Keypoint: New Utah law creates incentive for businesses to develop and implement a written cybersecurity program to protect themselves against data breach lawsuits.
On March 11, 2021, Utah governor Spencer Cox signed the Cybersecurity Affirmative Defense Act, which creates affirmative defenses to certain causes of action arising out of a breach of system security.
Keypoint: Supreme Court’s decision could require individuals to suffer an actual injury prior to participating in a class action.
On December 16, the Supreme Court of the United States agreed to review a case with potential major implications for data-breach class actions.
Trans Union v. Ramirez arises out of a class action about inaccurate credit reports. The class representative claimed that his credit report contained an error indicating that his name matched someone on the government’s list of persons with whom businesses in the United States are prohibited from transacting. Mr. Ramirez claimed this error caused him to be unable to obtain credit when purchasing a vehicle, caused him embarrassment in front of his family, and caused him to cancel a vacation to Mexico.
Continue Reading Supreme Court to Hear Case With Large Potential Impact for Data-Breach Litigation
On May 26, the District Court found in the In Re: Capital One Consumer Data Security Breach Litigation, MDL No. 1:19md2915 (AJT/JFA)(ED VA) that a report prepared by Mandiant concerning the Capital One data breach (Breach Report) was not protected by the work product privilege and must be turned over to Plaintiffs.
Continue Reading Breach Report in Capital One Litigation Not Privileged
Keypoint: The use of no-contact temperature taking devices can be an important part of a company’s return-to-work program, but companies should fully vet these devices to ensure that they are not unintentionally violating privacy laws or exposing themselves to potential liabilities.
As U.S. companies start planning and implementing return-to-work plans, many are considering whether to use no-contact temperature taking devices.
The federal government has recognized that taking temperatures is a step that companies can take to mitigate the risk of spreading coronavirus. For example, the CDC interim guidance for critical infrastructure workers recommends that employers “measure the employee’s temperature and assess symptoms prior to them starting work.” EEOC return-to-work guidance also recognizes that employee screening “may include continuing to take temperatures . . . of all those entering the workplace.”
States and cities also have recommended taking temperatures. For example, in Colorado, the Governor’s office has encouraged large workplaces to implement symptom and temperature checks as part of the state’s gradual return-to-work strategy. New York Mayor Bill de Blasio has stated that temperature checks will be part of the City’s return-to-work program. New Jersey Governor Phil Murphy suggested that restaurants could check temperatures before allowing customers to enter.
However, the taking of temperatures creates logistical issues such as who should take the temperatures, what precautions should be in place, and when and where the temperatures should be taken. As with many other facets of this pandemic, companies have looked to technology to answer some of these questions, and there are many solutions – some old, some new – in the marketplace.
Depending on the type of device, the use of no-contact temperature taking devices can raise numerous privacy issues. As companies begin to vet and implement these devices, they will need to ensure that they do not unintentionally violate privacy laws or assume potential liabilities.
Continue Reading U.S. Privacy Law Implications with the Use of No-Contact Temperature Taking Devices
Keypoint: If properly deployed, the use of COVID-19 contact-tracing apps by employers, in combination with other measures, could be an effective way to return employees to the workforce. However, before deploying these apps, employers should take caution to fully vet the technologies being used to ensure that employee privacy is respected.
As the United States and Europe have started the process of returning to work, the development, deployment, and use of COVID-19 contact-tracing apps has become a focal point for how governments intend to mitigate risk. China, Singapore, and South Korea have already implemented national contact-tracing apps. European countries and Australia have been rapidly working towards their deployment.
In connection with the rapid development of governmental contact-tracing apps, tech companies have started to develop similar apps for employers. A handful of employer-focused contact-tracing apps are already on the market and many more are in development. Some employers are already planning to deploy these apps. For example, Ferrari recently announced that it will utilize a contact-tracing app as part of its “Back on Track” plan.
The use of these apps raises numerous privacy concerns for U.S. employers. As employers begin to vet these apps, they will need to ensure that they do not unintentionally violate privacy laws or assume liabilities by deploying them with their workforce.
Keypoint: Individuals and businesses should take steps to prevent against becoming victims of the rapid rise in Coronavirus-related hacking scams.
On March 20, 2020, the FBI issued an alert warning that cyber thieves are actively trying to exploit the Coronavirus pandemic to steal money, commit identity theft, and engage in other hacking-related activity. The Cybersecurity and Infrastructure Security Agency (CISA) issued a similar alert earlier this month.
Continue Reading FBI and CISA Warn of Coronavirus-Related Cyber Scams
Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.
2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.
But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.
Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.
Continue Reading The Year to Come in U.S. Privacy & Cybersecurity Law
Key Point: If signed by the Governor, the legislation will expand the types of personal information covered by the CCPA’s provision authorizing private litigants to seek statutory damages of between $100 and $750, per consumer per incident, for data breaches.
On September 6, the California legislature passed amendments to the state’s data breach notification statutes
Key Point: The SHIELD Act increases the statutory penalties for knowing and reckless violations of the State’s data breach notification law. It also authorizes the NY Attorney General to pursue injunctive relief and monetary penalties against persons and businesses who fail to implement reasonable safeguards to protect New York residents’ private information.
On July 25, 2019, New York Governor Andrew Cuomo signed two bills related to data privacy and identity theft. In our June 24 post, we summarized the contents of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The second signing was the Identity Theft Prevention and Mitigation Services bill. Highlights of the laws’ requirements and effective dates are described below.
Key Point: If signed by the Governor, the legislation will require entities doing business in New York to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information.
As it closed its session, the New York legislature passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The bill, which the New York Attorney General’s (“AG”) office strongly supports, is now at the governor’s office for review. New York AG Letitia James stated New York will join the “increasing number of states that require reasonable data security protections, while being careful to avoid excessive costs to small business and without imposing duplicate obligations under federal or state data security regulations.”
If Governor Cuomo signs the bill, New York will build upon its existing data breach notification law, and add a new requirement for data custodians in the private and public sectors to adopt reasonable measures to safeguard sensitive data of New York residents.