In 2019, Aaron Ford was elected as Nevada's 34th attorney general after serving six years in the Nevada Senate, including as both Minority and Majority Leader. Ford brings a well-rounded perspective to his role, having represented small and large businesses, municipalities and individuals in private practice before shifting his career to public service. At the beginning of his term, Ford outlined the priority areas of his administration, including what he calls the "Three Cs," which are consumer protection, civil rights and criminal justice reform. He believes the job of his office is justice and sees each day as an opportunity to help and advocate for Nevadans of all walks of life.
The Privacy Advisor: Data breaches continue to plague both businesses and consumers in the United States, and your office often takes action against businesses whose data security practices fail to adequately protect the personal information of Nevada residents. Although Nevada law does not require attorney general notification when Nevada residents are affected, are there circumstances when you recommend businesses notify or communicate with your office about a breach? And do you have any additional insight you can offer into how your office assesses and addresses data incidents?
Attorney General Ford: Typically, my office recommends businesses notify or communicate with our office if the company is based in Nevada, the data breach impacts a large number of Nevada residents, and/or the breach involves a large amount of sensitive data. Nevada Revised Statute 603A.220 sets a reasonableness standard for notifying consumers their data has been compromised. Businesses should also consider whether it is reasonable to notify the Office of the Nevada Attorney General after a breach has occurred. Generally, we recommend businesses err on the side of caution when considering whether to report a breach. Businesses should also work with law enforcement as soon as possible after the data breach.
When we receive notice of a data breach that may impact a large number of Nevadans, we conduct an investigation, usually with the assistance of the company, to evaluate how the breach occurred and what security measures the company had in place to protect the consumers' personal information. Depending on the facts around the incident, the office may decide to take further action.
The Privacy Advisor: Although the comprehensive California Consumer Privacy Act, which became effective Jan. 1, 2020, has garnered the most attention by the press and privacy advisors, Nevada's data privacy law (Senate Bill 220), which provides consumers with a right to opt out of the sale of their data, actually went into effect Oct. 1, 2019, three months before the CCPA. Your office has sole responsibility for enforcement of this law. As SB 220 is new and has yet to be interpreted by the courts, can you offer any advice to businesses trying to determine how best to comply?
Ford: Always be transparent with consumers. A company's website should freely inform consumers about their rights to opt out of the sale of certain items of personal information and identify those categories. Then, make it easy for consumers to submit a verified request if they desire to opt out of the sale of their personal information. We also recommend businesses respond to all opt-out requests promptly, no later than 60 days after receiving the request. If a business does not collect or sell data, we recommend they explain this to consumers to avoid unnecessary data collection through an opt-out.
The Privacy Advisor: You were a strong advocate for data privacy even before you became the attorney general. As a Nevada senator in 2017, you introduced SB 538, which requires privacy notice disclosures for operators of websites and online services doing business in Nevada. With the combination of SB 220 and SB 538, and as other privacy laws stall in other states, Nevada is a leader in privacy protections. What privacy-related issues do you hope the Nevada Legislature will target next?
Ford: It would be a good idea for the legislature to follow the efforts of some other states to include biometric data as "personal information" that is covered under Nevada's privacy laws. As technology continues to evolve, fingerprints, voices and retinal images will increasingly be used as ways to authenticate a user's identity. Nothing is more personal than the characteristics that are unique to each person, such as their voice and fingerprints. The Legislature may also wish to consider enhancing enforcement authority for data breaches.
The Privacy Advisor: You have also advocated for a federal privacy law, publicly supporting draft legislation introduced in February 2019 by former Nevada Attorney General and U.S. Sen. Catherine Cortez Masto, D-Nev., the Digital Accountability and Transparency to Advance Privacy Act. The goal of the DATA Privacy Act is to strengthen consumer data privacy protections, ensure corporations are focusing on implementing new data security standards and essential privacy protections, and increase research into privacy technologies while shielding small businesses from unnecessary regulation. The law would be jointly enforced by the U.S. Federal Trade Commission and state attorneys general, with no private right of action. What would you like to see covered by a federal privacy law, and how do you think it should be enforced?
Ford: The proposed legislation within the DATA Privacy Act contains the protections for the type of conduct that should be covered. Uniform privacy standards are helpful to businesses that previously had to navigate the differing standards of various states. Additionally, the proposed legislation will improve consumers' understanding of what data is protected and will give them more control over their personal information. Co-enforcement between the FTC and state attorneys general is important so that, for example, my office has the ability to protect Nevadans impacted by data breaches or who do not wish to have their information sold. State attorneys general are equipped to handle the enforcement of the privacy rights of their residents and can handle the issues unique to their states.
The Privacy Advisor: Speaking of enforcement, some state attorneys general have turned to the plaintiffs' bar to either represent or serve as co-counsel with the state in non-privacy contexts, and some local governments have hired private counsel for data breach litigations. The plaintiffs' bar expects that this work relating to privacy will increase in 2020. What are your thoughts on governments retaining outside counsel for privacy-related litigation?
Ford: That depends on the facts and circumstances of each case. For example, it would depend on whether the government is acting as an enforcer or dealing with a ransomware attack or the consequences of how it decided to respond to a ransomware attack. When it comes to enforcement, every case is unique, and it is possible a particularly complex case might warrant considering the option of outside counsel. However, attorneys general across the nation have staff in their offices that possess the experience and aptitude necessary to represent the states' interests in privacy-related cases. Attorney general staff, including in my own office, have been at the forefront of privacy law enforcement and education.
The Privacy Advisor: Children are more susceptible to deception and exploitation than adults, and their privacy rights are increasingly at issue with their use of electronic devices. In 2019, the FTC began reviewing the Children's Online Privacy Protection Rule, and you joined 25 other attorneys general in a Dec. 9, 2019, letter to offer your perspectives regarding potential changes in the law, such as expanding the scope to include third parties that profit from the data collected and expanding the definition of personal information to include biometric, health care and genetic information. COPPA is enforced by both the federal government and state attorneys general, and lately, some states have been taking a more active role in COPPA enforcement. Does Nevada have specific plans to protect the privacy of children, either through COPPA or more generally through consumer protection law?
Ford: I can mention a couple of efforts. One of my bill draft requests for the upcoming legislative session will include a proposal to eliminate the current four-year statute of limitations to prosecute violations of Nevada's deceptive trade laws. The same bill draft request will also include a proposal to impose heightened penalties for deceptive trade practices that are directed toward minors. How are those relevant? Well, there is often a deceptive trade aspect to many violations of privacy laws, such as when a company makes certain representations to consumers about its privacy policies or practices but then suffers a breach because it did not actually follow those advertised policies or practices. In the case of children, the actual harm from a data breach may not arise until years later when they are old enough to have significant assets. Providing heightened penalties for practices directed toward minors should give companies the incentive to adopt and follow procedures that protect our children and their information. Then, eliminating the statute of limitations may allow us to seek relief in those cases where the adverse consequences cannot be identified until years later.
I think it is also important to educate this audience and encourage them to be more proactive in protecting their personal information. Last year, my Bureau of Consumer Protection visited several urban and rural high schools and gave presentations to students about the value of their personal information and ways they can protect it.
The Privacy Advisor: What can people in the privacy field expect from attorneys general and your office, in particular, in 2020?
Ford: Through the end of this year and in 2021, my office will continue to be vigilant in its efforts to protect Nevada consumers and residents. Privacy protections, including data privacy, are even more important in today's digital world. My office will continue to educate Nevadans about the importance of taking their own steps to protect their and their children's data. In addition, my office will bring enforcement actions on its own or with other state attorneys general to ensure those that keep consumer data also keep it protected.
As the most recent example of one such enforcement action, my office, along with the attorneys general of 42 other states, recently settled with a company over a massive data breach that affected millions of Americans and hundreds of thousands of Nevada residents. After working with the company to settle, the company not only agreed to pay millions of dollars to affected states, but also to terms that require them to strengthen their data security policies.
Originally published by IAPP, 24 June 2020
This article is presented for informational purposes only and is not intended to constitute legal advice.