CCPA Final Proposed Regulations Filed

The California Attorney General submitted the final proposed California Consumer Privacy Act (CCPA) regulations on June 1, 2020 to the California Office of Administrative Law (OAL) for review. According to the Attorney General’s submission, OAL has thirty working days, plus an additional sixty calendar days under the Governor’s Executive Order N-40-20 related to the pandemic, to review the regulations for procedural compliance under the Administrative Procedure Act. These are the last steps in the process of finalizing the CCPA regulations by the July 1, 2020 effective date. The entire list of documents submitted to OAL can be found here.

The Attorney General, in a statement filed with the regulations, requested expedited review of the regulations, despite the additional time provided by the Executive Order. The statement cited the CCPA’s July 1, 2020 statutory deadline to finalize the regulations and described the lengthy and extensive rulemaking process undertaken by the Attorney General’s Office. The statement requested that the OAL complete its review of the regulations within thirty business days so that enforcement can begin on July 1. The statement also said that once the final regulations are adopted, the Attorney General will begin enforcement of the regulations and will provide guidance to businesses for how to comply.

We will be reviewing the regulations in detail over the next several days so stay tuned for a more detailed analysis of the final regulations. We will also be looking forward to guidance from the Attorney General to businesses regarding compliance with the law and regulations.

Capital One Required to Produce Forensic Report in Class Action

As a litigator, when responding to any security incident, I give thoughtful consideration to the possibility that the security incident may wind up in litigation, and therefore certain decisions are made in anticipation of that litigation. Without getting into the details of the attorney-client privilege, the work product doctrine, and the “in anticipation of litigation” standard, suffice it to say that these doctrines are long-established so that certain information and documents are privileged and non-discoverable in litigation if the facts and circumstances warrant protection under them.

One consideration during a security incident is whether a forensic analysis is warranted. If so, the usual course is for the attorney handling the security incident to hire the forensic firm so that the forensic firm is providing services to the attorney and the results may be protected under a legal privilege doctrine. This has been upheld by one court following the Experian data breach.

This week, a different court ordered Capital One to hand over the forensic report completed after its 2018 data breach to the plaintiffs in a class action litigation brought against it as a result of the data breach. The court distinguished the Experian case and reached the opposite conclusion because Capital One already had on retainer the forensic firm that conducted the forensic analysis, and the firm was not hired by the attorney handling the security incident for that specific security incident.

This conclusion is monumental because many companies have a data security and/or forensic firm pre-engaged in the event of a security incident, so that no valuable time is wasted trying to find a firm after appropriate due diligence and the negotiation of a contract, and instead the firm can jump right in to assist with mitigation. Many cyber-liability insurance companies and counsel advise companies to pre-negotiate contracts with vendors in the event of a security incident in order to be able to start the analysis immediately without expending valuable time in an urgent situation.

The court’s decision brings into question the best path forward following a security incident, and whether companies should consider using outside counsel to hire the forensic firm to complete mitigation and analysis following a security incident to preserve applicable privileges. Most outside counsel practicing in this area have existing relationships with different vendors and have pre-negotiated contracts in place to save valuable time in such instances. Since different judges come to different conclusions, consulting with outside counsel regarding the different decisions in the Experian and Capital One cases is warranted.

Have Questions About CMMC? Don’t We All

I had the pleasure of participating as a panelist this week for companies primarily involved in the maritime industry, and one of the topics discussed was the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification Program (CMMC). The discussion generated questions that I thought merited sharing.

Simply put, the DOD’s CMMC Program was designed to provide cybersecurity guidelines and certification for government contractors to achieve in order to bid on Requests for Proposals for government contracts. The purpose is to make sure that all contractors that have access to sensitive classified and non-classified information have a cybersecurity program in place to protect the data the contractor receives from DOD.

There are five levels of certification under CMMC. The idea is that DOD will designate and allow Assessment Organizations to assess the data security program of the defense contractor to determine whether it can be certified in one of the five levels. Once a contractor has been certified, it can bid on an RFP. The level of CMMC certification required will be published in the RFP, and contractors that have not reached that level of certification will not be permitted to bid on the contract. Obviously, for DOD government contractors, this is a huge compliance deal.

The problem is that it is estimated that 350,000 firms will need to be assessed for CMMC certification, and the Accreditation Body has not determined how the Assessment Organizations will be accredited, nor have any of the assessors been trained.

In the meantime, there is a lot of angst in the defense contractor community about how the CMMC is getting rolled out: the process by which the Assessment Organizations are going to assess contractors, whether the assessments will be consistent across contractors, how a dispute about an assessment will be resolved, and the fact that DOD will not be determining the requirements—the assessors will be. Doesn’t this breed inconsistency and litigation? Perhaps. Another concern is that there are vendors marketing their services saying that if a defense contractor hires them, they will “guarantee” certification. It reminds me of companies that tout that they are “HIPAA certified,” giving health care entities the impression that there is such a thing as HIPAA certification, which does not exist.

The sense from the panel was that the CMMC requirements are here to stay, and if you are a government contractor, reviewing the requirements and preparing for them now is better than waiting until all the guidance and nuances are determined. The basic requirements are not new in the cybersecurity readiness arena, but keep in mind that the program may need some flexibility to respond to guidance as it is issued and more information about the assessment process is determined.

One thing was clear: be very wary of any vendor that pitches any type of guarantee of CMMC certification.

Toyota’s ‘Woven City’ for Developing Autonomy, Robotics and AI

Toyota plans to build a prototype ‘city’ of the future called Woven City, which is meant to be a ‘living laboratory’ that will serve as a home to full-time residents who will test and develop various technologies, including autonomy, robotics and artificial intelligence in a real-world environment. The city will be powered by hydrogen fuel cells and will sit on a 175-acre site at the base of Mount Fuji in Japan.

Toyota will issue an open invitation to other commercial and academic partners interested in collaborating as well as scientists and researchers from around the world to work on their own projects in this real-world incubator.

To help test autonomous vehicles, part of this city plan is to designate three different types of street usage: one for faster vehicles only; another for a mix of lower speed, personal mobility and pedestrians; and a third for park-like promenades for pedestrians only. Of course, the homes will also be set up with in-home robotics to help with daily living, and sensor-based artificial intelligence (AI) to check the health of occupants and take care of basic needs.

The plan is for the city to serve as residence for 2,000 people, with more being added as the project progresses.

Privacy Tip #240 – Update iPhone OS as Soon as Possible for Jailbreak Zero-Day Vulnerability

We have urged readers in the past to pay attention to the push notifications received from mobile phone manufacturers to update operating systems. Although the notifications highlight new features, the updates also include patches to plug known vulnerabilities. If you keep pressing “later,” and you don’t update as soon as possible, those vulnerabilities continue to subject you to risk until they are patched.

This week, it was reported by ZDNet that hackers have successfully exploited a zero-day vulnerability in iOS, for which Apple has indicated it will release a patch in the next few days. A zero-day vulnerability is one that can be exploited before the manufacturer has released a patch. The last time an iOS zero-day vulnerability was successfully released was in 2014. In the past, Apple has been able to release a patch for known vulnerabilities within one day.

The zero-day vulnerability, released in version 5.0.0 of the unc0ver jailbreak package, gives users access to and full control over the device, even if they are running the most recent iOS, v. 13.5.

It is always important to update your iOS (or any other Operating System) as soon as the manufacturer sends you notification, but in this case, it is especially important for iPhone users to update the iOS when notified by Apple because of this known vulnerability. Once you receive the notification, plug in your phone and run the patch. Don’t be tempted to hit “later.”

Balancing New Technology and Privacy When Using Drones in Land Use and Construction

The mixture of sheltering-in-place, warm weather, and increasing drone usage creates a combustible situation – literally. Drone shootings are on the rise as property owners seek to combat perceived trespass, nuisance and invasions of privacy.

These were some of the legal issues discussed during a webinar presented by the American Bar Association’s Section on Real Property Trusts and Estates (ABA RPTE) at its 32nd Annual Conference (held virtually for the first time) on May 15, 2020. The webinar focused on the legal landscape and issues to consider in counseling real estate and construction businesses on the commercial use of small unmanned aerial systems (sUAS). The panel included attorneys as well as an engineer, who presented drone video footage and computer graphics used to collect data more efficiently during land use evaluation, mid-construction and post-construction.

Texas Court System Hit with Ransomware

The Office of Court Administration in Texas (OCA) confirmed late last week that it is the victim of a ransomware attack. The OCA stated that it would not pay the ransom. “OCA was able to catch the ransomware and limit its impact, and will not pay any ransom…Work continues to bring all judicial resources and entities back online.”

According to the OCA, court filings and research were still available online through cloud services, including eFileTexas and reSearchTX, but websites and servers in its branch network were disabled and not available.

The OCA confirmed that no personal information was compromised. The OCA stated on its temporary website that additional training will be provided to employees following the successful attack.

Hackers Spoofing Zoom to Obtain Credentials and Passwords

After incidents of Zoom “bombing,” including a recent intrusion by hackers to disrupt a church service with foul content (don’t these guys have better things to do?), it has been reported that hackers are now taking advantage of the surge in the use of Zoom for videoconferencing to spoof Zoom invites to try to obtain users’ credentials.

First, when using any videoconferencing platform, you may wish to consider requiring that a password be used to get into the conference in order to reduce the risk of Zoom bombing.

Second, when receiving a videoconference invitation, treat it like any other email you receive: as a potential phishing scam. Check who sent it to you, that it is someone you know and trust, and that the email address is correct, and don’t click on the invitation unless you are expecting it. Further, no videoconference invitation is going to request your user name and password, so just as you would not give your user name and password to a random email phishing for information, the same is true when accepting Zoom or other videoconferencing platform invitations.

Finally, when logging in to a videoconference, check that you are logging in to the actual site, and not a fake link that has been sent by a hacker.

Hackers are creative and up to speed on the technology businesses are using, particularly during the pandemic. Be aware that they are going to use all their creativity in new ways to try to spoof and scam you. Educate your employees on the newest tricks and encourage their continued vigilance to avoid becoming a victim of old tricks using new technology.

Privacy Tip #239 – Hackers Know How to Embarrass You

There have been numerous examples of how hackers can get hold of sensitive and deeply personal information and use it against individuals to embarrass and extort them into sending money or compromising pictures to the hackers to prevent the information from being posted on the web.

These examples include cyberbullying, online love scams, blackmail through the compromise of sexually explicit content or photographs, or pretending to be someone the user trusts. Once hackers get this sensitive personal content, knowing that people don’t want their family or friends to find out about it, they hit the user with a ransom demand. This has been going on for a very long time.

As hackers continue to find new ways to use old scams that have been successful, a recently reported example of hackers trying to use sensitive data against users is the Maze group, which hit two plastic surgery groups with ransomware, one in Seattle and the other in Nashville. Maze threatened to publish before-and-after pictures of patients who have undergone plastic surgery if the plastic surgery groups didn’t pay the ransom.

Apparently neither plastic surgery group paid the ransom, and Maze has now posted the data, including the before-and-after pictures of patients, which researchers have said are identifiable.

Hackers will continue to find ways to embarrass or trick users into paying a ransom. They will victimize both individuals and companies that may have information or pictures that could be embarrassing or are deeply personal, in order to coerce a payment so the information is not disseminated.

Think about what you are doing online with your own personal information or pictures, and consider how you would feel if the information or photos on your phone or in your personal email were widely disseminated online. Then consider changing your behavior or deleting the material that you would be concerned about if it got into the hands of others.

OCR Issues Guidance About Media Access to Health Care Facilities

These days, news stations are frequently running stories concerning people being treated for COVID-19, the providers working tirelessly to care for them, and politicians visiting health care facilities for a first-hand look at the crisis. In response to the media interest, the Office for Civil Rights (OCR) issued guidance on May 5, 2020 to healthcare providers answering the question “Does the COVID-19 Public Health Emergency alter the HIPAA Privacy Rule’s restrictions on disclosures of protected health information to the media?” The guidance reminds them “that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities” in which patient health information may be accessible without the patients’ authorization. This includes any areas of the facility where patients’ protected health information (PHI) may be accessible in any form (e.g., written, electronic, oral, or other visual or audio form).

During the coronavirus pandemic, film crews and media representatives have parked themselves outside of hospitals and health care facilities and have shown patients being wheeled into hospitals from ambulances to dramatize the strain on the healthcare system and the number of people affected by the coronavirus. In addition, news reporting and special features have been produced to get an inside look into the pandemic from health care providers’ perspectives.

Health care providers often transport patients with large sheets covering the patients on stretchers so their identity cannot be disclosed, or show a patient on a respirator or in a bed without showing the patient’s face.

The guidance addresses the question “May HIPAA-covered health care providers allow media or film crews to film patients in their facilities where patients’ protected health information will be accessible without the patients’ authorization if the patients’ faces are blurred or their identities are otherwise masked in the video?”

The answer in the guidance is just plain “No.” It reminds healthcare providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ PHI will be accessible without the patients’ prior authorization. As the guidance points out, patients are typically surrounded by PHI, including such things as their name or medical record number on room doors or identifying bracelets, notes about care written on bulletin boards, and real-time displays of heart or lung function. In addition, a patient’s presence in an area of a facility dedicated to treatment of a specific disease or condition (such as COVID-19) reveals that patient’s diagnosis.

With specific regard to the current COVID-19 public health emergency, the guidance explains that healthcare providers must obtain patients’ consent before the media can be given access to patients’ PHI. Masking or obscuring the patient’s face is insufficient, particularly if the blurring is done after the fact. “Prior, express authorization from the patient is always required.”

The OCR further stated that hospitals “may not allow media personnel access to the emergency department where patients are receiving treatment for COVID-19, without first obtaining each patient’s authorization for such filming.”

According to the guidance, the only time the media or film crew can access any part of the facility where patients’ PHI may be accessible is if “every patient who is or will be in the area, or whose PHI otherwise may be accessible to the media, has first signed a valid HIPAA authorization…. Even then, covered health care providers must ensure that reasonable safeguards are in place to protect against unauthorized disclosures of PHI.”

The guidance describes reasonable safeguards that should be used to protect patient privacy whenever the media is granted access to facilities. Such safeguards can include installing computer monitor privacy screens to prevent the film crew from viewing PHI on computers, and use of opaque barriers to block access to the PHI of patients who did not sign an authorization.