New York’s proposed data privacy law failed to materialize in the latest legislative session and is now presumed dead.  New York was one of a number of states that proposed sweeping privacy legislation after the enactment of the California Consumer Privacy Act (CCPA). The proposed New York law, in fact, was broader than the CCPA in many ways. The law would have applied to non-profits as well as for profits, and included a private right of action for data breaches of $10,000 per consumer.  The proposed law also would have designated businesses that collect personal information of New York consumers as “information fiduciaries” and imposed on such companies a “duty to exercise loyalty and care” in how the business uses personal information, as the Electronic Frontier Foundation put it.

Concerns about the overly prescriptive nature of the proposed law as well as its potential impact on small and medium-sized companies appear to have derailed the bill in the New York senate. A number of other states, including Massachusetts and Connecticut, are still considering their own privacy laws, but for the time being at least, the CCPA remains the only comprehensive US state privacy law on the books.

At what has been described as a marathon hearing that lasted late into the night of July 9, the California Senate Judiciary Committee advanced several amendments to the California Consumer Privacy Act (the “CCPA”), but major changes that opponents claimed would have eroded privacy protections for consumers largely failed.  The bills advanced from the Senate Judiciary Committee will now go to the Appropriations Committee, and if they pass, to a full Senate vote.

Among the more notable amendments that advanced was AB25.  A  more business-friendly version of AB25 passed in the Assembly in May, pursuant to which certain employment-related information would be excluded from the CCPA.  However, AB25 was modified while in the Senate Judiciary Committee, and the version of AB25 that advanced from Committee requires employers to tell employees what type of information they are collecting and the reason for doing so.  The modification was made in an effort to “create a layer of transparency between employers and employees.”

Another amendment that advanced was AB1564.  The prior text of the bill removed a requirement that businesses provide a phone number for customers requesting access to their personal information.  Groups who opposed this amendment argued that it would make it harder for people without internet access to exercise their privacy rights.  The amended version of AB1564 that advanced restored the phone number requirement for stores that have a direct, in-person relationship with the customer.

Two hotly contested amendment bills did not advance—AB873 and AB1416.  AB873 would have changed the definition of “personal information” and “deidentified information” so that more private data falls outside the protection of the CCPA.  Supporters say that this amendment would make the CCPA workable for both small businesses and major corporations.  Critics say that the amendment would dramatically weaken the effect of the CCPA as a whole.  AB873 deadlocked in a 3-3 vote, meaning it failed to advance.  However, there has been a request for reconsideration.  AB1416 would have allowed businesses to sell personal data to third parties even after the consumer opted out if the sale was for the purpose of detecting security incidents or protecting against various types of malicious actors.  Groups that oppose AB1416 say that it would create a major loophole in the CCPA. The bill was dropped from this year’s legislative session, but it will likely re-emerge next year.

While the advanced bills may undergo more modifications, the Judiciary Committee changes serve as a reminder that companies should not bet on major changes to save them from the CCPA’s reach.  Indeed, the modifications to AB25 indicate that business-friendly amendments may need to be watered down to a degree in order to advance.  Accordingly, companies should be diligently preparing for the January 1, 2020 effective date of the CCPA.

Since the passage of the California Consumer Privacy Act (CCPA) in June 2018, over a dozen US states have proposed their own privacy laws, many of which are nearly identical to the CCPA.  Some of these proposals have since become law.  Others are in different stages of the legislative process.  To help clients keep track of the status of these proposed laws, Ballard has launched a US State Privacy Law Tracker.  We’ll be updating the Tracker as these laws progress and states propose new privacy laws, so check back regularly.  Continue Reading Ballard Launches US State Privacy Law Tracker

Last Friday we blogged on the Saks data breach class action, and in the process mentioned a trend among federal courts to reject fear of future identity theft claims in retail breach cases.  As we  explained, because retail breaches rarely involve theft of social security numbers, date of birth, healthcare information or other data that can be used to commit identity theft, courts have typically found that plaintiffs in such cases lack standing to pursue their claims in federal court. Continue Reading 8th Circuit Decision in SuperValu Class Action is a Reminder that Injury and Damages Aren’t the Same Thing.

For years, plaintiffs in data breach class actions have argued that the threshold for Article III standing is low – and increasingly courts are accepting that argument. The Saks data breach class action, pending in the Southern District of New York, is the latest example of a federal court finding that Article III standing exists even where the plaintiff’s asserted injuries are very minimal. Continue Reading Court Ruling in Saks Data Breach Case Illustrates That Threshold for Article III Standing Is Low

The Office of Civil Rights of the Department of Health and Human Services (OCR) announced that it has entered into a settlement with a business associate that provides electronic medical records services to health care providers.  The resolution agreement requires Medical Informatics Engineering, Inc. (MIE) to pay $100,000 and adhere to a corrective action plan.  Under the corrective action plan, MIE must conduct a security risk assessment and implement a security risk management plan under OCR supervision.

 

The breach giving rise to the settlement resulted from a compromised user name and password that allowed hackers access to the electronic protected health information of 3.5 million people.  The information compromised included names, addresses, dates of birth, Social Security numbers, e-mail addresses, clinical information, and health insurance information.  As required by HIPAA, MIE itself reported the breach.  OCR investigated and found that MIE had failed to conduct an accurate and thorough security risk analysis.

 

The resolution agreement does not provide details about OCR’s evaluation of the situation, but the settlement suggests that OCR did not find MIE’s violation to be particularly blatant and that it paid more attention to the nature of the breach than to its impact.  On the basis of the information revealed and the numbers affected, the penalty could have been much larger. Under OCR guidance, the minimum penalty that applies (when even reasonable diligence would not have prevented the breach) would be calculated based on $100 per violation.  With 3.5 million individuals affected, that would come to $350 million.

 

That amount does not take into account the maximum limit that applies for each type of violation. In this case, only one type of violation was identified, so the cap is easy to figure. Under the rules that applied prior to the new guidance issued a few weeks ago, all penalties were  capped at a total of $1.5 million for each type of violation, so we might have expected that to be the penalty. However, under the new guidance, penalties are reduced where the violations are less blameworthy. The $100,000 penalty in this case matches the maximum penalty for a violation that is due to reasonable cause.

 

Without a more detailed understanding of the facts, it is not possible to determine whether the reasonable cause limitation was applied or appropriate in this case, but the result suggests that the new caps may influence sanctions that OCR will seek in at least some HIPAA enforcement actions.

 

 

In April 2019, the California Assembly Privacy and Consumer Protection Committee rejected a proposal known commonly as the “Privacy for All Act” (AB-1760), which among other things would have provided a private right of action for all violations of the California Consumer Privacy Act (CCPA). The rejection of AB-1760 was a blow to consumer privacy advocates. A similar measure, SB-561, would also have provided a private right of action for all privacy violations. That bill has also been defeated, meaning that the CCPA’s private right of action provisions will not be expanded this year. Continue Reading Proposed Expansion of CCPA’s Private Right of Action Defeated in State Senate

Following the speedy enactment of the California Consumer Privacy Act (CCPA or Act) in June 2018, business and consumer advocates alike have been pressuring California lawmakers to clarify the many ambiguities raised by the Act’s sweeping requirements. California lawmakers recently responded to these calls for greater clarity by proposing a slate of amendments to address some of the more controversial provisions of the CCPA, including the definition of “personal information”, requirements regarding information sharing, and the scope of industry exemptions. Continue Reading Proposed Amendments to the California Consumer Privacy Act May Limit Scope of the Act

After a quiet winter, the Department of Health and Human Services’ Office for Civil Rights (OCR) revived with the spring, issuing a set of frequently asked questions and two recent announcements.

The FAQs address the situation where an individual requests a covered entity to disclose protected health information (“PHI”) to an app. The covered entity must generally comply with the request, even if the app is unsecured. It may be prudent to advise the individual of concerns about the app, but the individual has the right under HIPAA to access most PHI held by a covered entity set and to direct where the covered entity should send that information.

In case of unauthorized access to PHI that has been transmitted to the app, the liability of a covered entity, or an electronic health records (“EHR”) developer acting as a business associate for the covered entity, will be determined by the relationship with the app. If, for example, there is no relationship with the app developer and the app does not perform functions on behalf of the covered entity, the FAQs provide comfort that the covered entity, and EHR developer, will not be exposed to penalties under HIPAA in the event of unauthorized access to PHI that has been transmitted to the app.

Conversely, if a relationship exist, for example, the app developer serves as a business associate of the EHR developer or the app is performing functions for the covered entity, the EHR developer and covered entity may be exposed to liability. Covered entities should consider building appropriate contractual protections into their business associate agreements to safeguard against such liabilities.

Within two weeks of publishing the new FAQs, the OCR issued a notification that it is reducing the maximum penalties that will apply to certain types of HIPAA violations.  For penalty purposes, the OCR breaks HIPAA violations into four categories based on the severity of the violation.  Prior to the new guidance, only the minimum penalty per violation increased with severity.  The maximum penalty that could be imposed was the same for each category: $1.5 million for any type of violation per year.  Under the new guidance, the maximum remains at $1.5 million for the most serious category of violations, but is lowered significantly for other types of violations.  Going forward, the maximum penalty will be:

  • Where the entity did not know and by exercising reasonable diligence would not have known of the violation, $25K per type of violation per year.
  • Where the violation arises from reasonable cause, $100K per type of violation per year.
  • Where the violation arises from willful neglect and is corrected, $250K per type of violation per year.
  • Where the violation arises from willful neglect and is not corrected, $1.5M per type of violation per year.

However, the reduction in the maximum penalties does not necessarily translate to a significant reduction in what the OCR will seek in enforcement actions, at least not with respect to the resolution agreements that the OCR has historically announced.  Those resolution agreements typically pertain to situations where the OCR finds serious, uncorrected violations, often of more than one type.

One week after this notification, the OCR seemed to signal that it will continue to seek large settlement amounts when it followed the notice of penalty reductions with an announcement of a $3 million settlement with Touchstone Medical Imaging, LLC for violations that exposed the PHI of more than 300,000 patients.  Although the OCR reached this resolution agreement prior to issuing its notice of the reduction in penalties, it is unlikely that the reduction would have made any difference with regard to the Touchstone breach, where the OCR found several HIPAA violations, including issues with the timing and thoroughness of the health care provider’s investigation of the incident, which in turn led to a delay in its provision of notice of the breach to affected individuals.

The practical changes that will come from the reduction in penalties remain to be seen.  Covered entities and their business associates under HIPAA may take comfort that relatively minor violations that are quickly addressed will not result in multimillion dollar liabilities, but based on past settlement announcements, it seems unlikely that the OCR would enforce the HIPAA requirements so harshly.  On the other hand, it appears as if the OCR will continue to seek substantial monetary penalties for significant, uncorrected breaches.

The Denmark Data Protection Authority (DPA) ruled on April 11, 2019 that affirmative consent is required when companies record customer telephone calls. Because voice recordings constitute personal data under the European Union’s (EU) General Data Protection Regulation (GDPR), international companies that communicate via telephone with EU customers will need to take steps to ensure GDPR compliance.

In this case, Denmark’s largest telecommunications company, TDC A/S, provided disclosures to its customers that calls may be recorded for training purposes, but the company offered no mechanism for customers to opt-in or opt-out of the recording. During one such call, the customer requested that the call not be recorded, but the service agent said there was no way to turn off the recording. The Denmark DPA rejected the company’s arguments that its recording practices served a legitimate interest, such as the improvement of its customer service, and concluded that the company’s telephone recording practices violated the GDPR. Continue Reading Denmark DPA Rules on How GDPR Applies to Voice Recordings