On May 20, 2019, an amendment to the Oregon Consumer Identity Theft Protection Act passed unanimously in the Oregon House and Senate, and Governor Kate Brown signed the bill into law on May 24, 2019. This amendment changed the title of the state’s data protection law to the “Oregon Consumer Information Protection Act.” It also expanded the scope of the law, updating the types of information considered “personal information” and mandating vendor notification of breaches.
The amendment expands the definition of “personal information” to include user names or other information used to access a consumer’s online account. Breaches of this information would require notification pursuant to the requirements of the act.
In addition, vendors are now directly regulated under the act. The amendment adds a definition of “covered entity”—a person owning, licensing, maintaining, storing, managing, collecting, processing, acquiring or otherwise possessing personal information in the course of its activities. Persons contracting with such covered entities to maintain, store, manage, process or otherwise access personal information in the course of services provided to or on behalf of a covered entity are deemed “vendors” under the act.
The amendment specifies that vendors who discover a data breach, or who have reason to believe that a breach occurred, must notify the applicable covered entity no later than ten (10) days following discovery. Subcontractor vendors must notify the vendor with which they contract. If a breach involved personal information of more than 250 consumers, or if the vendor cannot determine how many consumers are impacted by a breach, the vendor is required to notify the Oregon Attorney General (unless the applicable covered entity has already done so).
Health care organizations and vendors regulated under HIPAA are exempt from the requirements of the act if the breached information is subject to HIPAA and they comply with their obligations under HIPAA. However, they must notify the Oregon Attorney General if the breach impacts more than 250 consumers.
The amendment to the act takes effect on January 1, 2020.
The California Supreme Court has ruled that colleges and universities have a legal duty to protect their students from, or warn them of, foreseeable violence in the classroom or during “curricular activities.” Recognizing that courts traditionally have not found a “special relationship” between colleges and their adult students warranting the imposition of a duty to protect, the court distinguished cases involving alcohol-related injuries, off-campus behavior and social activities unrelated to school, in which colleges have little control over student behavior. But the court held that such a special relationship exists when students “are engaged in activities that are part of the school’s curriculum or closely related to its delivery of educational services.” In these settings, the court reasoned: “[s]tudents are comparatively vulnerable and dependent on their colleges for a safe environment. Colleges have a superior ability to provide that safety with respect to activities they sponsor or facilities they control. Moreover, this relationship is bounded by the student’s enrollment status. Colleges do not have a special relationship with the world at large, but only with their enrolled students. The population is limited, as is the relationship’s duration.”
As to foreseeability, the court stated the operative inquiry was “whether a reasonable university could foresee that its negligent failure to control a potentially violent student, or to warn students who were foreseeable targets of his ire, could result in harm to one of those students.” The court further stated, “[w]hether a university was, or should have been, on notice that a particular student posed a foreseeable risk of violence is a case-specific question, to be examined in light of all the surrounding circumstances.” In this regard, relevant considerations included: 1) prior threats or acts of violence by the student, particularly if targeted at an identifiable victim; 2) opinions of examining mental health professionals; and 3) observations of students, faculty, family members and others in the school community. The court noted that, in an appropriate case, a college’s duty to protect its students from foreseeable harm “may be fully discharged if adequate warnings are conveyed to the students at risk.”
The court rejected several public policy arguments that were advanced against imposition of a new duty to protect related to the mental health treatment of students. Opponents argued, for example, that colleges may now be discouraged from offering comprehensive mental health and crisis management services and, rather than become engaged in the treatment of their mentally ill students, may have an incentive to expel anyone who might pose even a remote threat to others. The court acknowledged that colleges would now be forced “to balance competing goals and make sometimes difficult decisions,” and that the duty might “give some schools a marginal incentive to suspend or expel students who display a potential for violence.” The court further allowed that its duty to protect “might make schools reluctant to admit certain students, or to offer mental health treatment.” But, pointing to laws such as the Americans with Disabilities Act (42 U.S.C. 12101 et seq.), the court said colleges were restricted in this area and suggested schools might “have options short of expelling or denying admission to deal with potentially violent students.” The court did not address federal privacy laws, which prevent the disclosure of students’ medical and mental health history, or how colleges could operate within the confines of those laws to “warn” students of potential threats.
The court also discounted the concern that legal recognition of a duty might deter students from seeking mental health treatment, or being candid with treatment providers, for fear that their confidences would be disclosed. The court pointed to the long-standing duty in California of psychotherapists to warn about patient threats, the initial fears the special duty would deter patients from seeking treatment and being open with therapists, and subsequent empirical studies that showed no evidence patients had been discouraged from going to therapy or discouraged from speaking freely once there.
The court was careful to clarify that the duty to protect it had articulated did not automatically create liability for a college and its holding was not to be interpreted “to create an impossible requirement that colleges prevent violence on their campuses.” The court stated: “[c]olleges are not the ultimate insurers of all student safety. We simply hold that they have a duty to act with reasonable care when aware of a foreseeable threat of violence in a curricular setting. Reasonable care will vary under the circumstances of each case. Moreover, some assaults may be unavoidable despite a college’s best efforts to prevent them. Courts and juries should be cautioned to avoid judging liability based on hindsight.”
A concurring justice wrote the majority opinion was “likely to create confusion” as it offered “no guidance as to which non-classroom activities qualify as either ‘curricular’ or ‘closely related to the delivery of educational services’ or what factors were relevant to that determination.”
The full opinion may be found here.
The decision by the Federal Communications Commission (FCC) to roll back the net neutrality rules it established during the Obama era has many critics. A flurry of executive orders, state legislation and legal posturing in recent weeks has signaled that many of the strongest proponents of net neutrality safeguards are governors, state legislators and attorneys general across the country. State actions to combat the FCC’s desire for a “light-touch” with respect to regulation of the internet will start taking effect in the coming months and promise to test the limits of state authority in the online world.
As we explained in a December blog post, when the FCC released its Restoring Internet Freedom Order on January 4, 2018, the agency repealed its own rules under the Open Internet Order of 2015 that prevented Internet service providers (ISPs) from blocking access to certain websites, limiting the speed of access to websites or charging more to deliver certain preferred content at higher speeds. Broadly speaking, these core aspects of “net neutrality” were intended to constrain commercial actors from prioritizing certain websites, content or users over others; critics, however, contend that a net neutrality regulatory regime inhibits market forces that otherwise promote competition and innovation. Tech giants tend to favor net neutrality, while ISPs do not, but recent polling suggests that a vast majority of the American public opposes the FCC’s repeal of net neutrality rules.
In response to this widespread dissatisfaction, state actors are stepping up to combat the FCC repeal. One potent line of attack has been the use of executive orders to quickly impose net neutrality requirements on certain ISPs with state contracts. Governor Steve Bullock of Montana was the first to issue an order last month, which will apply to new and renewed government contracts signed after July 1, and Governor Andrew Cuomo of New York followed shortly thereafter with an order that applies to new and renewed contracts signed after March 1. This week, New Jersey Governor Phil Murphy joined the effort and signed an executive order requiring all ISPs doing business in New Jersey to adhere to the principles of net neutrality and stating that New Jersey will only contract with ISPs who support a free and open internet. These executive orders are narrowly tailored to avoid federal preemption concerns, but they could prove effective since many large ISPs (such as AT&T, Verizon, Time Warner and Frontier) will be subject to the rules when serving customers in Montana and/or New York. Gov. Bullock also posted a template of his executive order online to make it as easy as possible for other governors to follow his lead.
State legislatures are also getting into the action. As of January 2018, at least 17 states have proposed net neutrality bills seeking to prohibit ISPs from blocking, throttling or degrading internet traffic; engaging in paid prioritization of certain websites; or unreasonably interfering with a user’s ability to access the internet. These bills are almost certain to invite legal challenges from the FCC on preemption grounds, and many commentators are concerned about a patchwork of state regulation becoming unworkable for ISPs trying to provide affordable internet service across many states. However, state lawmakers continue to press forward with a wide array of bills and Senate Democrats are trying to muster bipartisan support for federal legislation as well.
It is too soon to tell if states will have success in their efforts to enact net neutrality protections, or how state action may hold up if subjected to judicial review. Perhaps in a hedge, New York’s Attorney General Eric Schneiderman is leading a group of 21 states in filing a lawsuit to challenge the Restoring Internet Freedom Order directly. The future of net neutrality remains very much in the air, but keep an eye out for developments as this is sure to remain a hot topic for months to come.
Over 30 employment class actions claiming violations of the Illinois Biometric Information Privacy Act have been filed in Illinois courts in recent months. Our latest Employment Law Alert addresses important developments relating to the Act and may be viewed here.
Delaware has enacted significant amendments to its 2005 data breach notification law. The changes expand the types of breaches of personal information that trigger notification to victims and broaden protection for affected state residents. Any “person” that does business in the state and “owns, licenses, or maintains personal information” is covered, including virtually any business form, government entities, “or any other legal or commercial entity.” Covered entities are now required to implement and maintain reasonable procedures and practices to protect personal information that is collected or maintained in the regular course of business.
The new notification provisions oblige a company with sufficient evidence of a security breach involving personal information to determine the risk of harm to affected state residents. Personal notice to victims must take place within 60 days of the discovery of the breach unless the company reasonably determines that the breach of security is “unlikely to result in harm to the individuals whose personal information has been breached.” This notification window can be narrowed if a shorter period is required under federal law. Substitute notice, consisting of e-mail notification, notice on the company’s website and notice through major statewide media, is permitted if the cost of providing notice would exceed $75,000 or the number of affected state residents exceeds 100,000. Data breaches impacting more than 500 residents must be reported to the state’s attorney general. Delaware joins two other states (California and Connecticut) in mandating a year of free credit monitoring services for state residents whose Social Security numbers are compromised.
The definition of protected “personal information” has been broadened to include:
- medical history, treatment and diagnosis information;
- unique biometric data;
- health insurance policy numbers or unique identifiers;
- passport numbers;
- individual taxpayer identification numbers; and
- usernames or e-mail addresses together with passwords or security questions/answers that permit access to an online account.
Data breaches of encrypted personal information do not implicate the law’s mandates unless the breach is reasonably believed to include the encryption key rendering the personal information readable or usable.
Companies doing business in Delaware have until April 14, 2018, to meet the new requirements. Entities in industries already subject to stringent data breach law and regulations by their primary or functional state or federal regulators—including HIPAA or the Gramm-Leach-Bliley Act—are exempt, as long as existing procedures include data breach notice to Delaware residents.
The amendment to the Act can be found here.
Effective January 1, 2018, businesses owning or licensing personal information of Maryland residents will be subject to expanded reporting requirements for certain information breaches.
The Maryland Personal Information Protection Act (the “Act”) currently requires notification of breaches of information that include an individual’s first name or first initial and last name in connection with one or more of the following:
- Social Security number;
- driver’s license number;
- financial account number (including a credit or debit card number that, when combined with a security code or password, would permit access to an individual’s account); or
- taxpayer identification number.
The amended Act expands the definition of “personal information” to include the individual’s first name or first initial and last name in combination with one or more of the following:
- state identification card number;
- passport number or other federally issued identification number;
- health insurance policy information that, combined with a unique identifier, permits access to an individual’s health information;
- health information created by a hospital, clinician or other HIPAA-regulated entity, including medical history, treatment, diagnosis or medical condition;
- biometric data (including fingerprints, voice prints, retinal images or other unique biological characteristics that can be used to authenticate an individual’s identity); or
- username or e-mail address combined with a password or security question and answer.
If this information is encrypted, redacted or otherwise protected in a manner that renders the data unreadable or unusable, a security incident does not trigger a reportable breach under the Act.
Prior to this amendment, an entity was required to provide a breach notification as soon as reasonably practicable. The amendment to the Act now requires notification to individuals as soon as reasonably practicable, but not later than 45 days following the conclusion of the entity’s breach investigation. In contrast, entities that are regulated by HIPAA are permitted 60 days to report breaches of unsecured protected health information. The amendment to the Act specifies that HIPAA breach notification compliance equates to compliance with the Act; however, entities experiencing a breach triggering notification under both HIPAA and the Act should carefully analyze the applicable reporting timeframes, as one security incident may include both breaches of health information and identifiable non-health information outside of HIPAA but covered by the Act.
The amendment to the Act allows for the provision of electronic notice to an individual, subject to certain exceptions, if a breach is limited to information regarding an individual’s e-mail account. HIPAA-regulated entities should take care in such situations; HIPAA likely would require written notice of such a breach, as an e-mail address is an element of protected health information. The amendment to the Act can be found here.
The first half of the California 2017–2018 legislative session is drawing to a close, which means that the roster of privacy and data security bills likely to make it into law this year is becoming clearer. Any bill introduced this year had to be passed by its house of origin by June 20, and must then be passed by the other house no later than September 15, 2017, or the process is required to start over again next year. The following bills made it over the first hurdle and are awaiting action by the second house.
Broadband and consumer privacy: In March 2017, Congress reversed an Obama-era regulation that imposed limits on the right of internet service providers (ISPs) to gather, use and sell personal data they obtain in the course of providing ISP services. Since then, many state legislatures, including California’s, have rushed to fill the breach. AB 375 would prohibit ISPs from using, disclosing or selling customer personal information absent affirmative opt-in consent. The bill would not prohibit use and analysis of aggregate data, and contains the usual exceptions for law enforcement uses or subpoenas. AB 375 passed the Assembly on May 11 and is awaiting assignment to the appropriate Senate committee for further action.
Law enforcement surveillance: SB 21 would require law enforcement agencies to develop policies about how they use surveillance technology and disclose those policies in open meetings. It passed the Senate on May 21 and now is awaiting action in the Assembly.
State sharing of immigration data with the federal government: Two pending privacy bills are best understood as part of the California pushback against the Trump administration’s immigration policies. SB 31 would bar state agencies from providing federal authorities with information on religious affiliation obtained in the course of their administrative functions, while SB 244 would require that state agencies like the DMV, educational institutions and medical services providers use the personal information that they gather, especially information on immigration status, only for their normal regulatory or administrative purposes and not share such information with the federal government. SB 31 passed the Senate on April 3 and SB 244 on June 1, 2017. Both are now awaiting action in the Assembly.
Naked people: Existing law makes it a misdemeanor to use a concealed device to make a video recording of a naked person or someone in a state of “partial undress,” or to record images “through or under” clothing. SB 784 would allow imposition of a $1,000 fine on top of existing penalties for a violation of that provision, and would include the cost incurred by the victim in removing such images from the internet when calculating the amount of restitution due to the victim. The bill passed the Senate on June 1, 2017, and is awaiting action in the Assembly.
Internet of Things: Finally, one bill that did not make it over the hurdle this year is SB 327, which would have regulated the collection of personal data by devices in the “Internet of Things.” The so-called “teddy bears and toasters” act would have required consumer devices that can both collect personal data and connect to the internet to carry point-of-sale warnings as well as a real-time disclosure whenever the device is transmitting personal data. The bill has been withdrawn from further consideration in 2017 but is likely to be brought up for reconsideration in the second half of the current session, in 2018.
The state of Oregon is the latest to join the nationwide movement to prohibit employers from asking applicants about their prior salary history, as part of its legislative efforts to eliminate pay disparity. Although existing law already prohibited pay disparity between “the sexes,” on June 1, 2017, Governor Kate Brown signed into law House Bill 2005, otherwise known as the Oregon Equal Pay Act of 2017 (“the Act”). The Act significantly expands the scope of pay disparity protections afforded to applicants and employees under Oregon law. The final version of the Act passed both the Oregon Senate and House unanimously, garnering tremendous bipartisan support.
The Act outlaws discrimination “between employees on the basis of a protected class in the payment of wages or other compensation for work of comparable character.” This extends the protections of the Act to employees regardless of their race, color, religion, sex, sexual orientation, national origin, marital status, veteran status, disability or age.
Importantly, the Act prohibits employers from seeking the salary history of an applicant or employee from the employee or his or her current or former employer. An employer is, however, permitted to request from a prospective employee an authorization to confirm prior compensation after making an offer of employment that includes an amount of compensation. The law also prohibits employers from screening job applicants based on current or past compensation or determining compensation for a position based upon an applicant’s current or past compensation. This is not, however, intended to prevent an employer from considering the compensation of a current employee during a transfer, move or hire of the employee to a new position within the same employer.
Further, the Act permits employers to pay employees different compensation for comparable work if the difference in compensation is due to a bona fide factor related to the position and is based on (1) a seniority system, (2) a merit system, (3) a system measuring earnings by quantity or quality of production, (4) workplace location, (5) travel (if necessary), (6) education, (7) training or (8) experience.
Employers who violate the Act may be subject to complaints made by applicants or employees to the Oregon Bureau of Labor and Industries or private civil lawsuits. The Act, however, provides a number of employer defenses, including conducting an “equal pay analysis” of the employer’s pay practices that can be utilized to limit exposure.
Most of the provisions included in the Act will become effective between the fall of 2017 and January 1, 2019. Employers covered by the Act should review their applications and hiring practices now and reach out to local employment counsel to ensure timely compliance with the Act.
On May 16, 2017, Washington Governor Jay Inslee signed into law House Bill 1493, regulating the collection, retention and use of biometric identifiers. Washington joins Illinois and Texas as states with enacted biometric privacy laws. As technology allows for more diverse ways to confirm a person’s identity, more states are likely to enact similar measures; comparable legislation is pending in Alaska, Connecticut, Massachusetts and New Hampshire.
The Washington law defines a “biometric identifier” to encompass “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas or irises or other unique biological patterns or characteristics that are used to identify a specific individual.” A person may not “enroll” a biometric identifier in a database for a commercial purpose without providing notice, obtaining consent or providing a mechanism to prevent subsequent use. The term “enroll” is defined as “to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image and store it in a database that matches the biometric identifier to a specific individual.”
A biometric identifier enrolled for a commercial purpose may not be used or disclosed in a way inconsistent with the original terms under which it was provided unless a new consent is obtained. The form of required notice and consent is “context-dependent” and must be given “through a procedure reasonably designed to be readily available to affected individuals.”
The sale, lease or disclosure of a biometric identifier for a commercial purpose, without the individual’s consent, is prohibited unless it is: consistent with the database enrollment, protection and retention requirements; necessary in providing a product or service; necessary in completing a financial transaction authorized by the individual; expressly required under federal or state law; or in compliance with a court order. Any person in possession of biometric identifiers enrolled for a commercial purpose must protect against unauthorized access and ensure their retention only for a reasonably necessary period. The limitations on disclosure and retention do not apply if the biometric identifiers have been unenrolled.
Perhaps in response to the class action lawsuits that have been filed under Illinois’ Biometric Information Privacy Act, the Washington law does not allow for a private right of action. Instead, the Washington law may be enforced solely by the attorney general under the state’s consumer protection act.
We will continue to monitor and report on legislative developments in this evolving area of privacy law, particularly as biometric data is shared more frequently in daily personal and professional endeavors.
On March 15, the New Mexico Legislature passed the “Data Breach Notification Act,” which has been transmitted to Governor Susana Martinez. If enacted, New Mexico will become the forty-eighth state with a data notification law, leaving only South Dakota and Alabama without such laws.
The Act requires individuals to be notified should their personal information be involved in a security breach, and also provides that consumer reporting agencies, the attorney general’s office and card processors must be notified in certain circumstances. The timeframe for individual notice is “in the most expedient time possible,” but no later than 45 calendar days after discovery of the security breach, unless delayed reporting is appropriate because of a law enforcement investigation or is necessary to determine the scope of the breach. The Act defines a “security breach” as the unauthorized acquisition of computerized data that compromises the security or integrity of personal identifying information.
A person who owns or licenses personally identifying information must “implement and maintain reasonable security procedures and practices appropriate for the nature of the information.” The Act requires the “proper disposal” of records containing personal identifying information of a New Mexico resident when such records are no longer reasonably needed for business purposes. Proper disposal means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.
The Act does not address medical information or health insurance data. The legislation also specifies that it “shall not apply to a person subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.”
“Personal identifying information” includes an individual’s first name or first initial and last name in combination with one or more of the following:
• Social Security number
• Driver’s license number
• Government-issued identification number
• Account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account
• Unique biometric data, including the person’s fingerprint, voiceprint or retina or iris image.
The definitional inclusion of biometric data is especially significant, as states are recognizing the growing prevalence of biometric identifiers in transactions.
While affording no individual private cause of action, the Act authorizes the attorney general to bring an action on behalf of affected individuals. Businesses or organizations violating the Act may face a civil penalty up to $25,000 or, in the case of failed notification, $10 per instance of failed notification, up to a maximum of $150,000.