As states fill the legal void for consumer privacy rights,[1] a new federal standard has emerged to assist companies with their compliance efforts. The National Institute of Standards and Technology (“NIST”) Privacy Framework (“PF”) was released last month to help organizations manage the risks associated with their data processing activities.
What the PF Does
Under the California Consumer Privacy Act, any California consumer whose personal information is compromised “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices … may institute a civil action.”[1]
Consumers can initiate this private right of action right now, whereas other consumer rights can only be enforced by the Attorney General beginning in July.[2]
Why This Matters
Most civil actions filed against companies during the last decade were dismissed. Why? Consumers were unable to demonstrate a suitable harm. Sure, cybersecurity incidents are a hassle for consumers to deal with, but that alone was not enough. Recently, however, courts have said “the hassle” is enough, at least for cases to proceed past their initial stages. This has led to a steady rise in both the number of cases that are settled and their dollar amounts.
Complicating things further, under the CCPA proving harm doesn’t necessarily matter. If personal information is compromised because of a failure to implement and maintain reasonable security, the CCPA quantifies harm to be “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident” or an amount higher if proven.[3] What matters is whether your security is reasonable.
Google’s search engine defines reasonable as “as much is appropriate or fair.” For those who reminisce about how they spent three years in law school learning the many ways “reasonable” can be interpreted, the CCPA may trigger déjà vu; neither the CCPA nor its proposed regulations defines “reasonable security.” But reliable guidance is available.
Continue Reading CCPA Is Here – Is Your Security “Reasonable”?
On January 1, 2020, if your company sells goods or services to California consumers and meets certain criteria,[1] the agreements you have with companies that handle personal information on your behalf should be analyzed and, if necessary, updated just as your privacy notices should be updated.[2]
Examples of companies that handle personal information on a company’s behalf include marketing companies, managed security service providers (MSSP), and software-as-a-service (SaaS) providers such as payment processing, document and email management, and customer analytics companies.
Why this Matters
Under the California Consumer Privacy Act (“CCPA”), companies that handle consumer information on behalf of a company are “service providers.”[3] The CCPA requires that a company enter into an agreement with a service provider that
prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business … [4]
This is important because the CCPA exempts a company for any violation of the CCPA if its service providers have executed an agreement and they, not the company providing the personal information, violates any of the rights given to California consumers under the CCPA.[5]
Continue Reading CCPA is Here – Are Your Agreements Ready?
Last year towards the end of May, a barrage of emails and pop-ups informed online users about how companies use cookies – small bits of software that track website activity – in accordance with a requirement under the European Union’s General Data Protection Regulation.
On January 1, 2020, many companies will inform consumers about updates to their privacy notices – agreements between companies and their consumers about how personal information is processed – in accordance with a requirement under the California Consumer Privacy Act (“CCPA”).
Why this Matters
A privacy notice (aka privacy policy or privacy statement) is typically the first place a company explains its practices for handling the personal information it collects. Privacy notices have received considerable attention this year, not all of it positive. You do not have to read all of the New York Times article, “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster,” to know what it concluded.[1] Similarly, an article titled “Are Organizations Ready for New Privacy Regulations?” summarizes the Online Trust Alliance’s analysis of 1,200 privacy statements and its view that many of these privacy notices could result in penalties for failing to follow new laws such as the CCPA.[2] In addition, privacy notices have been the subject of litigation in cases asserting that the sale of customer information to non-affiliated entities for marketing purposes,[3] and the transfer of customer data in a merger, asset sale, or sale of customer information, were all improper because they violated companies’ privacy notices.[4]
Continue Reading CCPA is Here – Is Your Privacy Notice Ready?
Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from
For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?”
These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a “culture of change” that better protects consumers – were part of separate meetings with each of the five FTC commissioners last month. On the heels of these meetings, Senator Ron Wyden (D-OR) proposed federal legislation that would give the FTC new powers and incarceration for executives who fail to meet industry standards.
With the FTC already requiring at least one CEO to verify that a company is meeting industry standards for privacy, the question of what industry standards apply is more important than ever. Since 2010 the FTC has resolved about 50 cases involving alleged cybersecurity incidents and privacy violations (mostly the latter). In 12 of these the FTC named directors and officers and their organizations. In four of these the FTC negotiated settlements requiring organizations to establish and implement written cybersecurity and privacy programs. As noted previously, the FTC has been on a tear”[1] and recently mandated that Equifax implement a comprehensive cybersecurity program that included, “at a minimum,” 26 requirements.
Which brings us back to Chairman Simons’ questions and what constitutes “industry standards.” Some laws and commonly used contract terms define industry standards as “the usual and customary practices in the delivery of products or services within a particular business sector.”[2] Industry standards can also refer to a standard adopted by a Standards Setting Organization. Establishing such standards takes time as they must be tested to ensure broad application. Enter NIST – the National Institute of Standards and Technologies.[3]
In February 2013, an executive order was issued requiring government and private sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[4] A year later the NIST Cybersecurity Framework (“CSF”) was published and last year on April 16 it was updated. The Organization of American States and Amazon Web Services recently described it as:
[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach to strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.[5]
The CSF can be found here: https://www.nist.gov/cyberframework.
The Internet Society’s Online Trust Alliance (OTA) released a report this week that measured 1200 U.S.-based organizations’ readiness for three major global privacy regulations: the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States that goes into effect January 1, 2020, and the Personal Information
What the FTC Wants, the FTC (Mostly) Gets
In recent weeks the Federal Trade Commission has been on a tear. As one example, on July 22 it announced a $700 million settlement with Equifax for “the 2017 data breach that jeopardized the personal data of a staggering 147 million people.” But it is a decision earlier this year that is perhaps more ominous, at least regarding personal liability for directors and officers (“D&Os”).
On February 27, 2019, after announcing a $5.7 million settlement with TikTok for various privacy violations relating to its lip-syncing app, two of the five FTC commissioners, Rebecca Kelly Slaughter and Rohit Chopra, issued this joint statement:
When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.
This approach appears to have some traction with the current FTC Chairman, Joe Simons, and the Bureau of Consumer Protection Director, Andrew Smith, who both discussed Slaughter and Chopra’s statement at the 2019 International Association of Privacy Professionals Global Privacy Summit. Smith described naming D&Os as a “way to make companies take notice that [the FTC] is serious about compliance.”
Continue Reading Recent FTC Enforcement Actions
Does your business collect personal information from residents in California? Does it monitor user activity on its website? If so, there is a good chance it will need to comply with the California Consumer Privacy Act (“CCPA”), which takes effect January 1, 2020.
Following the European Union’s implementation of GDPR, California adopted the CCPA, which
The Yahoo! class action over the 2013-2014 hacks, affecting 1 billion (later updated to 3 billion) accounts, is poised to settle for $85 million – and the provision of free credit monitoring services for 200 million account holders for 2 years.
While $85 million may seem like a relative bargain compared to the $350 million