On Monday, the White House announced the nomination of Alvaro Bedoya to serve as FTC Commissioner.  Mr. Bedoya is slated to fill the seat on the Commission currently held by Rohit Chopra, which Mr. Chopra will vacate upon his confirmation as CFPB Director.  Mr. Chopra is expected to be confirmed as CFPB Director before the end of the year.

If confirmed, Mr. Bedoya would join the two other Democratic FTC Commissioners, Lina Khan, Chair of the Commission, and Rebecca Slaughter, and allow Democrats to maintain a 3-2 majority.

Mr. Bedoya is currently a law professor at Georgetown University Law School, where his research has focused on how technologies such as facial recognition have led to discrimination against immigrants and people of color.  He was the founding director of Georgetown University’s Center on Privacy & Technology.  Mr. Bedoya also served as the first Chief Counsel for the Senate Judiciary Committee’s Subcommittee on Privacy, Technology & the Law.  As a result, some observers view Mr. Bedoya’s nomination as a precursor to greater FTC focus on potential discrimination arising from the use of artificial intelligence and other technological innovations, as well as privacy considerations for both consumer protection and competition among Big Tech companies.

On August 12, 2021, the United States District Court for the District of South Carolina issued an opinion denying in part and granting in part a motion by Blackbaud to dismiss seven statutory claims brought by plaintiffs in a multidistrict consolidated action stemming from a ransomware attack. The most notable aspect of the opinion is the Court’s interpretation of the California Medical Information Act (CMIA), which may have the effect of broadening the scope of liability for California-based cloud service providers that suffer data breaches.

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has continued its enforcement of HIPAA’s privacy and security rules in the new administration, announcing a number of settlements of alleged violations in the first seven months of 2021.  This settlement activity followed a few other significant HIPAA developments that occurred in January of 2021, including HHS’s release of proposed regulations to the HIPAA Privacy Rule and a Fifth Circuit Court of Appeals opinion vacating an OCR penalty of approximately $4.44 million for a HIPAA security breach involving the University of Texas MD Anderson Cancer Center (MD Anderson).  The Fifth Circuit took issue with the standards that OCR (and an administrative law judge) had applied in assessing the penalty.  It found that MD Anderson had implemented a mechanism for the encryption of data, even if certain employees did not follow that mechanism.  It held that the government had not demonstrated that MD Anderson made any affirmative disclosure of protected health information to an outside person.  The Court explained that even if the government had established that MD Anderson was liable, the Court would have lowered the penalties substantially, finding that the amount assessed exceeded applicable limits.  Although it is unclear how the Fifth Circuit’s opinion will affect OCR’s enforcement activity (or the willingness of parties to settle) going forward, this year’s settlements demonstrate that OCR has remained active in enforcing HIPAA’s rules.

OCR’s first settlement of 2021 was also its largest of the year to date.  OCR learned of the breach when Excellus Health Plan reported to OCR that cyber-attackers had installed malware and gained unauthorized access to its systems from December 2013 to May 2015.  The breach resulted in the impermissible disclosure of more than 9.3 million individuals’ protected health information, including their social security numbers, bank account information, health plan claims, and treatment information.  HHS investigated the breach and alleged that Excellus Health Plan did not conduct a thorough analysis of the risks and vulnerabilities of the electronic protected health information (ePHI), implement security measures to mitigate risks and implement procedures to regularly review information system activity records.  Excellus Health Plan agreed to pay a resolution amount of $5.1 million and entered into a Corrective Action Plan, requiring it to perform a comprehensive risk analysis to identify any other potential risks or vulnerabilities to its systems maintaining ePHI, prepare written policies to address the monitoring of suspicious activity and submit the policies to HHS for review, provide training to employees on such policies and submit to monitoring by HHS for a period of two years.  OCR’s analysis of the severity of the potential violations and determination of the resolution amount appears to have been heavily influenced by the length of time that the breach went undetected, as the director of OCR commented: “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries.”  This settlement serves as a reminder that covered entities should be vigilant in reviewing activity within their systems so they may respond quickly if a breach does occur.

OCR has also demonstrated a continuing commitment to enforce the obligation to provide individuals with timely access to their health information upon request.  OCR entered into six separate Resolution Agreements between January and June of 2021, amounting to 19 total actions under its Right of Access Initiative.  All six settlements involved health care providers that failed to provide patients’ medical records in a timely manner, ranging from a 6-month delay to a complete failure to provide the requested documents.  Each entity entered into a Resolution Agreement and Corrective Action Plan with OCR, with resolution payments ranging from $5,000 to $200,000.  Based on the limited information available in the Resolution Agreements, it is unclear how the monetary resolution amounts were set.  They may have been based on a combination of factors such as the time that passed between the initial request and the date the entity provided the medical records, the number of complaints that HHS received with respect to each entity, or the size and sophistication of each entity.  Although the settlement amounts for breaches of the access to information requirements tend to be less than those involving an actual breach of privacy, the Corrective Action Plans still require the entities to undertake significant compliance measures, including revising internal policies and procedures for HHS review, providing training to all employees with job duties that relate to processing these requests, and submitting to monitoring by HHS for up to two years.  These Resolution Agreements and accompanying press releases indicate that HHS will continue pursuing its Right of Access Initiative, demonstrating the importance for health care entities of maintaining sufficient policies to ensure timely, comprehensive and accurate responses to patients’ requests for medical records.

With a little over a year of enforcing the California Consumer Privacy Act (CCPA) under its belt, the Office of the California Attorney General (OAG) recently held a press conference to announce updates on its CCPA enforcement efforts and promote new tools relating to California consumers’ right to opt out of the sale of their personal information.

Following in the footsteps of the Eastern District of Virginia’s Capital One decision last year and the District of D.C.’s Clark Hill decision earlier this year, the Eastern District of Pennsylvania has just ordered the production of a data breach forensic report and related communications.  In re Rutter’s Data Sec. Breach Litig., No. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (E.D. Pa. July 22, 2021).  The Rutter’s decision is a reminder that although courts had generally found such documents protected by the attorney-client privilege and/or work product doctrine, the tide may be changing.

On May 29, 2019, Rutter’s received two security alerts which detailed “the execution of suspicious scripts and indications of the use of potentially compromised credentials.”  The same day, Rutter’s engaged outside counsel to advise on its potential notification obligations.  Outside counsel then engaged a forensic investigator to perform an analysis to determine the character and scope of the incident.  The parties all assumed that the investigation, including its ultimate report and the communications made in furtherance thereof, would be protected by the attorney-client privilege and/or the work product doctrine.  The plaintiffs moved to compel, and the federal magistrate judge granted the motion.

With respect to the work-product doctrine, the Court explained that the doctrine only applies where impending litigation is the “primary motivating purpose behind the creation of the document.”  The Court then held that it was clear from the contract that “the primary motivating purpose” behind the forensic investigation was not to prepare for the prospect of litigation—it was to determine whether data was compromised, and the scope of such compromise if it occurred.  The Court also relied on the testimony of Rutter’s corporate designee and the fact that outside counsel did not receive the report before Rutter’s.  Based on these facts, the Court held that the work product doctrine did not apply.

With respect to the attorney-client privilege, the Court explained that a “communication may only be privileged if its primary purpose is to gain or provide legal assistance.”  The Court further explained that for privilege to apply, the attorney must be “acting as a lawyer,” meaning that the lawyer “must guide future conduct by interpreting and applying legal principles to specific facts.”  The Court emphasized that privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.  Based on that law, the Court found that Rutter’s had not demonstrated that the forensic report and related communications involved “presenting opinions and setting forth . . . tactics rather than discussing facts.”  Specifically, the Court noted that only one portion of the forensic vendor’s services was not inherently factual—working with Rutter’s IT personnel to identify and remediate potential vulnerabilities, which the Court found was not providing legal advice.

The Rutter’s opinion casts further doubt on whether courts will extend protection over data breach forensic investigation reports and communications.  However, like the Capital One and Clark Hill cases, the Rutter’s opinion leaves open the possibility for protection if certain facts occur—some of which companies and outside counsel can control to a degree.  Accordingly, although confusion and chaos can be pervasive at the beginning stages of a data breach, companies and outside counsel should take steps to build a record that may help them secure privilege down the road.

On July 9, 2021, New York City’s biometric identifier information law became effective. The law, which was enacted in January 2021, addresses the collection and use of biometric identifier information (BII) by commercial establishments—meaning places of entertainment, retail stores, or food and drink establishments—to track customer activity. It creates a private right of action and subjects violators to statutory damages.


Phil Yannella, Ballard Spahr litigation partner and Practice Leader of Ballard’s Privacy & Data Security Group, recently authored a treatise on data breach and privacy litigation. The book, Cyber Litigation: Data Breach, Data Privacy & Digital Rights, is published by Thomson Reuters and is available now for purchase.

On June 4, 2021, the European Commission adopted an updated and long-awaited set of standard contractual clauses (SCCs) for the international transfer of personal data. The previous SCCs were created prior to the implementation of the EU General Data Protection Regulation (GDPR) and required substantive revisions to bring them in line with the GDPR and the Court of Justice of the European Union’s July 2020 Schrems II decision (previously covered here).

On June 14, the California Privacy Protection Agency (CPPA), the first state agency in the country dedicated to privacy, held its first public meeting. In her opening remarks, Acting Chairwoman Jennifer M. Urban introduced each of the Board members: John Christopher Thompson, Angela Sierra, Lydia de la Torre, and Vinhcent Le. The meeting covered an extensive agenda, available here, which highlighted the processes and procedures required by the Board to perform its duties, including issuing final regulations under the California Privacy Rights Act of 2020 (CPRA), which will go into effect on January 1, 2023.

The Board discussed the urgent need to hire at least two executive leadership positions to meet its July 1, 2022 deadline to issue final regulations under the CPRA. The Board also approved several subcommittees, including a Regulations Subcommittee, which will be dedicated to developing the CPRA regulations.

During the meeting, the Administrative Procedures Act process that the Board will follow in developing the CPRA regulations was described. Any regulations drafted and proposed by this Board will be sent to the Office of Administrative Law (OAL) in the form of a notice package. Once the package is published in the state’s register, a public comment period of at least forty-five days will allow written comments to be submitted about the proposed regulations. After the public comment period, the Board will either adopt the regulations as initially proposed or make additional modifications to the text. If modifications are made, there will be an additional public comment period of fifteen days. If the Board approves the changes, the final regulations will be sent to the OAL for final approval. Regulations approved by the OAL become effective on a quarterly basis; however, the Board can also request that the OAL make the effective date of any such regulations the date of filing with the Secretary of State.

The Board plans to meet on a monthly basis, and all such meetings will be open to the public. Although the Board has not yet set a specific date for its next meeting, the Board will provide at least ten calendar days of notice and release an agenda to the public in advance of each meeting.

In a long-awaited opinion, the Supreme Court recently resolved a circuit split regarding the proper interpretation of a statute implicated in many post-employment disputes. Since its enactment, federal courts of appeal have been divided over the proper interpretation of the phrase “exceeds authorized access” under the Computer Fraud and Abuse Act (“CFAA”), a primarily criminal statute that also includes a civil cause of action where an individual accesses a protected computer without authorization or exceeds authorized access. Some courts have held that the “exceeds authorized access” requirement only applies where the individual was authorized to access the computer itself but not the particular files or information that are the subject of the dispute.