Cybersecurity and Privacy Law Developments in Q1 of 2020

Attorneys of the Cybersecurity and Privacy Practice Group
Robinson Bradshaw Publication
April 28, 2020

Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as COVID-19 social-distancing measures drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter.

Introduction

The start of 2020 marked a watershed moment in U.S. privacy law with the groundbreaking new California Consumer Privacy Act going into effect. However, several other major developments in cybersecurity and privacy law also occurred during the first quarter of 2020. The first state laws to regulate the security of connected devices – known as the "Internet of Things" – went into effect, and a number of states beyond California also strengthened their requirements for data security and breach notification, such as New York's strikingly detailed requirements to safeguard personal data of New York residents. In a similar trend, the Federal Trade Commission announced a new model consent order for data security cases designed to add teeth and specificity; the Securities and Exchange Commission's Office of Compliance Inspections and Examinations published detailed observations of cybersecurity best practices for securities market participants; and the Department of Defense unveiled the new Cybersecurity Maturity Model Certification framework designed to strengthen and standardize cybersecurity obligations across all defense contracts. Beyond data security, last quarter two states and the European Commission tackled privacy concerns arising from the use of artificial intelligence – with a new Illinois law regulating the use of artificial intelligence in video interviews of job applicants, and a new Oregon law regulating the government's use of facial recognition services. As for litigation, the wave of class action lawsuits under the Illinois Biometric Information Privacy Act has continued apace – with a record-breaking $550 million settlement by Facebook – and the first class action lawsuit under the CCPA has already been filed. Federal courts also tackled tricky issues under both the Telephone Consumer Protection Act and the Computer Fraud and Abuse Act that have split circuits and are likely to reach the Supreme Court.

By the end of the first quarter of 2020, the spread of COVID-19 was declared a pandemic by the World Health Organization and became a human, economic and social crisis in the U.S. and across the world. The Office of Civil Rights in the Department of Health and Human Services has announced temporary relaxation of enforcement of certain HIPAA security requirements during the COVID-19 crisis to facilitate telemedicine. Other government authorities responsible for cybersecurity and privacy law may well take similar steps during the crisis – such as relaxing protections to help leverage electronic surveillance technology in order to trace the spread of infections. However, the California attorney general has rejected calls to delay the enforcement of the CCPA currently set to begin on July 1.

If you have questions about any of the legal developments highlighted in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.

State Law Developments


[1] The text of the California Consumer Privacy Act and related materials may be found via the California attorney general's website at this location: https://oag.ca.gov/privacy/ccpa.

[2] The text of California's S.B. 327 concerning IoT security may be found here: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327.

[3] The text of Oregon's H.B. 2395 concerning IoT security may be found here: https://olis.oregonlegislature.gov/liz/2019R1/Downloads/MeasureDocument/HB2395.

[4] The text of Oregon's S.B. 684 amending the renamed Oregon Consumer Information Protection Act may be found here: https://olis.oregonlegislature.gov/liz/2019R1/Downloads/MeasureDocument/SB684.

[5] The text of Texas' H.B. 4390 amending the Texas Identity Theft Enforcement and Protection Act may be found here: https://legiscan.com/TX/text/HB4390/2019. Information about the Texas Privacy Protection Advisory Council may be found here: https://senate.texas.gov/cmte.php?c=990.

[6] The text of Illinois' S.B. 1624 amending the Illinois Personal Information Protection Act may be found here: http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=101-0343.

[7] The text of Illinois' Artificial Intelligence Video Interview Act may be found here: http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=101-0260.

[8] The California attorney general's revised proposed regulations under the CCPA and information about the rulemaking process may be found here: https://oag.ca.gov/privacy/ccpa. The California governor's executive order N-40-20 may be found here: https://www.gov.ca.gov/wp-content/uploads/2020/03/3.30.20-N-40-20.pdf.

[9] The text of Washington's H.B. 1071 amending its breach notification law may be found here: http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/House Passed Legislature/1071-S.PL.pdf.

[10] The text of New York's Stop Hacks and Improve Electronic Data Security Act may be found here: https://www.nysenate.gov/legislation/bills/2019/s5575.

[11] The text of Washington's S.B. 6280 concerning the government's use of facial recognition services may be found here: http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/Senate%20Passed%20Legislature/6280-S.PL.pdf?q=20200413073638.

Federal Law Developments


[12] The FTC's blog post about new consent orders in data security cases may be found here: https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance?utm_source=govdelivery.

[13] The Cybersecurity and Resiliency Observations published by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations may be found here: https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.

[14] Information about the Cybersecurity Maturity Model Certification framework from the Office of the Under Secretary of Defense for Acquisition and Sustainment may be found here: https://www.acq.osd.mil/cmmc.

[15] At the time this article was published, the text of the proposed Data Protection Act of 2020 was available at: https://www.gillibrand.senate.gov/imo/media/doc/2.11.2020_Data%20Protection%20Act.pdf.

[16] The ONC Final Rule may be found here: https://healthit.gov/curesrule. The CMS Final Rule may be found here: https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.

[17] The Cyberspace Solarium Commission's report may be downloaded at https://www.solarium.gov/report.

[18] The text of the proposed Consumer Data Privacy and Security Act of 2020 may be found here: https://www.moran.senate.gov/public/_cache/files/a/e/ae6c623f-1c01-4f14-88c2-3ff8e8312ea3/15902DF0B294E025216BED39DD7317AF.lyn20111.pdf.

[19] A clearinghouse of OCR guidance related to the COVID-19 crisis may be found here: https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19.

Foreign Law Developments


[20] The Age Appropriate Design Code of the U.K. Information Commissioner's Office may be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/age-appropriate-design-code/.

[21] The European Commission's statement on the consequences of Brexit for data protection law may be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/brexit_en.

[22] The European Commission's White Paper on Artificial Intelligence may be found here: https://ec.europa.eu/info/publications/white-paper-artificial-intelligence-european-approach-excellence-and-trust_en.

Litigation and Enforcement


[23] The FTC's announcement of the settlement with InfoTrax Systems, L.C., including links to the consent order and underlying complaint, may be found here: https://www.ftc.gov/news-events/press-releases/2020/01/ftc-finalizes-settlement-utah-company-its-former-ceo-over.

[24] The FTC's announcement of the settlement with Mortgage Solutions FCS, Inc., including links to the consent order and underlying complaint, may be found here: https://www.ftc.gov/news-events/press-releases/2020/01/mortgage-broker-posted-personal-information-about-consumers?utm_source=govdelivery.

[25] The FTC's announcement of settlements with five companies regarding the EU-U.S. Privacy Shield may be found here: https://www.ftc.gov/news-events/press-releases/2020/01/ftc-finalizes-settlements-five-companies-related-privacy-shield?utm_source=govdelivery.

[26] The decision may be found at National Ink and Stitch, LLC v. State Auto Insurance Companies, No. 18-2138 (D. Md. Jan. 27, 2020). 

[27] The two decisions may be found at Glasser v. Hilton Grand Vacations Co., No. 18-14499 (11th Cir. 2020), and Gadelhak v. AT&T Services, Inc., No. 19-1738 (7th Cir. 2020).

[28] The two complaints may be found at Sedory v. Aldi, Inc., No. 2020-ch-02768 (Ill. Cir. Ct. Mar. 2, 2020), and Allen v. GWR Ill. Prop. Owner, LLC, No. 2020-ch-02983 (Ill. Cir. Ct. Mar. 10, 2020).

[29] The complaint may be found at Barnes v. Hanna Andersson, LLC, No. 3:20-cv-00812-DMR (N.D. Cal. Feb. 3, 2020).

[30] The court's decision may be found at In re Marriott Int'l, Inc., No. 19-md-2879 (D. Md. 2020).

[31] The complaint may be found at Fuentes v. Sunshine Behavioral Health Grp., LLC, No. 8:20-cv-00487-JLS-JDE (C.D. Cal. Mar. 10, 2020).

[32] The cited decisions interpreting the CFAA may be found at Christian Sandvig et al. v. William Barr, No. 16-1368 (D.D.C. 2020); hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019); and United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
