On June 2, 2021, Nevada Governor Steve Sisolak signed SB260, a bill that will amend the state’s existing privacy notice legislation, NRS 603A.300 to .360 (“Existing NV Privacy Law”). SB260 amends the Existing NV Privacy Law by exempting certain persons and information collected about a consumer from the law’s privacy requirements, expanding the types of entities that must facilitate consumer privacy opt-out rights, providing new and updated definitions, authorizing the opportunity to remedy a failure to comply with certain requirements, and updating other provisions to reflect the addition of data broker entities. Most notably, SB260’s addition of “data broker” to the existing statutory framework, in addition to the updated definition of “sale”, provides consumers with a broader opt-out right and likely brings more entities under the scope of the law. That said, even after the amendments, the Nevada law remains narrower than the California Consumer Protection Act (“CCPA”), as well as the forthcoming California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“VCDPA”) that go into effect on January 1, 2023.
The U.S. Department of Homeland Security’s Transportation Security Administration (“TSA”) issued a Security Directive, “Enhancing Pipeline Cybersecurity” on May 28, laying out new cybersecurity requirements for operators of liquids and natural gas pipelines and LNG facilities designated as critical infrastructure.
The Biden administration issued a lengthy Executive Order, “Improving the Nation’s Cybersecurity,” on May 12, which it described as the “first of many ambitious steps” toward modernizing U.S. cybersecurity defenses. The White House simultaneously issued an explanatory fact sheet and background press call.
Pursuant to the Order, government agencies will be required to deploy multifactor authentication, encryption, endpoint detection response, and logging and operate under the principle of a “zero-trust” environment. A clear purpose of the Order is to improve the security of commercial software, including by establishing baseline security requirements based on industry best practices. As the White House press briefer stated, the Order will impose “the power of federal procurement to say, ‘If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.’”
There just may be a new cybersecurity regulator in town.
In an effort it describes as “an important step” toward safeguarding more than $9.3 trillion in retirement assets, the U.S. Department of Labor (DOL) published its first cybersecurity guidance last week (Cybersecurity Guidance). The Cybersecurity Guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA) as well as plan participants and beneficiaries. Significantly, the Cybersecurity Guidance formally states the DOL’s position that cybersecurity is a matter of fiduciary responsibility under ERISA, stating that ERISA requires plan fiduciaries to take appropriate precautions to mitigate cybersecurity risks.
On March 17, 2021, California officials announced the appointment of five board members of the California Privacy Protection Agency ( the “CPPA”), the first data protection agency in the United States. The CPPA, created by the California Privacy Rights Act (“CPRA”) which California voters approved in November 2020, is charged with promulgating the CPRA regulations; enforcing the CCPA and CPRA; and educating consumers about their privacy rights.
For over two and a half years, California has enjoyed the spotlight of having the most comprehensive data privacy law in the United States. On March 2, 2021, Virginia forced California to share the honors, when Democratic Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA).
The VCDPA, which will not enter into effect until January 1, 2023, borrows heavily from the California Consumer Privacy Act (CCPA) and the European Union (EU) General Data Protection Regulation (GDPR). Perhaps because Virginia was able to benefit from the experience of businesses that have spent the better part of the last five years implementing the GDPR or the CCPA, the Virginia law is less prescriptive and more straightforward than its predecessors, with (one would hope) a correspondingly lighter implementation burden on companies. Nonetheless, there is just enough different in the VCDPA that businesses with a connection to Virginia will need to evaluate whether the law applies to them and how they will comply.
While an exegesis of the VCDPA is beyond the scope of today’s Data Matters post, this alert is designed to assist such efforts in three ways. First, we lay out the VCDPA’s scope, providing preliminary insight into which businesses the law will cover. Second, we highlight the key ways the VCDPA differs from — and, more important, extends beyond — the CCPA and GDPR so that businesses will have an initial sense of what, if any, unique obligations the VCDPA will place on them. Finally, for completeness’s sake, the post briefly summarizes the law’s key elements.
On February 4, 2021, the New York Department of Financial Services (NYDFS) issued Circular Letter No. 2 announcing a Cyber Insurance Risk Framework (the Framework) that describes industry best practices for New York-regulated property/casualty insurers. Issuance of the Framework is notable as it represents the first official guidance by a U.S. regulator concerning the increasingly critical issue of cyberinsurance. And while circular letters do not establish new legal requirements or have the force of law, they do set forth the department’s interpretation of the requirements of existing laws and regulations.1
On December 15, 2020, the U.S. Federal Deposit Insurance Corporation (FDIC) approved and the federal banking agencies jointly announced on December 18 a notice of proposed rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (NPR).1 The NPR is a joint proposal by the Office of the Comptroller (OCC), the Board of Governors of the Federal Reserve System (Board), and the FDIC.
On December 10, 2020, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released a proposed rule (the Proposed Rule) that would make a number of key changes to the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, HIPAA). HHS stated that the Proposed Rule is intended to reduce burdens that may limit or discourage care coordination and case management communications among individuals and HIPAA-covered entities while continuing to protect the privacy of individuals. The proposed changes are designed to lead to increased data access, sharing, and portability and to further HHS’s emphasis on patients’ right of information access, which has been highlighted through a series of enforcement actions in 2020. If enacted as proposed, the amendments would require healthcare providers and electronic health records (EHR) vendors to update policies and disclosures related to information access and perhaps even to redesign certain EHR processes. Comments are due 60 days after publication in the Federal Register.
The results are in, and California voters have approved the California Privacy Rights Act (CPRA) which was listed on the ballot as Proposition 24. The law, most of which does not go into effect until January 1, 2023, will substantially overhaul and amend the California Consumer Privacy Act (CCPA) which went into effect just this year, on January 1, 2020, with final regulations issued just a few months ago, on August 14, 2020. And indeed, CCPA obligations continue to evolve, with proposed amendments to the regulations proposed by the Attorney General’s Office mid-October 2020.