As if businesses did not already have enough to address with the COVID-19 pandemic and compliance with the California Consumer Privacy Act (the “CCPA”), businesses need to consider the California Privacy Rights Act (the “CPRA”), which will almost certainly be on the November ballot. Structured as an amendment to the CCPA and also known as
Chiara holds the certificate for CIPP/US for U.S. private-sector privacy from the International Association of Privacy Professionals (IAPP), the global standard in privacy certification.
When open source developers call us asking to confirm that they can use the trademark or name of an open source project for their newly forked project, they do not get the black and white answer “Yes” that they desire but rather the grey area lawyer response – “It depends on what you propose to…
As cities and states gradually open up, companies have begun to assess under what circumstances they can re-open the workplace – and in particular, what health-related personal information can and should be collected. When it comes to monitoring employees, generally speaking, privacy and employment law are increasingly overlapping as more stringent laws are adopted, and COVID-19 has brought this overlap to the forefront. Our employment team at Hopkins & Carley has provided a number of resources and webinars on the employment-related issues of COVID-19 and what can and cannot be done (available here). Here we will focus on the intertwined privacy implications of allowing individuals – employees and non-employees – back into offices and facilities, particularly with respect to the California Consumer Privacy Act (CCPA).
What are the CCPA’s notice requirements?…
Continue Reading Returning to Work: CCPA Considerations
While this post may not fit under the header of the “Privacy Hacker”, I wanted to step aside from privacy and security and share some insight on common issues and topics with which we are assisting clients during this unprecedented time.
Contract Interpretation and Updates
Clients are seeking our guidance on contract interpretation, including the ability to terminate contracts. With the supply chain disruptions that flow through the entire chain, force majeure clauses are now being closely scrutinized. Depending on the law that governs the contract, force majeure events may or may not excuse performance: factors hinge on whether the event causing the failure to perform was foreseeable and if performance is truly impossible (as opposed to much more difficult or expensive to perform). Notably, not being able to pay generally is not considered a breach that can be excused due to a force majeure event.
While some force majeure clauses are written broadly and refer to “events beyond the reasonable control” of a party to the contract, other clauses refer to an enumerated list of events. It is questionable how courts will interpret the broad clauses and whether or not a pandemic or quarantine will be read into the clause if there is only a broad catch-all statement. Again, this will depend on the law that governs the contract, a fact-specific analysis and of course how the language actually reads. Even when a contract lacks a force majeure clause, common law defenses to performance, such as impossibility, impracticability and frustration of purpose, should be considered. Without question, this is an intertwined, case-by-case analysis.…
Continue Reading A Spectrum of Issues in the Time of COVID-19
As businesses struggle to navigate the new reality created by Covid-19, there are a few things to keep in mind both in the short and long term, when it comes to privacy and security.
Security & WFH.
With employees working remotely, now more than ever organizations are at risk of cybersecurity incidents. Malicious players will seek to exploit increased vulnerabilities in this age of WFH, and with IT teams scrambling to ensure that all of their employees can connect remotely and remain productive, some of the most obvious risks should not be overlooked:
- A large number of organizations had not anticipated the need for laptops or other devices for ALL of their employees. As such, many workers across the country are now using their personal devices to perform their jobs, which may include handling proprietary and/or personal information. However, a number of these personal devices will not only lack some of the basic security tools and software (e.g., firewalls or antivirus software) and controls on what can be downloaded, but may also already contain some unsavory software or applications that increase the risk or malware distribution. In fact, some personnel may shortcut and use personal email accounts to transfer documents, which adds yet another level of risk, as further noted below. Add to this mix the exchange, transfer, and processing of proprietary and personal information, and this could lead to some very problematic unintended or unauthorized disclosures.
- To connect and get work done, workers need a WiFi network, and unfortunately, some employees may be using unsecured WiFi networks. This could potentially be a very big problem if employees are accessing information via an unsecured or vulnerable WiFi network – such as a neighbor’s unsecure network. Some of the many risks of using unsecured WiFi networks include eavesdropping – which enables malicious players to access and capture everything remote workers are doing online including login credentials, emails, and other or proprietary information – as well as exposure to malicious attacks. No doubt, it is important to ensure that employees are using secure WiFi networks coupled with company VPN’s to prevent any malicious scanning activity.
- Many organizations lack specific policies that specifically warn employees NOT to use personal email or messaging applications lacking encryption when they exchange the organization’s confidential information. Some of these policies, also commonly referred to as “BYOD” policies, are intended to inform workers of what they can and cannot do with their devices. Consider Bob sending a personal email to a friend and colleague that Mike in marketing tested positive for COVID-19 (i.e., sensitive health information) or an employee transferring customer lists with personal data via unencrypted messages. WFH devices aside, employees should also be reminded not to toss confidential documents in household garbage bins, to turn off smart devices that are voice-activated, and to take calls that involve confidential information in a “private area” of the home. Failing to clarify policies with personnel is very risky. Now would be a good time to remind employees of how they should minimize these risks.
Ensuring that your organization’s IT and legal teams are working closely together to develop policies and procedures will help identify and minimize these increasing cybersecurity risks.…
Continue Reading SHORT AND LONG TERM PRIVACY CONSIDERATIONS TO NAVIGATE OUR NEW REALITY
Gone are the days of thinking your business only needs to comply with certain privacy laws if it’s a “tech” company – or one that handles particularly sensitive information such as health information. Under the California Consumer Privacy Protection Act (“CCPA”), which went into effect on January 1, 2020, even brick and mortar companies must provide notices of their privacy practices at the point of collection, and this includes a number of retailers, wineries and restaurants (or restaurant groups).
Not so long ago, technology and the restaurant industry were worlds apart. If you wanted a reservation, you’d leave a voicemail that would be transcribed only to be deleted shortly thereafter. Loyalty cards were punch cards with no name attached. And if the wait for brunch was too long, you’d add your first name to a scrappy list that was discarded at the end of the day, or be handed a small buzzing device to let you know when your table was ready. Those “carefree” (or data-free) days have been replaced with a multitude of interconnected applications that all require the collection of personal information in some way – and importantly, that hang on to this information for longer periods. Restaurants and restaurant groups that collect the personal information of California residents and meet any one of the CCPA thresholds (i.e., over $25 million in annual revenue, collection of data on more than 50,000 consumers or 50% of revenue from sales) must comply with California’s stringent new law. Because the definition of personal information under CCPA is very broad and includes online identifiers, email addresses, and location data, as well as offline data (just to name a few), many successful restaurant groups are likely to fall within these thresholds and be subject to the CCPA.…
Continue Reading How CCPA Affects Brick & Mortar Industries: Restaurants
Continue Reading CCPA Is Here: What Does It Look Like So Far?
The California Consumer Privacy Act (CCPA) goes live in six weeks. While many companies have been working on mapping their data for some time, others are just getting started. Some of the issues left open by the language of the CCPA and the proposed regulations have yet to be resolved, but there is no question…
As part of our blog series, we share some of the most frequently asked questions that we receive from organizations across different industries regarding data privacy and security, and more specifically GDPR and CCPA. This is the second FAQ in our series.
Even though the California Consumer Privacy Act (“CCPA”) will be effective January 1, 2020, the time to plan for compliance is now. It may seem as though you have plenty of time to prepare but it is a mistake to not start preparing. Indeed with the twelve-month lookback provisions, companies must have proper records of personal information that they collected as of January 1, 2019.
There are many nuanced questions to consider that may not be apparent on a cursory read of the CCPA or the proposed Attorney General regulations. Some basic common questions arise when companies first hear about the CCPA, as follows.…
Continue Reading Privacy FAQ #2 – CCPA
Similar to the months before the GDPR went into effect at the end of May 2018, companies are now actively preparing for compliance with the California Consumer Privacy Act (CCPA). As California leads the pack of states in terms of privacy and technology laws, other states have followed suit, including Nevada.
Continue Reading From the Golden State to the Silver State – Privacy Law in Nevada