CLA’s Privacy Law Section summarizes important developments in the privacy world and invites you to join and get involved with our new section!
Chair’s March 2021 Message
By Jeewon Kim Serrato
This week marks the one-year anniversary of many of us starting to work from home. We hope everyone is staying safe and feeling connected through our community. We are grateful that we were able to establish the new Privacy Law Section during the pandemic and that this is giving us an opportunity to continue to stay involved in the ever-evolving privacy landscape and build the community to support each other.
We are excited to announce two upcoming events in March. We have focused much of our recent programming on CCPA and CPRA related topics. On March 18, we’ll be turning our eye towards Europe and discussing with international data protection experts the current restrictions on personal data transfers between the EU and US and strategies for staying on top of the new EU regulations. On March 30, we’ll be coming back to Sacramento for an insider-look conversation with lobbyist Samantha Corbin about new developments in privacy law in California, including potential amendments to the CCPA/CPRA, negotiations over B2B and employee exemptions, and other CPRA cleanup amendments.
To learn more about these upcoming events and register, please visit: https://calawyers.org/section/privacy-law/events/
We will continue with our CCPA Intensive 12-webinar series in April. If you have expertise in CCPA compliance or in other privacy topics and would like to speak at one of our webinars, please send a description of your expertise to firstname.lastname@example.org to be added to our speakers list.
In case you missed it, in February we published the Privacy Law Review – What you need to know (December 2020 – January 2021) and Privacy Trends in 2021 and Beyond. The Privacy Law Review included: (1) a CCPA Regulations update, Status of Fourth Set of Proposed Modifications; (2) an article summarizing the new Apple App Store privacy disclosure requirements; and (3) a roundup of seven (7) CCPA litigation cases initiated in 2020, all of which were class actions filed in California federal courts.
To see the latest in privacy trends, news and thought leadership, please visit: https://calawyers.org/tag/privacy-news/
We are a volunteer-based organization, and the best way to get more active in our section is to join one of our committees. Whether you are interested in helping us build the organization and get involved in operations, or in writing an article or planning an event, please consider joining one of the committees by emailing Privacy@CALawyers.org.
- Memberships Committee
- Governance Committee
- Privacy Treatise Committee
- Privacy Publications Committee
- Privacy Education Committee
- Legislative Committee
- California Young Lawyers Association Committee
Descriptions of the committees can be found here:
All active Section members are also invited to join our CLA Privacy Law Section Monthly Meetings, which occur on the first Tuesday of every month, 11:00-11:30am PST. If you would like to hear the latest programming and section news, please message us at email@example.com to be added to our mailing list.
As we announced last month, we are now actively seeking new members to join the Executive Committee. The application form can be found here: https://calawyers.org/wp-content/uploads/2021/03/2021-2022-Appointment-Form-v1.pdf
Information regarding the appointment process can be found here: https://calawyers.org/cla/appointment-process/
If you are interested in learning more about what the Executive Committee does and whether you would like to join us, you can find a list of our current ExCom members here:
SAVE THE DATE
As part of the CLA Legislative Day, which we usually hold annually in-person in Sacramento, the Privacy Law Section will be holding a special session on April 14, 2:30pm-5pm PST, to meet virtually with California legislators and staff members and discuss the latest developments in California privacy, including CCPA amendments and CPRA rulemaking. Please mark your calendars and look out for event details, which will be circulated soon to our mailing list.
See you at the next event!
California Legislature Introduces Over 40 Privacy and Cyber-Related Bills
As all eyes are focused on anticipated appointments to the California Privacy Protection Agency and operationalizing the California Privacy Rights Act amendments to CCPA, California legislators have quietly introduced over 40 privacy and cybersecurity-related bills this legislative session, most of which have nothing to do with CCPA.
Many of the bills seek to strengthen the privacy and security obligations of state entities. Several would prevent agencies from sending outgoing mail that reveals social security numbers, another seeks to strengthen the data breach notification obligations of state agencies, and yet another would require state agencies to implement NIST cybersecurity guidelines.
Bills seeking to further regulate consumer genetic testing companies have also been introduced, including one that is nearly identical to a bill that was vetoed by Governor Newsom over COVID-related testing concerns, and another that seeks to include genetic information in state data breach laws.
The Automated Decision Systems Accountability Act of 2021, introduced by Representative Chau, joins the growing chorus of concern about algorithmic bias. It would require businesses to take affirmative steps to ensure that automated decision systems are continually tested for bias and would require impact assessments.
Despite the flurry of privacy bills, none were introduced to harmonize CPRA amendments with CCPA amendments passed after the initiative was drafted and none seek to codify employee or B2B exemptions set to expire January 1, 2023. CPRA has not been entirely ignored, as a bill was introduced to require appointees to the California Privacy Protection Agency to have a background in consumer rights advocacy.
The Privacy Law Section has an active Legislative Committee that provides CLA members with unique opportunities to get involved in state privacy legislation and regulation. If you are interested, please contact the committee at Privacy@CALawyers.org.
Another Massive Cyberattack – Microsoft Exchange Servers Impacted
On March 2, 2021, Microsoft disclosed a critical vulnerability impacting on-premises Microsoft Exchange Servers, including 2010, 2013, 2016, and 2019 versions. Servers that are internet-facing such as Outlook Web Access servers are particularly at risk of compromise.
This vulnerability does NOT affect Office 365/Exchange Online mailboxes.
Microsoft identified a hacking group, Hafnium, as being behind this attack. According to Microsoft, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
Now that patches have been made public for these vulnerabilities, the number of successful attacks against vulnerable internet-facing Exchange Servers is only going to increase. Threat actors can exploit these vulnerabilities to install web shells and gain access to the underlying system and networks. This can move the risk from access to email to access to the entire network itself.
Privacy professionals should immediately review with IT staff the status of their Exchange servers and mailboxes, and make sure that the following Microsoft advisories have been reviewed and that patches have been applied to protect vulnerable servers and mailboxes. Patching alone does not remove a web shell that was installed before the patch; endpoint monitoring or active network monitoring is a needed countercheck for impacted Exchange servers, to determine whether there has been any unauthorized network access or data exfiltration.
The EU/UK Draft Adequacy Decisions
CIPP/US, CIPP/E, CIPM
On February 19, 2021, the Commission announced two draft ‘adequacy decisions’ that would allow the free flow of data to continue from the EU to the UK. One decision falls under Regulation (EU) 2016/679 (the GDPR) and the other under the Law Enforcement Directive (2016/680), which deals with the processing of personal data for law enforcement purposes. If approved, the decisions would grant adequacy status to the U.K., ensuring EU personal data can continue to flow freely to the U.K.
Many are breathing a sigh of relief as the draft decisions likely foreshadow that the official adequacy decisions will be adopted soon. The draft adequacy decisions are the first and only adequacy decisions since the Schrems II ruling of the Court of Justice of the European Union (CJEU), which invalidated the Privacy Shield and led the European Data Protection Board (EDPB) to prepare its recommendation.
The U.K. does not have to do anything else. The publication of the draft decisions is the beginning of a process towards their adoption. First, the EDPB will provide a non-binding opinion on the findings. Then, the Commission will request approval from member state representatives under the comitology procedure before adopting the final adequacy decisions for the UK. This process will have to move quickly, as the extension under the TCA expires April 30, 2021, but if need be it can be extended to June 30, 2021.
While there was once talk of the U.K. leaving the EU and aligning its data privacy regime more with the U.S., it would seem that talk has ceased. It is clear that the U.K. intends to keep its data privacy regime aligned with the EU’s GDPR. Until further notice, U.S. businesses should expect to continue to conduct data transfers with the U.K. as if it were still a member of the EU, meaning mostly more of the same: appropriate safeguard mechanisms and derogations.
Second in the Nation: Following California, Virginia Governor Signs Comprehensive Privacy Bill
The Virginia Legislature moved quickly this session to approve the Consumer Data Protection Act (CDPA), which the Governor signed on March 2. Virginia follows California’s move to establish consumer privacy rights, where the California Consumer Privacy Act (CCPA) was adopted in 2018 with an effective date of January 1, 2020, and amended by the California Privacy Rights Act (CPRA) approved by voters in 2020. Like many of the CPRA amendments to CCPA, CDPA will be effective January 1, 2023.
Companies subject to the new laws in Virginia and California, which have already incorporated CCPA requirements, will need to expand their operations to meet additional obligations set forth in CDPA and CPRA.
At the heart of both CDPA and CCPA as amended by CPRA is the establishment of consumer privacy rights. Both laws grant consumers the right to access, delete, correct, and port their personal data. Additionally, under both laws, consumers can opt-out of the sale and sharing of personal data for targeted advertising, and specific protections are created for sensitive personal data (SPI). There are some nuances in how each law defines these rights. For example, CDPA defines a sale of personal data as involving monetary compensation, while a sale is defined much broader under CCPA. With respect to SPI, CDPA requires affirmative consent for use, while CPRA amendments give consumers the right to limit certain uses of SPI. Companies will need to closely scrutinize these differences to create processes that meet the requirements of each consumer right.
In addition to consumer rights, both CDPA and CCPA include obligations related to contracts with third parties and give the Attorneys General of each state the right to enforce the laws. But differences exist here as well. The CPRA amendments create a new privacy protection agency, while CDPA does not. And CDPA does not include a private right of action for security breaches, which is incorporated into CCPA. Additionally, CDPA permanently exempts employee and business-to-business data, while the exemptions for these types of data under CCPA will sunset on January 1, 2023.
CDPA was one of many state privacy bills introduced in state legislatures this year. Bills in Washington, Oklahoma and New York are moving steadily along. Now that CDPA is law, companies will face the challenge of incorporating new processes that comply with the nuances of the California and Virginia laws, and will likely face even more varied requirements as additional states pass privacy legislation.
11th Circuit Weighs in on Article III Standing in Data Breach Cases
By Jennifer Oliver, MoginRubin LLP
Federal courts have long struggled with the issue of standing in data breach litigation. On February 4, the Eleventh Circuit joined the coalition of courts that have found that a consumer’s exposure to a substantial risk of future identity theft, and the need to expend significant effort to mitigate that risk, do not confer Article III standing.
The decision is Tsao v. Captiva MVP Restaurant Partners, LLC, Case No. 18-14959, and it involved a restaurant point-of-sale system hack that resulted in the breach of consumers’ credit and debit card information. But because the class representative plaintiff did not allege that his credit cards were used by a third party, that his identity was stolen, or “a single specific, concrete injury in fact that he or anyone else suffered as a result of any misuse of customer credit card information,” the court found that the plaintiff’s allegations of harm were speculative at best.
In affirming the lower court’s dismissal of the case for lack of standing, the Eleventh Circuit found that neither the risk of injury from misuse of personal information obtained in the hack at some future time, nor actual present injuries in the form of time spent notifying card issuers and other mitigation, confer standing in data breach cases in that circuit.
It is important to note, however, that circuits remain split on whether alleged future risk of identity theft—without more evidence—satisfies Article III injury requirements. The Sixth, Seventh, Ninth, and D.C. Circuits have each found alleged future risk of identity theft, without any alleged misuse of data, satisfies Article III requirements. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016); In re Zappos.com, Inc., 888 F.3d 1020, 1023 (9th Cir. 2018); Attias v. Carefirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017) (“Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury.”); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015) (victims of identity theft suffer “aggravation and loss of value of time needed to set things straight, to reset payment associations after credit card numbers are changed and pursue relief for unauthorized charges”).
The Third, Fourth, and Eighth Circuits are in line with the Eleventh Circuit, finding that alleged future identity theft is too speculative to confer standing without allegations of actual misuse of personal information. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011); Beck v. McDonald, 848 F.3d 262, 274-75 (4th Cir. 2017); In re SuperValu, Inc., 870 F.3d 763, 771-73 (8th Cir. 2017).
These divergent interpretations of Article III’s application in data breach cases only increase the importance of state data privacy laws that explicitly confer standing even where evidence of actual misuse has not yet come to light. The California Consumer Privacy Act of 2020, for example, confers standing on “[a]ny consumer whose nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Cal. Civ. Code Section 1798.150(a)(1).