CCPA News: Amendments Signed into Law by the Governor and Draft Regulations Released by the Attorney General

Last week was a busy week for the California Consumer Privacy Act (CCPA), as Attorney General Xavier Becerra released draft regulations on October 10 and Governor Newsom signed several pending CCPA amendments into law on October 11. The CCPA amendments clarified several important issues, including:

  • employee information and business-to-business (B2B) communications are exempt from the CCPA until January 1, 2021
  • the definition of personal information includes information that is “reasonably” capable of being associated with a particular consumer or household, as opposed to “capable” of being associated with a consumer or household
  • elimination of the requirement of a toll-free number for customer contact if a business operates exclusively online and has a direct relationship with a consumer.

The draft regulations focus on consumer notices, business processes, verification requests and financial incentives. Specifically, the regulations address four notices required under the CCPA: (1) notice to consumers at or before the collection of personal information; (2) notice of the right to opt-out of sale of personal information; (3) notice relating to financial incentives; and (4) notice through a website privacy policy.

One theme regarding consumer notices that is obvious throughout the draft regulations is that consumer notices must be designed and presented to consumers so that they are easy to read and understandable to an average consumer. The draft regulations require the use of plain, straightforward language, a format that draws the consumer’s attention to the notice, and requires that the notice be in the languages in which the business provides consumer contracts. It requires businesses to create a button on their website or apps for California users to be able to opt out of the collection of their personal information.

With respect to business processes, the draft regulations establish processes for the following:

  • details regarding the content of a website privacy policy
  • methods for businesses to provide for consumers to submit requests
  • the process for businesses to respond to consumer requests
  • rules regarding how businesses can seek additional time to respond to consumer requests, including deletion requests
  • training requirements
  • record-keeping guidance so businesses can demonstrate compliance with the CCPA
  • procedures regarding verifiable consumer requests and deletion requests
  • rules regarding password-protected accounts so consumers may use their existing password authentication processes if the business implements reasonable security measures to detect fraud
  • processes for businesses to comply with the opt-in requirements regarding the sale of the personal information of minors under 13 years of age, and minors between the ages of 13 and 16
  • processes regarding discriminatory practices and financial incentive offerings
  • guidance regarding how to calculate the value of consumers’ data in designing financial incentives and to require the business to publicly disclose the estimated value of the consumer’s data and the method by which the amount was calculated.

The Attorney General stated that the law is designed to protect over $12 billion worth of personal information used for advertising every year and that the projected cost of compliance with the regulations will range from $467 million to $16.4 million over the next decade, including legal, operational, technical and business costs. He has indicated that he’ll be amending the draft regulations to conform with the recent amendments to the law. The deadline for the public to submit comments on the draft regulations is December 6 at 5 p.m. Four public hearings are scheduled in Sacramento, Los Angeles, San Francisco, and Fresno, California between December 2 and December 5. Final Regulations will be issued after the comment period.

Enforcement of the Regulations by the Attorney General will begin on July 1, 2020, which includes civil penalties of up to $7,500 per violation.

The CCPA also provides California residents the right to sue companies for data breaches of their personal information if the company fails to use reasonable security measures to protect it. Residents can seek damages of between $100 and $750 per consumer per incident under the law. This limited private right of action for a data breach is the first of its kind in the nation. The law allows consumers to sue following a data breach without having to prove they suffered actual harm or damages.

FBI Warns of Sharp Increase in Ransomware Attacks in Certain Sectors

The Federal Bureau of Investigations Internet Crime Complaint Center (IC3) recently issued a public service announcement warning private companies about the increasing numbers of ransomware attacks affecting private industry. According to the warning, “Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”

The ransomware attacks are initiated through “large scale or targeted phishing campaigns and exploiting software and Remote Desktop Protocol (RDP) vulnerabilities to get a foothold on their victims’ systems before encrypting their systems.”

The FBI is urging companies not to pay the ransom, and to contact the FBI in the event of an attack so it can use the information, along with information provided by other victims, to track the ransomware attackers, find them and hold them accountable, in order to prevent future attacks.

The FBI also recommends that companies:

  • Regularly back up data and verify its integrity
  • Focus on awareness and training
  • Patch the operating system, software, and firmware on devices
  • Enable anti-malware auto-update and perform regular scans
  • Implement the least privilege for file, directory, and network share permissions
  • Disable macro scripts from Office files transmitted via email
  • Implement software restriction policies and controls
  • Employ best practices for use of RDP
  • Implement application whitelisting
  • Implement physical and logical separation of networks and data for different org units
  • Require user interaction for end-user apps communicating with uncategorized online assets

Ransomware is extremely disruptive to business operations, so preparing for such incidents is mission critical, including deploying an incident response team and testing incident response plans.

Dental Practice Pays $10,000 Fine to OCR for Disclosing PHI on Social Media

Elite Dental Associates (Elite), located in Dallas, Texas has agreed to settle alleged HIPAA violations with the Office for Civil Rights (OCR) for $10,000.

The OCR alleged that it received a complaint from a patient in June of 2016 that Elite had disclosed the patient’s last name and details of the patient’s health condition on social media. After an investigation, the OCR “found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.”

The OCR further alleged that “Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complies with the HIPAA Privacy Rule.”

According to the OCR, it “accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.”

In its press release, the OCR stated, “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

The Settlement Agreement and Corrective Action Plan also requires Elite to be monitored for two years and to implement appropriate HIPAA-compliant policies and procedures.

From California to Nevada: Another State Privacy Law That You Need to Know

While we’ve discussed the California Consumer Privacy Act (CCPA) at length, Nevada was busy amending its internet privacy law and in the process beat California’s deadline for the effective date by three months. Nevada’s SB 220 is effective as of October 1, 2019.

This law prevents covered operators from selling individual’s personal information and allows consumers to submit verified requests to a business to exercise their opt-out rights. Covered operators must start accepting these requests from individuals now. Key provisions to note include:

  • SB 220 amends existing state law that requires an operator of an Internet website or online service that collects certain items of personally identifiable information about consumers in Nevada to make available a notice containing certain information relating to the privacy of covered information collected by the operator.
  • SB 220 revises the definition of the term “operator” to exempt certain financial institutions and entities that are subject to Gramm-Leach-Bliley Act, entities covered by the Health Insurance Portability and Accountability Act, and certain persons who manufacture, service or repair motor vehicles.
  • One of the most important provisions to note is that SB 220 requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to sell any covered information collected about the consumer. This consumer opt-out right is similar to opt-out rights that we’ve discussed previously regarding the CCPA.
  • “Sale” means the exchange of covered information for monetary consideration by the operator to a person for that person to then license or sell the covered information to additional persons.

The new law prohibits an operator who has received an opt-out request from a consumer from selling any covered information collected about the consumer. The law does not provide a private right of action to consumers; however, the Nevada Attorney General is authorized to seek a temporary or permanent injunction or seek to impose a civil penalty not to exceed $5,000 for each violation if the Attorney General has reason to believe that an operator, either directly or indirectly, has violated this law.

What’s next? Determine if your business needs to comply with this Nevada law. Generally speaking, businesses and other entities that operate a website and collect and maintain covered information about consumers who reside in Nevada and who use that website may need to review and update their website privacy policies; create processes for consumers to exercise their opt-out rights regarding the sale of their personal information; maintain a designated address for consumers to submit opt-out requests; and establish a process to respond to consumers within sixty (60) days of receipt of the opt-out request.

U.S. Supreme Court Declines to Hear Case on Whether Commercial Websites and Mobile Apps Subject to Title III of the Americans with Disabilities Act (the “ADA”)

The ADA was enacted in 1990 to prohibit discrimination against persons with disabilities. It did not include express rules about access to websites and mobile apps. But that hasn’t stopped a flood of lawsuits against companies based on claims their websites or mobile apps might not be accessible to people with disabilities, such as visual, hearing or limited manual dexterity.

According to UsableNet, a technology and accessibility company, nearly 2000 ADA-related lawsuits are expected to be filed by the end of 2019. UsableNet claims almost half of top 500 retailers have been sued since just the last two years.

In one such case, the pizza chain Domino’s was sued in federal District Court in California by a blind man who wasn’t able to order pizza on Domino’s website and mobile app. Domino’s claimed applicable law didn’t require it make its website accessible to people with visual impairments because websites and mobile apps generally didn’t exist in 1990 when the ADA was enacted. The plaintiff argued the ADA should apply, so long as the business contains physical locations in the US and is soliciting customers over the Internet. The District Court agreed with the plaintiff.

On appeal, the Ninth Circuit held that the ADA and California law applied to Domino’s websites and mobile apps, which were inaccessible by persons with visual disabilities. The Ninth Circuit then ordered the case to be sent back to the District Court for further rulings, but before that could happen, Dominos filed a petition for a Writ of Certiorari hearing with the United States Supreme Court, asking it to review whether its website is required to comply with ADA, or a comparable California state law.

To the disappointment of companies and the U.S. Chamber of Commerce, the Supreme Court recently decided not to review the Ninth Circuit decision. This means the Ninth Circuit court decision will stand, and the case will return to the District Court to determine whether and perhaps how Domino’s makes its website and mobile app accessible to all of its prospective customers.

The Supreme Court’s decision is difficult for companies, as there are no federal regulations or rules describing the steps they must take to comply. In 2017, the Justice Department withdrew its compliance guidance on this topic. Companies are typically left to negotiate a settlement regarding the applicable standards with the applicable plaintiff and court. Often that settlement requires compliance with the Web Content Accessibility Guidelines (WCAG), the international standards in digital accessibility for business websites that are set by the World Wide Web Consortium (W3C). Hopefully, the District Court in California can provide more guidance to companies to comply with the ADA and California law. Or perhaps, Domino’s will appeal again.

The case is known as Domino’s Pizza v. Guillermo Robles, No. 18-1539.

Department of Defense Subcontractors: Cybersecurity Compliance is Top Priority

The Office of the Under Secretary of Defense for Acquisition and Sustainment has been on a fast track mission to shore up the cybersecurity measures of defense contractors and the supply chain to the Department of Defense (DOD). It is in the process of developing a Cybersecurity Maturity Model Certification (CMMC) requirement for those vendors.

Many DOD vendors and subcontractors are small businesses, and could be left behind if they don’t focus on and invest in cybersecurity readiness.

It is the goal of the DOD to release CMMC Rev 1.0 in January 2020, and there have been public announcements that the DOD will be auditing existing contractors immediately to determine compliance with the requirements.

For those looking to get into the defense contractor industry, and who don’t already have a contract, it is anticipated that CMMC will be included in all Requests for Information starting in June of 2020, and in all Requests for Proposals in the fall of 2020.

In order to be certified, a company has to be accredited by a third-party company; no self-certification will be permitted. The CMMC model has 18 domains, and certification will be provided based upon the level requested, which is dependent on the work being performed for the DOD. The levels start with basic cyber hygiene and get more sophisticated from there. Certification of contractors will be dependent on the risk posed by the work being performed and the sensitivity of data shared and disclosed.

January is coming quickly, so DOD contractors should become familiar with CMMC and get ready to be audited. We are hearing that DOD is serious about getting audits started quickly and that they won’t have much tolerance if their contractors aren’t ready. This could have a huge impact on small contractors who are not prepared for the roll out of CMMC.

UPS Receives FAA Approval for Drone Deliveries

The Federal Aviation Administration (FAA) has granted UPS Flight Forward, Inc. (UPS) a Part 135 air carrier and operator certification for unmanned aircraft systems (UAS or drone) delivery. The certification was granted through the FAA’s UAS Integration Pilot Program and will allow UPS to perform revenue-generating package-delivery activities using drones. As a Part 135 operator, UPS will not have pre-set limits on the size or scope of its operations. Operationally, this allows UPS to fly an unlimited number of drones with an unlimited amount of remote operators in command, and also permits the drone and cargo to exceed the 55-pound limit set by the Small UAS Part 107 Rule. Additionally, UPS is permitted to operate beyond visual line of sight and at night without further authorization.

Moving forward, UPS has a long-term plan for:

  • Expansion of its drone delivery service to new hospitals and medical campuses;
  • Build-out of ground-based detect-and-avoid technology to enable safe drone operation and expansion of its delivery service;
  • Construction of a centralized operations control center;
  • Regular and frequent beyond-visual-line-of-sight operations; and,
  • Partnering with drone manufacturers to design and build new drones with different types of cargo capacities.

David Abney, CEO of UPS, said, “[UPS] will soon announce other steps to build out our [drone delivery service] infrastructure, expand services for healthcare customers and put drone to new uses in the future.”

Privacy Tip #211 – WhatsApp Users: Update Your App to Patch Vulnerability

WhatsApp has announced that it has patched a vulnerability that would have allowed hackers to access with malware the chat history of users. Android 8.1 and 9 could have been susceptible to the attack. However, WhatsApp is urging all users to update their app.

Although WhatsApp says it has patched the vulnerability and does not believe that it was exploited by attackers, it is urging users to update their apps so that the patch can be applied to thwart any exploitation.

WhatsApp users—heed the recommendation and go to the Apple App Store or Google Play Store and tap the WhatsApp update button so the patch can be applied as soon as it is issued.

URGENT/11 Cybersecurity Vulnerabilities Could Affect Medical Devices and Hospital Networks

On the heels of an FDA committee report concerning cybersecurity issues with medical devices [view related post] the U.S. Food and Drug Administration (FDA) issued an alert regarding cybersecurity vulnerabilities, referred to as “URGENT/11,” that could introduce risks for some medical devices and hospital networks.

According to the FDA’s October 1st notice, the URGENT/11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. It affects several operating systems that might impact certain medical devices connected to a communications network, such as wi-fi and public or home Internet, as well as other connected equipment such as routers, connected phones and critical infrastructure equipment. These cybersecurity vulnerabilities could allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws that could prevent a device from functioning properly, if at all.

At this time, although the FDA is unaware of any confirmed adverse events related to the URGENT/11 vulnerabilities, it notes that software to exploit the weaknesses is already publicly available. The FDA alert includes recommendations for manufacturers, health care providers, health care facility staff (including IT professionals), and patients to assess, communicate, and mitigate risks. Some medical device manufacturers are already actively determining which devices have operating systems affected by URGENT/11 and are identifying risk and remediation actions, including notification to health care providers and consumers as appropriate.

Devices found to be affected thus far include an imaging system, an infusion pump, and an anesthesia machine. However, the FDA expects that more medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software.

The FDA encourages patients and their health care providers to report suspected problems with medical devices through the MedWatch Voluntary Reporting Form. Further, the FDA is working closely with other federal agencies, manufacturers, and security researchers to identify, communicate and prevent adverse events related to the URGENT/11 vulnerabilities. More information on URGENT/11 can be found in a corresponding advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security.

Ransomware Attacks Double in 2019: Medical Providers Can’t Recover and Shut Down

Consistent with our experience, security firm McAfee has confirmed in a report that ransomware attacks have doubled in 2019. Medical providers have been hit hard this year, and one provider, Wood Ranch Medical, located in California, is permanently closing following a ransomware attack.

Wood Ranch was hit with a ransomware attack over the summer, and its electronic medical records (EMR) were encrypted. Wood Ranch did not pay the ransom, and then discovered that its back-up hard drives were also encrypted by the attackers. The damage was devastating, and because Wood Ranch was unable to recover its data, it is winding down and will cease operation on December 17, 2019.

This comes after Michigan Brookside ENT and Hearing Center was hit with a ransomware attack. The attackers requested payment of $6,500 to decrypt the provider’s system containing its patient records, which the provider refused to pay. In response, the hackers wiped the entire system, which forced Brookside to also shut its doors.

There is no indication that these attacks will not continue, and could force other medical providers to decide to shut their doors because they are unable to recover from an attack. These examples show how important it is to have a robust and tested back-up system for providers’ systems, including the EMR  (which is required by HIPAA), and an incident response program that can be implemented quickly to avoid the disastrous consequence of going out of business.