Unless you have been paying attention to data privacy news, you may not realize that January 1, 2020, is the implementation date of the California Consumer Protection Act (CCPA) and that July 1, 2020, is the current deadline for the California Attorney General to implement regulations under the CCPA. As currently drafted, the CCPA directs the California Attorney General to forgo bringing any enforcement action under the CCPA until six months after publication of such final regulations, or July 1, 2020, whichever is sooner.
The CCPA constitutes an expansion beyond California’s existing privacy laws and various provisions of the new law will apply to all businesses that do business in California:
- With annual gross revenue greater than $25 million (not just in California),
- That obtain or share for commercial purposes the personal information of 50,000 or more California residents, households or devices, or
- That get 50% or more of their revenue from selling or sharing the personal information of California residents.
Many non-California based businesses may be surprised to learn that they fall within the scope of the CCPA.
The CCPA was passed quickly to avoid a similar voter initiative ballot measure, and as a result has numerous ambiguities and apparent inconsistencies. The law was amended on September 23, 2018, and it is very likely that the law will be changed again by amendment, and clarified through final rules and regulations, before it comes into effect on January 1, 2020.
Note that at this point, the application of the CCPA to employee data remains an open question. On its face, the CCPA appears to apply only to California “consumers.” However, the CCPA’s definition of consumer (a California resident), combined with California’s longstanding practice of protecting individual privacy rights, suggests that the CCPA also may extend to the personal information of California residents maintained as part of an employment relationship. If so, the CCPA would apply to residents of California who are job applicants, full- or part-time employees, temporary workers, interns, volunteers, independent contractors, and even such persons’ dependents or beneficiaries.
While the CCPA will almost certainly change again before it comes into effect on January 1, 2020, businesses may want to begin thinking now about some of the core new provisions in that law. In particular, a business should consider how it will respond to consumers’ requests for information about the personal information the business holds about them, and to consumers’ requests to delete that personal information. Note that, as presently drafted, the CCPA requires businesses to maintain a twelve (12) month look-back (reaching as far back as January 1, 2019) of data processing activities relating to covered personal information.
Also worth watching is the law’s treatment of private rights of action. While the CCPA does not contain a private right of action for violation of any of the new disclosure or individual rights provisions, it does provide a private right of action for California consumers whose information has been compromised in a data breach resulting from inadequate security measures. This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute. From a litigation standpoint, these statutory damages plus the broad definition of “consumer” mean that plaintiffs’ attorneys may be gearing up to use the CCPA to bring cases against businesses that do business in California on behalf of a myriad of different groups about whom businesses typically hold personal information, including, for example, end-use customers, employees, shareholders, service providers and vendors.
If you have questions or would like to discuss the CCPA’s application to your business, please contact a member of the McGrath North Privacy and Data Security team.
McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on January 26, 2017. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda, just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, October 15, from 5:30 – 7:30 p.m. at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.
For more information, click here to access the IAPP website.
The Federal Trade Commission Has Issued Important Guidance Regarding How To Respond To A Data Breach.
On October 25, 2016, the Federal Trade Commission (“FTC”) issued a guide and instructional video regarding how to respond to a data breach. Both the guide and video are available at this link, which also contains a summary by the FTC.
The FTC’s guidance is not binding, but it is important because it is likely to be used as a benchmark by other government agencies and by plaintiffs’ lawyers who are trying to prove that a company acted negligently in responding to a data breach.
Among other things, the FTC’s guidance discusses:
- Securing a company’s operations in response to a data breach while not destroying forensic evidence;
- Fixing vulnerabilities; and
- Notifying appropriate parties.
The FTC’s guidance helps show why companies should work proactively with attorneys to develop a game plan before a data breach occurs.
Until now, the federal government has only provided criminal sanctions for misappropriation of trade secrets, leaving civil remedies for businesses exclusively to the states. However, President Obama signed the Defend Trade Secrets Act of 2016 (DTSA) into law on May 11, 2016, effective immediately. The DTSA creates a civil action for businesses to seek redress under federal law for the misappropriation of their trade secrets. This new federal law does not preempt state law, but provides businesses with the option to file their claims under either state or federal law. Federal courts can provide many benefits to plaintiffs, such as uniformity of law across all jurisdictions and efficiency given the federal system’s smaller case load.
DTSA matches much of what state law has already provided. Here is what is new:
“Whistleblower Immunity”: The DTSA provides immunity from criminal and civil liability for an individual disclosing a trade secret to any federal, state, or local government official, or to an attorney, for the purpose of “reporting or investigating a suspected violation of law.” Immunity is also provided to individuals who disclose a trade secret to their attorney in an action against an employer for retaliation for reporting a violation of law. Additionally, this immunity allows the individual to use the trade secret in the retaliation court proceeding. The DTSA requires employers to provide notice of this immunity to employees, independent contractors and consultants, either by inclusion in an agreement that governs use of trade secrets or in a policy document, cross-referenced in such an agreement, that establishes the employer’s reporting policy for suspected violations of law. Failure to provide this notice will deprive employers of their right to another DTSA benefit – collection of exemplary damages and attorney fees – in an action against any employee, independent contractor or consultant who was not provided notice.
Ex Parte Seizure: The DTSA includes an ex parte seizure provision that, in extraordinary circumstances, allows employers to seize another party’s property containing misappropriated trade secrets without that party’s knowledge. Such a request for seizure may be granted if immediate and irreparable injury would otherwise occur because there is a high likelihood that the other party would evade, avoid, or not comply with other equitable relief by destroying, moving, hiding, or otherwise making the matter inaccessible to the court.
Time is of the essence for employers to update their agreements to become compliant with the DTSA and to consider updating their policies on when trade secret misappropriation actions will be pursued. Employers should also consider adding the immunity notice to confidentiality forms and non-disclosure agreements. Please contact the McGrath North Intellectual Property Group with your DTSA compliance concerns or to discuss commencing a misappropriation of trade secrets action.
Cyber Risk impacts all businesses. A holistic company approach, starting from the top, helps in the effort to combat the likelihood of a security incident.
Learn more from Amy Roland and Amy Bagge, who co-authored the feature article published in the March/April 2016 edition of The Nebraska Lawyer. Click here to read the full article.
McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on January 28. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda, just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, January 28, 2016, 6:15 pm – 7:45 pm at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.
For more information, click here to access the IAPP website.
Amy Bagge, an associate attorney at McGrath North, has earned the designation of Certified Information Privacy Professional/United States (CIPP/US) through the International Association of Privacy Professionals (IAPP), the world’s largest information privacy organization. Founded in 2000, the IAPP is the leading association for privacy professionals in the world and the first organization to establish professional standards for education and training in cybersecurity. The CIPP/US credential is the preeminent professional certification offered in information privacy.
Amy’s CIPP/US certification demonstrates her broad-based knowledge of United States privacy laws and regulations, as well as an understanding of the requirements for the responsible transfer of sensitive personal data. Amy is one of only three attorneys in the State of Nebraska who have successfully obtained CIPP/US certification.
Amy is an attorney in the firm’s Intellectual Property practice group and focuses her practice on all aspects of intellectual property and technology law, providing vital counsel to her clients on matters such as trademark clearance and protection, copyright law, privacy and information security, licensing, cloud computing, use of open source technology, and securing and protecting sensitive personal data.
On October 6, 2015, the European Court of Justice (ECJ) issued a ruling invalidating the U.S.-EU Safe Harbor Framework (Safe Harbor). Safe Harbor is an agreement between the U.S. and the EU designed to create a streamlined way to transfer personal data from Europe to U.S. firms in accordance with European data protection rules. Over 4,000 U.S. companies are currently Safe Harbor self-certified.
Does It Impact Your Company?
Yes, if your company has relied on its Safe Harbor certification for authority to transfer data from the EU to the U.S. for processing (for example, if your company transfers European employees’ personal data back to the U.S. for human resources purposes) or if your company uses vendors or suppliers that have relied on the Safe Harbor to transfer data from the EU to the U.S.
What Are Your Company’s Next Steps?
If you believe your company may be affected by this decision, we recommend working quickly to analyze any cross-border data flows to the U.S. Such analysis includes a thorough review of your company’s supply chain. If your company transfers data from the EU to a U.S. processor, or accesses data of EU data subjects that may be stored or processed by a processor in the EU, we recommend reviewing all agreements executed with such processors, identifying which ones have represented that they are Safe Harbor certified, and promptly working with each such entity to find an alternative means of satisfying the European data protection rules.
For compliance purposes, we also recommend mapping out what kinds of data are processed across borders (personal and otherwise), identifying the data subjects (customers, employees, etc.) and estimating the amount of data transferred.
How Can Your Company Continue to Transfer Data in the Absence of Safe Harbor?
To the extent that your company or your vendors or suppliers have relied on Safe Harbor for data transfers, you should consider alternative mechanisms that provide a lawful basis for such transfers, including incorporating the Model Contract Clauses by addenda into current supplier and vendor agreements, implementing Binding Corporate Rules or obtaining prior written consent from all data subjects.
Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions, would like to discuss how the Safe Harbor ruling applies to your company or if you would like additional information on how to make your company compliant with the EU Data Protection Directive.
Read the press release from the European Court of Justice. (http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf)
McGrath North is pleased to host the International Association of Privacy Professionals (IAPP) Privacy After Hours event coming to Omaha on October 15. Privacy After Hours is a fun and easy way for IAPP members and non-members to get to know other local privacy professionals. There’s no agenda, just show up to the designated location and have a good time! The event is open to anyone who works in or is interested in privacy. The Omaha event will be Thursday, October 15, from 5:30 – 7 p.m. at Fox and Hound, Western Crossing Shopping Center, 506 N 120th Street, Omaha, NE 68154.
For more information, click here to access the IAPP website.
A recent federal court decision upheld the Federal Trade Commission’s (FTC) authority to take enforcement action on behalf of consumers against businesses that fail to take reasonable steps to secure sensitive consumer information.
The U.S. Court of Appeals for the Third Circuit ruled that the FTC could proceed with a lawsuit alleging that hotel chain Wyndham Worldwide Corp. was, at least in part, responsible for the three unauthorized intrusions it experienced over the span of two years that compromised the credit card numbers of 619,000 customers and led to more than $10.6 million in fraudulent charges (click here to read the ruling). The FTC alleged that Wyndham had engaged in cybersecurity practices that, collectively, were unfair and unreasonable, resulting in unnecessary exposure of consumers’ sensitive data. The Wyndham practices the FTC cited as unfair and unreasonable included, but were not limited to, lax password management, a lack of appropriate firewall protection for consumer data, use of outdated software and failure to follow proper incident response procedures.
Going forward, based on the reasoning of the Wyndham decision, it is going to be difficult for any business, large or small, to take the position that it was somehow unaware of the importance of cybersecurity. As such, it is imperative that your business have appropriate cybersecurity practices and policies in place for the protection of sensitive consumer information. When reviewing your business’s current cybersecurity practices and policies, keep in mind the following principles:
- Be aware of all the personal information collected, retained and shared. Review your system to learn how your business and/or vendors use consumer data. Restrict access to sensitive data to only those “need to know” employees or vendors.
- Keep only personal information required for legitimate business operations. If you don’t need it, don’t keep it.
- Use physical and electronic security to protect the information your business retains. Such security could include firewalls, encryption of sensitive data or implementing password management rules.
- Properly dispose of personal information as soon as it is no longer necessary for business operations. When disposing of old computers and portable storage devices, use software for securely erasing data.
- Have a plan to respond to security incidents. Designate someone on your staff with sufficient authority within your organization to coordinate and implement the response plan. Investigate security incidents immediately.
Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions or would like to discuss your business’s cybersecurity practices and policies.