California Legislative Update: Prop 24

Apparently there’s some stuff going on with a couple of guys named Joe and Don that’s got everyone distracted for some reason. The cool kids know, however, that the most important thing to happen last night was the passage of Prop 24 in California which means the CCPA is old news and the CPRA is the new game in town.

You read that right. Having just (mostly) figured out what the implementing regulations should be for CCPA, a massive new privacy law that’s only been in effect since January, California voters said, “Eh, know what? Let’s do it all over again.”

We’ll let you get back to clicking around about this Joe and Don thing, but here’s a quick run-down of what the new CPRA adds to the CCPA:

  • specific third-party oversight responsibilities, similar to GDPR;
  • requirements for annual audits and regular risk assessments for certain businesses;
  • requirements when doing “profiling” that are in-line with the GDPR:
  • an entirely new enforcement authority the California Privacy Protection Agency;
  • an expanded private right of action to cover beaches of account access credentials;
  • increased penalties for mishandling of children’s data;
  • a consumer right to correct data; and
  • more specific data retention disclosures

We’ll have more in-depth analysis and thoughts on readiness programs to come in the near future.

California Legislative Update

Just a quick legislative update from everyone’s favorite US privacy jurisdiction, California. Governor Newsom:

Signed AB 1281 – That Act extends the B2B and HR data exemptions under CCPA for another year. This is very good news.

Vetoed AB 1138 – That Act would have given CA a state analog to COPPA and required, among other things, parental consent prior to kids under 13 using social media. In his veto message found here, Newsom said he based his decision on the same reasons many of us lawyers and privacy professionals had been criticizing AB 1138, which is that COPPA already robustly occupies the field and the FTC has an excellent track record of enforcement. A state law analog would have added nothing more than regulatory burden and cost amidst the already challenging pandemic economy.

Proposed Bill to Establish Security Standards for IoT Devices Used by Government Officials Passes House

 

For many, being able to securely connect, access, and move data across multiple devices is an integral aspect of everyday life. Some of our nation’s lawmakers are wanting to ensure that the internet connected devices that they use have the same established cybersecurity standards that the public has come to expect in the private sector. Lawmakers got one step closer to making that a reality this week.

The U.S. House of Representatives passed the Internet of Things (IoT) Cybersecurity Improvement Act, known as House Bill 1668, earlier this week, which seeks to establish security standards for the federal purchases of internet-connected devices and the private sector groups providing such devices.

Currently, there is no national standard to ensure the security of internet-connected devices purchased by the federal government. Under the proposed law, these internet-connected devices, which would include computers, mobile devices and other devices that have the ability to connect to the internet, would now have to comply with minimum security recommendations issued by the National Institute of Standards and Technology (NIST). The bill does not lay out what those standards should be; rather, it tasks the Office of Management and Budget to oversee that adopted IoT cybersecurity standards are in line with minimum information security requirements.

Devices covered under the bill

The bill would not only cover computers and smart phones used by federal government officials. The legislation defines a covered device to include a physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and has computer processing capabilities of collecting, sending or receiving data. It would not include personal cell phones or personal computers. It also exempts devices that are necessary for “national security” or “research purposes”.

Obligations on the private sector under bill

The bill would require contractors and their subcontractors that provide covered devices to the federal government to notify government agencies of any security vulnerabilities. While security standards are being considered, private sector providers, contractors and subcontractors can look to Standards 29147 and 30111 in the International Standards Organization for guidance since bill drafters explicitly cited to them in the Act. There’s a process for companies to challenge whether their devices are covered under the bill as well.

Cyberthreat on IoT

The Mirai botnet attack in 2016 served as the drive for the Bill’s sponsors. Recall that the Mirai botnet attack left millions in the East Coast, among other locations, without access to many popular websites for a few hours in late October of 2016. The attack blocked unsecured internet connected devices from accessing popular websites such as Twitter, Netflix and the New York Times in order to carry out a cyber attack.

While Mirai primarily impacted internet connected computers, for many, including the IoT Cybersecurity Improvement Act sponsors, the Mirai attack showed just how debilitating a cyber attack can have on a heavily connected internet life, and the havoc attackers can create on unsecured internet connectable devices and the lives that depend on their functionality. Internet connected devices, or IoT devices, are devices which can be controlled or accessed using the internet, including everything from webcams to baby monitors to gaming consoles. It includes any exercise tracker or a programmable lock to your home. According to some estimates, there will be close to 75 billion IoT connected devices by 2025. The IoT Cybersecurity Improvement Act would work toward ensuring the government’s IoT connected devices containing the nation’s top data information are secure.

Up next for the bill

The IoT Cybersecurity Improvement Act heads next to the Senate floor, after passing unanimously by the House.

Up next for you

Gordon & Rees will keep an eye on cutting-edge developments in this space. We can expect similar regulations in the private sector with various guiding authorities, such as NIST, providing similar recommendations.

SCHREMS II – IT’S DÉJÀ VU ALL OVER AGAIN

The more things change, the more they stay the same. On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its decision in the so called “Schrems II” case. If you need some background on the case, you can find our original blog post on the case here.  

The two main takeaways of the Schrems II decision are:

  1. 1. The CJEU invalidated the EU-US Privacy Shield framework.
  1. 2. The CJEU reaffirmed the validity of standard contractual clauses (“SCCs”).

While the validity of SCCs were upheld, and remain a viable transfer mechanism, the CJEU holding requires businesses utilizing SCCs to analyze whether the destination country provides an adequate level of data protection.  Where the country doesn’t, the business must provide additional safeguards or suspend the transfer. Similarly, EU data protection authorities must suspend or prohibit a transfer of personal data to a third country if the data protection authority has determined that SCCs cannot be complied with in the third country and data protection cannot be ensured. 

Recall that the Privacy Shield worked together in a closely integrated manner with the GDPR. It was not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (we’ll leave unexplained for now in the interest of brevity), the Privacy Shield had served as what is known as a “partial adequacy decision” falling under GDPR Article 45. In short then, what the CJEU has done in the Schrems II case is take the Privacy Shield, a proven, centralized system for regulatory oversight and enforcement on both sides of EEA-US data transfer equation, and replace it with a system of self-policing by transferors and ad hoc decision making by local EEA authorities.  

That’s all likely to work out about as well as it did in 2015 when the EU-US Safe Harbor was invalidated in the Schrems I case. Back then, data transfers continued (and even increased), through a two year period of ambiguity, confusion and almost complete non-enforcement until the Privacy Shield went into effect to fill the void left by the CJEU’s invalidation of the Safe Harbor.  

So what does all this mean for US businesses who had relied on the Privacy Shield?  Not much over at least the next week or two, and likely longer.  Contracting counter-parties in the EEA, rather than regulators, will be the most likely source of pressure to adopt the SCCs.  The U.S. Department of Commerce, for instance, issued a statement in response to the Schrems II decision informing US businesses that it intends to continue to operate for the time being as if the Privacy Shield remains in effect and, as such, the CJEU decision does not relieve participating businesses of their Privacy Shield obligations. 

If US and EU negotiators can’t work together to fix this soon, companies will need to start looking at alternative to the Privacy Shield such as SCCs, binding corporate rules or the derogations under GDPR Article 49.  Regardless of what happens as a result of Schrems II, US businesses that remember and practice our recurring mantra about applying the Pareto Principle to their data security and privacy compliance obligations will get through this fine. So if you haven’t already:

  • adopt a risk-based technical and administrative data protection program,
  • take the time to actually implement that program (“saying” it is one thing, “doing it” is another)
  • tell your employees and customers what you’re doing with the data you collect about them and why,
  • give your employees and customers some degree of access to, and autonomy over, that data,
  • keep a close eye on third parties (including vendors) with whom you share that data, and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

Learn more and contact the Gordon & Rees Privacy, Data & Cybersecurity practice group here.

The Third Annual Review on the U.S.-EU Privacy Shield Notes the U.S. Is Doing Well, Are You?

On October 23, 2019, the European Commission published a report on its third annual review of the Privacy Shield. The results are generally positive with no immediate risk to the Privacy Shield’s existence (as a regulatory matter) for at least another year. While you can read the full report here, the following serves as a brief summary, which will be reviewed in more detail in the weeks to come.

Recall that the Privacy Shield works together in a closely integrated manner with the GDPR. It is not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (we’ll leave unexplained for now in the interest of brevity), the Privacy Shield serves as what is known as a “partial adequacy decision” falling under Article 45 of the GDPR.

Per the US-EU bilateral agreement that resulted in the Privacy Shield, it is subject to annual review by the relevant authority in the EU. If the review goes badly, it would be an existential threat to the Privacy Shield. Thankfully, that did not happen. It is important to note that, this report is, of course, unrelated to the Schrems II case (which we posted on here) and its anticipated follow-on cases which are likely to judicially challenge the Privacy Shield.

Since there’s a lot of confusion, even amongst some practitioners, about what the Privacy Shield is and how it fits in with GDPR, we always feel it’s a good idea to give a reminder whenever we post on the Privacy Shield. So here goes:

Under the Privacy Shield, U.S.-based companies who self-certify can lawfully receive GDPR-governed personal data from companies based in the European Economic Area. Equally as important, Privacy Shield also signals to the marketplace that your company has what we refer to at the end of this post as the “Pareto Principle” of data security and privacy policies – procedures and programs in place that are not only required by GDPR, but are fairly universal across global regulatory regimes. As a result, Privacy Shield self-certification is definitely a plus, but it is not fatal to your company’s ability to receive personal data from the EEA. If you aren’t Privacy Shield self-certified, it just means you can’t rely on GDPR Article 45 to receive personal data.

Instead, you have to look to GDPR Article 46. That Article enumerates a handful of mechanisms that also can be used to lawfully receive EEA personal data transfers. They range from the so-called Standard Contractual Clauses (which are currently under attack in Schrems II) to a costly and complex mechanism called Binding Corporate Rules.

The key take away from today’s report is this: For the third year in a row, Privacy Shield has proven its viability. Becoming Privacy Shield self-certified is worth considering if your business requires regular receipt of GDPR-governed data. It also has some independent value beyond EEA transfers insofar as it shows your company’s security and privacy practices have at least some minimum level of maturity. As we all know and preach, it is essential in today’s global privacy evolution to ensure the development, implementation and continued monitoring and improvement of sound data security and privacy policies and practices.

Should you have any questions before our more detailed post is published, please contact Rich Green for more information.

Seventh Circuit Limits FTC’s Monetary Restitution Powers

The ability of the Federal Trade Commission (“FTC”) to obtain monetary restitution for consumers just took a major loss from the Seventh Circuit Court of Appeals. This federal appellate court ruled that Section 13(b) of the FTC Act only provides that the FTC can obtain restraining orders and injunctions but it does not state that the FTC can obtain equitable monetary relief for consumers, including but not limited to ex parte asset freezes to e-commerce merchants’ banking accounts. Prior to this decision, it was implied that the FTC could obtain monetary restitution relief for consumers from Section 13(b) of the FTC Act.

In this case (FTC vs Credit Bureau Center), the FTC showed the court that an e-commerce credit bureau retailer deceived consumers into enrolling in its service by posting misleading statements about receiving a “free” credit report (when in fact in was not free), and thereby deceptively leading consumers into purchasing recurring monthly credit monitoring service. The federal district court held that this e-commerce retailer had violated the FTC Act and other consumer protection laws, entered summary judgment in favor of the FTC, and ordered the e-commerce retailer to pay equitable monetary relief to consumers. This decision was appealed to the Seventh Circuit Court of Appeals who affirmed the FTC’s power to obtain restraining order and injunctions, but specifically ruled that since Section 13(b) of the FTC Act does not state that the FTC can obtain monetary restitution for consumers, the FTC cannot do so under Section 13(b).

This is a huge decision because under its current practices, the FTC may no longer be able to rely on Section 13(b) of the FTC Act to obtain monetary restitution for consumers arising from false and misleading statements, and deceptive acts or practices, e.g., ROSCA violations and data breaches. This decision by the Seventh Circuit (jurisdiction over the federal district courts in Illinois, Indiana and Wisconsin) is the first federal court of appeals decision to limit the FTC’s ability to obtain monetary restitution for consumers under Section 13(b) of the FTC Act, creating a circuit split among the federal appellate courts.

Given the huge impact that this federal appellate opinion has on the FTC’s monetary restitution powers, it is foreseeable that this decision will be appealed to the US Supreme Court, who will ultimately determine the FTC’s powers under Section 13(b) of the FTC Act. If the Supreme Court agrees with the Seventh Circuit, then the FTC’s ability to obtain monetary restitution under Section 13(b) will be impacted severely.

In the interim, expect the FTC to seek monetary restitution for consumers under other provisions of the FTC Act (e.g., Sections 5(m)(1)(B) and 19) and other statutes that the FTC administers and enforces.

For guidance through the legal and regulatory compliance land mines of FTC Compliance, ROSCA and data breaches, do not hesitate to contact Mark Ishman, a member of Gordon Rees’ Advertising and E-Commerce and Privacy, Data & Cybersecurity Practice Groups.

How Many Schrems Does It Take to Stop a Data Transfer?

The so-called “Schrems II” case was heard earlier this week. It’s impossible to give this topic the treatment it deserves in a single blog post. So for now, here’s a quick FAQ:

What’s this case about?

Collecting personal data from the European Economic Area (aka, the “EEA”) and transferring to other countries is restricted by law. It can be done, but companies have to use certain statutorily prescribed mechanisms. Those, more or less, have been the rules of the game since at least 1995 continuing through today under the new GDPR which you’ve probably heard a lot about.

The prescribed mechanisms have varied over the years, but one constant has been what are known as “Standard Contractual Clauses” or “SCCs.” SCCs are a set of data protection contract terms that have been pre-approved by the EU data protection regulators. In the “old days” (by which we mean the mid- to late 1990s) they were called “model clauses.”

If each of the EEA- and US-based counterparties to a data transfer transaction agree to bind themselves to the SCCs, then an otherwise prohibited transfer becomes permissible.

In simplest terms, the Schrems II case is trying to stop companies from being able to do that. The plaintiff’s claim is that the SCCs are not valid under EU law because they fail to provide adequate levels of protection for personal data.

Why do they call it Schrems II?

Schrems is the surname of an EU qualified attorney and political and privacy activist. He and the ecosystems of activist organizations around him are serial plaintiffs. This is their second (and definitely not final) attack on EU-US data transfers.

Back under the old 1995 law, one way to conduct a permitted personal data transfer was to use the EU-US Safe Harbor Framework. If a company took a couple of (pretty minimal) steps and signed up with the US Department of Commerce to be part of the Safe Harbor, it could receive personal data from the EEA.

Spurred on by the intelligence agency surveillance scandals that occurred during the Obama administration, Schrems, then a law student, brought a series of cases trying to invalidate the EU-US Safe Harbor. After a few procedural losses and a bit of forum shopping, he finally succeeded in 2015. That case became instantly known as “Schrems I” because Schrems and his supporters were already preparing their challenge to the SCCs. And, again, that’s exactly what’s happening now under Schrems II.

Didn’t the EU-US Privacy Shield replace the Safe Harbor

Yes. A detailed analysis of the Privacy Shield (and its all-important relationship to the GDPR) is beyond the scope of this post, so here’s the summary version:

The Privacy Shield is considered a “partial adequacy decision” under GDPR Article 45. As such, it allows companies to collect/transfer EEA personal data to the US as long as the US-based recipient company is Privacy Shield self-certified.

But this case isn’t about the Privacy Shield (at least not nominally—more on that in a minute) or even GDPR Article 45. As stated in the prior two FAQs, this case is about one of the other prescribed mechanisms, the long-standing SCCs which have been in existence for nearly 25 years and today fall under the aegis of GDPR Article 46.

That said, while we’re still waiting on our own confirmation, it’s being reported by reliable news sources that, in open court this past Tuesday, Schrems’ lawyers asked the court to also invalidate the EU-US Privacy Shield—despite not having actually pled or argued for it previously (in fact there is an entirely separate case for that) and despite the fact that it derives from a statutory mechanism (GDPR 45) that is separate and distinct from the SCCs (which, again, are GDPR 46).

What happens if the European Court of Justice invalidates the SCCs

Déjà vu all over again. Things will very likely look pretty much the same as they did in 2015 when the Schrems I court invalidated the Safe Harbor. Which means there will be a long interregnum during which there will be less regulation, more unfettered transfers and lots of confusion.

You see, like the too-clever-by-half Wile E. Coyote character of Warner Brothers cartoon fame, in the first case that bears his name, Schrems thought he was going to dynamite, and thereby halt, EU-US data transfers by invalidating the Safe Harbor. But in the end, the only thing that went up in smoke was his goal of protecting data transfers.

Invalidating the Safe Harbor didn’t stop transfers out of Europe to the US at all. Instead, the result in Schrems I combined with the already looming specter of Schrems II, led companies to conclude that European law was, to put it colloquially, a hot, unenforceable mess.

EU regulators, already under-staffed, under-funded and overwhelmed, were more or less paralyzed after Schrems I. So responsible, law abiding companies had to more or less make it up as they went along. Most did their best to self-regulate and relied on SCCs. Others, knowing Schrems II was imminent and SCCs thereby in doubt, used ad hoc data export/import contracts. Meanwhile, the less law abiding were all too happy to flout the spirit of the law entirely and were doing pretty much whatever they wanted with impunity.

That same environment of confusion and virtual lawlessness, rather than Schrems’ goal of stopping or better protecting US transfers, will play out again if the Schrems II court invalidates SCCs. It’ll happen a thousand-fold if the Schrems II court decides, sua sponte, to invalidate the Privacy Shield too

What can we do now to prepare?

For starters, keep reading this blog! In addition to that, remember our recurring mantra about applying the Pareto Principle to data security and privacy compliance.

Sure it’s true that there are variations between laws and some laws have real quirks (CCPA anyone?!). But it’s even more true that just about every data sec or privacy law (from HIPAA to the NY Cyber-reg to GDPR) has the following (or a very similar) set of building blocks at its foundation:

  • adopt a risk-based technical and administrative data protection program,
  • tell your employees and customers what you’re doing with the data you collect about them and why,
  • give your employees and customers some degree of access to and autonomy over that data,
  • keep a close eye on third parties (including vendors) with whom you share that data, and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

So put that foundation in place, and check on it periodically, and you’ll be well on your way to achieving 80% compliance no matter what the Schrems II court decides.

New Massachusetts Law Creates More Stringent Notification Requirements for Data Breach Incidents

While we’ve all been busy keeping an eye on California’s CCPA mess and the brewing federal privacy legislation, Massachusetts enacted some amendments to its already stringent consumer-protection oriented privacy laws. (See MGL c.93H)

As a result of the amendments, effective April 11, 2019, Massachusetts’ general breach notification statute will include the following new requirements:

  1. Consent to Access Credit Reports – Before getting hold of a consumer’s credit report for most non-credit purposes, third parties must obtain the consumer’s consent. In the process, they also need to disclose the reason they’re seeking access.
  2. Security Freezes – Consumer reporting agencies can no longer charge a fee to consumers to place, lift, or remove a security freeze on their credit reports.
  3. Credit Monitoring Services – Companies experiencing a security breach involving social security numbers must offer affected MA residents free credit monitoring services for at least 18 months (or 42 months if the company is a consumer reporting agency). Additionally, companies that experience a security breach must file a report with the Attorney General and Department of Consumer Affairs and Business Regulation certifying their credit monitoring services comply with state law.
  4. No Waiver – Individuals affected by breaches can no longer be required to waive their private right of action as a condition to getting credit monitoring services.
  5. Breach Notice Obligations – Notice to the Attorney General and Department of Consumer Affairs and Business Regulation must include additional information such as the person responsible for the breach (if known), the type of personal information compromised, and whether the entity has a written information security program in place. Notice to consumers must include the name of the parent or affiliated corporation if the entity that experienced the breach is owned by another entity.
  6. No Delay in Notice to Residents – Notice to residents cannot be delayed on the grounds that the total number of residents affected has not been ascertained. If and when additional information is obtained, additional notice must be provided as soon as practicable and without unreasonable delay.

It’s not clear how these requirements will work in practice, but for those whose business activities expose them to Massachusetts law, existing incident response and management policies should be revisited by the end of March to make sure they reflect these new obligations.

Google Faces European Consumer Group Complaints Alleging GDPR Violations for Improper Collection of Location Tracking Data

On Tuesday, November 27th, consumer groups filed complaints with the data protection authorities in seven European countries, accusing Google of improperly collecting location tracking data in violation of the new General Data Protection Regulation (“GDPR”). The complaints, filed in the Czech Republic, Greece, Netherlands, Norway, Poland, Slovenia, and Sweden, cite to a study by the Norwegian Consumer Council, which reviews the various methods used to track consumers’ location when they use Google services on their smart phones.

Consumer groups claim that Google has been using a variety of techniques to “push or trick” users into allowing themselves to be tracked when they use Google services. These techniques include “withholding or hiding information, deceptive design practices, and bundling of services.” Complainants specifically allege that tracking is accomplished through the “Location History” and “Web & App Activity” features built into Google accounts, and these issues are particularly pronounced on mobile devices that use the Android platform.

The complainants go on to allege that Google does not have a valid legal basis for processing users’ location data and is processing personal information in violation of GDPR. Assuming Google will attempt to rely on consumer consent, complainants argue consent from Google users is inadequate because users are not given sufficient information to make informed choices, default settings are hidden, and users are repeatedly nudged to turn on features that track location.

In response to a request for comment, a Google spokesperson said: “Location History is turned off by default, and you can edit, delete, or pause it at any time. If it’s on, it helps improve services like predicted traffic on your commute.

“If you pause it, we make clear that—depending on your individual phone and app settings—we might still collect and use location data to improve your Google experience.”

These recent complaints are significant for several reasons. First, GDPR only recently took effect on May 25, 2018. Enforcement to date has been limited and there is little legal precedent that can be relied on to ascertain a potential outcome for these complaints. It is difficult to predict how the data protection authorities in these seven countries will respond.

Second, penalties for violations of GDPR are prohibitive. Current regulations provide for fines of up to 4% of global annual revenue, so Google, and its parent company Alphabet, could face fines in the billions of dollars.

Third, Google is facing lawsuits in United States federal court over the same location tracking data. The plaintiffs in those suits allege Google continued to track users’ locations through their phone, even after location tracking features were disabled. Google has filed a motion to dismiss, which will be heard in January 2019. It is unclear what impact, if any, these new complaints in the European Union will have on ongoing US litigation, and vice versa.

Three Key Requirements Imposed by Colorado’s New Consumer Data Privacy Statute

Be careful what you ask for (and maintain) about Colorado residents…especially if you don’t have the proper data security policies in place. On September 1, 2018, Colorado’s new privacy law, HB 18-1128, goes into effect, imposing new requirements on any business or government entity that maintains, owns, or licenses personal identifying information about Colorado residents.

The new law imposes three key requirements on businesses subject to the rule:

  1. Reasonable security procedures and practices must be implemented that are proportionate to the nature of the personal identifying information maintained and the nature and size of the business’s operations.
  2. Written policies for the destruction and proper disposal of paper and electronic documents containing personal identifying information must be developed.
  3. Breach notification procedures must be followed, including adhering to a 30-day time period by which notification must be completed.

Business that do not already have written data disposal and security policies should act quickly to ensure that they are compliant with the nuances of the new law.

Colorado’s breach notification requirement imposes a more aggressive requirement for notifying affected residents than requirements under the Health Insurance Portability and Accountability Act (HIPAA) and virtually any other U.S. state. A business must provide written notification with certain information to affected residents in the most expedient time possible and without unreasonable delay, but not later than 30 days after the point in time when there is sufficient evidence to conclude that a security breach has occurred. For breaches believed to have affected 500 residents or more or 1000 residents or more, businesses must notify the Colorado Attorney General and certain consumer reporting agencies, respectively.

Reflective of the shift towards providing consumers with more control over their personal information, the bill is codified under the Colorado Consumer Protection Act (CCPA) and potentially creates a private right of recourse against businesses who misuse a resident’s information. CCPA causes of action oftentimes include assertion of a right to triple damages and reasonable attorneys’ fees. Additionally, the Colorado Attorney General may bring civil, or in some cases criminal, actions for violation of the law.

The frequently unforgiving nature of civil monetary penalties imposed by the HHS Office of Civil Rights (OCR) for HIPAA violations should be cautionary. But, not only is there great risk of exposure for unprepared or noncompliant businesses facing enforcement by state and federal regulatory agencies, now more than ever, individual or class action liability seems to be on the horizon. Last, but not least, businesses never envision themselves as “the ones” making headlines about their data breaches…until it happens…and happens quickly.

What if I already comply with other state or federal privacy laws?

The new law indicates that businesses already regulated by other state or federal law are in compliance if adhering to such regulator’s procedures for the protection and disposal of personal identifying information. If the business operates in interstate, international and/or online commerce involving Colorado residents, however, a thorough review of policies and procedures is recommended to ensure that various applicable laws are reconciled.

Recommendations:

Businesses subject to the privacy law should take the following steps, at a minimum, to ensure that they are prepared to comply.

  1. Entities should know and map the flow of data both internally and outside of their business, whether in paper or electronic format. Inventories of hardware and other electronic portable devices where electronic media is stored should be routinely tracked.
  2. Employees must be routinely trained in policies. Handbooks should be updated and whether to require nondisclosure and confidentiality agreements assessed. Appropriate protocols for the destruction and disposal of personal identifying information must be implemented for current and departing employees.
  3. Third-party service vendors should be identified and communicated with regularly to obtain assurances of compliance. Contractual documents should memorialize vendors’ obligations.
  4. Businesses, including HIPAA covered entities, should rework their data breach policies and ensure that third-party vendor agreements or business associate agreements reflect Colorado’s more stringent breach notification timeline of 30 days.

Conclusion:

There is no uniform mechanism for determining how best to implement the necessary measures. Legal counsel specializing in data privacy and security law are instrumental resources when ensuring that adequate measures are taken to navigate compliance with state and federal laws, especially in today’s rapidly changing environment.