[This is the third in a series of blog posts on how businesses should prepare for the California Privacy Rights Act which will enter into force on January 1, 2023]
When the California Privacy Rights Act (“CPRA”) takes effect on January 1, 2023, it will bring changes to several key areas of privacy law. AALRR has already covered changes regarding (a) employee data here; and (b) data retention requirements here.
[This is the second in a series of blog posts on how businesses should prepare for the California Privacy Rights Act which will enter into force on January 1, 2023]
When the California Privacy Rights Act (“CPRA”) takes effect on January 1, 2023, it will bring sweeping changes to data retention requirements in California. Historically, many companies have over-retained data (and understandably so, since most risks under older laws related to a failure to keep data). The CPRA changes the data-retention landscape significantly by requiring companies to justify and disclose their retention policies, and to limit retention periods to only the time necessary to fulfill the company’s disclosed purpose for retaining the data.
Final regulations under the CPRA are still pending, and the information provided herein is subject to modification. This guidance also does not cover data retention principles under statutes other than the CPRA.
[This is the first in a series of blog posts on how businesses should prepare for the California Privacy Rights Act which will enter into force on January 1, 2023]
Since January 1, 2020, the California Consumer Privacy Act (“CCPA”) has required covered businesses (as defined below) to provide notice to California employees and job applicants regarding the types of personal information that a business collects. Certain key employee exemptions, however, have limited the privacy-related requirements for employers and the corresponding rights of employees and job applicants. Those exemptions are set to expire on January 1, 2023.
We have yet to realize the full effect of the COVID-19 pandemic and its impact on the global economy. According to recent reports from China’s National Bureau of Statistics, nearly 20% of Chinese citizens aged 16 to 24 are unemployed. University graduates are likely to be more affected in China this year than at any point in China’s history, with over 10 million Chinese graduates fighting their way into a job market with the worst prospects ever. The Chinese government’s strict adherence to a zero-tolerance COVID policy has devastated major manufacturing activities throughout the country, leading to an overall decline in China’s sustained economic momentum coming out of the pandemic.
Sources:
- China’s National Bureau of Statistics, Unemployment Report as of July 2022.
- Pollard, M. (2022, June 23). Analysis: Record numbers of Chinese graduates enter worst job market in decades. Reuters. https://www.reuters.com/world/china/record-numbers-chinese-graduates-enter-worst-job-market-decades-2022-06-23/
- Mayger, J., Ma, A., Liu, Y., & Hancock, T. (2022, September 14). China Braces for a Slowdown That Could Be Even Worse Than 2020. Bloomberg News. https://www.bloomberg.com/news/articles/2022-09-14/china-economic-growth-forecasts-keep-sinking-as-risks-multiply
With the looming economic downturn, clients, retailers and small businesses are looking to cut costs wherever possible. Lately, these cost-cutting measures have had a significant impact on warehouse operators and other companies that store goods, who are caught in the middle of these cost-cutting attempts.
Since its passage in 1990, the Americans with Disabilities Act (ADA) has required “places of public accommodation” to make modifications to promote accessibility for disabled persons. But what about websites? We previously discussed the practical and legal complications of the ADA and California’s corresponding Unruh Civil Rights Act in an earlier post here. Although it can be accessed by the public, a website is not a physical location, even though it may sell physical goods and services. Whether a website is nonetheless a “place of public accommodation” has split the Federal Courts of Appeals for years. Some have held that websites exist only in cyberspace and therefore are not “places” governed by the ADA. Others have held that a website does qualify as a “place,” so long as it is advertising goods and services provided at a specific physical facility. Until now, the California Court of Appeal had not addressed this issue or its implications for the Unruh Act.
A federal magistrate judge in the Northern District of California recently rejected a Chinese company’s attempt to invoke China’s recent Personal Information Protection Law (“PIPL”) to limit its discovery obligations in the United States. In Cadence Design Sys., Inc. v. Syntronic AB, No. 21-cv-03610-SI, United States Chief Magistrate Judge Joseph C. Spero refused to limit the PIPL’s legal-obligations exception to Chinese laws and China-recognized orders. On June 24, 2022, the Court denied defendants’ motion for reconsideration of the Court’s earlier order compelling Defendant Syntronic (Beijing) Technology R&D Center Co., Ltd. (“Syntronic Beijing”) to produce computers in the possession and custody of defendants in China for inspection in the United States. While on its face China’s PIPL would seemingly prohibit production of these China-stored computers into the United States without the consent of current and former individual employees (who have refused to consent), the Court ruled that its order in the case created a legal obligation sufficient to invoke the legal-obligation exception under PIPL Article 13.
Paperwork is an inevitable and often tedious part of doing business. When that paperwork becomes routine and time-consuming, the natural inclination is to skim documents or rely on industry-developed shortcuts. While this can save you time in the short term, it risks exposing you and your company to massive liability. And while you can directly control your own actions, the risk of liability does not end there. Many companies choose to outsource that paperwork to third parties and trust them to do their jobs. But even when you have good practices internally, you can still be put at risk when the third parties that work for you do not follow best practices. The recent California Court of Appeal decision in Bergstrom v. Zions Bancorporation, 2022 WL 1419910 (2022), is a clear example of how reliance on third-party agents and a third party’s use of shortcuts can expose your company to massive liabilities.
More than ever, companies aspire to increase the reach of their businesses by opening secondary or satellite offices in different states. While this can be an effective tool for expansion, it opens the business to potential liability in multiple forums which may have different or contradicting rules and regulations, particularly when addressing the rights of employees. As with many legal complexities associated with cross-border transactions, one of the most common ways to limit this uncertainty is through the use of forum selection clauses—contractual provisions which dictate the applicable law or potential legal forums for disputes arising out of those contracts.
Consumer privacy continues to be an ever-evolving and active area of law, and one that continues to prove important to consumers and therefore consequential for businesses. A recent study published by Cisco reports that 86% of consumers “care about data privacy” and want more control over their data. Even technology company leaders have recognized the importance of consumer privacy. Apple CEO Tim Cook recently characterized privacy as a fundamental human right, and increased unease over unregulated data collection appears to be a bipartisan concern. As privacy and data security have gained space in the national consciousness, federal authorities have sought to increase their oversight, which could have wide-ranging implications for businesses.
Facebook may provide the impetus for a federal privacy law
Facebook regulation has been in the news most often in discussions relating to Section 230 protections of technology companies, but the recent testimony from Facebook whistleblower Frances Haugen may also provide a needed spur for a federal privacy law. During the October 5, 2021 U.S. Senate Committee on Commerce, Science, and Transportation's Subcommittee on Consumer Protection, Product Safety, and Data Security hearing, Haugen testified, and committee members commented, on the need for Congress to act on federal privacy legislation. Senator Amy Klobuchar, D-Minn., even explicitly called for the drafting of a comprehensive federal privacy law. Ms. Haugen added that simply updating existing U.S. privacy laws would be insufficient to address privacy concerns.
Haugen’s testimony only added to the momentum in the Committee on Commerce, Science, and Transportation. The Committee held a hearing on September 29, 2021 on “Protecting Consumer Privacy,” which examined the need for a comprehensive privacy law, better safeguards of consumer privacy rights, and the creation of a privacy bureau within the Federal Trade Commission (FTC). There was bipartisan recognition of the importance of a federal privacy framework. Senator Roger Wicker, R-Miss., called on the Biden administration to appoint a senior staffer to lead the charge on a federal privacy law and make a comprehensive federal data privacy law a reality, while Committee Chair Senator Maria Cantwell, D-Wash., stressed the threat to consumer privacy from the unbridled collection of personal data and the troubling impact on consumers when companies have failed to do enough to safeguard the information they collect. Remarks during the hearing also suggested that Committee members generally were open to the possibility of a private right of action in any federal privacy law.
A number of former FTC officials and privacy experts testified at the hearing, including the newly appointed head of the California Privacy Protection Agency, Ashkan Soltani, himself a former FTC official and former senior White House advisor on privacy matters. The former FTC officials stressed the need for comprehensive federal privacy legislation with strong consumer rights protections and urged lawmakers to include enhanced enforcement authority and resources for the FTC. Although FTC enforcement of privacy issues has steadily trended upward, the former FTC officials testified that the federal consumer watchdog agency is insufficiently staffed and lacks the resources for forceful enforcement. They stressed the necessity of staffing increases at the FTC in parity with the growing tech industry, and the creation of a bureau dedicated to privacy and security issues at the FTC, arguing that without a comprehensive federal privacy law, the behavior of companies is unlikely to change. The witnesses also pushed back on some members of the Senate who requested that the FTC take up rulemaking relating to data privacy, emphasizing that congressional action is needed to pass a new federal privacy law.
Federal enforcement and oversight of cybersecurity matters
Earlier this month, the United States Department of Justice (DOJ) announced a new initiative for pursuing enforcement relating to cybersecurity measures that seeks to hold accountable entities or individuals that put U.S. information or systems at risk. The Civil Cyber-Fraud Initiative will utilize the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. Under the Initiative, the DOJ will utilize the FCA to pursue civil enforcement actions against government contractors that knowingly fail to follow required cybersecurity standards and reporting requirements—the latest indication of the heightened risks of noncompliance with cybersecurity-related obligations for contractors. The Initiative, which will be led by the Civil Division’s Commercial Litigation Branch, Fraud Section, will combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems. In announcing the Initiative, Deputy Attorney General Lisa Monaco stated, “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it . . . that changes today.”
The DOJ’s announcement comes amid a flurry of regulatory and legislative activity related to cybersecurity. Agencies are in the process of implementing President Biden’s broad May 12, 2021, Executive Order on Improving the Nation’s Cybersecurity (EO 14028), which calls for new requirements for information technology contractors to share information about potential cyber threats, among other things. President Biden also signed into law the “K-12 Cybersecurity Act of 2021,” which requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include voluntary guidelines designed to assist schools in facing those risks. Last month the Senate Homeland Security Committee also advanced a bill that would require hospitals and oil and natural-gas pipeline companies, among other critical infrastructure operators, to report cyberattacks and ransom payments within 72 hours. The Department of Homeland Security has also said it would require "high-risk" rail and transit systems to report cyber incidents and implement plans to address cyberattacks.
The importance of a robust cybersecurity program
The number of data breaches and ransomware attacks has increased dramatically in 2021. Data breaches continue to occur with alarming frequency and success. LinkedIn, Volkswagen, Facebook, T-Mobile, Bonobos, and Experian have all suffered data breaches this year. In Southern California, U.C. San Diego Health was reportedly the victim of a phishing scheme that a recent class action complaint alleges may have resulted in a data breach affecting approximately half a million patients over a period of four months. The multi-count class action complaint, including a claim under the California Consumer Privacy Act (CCPA), was filed in federal district court in San Diego in September. Breaches are not limited to customer data, however. Public relations firm 5W reportedly suffered a data breach in August 2021 that impacted its employees’ data, including allegations that some of its current and former employees’ names and Social Security numbers may have been exposed.
Similarly, the volume of suspected ransomware payments flagged by U.S. banks has nearly doubled from last year. Ransomware payments reportedly reached more than $400 million globally in 2020 and topped $81 million in the first quarter of 2021 alone, with North America becoming the biggest ransomware target. One recent example is Sinclair Broadcast Group, a nationwide operator of TV stations, which announced that it had suffered a cybersecurity incident in which ransomware encrypted some of its servers and workstations and data was stolen from the company’s network. Another media conglomerate, Cox Media Group, was also reportedly the target of a ransomware attack earlier this year. But ransomware strikes are not limited to particular industries. Hospitals and health care organizations are persistent targets, with attacks directly affecting patient health and safety. Educational institutions are also not immune: in another recent incident, Howard University in Washington, D.C., had to cancel classes last month after being hit by ransomware.
Cybersecurity incidents expose businesses to regulatory enforcement actions as well as costly private class action litigation. As always, the best strategy for businesses is to act proactively to prevent or minimize the risk of cybersecurity incidents before they happen by implementing a robust cybersecurity program. This can include minimizing data retention, implementing sufficient technological protections such as anti-virus and anti-malware software, encrypting data where possible, keeping software updated, implementing secure data backup practices, conducting regular audits, reviewing contracts with vendors and other entities that have access to information, and, particularly important, training employees to follow security practices and to identify potential phishing scams or other suspicious activity. If you do suffer a cybersecurity incident, immediately contact reliable counsel to oversee your response, guide you through any applicable legal requirements, and ensure the best course of action to address and mitigate any harm.
If you have any data security or privacy related questions, contact the authors and the other attorneys in the Data Security and Privacy Team at Atkinson Andelson Loya Ruud & Romo to help you navigate any potential actions and preventative security measures you can take. If your business is faced with a lawsuit or regulatory enforcement action, AALRR has a team of data privacy litigators well-versed in the law ready to step in and defend you.
This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2021 Atkinson, Andelson, Loya, Ruud & Romo