Federal Judge Concludes Entity Subject to CCPA Despite Assertion It Is Not a “Business”
Federal Judge Concludes Entity Subject to CCPA Despite Assertion It Is Not a “Business”
In Blackbaud Inc. Customer Data Security Breach Litigation, No. 3:20-mn-02972 (D.S.C. Aug. 12, 2021), a federal judge found that defendant, Blackbaud Inc. was subject to the CCPA despite its motion to dismiss asserting that it did not qualify as a “business” under the Act. The CCPA applies to for-profit entities that collect California consumers' personal information and either have annual gross revenues in excess of $25 million; annually buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices; or earn more than half of its revenue from selling consumers' personal information. Blackbaud believed they were not a “business,” arguing instead that they were a “service provider” and therefore shielded from liability under the CCPA. The court disagreed. In addition to meeting this threshold, the court specifically noted that Blackbaud was registered as a data broker in California under a law that adopted the same definition of “business” as the CCPA and that it used consumer data to test and improve its offerings.
California AG Takes CCPA Enforcement Action Against Dealership-Manufacturer
SEC Fines Company for Misleading Investors About 2018 Cyber Incident
The SEC recently reached a settlement with Pearson plc wherein the London-based educational publishing company agreed to pay $1M to settle claims that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses, and had inadequate disclosure controls and procedures. In particular, in its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when in fact, the 2018 cyber intrusion had already occurred. Additionally, in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when in fact, it knew that such records were stolen. In the same statement, Pearson asserted it had "strict protections" in place, when in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The FTC order also found that Pearson's disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.
Error – No Privilege Found: District Court Compels Production of Data Breach Report
In March 2020, a class action lawsuit was filed against a gas station and convenience store operator Rutter’s Inc. claiming that Rutter’s failed to adequately prevent and respond to an alleged breach exposing its customers’ financial data. During discovery, it was learned that third-party cybersecurity consultant Kroll Cyber Security LLC was hired to “conduct forensic analyses on Rutter’s card environment and determine the character and scope of the incident” and prepare an investigative report summarizing the same. Notably, Rutter’s and Kroll “understood Kroll’s work to be privileged.” In addition, even though Kroll was hired by Rutter’s outside counsel, Rutter’s paid Kroll directly. In June 2021, the plaintiffs filed a motion to compel the production of the report and related communications between Kroll and Rutter’s. In response, Rutter’s asserted that the report and communications were protected as work product and under the attorney-client privilege. The Middle District of Pennsylvania rejected these arguments because: (i) the report’s Statement of Work appeared limited to factual inquiries and the corporate deponent stated that it did not anticipate litigation at the time of the underlying investigation; and (ii) the cybersecurity consultant who prepared the report was not acting as an attorney, at the direction of an attorney, nor providing information to an attorney to assist with providing legal advice.
FTC Removes COPPA Safe Harbor Provider from List
For the first time ever, the FTC delisted a COPPA safe harbor provider. Specifically, the FTC delisted Aristotle International Inc. over concerns Aristotle “may not have sufficiently monitored its member companies to ensure they were complying with [Aristotle’s] guidelines.” The delisting comes after warning Aristotle, and receiving an “inadequate response.” In support of its decision, the FTC stated “[t]here is a clear conflict of interest when self-regulatory organizations are funded by the website operators and app developers they are supposed to police, so we will be closely scrutinizing other children’s privacy oversight outfits to determine whether they are living up to their obligations,” thus signaling the potential for further enforcement efforts under COPPA.
UK Information Commissioner Consults on Data Transfers, Including Approach to EU Standard Contractual Clauses
On August 11, 2021, the United Kingdom Information Commissioner launched a consultation on data transfers. The consultation is relevant to anyone who transfers personal data from the UK, or who provides services to UK organizations. The consultation considers whether the Information Commissioner should approve an addendum allowing the EU SCCs to be used for transfers of personal data from the UK. In addition, the consultation proposes (1) that the Information Commissioner will terminate the current, temporary approval of the 2001, 2004, and 2010 SCCs; (2) a new, UK-specific, international data transfer agreement; (3) an accompanying Transfer Risk Assessment; and (4) changes to existing UK guidance on data transfers. The deadline for responding to the consultation is October 7, 2021.
UK Children’s Code Effective September 2, 2021
The UK’s Age Appropriate Design Code (AKA the “Children’s Code”) went into effect September 2, 2021 after its one-year transition period expired. The code applies to providers of “information society services” (akin to internet service providers in the US) that process personal data and are likely to be accessed by children in the UK. The code requires, among other things, using a DPIA (“data process intake assessment”), applying age-gating principles to your data processing with some flexibility in application, and requiring that privacy information provided to users, and other published terms, policies and community standards be presented concisely, prominently, and in clear language suited to the age of the child. More information about the code can be found here.
China Passes New Personal Data Privacy Law, to Take
Effect Nov. 1
China's National People's Congress recently passed a law designed to protect online user data privacy (PIPL), set to take effect November 1, 2021. This law comes on the heels of China’s Data Security Law, which took effect on September 1, 2021. Some of PPIL’s requirements include, but are not limited to:
- “Separate consent” will be required for: (1) Providing personal information to a third party; public disclosures of personal information; personal information collected by devices installed in public place if used for purposes other than public security); processing of sensitive personal information; and providing personal information of an individual to a party outside the territory of China;
- All personal information processors (akin to controllers under GDPR) (PI Processors) must adopt necessary measures to ensure that processing activities of foreign recipients satisfy an equivalent level of protection provided in the PIPL;
- PI Processors must satisfy one of the following before exporting personal information outside of China: (1) passing security assessment as required for CIIOs and organizations processing personal information reaching a certain amount designated by the authority; (2) undergoing personal information protection certification conducted by certified institutions; (3) entering into a standard contract (which is to be formulated by the authority) with the foreign recipient; or (4) other circumstances provided in laws, regulations or by the authority.
- A data subject has the right to request a PI Processors to have his personal information transferred to another PI Processor provided that such transfer satisfies the requirements of the Cybersecurity Administration of China (“CAC”). The PI Processor then has an obligation to provide a channel for such transfer.
PI Processors are required to notify relevant personal information protection authorities and data subjects in the event a data incident has occurred, or is likely to occur.
- Related Practices