Privacy In Pandemic: Senators Announce Covid-19 Data Privacy Bill
May 11, 2020 —
Kyle Janecek & Jeffrey Dennis – Newmeyer Dillion"Data! Data! Data!. . . I can't make bricks without clay." This classic statement from Sherlock Holmes in The Adventure of the Copper Beeches takes on a new meaning in the COVID-19 pandemic. With the plans to begin contact tracing the spread of the COVID-19 pandemic slowly moving towards the forefront, a valid and important issue presents itself: how do we treat and protect the data we so desperately need to trace, track, and address the pandemic? U.S. Senators Wicker, Thune, Moran, and Blackburn introduced a possible solution to this problem with the COVID-19 Consumer Data Protection Act, as announced on April 30, 2020. So what does the Act entail? What information is protected? What action would businesses need to take towards individuals, such as consumers or even employees, in order to comply with this new legislation?
WHAT IS THE COVID-19 CONSUMER DATA PROTECTION ACT?
The Act is meant to address the concern regarding data collection and privacy due to large companies, like Google and Apple, adjusting the software within their devices to facilitate digital contact tracing. The Act can be broken up into three parts - the treatment of information; the privacy notice requirements; and the transparency requirements.
First, the Act prohibits the collection, processing, or transfer of certain categories of data without notice and the affirmative express consent of the individual, in order to:
- Track the spread of COVID-19,
- Trace the spread of COVID-19 through contact tracing, or
- Determine compliance with social distancing guidelines without the requisite notice to individuals and their express consent.
To accomplish this, the Act also restricts entities in their ability to collect excessive information, stating that an entity cannot collect information beyond what is reasonably necessary to conduct any of the three COVID-19 related purposes listed in the statute. The entity must also provide reasonable administrative, technical, and physical data security policies and practices to protect the information collected. Furthermore, in the event that the entity stops using the information for any of the three COVID-19 purposes, it must delete or de-identify the information it has collected.
Next, the Act describes the requirements for notice to individuals. In order to legally collect, process or transfer the information, the entity needs to provide the consumer with prior notice of the purpose, processing, and transfer of the data through their privacy policy within 14 days of the enactment of the law. This policy would have to:
- Disclose the consumer's rights in a clear and conspicuous manner prior to or at the point of collection,
- Be available in a clear and conspicuous manner to the public,
- Include whether the entity will transfer any of the information it collects in order to track or trace COVID-19 or determine compliance with social distancing,
- Describe its data retention policy, and
- Generally describe its data security measures.
Notably, many of these are already requirements common to many privacy policies, including the disclosure regarding the transfer of an individual's information.
In addition, an individual must give their affirmative express consent to such collection, processing and transfer. In other words, an individual must "opt-in" to having their information collected. This would be done through a checked box or electronic signature, as the law prohibits entities from inferring consent through a failure by the individual to take an action stopping the collection. Furthermore, the individual would also need the ability to expressly withdraw their consent, with the entity then having to cease collection, processing, or transfer of the information within 14 days of the revocation. In essence, due to the restriction on transferal, this may result in businesses opting to delete or de-identify data upon a revocation.
Finally, the entity would have to abide by certain reporting and transparency requirements, namely a monthly public report stating how many individuals had information collected, processed or transferred, and describing the categories of the data collected, processed or transferred by the entity and why. This is akin to the California Consumer Privacy Act's treatment of categories of information, though it would require this information to be released on an ongoing, monthly basis.
WHAT DATA IS COVERED?
Notably, the Act only affects a very limited scope of data. The Act covers geolocation data (exact real-time locations), proximity data (approximated location data), and Personal Health Information (any genetic/diagnosis information that can identify someone). This could cover information like Bluetooth communication or real-time tracking based on a cell phone's geolocation features. Notably, Personal Health Information does not include any information that may be covered under HIPAA or the broader categorization of "Biometric" data (i.e. retinal scans, finger prints, etc). Furthermore, and more generally, "publicly available information" is excluded, which includes information from telephone books or online directories, the news media, "video, internet, or audio content" as well as "websites available to the general public on an unrestricted basis." The latter of which potentially would push any and all information made available through social media (i.e. Facebook or Twitter) into the definition of "publicly available information."
HOW IS IT ENFORCED?
Generally, the law would be enforced by the FTC, under the provisions regarding unfair or deceptive acts or practices, similar to other enforcement actions arising out of privacy policies. Notwithstanding, state attorney generals may also bring actions to enforce compliance and obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the state.
WHAT SHOULD MY COMPANY DO?
If your entity plans on collecting information for tracking COVID-19, measuring social distancing compliance, or contact tracing, it is advisable to include language in your privacy policy now. This could be as simple as adding an additional provision within your privacy policy stating that the entity will retain information to conduct one of the three COVID-19 purposes as laid out in the statute. In addition, this also means that should the entity collect and use employee information for contact tracing, tracking the spread of COVID-19 or ensuring compliance with social distancing measures, it will need to disclose some of the specifics of that process to the employees and have them opt-in for the process. Finally, for contact tracing purposes, any individual that shares their diagnosis will have to opt-in for the entity to legally collect, process, and transfer that information to others.
While the time to reach compliance is unknown, it is more important than ever to form a compliance plan for privacy legislation if you do not already have a plan in place. If you decide to prepare with us, our firm has created a 90 day California Consumer Privacy Act compliance program (which can be expedited) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation. For further inquiries or questions related to COVID-19, you can consult with a Task Force attorney by emailing NDCovid19Response@ndlf.com or contacting our office directly at 949-854-7000.
Kyle Janecek is an associate in the firm's Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at kyle.janecek@ndlf.com.
Jeff Dennis (CIPP/US) is the Head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at jeff.dennis@ndlf.com.
Read the court decisionRead the full story...Reprinted courtesy of
Construction Law Firm Opens in D.C.
January 13, 2014 —
CDJ STAFFStephen Palley, a lawyer in the Washington, D.C. area who was recognized in 2013 as a “DC Super Lawyer” for his work in construction litigation, has open his own firm, Palley Law, PLLC. Mr. Palley said that his practice “remains focused on addressing insurance issues faced by construction industry clients.” He also noted that “few firms focus specifically on construction insurance, so a significant part of my practice involves helping other lawyers with individual projects or disputes for their clients.”
Read the court decisionRead the full story...Reprinted courtesy of
Washington High Court Holds Insurers Bound by Representations in Agent’s Certificates of Insurance
March 16, 2020 —
Michael S. Levine & Michelle M. Spatz - Hunton Insurance Recovery BlogIn responding to a certified question from the Ninth Circuit in T-Mobile USA Inc. v. Selective Insurance Company of America, the Washington Supreme Court has held that an insurer is bound by representations regarding a party’s additional insured status contained in a certificate of insurance issued by the insurer’s authorized agent, even where the certificate contains language disclaiming any effect on coverage. To hold otherwise, the court noted, would render meaningless representations made on the insurer’s behalf and enable the insurer to mislead parties without consequence.
The certified question and ruling stem from T-Mobile USA’s appeal of the district court’s summary judgment ruling in favor of Selective Insurance Company on T-Mobile USA’s breach of contract and declaratory judgment claims. Selective issued the insurance policy at issue to a contractor of T-Mobile Northeast, LLC, a wholly owned subsidiary of T-Mobile USA. Through endorsement, the policy extended “additional insured” status to T-Mobile NE because the contract between T-Mobile NE and the insured required that T-Mobile NE be added as an additional insured. Additional insured status was not, however, extended to T-Mobile USA, as T-Mobile USA had not entered a written contract with the insured.
Reprinted courtesy of
Michael S. Levine, Hunton Andrews Kurth and
Michelle M. Spatz, Hunton Andrews Kurth
Mr. Levine may be contacted at mlevine@HuntonAK.com
Ms. Spatz may be contacted at mspatz@HuntonAK.com
Read the court decisionRead the full story...Reprinted courtesy of
HB24-1014: A Warning Bell for Colorado Businesses Amid Potential Consumer Protection Changes
February 26, 2024 —
Jennifer Brockel - Colorado Construction Litigation BlogHB24-1014 stands to eliminate the longstanding public impact requirement found within C.R.S. § 6-1-105(2) of the Colorado Consumer Protection Act (“CCPA”). While this proposed change professes the noblest intentions of “public peace, health or safety,” its effect portends a large detriment to Colorado business and an astronomical payday for Colorado plaintiffs’ attorneys.
Brief History
For over 100 years, Colorado recognized the need to protect its citizens from deceptive trade practices through a mechanism akin to the Federal Trade Commission Act that preceded it. In 1915, Colorado passed legislation prohibiting “untrue, deceptive, or misleading” advertising. C.L. 1921 § 6942 evolved into the broader protections afforded in the more recent consumer protection law from 1969 that prohibited “deceptive trade practices, and included protections from unfair, unconscionable, and deceptive acts or practices.”
Read the court decisionRead the full story...Reprinted courtesy of
Jennifer Brockel, Higgins, Hopkins, McLain & Roswell, LLCMs. Brockel may be contacted at
brockel@hhmrlaw.com
New Addition to the ASCE/SEI 7-22 Standard Protects Buildings from a 500-year Flood Event
June 05, 2023 —
The American Society of Civil EngineersReston, VA — The
American Society of Civil Engineers (ASCE) released a new update to their most widely used standard today,
ASCE/SEI 7-22 Minimum Design Loads and Associated Criteria for Building and Other Structures. As the increasing frequency of severe storms puts strain on communities across the globe, the design standard's
new flood load provisions will protect against 500-year flood events, which is a significant improvement to the 100-year flood hazard referenced in the previous version. The update — which is available in a supplement as a free download — is a significant revision of the design provisions in Chapter 5 to strengthen building resilience against the flood hazard. The ASCE 7 national loading standard is an integral part of building codes in the United States and around the globe.
"For more than 30 years, the ASCE 7 standard has been the authoritative source for the specification of minimum design loads and related criteria in the civil engineering community," said Tom Smith, ASCE Executive Director. "To ensure structures continue to be safe for the public, it is imperative that the standards we rely on are updated to account for emerging risks to the built environment. This Supplement is the most significant change to the standard's flood load provisions since the inception of ASCE 7 and will improve the safety and reliability of structures across the globe."
ABOUT THE AMERICAN SOCIETY OF CIVIL ENGINEERS
Founded in 1852, the American Society of Civil Engineers represents more than 150,000 civil engineers worldwide and is America's oldest national engineering society. ASCE works to raise awareness of the need to maintain and modernize the nation's infrastructure using sustainable and resilient practices, advocates for increasing and optimizing investment in infrastructure, and improve engineering knowledge and competency. For more information, visit www.asce.org or www.infrastructurereportcard.org and follow us on Twitter, @ASCETweets and @ASCEGovRel.
Read the court decisionRead the full story...Reprinted courtesy of
Insurers Reacting to Massachusetts Tornadoes
August 11, 2011 —
CDJ STAFFThe Patriot-Ledger reports that insurers could pay out as much as $200 million to cover homes damaged or destroyed in the tornadoes that hit central and southern Massachusetts in June, 2011. Joseph Murphy, Commissioner of the State Division of Insurance didn?t foresee problems with insurers covering these claims. “At this point, there doesn’t seem to be any one company overexposed in that area,” he told the Patriot-Ledger.
�Insurance executives did not think the tornadoes would cause them to raise rates. Steve Chevalier, CEO of NLC Companies, said, “it’s a major event for those impacted by it, but it’s not close to a financial hit to us.”
�One insurer noted that the winter weather generated more claims; however the cumulative value of those claims was $15 million.
�Read the full story…
Read the court decisionRead the full story...Reprinted courtesy of
UPDATE: Trade Secrets Pact Allows Resumed Work on $2.6B Ga. Battery Plant
April 19, 2021 —
Mary B. Powers - Engineering News-RecordConstruction on a $2.6-billion battery manufacturing plant near Atlanta can continue under an agreement reached April 11 between two rival South Korean auto battery makers—including SK Innovation, which is owner of the half-completed project.
Reprinted courtesy of
Mary B. Powers, Engineering News-Record
ENR may be contacted at ENR.com@bnpmedia.com
Read the full story... Read the court decisionRead the full story...Reprinted courtesy of
Building Inspector Refuses to State Why Apartments Condemned
August 06, 2014 —
Beverley BevenFlorez-CDJ STAFFIn Lockport, New York, “more than two dozen tenants have been locked out of their apartment building…but they have yet to find out why,” according to WIVB news. Brian Belson, Lockport’s building inspector, condemned the building and ordered the tenants to leave, providing only 15 minutes advanced warning. Once all of the tenants were out, the first floor windows and doors were boarded up.
At first, tenants were told that they would be able to return in a few days, but now they are being told it could be weeks. However, WIVB News reported that Brian Belson has not returned any of their phone calls, so they have “filed a Freedom of Information request at Town Hall, seeking that information.” Belson has five days to respond to the request.
Read the court decisionRead the full story...Reprinted courtesy of
