Jones Day Cybersecurity, Privacy & Data Protection Attorney Spotlight: Jennifer C. Everett
As data privacy and security regulations are on the rise in the United States, workplace compliance is at the forefront for employers. With a background in labor & employment law, Jennifer Everett is a senior associate based in Washington, D.C., with 10 years of experience advising institutional clients on employment, privacy, and cybersecurity compliance matters.
Jennifer's practice focuses on advising U.S. and international companies on developing and maintaining sustainable privacy and cybersecurity governance programs. Jennifer routinely counsels clients on strategic compliance with U.S. and global privacy and cybersecurity laws and enterprise-wide cyber risk management. She helps companies implement effective cross-border data management programs and negotiates data provisions in complex commercial agreements.
Jennifer also regularly counsels employers on privacy and cybersecurity matters in the workplace. This includes counseling employers on privacy and data protection related to employee monitoring, workplace investigations, personal device (BYOD) policies, employee background checks, and e-discovery.
Regulatory—Policy, Best Practices, and Standards
NIST Director Discusses Future Development of Cybersecurity Framework
On March 4, the director of the National Institute of Standards and Technology ("NIST") discussed NIST's Cybersecurity Framework at the annual RSA conference. Acknowledging the Framework's increasing popularity over the last few years in both the private and public sector, the director announced that NIST will focus on expanding its use by federal agencies and small businesses. He also reemphasized NIST's continuing commitment to developing the Framework to keep up with technological advancements.
Regulatory—Consumer and Retail
IPEC Publishes Annual Intellectual Property Report
On February 4, the Office of the U.S. Intellectual Property Enforcement Coordinator ("IPEC") issued its Annual Intellectual Property Report to Congress. The report describes efforts within the Executive Branch to promote the protection of intellectual property rights within and outside the United States, including the protection of trade secrets against cybercrime and cyber espionage. The report also discusses engagement with U.S. trading partners on intellectual property issues, legal authorities to protect against unfair trade practices, expanded law enforcement cooperation, and various intellectual property enforcement activities pursued by federal agencies.
FTC Launches Task Force to Monitor Competition in Technology Markets
On February 26, the Federal Trade Commission ("FTC") announced the creation of the Technology Task Force, which aims to monitor competition in U.S. technology markets, investigate any potential anticompetitive conduct, and take enforcement actions when warranted. The task force is intended to help enhance the agency's focus on competition in technology-related sectors of the economy, including markets in which online platforms compete.
Social Networking Provider Agrees to Record $5.7 Million COPPA Settlement
On February 27, the provider of a video social networking music application agreed to pay a record $5.7 million to settle FTC claims that the company illegally collected personal information from children. This is the largest civil penalty ever obtained by the Commission in a children's privacy case. The FTC's complaint alleged that the company violated the Children's Online Privacy Protection Act ("COPPA"), which requires that websites and online services directed to children obtain parental consent before collecting personal information from users under the age of 13. The operators allegedly knew children were using the app but nonetheless failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13.
FTC Releases 2018 Privacy and Data Security Update
On March 15, the FTC released its annual report highlighting the agency's work in privacy and data security in 2018. The FTC highlighted several of its 2018 enforcement actions against technology companies, including a settlement against a mobile payments company regarding the privacy settings in the company's mobile application, an expanded settlement with a ride-sharing company to resolve data security and privacy allegations, and an enforcement action against a supplier of children's products under COPPA.
SEC Announces Changes to Form N-PORT Submissions
On February 27, the Securities and Exchange Commission ("SEC") announced that the submission deadlines for registered investment companies filing nonpublic monthly reports on Form N-PORT will be extended. Reports must now be filed on a quarterly basis instead of monthly. This change is part of the SEC's effort to reduce the agency's cyber risk profile by adopting alternative reporting options that reduce the frequency and sensitivity of the data it collects.
SEC Names Gabriel Benincasa as Chief Risk Officer
On February 28, the SEC announced that Gabriel Benincasa has been named the Commission's first chief risk officer. This position was created "to strengthen the agency's risk management and cybersecurity efforts." As chief risk officer, Mr. Benincasa will coordinate the SEC's "efforts to identify, monitor, and mitigate key risks facing the Commission."
FTC Seeks Comment on Proposed Amendments to GLBA
On March 5, the FTC announced that it is seeking comments on proposed amendments to the FTC's Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act ("GLBA"). The proposal would add requirements for how financial institutions must protect customer information, such as requiring the encryption of customer data held by the institution or transmitted by it over external networks.
SEC Issues Privacy Risk Alert for Investment Advisers and Broker Dealers
On April 16, the SEC's Office of Compliance Inspections and Examinations ("OCIE") issued a Risk Alert for investment advisers and broker-dealers. The Risk Alert identified the most frequent compliance issues related to customer privacy notices and safeguard policies for customer information under Regulation S-P, including the failure to provide initial, annual, and opt-out privacy notices and a lack of written privacy policies and procedures. The Risk Alert also discussed the lack of policies reasonably designed to safeguard customer information, including, among other deficiencies, a lack of secure login credentials, a written incident response plan, or employee training.
DHS Expands Cyber-Training Program
On March 21, the Department of Homeland Security ("DHS") Science and Technology Directorate awarded $5.9 million to Norwich University to expand the DECIDE cyber-training platform to the energy sector. The investment is intended to ensure that organizations receive proper training to recognize and respond to potential cyber threats, allowing them to identify vulnerabilities and develop mitigation strategies before a real-life crisis occurs.
DOE Seeks to Reduce Cybersecurity Threats in Manufacturing
On March 26, the Department of Energy ("DOE") announced up to $70 million in funding for a Clean Energy Manufacturing Innovation Institute to focus on early-stage research for advancing cybersecurity in energy-efficient manufacturing. DOE stated that the Institute "will focus on understanding the evolving cybersecurity threats to greater energy efficiency in manufacturing industries, developing new cybersecurity technologies and methods, and sharing information and knowledge" with U.S. manufacturers. The Institute also will address the education and training needed for cyber-secure automated sensors.
USDOT Launches Council to Support Emerging Transportation Technologies
On March 12, the U.S. Secretary of Transportation announced the creation of the Non-Traditional and Emerging Transportation Technology ("NETT") Council within the U.S. Department of Transportation ("USDOT"). The NETT Council is charged with identifying and resolving jurisdictional and regulatory gaps that may impede the deployment of new technologies, such as autonomous vehicles. The secretary stated that by streamlining discussion and review of these technologies, the government can address "legitimate public concerns about safety, security and privacy without hampering innovation."
Congressional Committees Investigate Cyber Threat to Transportation
On February 26, the Committee on Homeland Security held a joint hearing titled "Securing U.S. Surface Transportation from Cyber Attacks" with the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation and the Subcommittee on Transportation and Maritime Security. The hearing focused on securing U.S. surface transportation, such as railroads and highways, from digital threats.
Health Records Company Settles False Claims Act
On February 6, the U.S. Attorney's Office for the District of Vermont announced that a health records company would pay $57.25 million to resolve False Claims Act allegations. The complaint alleged that the company caused its users to submit false claims to the government by misrepresenting the capabilities of its electronic health records software. The government had argued that the software did not fully incorporate the standardized clinical terminology necessary to ensure the reciprocal flow of information concerning patients and the accuracy of electronic prescriptions.
HHS Proposes New Rules for Electronic Health Information
On February 11, the U.S. Department of Health and Human Services ("HHS") proposed new rules to support seamless and secure access, exchange, and use of electronic health information. The rules seek to solve the issue of interoperability and patient access in the U.S. health care system while reducing administrative burdens on providers. The rules would allow patients to access their health information electronically through third-party software applications connected to their data.
Diagnostic Medical Imaging Company Settles PHI Breach
On May 6, HHS announced that a medical imaging services company agreed to pay $3 million to settle a breach that exposed the protected health information ("PHI") of more than 300,000 individuals. The HHS Office of Civil Rights ("OCR") determined that the company's servers had allowed uncontrolled access to its patient PHI, which permitted search engines to index and store patient data for offline viewing. OCR determined that the company did not thoroughly investigate the security incident until several months after notice of the breach and did not notify individuals in a timely manner.
Regulatory—Defense and National Security
DOD Releases Cloud Strategy
On February 4, the Department of Defense ("DOD") released its Cloud Strategy, reasserting DOD's commitment to the cloud from an enterprise perspective. The strategy focused implementation activities in two areas: (i) standing up cloud platforms that are "ready to receive data and applications"; and (ii) migrating existing applications and developing new applications in the cloud.
DOD Launches Technology-Focused Website
On April 24, DOD launched a new public website to inform members of the military industry and academia on DOD's research, development, engineering, and technological efforts. The website will highlight innovations related to artificial intelligence, big data analytics, autonomy, robotics, and advanced computing, among other topics.
Litigation, Judicial Rulings, and Agency Enforcement Actions
Court Gives Preliminary Approval to $50 Million Data Breach Settlement
On February 26, a federal court in Pennsylvania gave preliminary approval to a $50 million settlement related to a data breach at a restaurant chain that allegedly compromised customers' credit and debit information through malware. Plaintiffs alleged that the company failed to keep up with advancements in security measures, such as chips that would create unique codes for each customer transaction.
Home Security System Provider May Face Additional $8.4 Million in Attorneys' Fees for Alleged TCPA Violations
On March 18, attorneys for class plaintiffs requested $8.4 million in attorneys' fees against a technology company that provides cloud-based home monitoring and remote control services after settling a Telephone Consumer Protection Act ("TCPA") class action for $28 million. The class accused the company of using "autodialers" and "recorded messages" to call millions of cellphones, residential lines, and people on the national "do not call registry." The settlement class included more than 1.2 million consumers.
GAO Calls for Federal Privacy Law
On February 13, the U.S. Government Accountability Office ("GAO") released a report calling for a federal privacy law, based on interviews with former government officials, consumer advocates, academics, and industry professionals. The report calls for Congress to develop comprehensive internet data privacy legislation to enhance consumer protection. Specifically, GAO recommends: (i) enacting an overarching federal privacy statute; (ii) ensuring that the overseeing agency or agencies have notice-and-comment rulemaking authority; and (iii) providing authority to impose civil penalties for first-time violations.
Senators Introduce Bill Requiring Companies to Target Bias in Corporate Algorithms
On April 10, several U.S. senators introduced the Algorithmic Accountability Act, which would require companies to review artificial intelligence algorithms for bias or discrimination. The bill is aimed at companies that make more than $50 million per year, hold the data of at least one million people or devices, or primarily act as data brokers that buy and sell consumer data. The bill would also give the FTC authority to create regulations that require companies to conduct impact assessments of highly sensitive automated decision systems.
FTC Testifies Before Congress for Creation of National Privacy Law
On May 8, the FTC called for the enactment of a comprehensive federal data security law during testimony before the Senate Homeland Security and Government Affairs Subcommittee. The testimony was delivered by the Director of the Bureau of Consumer Protection and backed by a 5–0 vote approving its inclusion in the formal record. The testimony also requested that Congress permit the agency to enforce civil penalties to deter unlawful conduct, grant it jurisdiction over nonprofits and common carriers, and give it the authority to issue implementing rules under the Administrative Procedure Act.
California Attorney General Plans to Publish CCPA Rulemaking Notices in Fall 2019
On February 8, the California Office of the Attorney General announced it anticipates publishing a Notice of Proposed Regulatory Action regarding the California Consumer Privacy Act ("CCPA") in fall 2019. The CCPA delays enforcement until six months after the attorney general implements regulations, or July 1, 2020, whichever comes first. The regulations will establish procedures for protecting consumers' rights and provide guidance to businesses on compliance, including on issues such as the categories of personal information, exceptions necessary to comply with state or federal law, and rules and procedures regarding consumer opt-outs and notices.
State Attorneys General Urge FTC to Update Identity Theft Rules
On February 14, attorneys general from 31 states submitted a letter urging the FTC to update its identity theft rules. The FTC originally adopted its identity theft rules in November 2007, prior to substantial technological developments and growth in identity theft. The letter suggested adding a requirement that cardholders be notified by phone or email if a phone number or email address associated with their account is changed, as well as expanding "suspicious account activity" to include account access by new devices and repeated unsuccessful access attempts.
California Attorney General and Senator Introduce Legislation to Clarify CCPA
On February 25, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson announced legislation to strengthen and clarify the CCPA. The bill, SB 561, would remove companies' rights to cure CCPA violations within 30 days before enforcement can occur and would add a private right of action for consumers. In addition, the bill would remove requirements that the attorney general provide businesses and third parties with individual legal counsel on CCPA compliance, instead specifying that the attorney general may publish general guidance on compliance.
Mississippi Attorney General Requires Education Company to Strengthen Post-Breach Security Measures
On March 8, the Mississippi attorney general announced an Assurance of Voluntary Compliance with an education testing service provider that requires the company to strengthen its cybersecurity measures. Following a data breach involving student information, the company will be subject to various requirements, including prompt notification of a breach, encryption of students' personal information, and the appointment of a supervisor who will be responsible for security updates and patch management. Most significantly, the assurance requires the company to implement a comprehensive information security program involving annual risk assessments, privacy and cybersecurity training for employees, and designation of a chief information security officer.
Utah Passes New Internet Privacy Law
On March 28, the governor of Utah signed into law H.B.0057, Utah's Electronic Information or Data Privacy Law. The law protects data stored with third parties, including email and cloud storage providers, from unlimited government access and requires law enforcement to obtain a warrant before accessing such data.
North Dakota Passes Law Authorizing Legislative Study on Consumer Personal Data
On March 28, the governor of North Dakota signed into law HB 1485, which requires a study of issues related to personal data for one year during the 2019–2020 legislative term. The study will examine protections for consumers related to the disclosure of personal data, as well as enforcement and remedies. The study also will examine privacy laws of other states and applicable federal law. The bill originally began as a proposal with provisions similar to the CCPA, but the legislature ultimately decided to conduct a study for one year before implementing data privacy legislation. The law takes effect on August 1.
States Propose CCPA-Type Bills
In 2019, several states introduced proposed legislation similar to the CCPA, which California passed in 2018. These proposed bills are still under consideration in several states. Recent developments include:
- On February 5, Mississippi House Bill 1253 died in committee.
- On March 8, the Maryland Senate Finance Committee held a hearing on Senate Bill 613.
- On April 1, North Dakota passed House Bill 1485; however, the bill's text was replaced with an act providing for a legislative study of consumer personal data disclosures.
- On April 2, Texas left House Bill 4518 pending in the House Business and Industry Committee.
- On April 17, Connecticut amended Senate Bill 1108; the bill now establishes a task force to study possible methods for protecting consumer privacy. On April 25, the Senate passed the amended bill, and it is now under consideration by the House.
- On April 28, Washington's Senate Bill 5376 failed, as the bill did not complete the legislative process.
- On April 30, the Rhode Island Senate Judiciary Committee recommended Senate Bill 234 be held for further study.
- On May 2, Texas placed its amended House Bill 4390 on its General State Calendar. The amended version of House Bill 4390 removed provisions requiring covered businesses to implement certain risk assessments and to inform individuals and the public about their data collection and processing practices.
The following Jones Day lawyers contributed to this section: Tony Black, Shirley Chan, Meredith Collier, David Coogan, Jennifer Everett, Levent Hergüner, Jay Johnson, Christopher Markham, Mallory McKenzie, Mary Alexander Myers, Clinton Oxford, Mauricio Paez, Nicole Perry, Lauren Timmons, Kerianne Tobitsch, and Jenny Whalen-Ball.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.