Colorado has become the third state to enact a comprehensive data privacy statute imposing compliance obligations on legal entities that collect or process the personal data of its residents. The Colorado Privacy Act (CPA) is based on and enforces many of the same key concepts as do other data privacy statutes and regulations. As such, companies that are implementing or updating compliance programs for the European Union’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and Virginia Consumer Data Protection Act (CDPA) will be familiar with the main provisions of the CPA and likely will have an easier time achieving compliance. There are, however, some important distinctions that companies must consider as part of any ongoing compliance efforts in anticipation of the CPA’s effective date of July 1, 2023. As a threshold matter, the CPA applies to legal entities that (i) conduct business in Colorado or produce or deliver commercial products or services that are “intentionally targeted to residents of Colorado,” and (ii) either (a) control or process personal data of more than 100,000 consumers per year or (b) earn revenue (or receive a discount on goods or services) from the sale of personal data and control or process personal data of more than 25,000 consumers. Notably, the CPA...
Tagged: Data Security
State legislatures from California and New York have taken action to respond to rising privacy concerns by enacting legislation to protect consumers and their personal information, and the New Jersey legislature is actively working to pass similar legislation to enhance the privacy and security obligations applicable to personal information obtained from New Jersey consumers. This legislation typically requires businesses to inform residents of certain rights regarding the collection or sale of their personal information and to provide notice to residents if a security incident at the company involves their personal information. As deadlines quickly approach for the enforcement of these laws, it is important for businesses to take action now and revisit privacy, security, and storage practices, as well as the associated policies for maintaining appropriate data privacy and security throughout the organization. The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, accords significant new privacy rights to consumers and imposes corresponding new requirements on businesses. In general, the CCPA mandates businesses to implement procedures to provide notice to consumers at or before the collection of personal information, to respond to consumers’ requests for the production or deletion of their collected information or to opt-out from its sale, and to create privacy policies detailing their processes for selling or distributing consumer data....
The New Jersey Assembly is considering legislation that will require individuals and businesses that own or license personal information about a New Jersey resident to create and maintain a comprehensive information security program (“ISP”). The bill, A-5206, was introduced by Assemblywoman and Deputy Majority Leader Annette Quijano (D-Union) on November 30, 2017, and referred to the Assembly Homeland Security and State Preparedness Committee. If passed, New Jersey would join other states including Massachusetts (see 201 CMR 17.01 to 17.05) and Rhode Island (R.I. Gen. L. § 11-49.3-2), and sector-specific regulatory schemes including the Gramm-Leach-Bliley Act (16 CFR 314), New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule (45 CFR 164), that require a written information security program. The bill as currently drafted includes a minimum of 28 data security policies and practices that must be included in any company’s ISP. These include: Designating one or more employees to be in charge of the ISP; Ongoing employee training regarding risks to the security, confidentiality, and integrity of any records containing personal information, and imposing disciplinary measures for violation of ISP rules; Obligating a company to conduct due diligence when engaging third-party service providers with access to the company’s records containing personal...
On December 28, 2016, the New York Department of Financial Services (“DFS”) published an updated version of its proposed “Cybersecurity Requirements for Financial Services Companies.” The updated regulations will become effective on March 1, 2017. As previously reported, these regulations are an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
11th Circuit’s Stay Suggests that the FTC’s Final Order Against LabMD May Itself be “Unfair” and “Unreasonable”
As reported on this blog on September 27, 2016, the FTC issued a Final Order holding that LabMD’s data security practices were “unreasonable” and constituted an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §45(a) and (n). The findings were a clear signal of the FTC’s expanding efforts to regulate data security and to incentivize companies handling sensitive data to implement and maintain strong data security practices. On Thursday, November 10, 2016, the 11th Circuit stayed enforcement of the FTC’s Final Order pending a full hearing and final decision on LabMD’s appeal, and called into question the validity of the FTC’s conclusions as to what may constitute an actionable “privacy harm” following a data security breach.
Regulations Proposed by NY Department of Financial Services are a Significant Development for Regulated Entities … and Everyone Else
On September 13, 2016, New York Governor Andrew M. Cuomo announced new first-in-the-nation proposed regulations to protect against the ever growing threat of cyber-attacks in the financial services industry. The proposed regulations, to be enforced by the New York State Department of Financial Services, would apply only to an entity regulated by the NY Department of Financial Services – from a multi-national bank to a “mom-and-pop” operation. However, the regulations are important for all companies to review and consider, regardless of their location or scope of operations, because the proposal represents an important step in the ongoing national dialogue about reasonable and necessary cybersecurity standards for all businesses.
The FTC Confirms That Mere Disclosure of Health Information is a “Substantial Injury” Justifying Sanctions for “Unreasonable” Data Security Practices
The Federal Trade Commission (“FTC” or “the Commission”) recently confirmed that disclosure of sensitive consumer data as a result of inappropriate data security practices may be deemed an “unfair act or practice” in violation of the Federal Trade Commission Act (“FTC Act”). This decision is important because the FTC reached this conclusion with no evidence of actual economic or physical harm, or any actual health and safety risks as a result of the disclosure. The Commission’s decision is also notable because it emphasizes the FTC’s expanding reach in the regulation of data security.
Data Breach Victims Grounded: Third Circuit Affirms Dismissal of Putative Class Action Based on Economic-Loss Doctrine and Absence of Explicit Contractual Obligations
The Third Circuit’s recent decision affirming the district court’s dismissal of a proposed class action in its entirety highlights the difficulties faced by Plaintiffs pursuing data-security class actions in situations where the claims are not based upon explicit contractual language. This is an important decision for defense counsel to keep in mind in considering options to get rid of a class action before it takes off.
As previously noted, in response to the European Court of Justice ruling in Schrems v. Data Protection Commissioner (Case C-362/14) striking down as inadequate the so-called “safe harbor” agreement that existed for more than a decade, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. Described as the EU-U.S. “Privacy Shield” agreement, that framework has now been vetted by EU Member States, modified in certain respects, and formally adopted on July 12, 2016 by the European Commission.
Anyone reading recent headlines knows that Apple, Inc. is engaged in a legal, and ultimately political, struggle with the U.S. Government over access to the cell phone of Syed Rizwan Farook, one of the shooters in the December 2, 2015 terror attack at the Inland Regional Center in San Bernardino, California. The core issue in that California proceeding is whether Apple should be forced to “create and load Apple-signed software onto the subject iPhone device to circumvent the security and anti-tampering features of the device in order to enable the government to hack the passcode to obtain access to the protected data contained therein.”