FMG Law Blog Line

Posts Tagged ‘data breach’

New Jersey’s Continued Push to Expand its Data Breach and Privacy Laws

Posted on: July 1st, 2020

By: Zachary Danner

Following in the steps of California and other states considering consumer privacy legislation, New Jersey’s legislators have recently introduced a number of bills that would establish specific notification requirements for the collection and use of personally identifiable information (“PII”). While current law requires businesses to notify consumers if there is unauthorized access to electronically stored PII, there is no current law in New Jersey that requires businesses to notify consumers when and if their PII is being collected or shared with a third party. There also is no existing process for a consumer to request information about the collection or sharing of his or her PII or to request that it be destroyed.

However, there are two bills currently being considered by the New Jersey Senate and Assembly that would require specific steps by a business before collecting PII or sharing it with a third party. These bills also establish requirements for how businesses handle the PII they collect from consumers, to ensure its security and privacy. The following is a summary of the key provisions of each bill under consideration.

I. Senate Bill S1257

In February 2020, Senate Bill S1257, introduced by Assembly Member Troy Singleton, was referred to the Senate Commerce Committee. In short, if approved and signed, the bill would require commercial internet websites and online services to notify consumers of the collection and disclosure of PII and would allow the consumer to opt-out of the sale of their PII.

The notification to consumers prior to collection of PII must be clearly and conspicuously posted on the business’s website or online service, or in another prominently accessible location that the business maintains for consumer privacy settings, and include the following information:

  1. The categories of PII collected through the website or online service about a consumer who uses or visits the website or service;
  2. All third parties with which the operator may disclose a consumer’s PII;
  3. Whether a third party may collect PII about a consumer’s online activities over time and across different websites or online services when the consumer uses the operator’s website or online service;
  4. A description of the process for a consumer to review and request changes to any of his or her PII that is collected by the website or online service;
  5. The process by which the operator notifies consumers who use or visit the website or online service of material changes to the notification currently posted on the website; and
  6. One or more designated addresses that a consumer may use to request information under the bill.

As to selling information to third parties, the bill would require a business to provide a link on its website or online service that allows a consumer, by verified request, to opt out of the sale of his or her PII to any third party. A consumer may request from the business information about his or her PII that was disclosed and the names and contact information of the third parties that received his or her PII. Once the request is received, the business must respond to the consumer within 60 days and provide the information for all disclosures of PII that occurred in the prior 12 months. This information is to be provided free of charge.

The bill also creates protections for consumers who opt out of the sale of their PII. It specifically prohibits a business from discriminating against or penalizing a consumer who opts out. However, the business would not be prohibited from offering consumers discounts, loyalty programs, or other incentives for the sale of their PII, or from providing different services to consumers that are reasonably related to the value of the relevant data.

Lastly, the proposed legislation does not include a private right of action for alleged violations. Rather, the Attorney General is to have sole authority to enforce a violation of the statute, if it were to be adopted and put into law in its current form.

II. Assembly Bill A3255

A second, similar but even more consumer-friendly bill was proposed to the General Assembly in February 2020. Assembly Bill A3255, introduced by Assembly Member John J. Burzichelli, was referred to the Assembly’s Science, Innovation, and Technology Committee for consideration.

This bill imposes certain requirements on businesses concerning the collection of a consumer’s PII. Unlike Senate Bill S1257, Assembly Bill A3255 specifically prohibits a business from collecting a consumer’s PII unless the consumer affirmatively opts in to the collection. At or before the point of collection, a business that collects a consumer’s PII must inform consumers about the categories of PII to be collected and the purposes for which the categories of PII will be used. Further, the business may not collect other categories of PII or use collected PII for other purposes without providing the consumer prior notice.

If the business wants to sell a consumer’s PII to a third party, the bill requires that it provide each consumer with notice that PII may be sold and that the consumer has the “right not to opt-in” to the sale of his or her PII. Even if a consumer initially agrees to the sale of his or her PII, the consumer can at any time rescind that authorization, and the business must immediately stop selling the consumer’s PII.

A consumer also would have the right to request information about the disclosure of his or her PII. If a business receives a verifiable request from a consumer, it must promptly take steps to disclose and deliver, free of charge, the PII that was disclosed to a third party. The information may be delivered by mail or electronically, and if provided electronically, it must be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide PII to a consumer at any time, but is not required to provide PII to a consumer more than twice in a 12-month period.

The bill also provides that a consumer has a right to request that a business delete any PII it has collected from the consumer. Like Senate Bill S1257, this statute would also prohibit discrimination against any consumer who chooses to opt out of the sale of his or her PII to third parties.

Any violation of the bill would constitute an unlawful practice and violation of the New Jersey Consumer Fraud Act, which would be punishable by a monetary penalty of up to $10,000 for a first offense and $20,000 for a subsequent offense. However, a grace period would be provided to the business, allowing it 30 days to cure any alleged violation after being notified of the alleged noncompliance before it is assessed a penalty.

III. Takeaways from the proposed legislation

If adopted into law, each of these statutes would change the way businesses in New Jersey operate with regard to the collection and use of consumer information. Clearly, the California Consumer Privacy Act is the model on which New Jersey and other states are now basing their own legislation. As businesses in California already know, complying with these requirements is onerous and can take time. Therefore, businesses should stay informed on the proposed legislation and be aware of New Jersey’s developing efforts to protect PII, as they could have a significant impact on their operations.

Please be sure to visit our firm’s blog for updates and other up-to-date news and analysis of data security and privacy issues. If you have questions or would like more information, please contact Zachary Danner at [email protected].

An Arbitration Clause May Present A Defense To A Data Breach Class Action – But At What Cost?

Posted on: June 10th, 2020

By: Bill Cheney

A common defense strategy in response to data privacy and security class actions is to file a motion to compel arbitration. The arbitration forum has a number of advantages, including efficiency, speed, lower costs, expertise, and confidentiality, which make it an attractive alternative to class litigation. The confidentiality that can be offered by arbitration is particularly attractive in data breach class actions, as the public nature of litigation and the media attention often given to it can interfere with a company’s efforts to repair its reputation and goodwill. Moreover, with the Supreme Court’s decision in Lamps Plus, Inc. v. Varela, 139 S. Ct. 1407, 203 L.Ed.2d 636 (2019), which held that the parties’ agreement to class arbitration must be explicit and may not be inferred, there is more certainty that the arbitration will be on an individual basis and allow the parties to truly realize these benefits.

Now, however, there is a new consequence to consider before filing a motion to compel arbitration in response to a data breach class action: mass arbitration. On April 27, 2020, United States District Judge Richard D. Bennett dismissed a class action lawsuit filed in the District of Maryland against Chegg, Inc. The lawsuit stemmed from a 2018 data breach experienced by Chegg, Inc., which subsequently filed a Motion to Compel Arbitration and Dismiss. Judge Bennett found that there was “no triable issue” as to whether the arbitration provision in Chegg, Inc.’s Terms of Use, requiring individual arbitration, was agreed to, and dismissed all claims and ordered the parties to proceed to arbitration.

The result appeared to be a win for Chegg, Inc. However, in less than a month, over 15,000 demands for arbitration were filed with the American Arbitration Association on behalf of those allegedly affected by the data breach. In filing fees alone (the American Arbitration Association requires businesses to pay a nonrefundable fee of $300 once the consumer claimant meets the filing requirements), Chegg, Inc. will now have to incur over $4,500,000.

Mass arbitration like this has been on the rise in the employment context, being instituted against employers such as Uber, Chipotle and DoorDash. Moreover, several companies specialize in locating consumers and coordinating mass arbitration claim filings. It is now a very real potential repercussion that must be accounted for in evaluating whether to proceed with a motion to compel arbitration in response to data privacy and security class actions. Otherwise, a seemingly effective defense strategy may have dire consequences and put the plaintiffs in the driver’s seat.

If you have questions or would like more information, please contact Bill Cheney at [email protected].

Georgia High Court to Rule on Damages Required for Data Breach Claims

Posted on: September 3rd, 2019

By: Amy Bender

The Georgia Supreme Court soon will weigh in on the ongoing debate within the courts of when individuals may bring claims based on data breaches involving their personal information when they have not suffered any actual financial harm.

In what is now, however unfortunately, a familiar story, the plaintiffs in Collins et al. v. Athens Orthopedic Clinic, P.A. were patients at a medical clinic that experienced a ransomware attack that gave the hacker access to their personal information stored on the clinic’s computer database, such as their Social Security numbers, dates of birth, and medical histories. The hacker then posted the information on the Dark Web and another website. The clinic did not provide credit monitoring, identity theft protection, or other remedies to its victim patients, which the patients then had to purchase themselves. One of the plaintiffs also experienced fraudulent credit card charges, although she did not actually allege those charges were the result of the clinic’s data breach.

Instead of claiming any violation of a data breach statute, the plaintiffs brought claims under Georgia state law for negligence, breach of contract, unjust enrichment, declaratory judgment, Georgia Uniform Deceptive Trade Practices Act, and attorney’s fees. The trial court dismissed the claims before trial, and the Georgia Court of Appeals agreed, finding measures such as credit monitoring and identity theft protection and their associated costs, which are designed to prevent exposure to future, speculative harm, were not sufficient proof of the damages required to establish any of their claims.

The Georgia Supreme Court agreed to review the case and recently heard oral argument. A decision is expected within the next few months. At oral argument, some of the justices seemed skeptical of the lower courts’ rulings and the argument that the plaintiffs needed to wait until they had been victimized by identity fraud before they could file suit. However, no ruling has been made yet.

Courts around the country have taken differing views on whether the mere exposure of personal information, without more, is enough to be considered “damages” or if the plaintiff must prove additional financial harm. (See our related blog posts here, here, and here.) The upcoming Georgia Supreme Court decision hopefully will shed light on this issue and serve as a helpful guide for both organizations and individuals, at least within the State of Georgia.

Another takeaway from this case is that it usually is prudent for an organization that has experienced a data breach exposing personal information of its patients or clientele to bear the cost of credit monitoring and identity theft services, in addition to implementing strong data security measures that may prevent such an attack from occurring in the first place. Indeed, although not mandatory in Georgia and most other states, a handful of other states do require that these services be offered to affected individuals at no cost when they are notified of a data breach. Although these costs can be high, they can be covered by the organization’s cyber liability insurance policy and likely pale in comparison to the time and money the organization may spend defending a lawsuit arising out of the breach.

For more information or for assistance with data security or response measures, contact FMG’s Data Security, Privacy & Technology team.

Massachusetts’ Will-o’-the-WISP

Posted on: April 24th, 2019

By: Zach Moura

Massachusetts revised its data breach notification law, effective April 10, 2019, to change the minimum standards for what companies should include in a Written Information Security Plan, or WISP. Companies that experience a data breach incident must now confirm in their breach notice to the Massachusetts Attorney General whether the company maintains a WISP and identify any steps taken or planned relating to the incident, including updating the WISP. The requirements apply to companies that handle personal information belonging to Massachusetts residents no matter where the company itself is located.

The revisions also reshape the requirements for notifications to impacted individuals. In data breach incidents in which Massachusetts residents’ Social Security numbers are exposed, Massachusetts now requires companies to offer 18 months of free credit monitoring services to impacted individuals. Entities must also now certify to the state’s Attorney General and Office of Consumer Affairs and Business Regulation (“OCABR”) that the credit monitoring services comply with the statute, and provide the name of the person responsible for the breach of security, if known. The revisions also obligate the OCABR to publicly post the sample notice on its website within one business day.

The new statute calls for rolling and continuous notifications to all impacted individuals as they are identified, rather than allowing a business to first determine the total number of impacted individuals before notifying them all at the same time. And if an investigation reveals more information on the data breach that, if known, would have been provided to the impacted individuals in the original notice, additional notices must be sent. Entities must also now identify any parent or affiliated corporation in the notification letter.

For any questions about the above, or whether a WISP complies with Massachusetts law, please contact Zach Moura at [email protected].

Bold New Changes to Massachusetts’ Data Breach Notification Law

Posted on: March 15th, 2019

By: Michael Kouskoutis

Effective April 11, 2019, Massachusetts’ data breach notification law will compel notifying entities to follow several additional and unprecedented requirements when responding to a data breach.

First, the notifying entity must report to the state’s Attorney General whether it has implemented a written information security program (WISP). In the event the entity has no WISP in place, follow-up inquiries and perhaps even penalties may result.

If applicable, notifying entities will also have to inform affected individuals of the name of their parent corporation or affiliated companies, which could generate negative publicity for companies whose subsidiaries suffer a data breach. Notably, the statute provides no threshold level of ownership before triggering this provision.

Further, the entity will not be permitted to delay notifications on the ground that the total number of residents has not yet been determined. In effect, the entity may have to issue breach notifications on a rolling basis instead of waiting for the investigation to conclude.

Lastly, Massachusetts’ Office of Consumer Affairs and Business Regulation will publish on its website the entity’s individual notification letter in addition to other details about the breach. It will also assist Massachusetts residents in filing public records requests to the Attorney General to obtain state agency notification letters.

These changes are not the type we have seen other states make in recent years; Massachusetts is taking a very bold step towards a more involved notification procedure. We will be monitoring changes to other data breach notification laws to see whether other states follow Massachusetts’ lead. If you have any questions or would like more information, please contact Michael Kouskoutis at [email protected].