Financial institutions have always banked their privacy practices on the requirements under Title V of the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. That day is now over! The California Consumer Privacy Act (CCPA) is sweeping in and changing the financial privacy landscape. Many had hoped the CCPA would have an all-inclusive exemption for financial institutions already subject to compliance under GLBA; however, the California legislature has made clear that the CCPA will apply to portions of the data held by financial institutions.
Scope of Financial Institution Exemption
CCPA exempts certain types of information that are subject to GLBA. The impact for financial institutions: all of the personal information collected today that is not subject to GLBA will be subject to CCPA (to the extent the financial institution is subject to CCPA). This includes the following information: personal information collected through general advertising and website marketing; personal information obtained from non-financial-institution partners; and personal information obtained for commercial (non-personal or household) purposes.
A financial institution will be subject to CCPA if it does business in California and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.
Financial Institution Data Likely Subject to CCPA
The initial action financial institutions should take is to perform an internal data mapping exercise. Once the financial institution has determined what personal information it collects that is not subject to GLBA, the financial institution can prepare a practical and efficient CCPA compliance plan for all “non-GLBA” information.
As you are formulating a plan to comply with CCPA, our experienced privacy team is ready to partner with you in determining the most practical approach that minimizes disruptions to your already existing GLBA obligations. Here is a link for more information about our team: Privacy Team
With the California Consumer Privacy Act’s (CCPA) compliance deadline fast approaching (January 1, 2020), companies are preparing to comply with the additional complex data privacy and security requirements. HIPAA-Covered Entities may mistakenly overlook the fact that the CCPA does not wholly exempt personal information collected by HIPAA-Covered Entities, but instead only exempts information already protected by HIPAA. HIPAA, the Health Insurance Portability and Accountability Act, requires health care organizations, employer-sponsored group health plans, healthcare clearinghouses, and other Covered Entities to ensure the privacy and security of Protected Health Information (“PHI”). Although the CCPA exempts data that constitutes PHI, a HIPAA-Covered Entity or related Business Associate must still protect personal data (or even health data) that is covered by the CCPA but does not satisfy the definition of PHI under HIPAA.
HIPAA-Covered Entity Data Could Be Subject to CCPA
What type of data is governed by HIPAA and, as a result, exempt from the CCPA? PHI is defined as “individually identifiable health information” held or transmitted by a Covered Entity or its Business Associate, in any form or medium, whether electronic, paper, or oral. For example, health information, demographic data, medical histories, test results, and insurance information are forms of PHI if they can reasonably be used to identify a patient. Identifiers coupled with health information such as names, geographic locations, dates, contact information, social security numbers, and more can also constitute PHI. If the data amounts to PHI, that data is exempt from the CCPA.
Not all data collected by a HIPAA-Covered Entity amounts to PHI. For example, employment records held in the hands of an employer (rather than held by the group health plan sponsored by the employer) are not PHI. Any data collected by a HIPAA-Covered Entity that is not PHI will be subject to the CCPA (to the extent the entity is subject to the CCPA). However, the CCPA provides for an exception. When a Covered Entity or health care provider maintains health information in the same manner as PHI, even though the health information is not PHI, the CCPA rules do not apply. That being said, applying HIPAA privacy and security rules to non-PHI could be a burdensome task and cause confusion amongst a Covered Entity’s employee population.
What This Means for HIPAA-Covered Entities
Start your data mapping now. To determine what information is collected that is not protected under HIPAA, and to what extent the CCPA applies to such data, you must understand what categories of information are collected, who it is received from, what is being done with the data, and who it is shared with. From there, you can formulate a CCPA plan that correlates and flows with obligations under HIPAA to ensure efficiencies throughout your data compliance program.
As you are reviewing CCPA application to your entity, reach out to our experienced privacy and ERISA team to partner with you to develop a practical plan that minimizes risk and syncs to your already existing HIPAA obligations. Here is a link for more information about our team: Privacy Team
Tackling The California Market From The Midwest? What A Business Needs To Know About The California Consumer Privacy Act (CCPA)
The data privacy regime is starting to look more like the wild west every day. A year after companies had to focus resources on complying with Europe’s onerous requirements under the General Data Protection Regulation (GDPR), companies must once again gear up for the first round of U.S. state efforts to tighten data privacy rules with California’s new California Consumer Privacy Act (CCPA), which comes into effect on January 1, 2020. Whether you were able to ignore GDPR or not, CCPA sets the data privacy bar higher for most U.S.-based companies.
DOES CCPA APPLY TO YOUR COMPANY?
CCPA generally will apply to any for-profit company that does business in California; and, either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.
COMPLIANCE WITH GDPR DOES NOT EQUAL COMPLIANCE WITH CCPA.
CCPA also includes specific disclosure requirements with respect to the “sale” of California consumer personal information and specific disclosure requirements with respect to personal information of minors. As part of the “sale” disclosures, many companies will need to add a new website opt-out option labeled “Do Not Sell My Personal Information.”
RISKS OF NONCOMPLIANCE.
CCPA is enforceable by both the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). Enforcement of CCPA will begin by the California Attorney General 6 months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500-$7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).
EXEMPTIONS – GLBA AND HIPAA.
There are specific exemptions with respect to certain types of data under CCPA. If you are a financial institution subject to the Gramm-Leach-Bliley Act (GLBA) or a covered entity subject to HIPAA, certain data collected will be exempt. However, financial institutions and covered entities are still subject to CCPA with respect to data not subject to GLBA (non-NPPI) or HIPAA protection (i.e., non-PHI). It is important for companies to understand the interplay between all privacy regulations and set forth a data privacy compliance program that complies with all applicable laws.
WHERE TO START.
Analyzing the application of data privacy regulations can be daunting. McGrath North recommends companies start with data mapping to determine what information is collected, where the information is collected from, and what a company does with the information (including a list of third-parties that the information is later shared with). From here, companies can start to formulate well-thought-out compliance programs that allow them to comply with applicable data privacy laws while maintaining efficient and effective operations.
With a heightened national focus on data privacy and security, these burdensome and sometimes difficult to manage regulations are not going away. Whether you put in place a compliance program to satisfy the requirements of GDPR or not, CCPA and other U.S. state-based data privacy laws will impact almost all nationally operating entities.
McGrath North has data privacy experts to help you work through the weeds of the regulations and to partner with you to determine the most practical and efficient way for your company to implement privacy policies and procedures to ensure compliance. Here is a link for more information on our team: Privacy Team
GDPR One Year Later: Has Your Company Sorted Through The Confusion And Risks – What U.S. Companies Need To Remember
It’s been more than one year since Europe’s General Data Protection Regulation (GDPR) went into effect, and the data protection regulatory front still remains confusing and difficult to trudge through for many U.S.-based companies. However, it is clear there is no slowing down when it comes to increased data privacy regulation. Below is a refresher on the basics of GDPR, as last year we saw many U.S.-based companies put aside the issue of whether they needed to focus dollars and time on complying with GDPR. As the regulatory front continues to grow and there is increasing pressure from consumers, customers and vendors to pay attention to data privacy laws (like GDPR), companies that avoided GDPR should review the jurisdictional requirements to confirm their compliance obligations.
WHY CARE – HOW GDPR APPLIES TO U.S. COMPANIES?
Why should a U.S. (or local Midwest-based) company pay attention to a set of regulations providing rights (in general) to residents of European nations? The answer is simple: GDPR’s extra-territorial reach allows European nations that have adopted GDPR to latch onto U.S.-based companies that have no physical presence in Europe. A U.S.-based company with no operations (or other establishment) in Europe will be subject to GDPR jurisdiction if the company either (1) offers goods or services to residents of European nations, or (2) monitors the behavior (e.g., through its website) of residents of European nations.
PRACTICAL WAYS TO START YOUR COMPLIANCE PLAN.
Companies that desire to start formulating a plan with respect to data privacy compliance should start with data mapping. Understanding where and from whom data is collected, what the company does with the data, and where and with whom data is shared will help a company determine what data privacy regimes govern its operations. From there, a company can begin to pull together its data privacy compliance program (whether basic or more sophisticated) to ensure compliance with all applicable data privacy laws.
IMPLEMENTING NECESSARY CHANGES.
Penalties under GDPR for noncompliance can be hefty, up to 20 million Euros or 4% of a company’s worldwide annual turnover (whichever is greater). Companies may also be subject to criminal penalties, suits by supervisory authorities or private rights of action by individuals. And today, various European supervisory authorities are beginning to investigate compliance among dozens of U.S.-based companies.
GDPR’S NOT FOR YOU – YOUR CUSTOMERS AND VENDORS MIGHT TELL YOU OTHERWISE.
Even if a company determines that GDPR’s jurisdictional reach does not apply to its operations, many U.S.-based companies are seeing their customers and service providers require them to comply with the terms of GDPR (through flow-down liability). It is important for companies to understand what they are contractually signing up for and what impact agreeing to GDPR compliance will have.
What this means for most U.S.-based companies is that if GDPR is not yet on your radar (or you subtly ignored GDPR over the last few years), today is the day to review its application and take the necessary steps to gain compliance. With the regulatory focus on data privacy and security, even if GDPR does not apply to your company, almost all U.S.-based companies will be impacted by various state data privacy laws working their way through local legislatures. Starting with GDPR analysis is just the beginning!
As you are evaluating GDPR’s ongoing impact, our experienced privacy team is ready to partner with you in formulating a practical, effective and tailored compliance approach that minimizes disruptions to your company’s business plans. Here is a link for more information on our team: Privacy Team
Unless you have been paying attention to data privacy news, you may not realize that January 1, 2020, is the implementation date of the California Consumer Privacy Act (CCPA) and that July 1, 2020, is the current deadline for the California Attorney General to implement regulations under CCPA. As currently drafted, the CCPA directs the California Attorney General to forego bringing any enforcement action under the CCPA until six months after publication of such final regulations, or July 1, 2020, whichever is sooner.
The CCPA constitutes an expansion beyond California’s existing privacy laws and various provisions of the new law will apply to all businesses that do business in California:
- With annual gross revenue greater than $25 million (not just in California),
- That obtain or share for commercial purposes the personal information of 50,000 or more California residents, households or devices, or
- That get 50% or more of their revenue from selling or sharing the personal information of California residents.
Many non-California based businesses may be surprised to learn that they fall within the scope of the CCPA.
The CCPA was passed quickly to avoid a similar voter initiative ballot measure, and as a result has numerous ambiguities and apparent inconsistencies. The law was amended on September 23, 2018, and it is very likely that the law will be changed again by amendment, and clarified through final rules and regulations, before it comes into effect on January 1, 2020.
Note that at this point, the application of the CCPA to employee data remains an open question. On its face, the CCPA appears to apply only to California “consumers.” However, the CCPA’s definition of consumer (a California resident) combined with California’s longstanding practice of protecting individual privacy rights, suggests that the CCPA also may extend to the personal information of California residents maintained as part of an employment relationship. If so, the CCPA would apply to residents of California who are job applicants, full or part time employees, temporary workers, interns, volunteers, independent contractors, and even such persons’ dependents or beneficiaries.
While the CCPA will almost certainly change again before it comes into effect on January 1, 2020, businesses may want to begin thinking now about some of the core new provisions in that law, in particular, how the business will respond to consumers’ requests for information about their personal information held by the business and such consumers’ requests to delete their personal information held by the business. Note that as presently drafted, the CCPA requires businesses to maintain a twelve (12) month look back (as early as back to January 1, 2019) of data processing activities relating to covered personal information.
Also worth watching is the law’s treatment of private rights of action. While the CCPA does not contain a private right of action for violation of any of the new disclosure or individual rights provisions, it does provide a private right of action for California consumers whose information has been compromised in a data breach resulting from inadequate security measures. This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute. From a litigation standpoint, these statutory damages plus the broad definition of “consumer” means that plaintiff’s attorneys may be gearing up to use the CCPA to bring cases against businesses that do business in California on behalf of a myriad of different groups about whom businesses typically hold personal information including, for example, end use customers, employees, shareholders and service providers and vendors.
If you have questions or would like to discuss the CCPA’s application to your business, please contact a member of the McGrath North Privacy and Data Security team.
McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on January 26, 2017. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda, just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, October 15, from 5:30 – 7:30 p.m. at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.
For more information click here to access the IAPP website.
The Federal Trade Commission Has Issued Important Guidance Regarding How To Respond To A Data Breach.
On October 25, 2016, the Federal Trade Commission (“FTC”) issued a guide and instructional video regarding how to respond to a data breach. Both the guide and video are available at this link, which also contains a summary by the FTC.
The FTC’s guidance is not binding, but it is important because it is likely to be used as a benchmark by other government agencies and by plaintiff’s lawyers who are trying to prove that a company acted negligently in responding to a data breach.
Among other things, the FTC’s guidance discusses:
- Securing a company’s operations in response to a data breach while not destroying forensic evidence;
- Fixing vulnerabilities; and
- Notifying appropriate parties.
The FTC’s guidance helps show why companies should work proactively with attorneys to develop a game plan before a data breach occurs.
Until now, the federal government has only provided criminal sanctions for misappropriation of trade secrets, leaving civil remedies for businesses exclusively to the states. However, President Obama signed the Defend Trade Secrets Act of 2016 (DTSA) into law on May 11, 2016, effective immediately. DTSA creates a civil action for businesses to seek redress under federal law for the misappropriation of their trade secrets. This new federal law does not preempt state law, but provides businesses with the option to file their claims under either state or federal law. Federal courts can provide many benefits to plaintiffs, such as uniformity of law across all jurisdictions and efficiency given the federal system’s smaller case load.
DTSA matches much of what state law has already provided. Here is what is new:
“Whistleblower Immunity”: DTSA provides immunity from criminal and civil liability for an individual disclosing a trade secret to any federal, state, or local government official, or to an attorney, for the purpose of “reporting or investigating a suspected violation of law.” Immunity is also provided to individuals who disclose a trade secret to their attorney in an action against an employer for retaliation for reporting a violation of law. Additionally, this immunity allows the individual to use the trade secret in the retaliation court proceeding. DTSA requires employers to provide notice of this immunity to employees, independent contractors and consultants, either by inclusion in an agreement that governs use of trade secrets or in a policy document cross-referenced in such an agreement, which establishes the employer’s reporting policy for suspected violations of law. Failure to provide this notice will deprive employers of another DTSA benefit – collection of exemplary damages and attorney fees – in an action against any employee, independent contractor or consultant who was not provided notice.
Ex Parte Seizure: DTSA includes an ex parte seizure provision that allows employers to seize another party’s property containing misappropriated trade secrets without their knowledge in extraordinary circumstances. This request for seizure may be granted if immediate and irreparable injury will occur as a result of a high likelihood the other party will evade, avoid, or not comply with other equitable relief by means of destroying, moving, hiding, or otherwise making such a matter inaccessible to the court.
Time is of the essence for employers to update their agreements to become compliant with DTSA and to consider updating policies on when trade secret misappropriation actions will be pursued. Employers should also consider adding this notice to confidentiality forms and non-disclosure agreements. Please contact the McGrath North Intellectual Property Group with your DTSA compliance concerns or to discuss commencing a misappropriation of trade secrets action.
McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on January 28. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda, just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, January 28, 2016, 6:15 pm – 7:45 pm at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.
For more information click here to access the IAPP website.
On October 6, 2015, the European Court of Justice (ECJ) issued a ruling invalidating the U.S.-EU Safe Harbor Framework (Safe Harbor). Safe Harbor is an agreement between the U.S. and the EU designed to create a streamlined way to transfer personal data from Europe to U.S. firms in accordance with European data protection rules. Over 4,000 U.S. companies are currently Safe Harbor self-certified.
Does It Impact Your Company?
Yes, if your company has relied on its Safe Harbor certification for authority to transfer data from the EU to the U.S. for processing (for example, if your company transfers European employees’ personal data back to the U.S. for human resources purposes) or if your company uses vendors or suppliers that have relied on the Safe Harbor to transfer data from the EU to the U.S.
What Are Your Company’s Next Steps?
If you believe your company may be affected by this decision, we recommend working quickly to analyze any cross-border data flows to the U.S. Such analysis includes a thorough review of your company’s supply chain. If your company transfers data from the EU to a U.S. processor, or accesses data of EU data subjects that may be stored or processed by a processor in the EU, we recommend reviewing all agreements executed with such processors, identifying which ones have represented that they are Safe Harbor certified, and promptly working with each such entity to find an alternative means to satisfy the European data protection rules.
For compliance purposes, we also recommend mapping out what kinds of data are processed across borders (personal and otherwise), identifying the data subjects (customers, employees, etc.) and estimating the amount of transferred data.
How Can Your Company Continue to Transfer Data in the Absence of Safe Harbor?
To the extent that your company or your vendors or suppliers have relied on Safe Harbor for data transfers, you should consider alternative mechanisms to legalize such data transfers, including incorporating the Model Contract Clauses by addenda into current supplier and vendor agreements, implementing Binding Corporate Rules or obtaining prior written consent from all data subjects.
Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions, would like to discuss how the Safe Harbor ruling applies to your company or if you would like additional information on how to make your company compliant with the EU Data Protection Directive.
Read the press release from the European Court of Justice. (http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf)