
Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 

 

New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam in March, the Virginia Consumer Data Protection Act (VCDPA) takes effect on January 1, 2023 and applies to companies that conduct business in Virginia or produce products or services targeted to Virginia residents and that meet certain thresholds. In July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to take effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents and that meet certain thresholds. Both the VCDPA and the CPA carve out exemptions for entities and data already covered by the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not exempt non-profit organizations. Neither the VCDPA nor the CPA provides a private right of action. 

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Octillo recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   

 

Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and other cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive incidents such as the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware attack, both the federal government and state governments increased their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The Civil Cyber-Fraud Initiative announced by the Department of Justice in October further signals the increasing importance of developing and maintaining resilient cybersecurity protocols.  

The federal government’s response to this year’s sharp increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and BlackMatter – to take their dark web platforms offline. At the same time, however, new ransomware variants are constantly emerging, and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations; BlackMatter itself, for instance, is widely assessed to be a rebrand of DarkSide. A group going offline should therefore not be read as the threat going away.   

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market. Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards, such as multi-factor authentication, endpoint detection and response, and tested offline backups, to be in place before binding coverage. For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.  

Octillo’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Octillo recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 

 

Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 continued that trend, especially under the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm in September that the requirements of the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Octillo’s Data Security and Privacy Compliance and Health Law Teams recommend that businesses take stock of the employee data they collect in their efforts to prevent the spread of COVID-19, and of how long they retain it. 

 

Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted in January, March, and April, BIPA’s private right of action has contributed to the growing number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit had just issued its decision in Cothron v. White Castle, certifying the question of when a BIPA claim accrues to the Illinois Supreme Court.  

 

Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Octillo Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA), along with rapidly evolving case law surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately 4,000 new lawsuits filed this year alone, most of them against small to medium sized businesses. The issue of whether websites qualify as places of public accommodation under the ADA continued to take shape in 2021. For example, in April the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with Ninth Circuit authority holding that a website is covered if there is a nexus to a brick and mortar location. In August, the United States District Court for the Eastern District of New York issued a decision in Winegard v. Newsday LLC, which also concluded that a website by itself is not a “place of public accommodation” under Title III of the ADA. Given this unsettled landscape, we anticipate more litigation over the specific statutory definition of what constitutes a “public accommodation.” 

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Octillo recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead into 2022.  

 

Telephone Consumer Protection Act (TCPA) 

TCPA class actions remain numerous. Octillo’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the TCPA’s definition of an automatic telephone dialing system to equipment that uses a random or sequential number generator to store or produce the numbers called. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that use text message marketing as part of their consumer outreach should evaluate their compliance initiatives and stay up to date on this fast moving area of the law. 

 

More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws add a set of cross-border data transfer requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the European Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data transfers. The new SCCs apply to all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition contracts using the older SCCs to the new ones. Additionally, Québec’s Bill 64, which received royal assent in September, introduces a series of new requirements coming into effect over the next few years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 

 

Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Octillo’s team of attorneys and technologists work with businesses of all sizes and industries to develop comprehensive scalable data security and privacy infrastructures to navigate this fast moving area. 

*Attorney Advertising. Prior results do not guarantee similar outcomes. 


Under New Cyber-Fraud Initiative, DOJ Will Sue Federal Contractors For Failure to Maintain Cybersecurity Standards and Report Incidents

The Department of Justice has announced a new “Civil Cyber-Fraud Initiative” in which the Department will pursue civil actions for damages against federal contractors that fail to maintain cybersecurity standards and fail to report cybersecurity incidents and breaches.

 

What Is the Civil Cyber-Fraud Initiative?

On October 6, 2021, Deputy Attorney General Lisa Monaco declared that the DOJ will use its existing authority under the False Claims Act to bring civil litigation against entities or individuals that put U.S. information or systems at risk by either:

  • Knowingly providing deficient cybersecurity products or services;
  • Knowingly misrepresenting their cybersecurity practices or protocols; or
  • Knowingly violating obligations to monitor and report cybersecurity incidents and breaches.

Monaco explained that “for too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it.  Well that changes today … because we know that puts all of us at risk.”

 

How Will Enforcement Work?

Under the False Claims Act, the government can recover treble damages, plus a per-claim civil penalty that is adjusted for inflation, from companies that make false statements in connection with work funded by the government.  The new initiative will apply to federal government contractors, federal grant recipients, and other recipients of federal funding.  The False Claims Act’s limitations period is six years from the violation, extended to three years after the responsible government official knew or reasonably should have known the material facts, but in no event more than ten years after the violation.

 

The Cyber-Fraud Initiative will be conducted by the Civil Division’s Commercial Litigation Branch, Fraud Section.  The False Claims Act also authorizes qui tam litigation, a form of whistleblower action in which a private party (the relator) files suit on behalf of the government and receives a percentage of the government’s recovery if the claim succeeds.  The DOJ’s press release announcing the Cyber-Fraud Initiative indicated that qui tam litigation would apply to the new initiative, so an employee or contractor who knows that a security certification does not match reality can bring the case.

 

The new initiative is part of the DOJ’s ongoing comprehensive cyber review, which was ordered by Deputy Attorney General Monaco in May 2021 and follows a recent series of cybersecurity attacks that has motivated the Biden administration to bolster cybersecurity resiliency and pursue threat actors.

 

What Should Federal Contractors Do Next?

Cybersecurity incidents and breaches have always exposed companies to considerable litigation risk, and the DOJ’s new initiative only increases that risk.  In practice, exposure under this initiative turns on the gap between what a contractor certifies (for example, compliance with NIST SP 800-171 under DFARS clause 252.204-7012, or timely incident reporting) and what its systems and processes actually do, so contractors should verify that self-assessments, system security plans, and plans of action match reality before certifying.  The DOJ’s new initiative demonstrates the increasing importance of developing and maintaining resilient cybersecurity protocols.  Octillo closely monitors developments in laws and regulations governing cybersecurity. Octillo’s team of highly skilled attorneys and technologists is uniquely situated to assist clients as they navigate these changes.


Illinois Appellate Court Finds that Statute of Limitations for BIPA Claims Could be as Much as Five Years, Adding to Already Considerable Class Action Exposure

On September 17, 2021, the First District of the Illinois Appellate Court issued the first appellate opinion regarding the applicable statute of limitations for claims arising under Illinois’ Biometric Information Privacy Act (“BIPA”), in Tims v. Black Horse Carriers.  In a mixed decision, the First District found that the limitations period could range from 1 year to as much as 5 years depending on the nature of the alleged violation at issue.

 

The implications of the First District’s decision are momentous, because many BIPA lawsuits are class actions.  In addition to expanding the pool of potential plaintiffs, a five-year limitations period greatly increases the potential class size and, consequently, defendants’ potential damages exposure.

 

Background

By way of background, Illinois enacted BIPA in 2008 after a company called Pay-by-Touch started a pilot program at Chicago-area retail stores to enable customers to pay for purchases using fingerprint scans linked to their credit cards. When Pay-by-Touch subsequently filed for bankruptcy after collecting customers’ biometric and financial account information, the bankruptcy trustee listed the customers’ biometric information as an asset and sought to sell it to pay off creditors.  This motivated the Illinois legislature to enact BIPA.

 

BIPA’s Requirements

BIPA contains five different subsections regulating the use of biometric information.  The differences between the following five subsections were critical to the First District’s decision:

  • First, anyone in possession of biometric information must develop a publicly-available retention policy.
  • Second, prior to collecting any biometric information, the collecting party must disclose the purpose and length of time for which the information will be used, and obtain a release from the subject of the information.
  • Third, biometric information cannot be disclosed without the authorization of the subject.
  • Fourth, a party cannot profit from the sale of biometric information under any circumstances.
  • Finally, a party must protect biometric information using the standard of care in the industry, and at least the same protection measures that the party uses for other personal and confidential information.

Debate Over Limitations Period

BIPA itself does not specify the applicable statute of limitations, and the plaintiff and defense bars have disagreed on the applicable limitations period.  Prior to the First District’s decision, litigation in the trial courts had centered around three potential limitations periods:

  • One-year period for actions based on “publication of matter violating the right of privacy.” 735 ILCS 5/13-201;
  • Two-year period for personal injuries or “statutory penalties.” 735 ILCS 5/13-202; or
  • Five-year period for “all civil actions not otherwise provided for.” 735 ILCS 5/13-205.

The Subject Lawsuit

An employee sued his former employer alleging that his employer required him to clock-in for work using a biometric time clock, and that his employer violated BIPA by failing to obtain his informed consent, failing to have a retention policy, and disclosing his information to third parties such as the time clock vendor.

 

The plaintiff stopped working for the defendant in January 2018, and he filed suit in March 2019.  The employer moved to dismiss the lawsuit, arguing that the suit was time-barred because the one-year limitations period for “publication of matter violating the right of privacy” applied.  The plaintiff of course disagreed and argued that the five-year period for “civil actions not otherwise provided for” applied.  The trial court agreed with the plaintiff but certified the question for interlocutory appeal.

 

The Appellate Court’s Decision

On appeal, the First District found that the applicable limitations period depends on which of the five BIPA subsections is at issue.  More specifically, the First District found that the one-year limitations period is limited to matters involving “publication.”  Using this framework, the First District found that only two of BIPA’s subsections involve publication: the prohibition of unauthorized disclosure and the prohibition of the sale of biometric information.  On the other hand, the First District found that the other three requirements (the retention policy requirement, informed consent requirement, and standard of care requirement) can be violated without any publication, and therefore are subject to the five-year limitations period.

 

For the case at hand then, applying the First District’s decision means that the plaintiff’s allegations regarding his employer’s failure to obtain his informed consent and failure to have a retention policy were subject to the five-year limitations period and therefore timely.  In contrast, the plaintiff’s allegations of unauthorized disclosure were subject to the one-year limitations period and therefore barred.

 

Not the Last Word

The First District’s decision likely will not be the last word on the limitations period for BIPA claims.  A separate appeal regarding the limitations period for BIPA claims – Marion v. Ring Container Technologies – is pending in Illinois’ Third District. (The First District covers Chicago, and the Third District covers North-Central Illinois and Chicago’s southern suburbs). The parties to both cases are likely to seek further appeal to the Illinois Supreme Court, and the Supreme Court will have a good reason to weigh in on the novel issue, especially if the Third District reaches a contradictory decision.

 

It is also noteworthy that the First District’s decision did not address the potentially applicable two-year limitations period for “statutory penalties.”

 

Potential Legislative Reform

In addition to these appellate decisions, the Illinois legislature could also take action.  In its spring term, the legislature advanced a bill out of committee that would dramatically reform BIPA.  The legislature did not hold a final vote on that bill before the conclusion of its spring term, but new appellate decisions could motivate the legislature to renew the reform effort.

 

Octillo will continue to monitor any developments regarding BIPA and will update its guidance accordingly.  Our team of experienced attorneys, who are also devoted technologists, is especially equipped with the skills and experience necessary not only to develop a comprehensive and scalable biometric privacy compliance program but also to handle any resulting litigation.

Eastern District of New York Holds a Website By Itself is Not Place of Public Accommodation

Website class actions alleging violations of the Americans with Disabilities Act (“ADA”) continue to dominate the court systems. These lawsuits are indiscriminate, involving businesses of all sizes across a myriad of industries. Commonly, the plaintiff has a disability and attempted to access a business’s website, alleges that the website itself should be considered a place of public accommodation, and claims that the disability hindered their enjoyment of the business’s services. Recently, however, a court in the Eastern District of New York unequivocally concluded that a website by itself is not a “place of public accommodation” within the meaning of Title III of the ADA.

Winegard v. Newsday LLC

On July 31, 2019, Plaintiff Jay Winegard, a legally deaf individual residing in Queens, New York, filed an action in the Eastern District of New York against the news service provider Newsday. Winegard alleged that Newsday violated the Americans with Disabilities Act, the New York State Human Rights Law, the New York State Civil Rights Law, and the New York City Human Rights Law by failing to provide closed captioning on two of the videos hosted on its website.

On May 1, 2020, Newsday filed a Motion to Dismiss, arguing, in relevant part, that its website is not a place of public accommodation within the meaning of Title III of the ADA.

On August 16, 2021, while initially observing that the Second Circuit has not squarely resolved whether a website itself is a place of public accommodation, the Eastern District of New York concluded that “the ADA excludes, by its plain language, the websites of businesses with no public-facing, physical retail operations from the definition of” places of public accommodation. In reaching its conclusion, the court relied heavily upon the text of the ADA, noting that the ADA’s definition of places of public accommodation is overwhelmingly composed of physical locations.

Echoing the recent Eleventh Circuit holding in Gil v. Winn-Dixie, the court further called upon Congress to clarify whether the places of public accommodation include websites and further remarked that in the thirty-one years since the passage of the ADA, Congress has failed to add non-physical places to the definition of places of public accommodation.

Finally, the court in Winegard concluded that the reliance of earlier courts within the Second Circuit on Pallozzi v. Allstate Life Insurance Co. is misplaced, as that matter dealt with the enjoyment of insurance services that still had to be procured at a physical location.

What does this mean going forward?

While the court’s decision in Winegard may not immediately upend all website-based ADA claims in the Second Circuit, it is yet another example of the eroding argument that websites are automatically places of public accommodation. To that end, it is important that companies are proactive and prioritize accessibility to put themselves into a legally defensible position.

At Octillo, we have a team of highly skilled attorneys and technologists who are uniquely situated to help clients navigate website accessibility and align with national and international standards alongside other privacy and security laws. Octillo works with clients at all stages of accessibility analysis and is here to help make your company ADA compliant and ensure your company has the right tools in place to mitigate risk.

11th Circuit Holds a Website is Not a Place of Public Accommodation in Gil v. Winn-Dixie Stores

Website class actions alleging violations of the Americans with Disabilities Act (“ADA”) have been on the rise in recent years – involving small and large businesses alike.  These lawsuits generally involve a plaintiff who has a disability and attempted to access a business’ website, but whose disability hindered their enjoyment of the full range of the website’s services.  These website class action lawsuits began their rapid proliferation in June 2017 after a Southern District of Florida court held that the Winn-Dixie grocery store chain had violated the ADA because the inaccessibility of its website denied the plaintiff the full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations that the grocery store offered.  Now, however, the Eleventh Circuit has unequivocally clarified that a website is not a “place of public accommodation” within the meaning of Title III of the ADA.

The District Court: Gil v. Winn-Dixie Stores

In 2017, Plaintiff Juan Carlos Gil, who is legally blind, sued the grocery retailer Winn-Dixie, alleging the business violated the Americans with Disabilities Act (ADA) because its website was allegedly inaccessible to Gil due to its incompatibility with his screen reading software.  Gil wanted to order his prescriptions for pickup and to download online coupons onto his rewards card for store use.  The Southern District of Florida concluded that because Winn-Dixie’s website was not accessible to screen reader users, Winn-Dixie had violated the ADA.  Moreover, the court determined that because the website was heavily integrated with Winn-Dixie’s physical stores, acting as a gateway to the physical store, it did not need to consider whether websites themselves were places of public accommodation under the ADA.  Finally, the Southern District of Florida issued a detailed injunctive relief order requiring Winn-Dixie to make its website conform to the Web Content Accessibility Guidelines (WCAG) 2.0 Level AA – a privately developed set of criteria for web accessibility that has not been adopted as a legal standard under the ADA for public accommodation websites.  In response to this finding, Winn-Dixie allocated $250,000 to update its site to make it more accessible to those with significant visual impairment.

The Circuit Court: Gil v. Winn-Dixie Stores 

Winn-Dixie immediately appealed the Southern District of Florida’s holding, seeking further clarification on three issues:

  1. Whether Gil has standing to bring this case;
  2. Whether websites are places of public accommodation under Title III of the ADA; and
  3. Whether the district court erred in its verdict and judgment in favor of Gil, including the court’s injunction.

In April 2021, the Eleventh Circuit held, in relevant part, that:

  1. Winn-Dixie did not violate the ADA because its website is not a place of public accommodation; and
  2. Winn-Dixie’s website did not pose an intangible barrier to Gil’s access to the goods, services, privileges, or advantages of Winn-Dixie’s physical stores.

In reaching its conclusion, the Eleventh Circuit focused on two important facts:

  1. No goods or services could be purchased on Winn-Dixie’s website; and
  2. All interactions that can be (but need not be) initiated on the website, namely prescription pickups and redemption of coupons, must be completed in store.

In the court’s view, the Winn-Dixie website therefore had limited functionality, and the inaccessible parts of it did not block Gil from the goods and services available in the physical stores.

What does this mean going forward?

After this recent decision, there are now three different theories of liability for website accessibility adopted by the federal courts of appeal. The Eleventh Circuit requires that, to establish a violation of the ADA based on an inaccessible website, a plaintiff show that the website’s inaccessibility prevented him or her from accessing the goods, services, privileges, or advantages of a physical place of public accommodation. The Ninth Circuit has held that a plaintiff must show that an inaccessible website has a nexus to a physical place of public accommodation to establish ADA liability. Under First Circuit precedent, a plaintiff has a strong argument that a website falling into one of the twelve categories of business in the ADA’s definition of “public accommodation” is covered by the ADA even if it has no physical place of public accommodation. As the Eleventh Circuit read it, the statutory definition of a “public accommodation” is “an expansive list of physical locations” that does not include websites.

It is unclear what the impact of the Winn-Dixie decision will be, although it is anticipated that it will not have a tremendous impact on the number of website accessibility lawsuits filed, because plaintiffs can choose to file in a different circuit where the precedent is more favorable. The likelihood that the Supreme Court will take up this issue has increased due to the new conflict between the Eleventh and Ninth Circuits as to when an inaccessible website belonging to a physical place of public accommodation violates the ADA.

Many lawsuits filed in the past few years turn on the threshold issue of whether and to what extent Title III applies to websites, leaving the courts to decide. Case law is developing rapidly in this area because website accessibility claims have become a big business for the plaintiffs’ bar. It is important that companies are proactive and prioritize accessibility to put themselves into a legally defensible position.

At Octillo, we have a team of highly skilled ADA attorneys and technologists who are uniquely situated to help clients navigate website accessibility and align with national and international standards alongside other privacy and security laws, from a litigation defense perspective and with unique technical experience. Octillo works with clients at all stages of the accessibility analysis and is here to help your company evaluate its ADA compliance posture and implement a legally defensible plan to mitigate risk.