Social distancing imperatives and the resulting surge in remote work polices have led to increased demand for the use of electronic signatures in commercial transactions. Although the method of execution is just one factor to consider when determining the validity and enforceability of a contract, electronic signatures — when appropriately deployed — can provide a convenient replacement for manual wet-ink signatures in many transactions. The U.S. Electronic Signatures in Global and National Commerce Act (E-SIGN), as well as the widespread adoption at the state level of the Uniform Electronic Transactions Act (UETA) or comparable electronic signature laws, provide that electronic signatures and electronic records cannot be denied legal effect, validity or enforceability solely because they exist in electronic form. As workforces suddenly shift to remote operations with siloed employees lacking access to typical office services, yet still facing the same business needs and time demands, companies are reevaluating their electronic signature and records policies and technologies.
This post seeks to help parties navigate issues arising from COVID-19 risks from an employment and privacy law perspective in both the United States and Europe.
Novel coronavirus (COVID-19) presents significant issues for employers to navigate and significant consequences for employees across industries as COVID-19 reduces consumer spending, disrupts supply chains and presents challenges for managing workforces globally. Employers should be aware of their responsibilities and proactively put in place action plans to address this growing problem. Designing these plans, and addressing requested or mandated leaves and other restrictions on employee work, presents myriad employment law issues that may vary by jurisdiction. Employers are also likely to confront privacy questions as they seek information on employees’ and others’ health and travel across jurisdictions. In developing a plan, employers will want to consider these issues in a holistic and coordinated manner.
On January 31, 2020, the Department of Defense released its latest version of the Cybersecurity Maturity Model Certification (“CMMC”) for defense contractors. Under the CMMC plan, DOD contractors will be required to obtain a cybersecurity rating from Level 1 through Level 5. Self-certification will not be permitted. Given the significant investment of industry resources the CMMC may require, the DOD eased some concerns by announcing that it would roll out the CMMC program out in stages. A new Defense federal Acquisition Regulation Supplement (“DFARS”) clause is expected in the spring of 2020, and CMMC requirements are anticipated to be included in certain limited Requests for Information released starting June 2020. Ultimately, all DOD contracts will include a minimum cybersecurity requirement by 2026. (more…)
Just as companies were starting to recover from their exertions to put in place California Consumer Privacy Act (“CCPA”) compliance programs before the law’s January 1, 2020 entry into force, the California Attorney General (“AG”) provided an early February surprise. CCPA watchers long expected that the AG would revise the CCPA regulations he initially proposed on October 10, 2019. But when the AG actually released his proposed regulations on February 7 – a proposal he subsequently modified slightly on February 10 – both the timing and breadth of the revisions were surprising. In short, the revisions were both sooner and more significant than expected.
The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a report on Cybersecurity and Resiliency Observations based on practices seen in prior exams. OCIE published the overview of practices to help market participants when considering “how to enhance cybersecurity preparedness and operational resiliency,” while acknowledging that there is not a “one-size fits all” approach. The report links cybersecurity to resiliency and business continuity planning, explicitly merging two concepts on which the OCIE has previously focused into a single topic.
While much of the New Year attention has been focused on California due to the effective date of the California Consumer Privacy Act, a new Oregon law also went into effect on January 1, 2020 complicating compliance with data breach obligations. The law is unique among state data breach notification laws in that it imposes a direct obligation on vendors to provide regulatory notice to the state. It also requires vendors to provide notice to the data owner within 10 days. This new regulatory notice requirement may take some control away from data “owners” that typically manage (and often contractually demand sole control over) initial regulator communications with regard to incidents impacting their data. However, the new requirement may also incentivize service providers to take more responsibility for incident response.
On December 4, 2019, the Senate Commerce Committee addressed data privacy in a hearing titled, “Examining Legislative Proposals to Protect Consumer Data Privacy.” The hearing focused on the two leading privacy proposals that were put forward in the week leading up to the hearing, the Consumer Online Privacy Rights Act (COPRA), introduced by Sen. Maria Cantwell, D-Wash., ranking member on the Committee, and a Staff Discussion Draft of the United States Consumer Data Privacy Act of 2019 (CDPA), introduced by Sen. Roger Wicker, R-Miss., Chairman of the Committee. The competing proposals share many similarities, including their scope of covered data and entities, as well as their approaches to consumer transparency and access. However, as witness testimony during the hearing revealed, the proposals diverge on a few critical issues.
In the evening of December 17, 2019, Californians for Consumer Privacy, the consumer privacy rights organization led by Alastair Mactaggart that propelled California towards the U.S.’s first comprehensive privacy legislation, tweeted the Attorney General’s release of the title and summary for Initiative 19-0021. This Initiative would substantively amend and essentially replace the California Consumer Privacy Act (“CCPA”) with the proposed Consumer Privacy Rights Act of 2020—also known colloquially as CCPA 2.0. (more…)
As submitted for the comment period on Initiatives – Active Measures for Initiative 19-0021 on November 8, 2019.
Dear Mr. Mactaggart,
As privacy practitioners, we share your passion and dedication to the development of information privacy and data protection law in the United States. We acknowledge your achievement in pushing for the enactment of the California Consumer Privacy Act (CCPA) and contributing to the ongoing national conversation to advance privacy rights. Your commitment to these issues is clear, and we commend the seriousness of your work in addressing privacy rights in accordance with your vision.
We write in the spirit of constructive development of privacy regulation, and offer the following comments in the hope of contributing to the goal we share with you: improving the quality and effectiveness of U.S. privacy and data protection law while ensuring the continued innovation and flexibility that so benefit our society. Although we often advise the regulated community on privacy and data protection matters, the views expressed here are our own.
At the outset, we note that there are important improvements in your proposed initiative relative to the enacted CCPA. Many of your new initiative’s provisions could serve to move privacy and data security law in a positive direction. In this vein, we note the following: (more…)
This fall, scrutiny has increased on children’s privacy with the FTC and New York Attorney General’s announcement of the largest fine ever for violations of the Children’s Online Privacy Protection Act (“COPPA”), followed by FTC public workshops on updating the COPPA Rule. Combined with increased requirements for the sale of teen personal information under the California Consumer Privacy Act (“CCPA”), and calls for triple fines for children’s privacy violations under a potential CCPA 2.0 referendum for 2020, children’s privacy has come to the forefront of privacy risks.