Just a friendly reminder from the Taft Law Privacy and Data Security Practice Group that the Attorney General of California will commence enforcement of the California Consumer Privacy Act (CCPA) on July 1, 2020. While we have all understandably been focused on the many important issues of this year, both personally and professionally, let us not forget that the Attorney General of California explicitly declined to extend the enforcement date due to COVID-19 for this first of its kind state privacy law.

While it is obviously late in the game, and impossible to provide you all the ins and outs of CCPA compliance in this single post, you can always check older posts on our Taft Privacy & Data Security Insights.  That said, it doesn’t mean you can’t get started or continue making progress to understand and meet any applicable requirements for your business. Here are some quick points and additional resources to consider.
Continue Reading Don’t Forget! CCPA Enforcement Commences July 1, 2020

Like so many companies navigating the challenges and changes demanded by COVID-19, we at Taft have had to move our entire workforce home while maintaining a high level of support for our employees and clients. Whether in crisis, design, or other business strategy, companies should carefully and methodically approach the transition of its employees, equipment, and data to a remote environment. Such an approach should be followed in all such moves, whether temporary or permanent. In this article we share what we have learned and some best practices that will benefit any company considering making the move.

A. Operational Support (Andrea Markstrom, CIO, Taft Stettinius & Hollister LLP)

Faced with COVID-19 and moving a firm of 620+ attorneys to home offices, I knew this was not just another business continuity tabletop exercise. I needed to plan thoroughly while still reacting quickly. To do so, I thought about how we were going to be able to keep our employees safe, fully productive, and continue providing excellent service to our clients. To be successful, I think you need to consider and accomplish the following three things.
Continue Reading It’s more than giving ‘em a laptop: Operational & Security Considerations for Supporting the Remote Workforce

The road to hell is paved with good intentions. While the proverb may be a stretch for now, the latest lawsuit by the American Civil Liberties Union of Illinois (ACLU) against Clearview AI certainly shows that good intentions, when acted upon, may have unintended consequences. Technology utilized in the name of public protection—whether from global pandemics or criminal activity—can have disastrous effects when it comes to civil liberties and privacy.

The ACLU filed a lawsuit against Clearview AI based on violations of Illinois residents’ privacy rights. Clearview AI is a technology company that scrapes images from the internet, primarily from various social media platforms, in order to create a searchable database of individual’s face prints. The company claimed that it sold access to its searchable database to hundreds of police departments and federal agencies in order to protect children and aid victims of crimes. However, a recent data breach showed that Clearview AI actually also sold or provided access to its searchable database to retail chains Walmart and Macys, the NBA, Equinox, and many other non-law enforcement entities.


Continue Reading Crossing the Line? ACLU challenges Clearview AI’s Facial Recognition Technology

Losing a job and struggling with finances have added significant stress to those trying to stay safe during the COVID-19 pandemic. It is no secret that for weeks, state departments administering unemployment compensation have been under fire due to massive backlogs of unprocessed claims. Adding to claimants’ frustrations are a number of security incidents affecting several states’ agencies. We previously reported that the Small Business Administration experienced a breach compromising personal data for thousands of applications for financial assistance. Now we are seeing state level entities experiencing security compromises.

Pandemic Unemployment Assistance (PUA) is unemployment compensation available to self-employed and “gig” workers. In the past several weeks, thousands of workers in several states who applied for PUA received notice that their personal information was possibly exposed to other users. The personal information exposed included social security numbers, addresses, names, and the amount workers were receiving in benefits. Fortunately, at least at this time, there is no evidence personal information was misused and the alerts from the states were preventative.
Continue Reading Adding Insult to Injury: Government Agency Security Incidents Expose Unemployed Personal Data

For years, the idea of a federal privacy law in the same vein as GDPR seemed to be a far-fetched dream.  Then came the nightmare: coronavirus.  As mobile device and other monitoring services are being considered for employers and retail, because of the COVID-19 pandemic, the U.S. Senate announced a bill, which would apply to the collection of American health, geolocation, and proximity information.

The COVID-19 Consumer Data Protection Act (the “Act”) aims to heighten protection for American’s data by imposing requirements on businesses similar to those seen in the GDPR and CCPA.  Specifically, the Act is designed to protect information that constitutes “precise geolocation data, proximity data, and personal health information.”  Any entity or person who “collects, processes, or transfers covered information” and is also subject to the Federal Trade Commission Act, is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization would be subject to the law.


Continue Reading COVID-19 Inspires Federal Consumer Privacy Act

As up-to-date readers of Taft’s Privacy & Data Security Insights blog know, the legal landscape continues to quickly evolve due to the economic, legal and privacy impacts of COVID-19. Moreover, we have seen significant flexibility from government agencies on various laws and regulations as a result of COVID-19.

Brazil’s encroaching data privacy law is the latest to suffer a delay as a result of the economic uncertainty caused by COVID-19. Brazil’s General Data Protection Law (aka, the Lei Geral de Proteção de Dados and referred to as the “LGPD” in the Portuguese acronym) appeared ready to go into effect in August 2020. However, Brazil has recently and rapidly become a hot spot for COVID-19. On April 3, 2020, as a result of the healthcare crisis caused by COVID-19, the Brazilian Senate approved Bill No. 1179/2020. This emergency measure postpones the effective date for the LGPD to January 2021, with sanctions and penalties enforceable only after August 2021. The Brazilian Senate validated its emergency measure by asserting that businesses should not be burdened by having to dedicate resources for privacy compliance as they navigate the crisis caused by COVID-19. Bill No. 1179/2020 is now awaiting approval by the Brazilian House of Representatives.


Continue Reading Brazil Postpones Enforcement of New Privacy Law in Response to COVID-19

As the majority of states execute stay at home orders to curb the effects of COVID-19, businesses (and educational institutions) have had to set up ways for employees and students to work remotely. As we have discussed before, companies and employees must make sure both company and employee data is secure while working on home networks and remote devices. Employee use of video conference software is no different. In an effort to keep employees connected and working efficiently, many businesses and educational institutions have had to adopt video conference software in an expedited fashion. This can be seen by looking at Zoom, a video and audio conferencing software. At the end of December 2019, Zoom had approximately 10 million daily meeting participants. Now, in just over several months, Zoom has reached 200 million daily meeting participants. While a useful and effective tool, Zoom has also experienced some challenges with security.  Even in these unique, difficult, and fast moving situations, the Zoom experience stresses the importance of still following best practices in all use of technology to process your company’s data.
Continue Reading COVID-19 Bulletin: Recent Zoom Security Issues Serve as a Cautionary Tale for Businesses in Times of Crisis (and not)

With at least 70% of American schools shutting down, and others, if not all, to follow, school and millions of parents are faced with unprecedented challenges managing the children’s education from children’s homes through online schooling. Online schooling or “distance learning” presents not only operational and technical challenges of its own, but also presents concerns and challenges to properly protecting the privacy and security of student information. Even in view of a pandemic and emergency conditions, schools and online education providers are still required to meet legal obligations under various laws and implement best practices to not only meet the laws’ requirements but also to foster a secure environment for students to learn. The following provides a summary of the applicable federal and state laws impacting online learning, followed by general best practices.

Continue Reading COVID-19 Bulletin: Online Schooling Data Privacy Concerns and Best Practices During the Pandemic

On Thursday, March 26, 2020, the Senate passed the Coronavirus Aid, Relief, and Economy Security Act (the “CARES Act”), which provides economic relief for individuals, businesses and industries affected by the COVID-19 pandemic. In addition, some provisions specifically relate to nascent privacy and data security concerns to be addressed both during and after the pandemic:

  • Financial Assistance for Training: Qualifying small businesses and minority owned businesses may apply for financial assistance in the form of grants to cover training and advising for employees on risks of and mitigation of cybersecurity threats in remote customer service or telework practices. The economic landscape following the COVID-19 pandemic will highlight businesses’ increased reliance upon technology, and the nascent need for increased attention to data security education. The financial assistance available to small and minority-owned businesses provides a great opportunity for companies to get ahead of the curve with respect to myriad information security threats.
  • Credit Reporting: The Fair Credit Reporting Act is revised so that furnishers of consumer and payment information, who make an accommodation with respect to one or more payments on a consumer’s account or credit obligation, must report the account or obligation as “current,” unless it was delinquent prior to the accommodation.
  • Public Health Service Act Amended to Conform with HIPAA: The Public Health Service Act is amended to include breach notification and consent requirements consistent with HIPAA. In addition, within one year after the date of enactment, the Secretary of Health and Human Services shall update 45 C.F.R 164.520 so that covered entities and entities creating or maintaining records relating to substance abuse education, training, treatment, and research shall provide easily understandable notices of privacy practices. As a result, some entities not currently regulated by HIPAA will need to adapt to some of the HIPAA requirements related to breach notification and notice of privacy practices.
  • Cybersecurity & Infrastructure Security Agency: $9 million is allocated for supply chain and information analysis, as well as impacted critical infrastructure coordination.
  • Funding for Public Health Surveillance: $500 million is allocated for public health data surveillance and analytics infrastructure modernization.


Continue Reading COVID-19 Bulletin: CARES Act Provides Attention to Privacy & Data Security Precautions

While the bulk of current conversation and headlines revolve around an ever growing pandemic, California Attorney General, Xavier Becerra, provided us a much needed distraction. A little over a month since the Attorney General released the first set of modifications (the “First Modifications”) to the California Consumer Privacy Act’s (the “CCPA”) initial regulations, he has now released the second set of modifications (the “Second Modifications”) based on written comments received over the 15-day comment period that ended on Feb. 25, 2020. While the Second Modifications are not as voluminous as the First Modifications, there are still some significant changes and clarifications that may affect businesses or service providers and changes that nullify a few of the First Modifications, including some of our discussion points from our discussion of the First Modifications.

Continue Reading How am I supposed to do this? Part Trois: California Attorney General issues CCPA modifications