Recent Developments in Consumer Privacy Legislation and Cybersecurity Practices
As regulators attempt to keep pace with the ever-changing technological landscape, legislation and agency guidance continue to evolve. Below, we provide insight into two recent developments – the clarification and modification of the California Consumer Privacy Act (CCPA) and the release of the U.S. Department of Health and Human Services’ (HHS) voluntary cybersecurity practices for health care organizations.
CCPA CLARIFIED BY RECENT LEGISLATIVE DEVELOPMENTS, ENABLING COMPANIES (INCLUDING THOSE IN NEW YORK) TO BETTER ANTICIPATE COMPLIANCE OBLIGATIONS BEFORE JANUARY 2020 DEADLINE
In recent weeks, the California Assembly’s Committee on Privacy and Consumer Protection approved a slew of bills intended to modify and/or clarify the CCPA; those bills subsequently cleared the California Assembly Appropriations Committee and were recently submitted to the Senate for final approval. Consequently, we are very close to knowing what the final version of the law will look like. The CCPA, which was signed into law in June 2018, takes effect on January 1, 2020, and may impact businesses with only small operations in California, or even businesses that are not physically located in California at all.
The CCPA is widely considered to be the most comprehensive privacy law in the United States. Indeed, it is often compared to the far-reaching European General Data Protection Regulation (GDPR). While the CCPA incorporates some GDPR concepts, there are many differences between the two, and it is imperative that businesses consult legal professionals who are intimately familiar with both, as well as other laws that may apply.
The CCPA applies to businesses conducting business in California that (1) have gross revenues in excess of $25 million; (2) buy, receive or share, for commercial purposes, the personal information of 50,000 or more consumers, households or devices; and/or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.
Companies with a relatively small operation in California or even companies that are not physically located in California may fall within the ambit of the statute, particularly if those companies collect, use or sell personal information of California consumers. Moreover, companies that control or are controlled by a business that is subject to the CCPA may also have to comply with the CCPA.
Further complicating interpretation of the CCPA is its definition of “personal information,” which is broader than the typical definition of Personally Identifiable Information (PII) under state data breach laws. For instance, as under the GDPR, IP addresses, aliases, postal addresses, unique personal or online identifiers, geolocations, professional information, signatures and “commercial information” constitute “personal information,” among other things.
The CCPA requires covered businesses to comply with various requirements, including, but not limited to, (1) providing particular privacy notices to consumers; (2) honoring certain consumer opt-out rights; (3) observing prohibitions on certain uses of personal information; and (4) permitting consumers to exercise their rights of disclosure and access, data portability, and erasure.
Although the CCPA does not explicitly impose data security requirements, it establishes a private right of action for certain data breaches resulting from a business’ failure to implement and maintain reasonable security procedures pursuant to existing California law. Consumers may seek the greater of actual damages or statutory damages of $100 to $750 per consumer per incident, as well as injunctive or declaratory relief. The California Attorney General is authorized to bring enforcement actions that may result in civil penalties of $2,500 to $7,500 per violation.
The California Attorney General is also required to draft implementing guidelines a few months before the end of this year, but companies need not wait for this guidance to begin evaluating whether the CCPA applies to them, and if so, to take steps towards compliance. Those of us who just finished or are in the midst of GDPR compliance efforts know that this process will take a lot of planning and resources, and planning well in advance of the deadline will significantly ease organizational burdens.
HHS RELEASES VOLUNTARY CYBERSECURITY PRACTICES FOR HEALTH CARE ORGANIZATIONS
The HHS recently released voluntary cybersecurity practices for health care organizations of all sizes entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP). The HICP was developed in response to a mandate set forth by the Cybersecurity Act of 2015 (CSA). Specifically, Section 405(d) of CSA directs the HHS to develop practical cybersecurity guidelines to reduce cybersecurity risks for health care organizations. Following the enactment of CSA, the HHS worked with more than 150 cybersecurity and health care experts for two (2) years to develop practices aimed at reducing security risks and updating cybersecurity programs across the health care industry.
The HICP consists of the following four (4) volumes:
- The main document of the HICP identifies the five (5) most relevant and current threats to the health care industry: (1) e-mail phishing attacks; (2) ransomware; (3) loss or theft of equipment or data; (4) insider, accidental or intentional data loss; and (5) attacks against connected medical devices that may affect patient safety. The main document also sets forth 10 cybersecurity recommendations to guard against these threats, which are consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework:
  - E-mail protection systems
  - Endpoint protection systems
  - Access management
  - Data protection and loss prevention
  - Asset management
  - Network management
  - Vulnerability management
  - Incident response
  - Medical device security
  - Cybersecurity policies
- Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations sets forth implementation strategies for the aforementioned 10 cybersecurity recommendations for small health care organizations. This technical volume is geared toward Information Technology (IT) departments and IT security professionals.
- Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations discusses how medium and large health care organizations can implement the 10 cybersecurity recommendations. This technical volume focuses primarily on the operation and management of IT departments and on IT security professionals.
- Resources and Templates: This final volume provides additional resources and materials that health care organizations of all sizes can access to assist with development of cybersecurity policies and procedures, including risk assessment and management.
Cybersecurity remains a top priority for the HHS, which recommends that all health care organizations review the guidance provided under the HICP and develop a plan to implement the recommended cybersecurity practices. In addition, the HHS plans to update the current cybersecurity threats and recommendations set forth in the HICP in order to remain current with the issues faced by health care organizations.
Should you have any questions regarding consumer privacy or cybersecurity, please contact any of the attorneys on our Data Security & Privacy Practice Team.