On May 4, the Californians for Consumer Privacy (led by Alistair McTaggart, the real estate investor and activist behind the original ballot initiative that led to the CCPA), announced in a letter that it had collected over 900,000 signatures to qualify the California Privacy Rights Act (“CPRA”) for the November 2020 ballot.  This version of the CPRA, commonly referred to as “CCPA 2.0”, would amend the CCPA to create new and additional privacy rights and obligations.  Specifically, it would:

  • Sensitive Personal Information.  Establish a new category of “sensitive personal information” to which new consumer privacy rights would apply. This category would be defined to include: Social Security Number, driver’s license number, passport number, financial account information, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation.
  • Right to Correction. Grant consumers the right to request correction of inaccurate personal information held by a business.
  • Increased Fines and New Opt-In for Children’s Data.  Triple fines for violating the CCPA’s existing right to opt in to sales, and create a new requirement to obtain opt-in consent to sell or share data from consumers under the age of 16.
  • Clarify Data Breach Liability. Amend the data breach liability provision to clarify that breaches resulting in the compromise of a consumer’s email address in combination with a password or security question and answer that would permit access to the consumer’s account are subject to the relevant provision.
  • Enforcement. Establish the California Privacy Protection Agency to enforce the law, instead of the California Attorney General’s Office.

To view the announcement, click here.

To view the proposed CPRA, click here.

On April 30, 2020, U.S. Sens. Roger Wicker (R-MS), chairman of the Senate Committee on Commerce, Science, and Transportation, John Thune (R-SD) chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet, Jerry Moran (R-KS), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, and Marsha Blackburn (R-TN),  announced plans to introduce the COVID-19 Consumer Data Protection Act.  The legislation would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data. The bill would also hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.

The COVID-19 Consumer Data Protection Act would:

  • Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
  • Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

To view the Senate committee’s press release, click here.


Last Friday, May 1, the White House signed an executive order prohibiting Federal Agencies and U.S. persons from acquiring, importing, transferring, or installing any bulk power system (“BPS”) equipment in which:

  • the transaction involves bulk-power system electric equipment designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary; and
  • the Secretary of Energy determines the transaction:
    • poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of the bulk-power system in the United States;
    • poses an undue risk of catastrophic effects on the security or resiliency of United States critical infrastructure or the economy of the United States; or
    • otherwise poses an unacceptable risk to the national security of the United States or the security and safety of United States persons.

The Secretary, in consultation with other agencies as appropriate, may design or negotiate mitigating measures, which may serve as a precondition to Secretary approval of a transaction or of a class of transactions that would otherwise be prohibited under this order.  The Executive Order also authorizes the Secretary of Energy to:

  • Establish and publish criteria for recognizing particular equipment and vendors as “pre-qualified” (pre-qualified vendor list).
  • Identify any now-prohibited equipment already in use, allowing the government to develop strategies and work with asset owners to identify, isolate, monitor, or replace this equipment as appropriate.
  • Work closely with the Departments of Commerce, Defense, Homeland Security, Interior; the Director of National Intelligence; and other appropriate Federal agencies to carry out the authorities and responsibilities outlined in the Executive Order.

A Task Force led by the Secretary will develop energy infrastructure procurement policies to ensure national security considerations are fully integrated into government energy security and cybersecurity policymaking. The Task Force will consult with the energy industry through the Electricity Subsector Coordinating Council (ESCC) and Oil and Natural Gas Subsector Coordinating Councils (ONG SCC) to further its efforts on securing the Bulk Power System.

It is unclear how the policies may be coordinated with or interact with the NERC CIP-013 supply chain standards, whose implementation was deferred three months by FERC on April 20 as a result of the COVID-19 pandemic.  Section 2(c) of the order does allow the Secretary to “redelegate any of the authorities conferred on the Secretary pursuant to this section within [DOE].” In response to this executive order, NERC issued the following statement:

“The supply chain executive order launches a critical initiative to secure the bulk power system. Efforts outlined in the order will help support activities already underway in NERC’s supply chain standards and other work. The order is a positive step forward to improve reliability and security of the bulk power system supply chain. NERC looks forward to working with industry and government stakeholders toward effective implementation of the executive order.”

To view the executive order, click here.

To view the Department of Energy’s press release, click here.

To view NERC’s response, click here.

Note:  This post was originally published in our Southeast Financial Litigation Monitor.

Gregory C. Cook & Brandon N. Robinson

The story is becoming all too common.  A merchant (or consumer) is convinced to wire money to a fraudulent account because of an incorrect belief that they are wiring the money to the real party.  A common example is a fraudster convincing a purchaser of a home to wire money in the mistaken belief that they are wiring the money to a closing attorney or agent.  Another common example is a fraudster convincing a company to wire money in the mistaken belief that they are paying a valid vendor.  These transactions can involve millions of dollars and it is rare that the money can be recovered after it is sent.

Can insurance cover these losses?  Recently the Eleventh Circuit decided Principle Solutions Group, LLC v. Ironshore Indemnity, Inc., 944 F.3d 886 (11th Cir. Dec. 9, 2019).  There, the insured employer filed an action against its insurer, seeking coverage for a wire transfer of funds made by the insured’s employee to scammers.  The employer claimed coverage under the “fraudulent instruction” provision of its commercial crime insurance policy, and asserted bad faith.

The loss stemmed from a sophisticated phishing scheme in which a scammer posing as an executive of Principle Solutions Group, LLC, persuaded the company’s controller to wire money to a foreign bank account, leading to the loss of $1.7 million.  The controller received an email, allegedly from a managing director, informing her that he had been “secretly working on a ‘key acquisition’ and asking her to wire the money… as soon as possible” and directing her to speak with “attorney Mark Leach” who would give her further instructions.  Further, because the purported deal was not public, she was to treat the matter with “u[t]most discretion” and “deal solely” with this attorney.  Next, she received an email and a call purporting to be from this attorney, which provided wiring instructions.  Later, Principle’s bank demanded verification, which the controller confirmed.  The controller realized the fraud the next day when she spoke with the managing director, but neither the company nor law enforcement was able to recover the funds.

The policy covered “[l]oss resulting directly from a fraudulent instruction directing a financial institution to debit [Principle’s] transfer account and transfer, pay or deliver money or securities from that account.”  The insurer denied coverage and argued that the scammer’s communications with the employee did not meet the conditions for a fraudulent instruction under the policy and that the loss did not result directly from the fraudulent instruction.

The Eleventh Circuit found coverage and held that the transfer of funds involved loss from a “fraudulent instruction directing a financial institution to transfer funds.”  The court noted that the policy defines a “fraudulent instruction” as an “electronic or written instruction initially received by [Principle], which instruction purports to have been issued by an employee, but which in fact was fraudulently issued by someone else without [Principle’s] or the employee’s knowledge or consent.”  The court rejected the argument that the two emails, read together, did not constitute an instruction.

The court also rejected the insurer’s argument that the loss did not result “directly” from the fraudulent instructions because it was not an “immediate” link.  Instead, the court determined that “resulted directly from” meant “proximately caused” and determined that the policy was satisfied.  The majority expressly rejected the argument that the employee should have done more to prevent the fraud (and therefore proximate cause should have been a jury question).  The majority held that “the relevant question is whether [the controller’s] failure to verify the transfer in the ways the dissent suggests was foreseeable.  And that failure was foreseeable: the scammers set up a system designed to prevent [the controller] from verifying the request, which means that they foresaw [the controller’s] failure.”  Therefore “[n]o unforeseeable cause intervened between [] purported email and Principle’s loss.”

The lessons from this case are many.  First, you should review your insurance policies to determine if you would have coverage for such an event.  Second, you should institute two-factor confirmation for wire and ACH transactions.  Third, you should train your financial employees regarding such fraud.  For instance, a best practice would be to pick up the phone (using a phone number independently obtained and not taken from the originating email) to verify wiring instructions above a certain threshold.  Finally, if you discover you have been the victim of a fraudulent wiring instruction, immediately file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.  The IC3 can help investigate quickly and, if the fraud is detected early enough, can sometimes (but not always) recover the lost funds or a portion of them.

On March 18, 2020, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) announced steps to ensure that operators of the bulk electric system can focus resources on safety and reliability during the COVID-19 emergency.  FERC and NERC are advising all registered entities that they will consider the impact of the coronavirus outbreak with regards to NERC compliance as follows:

  • The effects of the coronavirus will be considered an acceptable basis for non-compliance with the personnel certification requirements of Reliability Standard PER-003-2 from March 1, 2020 to December 31, 2020. Registered entities should notify their Regional Entities and Reliability Coordinators when using system operator personnel that are not NERC-certified.
  • The effects of the coronavirus will also be considered an acceptable reason for case-by-case non-compliance with NERC requirements involving periodic actions that would have been taken between March 1, 2020 and July 31, 2020. Registered entities should notify their Regional Entities of any periodic compliance actions that will be missed during this period.
  • Finally, on-site audits, certifications and other on-site activities by Regional Entities will be postponed until at least July 31, 2020. Registered entities should communicate any resource impacts associated with remote activities to their Regional Entities.

FERC and NERC will continue to evaluate the situation to determine whether the above dates should be extended.

To view the FERC-NERC joint announcement, click here.

As more and more businesses send their employees home to self-quarantine and work remotely as part of their COVID-19 mitigation measures, it is important to remember that working remotely carries with it unique data privacy and security concerns of which everyone should be aware.  The following are a few tips for employers and employees to be aware of during these times:

  • Security of VPN/Remote Connections. As employees shift to logging into VPN and other remote connections, IT professionals should be assessing their resources to ensure both: (a) adequate capacity and (b) proper security of these connections.   According to a study conducted by OpenVPN in 2019, 24% of companies had not updated their remote work security policy in over a year, and 44% say their IT department did not lead the remote work security policy plan. Questions employers should be asking include:
    • What’s the maximum number of users who need remote access?
    • How does this translate into additional bandwidth needed?
    • How soon will we need additional bandwidth and how quickly can it be provided?
    • What technologies can we use to boost bandwidth cost-effectively?
    • How quickly can we obtain additional licenses and other resources to support the demand?
    • How much will additional bandwidth and network components cost?
    • How will we handle cybersecurity threats?
    • How do we secure and protect the increased amount of data traffic?
    • How quickly and cost-effectively can we scale back resources once the demand for remote access has subsided to normal levels?
    • What resources are available from local access carriers, WAN carriers and Internet services providers (ISPs)?


When choosing a VPN, consider whether it allows for multi-factor authentication, provides access control, and provides endpoint security (i.e., securing the various endpoints that connect to a network such as mobile devices, laptops, and desktops), as these issues will be critical to both availability and security of remote connections.


  • Keep a proper balance between employee/customer health and privacy rights. Collecting and sharing information is necessary, but must be done with employees’ privacy in mind. Many businesses are curious to know what they can ask employees without violating any privacy laws.
    • For example, can businesses take temperatures at work? This is typically considered a medical exam and normally would be prohibited under the Americans with Disabilities Act (ADA). However, according to new guidance issued by the Equal Employment Opportunity Commission (EEOC) on March 18, 2020, employers may measure employees’ body temperatures in light of CDC and local health authorities’ precautions.
    • The new EEOC Guidance also states that if an employee calls in sick, the employer may ask if the employee is experiencing symptoms of the pandemic virus, which for COVID-19 include symptoms such as fever, chills, cough, shortness of breath, or sore throat.
      • The employer may also ask other employees if they too have “the same symptoms” and “encourage them to report that they may be a high risk for COVID-19.”  The CDC states that employees who fall ill with flu-like symptoms during a pandemic should leave the workplace, and so this information is necessary to comply with that guidance.
    • Both temperature readings and information an employee provides about symptoms should be considered confidential medical information.  The employer should maintain all such information about employee illness as a confidential medical record in compliance with the ADA.
      • The EEOC has directed employers to review the EEOC publication entitled: Pandemic Preparedness in the Workplace and the Americans With Disabilities Act.
      • Educational institutions should also be cautious about how they handle the health concerns and privacy rights of students under the Family Educational Rights and Privacy Act (FERPA). FERPA prohibits an educational agency or institution from disclosing personally identifiable information (PII) from a student’s education record without the prior written consent of a parent or non-minor student unless an exception applies. One exception is the “health or safety emergency,” which allows disclosure in an emergency to public health agencies, medical personnel, law enforcement officials or even parents if such disclosure is necessary to protect the health and safety of other students or individuals. There must be an actual emergency, not a future or unknown one. In areas where COVID-19 has been declared a public health emergency, this exception would arguably be met. However, the Department of Education notes that public health departments typically can have education records disclosed under this exception even in the absence of a formally declared health emergency. For more, see the U.S. Department of Education’s Frequently Asked Questions regarding student privacy and coronavirus.
  • Consider security and confidentiality of client data. For employees who are attorneys, healthcare workers, accountants, government contractors, and some consultants, consider how you plan to keep client information appropriately confidential and proprietary, and in compliance with any applicable privacy laws, while working in a home environment.  This is especially important if you are part of a dual-income family where both spouses are working from home. Consider the following:
    • Find out if your organization has rules or policies for telework; if so, make sure you read and comply with them. For example, they may allow you to use your own computer for reading company email, but not for accessing or storing sensitive customer data.
    • If you use Wi-Fi at home, make sure your network is set up securely. Look to see if it is using “WPA2” or “WPA3” security and make sure your password is hard to guess.
    • If working from a home computer or mobile device, make sure it is patched and updated.
    • Do you and your spouse share a computer? If so, do you have separate login profiles where electronic data can be segregated, or do you share the same drives, servers, and folders? Can you store client data separately in the cloud instead of locally on the hard drive?
    • Where do you keep physical files? Do you have a file cabinet at home? If not, can you designate a separate workspace?
    • How can you ensure privacy during phone calls and teleconferences? As you engage in client phone calls and teleconferences / videoconferences, can you isolate yourself within the house in a separate room? Can you be aware of the information you disclose verbally so as to communicate effectively without necessarily revealing identities or other confidential information (e.g., say “the client/patient” instead of “John Smith”)?
  • Continue to be vigilant and educate employees regarding phishing and other social engineering attempts.
    • As always, there will continue to be bad actors who wish to capitalize on a national tragedy or vulnerability. Already, the Department of Health and Human Services has experienced a cyber attack intended to slow its coronavirus response.
    • It is entirely expected that a new onslaught of phishing attempts related to the coronavirus pandemic will flood inboxes – pretending to offer information, provide education or services, or solicit donations. With increased information exchange taking place over the phone or through email, you can also expect to see more “spearphishing” attempts where an employee receives an email from a sender purporting to be another employee within the organization (up to and including executive management) requesting the recipient to click on a link, open an attachment, or process or wire funds.
    • It is therefore important that employees – particularly those unaccustomed to working remotely or via email – be on the lookout for social engineering attempts such as phishing emails or phone scams related to telework. Be wary of emails from unknown accounts with strange file attachments, any calls from people claiming to be technical staff asking for passwords or requesting that you allow them to ‘scan’ your computer, or unusual web meeting requests—don’t hesitate to ask questions and verify things by phone or other means before proceeding. Employers should consider updating firm directories or creating phone trees that would allow an employee to pick up the phone and verify such attempts “offline” before proceeding.
    • As always, judgment is key. If something seems slightly off, or if the stakes are large (i.e., large payments), take the extra time to double check “offline” through independent means before granting access to a computer, clicking a link or opening any attachments, or processing any payments.


For more resources about addressing legal and business challenges associated with COVID-19, please visit Balch’s COVID-19 Resource Center.

According to a Bloomberg article posted earlier this morning, the U.S. Health and Human Services Department (“HHS”) suffered a cyber attack on its computer systems Sunday night.  The attack appears to have been intended to slow the agency’s systems, but was unable to do so in any meaningful way.   Just before midnight, the National Security Council also tweeted: “Text message rumors of a national #quarantine are FAKE.  There is no national lockdown.  @CDCGov has and will continue to post the latest guidance on #COVID19.”  The tweet was related to the hacking and release of disinformation. The government realized Sunday that there had been a cyberintrusion and that false information was circulating.

The hacking involved multiple incidents, and the tweet was meant in part to address the hacking.  It does not appear the hackers took data from the systems.  The administration has not yet confirmed who was behind the attack, which involved overloading the HHS servers with millions of hits over several hours. As of the posting of this blog, neither HHS, the White House, nor the National Security Council had responded to Bloomberg’s requests for comment.

To view Bloomberg’s article, click here.

On December 6, 2019, the FTC issued an opinion finding that Cambridge Analytica had engaged in deceptive practices to collect personal information from several users of Facebook for purposes of voter profiling and targeting.  In addition, the Commission found that Cambridge Analytica had engaged in deceptive practices regarding its participation in the EU-US Privacy Shield framework. According to the administrative complaint’s allegations, an app developer worked with Cambridge Analytica’s then-CEO to enable the developer’s GSRApp to collect Facebook data from app users and their Facebook friends. The complaint alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The FTC issued a final order which would prohibit Cambridge Analytica from misrepresenting the extent to which it protects the privacy and confidentiality of personal information, and its participation in the Privacy Shield and other similar regulatory or standard-setting organizations. Moreover, the Final Order instructs Cambridge Analytica to continue to apply the Privacy Shield’s protections to personal information collected while it participated in the Privacy Shield, or to provide other protections authorized by law, or to return or delete the information. It must also delete the personal information it collected through the GSRApp.

To view the Final Order, click here.

To view the FTC’s Opinion, click here.

To read the press release, click here.

Yesterday (November 26, 2019), a comprehensive federal privacy bill was introduced that would grant individuals broad rights with respect to their data, impose new obligations on data processors, and expand the Federal Trade Commission’s enforcement authority with respect to privacy, as well as allowing for state attorney general enforcement and individual rights of action. The bill was sponsored by Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA).

Some key elements of the bill include:

  • Broad definitions of covered data. Covered data is broadly defined, including all information “that identifies, or is linked or reasonably linkable to an individual or consumer device, including derived data”.
  • Broad scope of covered entities. With certain exceptions, covered entities would include all of those that are subject to the FTC Act and those that process or transfer covered data.
  • Preemption. The bill would preempt directly conflicting state laws, but not those that provide greater protections.
  • Individual Privacy Rights. Much like the GDPR and CCPA, individuals would have rights of access, deletion, correction, and portability over covered data. The individual also has the right to object to the transfer of data to a third party.
  • Consent and Data Minimization Obligations.  The bill would impose a general duty not to engage in deceptive or harmful data practices. The entity must also generally follow the privacy principle of data minimization by not processing or transferring covered data “beyond what is reasonably necessary, proportionate, and limited.”  Specifically, an entity must have the “prior, affirmative express” consent of the individual to transfer or process “sensitive” covered data (e.g., sensitive images, geolocation information, and other information as defined).
  • Reasonable Data Security and Other Obligations. An entity must implement “reasonable” data security practices, including vulnerability assessments, employee training, and secure data retention and disposal.  The entity must also designate privacy and data security officers in charge of ensuring compliance.  Entities transferring or processing data for a significant number of individuals must annually certify to the FTC that adequate internal controls exist.
  • Civil Rights. The bill would prohibit the use of data based on certain classifications (e.g., gender and familial status).  Entities engaged in algorithmic decision-making for certain purposes (e.g., credit eligibility) must conduct privacy impact assessments.
  • FTC Authority. The bill directs the FTC to establish a new bureau focused on privacy and data security, and grants the FTC along with state attorneys general (as well as individual rights of action, see below) the authority to enforce COPRA.  The FTC and state attorneys general would deposit recovered funds in the Data Privacy and Security Relief Fund, which would be used to compensate individuals. COPRA also directs the FTC to issue implementing regulations to refine definitions and establish a process for objecting to transfers of covered data.
  • Private Rights of Action. COPRA provides a private right of action for individuals, with damages ranging from $100 – $1000 per violation per day. Arbitration agreements and class action waivers are invalid with respect to disputes arising under COPRA.

We will be tracking the progress of this bill as it evolves.  To view the text of the draft bill, click here.

Last Friday, October 11, 2019, one day after the California Attorney General issued proposed regulations to implement the California Consumer Privacy Act of 2018 (“CCPA”), the California Governor, Gavin Newsom, announced that he signed all five of the September 2019 legislative amendments to the CCPA into law.  Those amendments include AB-25, AB-874, AB-1146, AB-1355, and AB-1564.  The governor had until Sunday, October 13 to either sign or veto the bills.

Among other changes to the CCPA, the amendments make the following notable changes:

  • Create a one-year exemption for HR data which sunsets Jan 1, 2021 (AB-25)
  • Create a one-year exemption from applicability for business-to-business customer representative personnel data, which sunsets Jan 1, 2021 (AB-1355)
  • Make various changes to the definitions of
    • “personal information” (AB-874 and AB-1355), adding reasonableness into the capability of being associated with an individual consumer or household and clarifying that personal information does not include de-identified or aggregate consumer information;
    • “publicly available” information (AB-874); and
    • “verifiable consumer request” (AB-1355);
  • Create revisions to the private right of action (AB-1355) to clarify that class action lawsuits may only be brought for breaches pursuant to CA data breach notification law when the personal information is “nonencrypted and nonredacted”.
  • Create limited exemptions for personal information necessary to fulfill a product warranty or recall or vehicle repair covered by a vehicle warranty or recall (AB-1146)
  • Clarify that a business does not need to retain or collect information in addition to that which it would otherwise collect in the ordinary course of business (AB-1355)
  • Revise the anti-discrimination right (AB-1355); and
  • Clarify that a business operating only online need only provide an email address as a designated consumer request method (AB-1564).

To view the various amendments, click on the following links: AB-25, AB-874, AB-1146, AB-1355, AB-1564.