The Illinois Supreme Court held on January 25, 2019, that plaintiffs filing suit under the Biometric Information Privacy Act—which regulates how private entities disclose and discard biometric identifiers—do not need actual damages for standing. The decision has serious implications for companies collecting biometric data from Illinois residents.

The Act provides a private right of action to individuals “aggrieved” by any violation, allowing them to seek, among other remedies, liquidated or actual damages, attorneys’ fees, and costs. However, there has been widespread uncertainty as to whether an aggrieved individual asserting a private action under the Act needed to show that he or she suffered an actual injury as a result of an alleged violation, or if a violation of the Act in and of itself conveys standing. Continue Reading Illinois Supreme Court: No ‘Actual Harm’ Required for Biometric Information Privacy Act Claims

The prevailing wisdom after last year’s enactment of the California Consumer Privacy Act (CCPA) was that it would result in other states enacting consumer privacy legislation. The perceived inevitability of a “50-state solution to privacy” motivated businesses previously opposed to federal privacy legislation to push for its enactment. With state legislatures now convening, we have identified what could be the first such proposed legislation in New York Senate Bill 224.

The proposed legislation is not nearly as extensive as the CCPA and is perhaps more analogous to California’s Shine the Light Law. The proposed legislation would require a “business that retains a customer’s personal information [to] make available to the customer free of charge access to, or copies of, all of the customer’s personal information retained by the business.” It also would require businesses that disclose customer personal information to third parties to disclose certain information to customers about the third parties and the personal information that is shared. Businesses would have to provide this information within 30 days of a customer request and for a twelve-month lookback period. The rights also would have to be disclosed in online privacy notices. Notably, the bill would create a private right of action for violations of its provisions.

We will continue to monitor this legislation and any other proposed legislation.

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

Owning the Mega-Breach

2018 was the year in which data breaches in mergers and acquisitions became the iceberg in full view. This fuller realization of cyber risk in transactions, though, actually has its origin in September 2016 – when Yahoo and Marriott were in the midst of deals that would involve some of the largest data breaches on record. Continue Reading Some Thoughts on the Year in Privacy and Data Security Law

Hold the date: Phil Yannella, Ballard Spahr partner and co-chair of the firm’s Privacy & Data Security Group, will participate in an ACC webcast on Tuesday, December 4, 2018 titled “The State of US State Privacy Laws.” The webcast will focus on the recent proliferation of US state privacy and data security laws, some of which provide for a private right of action, and discuss how companies can provide “reasonable” security to customer and employee data. You can register for the webcast here. 

 

For good reason, there has been much discussion about the new privacy rights created by the California Consumer Privacy Act of 2018 (CCPA), which becomes effective January 1, 2020. Perhaps one of the most significant provisions of the CCPA, though, will be one that has been somewhat overlooked: Section 1798.150, which provides for statutory damages of between $100 and $750 per consumer per incident for certain data breaches. Indeed, had California enacted Section 1798.150 alone, it would have garnered scores of articles on how its statutory damages remedy will likely lead to an explosion in “bet-the-company” private class action litigation over data breaches. The fact that it was enacted as just one provision in a first-in-the-nation privacy law has resulted in commentators spending less time analyzing its impact on businesses.

We will try to remedy this by taking a look at this provision and analyzing how it will apply to businesses covered by the CCPA. We begin by discussing existing California laws that are referenced in the CCPA’s private right of action. We then track the private right of action through its various forms, starting with the ballot measure and ending with its current version as reflected in Senate Bill 1121. Finally, we discuss how the private right of action likely will be used by private litigants and what steps businesses should take to avoid costly litigation. Continue Reading Analyzing the California Consumer Privacy Act’s Private Right of Action

Less than three months after California passed the California Consumer Privacy Act of 2018 (CCPA), Governor Jerry Brown signed SB 1121 this week, making a number of technical and substantive changes to the law.

Of particular note: SB 1121 modifies the financial institution carve-out language in CCPA section 1798.145(e). While the change is a welcome development for entities subject to regulation under the Gramm-Leach-Bliley Act (GLBA), it does not grant full exemption from the CCPA. Therefore, GLBA-regulated entities that collect information online will need to analyze the CCPA’s requirements and how they apply to a specific business. Continue Reading GLBA and the California Privacy Act: Analyzing SB 1121’s Change to the Financial Institution Carve-Out Provision

California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain or transmit; and
  • designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

Continue Reading California Poised to Enact Internet of Things Information Security Law

Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.

Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director of Legislative Affairs who ushered the law through the state legislature. The Summit will also feature panel discussions on the current state of GDPR, how the new California Consumer Privacy Act will affect businesses, and innovative ways to mitigate risk in a world with quickly changing technology.

The Summit is co-sponsored by IMA Financial Group, Kivu Consulting, Noosa Yogurt, and Colorado = Security.

CO CLE and IAPP CPE credits are pending. Uniform Certificates of Attendance will also be made available for the purpose of seeking CLE credit in other jurisdictions.

For more information and to register please click here.

 

The New York Department of Financial Services (“NYDFS”) has adopted a regulation that requires “consumer credit reporting agencies” (“CCRAs”) to register with the NYDFS, prohibits CCRAs from engaging in certain practices, and requires CCRAs to comply with certain provisions of the NYDFS cybersecurity regulation. Continue Reading NYDFS Requires Consumer Credit Reporting Agencies to Comply with Cybersecurity Regulation

As we discussed in our prior alert, California voters had been poised to consider a citizen-initiated ballot measure that would have significantly expanded the privacy rights of California citizens and provided substantial penalties for noncompliant companies. In response to that ballot measure, the California legislature hastily pushed through privacy legislation despite the “grave, grave concerns” expressed by lawmakers.

Lawmakers were willing to enact the flawed legislation based on an assurance from the leader of the ballot measure that he would not submit the measure if the legislation was passed. However, because the deadline to submit ballot measures was June 28, 2018, lawmakers had to rush the legislation through both houses. And, since state law requires that legislation be in print for at least 72 hours before a vote, lawmakers had no opportunity to offer amendments.

Lawmakers were willing to engage in such a rushed course of action because, if the ballot measure had become law, both houses would have been required to approve any changes by a 70 percent vote instead of a simple majority. Also, because the legislation does not go into effect until January 1, 2020, lawmakers theoretically can fix any problems in the intervening time frame.

Despite its tumultuous legislative history, the legislation—titled the California Consumer Privacy Act of 2018—grants significant privacy rights to California residents. Any entity that does business in California and qualifies as a “business” under the Act will need to comply with the law or risk substantial financial penalty.

Continue Reading California Passes Legislation Significantly Changing Privacy Requirements for Entities Doing Business in the State