Month: September 2022

The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) seeks public comment on structuring and implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  Comments may be submitted by November 14, 2022 through the Federal e-Rulemaking Portal: http://www.regulations.gov.  The CISA’s Request for Information is located at: https://www.federalregister.gov/documents/2022/09/12/2022-19551/request-for-information-on-the-cyber-incident-reporting-for-critical-infrastructure-act-of-2022

Data privacy laws take effect during 2023 in California, Virginia, Colorado, Utah, and Connecticut.  Specifically:

• • California Privacy Rights Act, effective January 1, 2023
  • Virginia Consumer Data Protection Act, effective January 1, 2023
  • Colorado Privacy Act, effective July 1, 2023
  • Connecticut Data Privacy Act, effective July 1, 2023
  • Utah Consumer Privacy Act, effective December 31, 2023

Other states are actively considering the implementation of a comprehensive privacy law.

Currently, the United States does not have a federal data privacy law.  In May 2022, a bipartisan group of legislators introduced the American Data Privacy and Protection Act (“ADPPA”), which includes federal preemption of state laws with some exceptions, such as a limited private right of action for certain privacy violations.

As we enter the last quarter of 2022, make preparations to comply with the new state data privacy laws.

In a precedential ruling, the Third Circuit reinstated a class action lawsuit filed by a former employee who was required to provide sensitive personal and financial information to her employer which was then released on the dark web following a phishing attack, despite the employer’s statement that it would take appropriate measures to protect the information.   In Clemens v. ExecuPharm Inc., No. 21-1506 (3d Cir. Sept. 2, 2022), the Third Circuit:

• • overturned the District Court’s dismissal of the action for which the District Court found that Plaintiff failed to allege that she experienced actual identity theft or fraud
  • rejected the contention that a risk of identity theft or fraud cannot qualify as sufficiently “imminent” to establish standing to bring a lawsuit

Plaintiff, a former employee of Defendant, was required as a condition of her employment to provide sensitive personal and financial information, such as her social security number, bank and financial account numbers, tax information, her passport, and information about her husband and child.  Plaintiff’s employment agreement states that Defendant would “take appropriate measures to protect the confidentiality and security” of this information.

After Plaintiff left Defendant’s employment, a hacking group used a phishing attack in March 2020 to install malware on Defendant’s servers, stealing sensitive information about current and former employees including Plaintiff.  Either because Defendant refused to pay or for other reasons, the company’s data – including 123,000 files and 162 gigabytes of data – was released on the dark web, as confirmed by screenshots taken by an intelligence firm.

Plaintiff promptly took actions, including: (1) enrolling in Defendant’s complimentary one-year credit monitoring services, (2) transferring her account to a new bank, and (3) placing fraud alerts on her credit reports.

Plaintiff filed a class action lawsuit asserting claims for breach of contract, breach of implied contract, negligence, negligence per se, breach of confidence, and breach of fiduciary duty.  Plaintiff alleged that she sustained injuries as a result of the data breach – primarily the risk of identity theft and fraud – in addition to the investment of time and money to mitigate potential harm.

The District Court dismissed the case, stating that Plaintiff had not yet experienced actual identity theft or fraud, and thus she had no standing to bring this action.

First, the Third Circuit analyzed that to sustain an injury-in-fact in order to have standing to bring a lawsuit, the injury must be “actual or imminent” which indicates that Plaintiff need not wait until she has actually sustained the feared harm in order to seek judicial redress.  Instead, Plaintiff can file suit when the risk of harm becomes imminent: “meaning it poses a substantial risk of harm – versus hypothetical in the data breach context.”  Id. at  10.  The Third Circuit discussed that there are many factors to determine whether a risk is “imminent,” including whether:

• • the data breach was intentional
  • the data was misused
  • the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft

Second, the Third Circuit cited to U.S. Supreme Court cases which ruled that an intangible injury – which is an injury that does not represent a purely physical or monetary harm to a plaintiff – may be a “concrete” injury.

Third, the Third Circuit analyzed the employment agreement in which Defendant expressly contracted to “take appropriate measures to protect the confidentiality and security” of this information.

Thus, the Third Circuit is permitting the class action to proceed in the District Court.

 

California’s bill would require companies that provide online services or products “likely to be accessed by children” – defined as any individual under the age of 18 – to adhere to heightened privacy and data protection standards.

The California Age-Appropriate Design Code Act, A.B. 2273, passed in the California Legislature.  The bill is expected to be signed by the Governor and go into effect July 1, 2024.

The anticipated law applies to “businesses” which are for-profit organizations that do business in California and: (1) have revenue of more than $25 million, or (2) derive 50% or more of its annual revenue from selling consumers’ personal information, or (3) buys/receives for commercial purposes the personal information of more than 50,000 consumers/households/devices.  In summary, A.B. 2273 requires:

• Default privacy settings:  Companies must configure default privacy settings to the highest possible level of privacy and provide privacy information and other policies prominently in terms that children can understand.
• No use of minor’s personal information:  Companies will be banned from using children’s personal information “for any reason other than a reason for which the personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of children,” according to the legislation.
• Attorney General’s authority:  A.B. 2273 permits the Attorney General to seek an injunction or civil penalty against companies that violate the Act.  Negligent violations could result in a penalty of up to $2,500 per affected child, and intentional violations could result in a penalty of up to $7,500 per affected child, according to the bill.  Currently, the bill does not provide a private right of action.

In sum, the bill: (1) increases technology regulation, (2) aims to provide more online privacy protections for minors, and (3) will cause companies to increase privacy, legal, and engineering resources to meet the bill’s requirements.