Category: Privacy and Data Security

“Say Cheese!” CVS Passport Photo Practices Subject to BIPA Suit

In May 2022, a group of plaintiffs brought a putative class action against CVS Pharmacy, Inc. (CVS) alleging the company violated several provisions of the Illinois Biometric Information Privacy Act (BIPA) through its practices for taking passport photos. On May 4, 2023, in Daichendt and Odell v. CVS Pharmacy, Inc., the United States District Court for the Northern District of Illinois denied CVS’s motion to dismiss, holding the plaintiffs sufficiently stated a claim under Section 15(b) of BIPA. Section 15(b) of BIPA prohibits private entities from collecting “or otherwise obtain[ing] a person’s or a customer’s biometric identifier or biometric information, unless it first”: (1) provides notice of collection; (2) provides notice of the specific purpose of collection; and (3) obtains affirmative written consent. Here, the plaintiffs alleged that CVS required them to “enter[] their names, email addresses, and phone numbers into a computer terminal inside defendant’s stores prior to scanning their biometric identifiers.” Thereafter, CVS’s system would “check” and “verify” an individual’s facial features (i.e., whether the individual is smiling) to comply with government requirements. Against this backdrop, the plaintiffs argued this system violated Section 15(b) because it “collected and stored their personal contact data (‘real-world identifying information’), such as their names and email addresses,” thus giving CVS the ability to identify the plaintiffs “when...

GoodRx Fined $1.5 Million for Disclosure of Users’ Personal Information to Third Parties Without Notice or Consent

On February 1, 2023, the Federal Trade Commission (FTC) filed a “first of its kind” enforcement action under the FTC’s Health Breach Notification Rule, 16 CFR Part 318, which offers several useful takeaways for all companies that collect and process a consumer’s personal information – not just companies that handle health-related data. The FTC’s proposed order seeks to impose a $1.5 million civil penalty against GoodRx, a digital health platform, for sharing the sensitive personal health and other information of millions of GoodRx users with various advertising platforms, including Facebook and Google, and failing to report these disclosures to consumers. According to the FTC complaint, GoodRx collects sensitive personal information from users and represents that it will treat users’ information in accordance with its privacy policies. Since at least 2017, the GoodRx privacy policy specifically stated that GoodRx “would never disclose personal health information to advertisers or any third parties.” Yet for several years, GoodRx allegedly violated these promises “by sharing information with Advertising Platforms, including Facebook, Google and Criteo, about users’ prescription medications or personal health conditions” and “did so without notice to users, and without obtaining consent.” In addition, GoodRx monetized the personal health information it collected through the creation of advertising campaigns on Facebook and Instagram that targeted GoodRx users. In August...

Gibbons P.C. Presents “Keys to Negotiating Better Software and Software-as-a-Service Agreements”

From May 17-19, Peter J. Frazza, a Director in the Gibbons Commercial & Criminal Litigation Group, will lead a seminar in Las Vegas analyzing the negotiation of software licenses and software-as-a-service agreements, including data protection and privacy issues companies face that are specific to software transactions, artificial intelligence, and the Internet of Things (IoT). Mr. Frazza has over 30 years of experience handling complex lawsuits and contract negotiations on behalf of licensees and users in software licensing and software-as-a-service matters. For additional seminar details or to register, visit https://conta.cc/3CFGxws.

States Step Up Data Privacy and Security Regulation

State legislatures in California and New York have taken action to respond to rising privacy concerns by enacting legislation to protect consumers and their personal information, and the New Jersey legislature is actively working to pass similar legislation to enhance the privacy and security obligations applicable to personal information obtained from New Jersey consumers. This legislation typically requires businesses to inform residents of certain rights regarding the collection or sale of their personal information and to provide notice to residents if a security incident at the company involves their personal information. As deadlines quickly approach for the enforcement of these laws, it is important for businesses to take action now and revisit privacy, security, and storage practices, as well as the associated policies for maintaining appropriate data privacy and security throughout the organization. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, accords significant new privacy rights to consumers and imposes corresponding new requirements on businesses. In general, the CCPA requires businesses to implement procedures to provide notice to consumers at or before the collection of personal information, to respond to consumers’ requests for the production or deletion of their collected information or to opt out of its sale, and to create privacy policies detailing their processes for selling or distributing consumer data....

Gibbons Hosts “Keys to Negotiating Better Software & Software-as-a-Service Agreements” Seminar – October 16-18, 2019

From October 16-18, Peter J. Frazza, a Director in the Gibbons Commercial & Criminal Litigation Department, will lead a seminar in Las Vegas analyzing the negotiation of software licenses and software-as-a-service agreements, including data protection and privacy issues companies face that are specific to software transactions, artificial intelligence, and the Internet of Things (IoT). Mr. Frazza has over 30 years of experience handling complex lawsuits and contract negotiations on behalf of licensees and users in software licensing and software-as-a-service matters. For additional seminar details or to register, visit https://conta.cc/31AYf0h.

New Fair Credit Reporting Act – Summary of Rights Forms

The Consumer Financial Protection Bureau (“CFPB”), the Federal agency that administers the Fair Credit Reporting Act (“FCRA”), just issued new Summary of Rights forms. An employer conducting a background check on an employee or applicant through a consumer reporting agency must provide such employee or applicant a Summary of Rights notice when first obtaining consent to conduct the background check — together with a written disclosure about the use of the background check — and when taking adverse action based on the background check. Starting today, September 21, 2018, the new Summary of Rights form must be used. The CFPB also issued forms called Summary of Consumer Identity Theft Rights that must be provided to consumers by credit reporting agencies when they are the subject of identity theft. A new law also requires credit reporting agencies to implement a “national security freeze” at no cost to a consumer that restricts prospective lenders from access to a consumer’s credit report. Other changes include a one-year (instead of 90-day) notification of a fraud alert in a consumer’s file. The notification informs a lender that the consumer may have been the victim of identity theft, for which the lender must take additional steps to verify the identity of anyone attempting to obtain credit in the consumer’s name....

New Jersey Poised to Mandate Across-the-Board Information and Data Security Preparedness

The New Jersey Assembly is considering legislation that will require individuals and businesses that own or license personal information about a New Jersey resident to create and maintain a comprehensive information security program (“ISP”). The bill, A-5206, was introduced by Assemblywoman and Deputy Majority Leader Annette Quijano (D-Union) on November 30, 2017, and referred to the Assembly Homeland Security and State Preparedness Committee. If passed, New Jersey would join other states including Massachusetts (see 201 CMR 17.01 to 17.05) and Rhode Island (R.I. Gen. L. § 11-49.3-2), and sector-specific regulatory schemes including the Gramm-Leach-Bliley Act (16 CFR 314), New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (45 CFR 164), that require a written information security program. The bill as currently drafted includes a minimum of 28 data security policies and practices that must be included in any company’s ISP. These include: Designating one or more employees to be in charge of the ISP; Ongoing employee training regarding risks to the security, confidentiality, and integrity of any records containing personal information, and imposing disciplinary measures for violation of ISP rules; Obligating a company to conduct due diligence when engaging third-party service providers with access to the company’s records containing personal...

Proper Planning Means You Do Not Need to Shed Tears When Hit with the Likes of WannaCry

Since Friday, May 12, over 200,000 companies from over 150 countries have become victims of a massive cyber-attack from the ransomware variant WannaCry (also known as WCry or WanaCryptor). The attackers demanded payment of $300 in Bitcoin from each victim to restore access to files that the ransomware encrypted. The attackers stated that the price of file retrieval would rise to $600 after a short period of time, and if the victim company refused to pay, the files would be permanently deleted. Notably, this particular ransomware appears to have been propagated primarily due to a failure to patch a Windows software vulnerability known as EternalBlue, which potentially gave the attackers access to the files they encrypted. Organizations large and small, domestic and international, are among the victims. The WannaCry attack is a stark reminder of the need to have comprehensive information governance and incident response plans in place. Planning for such an attack can be just as important, if not more so, than the response itself, and can block the threat or mitigate the damage, disruption, and liability suffered in the event the organization is the victim of a successful attack. Implement a Written Information Security Program. Knowing how to mitigate the effects of a breach and how to respond upon notice of a breach starts with...

NY Updates Cybersecurity Requirements for Financial Services Companies

On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.