Yesterday, California Attorney General Xavier Becerra announced his submission of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).  Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA.  This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.

Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft.  In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection, and of financial incentives, consumer opt-out rights, and the handling of requests to know and delete.

An important note is that the AG has requested an expedited timeline for OAL review in order to make the July 1 date for enforcement applicable.  Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package in advance of his October deadline. This is in support of his request for the OAL to expedite their review consistent with the standard 30 business day requirement, which would bring the Regulations’ effective date close to in line with the CCPA’s specified July 1, 2020 enforcement date. Continue Reading California Attorney General Becerra Publishes Final Text of Proposed CCPA Regulations

At the beginning of 2020, a Federal privacy law, similar to that of GDPR or PIPEDA, was a faint and distant reality. However, in light of some mobile device and other monitoring being considered because of the COVID-19 pandemic, US Senators Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; John Thune (R-S.D.), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Jerry Moran (R-Kan.), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Marsha Blackburn (R-Tenn.) announced on Friday, May 1, a bill proposing the enactment of the “COVID-19 Consumer Data Protection Act,” which would apply to American health, geolocation, and proximity information.

This comes as various tech giants rush to develop an opt-in functionality or application that would allow users to trace their whereabouts to determine potential exposure to the deadly virus. The proposed Act aims to heighten protection for Americans’ data by imposing requirements on businesses similar to those seen in the CCPA and GDPR, such as providing notice to consumers at the point of collection regarding how data will be handled, how long it will be maintained, and to whom it may be transferred. Businesses would also need to allow consumers to opt out of the collection, processing, or transfer of applicable data under the Act. Further, businesses regulated by the FTC would be required to obtain affirmative consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for purposes of tracking the spread of COVID-19. We also see the concepts of data de-identification, data minimization, data security requirements, which all similarly sound very familiar.

While this proposed legislation applies only to health, proximity, and geolocation data, the burning question becomes whether, if enacted, this Act will pave the path toward Federal US Privacy Legislation.

While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the Act on July 1, 2020, as originally planned. This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the additional stress imposed on organizations as they respond to the COVID-19 crisis, and continue to work towards ensuring their compliance with the CCPA. While Becerra has not yet published his final regulations on the Act, there are aspects of the regulations that we expect to be largely intact in their current form once the final regulations are out as a result of reviewing the three drafts Attorney General Becerra has already produced.

Multiple Notice Requirements

The CCPA introduces a number of requirements with regards to consumer notice. The CCPA expressly introduces the concept of “layered notices.” This means passive notice requirements in the form of a privacy policy are not all that is required. There are also affirmative notice requirements at different points of a business-consumer relationship – not the least of which is at the point the business collects consumer data.

The CCPA Regulation imposes requirements for notice under sections 999.304, 999.305, and 999.308.  Section 304 lays out a roadmap for the types of notices required under the CCPA.  It states that a business required to comply with the CCPA must have a privacy policy. It imposes the requirement of a notice at the point a business collects personal information from a consumer. It also requires that a business provide a notice of a California consumer’s right to opt out if a business is selling the consumer’s personal data. Finally, under section 999.304, a business must also notify a consumer if it is offering a financial incentive or price differential for the disclosure of personal information. What isn’t clear around all of these notices is “where do they go?”

The CCPA makes abundantly clear that regardless of the type of notice a business is providing, it needs to be easily understandable, noticeable, interpretable, and accessible.

Specific Content Requirements

Throughout the multiple rounds of revisions, certain aspects of the Attorney General Regulations have remained largely untouched. It is therefore reasonable to rely on the following provisions being consistently incorporated into the final version of the Regulations. Accordingly, those preparing for CCPA enforcement beginning July 1, might start by ensuring the following:

  • Any notice or privacy policy provided to consumers:
    • avoids legal jargon and technical language, and is instead prepared in plain, easy-to understand language (don’t just reproduce the statutory language for categories of data collected);
    • is prepared in a format that readable, taking into account the types of devices from which a reader may access (think mobile v. laptop or tablet);
    • is available in the languages consistent with the contracts, disclaimers, announcements, etc. that the company provides in the ordinary course of business;
    • is accessible to those with disabilities.
  • The business’ privacy policy should also generally outline the consumer’s right to know about information collected, disclosed, or sold; their right to request deletion, right to opt out of the sale of personal information, and right to non-discrimination; it should include contact information for questions or concerns, and the date last modified.

Specific Process Requirements

With all the notice requirements come requirements to have processes and procedures in place to actually fulfill the obligations set out in the notices. To that end, the CCPA regulations have been consistent across all three drafts with the need for the following:

  • The business’ privacy policy is conspicuously posted on its website, or otherwise obviously available to consumers;
  • California consumer personal information is not utilized beyond the means initially disclosed at collection;
  • Collection does not happen unless a consumer has been notified;
  • No additional consumer information is collected or used beyond the disclosures at collection, without first notifying the consumer (and the notice has to include all those other notice provisions noted above);
  • Mechanisms for handling consumer requests are in place:
    • Consumers are provided with two or more methods for submitting requests to delete and opt out;
    • Businesses should consider their usual forms of contact with consumers to determine the appropriate mechanism for submitting such requests;
    • Businesses should develop a workflow to ensure requests are acknowledged within 10 business days, and responded to within 45 calendar days;
    • Businesses should ensure that they’re able to verify consumer identity open receipt of a request to know or delete;
    • Development of a two step-process for requests to opt into the sale of personal information.
  • Appropriate training is performed so employees or contractors handling consumer personal information understand the requirements of the CCPA and Regulations;
  • Record retention schedules and policies are updated to account for consumer records requests; and
  • The business has reasonable security measures in place to transmit personal information.

What we Aren’t Sure About

While we do have some insight as to the content of the final regulations, we still have to note that a number of important elements are not yet stable. The components of notice at collection seem to be slightly in flux. Where each notice might be presented (can you combine notices?) is also unclear. The Opt-Out Right also seems to be changing. This is mostly a function of what defines a “sale” and whether there will be exceptions to the currently absolute Opt-Out Right. The same is the case with the notice requirement around financial incentives (but components of this notice haven’t changed too much). Finally, the handling of requests to know/delete seem to be changing as well.

Conclusion

Following two rounds of revisions, we more than ever have an understanding of what will be required of businesses under the CCPA Regulations.  Various requirements and components of notice and the handling of consumer requests have remained largely unchanged, thus making those elements a reliable place to start in terms of CCPA compliance.  Attorney General Becerra has no intention at this time to defer the July 1, 2020 enforcement date, so time is of the essence for currently non-compliant businesses.

In response to the COVID-19 crisis, nearly all companies and organizations were abruptly forced to transition portions of, and in many cases, their entire workforce to remote work.  After a few weeks, it seems that many companies have adjusted to this “new normal” and settled in, albeit with some lingering technical and connectivity issues.  As companies raced to get their employees up and running remotely, it is likely many were primarily focused on connectivity and security, while necessarily ignoring the complex privacy, security, compliance, and document preservation challenges lurking below the surface of the “new norm.”

Companies will begin to realize that transitioning to a remote workforce can lead to unintended consequences that can and should now be addressed. Some of these unintended consequences include:

  1. Information Technology (“IT”) departments deploying software and systems such as Microsoft Teams, Slack, etc that have not yet been properly tested, including establishing retention periods, back-up procedures, and acceptable use policies.
  2. “Shadow IT” issues relating to employees using whatever services and products they think will help them do their remote job better, even when those products or services are not vetted by, supported by, or welcomed by corporate IT.
  3. Informal communications using messaging tools or social media platforms that are either not preserved subject to an active litigation hold notice, or that violate company policy, or frame the company in a negative light.
  4. Remote employee use of unauthorized external or cloud-based storage for company data.
  5. Information subject to a litigation hold notice being lost due to the inadequate back-up of laptops and other systems being used off-premises.
  6. Recycling of laptops, desktops, and mobile devices subject to a litigation hold notice in order to ensure rapid deployment of remote workforce.
  7. Employees using personal devices to store information and communications that are or could become subject to a litigation hold notice.
  8. Risking breach of confidential, sensitive, or personally identifying information (“PII”) due to lack of adequate remote security.
  9. Employees using unauthorized, unsecured, commercial collaboration tools.
  10. Employees using unsecured endpoints or endpoints with consumer-grade antivirus or antimalware.
  11. Employees operating off-network such that corporate firewalls for phishing and network intrusion are not engaged.
  12. Terminated employees subject to a litigation hold notice.

Continue Reading COVID-19 Remote Workforce Risks – Preservation, Compliance, Privacy, and Data Security Risks

Seyfarth Synopsis: In the past week, the cybersecurity community has seen a dramatic increase in the number of attacks being made on healthcare organizations around the globe. Despite the despicable nature of these attacks by malicious attackers trying to get rich off the suffering of others, there is a force of good that’s arisen from the cybersecurity community recently to help combat the threats.

The COVID-19 Cybersecurity Threat Intelligence League was formed by Ohad Zaidenberg last week, and has quickly grown into over 900 cybersecurity experts who are volunteering their time and experience to help healthcare organizations defend against the malicious threat actors. The group is comprised of malware researchers, white hat hackers, CISOs, cyber consultants, reverse engineers, coders, software providers, etc. Seyfarth’s own Richard Lutkus is involved with the group and is helping with cybersecurity related legal issues that members have. As part of the FBI’s InfraGard Special Interest Group for Legal, Richard is helping information be shared between law enforcement (including DHS, FBI, etc.) and private sector organizations.

One of the immediately useful results of the group’s collective wisdom is a publicly available list of IP addresses, URLs, file (hashes), and domains that are known to be related to COVID malware, ransomware, phishing, or other malfeasance. The link below contains each categorical list. Network administrators or cyber professionals can use these links to help protect their networks from these growing threats. It’s likely this list will be updated frequently. The list works by helping block malicious sites and applications from connecting the victim to the threat actor. When that connection fails, the malicious intent is frustrated. Thus, even when an employee accidentally clicks a malicious link, this can serve as a first line of defense to stop the malicious website from opening.

https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE

Beyond the list above, there is a major threat that has bubbled up to the surface recently.  In our prior article, we discussed the increase in remote workers being a threat to organizations. It appears that threat is being acted upon by malicious threat actors already. Seyfarth’s cybersecurity team is aware of over 767,000 computers around the world currently online that have exposed Remote Desktop Protocol (aka “RDP”) sessions and whose login credentials are being actively sold on the DarkWeb.  Typically, this service operates on port 3389 or 3390. Normally, having this exposed to the Internet is bad enough without source-IP limitations at the firewall level. However, because of a Microsoft bug (CVE-2019-0708) from last year relating to Remote Desktop, certain unpatched systems are extremely high risk if not patched.  We are seeing many unpatched systems, unfortunately, and now we have evidence of active exploitation of those systems.

While the list of currently vulnerable and exploited systems mentioned above cannot be shared publicly, if your organization is affected, you will likely hear from DHS of the FBI. Please share the above information with your CISO, CIO, CTO, or CSO (or anyone who fills that role for your organization) so that you can better defend against these ongoing threats.

Seyfarth Synopsis: As individuals and businesses continue to focus on the rising number of confirmed Coronavirus cases throughout the world and what steps they can take to guard against infection, malicious actors are exploiting those very same fears for their own profit. A dramatic increase in the number of employees working from home coupled with overworked business and commercial IT staff has resulted in a higher likelihood that security best practices may be forgotten or disregarded entirely.

A number of recent examples are discussed below:

1. Phishing

While the U.S. Treasury[1] has issued a relatively simplistic notice warning of an increase in phishing communications with instruction to simply disregard them, the FCC[2] has provided a number of recordings of phishing attempts related to obtaining a complimentary COVID-19 testing kit and scheduling HVAC cleaning to protect against the spread of COVID-19.

Other phishing attempts seen in recent weeks involve the threat actor posing as members of the Center for Disease Control and Prevention or the World Health Organization in an attempt to legitimize their scams.  A common tactic is for these scammers to register malicious domain names (cdc-gov.org and cdcgov.org) that are similar to valid domains (cdc.gov) in order to confuse already worried recipients. Continue Reading The Impact of COVID-19 on Cybersecurity

In this unprecedented time, businesses are, more than ever, implementing and rapidly rolling out programs for remote or at-home work by employees. The quick changes in local and state governmental “shelter in place” instructions and Public Heath directives have placed significant strains on remote networks and caused local shortages of laptop computers at office supply and electronic stores across the country.

With this unexpected increase in remote workers, many companies are pushing the limits of their existing remote access technology, or deploying ad hoc technology and access solutions as quickly as possible. Some of those companies are not taking the time to consider potential information security, privacy, and other compliance ramifications for those same remote workers.

It is entirely appropriate and necessary for companies to adapt their technology and work networks are utilized to the greatest degree possible to remain in operation and serve business and customer needs. But as always, data security and privacy should always be part of the equation.

Below are some essential things to know about the security risks posed by remote or at-home worker, and a Technical Checklist for Remote employees to make sure your corporate data is safe, and you do not risk compliance challenges with data privacy law and requirements. Continue Reading Cybersecurity, Data Privacy, and Compliance Issues Related to Remote Workers

At the end of 2019, the Second Circuit finally weighed in on an issue that has divided federal courts considering applications for discovery pursuant to 28 U.S.C. § 1782, through which a litigant can obtain an order from a federal court for discovery to be used in a foreign proceeding. (You can read more about Section 1782 here and here). Federal courts have split over whether Section 1782 allows a party to obtain documents controlled by an entity in the United States but that are held overseas—for example, records held in the London office of a corporation headquartered in New York.1 In a pair of recent decisions, the Court of Appeals for the Second Circuit joined the Eleventh Circuit in holding that Section 1782 does permit discovery of documents held outside the United States and that are within the control of a US individual or entity. Continue Reading Second Circuit Weighs in on the Extraterritorial Application of 28 U.S.C. § 1782

At Seyfarth, I’m not just an attorney—I’m also an ethical hacker and digital forensic expert, and I’m proud to be one of several “attorneys who code” at Seyfarth. Here, we’re passionate about technology, and we routinely seek creative ways to leverage innovations that enhance client services.

I’ve found that one area where emerging technology can make an enormous impact is in the data breach notification assessment space. Specifically, I’ve found that artificial intelligence can power the evaluation of implicated data for personal information like PII and PHI to determine notice requirements in the various implied jurisdictions. While there are many ways to accomplish that evaluation, I wanted to share my experience partnering with Text IQ, a company that builds AI for sensitive information, to power a data breach response in a blind study alongside the traditional document review and coding approach. The result was reduced risk, quicker turnaround time, and cost reduction for Seyfarth’s client. Continue Reading Powering Data Breach Response with AI: A Case Study

In a much-anticipated opinion, Judge George B. Daniels of the United States District Court for the Southern District of New York recently affirmed the decision of a magistrate judge regarding the scope of discovery in aid of a foreign litigation pursuant to 28 U.S.C. § 1782.  (You can read more about Section 1782 and the magistrate judge’s underlying decision in our prior blog post, here).  Briefly, Magistrate Judge Gabriel W. Gorenstein grappled with an issue that has divided federal courts: whether Section 1782 can be used to compel the production of documents maintained outside the United States.[1]  Magistrate Judge Gorenstein held that the fact that documents were maintained overseas did not bar the discovery sought so long as the documents were within the control of a discovery target located in the U.S.—in this case, a New York-based law firm with a branch office in Russia.  Continue Reading New Decision Regarding Discovery in Aid of Foreign Litigation