Three Key Requirements Imposed by Colorado’s New Consumer Data Privacy Statute

Be careful what you ask for (and maintain) about Colorado residents…especially if you don’t have the proper data security policies in place. On September 1, 2018, Colorado’s new privacy law, HB 18-1128, goes into effect, imposing new requirements on any business or government entity that maintains, owns, or licenses personal identifying information about Colorado residents.

The new law imposes three key requirements on businesses subject to the rule:

  1. Reasonable security procedures and practices must be implemented that are proportionate to the nature of the personal identifying information maintained and the nature and size of the business’s operations.
  2. Written policies for the destruction and proper disposal of paper and electronic documents containing personal identifying information must be developed.
  3. Breach notification procedures must be followed, including adhering to a 30-day time period by which notification must be completed.

Businesses that do not already have written data disposal and security policies should act quickly to ensure that they are compliant with the nuances of the new law.

Colorado’s breach notification requirement imposes a more aggressive requirement for notifying affected residents than the requirements under the Health Insurance Portability and Accountability Act (HIPAA) and virtually any other U.S. state. A business must provide written notification containing certain information to affected residents in the most expedient time possible and without unreasonable delay, but not later than 30 days after the point in time when there is sufficient evidence to conclude that a security breach has occurred. For breaches believed to have affected 500 residents or more, businesses must also notify the Colorado Attorney General; for breaches believed to have affected 1000 residents or more, they must also notify certain consumer reporting agencies.

Reflective of the shift towards providing consumers with more control over their personal information, the bill is codified under the Colorado Consumer Protection Act (CCPA) and potentially creates a private right of recourse against businesses that misuse a resident’s information. CCPA causes of action oftentimes include assertion of a right to triple damages and reasonable attorneys’ fees. Additionally, the Colorado Attorney General may bring civil, or in some cases criminal, actions for violation of the law.

The frequently unforgiving nature of the civil monetary penalties imposed by the HHS Office for Civil Rights (OCR) for HIPAA violations should serve as a caution. Not only is there great risk of exposure for unprepared or noncompliant businesses facing enforcement by state and federal regulatory agencies; now more than ever, individual or class action liability seems to be on the horizon. Last, but not least, businesses never envision themselves as “the ones” making headlines about their data breaches…until it happens…and it happens quickly.

What if I already comply with other state or federal privacy laws?

The new law indicates that businesses already regulated by other state or federal law are in compliance if adhering to such regulator’s procedures for the protection and disposal of personal identifying information. If the business operates in interstate, international and/or online commerce involving Colorado residents, however, a thorough review of policies and procedures is recommended to ensure that various applicable laws are reconciled.

Recommendations:

Businesses subject to the privacy law should take the following steps, at a minimum, to ensure that they are prepared to comply.

  1. Entities should know and map the flow of data both internally and outside of their business, whether in paper or electronic format. Inventories of hardware and other electronic portable devices where electronic media is stored should be routinely tracked.
  2. Employees must be routinely trained in policies. Handbooks should be updated and whether to require nondisclosure and confidentiality agreements assessed. Appropriate protocols for the destruction and disposal of personal identifying information must be implemented for current and departing employees.
  3. Third-party service vendors should be identified and communicated with regularly to obtain assurances of compliance. Contractual documents should memorialize vendors’ obligations.
  4. Businesses, including HIPAA covered entities, should rework their data breach policies and ensure that third-party vendor agreements or business associate agreements reflect Colorado’s more stringent breach notification timeline of 30 days.

Conclusion:

There is no uniform mechanism for determining how best to implement the necessary measures. Legal counsel specializing in data privacy and security law are instrumental resources when ensuring that adequate measures are taken to navigate compliance with state and federal laws, especially in today’s rapidly changing environment.

Trial and Error: VPN Continues to Disappoint

The last time I wrote I said I would be trying Nord VPN to see how well it worked to allow me to access bank and office email when traveling. Today, I’ll tell you why I gave up using it. This may tell you more about me, however, than about Nord VPN. My primary reason for using a VPN was to be able to access bank sites from hotel rooms. (I’d hate to think the stock market fell and I couldn’t sweat the details that evening!)

I found it too difficult to use such sites after I logged in. Many times, my fix was to turn the VPN on to log in, then turn it off to download transactions into my financial software. Some banks regard the use of a VPN as a red flag for fraud, particularly if you appear to be logging in from a foreign country.

(I haven’t found that myself).

I looked on the internet to see what I could do and was disheartened by the complexity of it all.

Maybe I am spoiled by the ease of using an iPhone but I was hoping this would work without having to troubleshoot settings.

Bottom line: VPNs do not appear to be a ready and easy way to safely use unprotected Wi-Fi connections. Your cellular phone connection is safe.

(I sure hope so.)

If you can’t use your laptop via cellular, you can use your phone to change your password, use the laptop on the unsecured network, then use the phone to change the password back.

(Or am I missing some other problem?)

California’s Mini-GDPR? The Newly-Enacted California Consumer Privacy Act of 2018

On June 28, 2018, California passed the so-called California Consumer Privacy Act of 2018 (“CCPA”), changing the landscape of privacy laws and compliance for many years to come. The new law gives Californians more control over the information businesses collect on them, and imposes new requirements and prohibitions on businesses. Non-compliance with and violations of the CCPA will also expose businesses to penalties and, because the CCPA provides for a private right of action, the risk of private lawsuits.

Effective Date:

The new law (full text available here) goes into effect on January 1, 2020.

Potential Liability:

The CCPA is similar to Europe’s General Data Protection Regulation (“GDPR”), which went into effect on May 25, 2018. Much like the GDPR, the cost of noncompliance can be staggering. The CCPA imposes penalties of $750 per consumer per incident (e.g., $750,000 for an incident involving 1,000 consumers) or actual damages, whichever is greater.

As for penalties assessed against businesses, the highest amount is $7,500 per violation, notwithstanding penalties under California’s Unfair Business Practices Act. While at first the penalties and damages under the CCPA may seem minimal, they can add up to enormous amounts, depending on the number of violations, number of consumers, and the amount of actual damages.

What is “Personal Information”?

The CCPA derives from the California Constitution’s inalienable right of privacy. The Legislature reasoned that Californians’ ability “to control the use, including the sale, of their personal information” is fundamental to protecting their right of privacy. For purposes of the CCPA, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” such as name, internet protocol (IP) address, email address, postal address, driver’s license number, social security number, and passport information. Publicly available information (i.e., information lawfully made available by federal, state, or local government records) is expressly excluded from the CCPA’s definition of “personal information.”

What “Businesses” Are Covered?

The CCPA broadly applies to “businesses” that operate for-profit and (1) have an annual gross revenue of more than $25 million, (2) buy, receive, or share for commercial purposes, or sell, the personal information of 50,000 or more consumers, households, or devices, or (3) derive 50% or more of their annual revenue from selling consumers’ personal information. The CCPA also applies to entities that share common branding with a qualifying “business” and that control or are controlled by that business.

Summary of Consumer Rights, and Business Requirements and Prohibitions:

The following table highlights the CCPA’s most important consumer rights, as well as business requirements and prohibitions.

CCPA Consumer Rights, with the corresponding CCPA Business Requirements and Prohibitions:

  1. Consumer right: Consumers may request that a business disclose (a) the categories and specific pieces of personal information that it collects about the consumers; (b) the categories of sources from which that information is collected; (c) the business purposes for collecting or selling the information; and (d) the categories of third parties with which the information is shared.
     Business requirement: Businesses are required to make disclosures about the information they collect and the purpose for which it is used.
  2. Consumer right: Consumers may request that a business selling consumers’ personal information, or disclosing it for business purposes, disclose (a) the categories of information it collects, and (b) the categories of information and the identity of third parties to which the information was sold or disclosed.
     Business requirement: Businesses are required to provide this information in response to a verifiable consumer request.
  3. Consumer right: Consumers may opt out of the sale of personal information by a business.
     Business prohibition: Businesses are prohibited from discriminating against a consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to the value provided by the consumer’s data. However, businesses may offer financial incentives for collection of personal information.
  4. Business prohibition: Businesses are prohibited from selling the personal information of a consumer under the age of 16, unless affirmatively authorized (known as “the right to opt in”).

The CCPA is considered one of the toughest data privacy laws in the United States and will dramatically impact how businesses handle data. A more detailed analysis of the CCPA, and how it may impact our clients will be published shortly. To be included on our distribution list, please contact Susan Orona. In the meantime, to get more information about the CCPA, including assistance on updating your processes to comply in advance of the January 1, 2020, effective date, please contact Andy Castricone, Craig Mariam or Christina Vander Werf.

What’s ‘Hot’ in GDPR this Week

Here’s a quick Friday afternoon post on five noteworthy developments the first week after GDPR go-live:

  • Surprising no one, Google figured out a way to monetize the GDPR through compliant ads https://tinyurl.com/y9xzxrhs
  • And just as unsurprisingly, Max Schrems figured out a way to monetize Google (and others) by suing for billions under the GDPR https://tinyurl.com/yazdrbg4
  • Japan took one step closer to getting an adequacy decision. We all knew this would progress post-GDPR; what’s surprising is how fast (keep an eye on the PPC rulemaking) https://tinyurl.com/JapanEUadequacy.
  • Both the US Department of Commerce and the US Chamber of Commerce are picking fights with the European Commission over GDPR’s extra-territoriality and unintended consequences, among other things https://tinyurl.com/yb7kw8xl and https://tinyurl.com/y8vxqeg4
  • But one US Senator apparently thinks Commerce and the Chamber are getting it wrong and introduced a resolution to prove it https://tinyurl.com/y9xawr9c

GDPR Go-Live: The End of the Beginning

Today is May 25th. Unless you’ve been living in a cave without a hotspot for the last year, you know that means today is the go-live date for Europe’s new General Data Protection Regulation or “GDPR.” With its controversial extraterritorial reach, the GDPR has been causing much commotion around the world and along with that commotion, a whole lot of breathless hyperbole in the popular and professional trade media.

We haven’t done much writing on any of it in this space because, well, we’ve been busy doing GDPR preparedness work for our clients. And lots of it! (Article 28 anyone?) But the occasion of the go-live date has given us a brief respite, so here’s a quick run down on what’s going to happen now that the law is finally in effect, and what to do if you’ve, well, done nothing so far.

What’s going to happen on May 26th?

We can say for certain that the sun is going to rise, the earth is going to rotate on its axis and life will go on. There’s been so much myth and hype about the GDPR that it seems worth pointing all that out. More importantly, it’s also worth pointing out that you’re not going to wake up tomorrow morning with the equivalent of a subpoena from an EU member-state data protection regulator in your mailbox. To date, more than half the EU member states have not adopted the GDPR into national law (which doesn’t affect its validity, but does raise questions about enforcement), and in a recent survey of most of the relevant regulators, about two-thirds said they won’t be ready to start enforcement activities any time soon. Among those regulators who do feel ready, most have stated publicly that there will be few fines in 2018 unless something is very wrong.

So come dawn tomorrow, things will feel an awful lot like any other Saturday. If your company’s been doing its GDPR homework for the last years/months, that will be especially true. If not, then keep reading….

We haven’t done anything to prepare. Now what?

You have some work to do and soon. That said, we’re calling for clients newly discovering GDPR to act with thoughtful urgency, not panic.

The first thing you’ll need to do is determine whether you’re subject to the GDPR. There are two ways that can happen: direct and indirect. If it meets the requirements for being a data “controller” or “joint controller” that is “established” in the EU, your company is directly covered. If it does not meet those requirements, but does meet the requirements of a data “processor,” your company will be indirectly covered.

How Do We Know If We’re A “Controller” Who’s “Established” In the EU?

The language of the GDPR can make this a difficult question to answer, particularly with regard to the “established” element. There are, however, a few obvious tests. For instance, if you answer “yes” to any of the following questions you are likely directly covered:

  • do you have a physical presence in the EU?
  • do you have employees or paid contractors in the EU?
  • do you sell products that are designed to meet EU market requirements (220 volt products are a simple example)?
  • are any of your sales and marketing activities purposefully directed at the EU market? Some examples of being purposefully directed include if you:
    • have distributors/resellers in the EU
    • accept Euros or member state currency
    • have translated your website, brochures, product manuals or other collateral or documentation into member state languages
  • do you monitor the behavior of customers based in the EU? Some examples of what it means to “monitor behavior” include:
    • use of technologies to track EU website users
    • using predictive analytics to anticipate buying patterns
    • operating affinity or loyalty programs in the EU

It Looks Like We Are a Controller Established in the EU. Are we in Trouble?

Based on what the regulators are saying about enforcement, as long as well-planned steps are taken to immediately start a compliance program, your company will probably be ok in the very near-term. Below is a brief, simplified list of what you’ll need to accomplish for GDPR compliance:

  • identify and assess risks by personal data types
  • identify who you share personal data with and where it’s stored
  • determine which of the six GDPR-permitted reasons you are relying on to possess personal data
  • update public privacy policies and internal adverse event policies and procedures, especially regarding response and notification
  • be able to respond to requests from people whose personal data you hold (such as providing copies or erasing their data)
  • review/amend your vendor agreements and remediate any gaps between existing terms and those GDPR requires

We are not Directly Covered. How do we Determine if we are Indirectly Covered?

This analysis is a bit easier than the direct coverage analysis, but there are still many variations and nuances. The easiest way to determine whether your company is indirectly covered is if you collect (via the phone, internet etc.) personal data (which, be forewarned, is very broadly defined under the GDPR) from your customers’ employees, clients, etc. You will also be indirectly covered as a processor if all of the following are true:

  • your customers collect, for themselves or for their own upstream customers, personal data from employees, consumers or others in the EU,

then

  • send all or part of that personal data (again, broadly defined) to your company no matter where it’s located including in the United States,

and

  • you “process” it on behalf of that customer, noting that “processing” is also very broadly defined to include recording, organizing, structuring, storing, transmitting, adapting and the like.

We Are Indirectly Covered, What Do We Need To Do?

As with companies who newly discover they are directly covered, if you’re indirectly covered it’s time for thoughtful urgency, but not panic. As an indirectly covered entity, your company’s GDPR obligations will come in the form of so-called “flow-downs” from the obligations that directly covered entities have with respect to their vendors, agents, and sometimes even their affiliates, known under GDPR as “processors.”

Directly covered entities do have a small degree of latitude in determining which obligations to flow down and how to do so, based on the nature and types of work you do for them. At a minimum, however, a directly covered entity will require you to enter into a written contract, or if you already have one, add an addendum, under which the directly covered entity “instructs” you in what elements of their personal data you can process and the scope of your authorization to do so.

You also should expect directly covered entities to impose most of the following obligations on you (at least some of which you may be able to satisfy if you are ISO 27001 certified or receive unqualified SOC 2, Type 2 reports):

  • restrict you from subcontracting without their consent
  • require you to obtain confidentiality commitments from employees who are directly involved with the “processing” for that covered entity
  • implement data security safeguards to protect their personal data (which may include encryption)
  • assist them in meeting their own GDPR obligations to provide data subjects with access to their data and the right to have it deleted

Some processors choose to be proactive and send their own form of Data Protection Agreement or GDPR policy statement to their customers. This can be a viable strategy, but should be assessed on a case-by-case basis.

Marking a Facebook Post “Private” is No Shield from Disclosure in New York State

By now, most litigators are aware of the potential gold mine that an opposing party’s social media account can contain. The trick is getting the other side to give it up. One common tactic for the party trying to prevent disclosure is to claim that certain material is private and therefore protected from discovery. Well, now litigators in New York State can combat this argument, thanks to the state high court’s decision in Forman v. Henkin, 2018 NY Slip Op 01015, 2018 N.Y. Lexis 180 (Feb. 13, 2018), which held that making a Facebook post “private” does not give it any special protection under the liberal principles applicable to the discovery process. The court also provided guidance for how to apply those principles to social media accounts, which can prove very useful for litigators in the future. Click here to read the full article.

The United States Indicts Members of One of the Largest Cyber-Fraud Organizations

Thirty-six individuals from across the globe were indicted by a Las Vegas, Nevada grand jury this past Wednesday, February 7, 2018, for their alleged roles in a cyber-criminal enterprise known as the Infraud Organization (short for “In Fraud We Trust”), one of the longest-running “one-stop shops for cybercriminals worldwide.”

Infraud was an online community engaged in the large-scale acquisition, sale, and dissemination of stolen identities, debit and credit cards, personally identifiable information, financial and banking information; computer malware; and other contraband. The United States Justice Department alleges that Infraud caused more than $530 million in actual losses, and had intended to cause more than $2.2 billion in losses. Among the stolen items were HSBC bank logins, PayPal logins and credentials, and credit card numbers. Infraud also provided escrow services to facilitate its members’ illicit transactions and employed screening protocols to ensure that its vendors were of “high quality.”

As of March 2017, the organization’s forums hosted 10,901 member accounts. The website has since been taken down and replaced with a seizure notice.

Infraud founder Svyatoslav Bondarenko of Ukraine allegedly went missing in 2015, and has yet to be apprehended. Co-founder Sergey Medvedev, also of Ukraine, allegedly took over Bondarenko’s role as administrator in 2015 when Bondarenko went missing; Medvedev was apprehended earlier this month in Thailand while on holiday. Four other alleged, higher-ranking members of the organization still remain at large.

Overall, at least thirteen of the thirty-six defendants have been apprehended, including all five defendants from the United States: Frederick Thomas of Alabama; John Telusma of Brooklyn, New York; Jose Gamboa of Los Angeles, California; David Jonathan Vargas of San Diego, California; and Pius Sushil Wilson of Flushing, New York. Allegedly, Thomas, Telusma, Gamboa, and Vargas were vendors who sold illicit products and services to the organization’s members, while Wilson was allegedly a “VIP member” of the organization who purchased compromised credit cards and repeatedly solicited sales of more compromised credit cards. Others who were apprehended abroad are awaiting extradition.

While it may be unlikely that the shutdown of Infraud will significantly curb cyber-fraud crimes in the future, it has disrupted one of the largest cyber-fraud organizations, and may potentially lead to other “busts” should the multi-national law enforcement agencies involved here track other Infraud members as they flee to different communities.

Although this news may be encouraging to all potential victims of cyber-fraud, consumers and businesses should still remain vigilant about protecting themselves from cybercrime.

The U.S. Department of Justice news release is located here: https://www.justice.gov/opa/pr/thirty-six-defendants-indicted-alleged-roles-transnational-criminal-organization-responsible

Beware the Pitfalls of Public WiFi

Public WiFi networks may seem harmless, as users connect to them every day in coffee shops, airports, bars and other places. But most users do not realize the extent to which their personal information, passwords, logins and other sensitive data are left exposed when connecting to an unsafe public WiFi network. While not all such connections are dangerous, you can never be confident that your information is secure when you use one. Thus, for example, as tempting as it might be, you should not access your financial accounts or make credit card purchases over public WiFi. That is, unless you use a VPN (virtual private network).

VPN (virtual private network) service providers can create secure connections between the user’s device and the Internet, whether the user is connected at home, at the office or on public WiFi. Because encrypted Internet traffic is difficult to crack, a VPN can make using public WiFi considerably safer.

Note that I said that a VPN “can” create a secure connection and “can” make using public WiFi safer. That is because not all do. Many use outdated technology that can be readily hacked. Thus, a 2015 study reported that 11 of 14 commercial VPNs were vulnerable to hacking.1

So what is one to do? If you try to research VPN providers you soon run into a salad of acronyms that are likely only understood by those who already know what to do about Internet security. For example, you would learn that a secure VPN must protect IPv6, as well as IPv4 and that “all desktop VPN clients tested, except for Private Internet Access, Mullvad and VyprVPN, leak the entirety of IPv6 traffic.”2 See what I mean?

I failed at trying to understand the technology. But I found an easy answer in a current article in PC Magazine.3 This article rated several VPN providers favorably. I’m giving one a try and will let you know how it goes next time.

_______________________________________________________________________

1 V.C. Perta, M.V. Barbera, G. Tyson, H. Haddadi, and A. Mei, A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients, Proc. Privacy Enhancing Tech., 2015 (1): 77–91 (available online at http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf).
2 Id. at 81.
3 The Best VPN Services of 2017, PC Magazine (Nov. 27, 2017) (available online at https://www.pcmag.com/article2/0,2817,2403388,00.asp).
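The IPv6 leak that the footnoted study describes is something you can check for yourself from the routing table. The following is an added example, not code from this post or from any VPN vendor: it parses Linux `ip route` / `ip -6 route` output, does a longest-prefix match (so it also understands the 0.0.0.0/1 + 128.0.0.0/1 override many clients install instead of replacing the default route), and reports whether an IPv6 destination would leave through a non-tunnel interface. The tunnel interface names (tun*, tap*, wg*, ppp*) and every routing table below are constructed assumptions.

```python
"""Check whether IPv6 traffic would bypass a VPN tunnel, from Linux routing tables.

Added example, not code from the original post or any VPN product.  Assumes
Linux `ip route` / `ip -6 route` output and tunnel interfaces named tun*/tap*/
wg*/ppp*; all routing tables below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")            # assumed VPN interface names
BLOCK_TYPES = ("unreachable", "blackhole", "prohibit")   # route types that drop traffic


@dataclass
class Route:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    dev: Optional[str]   # None for blackhole routes, which carry no device
    metric: int
    blocked: bool        # True when the kernel drops instead of forwarding


def parse_routes(table: str, version: int) -> list[Route]:
    """Parse one address family's `ip route` output into Route records."""
    routes = []
    for line in table.splitlines():
        fields = line.split()
        if not fields:
            continue
        blocked = fields[0] in BLOCK_TYPES
        dst = fields[1] if blocked else fields[0]
        if dst == "default":
            dst = "0.0.0.0/0" if version == 4 else "::/0"
        network = ipaddress.ip_network(dst, strict=False)
        if network.version != version:
            continue
        dev_m = re.search(r"\bdev\s+(\S+)", line)
        metric_m = re.search(r"\bmetric\s+(\d+)", line)
        routes.append(Route(network, dev_m.group(1) if dev_m else None,
                            int(metric_m.group(1)) if metric_m else 0, blocked))
    return routes


def egress_device(routes: list[Route], probe: str) -> Optional[str]:
    """Longest-prefix match (lower metric breaks ties) for one destination.

    Returns the outgoing interface, or None if no route matches or the winning
    route drops the packet.  Matching against the whole table, not just the
    "default" line, is what makes the /1 override trick visible.
    """
    addr = ipaddress.ip_address(probe)
    best = None
    for route in routes:
        if route.network.version != addr.version or addr not in route.network:
            continue
        key = (route.network.prefixlen, -route.metric)
        if best is None or key > best[0]:
            best = (key, route)
    if best is None or best[1].blocked:
        return None
    return best[1].dev


def is_tunnel(dev: Optional[str]) -> bool:
    return dev is not None and dev.startswith(TUNNEL_PREFIXES)


def leak_report(v4_table: str, v6_table: str,
                probe4: str = "198.51.100.10",     # constructed public addresses
                probe6: str = "2001:db8:1::10") -> dict:
    """IPv6 leaks when IPv4 exits via the tunnel but IPv6 exits elsewhere."""
    dev4 = egress_device(parse_routes(v4_table, 4), probe4)
    dev6 = egress_device(parse_routes(v6_table, 6), probe6)
    return {"ipv4_egress": dev4, "ipv6_egress": dev6,
            "ipv4_tunneled": is_tunnel(dev4),
            "ipv6_leak": is_tunnel(dev4) and dev6 is not None and not is_tunnel(dev6)}


# Constructed IPv4 table: the /1 override sends traffic out tun0 even though
# the DHCP default route via wlan0 is still present.
V4_TABLE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
# Constructed IPv6 table the VPN client never touched: the router-advertised
# default still wins, so IPv6 traffic leaves over the public WiFi in the clear.
V6_LEAKY = """\
2001:db8:abcd::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 600
default via fe80::1 dev wlan0 proto ra metric 600
"""
# A client that routes IPv6 through the tunnel (lower metric wins the tie) ...
V6_TUNNELED = V6_LEAKY + "default dev tun0 metric 50\n"
# ... and one that cannot carry IPv6 but blocks it rather than leaking it.
V6_BLOCKED = V6_LEAKY + "unreachable default dev lo metric 1\n"

if __name__ == "__main__":
    for name, table in (("leaky", V6_LEAKY), ("tunneled", V6_TUNNELED), ("blocked", V6_BLOCKED)):
        print(name, leak_report(V4_TABLE, table))
```

On a live Linux machine, feed the output of `ip route` and `ip -6 route` to `leak_report` while the VPN is connected; a result of `ipv6_leak: True` means the client has the same flaw the study reported.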

The Internet of Pills: The FDA’s Approval of Digital Smart Pills Takes the Internet of Things to New Levels

If your insurance company knew that you did not take your medication as prescribed, could it deny future coverage? Could your physician refuse to continue to treat you? What if your medication was an anti-psychotic; could you be terminated from your employment? Could you be ordered to take it as a condition of parole? What other rights could be impacted?

These 1984-type questions are being asked today because the Food and Drug Administration has approved a “smart pill” – i.e., a pill embedded with a digital sensor that records when, whether and in what amount you have taken your prescription medicine – for Abilify MyCite, a medicine for the treatment of schizophrenia and related disorders, which can include paranoia and delusions.

Proponents of digital medicine claim it will improve overall public health, especially for the forgetful among us. They point out that many patients with these types of conditions do not take their medication regularly, with severe consequences.

Opponents warn that the new data-collecting pills can create an environment that coerces patients into taking medicine they would otherwise not want to take. As quoted in the N.Y. Times, Dr. Paul Appelbaum, director of law, ethics and psychiatry at Columbia University’s psychiatric department, warns that “[m]any of those patients don’t take meds because they don’t like side effects, or don’t think they have an illness, or because they become paranoid about the doctor or the doctor’s intentions.” He wonders why a drug treating these particular symptoms was chosen as the starting point for this new data gathering tool.

The medicinal, legal, and practical ramifications of this “Internet of Pills” will be played out in the courts, in doctors’ offices and in many unanticipated ways over the next several years.

All Eyes on Equifax

As news around the world has reported, the Equifax data breach from mid-May through July resulted in the exposure of sensitive personal information of more than 143 million American consumers. Although this may not be the largest data breach ever, it has been regarded as one of the most significant breaches because of the sensitive information at risk: social security numbers, drivers’ license numbers, addresses, and more.

The Federal Trade Commission (FTC) confirmed this month that it is “actively investigating” the data breach due to the “intense public interest and potential impact” of the breach. The breach is also being investigated by the Department of Justice, Consumer Financial Protection Bureau, and the Securities and Exchange Commission. The investigations were the result of action by multiple senators and legislative committees highlighting the severity of the breach and the deficiencies of Equifax’s response, as well as threats by several states to bring suit against Equifax.

Senator Mark Warner (D-Va.) sent a detailed letter to the acting head of the FTC calling for the investigation, and calling for the agency to scrutinize Equifax for the security lapses and its poor handling of customer service after the breach was disclosed. Specifically, Sen. Warner has stated: “The hack was awful but then [Equifax’s] response to the hack continued to show [Equifax’s] incompetence. This should be a new impetus to move.”

The investigations are expected to involve the alleged errors by Equifax leading up to the breach and in handling the breach. In addition to the company’s alleged cyber vulnerabilities which led to the breach, the investigations will also include potential insider trading by Equifax executives more than a month before the breach was made public and ambiguous language in Equifax’s Terms of Service, purporting to waive a consumer’s right to sue the service.

Most importantly, the FTC’s investigation of the Equifax breach could provide momentum for Congress to act on federal data privacy legislation. Although this legislation has been long pushed for by advocates and elected officials, the efforts have proved unsuccessful in recent years. Sen. Mark Warner has stated that he is working on efforts to pass a data breach notification law requiring companies to notify customers about a breach within a certain narrow time frame. Given the scope of the breach, and Equifax’s response, this may be the final straw to prompt a definitive reaction from Washington.