Consumer privacy continues to be an ever-evolving and active area of law, and one that continues to prove important to consumers and therefore consequential for businesses. A recent study published by Cisco reports that 86% of consumers “care about data privacy” and want more control over their data. Even technology company leaders have recognized the importance of consumer privacy. Apple CEO Tim Cook recently characterized privacy as a fundamental human right, and increased unease over unregulated data collection seems to be a bipartisan concern. As privacy and data security have gained space in the national consciousness, federal authorities have sought to increase their oversight, which could have wide-ranging implications for businesses.
Facebook may provide the impetus for a federal privacy law
Facebook regulation has been in the news most often in discussions relating to Section 230 protections of technology companies, but the recent testimony from Facebook whistleblower Frances Haugen may also provide a needed spur for a federal privacy law. During the October 5, 2021 U.S. Senate Committee on Commerce, Science, and Transportation's Subcommittee on Consumer Protection, Product Safety, and Data Security hearing, Haugen testified, and committee members commented, on the need for Congress to act on federal privacy legislation. Senator Amy Klobuchar, D-Minn., even explicitly called for the drafting of a comprehensive federal privacy law. Ms. Haugen added that simply updating existing U.S. privacy laws would be insufficient to address privacy concerns.
Haugen’s testimony only added to the momentum in the Committee on Commerce, Science, and Transportation. The Committee held a hearing on September 29, 2021 on “Protecting Consumer Privacy,” which examined the need for a comprehensive privacy law, better safeguards of consumer privacy rights, and the creation of a privacy bureau of the Federal Trade Commission (FTC). There was bipartisan recognition of the importance of a federal privacy framework. Senator Roger Wicker, R-Miss., called on the Biden administration to appoint a senior staffer to lead the charge on a federal privacy law and make a comprehensive federal data privacy law a reality, while Committee Chair Senator Maria Cantwell, D-Wash., stressed the threat to consumer privacy from the unbridled collection of personal data and the troubling impact on consumers when companies have failed to do enough to safeguard the information they collect. Remarks during the hearing also suggested that the Committee members generally were open to the possibility of a private right of action in any federal privacy law.
A number of former FTC officials and privacy experts testified at the hearing, including the newly appointed head of the California Privacy Protection Agency, Ashkan Soltani, also a former FTC official and former senior White House advisor on privacy matters. The former FTC officials stressed the need for comprehensive federal privacy legislation with strong consumer rights protections and urged lawmakers to include enhanced enforcement authority and resources for the FTC. Although the FTC enforcement of privacy issues has steadily trended upward, the former FTC officials testified that the federal consumer watchdog agency is insufficiently staffed and does not have time for forceful enforcement with its current resources. The former FTC officials stressed the necessity of staffing increases at the FTC in parity with the growing tech industry, and the creation of a bureau dedicated to privacy and security issues at the FTC, arguing that without a comprehensive federal privacy law, the behavior of companies is unlikely to change. The witnesses also pushed back on some members of the Senate requesting the FTC take up rulemaking relating to data privacy, emphasizing that congressional action is needed to pass new federal privacy law.
Federal enforcement and oversight of cybersecurity matters
Earlier this month, the United States Department of Justice (DOJ) announced a new initiative for pursuing enforcement relating to cyber measures that seeks to hold accountable entities or individuals that put U.S. information or systems at risk. The Civil Cyber-Fraud Initiative will utilize the False Claims Act (FCA) to pursue cybersecurity-related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. Under the Initiative, the DOJ will utilize the FCA to pursue civil enforcement actions against government contractors that knowingly fail to follow required cybersecurity standards and reporting requirements—the latest indication of the heightened risks of noncompliance with cybersecurity-related obligations for contractors. The Initiative, which will be led by the Civil Division’s Commercial Litigation Branch, Fraud Section, will combine the department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems. In announcing the Initiative, Deputy Attorney General Lisa Monaco stated, “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it . . . that changes today.”
The DOJ’s announcement comes amid a flurry of regulatory and legislative activity related to cybersecurity. Agencies are in the process of implementing President Biden’s broad May 12, 2021, Executive Order on Improving the Nation’s Cybersecurity (EO 14028), which calls for new requirements for information technology contractors to share information about potential cyber threats, among other things. President Biden also signed into law the “K-12 Cybersecurity Act of 2021,” which requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include voluntary guidelines designed to assist schools in facing those risks. Last month the Senate Homeland Security Committee also advanced a bill that would require hospitals and oil and natural-gas pipeline companies, among other critical infrastructure operators, to report cyberattacks and ransom payments within 72 hours. The Department of Homeland Security has also said it would require "high-risk" rail and transit systems to report cyber incidents and implement plans to address cyberattacks.
The importance of a robust cybersecurity program
The number of data breaches and ransomware attacks has exponentially increased in 2021. Data breaches continue to occur with alarming frequency and success. LinkedIn, Volkswagen, Facebook, T-Mobile, Bonobos, and Experian have all suffered data breaches this year. In Southern California, U.C. San Diego Health was reportedly the victim of a phishing scheme that a recent class action complaint alleges may have resulted in a data breach of approximately half a million patients over the period of four months. The multi-count class action complaint, including a claim under the California Consumer Privacy Act (CCPA), was filed in federal district court in San Diego in September. However, breaches are not limited to just customer data. Public relations firm 5W reportedly suffered a data breach in August 2021 that impacted its employees’ data, including allegations that some of its current and former employees’ names and Social Security numbers may have been exposed.
Similarly, the volume of suspected ransomware payments flagged by U.S. banks has nearly doubled from last year. Ransomware payments reportedly reached more than $400 million globally in 2020 and topped $81 million in the first quarter of 2021 alone, with North America becoming the biggest ransomware target. In one recent example, Sinclair Broadcast Group, a nationwide operator of TV stations, announced that it had suffered a cybersecurity incident that encrypted some of its servers and workstations with ransomware and stole data from the company's network. Another media conglomerate, Cox Media Group, was also reportedly the target of a ransomware attack earlier this year. But ransomware strikes are not limited to particular industries. Hospitals and health care organizations are persistent targets, impacting patient health and safety. Educational institutions are also not immune. In another recent incident, Howard University in Washington, D.C., had to cancel classes last month after being hit by ransomware.
Cybersecurity incidents expose businesses to regulatory enforcement actions as well as costly private class action litigation. As always, the best strategy for businesses is to proactively take action to prevent or minimize the risk of cybersecurity incidents before they happen by implementing a robust cybersecurity program. This can include minimizing data retention, implementing sufficient technological protections such as antivirus and anti-malware programs, encrypting data when possible, keeping software updated, implementing secure data backup practices, conducting regular audits, reviewing contracts with vendors and other entities that have access to information, and, particularly important, training employees in implementing security practices and identifying potential phishing scams or other suspicious activity. If you do suffer a cybersecurity incident, make sure to immediately contact reliable counsel to oversee your response, guide you through any applicable legal requirements, and ensure the best course of action to address and mitigate any harm.
If you have any data security or privacy related questions, contact the authors and the other attorneys in the Data Security and Privacy Team at Atkinson Andelson Loya Ruud & Romo to help you navigate any potential actions and preventative security measures you can take. If your business is faced with a lawsuit or regulatory enforcement action, AALRR has a team of data privacy litigators well-versed in the law ready to step in and defend you.
This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2021 Atkinson, Andelson, Loya, Ruud & Romo
Consumer privacy continues to be an ever-evolving and active area of law, and California is still leading the way. In today’s update, we discuss the latest developments in enforcement and litigation for California consumer privacy law.
The CPRA and the Privacy Protection Agency Inches Closer
The California Privacy Rights Act (CPRA), approved by voters as a ballot proposition in November 2020, supplements and expands the current California Consumer Privacy Act (CCPA), and established the California Privacy Protection Agency (CPPA or the “Agency”), which is vested with full power and authority to enforce the CCPA (including the additional requirements added by the CPRA). The Agency had already appointed a Board of Directors and been holding regular meetings, but has recently taken additional important steps in its formation.
New Amendments to the CCPA and the CPRA
Earlier this month Governor Gavin Newsom signed bills into law that amend the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Seventeen years ago, in 2004, the California Legislature enacted the Labor Code Private Attorneys General Act of 2004 (“PAGA”). Appropriately dubbed a “bounty hunter” law, PAGA authorizes any current or former “aggrieved” employee of a California employer to file suit to seek statutory penalties for essentially any violation of the California Labor Code together with attorney’s fees, hence the incentive for plaintiff attorneys to bring such cases. Specifically, under PAGA a current or former employee who is “aggrieved” by a violation of the California Labor Code can seek, in addition to damages and liquidated damages, civil penalties on the employee’s behalf and on behalf of all other similarly “aggrieved” (i.e., affected) current and former employees. The recoverable civil penalties are up to $100 per employee per pay period for an initial violation and $200 per employee per pay period for each subsequent violation, plus attorney’s fees and litigation costs. When such penalties are awarded, the plaintiff current or former employee, along with all other similarly “aggrieved” employees, will receive 25% of the penalties together with their attorney’s fees as a “bounty,” with the balance of the penalties payable to a State agency known as the California Labor and Workforce Development Agency.
Following the Supreme Court’s recent ruling narrowing the patent assignor estoppel doctrine, employers may have more difficulty shielding their patents from challenges by former employee-inventors and their new employer-competitors.
On April 5, 2021, the Supreme Court put an end to the decade-long copyright dispute between tech giants Google and Oracle America. In a 6-2 decision authored by Justice Breyer, the Supreme Court held in Google LLC v. Oracle America, Inc., 593 U.S. ___ (2021), that Google’s copying of approximately 11,500 lines of code from Oracle’s Java SE Application Programming Interface (“API”) was “fair use” and, therefore, did not constitute copyright infringement. The Court’s decision will undoubtedly have ramifications for decades to come on the “fair use” doctrine in commercial works, and in particular in the use of computer code in commercial software.
The two questions before the Court were: (1) whether the Java SE code that Google copied was entitled to copyright protection in light of the Copyright Act’s inclusion of computer programs as copyrightable material and its prohibition on protection for “processes” and “methods of operation,” and (2) assuming the code was copyrightable, whether Google’s use qualified as “fair use.” Recognizing that “a holding for Google on either question presented would dispense with Oracle’s copyright claims,” the Court only answered the fair use inquiry. In view of “the rapidly changing technological, economic, and business-related circumstances,” the Court exercised judicial restraint by stating it would “not answer more than is necessary to resolve the parties’ dispute.” Although Google could have prevailed had the Court found that the API was not copyrightable, the Court saved that question for another day and assumed for the sake of argument that it was.
Justice Breyer, joined by Chief Justice Roberts and Justices Sotomayor, Kagan, Gorsuch, and Kavanaugh, focused on the fair use defense by analyzing each of the four statutory factors enumerated in 17 U.S.C. § 107: (1) the purpose and character of the use; (2) the nature of the copyrighted work; (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and (4) the effect of the use upon the potential market for or value of the copyrighted work. The Court found that each factor weighed in Google’s favor, thereby reversing the Federal Circuit’s decision to the contrary.
Justice Thomas, joined by Justice Alito, dissented, stating that the majority erred by not answering the question of copyrightability and that the fair use factors actually favored Oracle. The dissent criticized the majority’s approach of sidestepping the question of whether the API was copyrightable, arguing that the majority’s failure to address the issue distorted its fair use analysis and ultimately rendered the code as “less worthy of protection.”
The Court’s decision sets an important precedent as it has the potential to significantly expand the fair use doctrine, even in non-computer software contexts. If you are an author, musician, programmer, or other content creator, or have been accused of copyright infringement, it is important to consult with experienced intellectual property counsel to determine how the decision impacts you.
AALRR has a dedicated group of attorneys on its Intellectual Property Team with the experience and expertise to vigorously enforce your copyrights and defend you against claims of copyright infringement. Attorneys on the Firm’s Intellectual Property Team can also assist you with registration of your copyrights with the United States Copyright Office. Contact the authors for assistance with your copyright and other intellectual property needs.
The California homestead exemption has been amended effective January 1, 2021. Under the new law, the homestead exemption now protects home equity equal to the median home price in the county where the debtor resides, not to exceed $600,000, or $300,000, whichever is greater. The exemption adjusts annually for inflation. The homestead exemption should be taken into consideration when the defendant may be personally liable for the judgment.
A California appeals court recently determined that debtors who attempt to avoid debt collection by moving their assets out of state and into a different legal form may be liable for fraudulent transfer under California law. On January 7, 2021, the California Court of Appeals issued a decision in Nagel v. Western (2021) 59 Cal.App.5th 740. In Nagel, the court held that under California’s Uniform Voidable Transactions Act (the “UVTA”), “physically relocating personal property and transmitting or transporting sale proceeds out of state, then transmuting them into a different legal form, may constitute a direct or indirect mode of parting with assets or one’s interests in those assets.” This means that such transfers would fall under the fraudulent transfer prohibitions of the UVTA. In short, debtors can no longer feel safe trying to shield their assets from creditors by moving them out of state and changing their form. And creditors have a new mechanism at their disposal to try to access those assets despite such maneuverings on the part of the debtors.
In a recent letter to members of the U.S. Senate Finance Committee, dated February 18, 2021, the United States Treasury Inspector General for Tax Administration (the “Inspector General”) outlined a potential disagreement with the Criminal Investigations Division of the Internal Revenue Service (“Criminal Investigations”) regarding the need for a search warrant to utilize databases containing cell phone users’ GPS data. On one hand, the Inspector General indicated that courts may use “similar logic” to expand a 2018 Supreme Court decision requiring a search warrant to access cell-site location information to likewise apply to GPS data provided to applications operated by third parties. On the other hand, the letter provides the stated position of Criminal Investigations, which asserts that “Cell Site Location Information is distinct from opt-in app data,” in apparent reference to the division’s prior claim that GPS data collected by cell phone applications does not require a search warrant because it has been “voluntarily” provided to a third party.
On January 6, 2021, the Department of Labor (“DOL”) announced the new final rule for worker classifications called the “economic reality” test. The new DOL final rule provided that two core factors were to be examined to determine whether a worker is properly classified as an independent contractor under federal law: (1) the nature and degree of control over the work; and (2) the worker’s opportunity for profit or loss based on initiative and/or investment. As previously discussed here, these requirements are much less stringent than the “ABC” test adopted by California, which requires that the worker perform work outside the usual course of the hiring entity’s business and that the worker is customarily engaged in an independently established business of the same nature.