Last week, the Federal Trade Commission (the “FTC”) released a final rule amending the Standards for Safeguarding Customer Information (commonly referred to as the “Safeguards Rule”) promulgated under the Gramm-Leach-Bliley Act (“GLBA”). The final Safeguards Rule, approved by the FTC Commissioners along party lines, will require financial institutions to make significant changes in their information security programs. The FTC issued a Notice of Proposed Rulemaking proposing these changes in 2019.

The FTC has enforcement authority under the Safeguards Rule over financial institutions that are not banks, credit unions, insurance carriers, or SEC-registered investment advisers and investment companies.  Such financial institutions include non-bank lenders, check-cashing businesses, mortgage brokers, personal property or real estate appraisers, professional tax preparers and credit reporting agencies.

Under the current Safeguards Rule, these financial institutions are required to develop, implement, and maintain a reasonably designed, comprehensive, written information security program with appropriate administrative, technical, and physical safeguards relating to customer information. The final Safeguards Rule represents a significant shift towards more prescriptive requirements for information security, something towards which the FTC has been working for years.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The final Safeguards Rule amends the current rule in five primary ways:

  • By including more detailed requirements for the development and establishment of an information security program. The current rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address identified risks.  The final Safeguards Rule requires that such risk assessment be written and that such safeguards address:
    • access controls;
    • data inventory and classification;
    • encryption;
    • secure development practices;
    • authentication;
    • information disposal procedures;
    • change management;
    • testing; and
    • incident response.
  • Although financial institutions must comply with more specific requirements than under the current Safeguards Rule, they retain the flexibility to design an information security program that is appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of any customer information they possess.
  • By requiring the designation of a single individual responsible for implementing and overseeing the financial institution’s information security program (referred to as a “Qualified Individual”) and requiring periodic reports to boards of directors or other governing bodies by such Qualified Individual that will provide senior management with awareness of their financial institutions’ information security programs.
  • By exempting financial institutions that maintain information on fewer than 5,000 consumers from the requirements to perform a written risk assessment, conduct continuous monitoring or annual penetration testing and biannual vulnerability assessments, prepare a written incident response plan, and prepare annual written reports for boards of directors or other governing bodies.
  • By expanding the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The final Safeguards Rule now applies to “finders,” i.e., companies that bring together buyers and sellers of a product or service. Because the Safeguards Rule applies only to relationships and transactions that are “for personal, family, or household purposes,” finding services involving consumer transactions for customers (i.e., consumers with whom a financial institution has an ongoing relationship) will now be covered by the Safeguards Rule. This change will also bring the Safeguards Rule into harmony with other federal agencies’ safeguards rules, which include activities incidental to financial activities in their definition of financial institution.
  • By including several definitions and related examples, including of “financial institution,” in the Safeguards Rule itself rather than incorporating them by reference from the Privacy of Consumer Financial Information Rule promulgated under the GLBA (commonly referred to as the “Privacy Rule”). This will make the Safeguards Rule more self-contained and will allow readers to understand its requirements without having to reference the Privacy Rule.

Certain provisions of the final Safeguards Rule, including those relating to implementing safeguards, undertaking a written risk assessment, appointing a Qualified Individual, and conducting continuous monitoring or annual penetration testing, are effective one year after the date of publication of the final rule in the Federal Register; the remainder of the provisions are effective 30 days following publication.

In addition to the amendments to the Safeguards Rule described above, the FTC is also seeking comment on whether to amend the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the FTC. The proposed amendment would require financial institutions to report a data breach affecting or reasonably likely to affect at least 1,000 consumers.  This notice must be provided via a webform on the FTC’s website within 30 days of discovery of the breach and must include certain specified disclosures. The FTC announced that it would soon publish a supplemental Notice of Proposed Rulemaking, after which the public will have 60 days to submit comments.

Shortly after Senator Bradley introduced Florida SB 1864, Representative Fiona McFarland (R-Dist. 72) introduced its House counterpart, Florida House Bill 9, on January 12, 2022.  While SB 1864 stalled in the Senate, Florida HB 9 passed the House on March 2 and was sent to the Senate on that date, where it has not advanced since.  Given that the legislative session ends this Friday, March 11, and the lack of obvious movement in the Senate, some have speculated recently that HB 9 may not make it to the finish line in time, raising the prospect of a special session later this year.  Notably, Florida Governor DeSantis has previously voiced his support of a comprehensive privacy bill, leading some to believe that Florida might finally pass a comprehensive privacy bill after almost passing one last year.  However, Gov. DeSantis did not specifically voice support for HB 9, and the presence of a private right of action in the bill, much like the one that failed last year, may be a sticking point.  Nonetheless, because legislation can advance quickly, many remain on the edge of their seats waiting for the March 11 legislative deadline to pass.

Florida HB 9 has some important differences as compared to Florida HB 969, the bill considered last year (which was also introduced by Representative McFarland) that failed over a disagreement on inclusion of a broad private right of action.  These differences include that Florida HB 9 has a more limited private right of action, applicable only to companies meeting certain revenue thresholds that have committed specifically enumerated violations.  Additionally, among other things, HB 9 requires annual reports from the Attorney General to the Legislature and provides changes to data retention rules.  Below, we analyze HB 9, which is certainly inspired by other omnibus privacy laws and notably includes a number of concepts that closely mirror the CCPA.  That said, like other privacy laws on the books and introduced by various state legislatures, there are material differences that may make it difficult to apply a single, least common denominator approach across different jurisdictions.  If HB 9 passes, it would become effective on January 1, 2023, providing companies a short runway for coming into compliance.

I.     Definitions.

Florida HB 9 defines “personal information” broadly to include “information that is linked or reasonably linkable to an identified or identifiable consumer or household, including biometric information, genetic information, and unique identifiers to the consumer.” Section 501.173(2)(l).  Personal information specifically does not include:

  • Consumer employment contact information;
  • Deidentified or aggregate consumer information; or
  • Publicly and lawfully available information reasonably believed to be made available to the general public.

Under Section 501.173(2)(b), “‘biometric information’ means an individual’s physiological, biological, or behavioral characteristics that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystrokes patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data containing identifying information.”

Florida HB 9 uses other familiar terms such as “controller,” “processor,” and defines “sell” in a similar manner as the CCPA.

II.     Scope.

Most of the key terms between Florida HB 9 and Florida SB 1864 are similar.  A significant difference, however, is the threshold for determining whether the proposed law applies to a particular business.  Florida HB 9 defines a controller as a for-profit business that does business in Florida, collects personal information about consumers, determines the purposes and means of processing personal information, and meets at least two of the following criteria:

  • Global annual gross revenue of more than $50 million;
  • Buys, receives, sells, or shares personal information of 50,000 or more consumers, households, and devices for targeted advertising in conjunction with third parties; or
  • Derives 50% or more of its global annual revenues from selling or sharing personal information.

Thus, smaller companies may prefer Florida HB 9 since it does not apply to companies earning less than $50 million globally per year unless they engage in significant targeted advertising and earn the majority of their global revenue from selling or sharing personal information.

III.     Exceptions.

Section 501.173(1) of Florida HB 9 outlines 27 categories of companies or information to which the bill would not apply, including:

  • Personal information collected and transmitted that is necessary for the sole purpose of sharing such personal information with a financial service provider to facilitate short term, transactional payment processing for the purchase of products or services;
  • Personal information collected, used, retained, sold, shared, or disclosed as de-identified personal information or aggregate consumer information;
  • Cooperation with law enforcement agencies concerning conduct or activity that the controller, processor, or third party reasonably and in good faith believes may violate federal, state, or local law;
  • Personal information collected through the controller’s direct interactions with the consumer, that is used by the controller or processor that the controller directly contracts with for advertising or marketing services to advertise or market products or services that are produced or offered directly by the controller;
  • Personal information of a person acting in the role of a job applicant or employee of a controller, that is collected by a controller, to the extent the personal information is collected and used solely within the context of the person’s role or former role with the controller;
  • Protected health information for purposes of the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and related regulations, and patient identifying information for purposes of 42 C.F.R. part 2, established pursuant to 42 U.S.C. § 290dd-2;
  • A covered entity or business associate governed by the privacy, security, and breach notification rules in 45 C.F.R parts 160 and 164, as long as the personal information is not used for targeted advertising, sold, or shared;
  • Information that is de-identified in accordance with 45 C.F.R. § 164 and derived from individually identifiable health information as described in HIPAA;
  • Information used only for public health activities and purposes as described in 45 C.F.R. § 164.512;
  • Personal information collected, processed, sold, or disclosed pursuant to the federal Fair Credit Reporting Act, Driver’s Privacy Protection Act of 1994, Gramm-Leach-Bliley Act (“GLBA”), and Family Educational Rights and Privacy Act;
  • A financial institution as defined in the GLBA to the extent the financial institution maintains personal information in the same manner as nonpublic information and does not use it for targeted advertising or sell or share it;
  • Personal information disclosed for the purpose of responding to an alert of a present risk of harm to a person or property, detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, or prosecuting those responsible for that activity; and
  • An identifier used for a consumer who has opted out of the sale or sharing of the consumer’s personal information for the sole purpose of alerting processors and third parties that the consumer has opted out of the sale or sharing of the consumer’s personal information.

IV.     Obligations.

Florida HB 9 creates many of the same obligations on controllers and processors that are included in other comprehensive privacy laws.  These include:

  • Maintaining an online privacy policy;
  • Providing notice at the point of collection;
  • Limiting the collection and use of personal information for only those purposes disclosed to consumers;
  • Requiring reasonable security procedures and practices;
  • Implementing a retention schedule, subject to certain exemptions, that prohibits the use or retention of personal information (1) after the satisfaction of the initial purpose for which such information was collected or obtained, (2) after the expiration of the contract pursuant to which the information was collected or obtained, or (3) three years after the consumer’s last interaction with the controller; and
  • Responding to a consumer’s request to exercise his/her rights.

The retention requirement may create challenges for companies who have not previously needed to track their last interactions with consumers.  Florida HB 9’s private right of action, fortunately, does not apply to this retention requirement.  In a further nod to the CCPA, controllers “may charge a consumer who exercised any of the consumer’s rights . . . a different price or rate, or provide a different level or quality of goods or services to the consumer, only if that difference is reasonably related to the value provided to the controller by the consumer’s data or is related to a consumer’s voluntary participation in a financial incentive program.” Section 501.173(8)(a).  Controllers may also offer financial incentives to consumers, “if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program.” Section 501.173(8)(b).  There are also specific contractual requirements mandated by HB 9, similar to what we have seen in some of the other comprehensive privacy bills.

V.     Consumer Rights.

Under Florida HB 9, consumers have a right to request that a controller disclose the following information: (1) the consumer’s personal information that the controller has collected; (2) the sources from which the consumer’s personal information was collected; (3) the specific pieces of personal information about the consumer that have been sold or shared; (4) the third parties to which the personal information about the consumer was sold or shared; and (5) the categories of personal information about the consumer that were disclosed to a processor.  Controllers must act on these requests, free of charge, within 45 days, although a 45-day extension is available after informing the consumer.  Controllers are not required to provide personal information to a consumer more than twice in a 12-month period.

Consumers also have the right to request that a controller delete their personal information.  After receiving a verifiable consumer request to delete the consumer’s personal information, a controller would have 90 days to comply with the request, with ten delineated exceptions.  Controllers do not have to comply with consumer deletion requests if it is reasonably necessary for the controller or processor to maintain the consumer’s personal information to do any of the following:

  • Complete the transaction for which the personal information was collected;
  • Fulfill the terms of a written warranty or product recall;
  • Provide a good or service requested by the consumer, or reasonably anticipated to be requested within the context of a controller’s ongoing business relationship with the consumer, or otherwise perform a contract between the controller and the consumer;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or access; or prosecute those responsible for that activity or access;
  • Debug to identify and repair errors that impair existing intended functionality;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the controller’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;
  • Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the controller or that are compatible with the context in which the consumer provided the information;
  • Comply with a legal obligation, including any state or federal retention laws;
  • Reasonably protect the controller’s interests against existing disputes, legal action, or governmental investigations; and
  • Assure the physical security of persons or property.

Florida HB 9 also contains a right to correct inaccurate personal information and requires controllers to use commercially reasonable efforts to correct personal information, and direct processors to do the same, within 90 days of receiving a verifiable consumer request.  The bill is not clear on what a controller is supposed to do in the event it thinks that the information provided by the consumer is inaccurate.  Nine of the ten right to delete exceptions apply to the right to correct.  Controllers cannot rely on the peer-reviewed scientific research exception to deny a right to correct.

Finally, Florida HB 9 includes a right to opt out of the sale or sharing of personal information and requires an opt-in for personal information relating to minors.  A controller that receives an opt-out is prohibited from selling or sharing the consumer’s personal information beginning 4 calendar days after receipt of the opt-out.  If the bill passes, companies will be required to add another link to their homepages, this time entitled “Do Not Sell or Share My Personal Information.”  Controllers may also accept opt-outs through global privacy controls.  Once a consumer opts out, a controller must wait 12 months before requesting that the consumer authorize the sale or sharing of the consumer’s personal information.

VI.     Enforcement.

Florida HB 9 grants the Florida Department of Legal Affairs (the “Department”) enforcement authority by making violations of the bill an automatic violation of the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”) for purposes of regulatory enforcement.  FDUTPA provides for civil penalties of up to $10,000 per violation of the act (and up to $15,000 in certain situations). These penalties may be tripled if the violation:

  • Involves a consumer who the controller, processor, or person has actual knowledge is 18 years of age or younger without the required parental consent;
  • Involves the controller, processor, or third party’s failure to delete or correct a consumer’s personal information after receiving a verifiable consumer request or directions to delete or correct from a controller;
  • Involves the controller, processor, or third party continuing to sell or share the consumer’s personal information after the consumer opts out; or
  • Involves the selling or sharing of personal information of a consumer 18 years of age or younger without obtaining the required consent.

After being notified of the violation, the Department has discretion to grant the controller or processor a 45-day period to cure the violation.  This cure period, however, does not apply if the controller, processor, or third party failed to delete or correct a consumer’s personal information after receiving a verifiable consumer request or directions to delete or correct from the controller.  The Department may only bring actions on behalf of a Florida consumer.  The Department is also obligated to report to the President of the Senate and Speaker of the House with the number of complaints received each year and their dispositions.

VII.    Private Right of Action.

Unlike its Senate equivalent, Florida HB 9 contains a private right of action for some consumers.  Florida HB 9’s private right of action would allow consumers to sue companies for $100-$750 per person, per incident, or actual damages, where the company:

  1. Fails to delete or correct the consumer’s personal information after receiving a verifiable consumer request;
  2. In the case of a processor, fails to delete or correct a consumer’s personal information after having been directed by a controller to do so;
  3. Continues to sell or share personal information after the consumer has opted out; or
  4. Sells or shares personal information of a consumer under the age of 18 without obtaining the required parental consent.

Florida HB 9 also permits a consumer to seek declaratory or injunctive relief for violations.  The bill does not create a private right of action for data breaches, which is prohibited by Florida’s current data breach law, Section 501.171(10).

Importantly, HB 9 places some restraints on Florida consumers bringing a civil action.  According to Section 501.173(10)(a)(1), a private civil action against companies with global annual gross revenues of less than $50 million is barred. Controllers, processors, or third parties with global annual gross revenues between $50 million and $500 million are subject to private claims, but the prevailing Florida consumer may not be awarded attorney fees or costs.  If the controller, processor, or third party has global annual gross revenues of more than $500 million, the prevailing consumer shall recover reasonable attorney fees and costs.  A prevailing defendant, however, may only recover attorney fees “if the court finds that there was a complete absence of a justiciable issue of either law or fact raised by the consumer or if the court finds bad faith on the part of the consumer, including if the consumer is not a Florida consumer.” Section 501.173(10)(d).  Accordingly, if passed, Florida HB 9 would be the first comprehensive U.S. privacy law that creates a private right of action for violation of the privacy provisions of the law.  For example, California’s private right of action is limited to data breaches of sensitive personal information.  Florida HB 9’s proposed private right of action will incentivize lawsuits from professional plaintiffs who will make mass deletion, correction, or opt-out requests in the hopes of catching companies off guard and unable to respond within the time provided by the law.  The consumer will receive between $100 and $750 per alleged violation or actual damages, while the consumer’s lawyer will be able to recoup their fees and costs only in certain situations.

As written, the current private right of action does not contain a cure provision.  That is, companies are not given the ability to fix whatever violation is alleged before having to defend against a lawsuit.

VIII.  Next Steps.

Florida HB 9 is currently in the Senate, having passed the House 103 to 8.  After passing through the various committees, it must also pass on the floor of the Senate.  All of these next steps must come to a conclusion by March 11, 2022, when the Florida legislative session comes to an end, unless the governor calls for a special session.

For more information please reach out to the authors.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses that (a) conduct business in Utah or produce a product or service targeted to consumers who are Utah residents; (b) have an annual revenue of $25,000,000 or more; and (c) satisfy one or more of certain enumerated thresholds (e.g., control or process the personal data of 100,000 or more consumers; or derive over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Driver’s Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, and portability, as well as a right to opt out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House Amendments to SB 227, and returned SB 227 to the House for signature of the Speaker.  The amended version of SB 227 passed with 22 yea votes, 0 nay votes, and 4 absentees. This means that the bill has passed the concurrence process. Once the bill is signed by the Speaker, it moves on to the ‘enrolling process,’ and then afterwards will be delivered to the Governor, in accordance with the Utah legislative process.

What’s Next

In Utah, if a chamber passes a bill with amendments, “the bill is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and afterwards was sent back to the Senate for concurrence.

If the Senate accepts the House amendments, SB 227 will be delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign the bill (or not sign it), after which the bill becomes law; or (2) veto the bill, in which case the bill does not become a law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing certain data qualifying as “sensitive data” without first presenting the consumer with clear notice and providing an opportunity to opt-out of processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to:

  1. Businesses that (a) conduct business in Utah or produce a product or service targeted to consumers who are Utah residents; (b) have an annual revenue of $25,000,000 or more; and (c) satisfy one or more of certain enumerated thresholds (e.g., control or process the personal data of 100,000 or more consumers; or derive over 50% of gross revenue from the sale of personal data);
  2. “Personal Data,” which is information that can be linked (or is reasonably linkable to) an identified or identifiable individual, with exclusions; and
  3. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among others, photographs or video recordings (or data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Federal Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Driver’s Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have the rights of access, correction, deletion, and portability, as well as a right to opt-out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

What’s Next

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The Utah legislature closes on March 4, 2022.

It remains to be seen how the 2022 version of the Utah Consumer Privacy Act will fare in the Utah House, but CPW will be here to keep you in the loop.

CPW is pleased to announce that today David Oberly joins Squire Patton Boggs (US) LLP’s globally-recognized Data Privacy, Cybersecurity & Digital Assets Practice from Blank Rome, where he played an instrumental role in launching the firm’s Biometric Privacy Practice.  As a recognized thought leader in the biometric privacy space, David serves as a go-to expert for companies that utilize biometrics in their operations—counseling clients on the full range of regulatory compliance obligations applicable today, as well as on managing potential legal exposure and liability risks. David also regularly develops organization-wide biometric privacy compliance programs in connection with all types of biometric technologies.

In addition, David also serves as the trusted privacy advisor to companies across a wide variety of industries, providing compliance, risk management, and product guidance on a broad assortment of privacy, security, and data protection issues that companies face in today’s highly-digital world. David has particular expertise and experience in both counseling/advising and developing compliance programs in connection with consumer privacy laws, including the CCPA, CPRA, CDPA, and CPA. In this capacity, David routinely assists clients in understanding how consumer privacy laws impact their organizational data handling and security practices and has helped numerous companies operationalize compliance with today’s growing web of consumer privacy regulation. David also regularly provides guidance on compliance with a wide range of other state and federal privacy laws, including the New York SHIELD Act, NYDFS Part 500 Cybersecurity Regulation, Florida Security of Communications Act (FSCA), GLBA, HIPAA, and FCRA, among others.

David has deep experience in security incident response matters—both in terms of assisting clients in incident response and crisis management following data breach events and in counseling clients on concerns regarding potential security incidents. David’s expertise extends to a wide range of security incidents, including cloud data breaches, malware credit card breaches, employee phishing breaches, social media account takeover events, ransomware, and inadvertent data disclosure events. David is also experienced in handling all aspects of the incident response process, including post-incident forensic and regulatory investigations, notifications to impacted individuals and privacy regulators, interacting with law enforcement and regulators, and implementing post-incident remediation plans.  David’s advisory work is informed by his significant experience in defending and litigating high-stakes, high-exposure biometric privacy class actions, particularly those brought under the Illinois Biometric Information Privacy Act (BIPA), as well as deep experience in defending other types of privacy and consumer protection class litigation.

Welcome, David!

On November 18, 2021, the Office of the Comptroller of the Currency (the “OCC”), the Board of Governors of the Federal Reserve System (the “Board”), and the Federal Deposit Insurance Corporation (the “FDIC”) issued a final rule (the “Final Rule”) that requires any financial institution subject to their respective jurisdictions to notify its primary federal regulator of any “computer security incident” that rises to the level of a “notification incident,” as those terms are defined in the Final Rule, as soon as possible and no later than 36 hours after the institution determines that a notification incident has occurred.[1] The Final Rule also requires a service provider to a financial institution to notify each affected institution as soon as possible when the service provider determines that it has experienced a computer security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

The Final Rule follows a proposed rule announced by the same regulators in December 2020 (the “Proposed Rule”) and reflects some substantive revisions to the Proposed Rule.  The federal regulators received 35 comments from banks, service providers, and consumer advocacy groups, the majority of which supported the Proposed Rule and the need for prompt notice of significant data incidents involving financial institutions. However, some commenters took issue with definitions provided under the Proposed Rule and some of the specific notification provisions for financial institutions and service providers. The Final Rule takes effect April 1, 2022, and compliance is required beginning May 1, 2022.

For those financial institutions not subject to the jurisdiction of the OCC, the Board or the FDIC, note that the Federal Trade Commission (the “FTC”) is in the process of proposing amendments to the Safeguards Rule that would require nonbank financial institutions subject to the FTC’s jurisdiction to report certain data breaches and other security events to the FTC.

Relevant Definitions

Only those computer security incidents that rise to the level of notification incidents are required to be reported to federal regulators.

The Final Rule defines a “computer security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”  Note that this is more limited than the definition in the Proposed Rule, which would have included potential occurrences and occurrences that constituted a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.

The Final Rule defines a “notification incident” as “a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

Reporting by Financial Institutions

Under the Final Rule, a financial institution must notify its primary federal regulator of a notification incident (as defined above) as soon as possible and no later than thirty-six (36) hours after the institution determines that a notification incident has occurred.  Note that this provides financial institutions with half as much time to report an incident as is allowed under either the EU’s General Data Protection Regulation or the New York Department of Financial Services’ cybersecurity regulations.  The federal regulators believe that the more onerous timing requirement is offset by the narrowed definition of “computer security incident” in the Final Rule compared to the Proposed Rule.

A financial institution may give notice in writing or verbally (including email or telephone) to the institution’s designated point-of-contact at the institution’s primary federal regulator. The federal regulators anticipate that financial institutions will share general information about the facts known at the time of the incident. No specific information is required in the notification other than that a notification incident has occurred. The Final Rule does not prescribe any form or template. The notifications, and any information related to the incident, would be subject to the regulator’s confidentiality rules.

The introduction to the Final Rule acknowledges that a financial institution will need to undertake a reasonable investigation to determine whether a notification incident has occurred and explicitly provides that the 36-hour notification period only starts once the financial institution has finally determined that a notification incident has occurred.

Helpfully, the Final Rule also acknowledges that not all data incidents are reportable and provides a non-exhaustive list of events that would rise to the level of a notification incident:

  • Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
  • A service provider that is used by a financial institution for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
  • A failed system upgrade or change that results in widespread user outages for customers and financial institution employees;
  • An unrecoverable system failure that results in activation of a financial institution’s business continuity or disaster recovery plan;
  • A computer hacking incident that disables banking operations for an extended period of time;
  • Malware on a financial institution’s network that poses an imminent threat to its core business lines or critical operations or that requires it to disengage any compromised products or information systems that support its core business lines or critical operations from Internet-based network connections; and
  • A ransom malware attack that encrypts a core banking system or backup data.

The Final Rule provides that affiliated financial institutions each have separate and independent notification obligations. Each financial institution needs to make an assessment of whether it has suffered a notification incident about which it must notify its primary federal regulator. Subsidiaries of financial institutions that are not themselves financial institutions subject to the Final Rule do not have notification requirements under the Final Rule. However, if a computer security incident were to occur at such a subsidiary, the parent financial institution would need to assess whether the incident was a notification incident for it, and if so, it would be required to notify its primary federal regulator.

Reporting by Service Providers

Only service providers performing services for a financial institution and that are subject to the Bank Service Company Act (the “BSCA”) are subject to the Final Rule. The Final Rule does not further define the services that are subject to the BSCA.  The Final Rule requires a service provider to notify each affected financial institution customer as soon as possible after the service provider determines that it has experienced a computer security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a financial institution for four or more hours.”

Under the Final Rule, a service provider may comply with its duty by notifying a contact designated by the financial institution or, if no such contact has been designated, notifying the financial institution’s chief executive officer and chief information officer (or two individuals with comparable responsibilities).

The introduction to the Final Rule indicates that the federal regulators do not anticipate the Final Rule to add a significant burden to service providers, as many service providers are already subject to contractual requirements to provide notification to financial institutions in the event of a data incident.

Next Steps

In light of the Final Rule, we recommend doing the following prior to the May 1, 2022, compliance deadline:

  • Financial institutions and service providers subject to the Final Rule should review their incident response plans and other relevant policies and procedures to ensure that they will be able to satisfy the onerous notice obligations under the Final Rule. For example, such plans and policies should provide for the escalation of suspected computer security incidents to a specific individual (preferably identified by his or her title) as soon as reasonably practicable.
  • Financial institutions should adopt procedures and develop relevant standards that will enable them to determine quickly whether a computer security incident rises to the level of a notification incident.
  • Financial institutions should include updated contact information for their primary regulators and service providers should document the appropriate points of contact for their customers specifically for the purpose of reporting computer security incidents.
  • Banks should update their form service provider agreements as well as agreements with current service providers to impose notice requirements that track the Final Rule.

[1] See 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

FTC Amends GLBA Safeguards Rule to Impose Significant New Privacy Obligations on Financial Institutions – Consumer Privacy World

Killware: The New Cyber Threat and What It May Mean for Data Breach and Cybersecurity Litigations – Consumer Privacy World

China Publishes New Draft Measure on Cross-Border Data Transfer – Consumer Privacy World

Eleventh Circuit Vacates Hunstein I, But Still Holds Mail Vendor Usage Violates FDCPA – Consumer Privacy World

Court Splits McDonald’s AI Drive-Thru Litigation, Some Claims Kicked Back to State Court – Consumer Privacy World

As seasoned data privacy and biometric litigators are already aware, the United States does not have a comprehensive federal law regulating the collection, processing, disclosure, and security of personal information (“PI”)—typically defined as information that identifies, or is reasonably capable of being linked to, an individual.  Rather, a patchwork of federal and state sectoral laws

Unlike the European Union and many countries, the US does not have a holistic, comprehensive federal law generally regulating privacy and the collection, processing, disclosure and security of “personal information” (typically defined as information that identifies, relates to, describes, is reasonably capable of being linked to, a particular individual). Rather, a patchwork of sectoral federal

This article originally published on February 23, 2021, by the American Bar Association, and is republished here with permission. For more information visit www.americanbar.org.   

The article expands on our original report on the Virginia Consumer Data Protection Act published on February 2, 2021.

In the coming days, Governor Ralph Northam is expected to sign into law the Virginia Consumer Data Protection Act (the “Act”), which, if enacted, will become effective on January 1, 2023. As a result, Virginia would become the second state in the US to enact a holistic data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

Overview and Quick Take

In many ways, the Act is similar to the California Consumer Privacy Act (the “CCPA”), the first holistic data privacy law in the US, and to the California Privacy Rights Act (the “CPRA”), which was enacted by ballot referendum in November 2020. It also shares some concepts with the EU’s General Data Privacy Regulation (the “GDPR”).  However, it is sufficiently dissimilar to each of those laws that a business developing a compliance strategy for the Act will not be able to rely solely on its previous compliance efforts in complying with the Act.
