Introduction

Employers need to be aware of the significant changes that are on the horizon when the California Privacy Rights Act (CPRA) becomes operative on January 1, 2023.

By way of background, in November of 2021, California residents voted to pass the CPRA, which affords California consumers heightened rights and control over their personal information. 

This post has been cross-posted from Seyfarth’s Consumer Class Defense Blog.

Now more than ever, it is important for organizations to review and update their basic information security protocols (their incident response, business continuity and crisis communications plans), and to ensure they’re keeping apprised of potential and developing security threats that may imperil their organizations (like a catastrophic ransomware attack). Nation state attacks and cyber criminal gangs efforts seem to be aimed daily at US businesses. And the ransomware plague that continues unabated, affects nearly all industry verticals.¹

Unfortunately, sometimes even when threats are known and being addressed, when employees are trained frequently regarding information security, and when the highest security precautions are taken, a threat-actor can quickly capitalize on miniscule vulnerabilities, and an organization is faced with the grueling task of picking up the pieces. This usually includes conducting a forensic investigation, updating written information security protocols, deploying patches and password resets, replacing hardware, conducting additional employee training, as well as analyzing differing state breach legislation and notifying consumers, attorneys general, and credit bureaus in accordance with those laws.

Even after these efforts, an organization is still at risk of privacy class action litigation. This might arise through a state attorney general, federal regulator, or a consumer whose data was wrongly accessed or in fact stolen during the cyber-attack.

But in order for a consumer to sue, the threshold, and hot-button, question is whether the consumer has standing under Article III of the US Constitution. [T]he “irreducible constitutional minimum” of standing consists of three elements. The plaintiff must have (1) suffered an “injury in fact” (2) that is “fairly traceable” to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.²

This article discusses the first prong of the standing elements: injury in fact. Because it is generally difficult for plaintiffs in these actions to show financial harm, or other actual damages, arguments have been raised by the plaintiffs’ bar that the future risk of harm should suffice to meet the first prong of the standing elements. The Supreme Court stated in Spokeo, Inc. v. Robins that even when a statute has been violated, plaintiffs must show that an “injury-in-fact” has occurred that is both concrete and particularized. While this did provide some additional information, the question of how the future risk of harm fits in was left outstanding. Fortunately, on June 25, 2021 the Supreme Court revisited this issue in TransUnion LLC v. Ramirez, 20-297, 2021 WL 2599472, at *1 (U.S. June 25, 2021), when a credit reporting agency flagged certain consumers as potential matches to names on the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, or other serious criminals. The Court found that those “flagged” consumers whose information was divulged to third party businesses as being included in this list suffered a concrete injury in fact.. With regards to those consumers who were flagged as potential matches, but the information was never disseminated, the Court was unconvinced that a concrete injury occurred. Id. The Court further examined the risk of future harm for these individuals, but declined to find injury in fact, stating that risk of harm cannot be speculative, it must materialize, or have a sufficient likelihood of materializing. Id. It will be interesting to see how this ruling plays out in the circuits in the context of a data breach. The Court included in its opinion some interesting information regarding certain circumstances that may give rise to a concrete harm. Id. Aside from physical or financial harm, the Court also stated that reputational harm, the disclosure of private information, or intrusion upon seclusion may rise to the level of concrete harm. Id. This then begs the question of whether a risk of harm analysis might be necessary in the context of a breach, where private information is indeed accessed and disclosed (i.e., disseminated) to an unauthorized 3rd party.
Continue Reading First There Was Litigation; And Then There Was Standing

This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software.  Since then, vulnerability has been independently verified and confirmed by Microsoft.  It is believed to have been used by foreign-state threat actors for an unknown period of time, extending at least to January, 2021.  Exchange acts as the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.

While the vulnerability does not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with Exchange servers.

Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation.  Office 365 is not affected, but companies with physical Exchange servers combined with Office 365 would still be vulnerable.  The vulnerability effects every version of Microsoft Exchange Server from 2010 through 2016.  The exploited vulnerability and potential back door allows a remote attacker full access and control of the organization’s Exchange server, including all the data residing on it—emails, attachments, contacts, notes, tasks, calendar items, etc.  Attackers using the vulnerability can also identify a mailbox by user name and view or copy the entire mailbox contents.

The seriousness of the issue is difficult to understate.  Using the exploit, intruders are able to leave behind one or more “web shell,” scripts for future use.  A web shell is an easily-operated, password-protected hacking tool that can be accessed from any browser over the Internet; they are also commonly used for legitimate functions, and thus difficult to identify as malware by file type alone.
Continue Reading Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat

California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech. However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process. The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really? To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights, while for the most part, avoiding the imposition of overly-burdensome requirements on a business, particularly those businesses that are already CCPA compliant. So, what’s changed, really?
Continue Reading California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)

Yesterday, California Attorney General Xavier Becerra announced his submission of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).  Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA.  This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.

Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft.  In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection, and of financial incentives, consumer opt-out rights, and the handling of requests to know and delete.

An important note is that the AG has requested an expedited timeline for OAL review in order to make the July 1 date for enforcement applicable.  Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package in advance of his October deadline. This is in support of his request for the OAL to expedite their review consistent with the standard 30 business day requirement, which would bring the Regulations’ effective date close to in line with the CCPA’s specified July 1, 2020 enforcement date.
Continue Reading California Attorney General Becerra Publishes Final Text of Proposed CCPA Regulations

At the beginning of 2020, a Federal privacy law, similar to that of GDPR or PIPEDA, was a faint and distant reality. However, in light of some mobile device and other monitoring being considered because of the COVID-19 pandemic, US Senators Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; John

While the United States largely hit the brakes as of March in the wake of the COVID-19 crisis, California Attorney General Xavier Becerra made clear his intentions to begin enforcement of the Act on July 1, 2020, as originally planned. This announcement came despite many organizations’ pleas to defer enforcement in order to relieve the

This weekend, Google was fined 50 million euros (over $55 million) by France’s Data Privacy Authority,  CNIL, for breaching Europe’s (fairly) new General Data Protection Regulation.

GDPR lays the framework for the legal processing of personal data, requiring that companies  have a lawful basis for processing a user’s personal information.  This lawful basis can result from the user’s genuine consent prior to collecting personal information; processing necessary for the performance of a contract, compliance with a legal obligation, to protect the vital interests of a data subject or natural person, for the performance of a task in the public’s interest, or for the purpose of the legitimate interests of a controller or third party.

The GDPR went into effect on May 25, 2018.  Shortly after its enactment, two privacy rights groups, noyb (Max Schrems’ brainchild) and La Quadrature du Net (LQDN) filed complaints against Google with the CNIL. The noyb complaint was filed on May 25, the same day the Regulation took effect. 
Continue Reading Google First “Tech Giant” to be Fined for Violating GDPR

Seyfarth Shaw Partner Jason Priebe was recently interviewed by C4CM regarding his tips for records retention.  This thoughtful discussion covered not only record retention policies, but information governance, risk, and potential costs resulting from the increasing volume of data produced during litigation.  Jason also provided practical steps to formulate a record retention policy when one

Seyfarth Synopsis: Please join us at our Chicago Willis Tower office on Thursday, December 6th, for breakfast along with a Seyfarth Legal Forum and Continuing Legal Education (CLE): 2018 Highlights and a Look Ahead to 2019.

About the Program

Providing our clients with a multidisciplinary overview of Legal Hot Button issues and Best Practice.