On January 12, 2021, the federal District Court for the Central District of California dismissed a data breach lawsuit—including a claim filed under the California Consumer Privacy Act (“CCPA”)—against Marriott International, Inc.  The holding, which dismissed the claims for lack of standing, will likely play a role in a number of CCPA cases that have motions to dismiss pending. The case stems from a cybersecurity breach announced by Marriott on March 31, 2020, in which two employees of a Marriott franchise in Russia allegedly accessed some personal information without authorization.  The class action was filed asserting claims for negligence,…
The Administrative Office of the U.S. Courts (the “AO”) recently disclosed that it has initiated an investigation into an apparent compromise in security of the Judiciary’s Case Management/Electronic Case Files System (“CM/ECF”) as a result of vulnerabilities associated with SolarWinds Orion products.  The AO noted that it is currently working with the Department of Homeland Security on an audit of security vulnerabilities that may pose a confidentiality risk for non-public documents stored on CM/ECF.  In other words, the AO is auditing whether sealed filings in federal cases have been compromised. As background, SolarWinds is a vendor that works with the…
On December 18, 2020, the United States Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued guidance specific to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the COVID-19 public health emergency. The guidance addresses permitted HIPAA disclosures of Protected Health Information (“PHI”) by covered entities and business associates via health information exchanges (“HIEs”) for certain public health purposes. OCR issued this guidance in order “to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency.” Specifically,…
On January 6, 2021, a bipartisan group of New York state lawmakers released a copy of Assembly Bill 27 (AB 27), the  New York Biometric Privacy Act.  If New York passes AB 27, it will join Illinois, Texas, and Washington as states that have adopted laws that strictly regulate the notice, collection, and handling of biometric information.  Significantly, however, it would join Illinois as only the second state to provide a private right of action with statutory damages for violations. The proposed bill is similar to the three other states with biometric-specific bills in that it would prohibit businesses…
On December 14, 2020, the Federal Trade Commission (FTC) announced in a press release that it is issuing orders under the FTC’s authority in Section 6(b) of the FTC Act to the following nine social media and video streaming companies: Amazon.com, Inc., ByteDance Ltd. (which operates the short video service TikTok), Discord Inc., Facebook, Inc., Reddit, Inc., Snap Inc., Twitter, Inc., WhatsApp Inc., and YouTube LLC. The FTC made publicly available samples of the letter and order sent to each company. Specifically, the FTC is seeking privacy policies, procedures, and practices related to: how social media and video streaming…
On December 18, 2020, the Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), and Federal Deposit Insurance Corporation (FDIC) announced an interagency notice of proposed rulemaking that would require supervised banking organizations to provide notification of significant computer security incidents to their primary federal regulator.  Under the proposed rule, for incidents that could result in a banking organization’s inability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector, the banking organization must notify its primary federal…
A recent settlement between the U.S. Department of Justice and a media conglomerate underscores the importance of implementing robust Telephone Consumer Protection Act compliance measures, including for third-party vendors.  In 2017, a jury found DISH Network LLC liable for its vendors’ violations of the Telemarketing Sales Rule and the Telephone Consumer Protection Act, as well as several state statutes.  Earlier this year, the Seventh Circuit affirmed DISH’s liability, but vacated the award and remanded for a recalculation of damages. Now, following the Seventh Circuit’s remand, the Department of Justice’s Civil Division has announced a $210 million settlement with…
The California Attorney General’s Office recently released a fourth set of proposed regulatory modifications to the California Consumer Privacy Act (the “CCPA”). As background, the Attorney General’s Office had only just recently given notice of a third set of modifications on October 12, 2020.  The third set of modifications revised the regulations relating to the notice of a consumer’s right to opt-out of the sale of their personal information.  Our previous post detailed the specific changes in the third set of modifications. The Attorney General’s Office received around 20 comments in response to the third set of modifications; these modifications…
On November 17, 2020, H.R. 1668, the “Internet of Things Cybersecurity Improvement Act of 2020,” was unanimously passed by the Senate. The bill is now on its way to President Trump for signature or veto. The bill would require the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”) to take certain steps to increase cybersecurity for Internet of Things (“IoT”) devices. IoT describes the extension of internet connectivity into physical devices and everyday objects. Examples of IoT devices include internet-connected appliances, thermostats, locks, or smoke detectors, but they are now pervasive…
On November 4, 2020, California voters approved the ballot initiative Proposition 24, more commonly known as the California Privacy Rights Act (the “CPRA”).  The CPRA goes into effect on January 1, 2023, and will expand several of the existing protections in the California Consumer Privacy Act (the “CCPA”). As background, the original CCPA emerged in 2018 as a compromise between legislators and the advocacy group, Californians for Consumer Privacy, which had secured a ballot measure vote for its proposed privacy law.  Californians for Consumer Privacy withdrew the ballot measure upon the passing of the CCPA.  However, the…
The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services have jointly posted an advisory to warn hospitals and other health care providers about the threat of malicious attacks on their information systems.  At least six hospitals across the United States were recently victimized by attacks using Trickbot malware within a 24-hour period.  These attacks have led to requests for ransom to release data, data theft, and the disruption of services. The advisory describes how the malware works, identifies indicators that a system may have been infected with the malware, and sets forth measures…
Assaults on Section 230 of the Communications Decency Act (the “CDA”)—which shields online platforms from civil liability for third party content on their services—are abundant these days.  On October 15, 2020, FCC Chairman Ajit Pai announced that his agency, at the request of President Trump, will draft rules explaining when platforms’ efforts to moderate user-posted content will leave them exposed to potential liability.  Two days earlier, Justice Thomas issued a scathing critique of the Court’s current interpretation of Section 230, arguing for a much more limited interpretation that would drastically narrow the liability shield. Most of the discussion has focused…
The Regulations to the California Consumer Privacy Act (CCPA) continue to evolve, in confusing fashion. As background, the AG’s Office had previously issued proposed Regulations to the CCPA in October 2019. The AG’s Office then issued a revised set of proposed amendments to the Regulations in February 2020 and then again in March 2020. While most of the regulations were made effective on August 14, 2020, the California Department of Justice withdrew four (4) sections of the proposed Regulations from the review of the Office of Administrative Law so that they could be adjusted at a later date. Adding to…
  October is National Cybersecurity Awareness Month, and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and Office of Foreign Assets Control (“OFAC”) kicked off the month by issuing two advisories that aim to increase cybersecurity awareness, assist financial institutions in detecting and reporting ransomware activity, and highlight potential sanctions risks for facilitating ransomware payments. The FinCEN and OFAC advisories signal the seriousness with which the Department of Treasury treats the threat of cybercriminals and ransomware attacks. Both FinCEN and OFAC have now squarely placed an obligation on financial institutions and other payment intermediaries to put procedures…
This week, California Governor Gavin Newsom signed into law two amendments to the California Consumer Privacy Act (CCPA) that would impact various CCPA exemptions. One amendment, A.B. 1281, would extend two exemptions that were set to expire later this year: the employee exemption and the business (B2B) exemption. Both of these exemptions will now remain in effect until at least January 1, 2022. The other amendment, A.B. 713, would clarify the exemption relating to de-identified personal information. This amendment went into immediate effect and imposes additional disclosure requirements and contract restrictions on the sale or disclosure of such information by businesses…