Privacy In Pandemic: Senators Announce Covid-19 Data Privacy Bill
May 11, 2020 —
Kyle Janecek & Jeffrey Dennis – Newmeyer Dillion
"Data! Data! Data!. . . I can't make bricks without clay." This classic statement from Sherlock Holmes in The Adventure of the Copper Beeches takes on a new meaning in the COVID-19 pandemic. With the plans to begin contact tracing the spread of the COVID-19 pandemic slowly moving towards the forefront, a valid and important issue presents itself: how do we treat and protect the data we so desperately need to trace, track, and address the pandemic? U.S. Senators Wicker, Thune, Moran, and Blackburn introduced a possible solution to this problem with the COVID-19 Consumer Data Protection Act, as announced on April 30, 2020. So what does the Act entail? What information is protected? What action would businesses need to take towards individuals, such as consumers or even employees, in order to comply with this new legislation?
WHAT IS THE COVID-19 CONSUMER DATA PROTECTION ACT?
The Act is meant to address the concern regarding data collection and privacy due to large companies, like Google and Apple, adjusting the software within their devices to facilitate digital contact tracing. The Act can be broken up into three parts - the treatment of information; the privacy notice requirements; and the transparency requirements.
First, the Act prohibits the collection, processing, or transfer of certain categories of data without notice and the affirmative express consent of the individual, in order to:
- Track the spread of COVID-19,
- Trace the spread of COVID-19 through contact tracing, or
- Determine compliance with social distancing guidelines without the requisite notice to individuals and their express consent.
To accomplish this, the Act also restricts entities in their ability to collect excessive information, stating that an entity cannot collect information beyond what is reasonably necessary to conduct any of the three COVID-19 related purposes listed in the statute. The entity must also provide reasonable administrative, technical, and physical data security policies and practices to protect the information collected. Furthermore, in the event that the entity stops using the information for any of the three COVID-19 purposes, it must delete or de-identify the information it has collected.
Next, the Act describes the requirements for notice to individuals. In order to legally collect, process or transfer the information, the entity needs to provide the consumer with prior notice of the purpose, processing, and transfer of the data through their privacy policy within 14 days of the enactment of the law. This policy would have to:
- Disclose the consumer's rights in a clear and conspicuous manner prior to or at the point of collection,
- Be available in a clear and conspicuous manner to the public,
- Include whether the entity will transfer any of the information it collects in order to track or trace COVID-19 or determine compliance with social distancing,
- Describe its data retention policy, and
- Generally describe its data security measures.
Notably, many of these are already requirements common to many privacy policies, including the disclosure regarding the transfer of an individual's information.
In addition, an individual must give their affirmative express consent to such collection, processing and transfer. In other words, an individual must "opt-in" to having their information collected. This would be done through a checked box or electronic signature, as the law prohibits entities from inferring consent through a failure by the individual to take an action stopping the collection. Furthermore, the individual would also need the ability to expressly withdraw their consent, with the entity then having to cease collection, processing, or transfer of the information within 14 days of the revocation. In essence, due to the restriction on transferal, this may result in businesses opting to delete or de-identify data upon a revocation.
Finally, the entity would have to abide by certain reporting and transparency requirements, namely a monthly public report stating how many individuals had information collected, processed or transferred, and describing the categories of the data collected, processed or transferred by the entity and why. This is akin to the California Consumer Privacy Act's treatment of categories of information, though it would require this information to be released on an ongoing, monthly basis.
WHAT DATA IS COVERED?
Notably, the Act only affects a very limited scope of data. The Act covers geolocation data (exact real-time locations), proximity data (approximated location data), and Personal Health Information (any genetic/diagnosis information that can identify someone). This could cover information like Bluetooth communication or real-time tracking based on a cell phone's geolocation features. Notably, Personal Health Information does not include any information that may be covered under HIPAA or the broader categorization of "Biometric" data (i.e. retinal scans, fingerprints, etc.). Furthermore, and more generally, "publicly available information" is excluded, which includes information from telephone books or online directories, the news media, "video, internet, or audio content" as well as "websites available to the general public on an unrestricted basis." The latter would potentially push any and all information made available through social media (i.e. Facebook or Twitter) into the definition of "publicly available information."
HOW IS IT ENFORCED?
Generally, the law would be enforced by the FTC, under the provisions regarding unfair or deceptive acts or practices, similar to other enforcement actions arising out of privacy policies. Notwithstanding, state attorneys general may also bring actions to enforce compliance and obtain damages, civil penalties, restitution, or other compensation on behalf of the residents of the state.
WHAT SHOULD MY COMPANY DO?
If your entity plans on collecting information for tracking COVID-19, measuring social distancing compliance, or contact tracing, it is advisable to include language in your privacy policy now. This could be as simple as adding an additional provision within your privacy policy stating that the entity will retain information to conduct one of the three COVID-19 purposes as laid out in the statute. In addition, this also means that should the entity collect and use employee information for contact tracing, tracking the spread of COVID-19 or ensuring compliance with social distancing measures, it will need to disclose some of the specifics of that process to the employees and have them opt-in for the process. Finally, for contact tracing purposes, any individual that shares their diagnosis will have to opt-in for the entity to legally collect, process, and transfer that information to others.
While the time to reach compliance is unknown, it is more important than ever to form a compliance plan for privacy legislation if you do not already have a plan in place. If you decide to prepare with us, our firm has created a 90-day California Consumer Privacy Act compliance program (which can be expedited) where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation. For further inquiries or questions related to COVID-19, you can consult with a Task Force attorney by emailing NDCovid19Response@ndlf.com or contacting our office directly at 949-854-7000.
Kyle Janecek is an associate in the firm's Privacy & Data Security practice, and supports the team in advising clients on cyber related matters, including policies and procedures that can protect their day-to-day operations. For more information on how Kyle can help, contact him at kyle.janecek@ndlf.com.
Jeff Dennis (CIPP/US) is the Head of the firm's Privacy & Data Security practice. Jeff works with the firm's clients on cyber-related issues, including contractual and insurance opportunities to lessen their risk. For more information on how Jeff can help, contact him at jeff.dennis@ndlf.com.
The ALI Restatement – What Lies Ahead?
July 30, 2018 —
Adam M. Berardi & Sara C. Tilitz - Complex Insurance Coverage Reporter
The American Law Institute voted on May 22, 2018 to approve the final draft of its “Restatement of the Law of Liability Insurance.” This was the culmination of an eight-year project that evolved through 29 drafts resulting in a nearly 500-page final product. At least nine courts cited to the Restatement while it was still in draft form. On June 28, 2018, White and Williams LLP had the privilege of hosting a seminar about the Restatement, chaired by the Reporter for the Restatement, University of Pennsylvania Law Professor Tom Baker, and Randy Maniloff of White and Williams, author of “General Liability Insurance Coverage, Key Issues In Every State.” The seminar was geared toward assisting members of the liability insurance community in navigating the key provisions of the Restatement, including how they compare and contrast with existing case law and the role the Restatement may play in courts’ decision-making processes going forward.
Reprinted courtesy of
Adam M. Berardi, White and Williams, LLP and
Sara C. Tilitz, White and Williams, LLP
Mr. Berardi may be contacted at berardia@whiteandwilliams.com
Ms. Tilitz may be contacted at tilitzs@whiteandwilliams.com
Netherlands’ Developer Presents Modular Homes for Young Professionals
March 05, 2015 —
Beverley BevenFlorez - CDJ STAFF
Builder Magazine reported that Heijmans, a development and building company based in The Netherlands, believes their new modular home, the Heijmans ONE, is a solution for young professionals looking for an affordable, urban option.
“As a designer, I believe prefabricated architecture can beautifully balance quality, experience and economic feasibility,” the project's architect Tim van der Grinten, of Moodbuilders Architecture, told Builder Magazine. “The architecture of this compact house is characterized by natural materials, space, openness and identity. It is a clearly recognizable property that you can make your own.”
Yes, Indeedy. Competitive Bidding Not Required for School District Lease-Leasebacks
October 01, 2014 —
Garret Murai – California Construction Law Blog
Remember when you discovered that the tooth fairy wasn’t real?
It was kind of a bummer on one hand learning that it wasn’t a fairy that magically appeared to swap your tooth for cold hard cash, but rather your mom or, visual horrors, dad.
At the same time, it was, to your nearly-halfway-to-a-decade-on-this-planet-wizened-six-year-old mind, confirmation of what you had a sneaking suspicion was the case in any event.
And, so it is with the next case.
Lease-Leasebacks
In California, most public school construction projects are built using the traditional design-bid-build project delivery method in which a design professional designs the project, the project is put out for competitive bid and the selected contractor builds the project.
But not all school construction projects are built this way.
Reprinted courtesy of
Garret Murai, Kronick Moskovitz Tiedemann & Girard
Mr. Murai may be contacted at gmurai@kmtg.com
Sales of Existing U.S. Homes Decrease on Fewer Investors
September 24, 2014 —
Jeanna Smialek – Bloomberg
Purchases of previously owned U.S. homes unexpectedly declined in August for the first time in five months as investors retreated from the market.
Existing home sales dropped 1.8 percent to a 5.05 million annual pace, from a revised 5.14 million pace in July, the National Association of Realtors reported today in Washington. The median forecast of 72 economists in a Bloomberg survey called for 5.2 million. The share of properties sold to investors was the lowest in almost five years.
As wage gains are slow to materialize and credit conditions remain tight, it has been difficult for first-time homebuyers to enter the housing market to make up the decrease in investor activity. Employment growth and easier lending rules could help would-be buyers to feel more secure in taking the plunge into homeownership.
Reprinted courtesy of
Jeanna Smialek, Bloomberg
Ms. Smialek may be contacted at jsmialek1@bloomberg.net
Construction Defects Are Not An Occurrence Under New York, New Jersey Law
June 18, 2014 —
Tred R. Eyerly – Insurance Law Hawaii
The New York Supreme Court, Appellate Division, determined there was no coverage for construction defects under New York or New Jersey law. Nat'l Union Fire Ins. Co. of Pittsburgh, PA v. Turner Constr. Co., 2014 N.Y. App. Div. LEXIS 3546 (N.Y. App. Div. May 15, 2014).
The property owner retained Turner Construction to serve as the general contractor. Turner subcontracted with Permasteelisa North America Corporation to design and build the exterior wall, a "curtain wall," which consisted of granite and glass.
A segment of the pipe rail system fell to the street from the eighth floor of the building. An investigation determined that more than 20% of the pipe rail connections surveyed did not conform to the building plans. Additional problems included inconsistencies in the method of rail attachment, bent brackets on the pipe rail system, cracked glass louvers, cracked glass panels, and water infiltration.
Reprinted courtesy of
Tred R. Eyerly, Insurance Law Hawaii
Mr. Eyerly may be contacted at te@hawaiilawyer.com
How the Cumulative Impact Theory has been Defined
November 30, 2020 —
David Adelstein - Florida Construction Legal Updates
Largely in the federal contract arena, there is a theory referred to as “cumulative impacts” used by a contractor to recover unforeseeable costs associated with a multitude of changes that have an overwhelming ripple effect on its efficiency, particularly efficiency dealing with its original, base contract work. In other words, by dealing with extensive changes, there is an unforeseeable impact imposed on the contractor relative to its unchanged or base contract work. Under this theory, the contractor oftentimes prices its cumulative impact under a total cost approach with an examination on its cost overrun. However, this is not an easy theory to prevail on because there needs to be a focus on the sheer number of changes, causation supporting the impact, and whether there were concurrent impacts or delays that played a role in the ripple effect. See, e.g., Appeals of J.A. Jones Const. Co., ENGBCA No. 6348, 00-2 BCA P 31000 (July 7, 2000) (“However, in the vast majority of cases such claims are routinely denied because there were an insufficient number of changes, contractor-caused concurrent delays, disruptions and inefficiencies and/or a general absence of evidence of causation and impact.”).
To best articulate how the cumulative impact theory has been defined, I want to include language directly from courts and boards of contract appeals that have dealt with this theory. This way the contractor knows how to best work with their experts with this definition in mind (and, yes, experts will be needed) to persuasively package and establish causation and damages stemming from the multitude of changes. While many of these definitions are worded differently, you will see they have the same focus dealing with the unforeseeable ripple effect of the extensive changes.
Reprinted courtesy of
David Adelstein, Kirwin Norris, P.A.
Mr. Adelstein may be contacted at dma@kirwinnorris.com
General Contractor Cited for Safety Violations after Worker Fatality
September 17, 2015 —
Beverley BevenFlorez - CDJ STAFF
The general contractor of Washington’s SR 520 Floating Bridge Project was cited by the Washington Department of Labor & Industries (L&I) “for serious safety violations following the death of worker Joe Arrants in March.” According to EHS Today, “Arrants was killed when he fell approximately 60 feet to the dock below.”
EHS Today reported that during the investigation, L&I found that the fall protection systems were not used “in accordance with fall protection standards and the manufacturer’s recommendation during forming and stripping operations.” Furthermore, there was no “lifesaving skiff immediately available,” or “a ring buoy with at least 90 feet of line, which would make rescue difficult if a worker fell into the water,” and the contractor did not ensure that the hand tools and equipment were in good, working condition.