Privacy In Pandemic: Senators Announce Covid-19 Data Privacy Bill
May 11, 2020 —
Kyle Janecek & Jeffrey Dennis – Newmeyer Dillion"Data! Data! Data!. . . I can't make bricks without clay." This classic statement from Sherlock Holmes in The Adventure of the Copper Beeches takes on a new meaning in the COVID-19 pandemic. With the plans to begin contact tracing the spread of the COVID-19 pandemic slowly moving towards the forefront, a valid and important issue presents itself: how do we treat and protect the data we so desperately need to trace, track, and address the pandemic? U.S. Senators Wicker, Thune, Moran, and Blackburn introduced a possible solution to this problem with the COVID-19 Consumer Data Protection Act, as announced on April 30, 2020. So what does the Act entail? What information is protected? What action would businesses need to take towards individuals, such as consumers or even employees, in order to comply with this new legislation?
WHAT IS THE COVID-19 CONSUMER DATA PROTECTION ACT?
The Act is meant to address the concern regarding data collection and privacy due to large companies, like Google and Apple, adjusting the software within their devices to facilitate digital contact tracing. The Act can be broken up into three parts - the treatment of information; the privacy notice requirements; and the transparency requirements.
First, the Act prohibits the collection, processing, or transfer of certain categories of data without notice and the affirmative express consent of the individual, in order to:
- Track the spread of COVID-19,
- Trace the spread of COVID-19 through contact tracing, or
- Determine compliance with social distancing guidelines without the requisite notice to individuals and their express consent.
To accomplish this, the Act also restricts entities in their ability to collect excessive information, stating that an entity cannot collect information beyond what is reasonably necessary to conduct any of the three COVID-19 related purposes listed in the statute. The entity must also provide reasonable administrative, technical, and physical data security policies and practices to protect the information collected. Furthermore, in the event that the entity stops using the information for any of the three COVID-19 purposes, it must delete or de-identify the information it has collected.
Next, the Act describes the requirements for notice to individuals. In order to legally collect, process or transfer the information, the entity needs to provide the consumer with prior notice of the purpose, processing, and transfer of the data through their privacy policy within 14 days of the enactment of the law. This policy would have to:
- Disclose the consumer's rights in a clear and conspicuous manner prior to or at the point of collection,
- Be available in a clear and conspicuous manner to the public,
- Include whether the entity will transfer any of the information it collects in order to track or trace COVID-19 or determine compliance with social distancing,
- Describe its data retention policy, and
- Generally describe its data security measures.
Notably, many of these are already requirements common to many privacy policies, including the disclosure regarding the transfer of an individual's information.
In addition, an individual must give their affirmative express consent to such collection, processing and transfer. In other words, an individual must "opt-in" to having their information collected. This would be done through a checked box or electronic signature, as the law prohibits entities from inferring consent through a failure by the individual to take an action stopping the collection. Furthermore, the individual would also need the ability to expressly withdraw their consent, with the entity then having to cease collection, processing, or transfer of the information within 14 days of the revocation. In essence, due to the restriction on transferal, this may result in businesses opting to delete or de-identify data upon a revocation.
Finally, the entity would have to abide by certain reporting and transparency requirements, namely a monthly public report stating how many individuals had information collected, processed or transferred, and describing the categories of the data collected, processed or transferred by the entity and why. This is akin to the California Consumer Privacy Act's treatment of categories of information, though it would require this information to be released on an ongoing, monthly basis.
WHAT DATA IS COVERED?
Notably, the Act only affects a very limited scope of data. The Act covers geolocation data (exact real-time locations), proximity data (approximated location data), and Personal Health Information (any genetic/diagnosis information that can identify someone). This could cover information like Bluetooth communication or real-time tracking based on a cell phone's geolocation features. Notably, Personal Health Information does not include any information that may be covered under HIPAA or the broader categorization of "Biometric" data (i.e. retinal scans, finger prints, etc). Furthermore, and more generally, "publicly available information" is excluded, which includes information from telephone books or online directories, the news media, "video, internet, or audio content" as well as "websites available to the general public on an unrestricted basis." The latter of which potentially would push any and all information made available through social media (i.e. Facebook or Twitter) into the definition of "publicly available information."
HOW IS IT ENFORCED?
Generally, the law would be enforced by the FTC, under the provisions regarding unfair or deceptive acts or practices, similar to other enforcement actions arising out of privacy policies. Notwithstanding, state attorney generals may also bring actions to enforce compliance and obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the state.
WHAT SHOULD MY COMPANY DO?
If your entity plans on collecting information for tracking COVID-19, measuring social distancing compliance, or contact tracing, it is advisable to include language in your privacy policy now. This could be as simple as adding an additional provision within your privacy policy stating that the entity will retain information to conduct one of the three COVID-19 purposes as laid out in the statute. In addition, this also means that should the entity collect and use employee information for contact tracing, tracking the spread of COVID-19 or ensuring compliance with social distancing measures, it will need to disclose some of the specifics of that process to the employees and have them opt-in for the process. Finally, for contact tracing purposes, any individual that shares their diagnosis will have to opt-in for the entity to legally collect, process, and transfer that information to others.
While the time to reach compliance is unknown, it is more important than ever to form a compliance plan for privacy legislation if you do not already have a plan in place. If you decide to prepare with us, our firm has created a 90 day California Consumer Privacy Act compliance program (which can be expedited) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation. For further inquiries or questions related to COVID-19, you can consult with a Task Force attorney by emailing NDCovid19Response@ndlf.com or contacting our office directly at 949-854-7000.
Kyle Janecek is an associate in the firm's Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at kyle.janecek@ndlf.com.
Jeff Dennis (CIPP/US) is the Head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at jeff.dennis@ndlf.com.
Read the court decisionRead the full story...Reprinted courtesy of
California Supreme Court Protects California Policyholders for Intentional Acts of Employees
July 02, 2018 —
William S. Bennett – Saxe Doernberger & Vita P.C.Recently, the California Supreme Court ruled that liability insurers are obligated to cover negligent supervision, hiring, and retention claims against employers resulting from the intentional acts of their employees.
The case, Liberty Surplus Insurance v. Ledesma & Meyer Construction, case no. S236765 (2018), involved an insurance coverage dispute between a construction company, Ledesma & Meyer Construction (“L&M”), and its insurers, Liberty Insurance Underwriters, Inc. (“Liberty”) and Liberty Surplus Insurance Corp (“Liberty Surplus”). Liberty was L&M’s primary insurer, while Liberty Surplus had the excess policy. L&M had contracted with the San Bernardino Unified School District to renovate a school building while the school was still in session. In a separate action, another court found that an L&M employee sexually assaulted a 13-year-old student while working at the project.
Read the court decisionRead the full story...Reprinted courtesy of
William S. Bennett, Saxe Doernberger & Vita P.C.Mr. Bennett may be contacted at
wsb@sdvlaw.com
California Department of Corrections Gets Hit With the Prison Bid Protest Blues
October 16, 2018 —
Garret Murai - California Construction Law Blog“I’m breakin’ rocks in the hot sun . . . I fought the law and the law won . . . I needed money ’cause I had none . . . I fought the law and the law won” – The Clash, I Fought the Law (1978)
In the recent case, West Coast Air Conditioning Company, California Department of Corrections and Rehabilitation, Case No. D071106 (February 22, 2018), those lyrics could be aptly revised to, “the law fought the courts and the courts won.”
West Coast Air Conditioning Company, Inc. v. California Department of Corrections
In February 2015, the California Department of Corrections and Rehabilitation (CDCR) published an invitation for bids for a new central air conditioning plant for the Ironwood State Prison in Blythe, California. West Coast Air Conditioning Company, Inc., Hensel Phelps Construction Co., and four other companies submitted bids.
Read the court decisionRead the full story...Reprinted courtesy of
Garret Murai, Wendel, Rosen, Black & Dean LLPMr. Murai may be contacted at
gmurai@wendel.com
Heavy Rains Cause Flooding, Mudslides in Japan
July 31, 2023 —
Associated Press - BloombergTOKYO (AP) — Torrential rain pounded southwestern Japan, triggering floods and mudslides and leaving two people dead and at least six others missing, officials said Monday.
Rain falling in the regions of Kyushu and Chugoku since the weekend caused flooding along many rivers, triggered mudslides, closed roads, disrupted trains and cut the water supply in some areas.
The Japan Meteorological Agency issued an emergency heavy rain warning for Fukuoka and Oita prefectures on the southern main island of Kyushu, urging residents in riverside and hillside areas to take maximum caution. More than 1.7 million residents in vulnerable areas were urged to take shelter. The emergency warning was downgraded later Monday to a regular warning.
Read the court decisionRead the full story...Reprinted courtesy of
Bloomberg
Mediation Fails In Federal Lawsuit Seeking Damages From Sureties for Alleged Contract Fraud
August 17, 2020 —
Richard Korman - Engineering News-RecordAfter mediation failed, a federal whistle blower lawsuit over alleged fraud against two contractors, which also targets sureties and a surety bond producer, is moving forward. The parties have asked a U.S. district court judge in Washington, D.C. to rule on outstanding motions in preparation for a possible trial.
Richard Korman, Engineering News-Record
Mr. Korman may be contacted at kormanr@enr.com
Read the full story... Read the court decisionRead the full story...Reprinted courtesy of
Court Rules on a Long List of Motions in Illinois National Insurance Co v Nordic PCL�
May 10, 2012 —
CDJ STAFFThe case Illinois National Insurance Co. v Nordic PCL, et al. “involves a dispute about whether insurance benefits are available to a general contractor who built structures that allegedly have construction defects. Plaintiffs Illinois National Insurance Company (‘Illinois National’) and National Union Fire Insurance Company of Pittsburgh, PA (‘National Union’) (collectively, the ‘Insurers’), commenced this action for declaratory relief against Defendant Nordic PCL Construction, Inc., f/k/a Nordic Construction, Ltd. ("Nordic"), on August 23, 2011.”
�The court was asked to rule on a long list of motions: “Counterclaim Defendants’ Request for Judicial Notice in Support of Their (1) Motion to Dismiss the Counterclaim and (2) Motion to Strike Portions of the Counterclaim, ECF No. 16 (‘Request for Judicial Notice’); Counterclaim Defendants’ Motion to Dismiss Counterclaim Filed October 24, 2011, ECF No. 14 (‘Motion to Dismiss Counterclaim’); Counterclaim Defendants’ Motion to Strike Portions of the Counterclaim Filed October 24, 2011, ECF No. 15 (‘Motion to Strike’); Third-Party Defendant Marsh USA, Inc.’s Motion to Dismiss or, in the Alternative, Stay Proceedings in Favor of Pending State Action, ECF No. 33 (‘Marsh’s Motion To Dismiss Or Stay’); Defendant and Third-Party Plaintiff Nordic PCL Construction, Inc., f/k/a Nordic Construction Ltd.’s Substantive Joinder to Third-Party Defendant Marsh USA Inc.’s Motion to Dismiss or, in the Alternative, Stay Proceedings in Favor of Pending State Action, ECF No. 36 (‘Nordic’s Joinder’); and Third-Party Defendant Marsh USA, Inc.’s Motion for Judgment on the Pleadings on Counts V and VI of Defendant/Third-Party Plaintiff Nordic PCL Construction, Inc.’s Third-Party Complaint, ECF No. 29 (‘Marsh’s Motion for Judgment on the Pleadings’).”
�In result, the court reached the following decisions: “The court GRANTS IN RELEVANT PART the Insurers’ Request for Judicial Notice to the extent it covers matters relevant to these motions; GRANTS IN PART the Insurers’ Motion to Dismiss Counterclaim, but gives Nordic leave to amend the Counterclaim in certain respects; DENIES the Insurers’ Motion to Strike; DENIES Marsh’s Motion To Dismiss Or Stay and Nordic’s Joinder; and GRANTS Marsh’s Motion for Judgment on the Pleadings.”
�The court provides a bit of background on the case: “This action arises out of alleged construction defects involving two projects on which Nordic acted as the general contractor. Nordic is a defendant in a pending state court action with respect to one of the projects and says it spent more than $400,000 on repairs with respect to the other project. Nordic tendered the defense of the pending state court action to the Insurers and sought reimbursement of the cost of repairs already performed. The Insurers responded by filing this action to determine their rights under the insurance policies issued to Nordic.”
�Furthermore, the court presented a brief procedural history: “The Insurers commenced this declaratory action in this court on August 23, 2011. The Complaint asserts two claims, one seeking a declaration that the Insurers have no duty to provide a defense or indemnification regarding the Safeway Action, the other seeking such a declaration regarding the Moanalua Claims. Along with its Answer, Nordic filed a Counterclaim against the Insurers. The Counterclaim asserts breach of contract, breach of the covenant of good faith and fair dealing, misrepresentations and omissions of material fact, and bad faith, and seeks declaratory relief against the Insurers.”
�The procedural history continues: “Nordic also filed a Third-Party Complaint against Marsh, the broker that had procured the Policies from the Insurers for Nordic. Nordic alleges that it reasonably believed that the Policies would provide completed operations insurance coverage for the types of construction defects alleged in the Safeway Action and Moanalua Claims. The Third-Party Complaint asserts breach of contract, negligence, promissory estoppel, breach of fiduciary duties, implied indemnity, and contribution and equitable subrogation.”
�In conclusion, “The court GRANTS IN RELEVANT PART the Insurers’ Request for Judicial Notice. With regard to the Insurers’ Motion to Dismiss Counterclaim, the court GRANTS the motion as to Count I (breach of contract), Count II (duty of good faith and fair dealing), Count III (fraudulent and negligent misrepresentation), the portion of Count IV (bad faith) premised on fraud, and Count IV (declaratory relief). The court DENIES the motion as to Count IV (bad faith) that is not premised on fraud. Except with respect to the "occurrence" issue, which the court disposes of here on the merits, and Count V, which concerns only a form of relief, Nordic is given leave to amend its Counterclaim within three weeks of the date of this order. The court DENIES the Insurers’ Motion to Strike, DENIES Marsh’s Motion to Dismiss or Stay and Nordic’s Joinder, and GRANTS Marsh’s Motion for Judgment on the Pleadings with respect to Counts V and VI of the Third-Party Complaint.”
�Read the court’s decision…
� Read the court decisionRead the full story...Reprinted courtesy of
Third Circuit Affirms Use of Eminent Domain by Natural Gas Pipeline
November 28, 2018 —
Anthony B. Cavender - Gravel2GavelOn October 30, the U.S. Court of Appeals for the Third Circuit decided the case of Transcontinental Gas Pipe Line Co., LLC v. Permanent Easements for 2.14 Acres, et al. , affirming the District Court’s grant of a preliminary injunction to Transcontinental Gas Pipe Line Company, LLC (Transcontinental). This case involves the construction of the “Atlantic Sunrise Expansion Project,” a natural gas pipeline that runs through Pennsylvania, Maryland, Virginia, North Carolina and South Carolina.
Under the Natural Gas Act (NGA), pipeline companies can exercise powers of eminent domain when they are acting in the public interest. The Third Circuit cautions that this is a “standard” eminent domain power, and not a “quick take” that is permitted under another statute.
Read the court decisionRead the full story...Reprinted courtesy of
Anthony B. Cavender, PillsburyMr. Cavender may be contacted at
anthony.cavender@pillsburylaw.com
Structural Health Check-Ups Needed but Are Too Infrequent
August 16, 2021 —
Jeff Rubenstone - Engineering News-RecordKnowing when a building is structurally deteriorating, and actually doing something about it can be very different things, as the collapse in Surfside, Fla., has shown this month. And while onsite visual inspections are still the common kind of structural assessment, other methods can assess the health of a building or piece of infrastructure and determine its soundness (see p. 69).
Reprinted courtesy of
Jeff Rubenstone, Engineering News-Record
Mr. Rubenstone may be contacted at rubenstonej@enr.com
Read the full story... Read the court decisionRead the full story...Reprinted courtesy of
