy compliance for M&A transactions, contact Kate Chmielowiec, Amber L. Lawyer or any one of our attorneys in our Mergers and Acquisition or Cybersecurity and Data Privacy Practice Groups.
The GDPR is New but the GLBA Continues to Endure.
January 23, 2020
By: Dori K. Bailey
The General Data Protection Regulation (GDPR) is a privacy law issued by the European Union with far reaching effects, but the Gramm-Leach-Bliley Act (GLBA) continues to provide privacy requirements for financial institutions, including commercial banks, savings banks, credit unions and other businesses that engage in activities that are financial in nature.
The rules implementing the GLBA prohibit a financial institution from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party unless certain notice and opt out requirements are met. Nonpublic personal information includes personally identifiable financial information of a consumer, such as information on a loan application and account balance information. Certain exceptions may also apply.
Our Financial Institutions Regulatory Practice provides comprehensive and customized legal, regulatory and business advice to our financial institution clients. We have the resources and substantial experience to advise our clients through the labyrinth of complex and extensive laws and regulations applicable to financial institutions, including the GDPR and the GLBA. We are committed to assisting every financial institution client with our coordinated and responsive approach to client needs.
HIPAA Compliance: How to Protect Patient Information Inside Your Organization
January 23, 2020
Healthcare organizations continue to be a premier target in cyber-attacks and data breaches. Also concerning is the frequency at which cyber intrusion originates within an organization.
A common type of internal incident occurs when there is an inadvertent disclosure by an employee (e.g., sending information to the wrong patient). This can result from carelessness, a lack of proper training, or a failure to implement adequate procedures to mitigate this risk.
A rising and more significant risk involves employees accessing information for which there is no justifiable reason (i.e., snooping through patient records). As a reminder, patient information should only be accessed by individuals who need the information to conduct their regular job functions. Even then, an employee should only access the minimum information necessary to complete their job functions. Allowing employees unfettered access to patient information creates a grave risk that accidental or intentional unauthorized access or disclosure of patient information could occur, which may expose the organization to significant liability.
While it may be difficult for an organization to limit the information accessed by employees, an organization must act reasonably in its efforts to comply with HIPAA. This can be accomplished through annual training of employees, consistent and periodic monitoring and auditing of access and disclosure of information, as well as pen testing, mock-phishing exercises and other vulnerability assessments. Further, organizations should develop disciplinary procedures for handling unauthorized access to patient information and advise all employees accordingly.
The most effective way to achieve compliance is through continued education and monitoring. All healthcare organizations should provide necessary training of employees, implement policies for the handling of information as well as the resulting disciplinary procedures, and develop procedures to regularly audit and monitor the information that is being used within the organization to determine if there has been any inappropriate access or disclosures.
If you have any questions regarding this memo, or any other healthcare related matter, please contact Samuel P. Burgess, Jessica L. Copeland or one of our attorneys in the Cybersecurity and Data Privacy Practice Group.
New Privacy Rights for Consumers: What Businesses Need to Know About the California Consumer Privacy Act
January 22, 2020
In June of 2018 the California Consumer Privacy Act (the “CCPA”) was signed into law. Passed on the heels of the European General Data Protection Regulation, the CCPA vastly expands the data privacy rights of California residents. The CCPA became effective on January 1, 2020. The overriding purpose of the CCPA is to provide California’s consumers greater control over their personal information, promote transparency in businesses’ data practices, and safeguard against the misuse of consumer data. In furthering these goals, the CCPA provides privacy rights for consumers and imposes reciprocal obligations on businesses. As such, businesses collecting the data of California consumers may need to comply with the CCPA.
Businesses subject to the CCPA include for-profit entities that: (i) have annual gross revenues exceeding $25 million; or (ii) buy, sell, share, or receive the personal information of at least 50,000 consumers, households, and/or devices per year; or (iii) derive 50% or more of their annual revenues from selling consumers’ personal information. Importantly, the CCPA defines “consumer” to include California residents only.
In an effort to provide consumers a greater degree of control over their personal information, the CCPA allows consumers to:
- request that a business disclose what personal information is collected, from what sources, for what purpose, and to whom that information is given;
- request that a business delete personal information unless retaining such information is necessary for a business purpose (e.g., completing a transaction or maintaining an ongoing business relationship); and
- “opt-out” of having their information shared, sold, or collected at any point.
A corollary of these consumer rights is that businesses must be prepared to meet consumer demands for disclosures and be equipped to handle requests for deletion or opt-out. The CCPA mandates significant changes for affected businesses. Businesses need to develop internal procedures for handling consumer requests and to modify privacy policies and websites to meet new CCPA obligations. Although certain one-year exemptions may temporarily reduce the burden of compliance for some businesses (see our latest post regarding these exemptions), these exemptions are limited in both scope and time. Any business subject to the CCPA is, therefore, encouraged to promptly take appropriate compliance steps.
Affected businesses were expected to be compliant as of January 1, 2020. Though enforcement actions may not be brought until July 1, 2020, the Attorney General of California may review a business’s compliance with CCPA as of January 1 when assessing penalties for violations of the law. As such, there is limited time for businesses subject to the mandates of the CCPA to remedy any compliance issues.
For more information regarding the CCPA and compliance efforts businesses should be taking, contact Amber Lawyer, Hannah Redmond, or any one of our attorneys in the Cybersecurity and Data Privacy Practice Group.