FMG Law Blog Line

Posts Tagged ‘personal information’

Currently pending in the Massachusetts legislature is Bill S.120 entitled “An Act Relative to Consumer Data Privacy”

Posted on: April 25th, 2019

By: Eric Martignetti

The proposed bill defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” “Personal information” includes “biometric information.” “Biometric information” is “an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity,” including “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

Under the proposed bill, a business that collects a consumer’s personal information shall, at or before the point of collection, notify a consumer of: (1) the categories of personal information it will collect; (2) the business purpose for which their personal information will be used; (3) the categories of third parties to whom the business discloses their personal information; (4) the business purpose for the third-party disclosure; and (5) the consumer’s right to request a copy of their personal information, the deletion of their personal information, and the right to opt out of the disclosure of their personal information to third parties. Also, a business must include these five items either in its online privacy policy or on its website.

Under the proposed bill, a business shall also make reasonably available to consumers two or more methods, including a link on the home page of its website, for submitting a consumer verified request. Through a consumer verified request, a consumer can request: (1) the specific pieces of personal information the business has collected about them; (2) the sources from which their personal information was collected; (3) the names of third parties to whom the business disclosed their personal information; and (4) the business purpose for third-party disclosure.

The proposed bill applies to a “business” that: (1) “is organized or operated for the profit or financial benefit of its shareholders or other owners”; (2) “collects Massachusetts consumers’ personal information”; and (3) “has annual gross revenues in excess of $10,000,000” or “derives 50 percent or more of its annual revenues from third party disclosure of consumers’ personal information.”

The proposed bill carves out an exception for “a business collecting or disclosing personal information of the business’s employees so long as the business is collecting or disclosing such information within the scope of its role as an employer.” This exception would, in most cases, protect employers from lawsuits brought by employees under the Act.

The proposed bill creates a private right of action for consumers. To bring such an action, a consumer need not have suffered a loss of money or property, and the consumer may recover the greater of $750 in statutory damages or their actual damages. A consumer may also recover costs and attorneys’ fees.

If you have any questions or would like more information, please contact Eric Martignetti at [email protected].

California Passes New Comprehensive Data Privacy Law

Posted on: July 16th, 2018

By: Kacie Manisco

California has passed a sweeping data privacy law that will result in dramatic changes to how businesses in the state handle consumer data. AB 375, which will take effect on January 1, 2020, grants consumers more control over and insight into the dissemination of personal information, but imposes significant obligations on certain businesses in order to achieve those goals.

The law will apply to any California business that: (1) has an annual gross revenue over $25 million; or (2) alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.

The new legislation is similar in nature to the European Union’s General Data Protection Regulation (GDPR) and is intended to provide residents of California the most comprehensive consumer privacy rights in the country. To that end, AB 375 requires covered businesses to give California residents:

  • The right to seek disclosure of any personal information collected by the business, up to twice a year;
  • The right to be informed of what categories of data will be collected, prior to its collection, and to be informed of any changes to this collection;
  • The right to request deletion of information collected by the business;
  • The right to opt-out of the sale of personal information;
  • Mandated opt-in before the sale of a minor’s information;
  • Protection of consumer data through reasonable security procedures and practices.

Additionally, one of the most significant aspects of the law is that it creates a private right of action for consumers in the event of a data breach, without requiring the consumer to prove injury before being awarded damages. The law provides that “any consumer whose nonencrypted or nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may bring a civil action against the business. A consumer would be entitled to recover actual damages or statutory damages of between $100 and $750 per consumer per incident (whichever is greater), plus injunctive, declaratory, or other relief.

While AB 375 does not take effect until 2020, California businesses should begin reviewing these new and complex requirements and evaluating how the law applies to their operations. Specifically, businesses should begin to assess the types and scope of data they currently collect (and have collected and stored in the past) that may be covered by the law. Moreover, organizations should minimize their exposure in handling personal data by keeping only the data directly necessary for business and legal needs, and by encrypting or redacting what they do keep, since the private right of action described above reaches only nonencrypted or nonredacted personal information.

If you have any questions or would like more information, please contact Kacie Manisco at [email protected].

Supreme Court Declines to Hear Data Breach Standing Case

Posted on: February 23rd, 2018

By: Amy C. Bender

The ongoing issue of when a plaintiff has grounds (“standing”) in data breach cases saw another development this week when the U.S. Supreme Court declined to weigh in on the debate.

CareFirst, a BlueCross BlueShield health insurer, suffered a cyberattack in 2014 that was estimated to have exposed data of 1.1 million customers. Affected customers filed a federal class action lawsuit in the District of Columbia claiming CareFirst failed to adequately safeguard their personal information. CareFirst asked the court to dismiss the case, arguing that, since the customers had not alleged their stolen personal data had actually been misused or explained how it could be used to commit identity theft, the customers had not suffered an injury sufficient to give them standing to sue and the court therefore lacked jurisdiction to hear the case. The court agreed with CareFirst and dismissed the case. Notably, in this particular breach, CareFirst maintained the hackers had not accessed more sensitive information such as the customers’ Social Security or credit card numbers, and the court found the customers had not alleged or shown how the hackers could steal the customers’ identities without that information. In other words, the mere risk to the customers of future harm in the form of increased risk of identity theft was too speculative.

The customers appealed this decision, and the appellate court reversed, finding the district court had read the customers’ complaint too narrowly. The appellate court reasoned that the customers actually had asserted their Social Security and credit card numbers were included in the compromised data and that they had sufficiently alleged a substantial risk of future injury.

In response, CareFirst filed a petition with the Supreme Court asking it to review the appellate decision. This would have been the first pronouncement on this issue from the high court in a data breach class action lawsuit, a move long-awaited by lower courts, lawyers, and their clients in order to gain more clarity on the application of prior decisions like Spokeo in the specific context of data breach litigation. However, the Supreme Court denied the request (without explanation, as is typical).

As we have previously reported, courts continue to grapple with the contours of standing in data breach cases. We will continue to monitor and report on developments in this still-evolving area of the law.

If you have any questions or would like more information, please contact Amy Bender at [email protected].


You’ve Got Mail! – EEOC Charge Filing Process Is Now Available Online Across the Country

Posted on: November 17th, 2017

By: William E. Collins, Jr.

For many people, “You’ve Got Mail” evokes fun memories of Tom Hanks and Meg Ryan bickering and then falling in love over the internet in the popular 1998 romantic comedy.  Now, however, this phrase may evoke far less pleasant emotions (at least for employers) as the EEOC announced earlier this month that its online Public Portal is available nationwide for employees to file charges.

The EEOC has been working on the roll-out of the Public Portal for years and, after piloting the Portal in the EEOC’s Charlotte, Chicago, New Orleans, Phoenix, and Seattle offices earlier this year, the EEOC has now launched the Public Portal nationwide.  The EEOC anticipates that the Public Portal will streamline the charge process and open up the intake and charge systems to more employees.

Through the Public Portal, an employee can not only provide and update personal information but also proceed with the normal intake process. While the portal does not let employees submit a charge immediately, it allows an employee to ask EEOC representatives questions, provide them with information, and upload supporting documentation. Once a charge has been prepared with the help of an EEOC representative, the employee may digitally sign and file it online.

Because the EEOC plans to give Portal access to charging parties with charges already pending, and because the Portal allows instant communication with those parties, there is hope that it will provide a more efficient and streamlined resolution for the 84,254 charges filed in the Agency’s 2017 fiscal year. However, because the Public Portal also provides a faster, more immediate path toward filing a charge, commentators anticipate that employers could see an increase in the number of charges filed with the Agency.

While the exact impact of the EEOC’s Public Portal remains to be seen, employers should take this opportunity to:

  • Review and develop their internal reporting and complaint policies and procedures;
  • Ensure managers and supervisors have received appropriate training; and
  • Ensure key leadership and human resources representatives know what to do if they receive notice of a charge.

If you have any questions or would like more information, please contact Will Collins at [email protected].