By Jordan L. Fischer of XPAN Law Group LLC
As we close out 2019, it is a good time to reflect on the numerous changes to the privacy and security legal landscape, while also preparing for what is to come in the new year. The short prediction: the craziness of 2019 is going to continue for some time. Patchwork data privacy and cybersecurity requirements, at both the domestic and international level, are not going away soon. It is important to dedicate time and resources to meeting current obligations, which should position your organization well for the new wave of legal requirements coming down the pike.
First, what did 2019 bring us?
Let’s start with cybersecurity. On par with the theme of this entire decade, cybersecurity breaches appear to be on the rise (or at least firmly here to stay!). Capital One disclosed a breach in July, impacting approximately 100 million individuals in the United States and approximately 6 million in Canada. Quest Diagnostics suffered a breach as well, exposing the financial data, Social Security numbers and medical data of approximately 11.9 million patients (thankfully, the exposure did not include laboratory test results). The Quest breach was a great reminder that you are only as strong as your weakest supplier/vendor: it was not Quest itself but a collections agency used by Quest’s billing vendor, in other words Quest’s vendor’s vendor, that was breached.
In a scarier turn of events, a single server containing 1.2 billion records was found exposed online. Why is this scarier? The server appeared to contain four different data sets, and it was unclear how the data got there and where it came from. While it does not appear that any company was “breached” in the traditional sense, it does show that data exposures come in all shapes and sizes: an unsecured database with no clear owner is just as damaging to the individuals in it as a deliberate intrusion.
Local and state governments had a tough year as well. The city of Baltimore suffered a ransomware attack, shutting down the city’s technology resources and disrupting critical services across the entire area. The Baltimore attack highlights a key issue going into 2020: repeat victimization of governments that do not necessarily have the resources to maintain a robust cybersecurity program. In Texas, at least 23 towns were impacted by a “coordinated ransomware attack.” This came after the state of Louisiana was forced to declare a state of emergency when ransomware attacks disrupted several of the state’s school districts. And, earlier this month, the city of Pensacola, Florida suffered a cyberattack impacting the city’s network, phones, email and even some buildings. All in all, government entities were viewed as very attractive targets, with fewer resources than private entities to prepare for and protect against various cyber threats.
Next, there have also been significant changes to the data privacy landscape, creating a U.S. domestic regulatory flurry around privacy. In October, Nevada’s Internet Privacy Law went into effect. It regulates the security and privacy of personal information collected by operators of commercial websites and online services and provides Nevada consumers with the ability to opt out of the sale of their personal information. There is also an increasing focus by state legislatures on passing biometric data laws, beyond the well-known Illinois Biometric Information Privacy Act (which continues to survive legal challenges from across a variety of industries).
The Federal Trade Commission (FTC) expanded its enforcement in the security and privacy realm, entering into a $170 million settlement with Google and YouTube for illegally collecting data from children without their parents’ consent in direct violation of the Children’s Online Privacy Protection Act (COPPA). And, the FTC made headlines with its largest fine to date: $5 billion against Facebook for several privacy-related violations, including that Facebook allowed users to choose settings that purportedly limited access to their personal information to just their “friends” without adequately disclosing that another setting allowed their information to be shared with developers of third-party applications used by those “friends.”
The FTC also actively enforced the EU-US Privacy Shield Framework, taking action against companies falsely claiming to participate in the Framework. The FTC’s involvement was seen as a positive in the EU’s third annual review of the Framework, where the U.S. received a passing, but not stellar, grade. The Framework continues to garner attention, both in the U.S. and abroad, and faced legal challenge in front of the Court of Justice of the European Union (CJEU) in 2019, with a decision expected in 2020 (C-311/18, Facebook Ireland and Schrems).
The National Institute of Standards and Technology (NIST) introduced its first-ever draft Privacy Framework in September. The goal of the Privacy Framework is to drive better privacy engineering and help organizations protect individuals’ privacy by building customer trust, fulfilling current compliance obligations, and facilitating communication about privacy practices with all stakeholders. NIST has previously provided valuable guidance in the cybersecurity space, especially with its Cybersecurity Framework (a great starting point for businesses of all sizes that are just scratching the surface of cybersecurity and privacy management). NIST’s proposed Privacy Framework signals two key things going forward: (1) privacy, and proactive privacy management, is here to stay; and (2) the U.S. is starting to weigh in on the international (and heavily EU-dominated) privacy conversation.
Finally, the courts continue to grapple with the challenge of cybersecurity and data privacy lawsuits. When should companies be held accountable for cybersecurity breaches? What constitutes a breach of privacy? Is the taking of data alone enough, or do we need something more? These are the questions that courts across the country are facing. Successful litigants are finding standing in statutory violations (mostly in the biometric data space): the Ninth Circuit affirmed class certification in a lawsuit against Facebook under the Illinois Biometric Information Privacy Act, holding that the alleged violation of the statute was itself a concrete injury sufficient to confer standing. As more statutory causes of action go into effect, this area of litigation will be tested further, and will likely make its way up to the Supreme Court (sooner or later).
So, to put it lightly, 2019 was an interesting year. The patchwork approach to data privacy and cybersecurity, with an assortment of laws across the U.S., is keeping companies on their proverbial toes. Each new regulation or law requires a company to have a deep understanding of how the data it collects affects its compliance obligations and potential liabilities in every jurisdiction in which it does business. On the flip side, consumers are gaining ground on the issue of transparency. Most states are moving in the direction of giving consumers the ability to learn what data is collected about them and, in some instances, more control over that data going forward.
So what can we expect in 2020?
Likely (and somewhat sadly), a lot more of the same. Technology is moving at a rapid rate, and it feels like we are all just hanging on to see what happens next. But there is hope.
Proactive requirements for companies that collect, process and maintain personal information are on the rise. California hits the ground running on Jan. 1, 2020, with the California Consumer Privacy Act (CCPA). The CCPA brings to the U.S. what is becoming the standard approach to privacy abroad: personal information requires proactive protective measures, and it comes with liability for the company collecting, processing and maintaining that data. And while California continues to make headlines (especially with a proposed 2020 ballot initiative that would alter the current iteration of the CCPA), it is not the only state weighing in on how to protect individuals in the digital age.
New York passed the SHIELD Act in 2019; its breach notification changes are already in effect, and its data security requirements take effect in March 2020. The law aligns with the trend toward general data protection regulation, requiring companies to take certain privacy and security measures proactively (instead of reactively, after a breach has occurred). Further, many states that took an unsuccessful pass at privacy legislation in 2019 are likely to go in for a second round in 2020. Pennsylvania House Bill 1049 proposes CCPA-like protections in the Commonwealth of Pennsylvania and is pending in the legislature. Washington State’s first attempt at a privacy bill failed, but there are already conversations about pushing again in 2020, both on general data privacy and on facial recognition protections.
Heading out of 2019 and into 2020, the federal government is also weighing in on proactive privacy requirements. On Nov. 26, 2019, Senator Maria Cantwell (D-WA), along with other Democratic senators, introduced the Consumer Online Privacy Rights Act (COPRA) to establish privacy obligations for companies and to guarantee consumers certain rights over their personal data. We anticipate that debates around a federal privacy law, and exactly whose interests will be accounted for (including whether it preempts state laws like the CCPA), will dominate in 2020.
Cybersecurity threats and exposures are only going to grow. As more and more companies rely on both technology and third-party providers to supply critical services, the risks of data exposure and system compromise only increase. So the moral of the story is: understand which regulations apply to your business and begin the process of working toward compliance. The enemy of companies (and the best friend of attackers) is doing nothing. Because in 2020, more so than ever before, luck favors the prepared!