In the fast-paced, ever-evolving world of privacy and cybersecurity law, gathering the biggest news from 2019 was no small feat – from new laws and landmark cases, to major technological developments and international guidelines, it was a busy year for anyone trying to stay up to date. But Octillo has narrowed down the top privacy and cybersecurity stories that shaped last year:
New NYS DFS Cybersecurity Regulation Milestone
March 1, 2019 was a new milestone deadline for the New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500) (“Regulation”) that went into effect two years prior. This milestone involved evaluating Third-Party Service Providers, a potentially cumbersome and time-consuming process for businesses.
New York also made headlines when the SHIELD Act was passed in the legislature and signed into law. Broadening breach notification requirements and mandating reasonable safeguards for NY state residents’ data, the new law’s detailed cybersecurity requirements are an important development for anyone doing business in New York. Octillo also reiterates that additional requirements of the SHIELD Act will go into effect on March 22, 2020, so the clock is ticking for businesses to take steps to be compliant.
California Consumer Privacy Act (CCPA)
With the groundbreaking CCPA legislation taking effect January 1, 2020, businesses across the country spent the past year racing to understand and implement some of the strictest guidelines the US has seen regarding the collection and processing of personal information of California residents. Navigating CCPA compliance with the patchwork of other privacy laws continues to be a business challenge.
New York Privacy Act (emerging law)
Not to be outdone by west coast competition, New York launched the New York Privacy Act in May 2019 – a sweeping piece of legislation that Wired Magazine called “even bolder” than the CCPA. The bill would provide NY residents more control over their data than people in any other state. While efforts to push the legislation forward stalled last summer, lawmakers are expected to consider the bill again when they reconvene in Albany for the 2020 legislative session. Octillo expects similar efforts from other states to follow in the year ahead.
General Data Protection Regulation (GDPR)
Businesses across the globe continued to wrestle with the world's strongest data protection rules, even as the European Data Protection Board issued new guidance on the application of the GDPR outside of Europe this past November. Octillo covered the criteria for determining the applicability of the GDPR to a US-based company here. Octillo expects the GDPR to be an ongoing topic of interest as other legislators draft their own versions of this expansive privacy law.
Uptick in ADA Litigation
This past year Octillo witnessed an onslaught of litigation under Title III of the Americans with Disabilities Act, as users with a variety of disabilities challenged the accessibility of online businesses. In October, the United States Supreme Court denied a petition filed by the pizza conglomerate Domino’s, sending a relatively clear statement that Title III of the ADA does in fact apply to websites. That means companies looking to build or grow their businesses online and through mobile applications in 2020 should certainly make accessibility a priority. Octillo’s team of current and former web developers and web design business owners rounds out our Octillo Accessibility Team.
FTC Enforcement Actions
The FTC was busy last year cracking down on companies, issuing sizable fines against Facebook and Google and reaching a landmark $700 million settlement with Equifax for its 2017 data breach that potentially impacted the personal data of 147 million people. FTC commissioners issued strong statements regarding the personal liability of directors and officers in these kinds of cases.
The Internet of Things (IoT)
Steadily growing access to broadband and a surge in Wi-Fi-enabled devices made 2019 a big year for IoT. As the number of IoT devices and applications is estimated to grow into the billions over the next year, lawmakers are starting to take notice: both California and Oregon moved to pass laws in 2019 requiring companies that manufacture IoT-ready products to implement reasonable security features. Octillo notes that businesses will need to work harder than ever this year to understand not only the technology, but the fast-changing legal landscape surrounding IoT.
Health Data Breaches
There was a significant increase in reported HIPAA breaches, with HHS reporting 462 major health data breaches affecting a total of nearly 41 million individuals (as of December 11). Five of the top ten breaches from 2019 on the HHS “wall of shame” stem from Business Associate compromises, highlighting the continued vulnerability of patient records and the increased importance of vetting the policies and practices of business partners that access or maintain protected health information (PHI) and personally identifiable information (PII). Each of the 10 largest breaches reported over 200,000 records that were impermissibly accessed or disclosed. 2019 also saw a significant increase in hacking and IT incidents, underscoring the importance of maintaining sufficient safeguards to protect against phishing attempts and malware-related breaches.
AI in Business Practices
From streamlining CRM systems to testing cybersecurity, artificial intelligence (AI) continued to influence and disrupt virtually every business process in every industry. In the healthcare sector, AI has changed the way hospitals, providers and insurers do business, offering the promise of more efficient diagnosis and treatment, improved clinical workflows and broader reach. But a June 2019 class action lawsuit filed against University of Chicago Medical Center and Google illustrated the potential risks involved in AI development using clinical data, and the challenge of balancing the massive amounts of clinical data needed to inform AI with individual privacy and control of sensitive information. As former tech business owners, Octillo lawyers want to drive innovation with use of these new technologies while understanding standards and laws that may impact such development.
TCPA filings were down in 2019, but businesses continued to fight for clarity on how the law applies to rapidly changing technology and methods of communication. As voice phone calls become a thing of the past, businesses continue to turn to texting as a marketing and communications tool – which their clients demand and seek. This past November, Capital One sought some important clarifications from the FCC around the scope of consent and text opt-outs, hoping for more solid guidelines around following up with clients who opt out of one communication stream but not another. These types of rulings will be imperative for businesses to help create better marketing policies, tailor text alert programs, and ultimately prevent potentially costly litigation.
Health Access Rights
The OCR spent significant time and resources on the Right of Access Initiative in 2019, which was designed to “vigorously enforce” patients’ rights to timely access to their health information at a reasonable cost. In a recent settlement from the initiative this past September, a hospital paid an $85,000 fine and was forced to adopt a corrective action plan after failing to provide a mother timely access to records about her unborn child. HIPAA requires covered health care providers to provide medical records within 30 days of the request, although many states require even shorter time frames. Access rights will continue to be a major issue in 2020 as the OCR forges ahead with this initiative.
So, what are some of the key takeaways from 2019? Although the biggest issues and breaking news spanned many industries and legal topics, one thing is abundantly clear: in the upcoming year it will be imperative for business owners to consult with qualified legal tech experts who can help navigate the shifting technology and cybersecurity landscape. At Octillo we counsel global businesses both big and small that transcend industries to work proactively and efficiently to implement legally defensible privacy and security programs that can stand the test of time in this patchwork of privacy law both nationally and internationally. We are excited for what 2020 is sure to bring in this exciting space.