California has enacted the California Consumer Privacy Act of 2018, establishing the strictest data privacy law in the United States. Recent amendments provide a one-year partial exemption for personal information that is collected from job applicants, employees, business owners, directors, officers, medical staff or contractors. However, qualifying employers are still required to provide certain disclosures and are still liable for statutory damages if unencrypted, sensitive employee data is breached as a result of a failure to implement reasonable security measures.
The following is a CCPA checklist for employers:
· Determine whether the CCPA applies to your business.
· Inform key decision-makers about the CCPA and appoint a privacy compliance manager.
· Conduct data mapping of employee personal information.
· Draft an employee-specific disclosure document.
· Ensure that the employee disclosure is provided at or prior to the collection of employee personal information (including all applicants).
· Ensure that all contracts with service providers with access to employee personal information include robust information security and privacy provisions.
· Ensure compliance with other privacy, security and data protection and disposal laws.
For more detailed information on this topic, please see our Alert.
Ransomware attacks are on the rise and expected to reach epidemic proportions. The most publicized attack took place this year at the Hollywood Presbyterian Medical Center when it was forced to declare an “internal emergency” after a ransomware attack locked down its systems. Businesses that are viewed as offering a combination of valuable data and weak security may be seen as attractive to attackers. Some attackers have strictly financial motivations while others may simply be in it for “the data.”
According to Cisco’s Midyear Cybersecurity Report, email and malicious advertising are the primary ways ransomware infiltrates a system. Businesses often pay the ransom, but even when it is paid, files may be lost or altered in ways that could be devastating to the business.
Cisco reports that companies entering into M&A deals often do not conduct enough due diligence on the risk posture of the acquired business and realize their shortcomings after the deal is done, when it is too late to remediate problems or when it’s harder to do so because the networks are intertwined.
What can you do? Robust security is clearly the first step in preventing attacks, and that begins with the creation of a comprehensive privacy and security roadmap that addresses high-risk areas, compliance gaps and specific tactics for incident preparedness. It is important to involve experienced counsel at the outset, not only to advise on the array of federal and state privacy and cybersecurity laws and help develop the policy, but also to direct any security investigation so that consultants report potential vulnerabilities to outside counsel, protecting potentially negative findings from discovery in future litigation.
On September 7th, the Federal Trade Commission will begin its series of seminars on new and emerging technologies with a workshop on ransomware.
Following the July 12, 2016, adoption by the European Commission of the EU-U.S. Privacy Shield (the “Privacy Shield”), companies engaging in trans-Atlantic data sharing can now register for the Privacy Shield. It replaces the prior Safe Harbor Program, which was invalidated by the European Court of Justice on October 6, 2015, when it ruled that the data of European citizens was not safe when stored on U.S. computer servers given the U.S. government’s ability to access information through its intelligence services.
The new Privacy Shield provides transparency in how companies use personal data, robust U.S. government oversight and increased cooperation with EU data protection authorities (the “DPAs”). It includes more rigorous monitoring and enforcement by the U.S. Department of Commerce (the “Department”) and the Federal Trade Commission (“FTC”). Because the Privacy Shield is enforceable as U.S. law against a registered company, it is essential to ensure compliance before registering.
Key provisions of the Privacy Shield include:
- Informing Individuals About Data Processing: The Privacy Shield requires heightened notice standards compared with the Safe Harbor, including additional requirements for participants’ privacy policies.
- Providing Free and Accessible Dispute Resolution: The Privacy Shield outlines several dispute resolution mechanisms and specific timelines for handling disputes.
- Cooperating with the Department of Commerce: Participants should promptly respond to Department inquiries and requests for information relating to the Privacy Shield.
- Ensuring Accountability for Data Transferred to Third Parties: Participants must enter into written agreements with third parties to ensure that data is processed for limited and specified purposes consistent with the consent provided by the individual, that the third party will provide the same level of protection and that the third party will provide notification if it can no longer meet its obligation.
- Transparency Related to Enforcement Actions: The Privacy Shield seeks to create greater transparency for enforcement actions by making public any Privacy Shield-related sections of any compliance or assessment reports submitted to the FTC as a result of an FTC or court order based on non-compliance.
- Potential Additions in the Future: The Privacy Shield is designed to be updated with time to address evolving issues and accommodate the General Data Protection Regulation (effective in 2018).
The requirements of the Privacy Shield differ from those of its predecessor, the Safe Harbor. It may be prudent for companies engaging in the cross-border transfer of data to consult legal counsel experienced with the Privacy Shield to ensure compliance.
The Electronic Information Privacy Center (EPIC) has just filed a third-party intervention brief before the European Court of Human Rights (the Court) to help challenge the surveillance activities of intelligence organizations of the United States and the United Kingdom.
The case, according to EPIC’s brief, “impacts the human rights to privacy, data protection and freedom of expression of people around the world …,” and is of “broad international importance because it involves arrangements to transfer personal data between the United States and European countries.” A core purpose of EPIC’s intervention is to show the Court that “current trends in U.S. and European surveillance law … are undermining privacy, data protection, and security.”