For years, the idea of a federal privacy law in the same vein as GDPR seemed to be a far-fetched dream.  Then came the nightmare: coronavirus.  As mobile device and other monitoring services are being considered for employers and retail, because of the COVID-19 pandemic, the U.S. Senate announced a bill, which would apply to the collection of American health, geolocation, and proximity information.

The COVID-19 Consumer Data Protection Act (the “Act”) aims to heighten protection for American’s data by imposing requirements on businesses similar to those seen in the GDPR and CCPA.  Specifically, the Act is designed to protect information that constitutes “precise geolocation data, proximity data, and personal health information.”  Any entity or person who “collects, processes, or transfers covered information” and is also subject to the Federal Trade Commission Act, is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization would be subject to the law.

Continue Reading COVID-19 Inspires Federal Consumer Privacy Act

The town of Westport, Connecticut, is the latest administration to face the challenge of balancing privacy concerns while combating the COVID-19 pandemic. By April 17, 2020, there were 183 confirmed cases of COVID-19 in Westport. For the sake of public health, Westport announced its intent to collaborate with the company Draganfly to use drone technology to monitor social distancing. Draganfly’s drones are allegedly able to detect fevers, heart and respiratory rates, and people sneezing and coughing. The drones would aid in the fight against COVID-19 by alerting officials of any locations where crowds were not properly social distancing, using biometric readings to analyze population patterns.

Photo credit:  Draganfly Screenshot as reported in Hartford Courant, April 23, 2020.  

Continue Reading Connecticut Town’s Drone Program Grounded: What Businesses Can Learn from Latest Battle Balancing Privacy and the Public Good

As up-to-date readers of Taft’s Privacy & Data Security Insights blog know, the legal landscape continues to quickly evolve due to the economic, legal and privacy impacts of COVID-19. Moreover, we have seen significant flexibility from government agencies on various laws and regulations as a result of COVID-19.

Brazil’s encroaching data privacy law is the latest to suffer a delay as a result of the economic uncertainty caused by COVID-19. Brazil’s General Data Protection Law (aka, the Lei Geral de Proteção de Dados and referred to as the “LGPD” in the Portuguese acronym) appeared ready to go into effect in August 2020. However, Brazil has recently and rapidly become a hot spot for COVID-19. On April 3, 2020, as a result of the healthcare crisis caused by COVID-19, the Brazilian Senate approved Bill No. 1179/2020. This emergency measure postpones the effective date for the LGPD to January 2021, with sanctions and penalties enforceable only after August 2021. The Brazilian Senate validated its emergency measure by asserting that businesses should not be burdened by having to dedicate resources for privacy compliance as they navigate the crisis caused by COVID-19. Bill No. 1179/2020 is now awaiting approval by the Brazilian House of Representatives.

Continue Reading Brazil Postpones Enforcement of New Privacy Law in Response to COVID-19

As businesses continue to apply for relief through Small Business Administration (SBA) programs, SBA’s Carol R. Wilkerson announced that nearly 8,000 business owners’ information may have been exposed to unauthorized users on March 29, 2020. This incident only affected the Disaster Loan Program and not the Paycheck Protection Program. The SBA has notified the business owners that may have been affected and offered them a year of free credit monitoring.

At this time, the SBA has stated that the affected part of the system that allowed unauthorized users to view business owners’ information has been disabled. Even though the vulnerability has been reportedly addressed, we recommend any business owners that applied for relief through the Disaster Loan Program to check their accounts and review their credit reports for any unusual or unauthorized activity. This should serve as a reminder to routinely review business accounts and personal accounts to catch any unauthorized uses early and mitigate the resulting issues.

Please visit our COVID-19 Toolkit for all of Taft’s updates on the coronavirus and related legal issues.

As the majority of states execute stay at home orders to curb the effects of COVID-19, businesses (and educational institutions) have had to set up ways for employees and students to work remotely. As we have discussed before, companies and employees must make sure both company and employee data is secure while working on home networks and remote devices. Employee use of video conference software is no different. In an effort to keep employees connected and working efficiently, many businesses and educational institutions have had to adopt video conference software in an expedited fashion. This can be seen by looking at Zoom, a video and audio conferencing software. At the end of December 2019, Zoom had approximately 10 million daily meeting participants. Now, in just over several months, Zoom has reached 200 million daily meeting participants. While a useful and effective tool, Zoom has also experienced some challenges with security.  Even in these unique, difficult, and fast moving situations, the Zoom experience stresses the importance of still following best practices in all use of technology to process your company’s data. Continue Reading COVID-19 Bulletin: Recent Zoom Security Issues Serve as a Cautionary Tale for Businesses in Times of Crisis (and not)

While hardly a new topic for anyone doing business with the government, current events and the challenges of COVID-19 provide a cautionary tale and proactive reminder that doing business with the government carries with the burden of ensuring applicable data privacy and security protections are in place.  As companies consider existing relationships with the U.S. government, or potentially pursuing new business with the U.S. government in responding to current challenges, we thought it a good time to provide a high-level summary of what to expect.

All organizations store, maintain, and process data to some extent.  However, organizations that contract with the federal government may also be storing controlled unclassified information (“CUI”).  The federal government requires that CUI be protected from public disclosure; or other unauthorized use.  Protection of CUI in nonfederal systems and organizations is important to federal agencies and can directly affect the ability of the federal government to successfully conduct its essential missions and functions. For example, over the last decade, cyber criminals have increasingly targeted contractor organizations to extract information in an attempt to weaken the federal government’s supply chain. Accordingly, companies can expect to see an emphasis on security of CUI when contracting with the federal government as they process CUI and other types of data on the government’s behalf, whether directly as a prime contractor or subcontractor to a prime contractor of the government.

Continue Reading COVID-19 Bulletin: Dreaming of a government contract? Neglecting data security can be a nightmare.

As we discussed before, educational institutions are closing campuses and are meeting legal obligations to educate their students by conducting online schooling. Now, some school districts across the country are banning teachers from using Zoom for online schooling during the COVID-19 pandemic due to security and privacy issues surrounding the videoconferencing app.  Reported cases of classroom “Zoombombings” included an incident where hackers broke into a class meeting and displayed a swastika on students’ screens, which led the FBI to issue a public warning about Zoom’s security vulnerabilities. New York City School District and Nevada Clark Public Schools disabled Zoom access, while schools in Utah and Washington State are reassessing its use at the time of this posting.

Amid the raised safety concerns, Zoom responded and advised schools to protect video calls with passwords and to lock down meeting security with currently available privacy features in the software. On March 18, 2020, Zoom added a privacy policy specific for K-12 schools and districts stating that it is “designed to reflect our compliance” with student privacy laws and also posted best practices for teachers to use.

Continue Reading COVID-19 Bulletin: ZOOM Challenges Provide Timely Reminder about Need for Diligence in Managing Privacy and Security and Student Data

The COVID-19 outbreak has ignited a frenzy of scamming attempts as about 90% of Americans are ordered to stay at home and are navigating how to work remotely and keep themselves and their loved ones safe. Our recent bulletin discussed attempts bad actors are using to try to steal personal information through email phishing attacks and ransomware, as well as efforts to ransack bank accounts through donations to fake charities and orders for goods that never arrive. Government officials warn that the scams will not stop there. To be sure, during any year these tactics are often seen during tax season when taxpayers are receiving their refund from the Internal Revenue Service (IRS). These scams can also be aimed towards tax professionals and payroll and human resources departments. This year, with the CARES Act authorizing $1,200 stimulus checks to many Americans, scammers will be searching for opportunities to cash in.

With that in mind, the United States Attorney’s Office and the IRS offered the following tips and information to identify when a bad actor is trying to steal your information and how these stimulus checks will be issued:

  • The IRS will deposit your check into the direct deposit account you previously provided on your tax return (or, in the alternative, send you a paper check).
  • The IRS will not call and ask you to verify your payment details. Do not give out your bank account, debit account, or PayPal account information – even if someone claims it is necessary to get your check. It’s a scam.
  • If you receive a call, don’t engage with scammers or thieves, even if you want to tell them that you know it’s a scam, or you think that you can beat them. Just hang up.
  • If you receive texts or emails claiming that you can get your money faster by sending personal information or clicking on links, delete them. Do not click on the links.
  • Bogus checks may also exist. If you receive a “check” in the mail now, it is not legitimate. Treasury checks have not yet been mailed. If you receive a “check” for an odd amount (especially one with cents), or a “check” requiring you to verify the “check” online or by calling a phone number, it is a fraud.
  • The IRS will not ask you to send money before it will issue your economic impact payment. If someone asks you to send money to get your payment, do not send money.

As we have written before, these scams are not limited to using the government as part of the bait. Half the battle is just being aware! It is important that individuals and companies, alike, stay diligent in safeguarding personal information to avoid falling victim to cyber attacks and scams. Taft’s Privacy and Data Security team stands ready and will continue to provide updates via the COVID-19 Toolkit to keep you apprised of new developments.

With the focus rightly on the challenges presented by COVID-19, it is also important to keep an eye on what is happening in the world of data privacy and security regulation. One such development involves a little known application of a financial services privacy law to the world of higher education.

On Feb. 28, 2020, the Federal Student Aid office (“FSA”) of the Department of Education (the “DoE”) posted an Electronic Announcement, advising all entities with an active Program Participation Agreement with the DoE (“Institutions”) that the DoE will begin strictly enforcing the requirement that each Institution must comply with the data privacy and cybersecurity requirements set forth in 16 C.F.R. Part 314 and administered by the Federal Trade Commission (“FTC”).

Although all Institutions have been subject to these compliance requirements for some time (technical application dates back to 2003, and auditing requirements date back to 2016), enforcement actions by the DoE and FTC in the wake of non-compliant audits have been lacking. No longer. According to FSA, that’s about the change.

Continue Reading Higher Education Institutions Must Be Prepared: “Enhanced” Cybersecurity Audits are Coming

With at least 70% of American schools shutting down, and others, if not all, to follow, school and millions of parents are faced with unprecedented challenges managing the children’s education from children’s homes through online schooling. Online schooling or “distance learning” presents not only operational and technical challenges of its own, but also presents concerns and challenges to properly protecting the privacy and security of student information. Even in view of a pandemic and emergency conditions, schools and online education providers are still required to meet legal obligations under various laws and implement best practices to not only meet the laws’ requirements but also to foster a secure environment for students to learn. The following provides a summary of the applicable federal and state laws impacting online learning, followed by general best practices.

Continue Reading COVID-19 Bulletin: Online Schooling Data Privacy Concerns and Best Practices During the Pandemic