On Thursday, March 26, 2020, the Senate passed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”), which provides economic relief for individuals, businesses and industries affected by the COVID-19 pandemic. In addition, some provisions specifically address emerging privacy and data security concerns that will need attention both during and after the pandemic:

  • Financial Assistance for Training: Qualifying small businesses and minority-owned businesses may apply for financial assistance in the form of grants to cover training and advising for employees on the risks and mitigation of cybersecurity threats in remote customer service or telework practices. The economic landscape following the COVID-19 pandemic will highlight businesses’ increased reliance upon technology and the growing need for attention to data security education. The financial assistance available to small and minority-owned businesses provides a great opportunity for companies to get ahead of the curve with respect to the myriad information security threats they face.
  • Credit Reporting: The Fair Credit Reporting Act is revised so that furnishers of consumer and payment information, who make an accommodation with respect to one or more payments on a consumer’s account or credit obligation, must report the account or obligation as “current,” unless it was delinquent prior to the accommodation.
  • Public Health Service Act Amended to Conform with HIPAA: The Public Health Service Act is amended to include breach notification and consent requirements consistent with HIPAA. In addition, within one year after the date of enactment, the Secretary of Health and Human Services shall update 45 C.F.R. 164.520 so that covered entities and entities creating or maintaining records relating to substance abuse education, training, treatment, and research shall provide easily understandable notices of privacy practices. As a result, some entities not currently regulated by HIPAA will need to adapt to some of the HIPAA requirements related to breach notification and notices of privacy practices.
  • Cybersecurity & Infrastructure Security Agency: $9 million is allocated for supply chain and information analysis, as well as impacted critical infrastructure coordination.
  • Funding for Public Health Surveillance: $500 million is allocated for public health data surveillance and analytics infrastructure modernization.

Continue Reading COVID-19 Bulletin: CARES Act Provides Attention to Privacy & Data Security Precautions

In a letter sent earlier this month, a group representing more than 30 companies, trade associations and various industries asked the California Attorney General if enforcement of the California Consumer Privacy Act could be postponed. Concerned with the business impacts and reprioritization related to COVID-19, the association asked the Attorney General to delay enforcement from July 2020 until January 2021. The association stated that companies scrambling to respond to COVID-19 would need more time to comply with the various requirements of the new privacy law.

On March 24, 2020, the office of the California Attorney General provided its response. No. As reported by Forbes online, in an email to Forbes magazine, an adviser from the Attorney General’s office stated “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first….We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

Notable from the adviser’s comments above is that enforcement would commence when the rules were finalized or on July 1, “whichever comes first.” This raises the question of whether the CCPA could be enforced BEFORE July 1. That would be a significant departure from previous guidance and from the statute itself, which states that enforcement will begin July 1, or six months after the publication of the final regulations. The CCPA’s implementing regulations were only recently revised a second time, with comments due back to the Attorney General by this Friday, March 27. Accordingly, we would expect July 1 to remain the date upon which enforcement will generally begin.

Taft’s Privacy and Data Security (PDS) practice group will continue to monitor this development and other issues associated with the CCPA in view of this new challenge. We encourage you to check out other posts on CCPA, as well as other COVID-19 Tool Kit updates regarding emerging threats to data security and privacy.

While the bulk of current conversation and headlines revolve around an ever-growing pandemic, California Attorney General Xavier Becerra provided us a much-needed distraction. A little over a month since the Attorney General released the first set of modifications (the “First Modifications”) to the California Consumer Privacy Act’s (the “CCPA”) initial regulations, he has now released the second set of modifications (the “Second Modifications”), based on written comments received over the 15-day comment period that ended on Feb. 25, 2020. While the Second Modifications are not as voluminous as the First Modifications, there are still some significant changes and clarifications that may affect businesses or service providers, as well as changes that nullify a few of the First Modifications, including some of the points from our discussion of the First Modifications.

Continue Reading How am I supposed to do this? Part Trois: California Attorney General issues CCPA modifications

In our previous COVID-19 bulletin, we discussed the importance of companies maintaining information system and data security while allowing employees to work remotely. Over the last week, as people scramble to identify trustworthy information about the spread of COVID-19, how they can protect themselves, and how they can get tested, spammers and scammers have taken advantage of vulnerable telecommuters. For example, in just the past week, media outlets have reported on the following scams:

  • Email Phishing. According to a Kaspersky study and the FTC, email phishing schemes include the use of organizations’ names that would normally seem legitimate. Such emails appear to come from representatives of the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). The emails carry the CDC or WHO logos and headings, or use email addresses that, at a quick glance, look to be official (such as cdc-gov.org). The links in these emails may infect the user’s device with malware or even ask them to enter the email address and password for their Microsoft Outlook account.
  • Domains and Apps. There are website domains that appear to keep track of COVID-19 updates and health information. Instead, these domains prompt users to download apps to access this information. In particular, there is an Android app that, once downloaded, infects the device with ransomware and demands payment, threatening that the data on the device will otherwise be erased. Additionally, there is an interactive infections and deaths map circulating that is being used to spread password-stealing malware.
  • Goods Delivery. While goods and supplies, such as cleaning and household supplies, are running out at local stores, there are online sellers purporting to have these items in stock. Instead, they are scams that take your payment and never deliver your ordered items. Employers, or employees in charge of supplies, should be cautious of online retailers and conduct additional research into the seller to verify legitimacy.
  • Fake Charities. As with any major event or crisis, there are scammers trying to take advantage of people’s good intentions. This can take form in fake charities or fake donation pages. The fake charity can be a completely made up organization or one that closely resembles names of established charities.

Continue Reading Don’t Let COVID-19 Lure You In: Phishing and Malware Attacks Skyrocket During Coronavirus Crisis

In the past week, businesses in every industry faced the growing concerns that the coronavirus pandemic has brought to our communities. As the situation around the globe continues to develop and multi-faceted issues arise, companies should be considering their employees’ and customers’ privacy, be prepared to respond adequately and appropriately to privacy concerns and requests for information, and understand the basic expectations of how and when personal information can be used without consent.

While the current environment demands flexibility and responsiveness, and not all personal information or every industry is subject to such regulations, the following information provides some guidelines on how the law expects businesses to balance privacy and public health concerns. We conclude with some best practices that apply to the use of personal information in all conditions.

Continue Reading COVID-19 Bulletin: Balancing Privacy and Public Health Needs

As many employers are considering sending employees home to protect them and other employees from the threat of the COVID-19 virus, it is extremely important not to increase your data security risk while you attempt to reduce the risk to employee and customer health. The following are some best practices for any employees working remotely, whether temporarily or permanently, from locations outside your office and your (hopefully secure) network.

  • Establish clear guidance and expectations for your employees.
    • All remote computer and data use should happen in accordance with the same privacy and security policies as you have in your company office. Working remotely should not weaken safeguards for company data.
    • No expectation of privacy. Employees should already know that any use of your company systems or data is subject to monitoring or review and they should not expect privacy on such systems.
    • Establish alternative communication channels. In accordance with your business continuity plan, make sure you have the ability to communicate with employees through non-company devices, such as personal cell phones, to convey all updates, especially in the event of a security incident or an inability to access or use company information systems.
    • Employees must remain vigilant!
      • Remind employees to remain aware of their surroundings when using company computers or discussing company information in public spaces.
      • With the concerns and constant news coverage about COVID-19, employees might be subject to phishing attacks and other attempts to obtain access to company data masquerading as public service announcements or even company updates. A reminder about such emails and best practices is always appropriate, specifically:
        • Always be wary of emails or texts containing links or attachments from unknown senders.
        • Do not click on suspicious links or open suspicious attachments. Report all such content to the company IT department.
        • Employees should be encouraged to report all suspicious or known security incidents as soon as possible in accordance with your company’s incident response plan.
  • Establish a secure connection to your company network.
    • All remote connections to your company network should happen via a secure connection or virtual private network (VPN). Such a connection encrypts the communications between your employee’s device and the network, and requires authentication of the employee before access is provided.
    • All remote connections should be authenticated using multifactor authentication. Such steps help prevent a bad actor from using stolen credentials (a very common attack these days) to access your company network.
    • Public Wi-Fi networks, such as those at coffee shops, airports and hotels, should be avoided unless a company VPN is in place and used.
  • Company computer use.
    • Whenever possible, all such remote work should be completed using company-owned devices and computers. Such use ensures existing security policies are enforced on those devices and that all system patches and malware protections are up to date.
    • Ensure your devices are running antivirus software with the latest updates from the vendor. When possible, updates should happen automatically.
    • Whenever possible, all portable devices should be encrypted at the hard drive level, with the key maintained separately from the device. Such protections safeguard company data in the event of theft or loss, and may also avoid the need to issue notice under various state data breach laws.
    • Whenever possible, documents and sensitive files should be saved or uploaded to the company network and not stored on the company laptop or device itself.
  • Physical security.
    • Employees must always protect against unauthorized access to their devices and company data in remote locations, including from family members, friends, and others.
      • Hard copies of sensitive company material should be shredded prior to disposal or recycling. Such documents should be cross-cut shredded whenever possible or otherwise rendered incapable of reassembly or reading.
      • Home or remote offices, closets, or desks in which company data and devices are being used or stored should be physically secured using locks or other means to prevent theft or unauthorized use.

Lastly, if any of these terms or practices are foreign to your organization, take time to understand the benefits, risks and impacts of each. Rash decisions made in an effort to keep the business running in the face of a crisis can have severe consequences and open the door to security vulnerabilities that can harm the very business and customers you are seeking to protect.

As we have often said here in the US, “so goes California, so goes the country” when it comes to laws of all kinds, not just those addressing privacy. Well, globally, the same can be said of the impact of the European Union’s GDPR. Brazil will soon be regulating privacy and security more extensively with the Brazilian General Data Protection Law (the Lei Geral de Proteção de Dados, commonly referred to by its Portuguese acronym, “LGPD”) (Law 13.709/2018). It was originally scheduled to go into effect this month, but was later amended to be enforced in August 2020. Here is a quick summary of the LGPD’s requirements.

Continue Reading So goes the EU, so goes the world….Brazil’s new privacy law is on the horizon.

Last year we wrote about the California Attorney General’s initial guidance on implementation and enforcement requirements for the California Consumer Privacy Act (“CCPA”). Now, over a month since the CCPA went into effect, California Attorney General Xavier Becerra has proposed modifications (the “Modifications”) to the initial proposed regulations (the “Initial Regulations”) that were published in early October 2019. The Modifications are the Attorney General’s response to public comments on the Initial Regulations that were submitted during the written comment period. While these changes are not final, they shed light on how the AG’s office expects businesses to plan, operate, and respond to consumer requests.

Continue Reading How am I supposed to do this? Part Deux: California Attorney General issues CCPA modifications

Last summer, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act’s data breach notification requirements are already effective and the law’s data security requirements go into effect on March 21. Any company that does business in New York or has customers in New York needs to understand what the law requires.

New York, like many other states, has a data breach notification law that requires businesses to notify consumers when a breach occurs. The SHIELD Act goes further than New York’s previous law, both in its definition of what type of information is covered and in reaching companies whose only connection to New York is holding information about New York residents in their databases. The SHIELD Act:

Continue Reading The SHIELD Act: What You Need to Know About New York’s New Data Breach Notification Law

According to the FBI, billions of dollars are lost every year repairing computer systems and networks hit by cyberattacks like ransomware. The 2019 Internet Crime Report notes that in 2019 alone, the FBI’s Internet Crime Complaint Center received 467,361 complaints of cybercrime with reported losses exceeding $3.5 billion. While the number of ransomware attacks has declined sharply, the amounts demanded in such attacks have increased. For example, BleepingComputer recently reported seeing ransom notes for the Ragnar Locker ransomware, which targets software commonly used by managed service providers, with demands ranging from $200,000 to about $600,000.

Some insurers selling cyber insurance offer to pay a ransom demand, which theoretically should allow the policyholder to get their data back. But what happens if you don’t have cyber insurance or the funds to pay the ransom? What if you pay the ransom and the criminals renege? If your computers and network are slowed but otherwise operable, will your traditional business owners’ insurance policy pay to replace the damaged computers and network?

Continue Reading Business owners’ insurance policy required to pay for computer damage from ransomware attack