- Posts by Karin M. McGinnis, Member
Well versed in employment, privacy, and general commercial litigation, Karin helps clients navigate a range of complex issues. In addition to employment and privacy matters, Karin has successfully litigated a wide range of ...
So far 2024 has seen a flurry of new and proposed state comprehensive privacy legislation. Nebraska and Kentucky are the two latest states to jump on the bandwagon. Both follow the now familiar framework established by the Virginia Consumer Data Protection Act. We explore each below.
Last week the Florida Senate passed its version of a comprehensive privacy law (SB 262), entitled the Florida Digital Bill of Rights. If signed by Governor DeSantis, the Digital Bill of Rights will require large companies (those with at least $1 billion in annual global gross revenues that also meet other metrics) to provide consumers with certain rights, including access, correction and deletion rights, opt-ins for processing of sensitive personal information and data of known children, and the right to opt out of targeted advertising, profiling, and the collection of voice recognition data. Although the threshold for coverage is high, the obligations are significant, including reasonable security measures, fair information practices, data protection assessments, mandated data retention limits, specific disclosures if the controller is engaged in targeted advertising, and a controversial requirement for disclosure of search engine methodology. Although there is no private cause of action, the Florida Department of Legal Affairs can enforce the law and impose civil penalties of up to $50,000 per violation, trebled in certain instances.
Iowa has become the latest state to enact a consumer privacy law, joining California, Colorado, Connecticut, Utah, and Virginia. On March 28, Governor Kim Reynolds signed into law Senate File 262, which, effective January 1, 2025, will provide Iowa consumers various protections over their personal data. The law applies to businesses that either conduct business in Iowa or produce products or services targeting Iowa consumers AND that either control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal data. Unlike California’s comprehensive privacy law, the Iowa statute has no revenue threshold for application of the statute. The statute excludes from coverage, among others, financial institutions and their affiliates, data subject to GLBA, and HIPAA covered entities.
On March 29, 2023, Iowa’s governor made Iowa the sixth state with a comprehensive privacy law, following in the footsteps of California, Colorado, Connecticut, Virginia and Utah. The Iowa Act Relating to Consumer Data Protection (ICDP) goes into effect on January 1, 2025.
The ICDP (which can be found here: https://custom.statenet.com/public/resources.cgi?id=ID:bill:IA2023000S262&cuiq=8e04c833-ee30-5394-bd10-4b61a2d27686&client_md=d7215793292e6d8c9cb26a1382d8546d&mode=current_text ) is most similar to the Utah Consumer Privacy Act, although the ICDP ...
On May 29, 2022, Maryland amended the Maryland Personal Information Protection Act (PIPA). Effective October 1, 2022, the amendment (located here https://mgaleg.maryland.gov/2022RS/chapters_noln/Ch_502_hb0962E.pdf ) revises provisions regarding genetic information. The revisions leave the term “genetic information” undefined for purposes of the notices required under PIPA. But the revisions also add a revised definition of genetic information as it applies to all other provisions of the law, including the provisions requiring investigation of a data breach and the requirement that businesses implement and maintain reasonable security procedures and practices. Specifically, the revised definition includes data that results from the analysis of a biological sample of the individual, or from another source that concerns genetic material and enables equivalent information to be obtained; DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, and single nucleotide polymorphisms; and information extrapolated, derived or inferred from such data, unless the information is encrypted, redacted or otherwise protected by a method that renders it unreadable or unusable.
Late last month the Securities and Exchange Commission (“SEC”) charged JP Morgan, UBS and Trade Station with violations of Regulation S-ID based on a range of inadequacies in their identity theft red flag policies and procedures. https://www.sec.gov/news/press-release/2022-131 The violations at issue might seem less than critical: not updating policies, merely copying over examples of red flags from Reg S-ID’s Appendix A, not incorporating specific policies into the red flag program, covering all accounts instead of conducting specific account assessments, and not providing sufficient detail in board reports. Although the SEC did not note any failure by these broker-dealers and investment advisers to actually detect and respond to identity theft red flags, the resulting orders and fines (up to $1.2 million) underline the SEC’s seriousness about protecting investors from cybercrime by requiring broker-dealers and investment advisers to up their game and focus on the details.
The U.S. Equal Employment Opportunity Commission (“EEOC”) is tasked with administrative enforcement of a variety of employment discrimination laws, including the Americans with Disabilities Act as amended (the “ADAAA”). The ADAAA prohibits discrimination against job applicants and employees based on “disabilities”, generally defined as a physical or mental impairment that substantially limits the individual in a major life activity. Employers are required to provide an employee with a disability a reasonable accommodation to enable the employee to perform the essential functions of the job, unless the reasonable accommodation would impose an undue hardship on the employer, or, in certain instances, where the employee would still pose a direct threat to the health or safety of themselves or others that cannot be addressed by a reasonable accommodation. It is interesting, therefore, that the EEOC issued Technical Assistance on May 12, 2022 entitled The Americans with Disabilities Act and the Use of Software, Algorithms and Artificial Intelligence to Assess Job Applicants and Employees. The stated concern is that use of AI tools will disadvantage job applicants and employees with disabilities.
The EEOC’s Technical Assistance is not law. It is not even regulation. But it does signal how the EEOC might deal with charges of discrimination brought by applicants and employees based on an employer’s use of AI.
On May 10, 2022, Connecticut became the fifth state in the U.S. to enact a comprehensive data privacy statute.
Effective July 1, 2023, the law imposes CCPA-like requirements on covered businesses. In scope and requirements, the law more closely mirrors Virginia’s and Colorado’s comprehensive privacy laws, effective January 1, 2023 and July 1, 2023, respectively.
Effective July 1, 2022, owners of personally identifiable information on residents of Indiana must provide notice of a data breach no later than 45 days after discovery of the breach. Currently, Indiana’s data breach law requires notice of a breach “without unreasonable delay.” When the amendment goes into effect in July, that standard remains, but the 45-day period will be the outer limit within which notice must be given.
The legal issues surrounding COVID-19 vaccines and mandates on employees are not unique to the United States. Karin McGinnis, Co-head of Moore & Van Allen's Data Privacy Team and member of Employment & Labor and Litigation Teams, recently collaborated with 11 esteemed colleagues from Globalaw™ in creating an article examining the law on COVID-19 vaccines in the workplace across five continents.
You can find the article here.
For questions and specific guidance regarding workplace vaccination regulations, contact Karin at the below link.
Resolving a split in lower courts, the U.S. Supreme Court issued a ruling in June limiting the type of conduct that can be prosecuted under the federal Computer Fraud and Abuse Act of 1986 (CFAA), a statute often used by U.S. Attorneys to prosecute hackers. In a 6-3 decision, SCOTUS ruled in Van Buren v. United States that Section 1030(a)(2) of the CFAA does not impose liability on individuals who use a computer to alter or obtain information they otherwise are entitled to obtain, even when they access the information for a prohibited purpose. In so ruling, SCOTUS limited a powerful federal ...
The U.S. Equal Employment Opportunity Commission (EEOC) on May 28, 2021 issued updated guidance on vaccinations. The relevant excerpts are attached and the full EEOC guidance is here https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws
In short:
- During the pandemic, employers can mandate that employees receive the COVID-19 vaccine, subject to exceptions such as required accommodations for persons with disabilities (see K5);
- Employers can require employees to provide the employer documentation showing that ...
The Employee Benefits Security Administration of the United States Department of Labor (“EBSA”) recently published guidance regarding cybersecurity best practices for recordkeepers and service providers responsible for plan-related information technology systems and data for ERISA-covered plans, including 401(k) and other pension plans.
The EBSA counseled that a plan’s service providers should implement the following practices:
- Have a formal, well documented cybersecurity program.
- Conduct prudent annual risk assessments.
- Have a reliable annual third-party ...
Virginia’s Consumer Data Protection Act makes it the second state to pass a comprehensive data privacy law.
Facebook is at the center of the “Schrems” cases, which exposed contradictions between U.S. and EU data privacy rules and toppled the U.S./EU Safe Harbor (Schrems I). In Schrems II, Austrian privacy activist Max Schrems challenges the adequacy of standard contractual clauses and the Privacy Shield (the replacement for the Safe Harbor). A recent opinion in Schrems II questions the adequacy of the privacy protections guaranteed by the U.S., but for now preserves the Privacy Shield and standard contractual clauses as potentially adequate means of transferring personal data from the EU to the U.S.
The ...
Earlier we posted an article regarding the amendments to the California Consumer Privacy Act by AB 25 and AB 1355 creating a moratorium on the application of much of the CCPA to employee personal information, subject to approval by California’s governor. We are pleased to report that Governor Newsom approved both AB 25 and AB 1355, and therefore the moratorium will be in effect until January 1, 2021. Some welcome relief for businesses trying to comply with the CCPA’s requirements.
The California Consumer Privacy Act (CCPA) imposes significant protections for California residents covered by the law, and significant burdens for companies required to comply with it. One area of concern is whether the CCPA applies to employee data collected by a business. The language of the CCPA was unclear, but was open to the interpretation that its protections covered such data. With an effective date of January 1, 2020, employers have been watching to see if the California legislature would clear up the uncertainty. The good news is that, at least until January 1, 2021, most ...
On April 16, 2019, Representatives Saine, Jones and Reives introduced House Bill 904, the long anticipated amendments to the North Carolina Identity Theft Protection Act, N.C. Gen. Stat. § 75-61 et seq. We first wrote about the proposed legislation in February 2018 [Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities]. The bill also amends the definition of identifying information in North Carolina’s criminal identity theft statute, N.C. Gen. Stat. § 14-113.20(b), adopted by reference in the Identity Theft Protection Act’s ...
Following in the footsteps of California, and the European Union’s General Data Protection Regulation, the State of Washington is taking steps to adopt a comprehensive privacy law focused on protecting consumer information. SB 5376, better known as the Washington Privacy Act, passed in the Washington State Senate on March 6, 2019 by a vote of 46 to 1 and had a public hearing in the Washington State House Committee on Innovation, Technology & Economic Development on March 22, 2019.
The bill has also received support from Microsoft General Counsel and former U.S. FTC Commissioner ...
With major consumer data breaches making headlines on a semi-regular basis, legislators around the country are starting to hold businesses more accountable for cybersecurity compliance. Industry-specific laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) already establish federal data security standards for some companies, and the Federal Trade Commission has taken the position that failure to have reasonable security measures is a violation of the FTC Act (see our DataPoints post here).
From Massachusetts to New Mexico, a handful of state legislatures also have ...
Recently the state of New Mexico enacted the Data Breach Notification Act, making it the 48th state in the United States to enact a statute requiring notice to individuals impacted by a data breach. In doing so, New Mexico follows some trends we've been predicting at the state level. These trends include covering encrypted data in the definition of personal information if the encryption key is accessed as well, and – importantly – requiring that companies engage in reasonable security measures to protect personal information in their possession. New Mexico also joins a handful of ...
We don’t see a lot of data breach litigation here in the Fourth Circuit, so it is notable that the Fourth Circuit Court of Appeals issued an opinion recently that weighs in on the standing debate (For more on the debate: Constitutional Standing Provides Fertile Battleground In Data Breach Litigation). In Beck v. McDonald, the plaintiffs in two consolidated cases sought to establish Article III standing based on the harm from embarrassment, mental distress, inconvenience, the increased risk of future identity theft and the cost of measures to protect against it after (i) a ...
A common and understandable concern of companies that suffer a data breach is whether the victims can sue the company. It is tempting to assume that the victims won’t sue if they do not suffer identity theft or monetary loss through misuse of the data. Not all victims, or courts, agree. As a result, standing, a constitutional prerequisite to bringing a lawsuit in federal court that is most often conceded rather than litigated, has become a focal point in data breach litigation where “risk of future harm,” rather than actual misuse of data, forms the basis of the victims’ claims.
To ...
The Federal Trade Commission, continuing its quest to be the enforcer of consumer privacy rights, has come down hard this month on ASUSTeK and LabMD for their failure to have adequate data security standards. Because the FTC has taken the position that its complaints and orders set the standard for adequate data security (DataPoints: Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016), companies subject to FTC jurisdiction should take heed.
LabMD cannot seem to catch a break. Although an ALJ dismissed the FTC’s claim against LabMD ...
EU Member States (the Article 31 Committee) approved today the EU-US Privacy Shield. The next step is formal adoption. The full press release can be found here.
The approval of the Privacy Shield is good news for companies who transfer personal data from the EU to the US. Although legal challenges to the Privacy Shield are likely, the Privacy Shield was designed to address the shortcomings cited by the European Court of Justice in the now invalidated Safe Harbor self-certification scheme and should have a better chance of standing up to those legal challenges.
Tandy Mathis and Karin McGinnis
Good information governance requires not only protecting the security of sensitive and proprietary information; it often requires pursuing legal action against those who threaten the secrecy and value of a company’s trade secrets. The Defend Trade Secrets Act (“DTSA”) both provides another tool for companies to pursue misappropriators of trade secrets and makes it more difficult for companies to quickly seize misappropriated trade secrets through court action. Given the challenges of the DTSA, companies should bolster their efforts ...
On June 13, 2016, the United States government asked the Irish High Court to be joined as amicus curiae (friend of the court) in the case brought by the Austrian privacy activist Max Schrems against Facebook, which attacks the use of model contract clauses to transfer EU citizens’ data from the EU to the U.S. as a violation of fundamental privacy rights. It is unusual for the U.S. government to seek to intervene in private litigation, particularly in foreign courts. However, the stakes are high should Facebook lose, and the U.S. government’s surveillance practices are at the ...
On February 24, 2016, President Obama signed into law the Judicial Redress Act giving citizens of certain “covered countries” access to U.S. courts to protect their privacy and take legal action against U.S. government agencies if their personal data is unlawfully disclosed. The Act provides that the U.S. Secretary of State, the Treasury Secretary and the Secretary of Homeland Security, will designate which countries and “regional economic integration organizations” (REIOs) will be “covered countries.” To be designated, however, the countries and REIOs must ...
by Privacy & Data Security Member Karin McGinnis
On the same day that groundhog Punxsutawney Phil predicted an early Spring, the EU College of Commissioners brought some sunshine of its own, announcing yesterday that it has reached an agreement with the U.S. on transfers of personal data from the EU to the U.S. Details on the “Privacy Shield” are sketchy, and the EU Commission still must confer with the Article 29 Working Party and draft a decision document setting forth the terms. But this is welcome news for companies on both sides of the pond. More good news came today. The Article ...
by Privacy & Data Security Member Karin McGinnis
The Federal Trade Commission’s PrivacyCon event brings together the FTC, researchers and academics to discuss the latest research and trends related to consumer privacy and data security. Much of the discussion today centered on Big Data, coming on the heels of the FTC’s report, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, which can be found here. Also prominent were concerns about web transparency and whether consumers in fact understand what data is collected on them and how it will be used. FTC ...
In just two years, social media password protection has gone from a privacy advocate’s dream to an employer’s harsh reality in many states. Maryland became the first state (in 2012) to enact legislation that prevented employers from requesting the user names or passwords to an employee’s or applicant’s personal social media accounts. Two states quickly joined Maryland in 2012 by passing similar password privacy laws, and nine more states added privacy protections in 2013.
So far in 2014, six states – Louisiana, New Hampshire, Oklahoma, Rhode Island, Tennessee and ...
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.