Recent Privacy Updates
California AG Seeks Expedited Review of CCPA Regulations
On June 1, California Attorney General Xavier Becerra submitted the final California Consumer Privacy Act (“CCPA”) regulations to the Office of Administrative Law (“OAL”) for review. The final regulations are substantively identical to the second set of modified proposed regulations, which were released in March.
Attorney General Becerra is asking for an expedited review of the proposed regulations so that they can take effect on July 1. Becerra’s request starts a process in which the OAL has 30 working days, plus an additional 60 calendar days due to the COVID-19 pandemic, to confirm the regulations comply with state statutes. OAL will then either approve the rulemaking action and file the proposed regulations with the Secretary of State or disapprove the rulemaking action. If the request for expedited review is denied, and the final regulations are filed with the Secretary of State on or before August 31, they will take effect on October 1, 2020. If that filing occurs after August 31, the regulations will not take effect until January 1, 2021.
Prior to the effective date, companies should take a close look at the final regulations, evaluate what changes they will need to make to their CCPA compliance programs, and map out their final compliance checklist and timeline.
Citrix Agrees to Settlement Over Employee Data Hack
Citrix Systems Inc. (“Citrix”) agreed to settle a class action alleging it was at fault for hackers stealing the information of more than 24,000 current and former employees. The settlement amount is reported to be over $2.3 million.
In March 2019, the FBI alerted Citrix that hackers likely gained access to the Citrix network by exploiting weak passwords. It is believed that the hackers had access to the system for six months before being discovered. Employees sued Citrix in three cases (later consolidated into one), alleging the company was negligent for the theft of information that included their names, Social Security numbers, and bank account numbers.
According to the proposed settlement filed in the District Court for the Southern District of Florida, Citrix would pay for credit monitoring services and up to $15,000 per class member for breach-related expenses, among other things. The settlement agreement also directs Citrix to boost cybersecurity training and reinforce data protections.
Potential Changes to State Insurance Privacy Laws
On May 5, the National Association of Insurance Commissioners’ (“NAIC”) Privacy Protections Working Group met via conference call to review the long-standing state insurance privacy laws regarding the collection, use and disclosure of personal information gathered in connection with insurance transactions and to make recommendations regarding any updates or modifications to NAIC models. This charge comes in the wake of significant changes to the privacy law landscape, most notably from the California Consumer Privacy Act (“CCPA”).
Most of the personal data that insurers collect is currently exempted from the CCPA, so insurers are, for the most part, relieved from complying with the CCPA’s consumer rights requirements. However, as more states consider privacy laws similar to, or more aggressive than, the CCPA, it is an open question whether insurers will be similarly exempted.
The Working Group has begun the process of assessing the NAIC’s existing model laws to consider adding elevated consumer rights and privacy protections similar to the CCPA. Look for updates on any changes to the model laws in future editions of the Technology & Intellectual Property Update.