Privacy In Pandemic: Senators Announce Covid-19 Data Privacy Bill
May 11, 2020 —
Kyle Janecek & Jeffrey Dennis – Newmeyer Dillion"Data! Data! Data!. . . I can't make bricks without clay." This classic statement from Sherlock Holmes in The Adventure of the Copper Beeches takes on a new meaning in the COVID-19 pandemic. With the plans to begin contact tracing the spread of the COVID-19 pandemic slowly moving towards the forefront, a valid and important issue presents itself: how do we treat and protect the data we so desperately need to trace, track, and address the pandemic? U.S. Senators Wicker, Thune, Moran, and Blackburn introduced a possible solution to this problem with the COVID-19 Consumer Data Protection Act, as announced on April 30, 2020. So what does the Act entail? What information is protected? What action would businesses need to take towards individuals, such as consumers or even employees, in order to comply with this new legislation?
WHAT IS THE COVID-19 CONSUMER DATA PROTECTION ACT?
The Act is meant to address the concern regarding data collection and privacy due to large companies, like Google and Apple, adjusting the software within their devices to facilitate digital contact tracing. The Act can be broken up into three parts - the treatment of information; the privacy notice requirements; and the transparency requirements.
First, the Act prohibits the collection, processing, or transfer of certain categories of data without notice and the affirmative express consent of the individual, in order to:
- Track the spread of COVID-19,
- Trace the spread of COVID-19 through contact tracing, or
- Determine compliance with social distancing guidelines without the requisite notice to individuals and their express consent.
To accomplish this, the Act also restricts entities in their ability to collect excessive information, stating that an entity cannot collect information beyond what is reasonably necessary to conduct any of the three COVID-19 related purposes listed in the statute. The entity must also provide reasonable administrative, technical, and physical data security policies and practices to protect the information collected. Furthermore, in the event that the entity stops using the information for any of the three COVID-19 purposes, it must delete or de-identify the information it has collected.
Next, the Act describes the requirements for notice to individuals. In order to legally collect, process or transfer the information, the entity needs to provide the consumer with prior notice of the purpose, processing, and transfer of the data through their privacy policy within 14 days of the enactment of the law. This policy would have to:
- Disclose the consumer's rights in a clear and conspicuous manner prior to or at the point of collection,
- Be available in a clear and conspicuous manner to the public,
- Include whether the entity will transfer any of the information it collects in order to track or trace COVID-19 or determine compliance with social distancing,
- Describe its data retention policy, and
- Generally describe its data security measures.
Notably, many of these are already requirements common to many privacy policies, including the disclosure regarding the transfer of an individual's information.
In addition, an individual must give their affirmative express consent to such collection, processing and transfer. In other words, an individual must "opt-in" to having their information collected. This would be done through a checked box or electronic signature, as the law prohibits entities from inferring consent through a failure by the individual to take an action stopping the collection. Furthermore, the individual would also need the ability to expressly withdraw their consent, with the entity then having to cease collection, processing, or transfer of the information within 14 days of the revocation. In essence, due to the restriction on transferal, this may result in businesses opting to delete or de-identify data upon a revocation.
Finally, the entity would have to abide by certain reporting and transparency requirements, namely a monthly public report stating how many individuals had information collected, processed or transferred, and describing the categories of the data collected, processed or transferred by the entity and why. This is akin to the California Consumer Privacy Act's treatment of categories of information, though it would require this information to be released on an ongoing, monthly basis.
WHAT DATA IS COVERED?
Notably, the Act only affects a very limited scope of data. The Act covers geolocation data (exact real-time locations), proximity data (approximated location data), and Personal Health Information (any genetic/diagnosis information that can identify someone). This could cover information like Bluetooth communication or real-time tracking based on a cell phone's geolocation features. Notably, Personal Health Information does not include any information that may be covered under HIPAA or the broader categorization of "Biometric" data (i.e. retinal scans, finger prints, etc). Furthermore, and more generally, "publicly available information" is excluded, which includes information from telephone books or online directories, the news media, "video, internet, or audio content" as well as "websites available to the general public on an unrestricted basis." The latter of which potentially would push any and all information made available through social media (i.e. Facebook or Twitter) into the definition of "publicly available information."
HOW IS IT ENFORCED?
Generally, the law would be enforced by the FTC, under the provisions regarding unfair or deceptive acts or practices, similar to other enforcement actions arising out of privacy policies. Notwithstanding, state attorney generals may also bring actions to enforce compliance and obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the state.
WHAT SHOULD MY COMPANY DO?
If your entity plans on collecting information for tracking COVID-19, measuring social distancing compliance, or contact tracing, it is advisable to include language in your privacy policy now. This could be as simple as adding an additional provision within your privacy policy stating that the entity will retain information to conduct one of the three COVID-19 purposes as laid out in the statute. In addition, this also means that should the entity collect and use employee information for contact tracing, tracking the spread of COVID-19 or ensuring compliance with social distancing measures, it will need to disclose some of the specifics of that process to the employees and have them opt-in for the process. Finally, for contact tracing purposes, any individual that shares their diagnosis will have to opt-in for the entity to legally collect, process, and transfer that information to others.
While the time to reach compliance is unknown, it is more important than ever to form a compliance plan for privacy legislation if you do not already have a plan in place. If you decide to prepare with us, our firm has created a 90 day California Consumer Privacy Act compliance program (which can be expedited) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation. For further inquiries or questions related to COVID-19, you can consult with a Task Force attorney by emailing NDCovid19Response@ndlf.com or contacting our office directly at 949-854-7000.
Kyle Janecek is an associate in the firm's Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at kyle.janecek@ndlf.com.
Jeff Dennis (CIPP/US) is the Head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at jeff.dennis@ndlf.com.
Read the court decisionRead the full story...Reprinted courtesy of
Lewis Brisbois Ranks Among Top 25 Firms on NLJ’s 2021 Women in Law Scorecard
July 25, 2021 —
Jana Lubert - Lewis BrisboisLewis Brisbois has been ranked among the top 25 law firms included in the National Law Journal's (NLJ) 2021 Women in Law Scorecard (Women’s Scorecard), moving up from 27th place to 23rd place this year. In addition, of the top 25 firms in the Women’s Scorecard, Lewis Brisbois had the highest number of female minority partners.
The Women’s Scorecard is produced as part of the annual NLJ 500 firm head count report, and only the largest 350 firms are eligible to be included on the scorecard. A firm’s score is determined by adding the percentage of female attorneys and percentage of female partners. Diversity staffing counts were based on a firm’s average full-time attorneys in 2020, excluding contract and temporary attorneys.
Read the court decisionRead the full story...Reprinted courtesy of
Jana Lubert, Lewis BrisboisMs. Lubert may be contacted at
Jana.Lubert@lewisbrisbois.com
Wilke Fleury and Attorneys Recognized as ‘Best Law Firm’ and ‘Best Lawyers’ by U.S. News!
November 08, 2017 —
Wilke FleuryWilke Fleury is pleased to announce its inclusion in the 2018 editions of ‘Best Law Firms’ in America and ‘Best Lawyers’ in America. The two award categories reflect excellence in legal service – firms included in the 2018 “Best Law Firms” list are recognized for professional excellence by clients and peers and Best Lawyers® has become universally regarded as the definitive guide to legal excellence.
Wilke Fleury Recognized in U.S. News 2018 Edition ‘Best Law Firms’ in America
Wilke Fleury is honored to be recognized among the nation’s Best Law Firms by U.S. News – Best Lawyers.
“Firms included in the 2018 “Best Law Firms” list are recognized for professional excellence with persistently impressive ratings from clients and peers. Achieving a tiered ranking signals a unique combination of quality law practice and breadth of legal expertise.”
Wilke Fleury Attorneys Elected to U.S. News 2018 Edition ‘Best Lawyers’ in America
Congratulations to
David A. Frenznick and
Ernest James Krtil on their election to the 2018 Edition ‘Best Lawyers in America.’
Read the court decisionRead the full story...Reprinted courtesy of
Wilke Fleury
Big Data Meets Big Green: Data Centers and Carbon Removal Compete for Zero-Emission Energy
October 15, 2024 —
Robert A. James, Sidney L. Fowler & Ashleigh Myers - Gravel2Gavel Construction & Real Estate Law BlogArtificial intelligence, data centers, carbon removal and zero-emission power may sound like a winning line (plus the Free Space) on a 2024 Buzzword Bingo card. But the concepts have come into dramatic real-world tension as private and public actors seek to accommodate the digital and environmental imperatives for green energy.
After years of fairly stable demand, punctuated by declines during the pandemic and economic slumps, electricity demand is projected to double by 2050. A principal cause is the rapid expansion in the power needed to energize and cool servers amid explosive growth in the number and size of data centers, crypto miners, and other point sources of computation. Data centers were 3% of U.S. demand and are projected to be up to 9% or more by 2030; AI will drive a 160% surge in data center demand by 2030. A commentator notes, “We haven’t seen [growth like] this in a generation.”
Reprinted courtesy of
Robert A. James, Pillsbury,
Sidney L. Fowler, Pillsbury and
Ashleigh Myers, Pillsbury
Mr. James may be contacted at rob.james@pillsburylaw.com
Mr. Fowler may be contacted at sidney.fowler@pillsburylaw.com
Ms. Myers may be contacted at ashleigh.myers@pillsburylaw.com
Read the court decisionRead the full story...Reprinted courtesy of
Hunton Insurance Recovery Partner Michael Levine Quoted on Why Courts Must Consider the Science of COVID-19
March 15, 2021 —
Latosha M. Ellis & Matt Revis - Hunton Insurance Recovery BlogOne year into the COVID-19 pandemic, courts have issued hundreds of rulings in COVID-19 business interruption lawsuits, many favoring insurers. Yet those pro-insurer rulings are not based on evidence, much less expert opinion evidence. For insurers, ignorance is bliss.
Despite early numbers in federal courts favoring insurers (state court decisions actually favor policyholders), the year ahead holds promise for policyholders. Fundamental science is the key. Indeed, as researchers continue to broaden their knowledge about COVID-19, it has become increasingly clear that scientific evidence supports coverage for policyholders’ claims.
Reprinted courtesy of
Latosha M. Ellis, Hunton Andrews Kurth and
Matt Revis, Hunton Andrews Kurth
Ms. Ellis may be contacted at lellis@HuntonAK.com
Read the court decisionRead the full story...Reprinted courtesy of
Injury to Employees Endorsement Eliminates Coverage for Insured Employer
February 01, 2021 —
Tred R. Eyerly - Insurance Law HawaiiThe court granted summary judgment to the insurer based upon an endorsement which barred coverage for injuries to employees. Northfield Ins. Co. v. Z&J Mgt. LLC, 2020 N.Y. Misc. LEXIS 10801 (N.Y. Sup. Ct. Dec. 18, 2020).
Ravi Sooklal sued his employer, Z&J Management LLC (Z&J), for injuries at the job site. Northfield, who had issued a CGL policy to Z&L, denied coverage based upon two endorsements. The first was titled "Injury to Employees of Insureds" and the second was "Employers' Liability." Northfield sued for a declaratory judgment and now moved for summary judgment.
Read the court decisionRead the full story...Reprinted courtesy of
Tred R. Eyerly, Damon Key Leong Kupchak HastertMr. Eyerly may be contacted at
te@hawaiilawyer.com
Former NJ Army Base $2B Makeover is 'Buzzsaw' of Activity
June 14, 2021 —
Tom Stabile - Engineering News-RecordTake a developed property the size of New York City’s Central Park with 5 million sq ft of building area, program in new construction or renovation over 20 years and across three dozen parcels for 1,600 housing units, 300,000 sq ft of civic or government space, 500,000 sq ft for retail and 2 million sq ft of offices, and you have a pretty ambitious undertaking. The $2-billion effort to redevelop Fort Monmouth, a decommissioned former U.S. Army base in the thick of New Jersey’s suburban sprawl, is all kinds of ambitious.
Reprinted courtesy of
Tom Stabile, Engineering News-Record
ENR may be contacted at ENR.com@bnpmedia.com
Read the full story... Read the court decisionRead the full story...Reprinted courtesy of
Carillion Fallout Affects Major Hospital Project in Liverpool
October 30, 2018 —
Peter Reina - Engineering News-RecordManagers of a 90%-complete, 646-bed hospital in Liverpool will take charge of the project after unravelling a public-private partnership with the contractor Carillion Plc, which collapsed ignominiously in January (ENR 1/22 p. 12). Following cancellation of the contractor’s other large U.K. hospital P3, near Birmingham, project lenders face large losses.
Read the court decisionRead the full story...Reprinted courtesy of
Peter Reina, ENRMr. Reina may be contacted at
reina@btinternet.com