On June 1, 2020, California Attorney General Xavier Becerra submitted a finalized package of CCPA regulations to the California Office of Administrative Law (OAL).   The package included not only the final text of the regulations, but also the final statement of reasons for amendments to the previous drafts. There have been multiple rounds of drafts of the regulations, along with corresponding comment periods and workshops.  The first comment period received over 1,700 comments, leading to modifications published on February 7, 2020.  A second set of modifications released on March 11, 2020 eliminated the opt-out button and clarified procedures for consumer requests.  This finalized version of the regulations appears nearly identical to the March version.

Attorney General Becerra has stood firm in his insistence on the scheduled enforcement deadline of July 1, 2020, notwithstanding pleas to delay enforcement due to the COVID-19 pandemic.  However, the regulations must first be approved by the OAL, which has 90 days to make its decision.  Specifically, the OAL has 30 working days, plus an additional 60 calendar days under Executive Order N-40-20 related to the COVID-19 pandemic, to review the package for procedural compliance. However, the AG submitted a written justification for a request for an expedited review by the OAL to be completed within 30 business days and that the Final Regulations become effective upon filing with the Secretary of State.  Notably, the statute has been in effect as of January 1, 2020, and the statute includes a 12-month “look-back” requirement allowing consumers to request their records dating back one year from when the request was made.

While these CCPA regulations move toward finalization, we have previously written about a new ballot initiative scheduled for November 2020, the California Privacy Rights Act (CPRA), commonly referred to as CCPA 2.0, which would significantly strengthen the CCPA’s requirements and enforcement tools, would weaken defenses to private rights of action under the CCPA, and would establish the California Privacy Protection Agency to enforce privacy rights in California.

To view the final CCPA regulations, click here.

To view the California Attorney General’s press release, click here.

To view the California Attorney General’s supporting documentation, click here.

1. Details about Apple/Google Launch

Yesterday (May 20, 2020), Apple and Google launched software that will allow public health authorities to create mobile applications that notify people when they may have come in contact with someone who has a confirmed case of COVID-19, while purportedly preserving privacy around identifying information and location data. Phones updated with the latest software will broadcast a Bluetooth signal and log when their radio detects other nearby phones running an app built on the software.

The public launch means that health agencies can now use the API in applications released to the general public. To date, Apple and Google had only released beta versions to help with the development process.  (To be clear, Apple and Google are not themselves creating an exposure notification or contact tracing application; the launch means that developers working on behalf of public health agencies can do so.)  This “exposure notification” tool uses the Bluetooth radios within smartphones and will be part of a new software update the companies will be pushing out Wednesday. State and federal governments can use it to create contact tracing applications that citizens can download via the App Store or Google Play store.

Many U.S. states and 22 countries across five continents have already asked for, and been provided access to, the API to support their development efforts, and they anticipate more being added going forward. So far, Apple and Google say they have conducted more than 24 briefings and tech talks for public health officials, epidemiologists and app developers working on their behalf.

The exposure notification API uses a decentralized identifier system with randomly generated temporary keys created on a user’s device (but not specifically tied to personally identifiable information). Public health agencies can define parameters around exposure time and distance, and can tweak transmission risk and other factors according to their own standards.

The applications are allowed to combine the API and voluntarily submitted user data provided through individual apps to enable public health authorities to contact exposed users directly to make them aware of what steps they should take.

Apple and Google have incorporated various privacy protections, including: (a) encryption of all device-specific Bluetooth metadata (e.g., signal strength, specific transmitting power), and (b) explicitly barring use of the API in any apps that also seek geolocation information permission from users.  Because many public health authorities developing contact tracing were considering using geolocation data, this privacy measure has prompted some to reconsider their approach.
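To make the decentralized model described above concrete, the following is an added example written for this post; it is not Apple's or Google's code and is only loosely modeled on the general shape of their published cryptography specification. Assumptions made here for illustration: a random 16-byte per-day key never leaves the phone unless the user chooses to report a diagnosis; a fresh identifier is derived from that key for every 10-minute interval; bystanders store only the identifiers they hear (plus signal attenuation), never identities or location; matching runs entirely on the bystander's own device against keys the diagnosed user voluntarily published; and the exposure thresholds (minutes and attenuation) are the parameters a public health agency would set. The real specification derives identifiers with HKDF and AES-128; to keep the example dependency-free, truncated HMAC-SHA256 stands in for that step, and the interval numbers and key bytes are constructed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed for this example: 10-minute intervals and one key per 144 intervals (a day).
INTERVAL_MINUTES = 10
INTERVALS_PER_KEY = 144


def new_temporary_exposure_key() -> bytes:
    """Random per-day key generated on the device. It never leaves the phone
    unless the user later chooses to report a positive diagnosis."""
    return os.urandom(16)


def _derive_subkey(tek: bytes, info: bytes) -> bytes:
    # Simplification: one HMAC-SHA256 step stands in for the HKDF used by the real spec.
    return hmac.new(tek, info, hashlib.sha256).digest()


def rolling_proximity_identifier(tek: bytes, interval: int) -> bytes:
    """Identifier broadcast over Bluetooth during `interval`. Simplification:
    HMAC-SHA256 truncated to 16 bytes instead of the spec's AES-128 block.
    Without the key, consecutive identifiers are unlinkable."""
    rpik = _derive_subkey(tek, b"EN-RPIK")
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(rpik, msg, hashlib.sha256).digest()[:16]


@dataclass(frozen=True)
class Observation:
    """What a bystander's phone stores locally: no identity, no location."""
    rpi: bytes
    interval: int
    attenuation_db: int  # tx power minus RSSI; larger means farther away


@dataclass(frozen=True)
class DiagnosisKey:
    """What a diagnosed user voluntarily publishes: the daily key and its first interval."""
    tek: bytes
    start_interval: int


def match_exposures(observations, diagnosis_keys, min_minutes, max_attenuation_db):
    """Runs on the bystander's device. Rebuilds every identifier a published key
    could have produced, intersects with the local observation log, and applies
    the agency-defined thresholds. Returns (exposed, matched_minutes)."""
    seen = {}
    for ob in observations:
        seen.setdefault(ob.rpi, []).append(ob)

    matched_intervals = set()
    for dk in diagnosis_keys:
        for i in range(dk.start_interval, dk.start_interval + INTERVALS_PER_KEY):
            rpi = rolling_proximity_identifier(dk.tek, i)
            for ob in seen.get(rpi, []):
                # Require the interval to line up too, so a replayed identifier
                # heard at the wrong time does not count.
                if ob.interval == i and ob.attenuation_db <= max_attenuation_db:
                    matched_intervals.add(i)

    minutes = len(matched_intervals) * INTERVAL_MINUTES
    return minutes >= min_minutes, minutes


def simulate(min_minutes=15, max_attenuation_db=60):
    """Constructed scenario: device A is later diagnosed; device B is a bystander."""
    tek_a = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed for reproducibility
    start = 2_650_000  # constructed interval number for the start of A's key
    observed_by_b = [
        Observation(rolling_proximity_identifier(tek_a, start + 5), start + 5, 45),   # close, 10 min
        Observation(rolling_proximity_identifier(tek_a, start + 6), start + 6, 48),   # close, 10 min
        Observation(rolling_proximity_identifier(tek_a, start + 20), start + 20, 80), # heard through a wall
        Observation(bytes(16), start + 7, 40),                                        # unrelated device
    ]
    # A tests positive and chooses to upload its key; B downloads it and matches locally.
    return match_exposures(observed_by_b, [DiagnosisKey(tek_a, start)],
                           min_minutes, max_attenuation_db)


if __name__ == "__main__":
    print(simulate())  # (True, 20): two close-range intervals, the far one filtered out
```

The point of the design is visible in what each party holds: A publishes one key per day, B's log contains only opaque identifiers, and the server that distributes diagnosis keys learns nothing about who was near whom. Changing `min_minutes` or `max_attenuation_db` is the knob the post describes agencies tuning, and the same inputs can flip from "exposed" to "not exposed" purely on those thresholds.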

Apple and Google provided the following joint statement about the API and how it will support contact-tracing efforts undertaken by public health officials and agencies:

One of the most effective techniques that public health officials have used during outbreaks is called contact tracing. Through this approach, public health officials contact, test, treat and advise people who may have been exposed to an affected person. One new element of contact tracing is Exposure Notifications: using privacy-preserving digital technology to tell someone they may have been exposed to the virus. Exposure Notification has the specific goal of rapid notification, which is especially important to slowing the spread of the disease with a virus that can be spread asymptomatically.

To help, Apple and Google cooperated to build Exposure Notifications technology that will enable apps created by public health agencies to work more accurately, reliably and effectively across both Android phones and iPhones. Over the last several weeks, our two companies have worked together, reaching out to public health officials, scientists, privacy groups and government leaders all over the world to get their input and guidance.

Starting today, our Exposure Notifications technology is available to public health agencies on both iOS and Android. What we’ve built is not an app — rather public health agencies will incorporate the API into their own apps that people install. Our technology is designed to make these apps work better. Each user gets to decide whether or not to opt-in to Exposure Notifications; the system does not collect or use location from the device; and if a person is diagnosed with COVID-19, it is up to them whether or not to report that in the public health app. User adoption is key to success and we believe that these strong privacy protections are also the best way to encourage use of these apps.

Today, this technology is in the hands of public health agencies across the world who will take the lead and we will continue to support their efforts.

Google and Apple are also releasing draft technical documentation including Bluetooth and cryptography specification and framework documentation.

2. Privacy Reactions and Concerns Regarding Contact Tracing Applications

Many within the privacy community are focused on whether these types of applications meet the principles of “Privacy by Design”, with much emphasis being placed on using decentralized tracing rather than location data stored in central databases. The UK data protection authority (UK ICO) concluded on April 17, 2020 that proposals for the contact tracing framework itself “appear aligned with the principles of data protection by design and by default”, based on certain assumptions.  At the same time, France asked Apple to remove a limitation in Apple’s operating system that prevents contact tracing apps using its Bluetooth technology from running constantly in the background if the data is going to be moved off the device. That limit is designed to protect users’ privacy, but France said it was standing in the way of the type of app that France wanted to build.

It is important to recognize that technology (in the form of a contact tracing application) is only a part of the solution, and that many security and privacy issues arise not only from the technology itself, but in the purpose, process, and manner in which it is used. For employers considering the use of contact tracing technologies or applications leveraging the Apple/Google APIs, a number of questions need to be addressed. For example:

  • Will you require employee consent and on what conditions? Will the contact tracing app continue to monitor after work hours are over?
  • How will you handle external requests (e.g., law enforcement, state/local government, hospitals, health authorities, nonprofits, etc.)?
  • Will your process be forward- or backward-looking? Will you penalize those who violate social distancing requirements based on this information to prevent infection? Or simply wait until positive testing results indicate a positive infection, and then look back at contact history to notify those in contact with the individuals?  The Apple and Google API appears to favor more of a backwards looking approach.
  • How will you ensure confidentiality among colleagues? South Korea and Israel’s approaches were more publicly accessible, which led in some cases to protests, vigilante reactions, and social stigma. Think through how to avoid social stigma towards any employees – even when not testing positive, there may be questions or rumors based on employer efforts to preserve confidentiality.  Policies should be clearly explained and emphasized to mitigate such misunderstanding and disproportionate reactions.
  • Also consider how to handle false positives and false negatives. If you lift the lockdown with the idea that an app can control the infection, you could create a false sense of security that, once compromised, eventually gives way to ignoring the technology itself. One example is Singapore, which, despite using a widely credited tracing app, still had to return to lockdown. Its app examined whether an individual had been within two meters of someone with COVID-19 for at least 30 minutes. If so, the individual received a signal that they were possibly infected as well. This is both over-inclusive (Bluetooth passes through glass walls and windows) and under-inclusive (viral transmission through kissing or intimate contact can occur in less than 30 minutes).

Many of these applications attempt to address these privacy concerns by notifying only the app users themselves (instead of the employer or public health agency), to encourage responsible behavior.

Much remains to be seen about how our society will balance the tension between privacy rights and public health and safety needs as it pertains to application of contact tracing technologies. Nonetheless, yesterday’s release marks a significant event in this continuing conversation.

Today, Senators Richard Blumenthal (D-CT) and Mark Warner (D-VA) introduced the Public Health Emergency Privacy Act (“PHEPA”) in the Senate. A companion House bill was introduced by Reps. Anna Eshoo (D-CA), Jan Schakowsky (D-IL), and Suzan DelBene (D-WA), and co-sponsored by Reps. Yvette Clarke (D-NY), G.K. Butterfield (D-NC), and Tony Cárdenas (D-CA).   This and similar legislation has been introduced in the last week as health agencies and technology companies nationwide develop contact tracing and monitoring tools to contain the pandemic.

The Act would restrict data collected for public health purposes, limiting what can be collected, by whom, and for what purposes it can be used. For example:

  • It would require data minimization procedures for that information and opt-in consent for any such efforts.
  • It would formally mandate that data collected to fight the pandemic be deleted after the public health emergency.
  • It would protect personal data collected in connection with COVID-19 from being used for non-public health purposes.
  • It would prohibit conditioning the right to vote on use of such services or on a medical condition.
  • It provides for both public enforcement (by the FTC) and a private right of action.
  • The private right of action specifies a range of statutory penalties ($100-$1,000 for negligent violations, $500-$5,000 for reckless, willful, or intentional violations), plus attorney fees and costs, and any other appropriate relief. It would also make a statutory violation sufficient injury to allege standing.

This Democratic legislation comes as a counterproposal after the Senate Republicans’ bill, the COVID-19 Consumer Data Protection Act, failed to gain Democratic support.  The Republican bill’s opt-in requirement was limited to data collected for purposes of tracking the spread of the virus, and it did not include the civil rights protections that are included in this legislation. It also did not include a private right of action. Both bills, however, include rules mandating transparency and consent, and controlling the use of data for purposes other than public health.

An unofficial copy of the legislation is available here on the website of the Electronic Privacy Information Center (EPIC).  We will update this post once it is available in the Congressional Record.

On May 1, 2020, H.R. 6666, the COVID-19 Testing, Reaching, And Contacting Everyone (“TRACE”) Act, was introduced in the U.S. House of Representatives.  The bill, sponsored by Rep. Bobby Rush (D-IL), would authorize the Secretary of Health and Human Services to award grants to eligible entities to conduct diagnostic testing for COVID-19, to trace and monitor the contacts of infected individuals, and to support the quarantine and testing of such contacts.  The bill contemplates such activities occurring at mobile health units and, as necessary, at individuals’ residences.  A grant recipient may use the grant funds: (1) to hire, train, compensate, and pay the expenses of individuals; and (2) to purchase personal protective equipment (“PPE”) in support of such contact tracing and other activity. Priority is given to applicants proposing to: (1) conduct activities in “hot spots and medically underserved communities”; and (2) hire residents of the area or community where the activities will occur.

In addition, the bill provides that Federal privacy requirements must be complied with, and that no provision of the bill, or action taken under it, may supersede any Federal privacy or confidentiality requirement under Federal law, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The bill authorizes appropriations of $100,000,000,000 for fiscal year 2020, and such sums as may be necessary for fiscal year 2021 and any subsequent fiscal year during which the emergency period continues.  The bill has been introduced and referred to the House Committee on Energy and Commerce, where it currently awaits further action.

To view the bill, click here.

As previously announced, the leadership of several Senate Committees introduced the “COVID-19 Consumer Data Protection Act” on May 7, 2020.

The Act would:

  • Require companies under FTC jurisdiction to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, device, geolocation, or proximity information for the purposes of tracking the spread of COVID-19 (e.g., contact tracing).
  • Direct companies to disclose at the point of collection how data will be handled, to whom it will be transferred, and how long it will be retained.
  • Establish clear definitions about what constitutes aggregated and de-identified data to ensure sufficient technical and legal safeguards to protect consumer data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide public transparency reports describing data collection activities related to COVID-19.
  • Establish data minimization and security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

To read the bill, click here.

On May 4, Californians for Consumer Privacy (led by Alastair Mactaggart, the real estate investor and activist behind the original ballot initiative that led to the CCPA) announced in a letter that it had collected over 900,000 signatures to qualify the California Privacy Rights Act (“CPRA”) for the November 2020 ballot.  This version of the CPRA, commonly referred to as “CCPA 2.0”, would amend the CCPA to create new and additional privacy rights and obligations.  Specifically, it would:

  • Sensitive Personal Information.  Establish a new category of “sensitive personal information” to which new consumer privacy rights would apply. This category would be defined to include: Social Security number, driver’s license number, passport number, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation.
  • Right to Correction. Grant consumers the right to request correction of inaccurate personal information held by a business.
  • Increased Fines and New Opt-In for Children’s Data.  Triple the fines for violating the CCPA’s existing opt-in requirement for sales of children’s data, and create a new requirement to obtain opt-in consent to sell or share data of consumers under the age of 16.
  • Clarify Data Breach Liability. Amend the data breach liability provision to clarify that breaches resulting in the compromise of a consumer’s email address in combination with a password or security question and answer that would permit access to the consumer’s account are subject to the relevant provision.
  • Enforcement. Establish the California Privacy Protection Agency to enforce the law, instead of the California Attorney General’s Office.

To view the announcement, click here.

To view the proposed CPRA, click here.

On April 30, 2020, U.S. Sens. Roger Wicker (R-MS), chairman of the Senate Committee on Commerce, Science, and Transportation, John Thune (R-SD) chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet, Jerry Moran (R-KS), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, and Marsha Blackburn (R-TN),  announced plans to introduce the COVID-19 Consumer Data Protection Act.  The legislation would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data. The bill would also hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.

The COVID-19 Consumer Data Protection Act would:

  • Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
  • Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

To view the Senate committee’s press release, click here.


Last Friday, May 1, the President signed an executive order prohibiting Federal agencies and U.S. persons from acquiring, importing, transferring, or installing any bulk power system (“BPS”) equipment where:

  • the transaction involves bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
  • the Secretary of Energy determines the transaction:
    • poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the bulk-power system in the United States;
    • poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the economy of the United States; or
    • otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

The Secretary, in consultation with other agencies as appropriate, may design or negotiate mitigating measures, which may serve as a precondition to the Secretary’s approval of a transaction or class of transactions that would otherwise be prohibited under the order.  The Executive Order also authorizes the Secretary of Energy to:

  • Establish and publish criteria for recognizing particular equipment and vendors as “pre-qualified” (pre-qualified vendor list).
  • Identify any now-prohibited equipment already in use, allowing the government to develop strategies and work with asset owners to identify, isolate, monitor, or replace this equipment as appropriate.
  • Work closely with the Departments of Commerce, Defense, Homeland Security, Interior; the Director of National Intelligence; and other appropriate Federal agencies to carry out the authorities and responsibilities outlined in the Executive Order.

A Task Force led by the Secretary will develop energy infrastructure procurement policies to ensure national security considerations are fully integrated into government energy security and cybersecurity policymaking. The Task Force will consult with the energy industry through the Electricity Subsector Coordinating Council (ESCC) and Oil and Natural Gas Subsector Coordinating Councils (ONG SCC) to further its efforts on securing the Bulk Power System.

It is unclear how the policies may be coordinated with or interact with the NERC CIP-013 supply chain standards, whose implementation was deferred three months by FERC on April 20 as a result of the COVID-19 pandemic.  Section 2(c) of the order does allow the Secretary to “redelegate any of the authorities conferred on the Secretary pursuant to this section within [DOE].” In response to this executive order, NERC issued the following statement:

“The supply chain executive order launches a critical initiative to secure the bulk power system. Efforts outlined in the order will help support activities already underway in NERC’s supply chain standards and other work. The order is a positive step forward to improve reliability and security of the bulk power system supply chain. NERC looks forward to working with industry and government stakeholders toward effective implementation of the executive order.”

To view the executive order, click here.

To view the Department of Energy’s press release, click here.

To view NERC’s response, click here.

Note:  This post was originally posted in our Southeast Financial Litigation Monitor.

Gregory C. Cook & Brandon N. Robinson

The story is becoming all too common.  A merchant (or consumer) is convinced to wire money to a fraudulent account because of an incorrect belief that they are wiring the money to the real party.  A common example is a fraudster convincing a purchaser of a home to wire money in the mistaken belief that they are wiring the money to a closing attorney or agent.  Another common example is a fraudster convincing a company to wire money in the mistaken belief that they are paying a valid vendor.  These transactions can involve millions of dollars and it is rare that the money can be recovered after it is sent.

Can insurance cover these losses?  Recently the Eleventh Circuit decided Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., 944 F.3d 886 (11th Cir. Dec. 9, 2019).  There, the insured employer filed an action against its insurer, seeking coverage for a wire transfer of funds made by the insured’s employee to scammers.  The employer claimed coverage under the “fraudulent instruction” provision of its commercial crime insurance policy, and asserted bad faith.

The loss stemmed from a sophisticated phishing scheme in which a scammer posing as an executive of Principle Solutions Group, LLC persuaded the company’s controller to wire money to a foreign bank account, leading to a loss of $1.7 million.  The controller received an email, purportedly from a managing director, informing her that he had been “secretly working on a ‘key acquisition’ and asking her to wire the money… as soon as possible” and directing her to speak with “attorney Mark Leach,” who would give her further instructions.  Further, because the purported deal was not public, she was to treat the matter with “u[t]most discretion” and “deal solely” with this attorney.  Next, she received an email and a call purporting to be from this attorney, which provided wiring instructions.  When Principle’s bank later demanded verification, the controller confirmed the transfer.  The controller realized the fraud the next day when she spoke with the actual managing director, but neither the company nor law enforcement was able to recover the funds.

The policy covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account and transfer, pay or deliver money or securities from that account.”  The insurer denied coverage and argued that the scammer’s communications with the employee did not meet the conditions for a fraudulent instruction under the policy and that the loss did not result directly from the fraudulent instruction.

The Eleventh Circuit found coverage and held that the transfer of funds involved loss from a “fraudulent instruction directing a financial institution to transfer funds.”  The court noted that the policy defines a “fraudulent instruction” as an “electronic or written instruction initially received by [Principle], which instruction purports to have been issued by an employee, but which in fact was fraudulently issued by someone else without [Principle’s] or the employee’s knowledge or consent.”  Reading the two emails together, the court rejected the argument that they did not constitute an instruction.

The court also rejected the insurer’s argument that the loss did not result “directly” from the fraudulent instructions because it was not an “immediate” link.  Instead, the court determined that “resulted directly from” meant “proximately caused” and determined that the policy was satisfied.  The majority expressly rejected the argument that the employee should have done more to prevent the fraud (and therefore proximate cause should have been a jury question).  The majority held that “the relevant question is whether [the controller’s] failure to verify the transfer in the ways the dissent suggests was foreseeable.  And that failure was foreseeable: the scammers set up a system designed to prevent [the controller] from verifying the request, which means that they foresaw [the controller’s] failure.”  Therefore “[n]o unforeseeable cause intervened between [] purported email and Principle’s loss.”

The lessons from this case are many.  First, review your insurance policies to determine whether you would have coverage for such an event.  Second, institute two-channel confirmation for wire and ACH transactions, so that no single email or call can authorize a payment or a change of payee details.  Third, train your financial employees to recognize such fraud.  For instance, a best practice is to pick up the phone (using a phone number independently obtained, not one taken from the originating email) to verify wiring instructions above a certain threshold; note that in this case the scammers explicitly instructed the controller to deal only with the purported attorney, which is exactly the kind of channel restriction an out-of-band check is meant to defeat.  Finally, if you discover you have been the victim of a fraudulent wiring instruction, immediately file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.  They can help to quickly investigate and, if the fraud is detected quickly enough, can sometimes (but not always) recover the lost funds or a portion thereof.

On March 18, 2020, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) announced steps to ensure that operators of the bulk electric system can focus resources on safety and reliability during the COVID-19 emergency.  FERC and NERC are advising all registered entities that they will consider the impact of the coronavirus outbreak with regards to NERC compliance as follows:

  • The effects of the coronavirus will be considered an acceptable basis for non-compliance with the personnel certification requirements of Reliability Standard PER-003-2 from March 1, 2020 to December 31, 2020. Registered entities should notify their Regional Entities and Reliability Coordinators when using system operator personnel that are not NERC-certified.
  • The effects of the coronavirus will also be considered an acceptable reason for case-by-case non-compliance with NERC requirements involving periodic actions that would have been taken between March 1, 2020 and July 31, 2020. Registered entities should notify their Regional Entities of any periodic compliance actions that will be missed during this period.
  • Finally, on-site audits, certifications and other on-site activities by Regional Entities will be postponed until at least July 31, 2020. Registered entities should communicate any resource impacts associated with remote activities to their Regional Entities.

FERC and NERC will continue to evaluate the situation to determine whether the above dates should be extended.

To view the FERC-NERC joint announcement click here.