By the Data Security & Privacy Team

Introduced by Senator Brian Schatz (D-HI), the ranking member of the Communications, Technology, Innovation, and the Internet Subcommittee of the United States Senate, the Data Care Act of 2018 (the “Act”) seeks to enact Federal privacy legislation that would incentivize “online service providers” to protect certain types of personal data or risk civil penalties brought by both Federal and State agencies.[1]

Introduced in the Senate on December 12, 2018, the Bill is designed to “establish duties for online service providers with respect to end user data that such providers collect and use.” The Bill defines an “online service provider” as any entity that is both “engaged in interstate commerce over the internet…” and “in the course of its business, collects individual identifying data about end users…” The term “end user” is further defined as any “individual who engages with the online service provider or logs into or uses services provided by the online service provider over the internet or any other digital network.” In other words, anyone who logs into any online network is now an “end user,” and almost any entity that affords the opportunity to log into a network becomes an “online service provider” that is now tasked, under threat of concurrent state and federal criminal penalties, with protecting certain types of data.[2]

The following types of information are protected from disclosure under the Act and referred to as “sensitive data”:

  • Social security numbers;
  • First and last names or first initial and last name accompanied by the following:
    • The individual’s year of birth;
    • Mother’s maiden name; or
    • Individual’s geolocation.
  • Biometric data (example: thumb print);
  • User name and password or email address and password;
  • Financial account numbers (example: credit or debit card number);
  • Personal information of minor children (as defined in section 1302 of the Children’s Online Privacy Protection Act of 1998);
  • Driver’s license number, military identification number, passport number or any number issued on a similar item of government identification;
  • Information relating to an individual’s mental or physical health; and
  • Nonpublic communications or user-created content by an individual. [3]

The Act imposes not only a duty of care to “reasonably secure individual identifying information from unauthorized access,” but also a duty of “loyalty” that “will prevent the reasonably foreseeable material from physical or financial harm to the end user.” A third duty, of confidentiality, further prohibits the “online service provider” from selling or disclosing any information that it keeps on its “end users” and requires it to take reasonable steps to ensure a “duty of care” by the entities to which it discloses or sells information.[4] In this way, the Act looks to “online service providers” to police each other. In the event of a breach, the online service provider must inform the Federal Trade Commission in accordance with 5 U.S.C. § 553.

Consistent with the growing pressure on businesses to institute cybersecurity measures, the Act codifies the ability of multiple states and multiple state agencies to bring civil actions against offenders. Specifically, the Act permits state Attorneys General, as well as any other state consumer protection agency, to bring civil actions against any offender, with little limiting language. Accordingly, an online retail distributor qualifying as an “online service provider” could face civil and criminal penalties from all 50 states, as well as simultaneous penalties from the Federal Government for the same offense.

If passed, the Act will go into effect within 180 days of its enactment. With a Federal Government shutdown currently in place and no anticipated reopening date, it is unknown when the Act will be signed into law. However, the political blogs do not anticipate substantial opposition to the Act if it is addressed this year.[5] Therefore, the Act (along with six similar privacy-specific proposals) is essentially giving a six-month warning to businesses with an online presence that their failure to stringently protect their customers and adhere to a “duty of loyalty” toward them could very well result in federal charges and penalties, as well as lawsuits in multiple (if not all 50) states.

*****************************************************

[1] https://www.congress.gov/bill/115th-congress/senate-bill/3744

[2] https://www.congress.gov/bill/115th-congress/senate-bill/3744

[3] https://www.congress.gov/bill/115th-congress/senate-bill/3744

[4] https://www.congress.gov/bill/115th-congress/senate-bill/3744

[5] https://www.fastcompany.com/90288030/inside-the-upcoming-fight-over-a-new-federal-privacy-law

By the Data Security & Privacy Team

Adding publicity to the recent string of security breaches, Gemalto’s Breach Level Index, released on October 9, 2018, reports that in the first half of 2018 approximately 291 records were stolen or exposed every second.[1] Gemalto estimates that 945 data breaches compromised 4.5 billion data records worldwide, an increase of approximately 133% over the previous year. These breaches spanned a range of industries, with health care accounting for 27% of incidents and the financial sector following with an estimated 14%. Of all the data and records stolen, an estimated 1% was encrypted, and only 9% of the breaches were the result of accidental loss.

This information is more than a public service announcement. Both threatened and actual data security breaches pose a significant legal threat to businesses of all types, large and small, global and local. Accordingly, many forward-thinking organizations are strengthening their security systems and updating their policies to mitigate potential legal claims arising from security breaches.

While the question of whether the fear of identity theft following a data breach is sufficient to confer standing for a class action remains largely undecided in the United States, the United Kingdom’s High Court has already answered it in the affirmative. More than 5,000 current and former employees of Morrison’s, an online supermarket, are suing the company in a class action for damages related to a data leak that exposed them to potential identity theft and financial losses. In 2014, a former Morrison’s employee posted the names, addresses, bank account details and salaries of 100,000 co-workers online and sent them to a newspaper.[2] While Morrison’s spent more than 2 million pounds to mitigate and remedy the breach, the question of the monetary damages it may owe the affected employees remains outstanding.

The Morrison’s matter was the first data leak class action in the United Kingdom.[3] In 2017, the High Court ruled that Morrison’s was vicariously liable for the criminal data breach committed by its former employee and allowed those affected to claim compensation for distress. Morrison’s is presently appealing this ruling.[4]

No similar legal battle has yet played out so openly in the United States, as Target’s 2017 data breach resulted in a multimillion-dollar settlement with the affected customers. However, with the ongoing and ever-increasing number of cyber threats and attacks on both private and public organizations, victims of data breaches are expected to become the next wave of class action plaintiffs.

____________________________________________

[1] https://www.gemalto.com/press/Pages/Data-Breaches-Compromised-4-5-Billion-Records-in-First-Half-of-2018.aspx

[2] https://www.bbc.com/news/uk-england-42193502

[3] https://www.theregister.co.uk/2018/10/09/morrisons_data_breach_appeal/

[4] https://www.bbc.com/news/uk-45793598

By the Data Security & Privacy Team

On September 27, 2018, Gov. John Bel Edwards declared October Cybersecurity Awareness Month in the State of Louisiana, signing a Proclamation in front of members of the Louisiana Cybersecurity Commission. By signing the Proclamation, Gov. Edwards simultaneously kicked off a Cybersecurity Awareness Campaign promulgated by the Louisiana Cybersecurity Commission. The goal of the Commission, the Proclamation, and the Cybersecurity Awareness Month Campaign is to enhance and improve Louisiana’s cybersecurity ecosystem. At the signing, Gov. Edwards stated that “There is no doubt that Louisiana is a leader in cybersecurity,” and emphasized that “No state has more protections for its citizens and its businesses than Louisiana.” In his remarks following the signing, he also referenced upcoming proposed legislation concerning cybersecurity protections for Louisiana citizens and businesses. The Proclamation signing and the formation of the Louisiana Cybersecurity Commission follow Louisiana’s recently updated data breach notification laws, which went into effect earlier this year. Copies of both the Proclamation and the Cybersecurity Awareness Campaign Model can be found on the Louisiana Cybersecurity Commission’s website.

Kean Miller attorneys will continue to update their clients on relevant cybersecurity news and on changes in applicable legislation and regulations. If you have any questions concerning these developments, please contact Sarah Anderson or Jessica Engler at Kean Miller.