New legislation out of Hartford, S.B. 949, means that Connecticut joins Massachusetts in imposing strict state requirements for data protection. Additionally, the new law amends Connecticut’s data breach notification law, making Connecticut the first in the nation to affirmatively require entities that experience a reportable data breach to offer free credit monitoring to residents affected by the breach. The legislation further imposes significant new requirements on health insurers, as well as contractors that receive confidential information from state agencies, to maintain minimum data security protections. While health insurers have until 2017 to come into full compliance, the requirements for state contractors are effective as of July 1, 2015.
The National Telecommunications and Information Administration (“NTIA”), housed within the U.S. Commerce Department, has been facilitating a multistakeholder process to develop privacy safeguards for the commercial use of facial recognition technology since December of 2013—with the first in-person meeting held in February 2014. NTIA seeks to create a voluntary, enforceable code of conduct applying the administration’s privacy framework, including its proposed Consumer Privacy Bill of Rights, to facial recognition technology in a commercial context. After a little over a year in talks, and shortly after the NTIA’s 12th meeting, the process has broken down. On Monday, June 15, a joint statement signed by representatives of multiple privacy advocacy groups, including the Center for Democracy and Technology, the Electronic Frontier Foundation, Consumer Watchdog and the ACLU, declared that they “have decided to withdraw from further negotiations” because the process has been unable to elicit agreement “on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.” The joint statement further argues that “[t]he position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.”
On May 4, 2015, an intermediate appellate court in California held that the Song-Beverly Credit Card Act of 1971 (Song-Beverly), Cal. Civil Code § 1747.08, does not apply to online transactions involving the sale of merchandise that the buyer chooses to pick up at a retail store.
Connecticut Attorney General George Jepsen has announced the creation of a new Privacy and Data Security Department within the AG’s office. The Department will be tasked with handling all consumer privacy investigations and litigation, as well as educating the public and businesses about protecting sensitive data. Assistant Attorney General Matthew Fitzsimmons, who previously chaired a privacy and data security task force within the AG’s office, will head the new department and its dedicated team of lawyers. The AG has not received any additional funding for the Department.
Yesterday, the United States established a new sanctions program designed to deter and financially target foreign parties who engage in, support or profit from “significant malicious cyber-enabled activities.” Declaring a national emergency, President Barack Obama issued an executive order authorizing the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to identify as Specially Designated Nationals and Blocked Persons (SDNs) cyber-actors whose activities significantly harm the national security, foreign policy or economic health or financial stability of the United States. The U.S. government has not yet designated any parties under this new sanctions program. Once parties are so designated, U.S. companies must cease doing business with them and report any blocked property to the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC).
Montana Governor Steve Bullock has signed a bill, H.B. 74, that will toughen the state’s breach notification law. The bill expands the definition of “personal information” covered by the law to include medical record information (as further defined by the state’s Insurance Information and Privacy Protection Act), taxpayer identification number, or other identification number issued by the Internal Revenue Service. The revised law also requires organizations to notify the Attorney General’s Consumer Protection Office in the event of a breach. Insurance entities such as licensees or insurance support organizations must also provide notification to the state Insurance Commissioner. Notice to these regulators must identify the number of affected individuals, state the date and distribution method of the notice to affected individuals, and include a copy of the notice provided to individuals. The law takes effect October 1, 2015.
On March 2, Wyoming Governor Matt Mead signed a bill, S.F. 36, amending the state’s data breach notification law to revise the state’s definition of “personal information” and to specify the type of information required in notices to individuals. The amendment removes from the definition of “personal information” an individual’s demand deposit account, savings account, employee identification number, place of employment, and mother’s maiden name. At the same time, it adds new data elements to the definition, including taxpayer identification number, birth or marriage certificates, biometric data, medical history and health insurance information. The new law also specifies that a notification letter to individuals affected by a breach must include the types of personal identifying information that were the subject of the breach, a general description of the breach, the approximate date of the breach, and the actions taken to protect the affected system from further breaches.
On November 11, 2014, the Connecticut Supreme Court held in Emily Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (“Avery Center”) (SC 18904) that the federal Health Insurance Portability and Accountability Act (“HIPAA”) does not preempt state common law negligence and emotional distress claims against medical providers who improperly breach the confidentiality of a patient’s medical records and that “HIPAA may inform the applicable standard of care in certain circumstances.” In reaching its decision, the high court reversed the trial court’s dismissal of plaintiff Emily Byrne’s state common law causes of action for negligence and negligent infliction of emotional distress against Avery Center for releasing information about her pregnancy without her authorization in complying with a subpoena in a paternity action. Although other states have reached similar holdings, the Connecticut ruling is notable in light of the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, which expanded HIPAA liability to business associates. As such, covered entities as well as their business associates risk increased exposure under HIPAA and state laws, including negligence, invasion of privacy and state privacy claims.
Republicans scored historic victories in Tuesday night’s midterm elections, retaking the Senate majority for the first time since 2006 by adding at least seven seats and possibly as many as 10. The GOP increased its majority in the House of Representatives by at least 13 seats (with some races still undecided), achieving the largest House Republican majority since the Hoover Administration. And Republicans added three more governors to their ranks.
California has been experiencing a wave of putative class actions under the California Invasion of Privacy Act (“CIPA”). A decision this week by a federal court judge in California could halt new case filings and lay the groundwork for the dismissal of pending actions.
Consumer class actions under California’s Song-Beverly Credit Card Act have been shaped by significant case law developments over the last few years. Friday’s Ninth Circuit decision in Sinibaldi v. Redbox is a decisive victory for retailers of rented goods which will allow them wide latitude to collect personal information, such as zip codes, when using credit cards as a form of security.