Holland & Knight - California Consumer Privacy Act Newsletter - July 2019


Will New York Be the Next State to Adopt Robust Data Privacy and Security Laws?

July 2019

Copyright © 2019 Holland & Knight LLP All Rights Reserved



Holland & Knight is a U.S.-based global law firm committed to providing high-quality legal services to our clients. We provide legal assistance to companies doing business or making investments in the United States and Latin America. With more than 1,300 professionals in 28 offices, our lawyers and professionals are experienced in all of the interdisciplinary areas necessary to guide clients through the opportunities and challenges that arise throughout the business or investment life cycle. We assist clients in areas such as international business, mergers and acquisitions, technology, healthcare, real estate, environmental law, private equity, venture capital, financial services, taxation, intellectual property, private wealth services, data privacy and cybersecurity, labor and employment, ESOPs, regulatory and government affairs, and dispute resolution.



Will New York Be the Next State to Adopt Robust Data Privacy and Security Laws?

By Mark H. Francis

HIGHLIGHTS:

• The signing of the California Consumer Privacy Act (CCPA) into law in June 2018 imposed significant new privacy obligations on businesses that have personal information about California residents and set off a burst of privacy legislation across the U.S.

• Various privacy bills have been introduced in dozens of other states and also in Congress, and others are still in the works – a key issue being whether and to what extent a federal bill would preempt state privacy laws.

• New York has seen two noteworthy legislative developments on privacy protections in the past few months: the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) and the New York Privacy Act (NYPA).

In June 2018, the California Consumer Privacy Act (CCPA) was signed into law, imposing significant new privacy obligations on businesses that have personal information about California residents. (California Civil Code § 1798.100, et seq.) The CCPA, which goes into effect Jan. 1, 2020, among other things requires businesses to respond to consumers' requests for disclosure or deletion of their personal information, as well as honor requests not to sell a consumer's information to a third party.

The enactment of the CCPA set off a burst of privacy legislation across the U.S. Legislators in dozens of other states have introduced similar privacy bills. Various privacy bills have also been introduced in Congress, and others are still in the works – a key issue being whether and to what extent a federal bill would preempt state privacy laws.

But despite all of this activity over the past year, no such privacy law has yet been enacted in any state or in Congress. The many proposed bills either remain under review in legislative committees or have failed to proceed fast enough to be passed into law during 2019 legislative sessions. The only exception appears to be a relatively narrow Nevada law passed on May 30, 2019, that prohibits a business from selling personal information for monetary consideration following a verified consumer request not to do so. (Nevada SB220, NRS Ch. 603A, effective Oct. 1, 2019.)

With this background, New York has seen two noteworthy legislative developments on privacy protections in the past few months.

The SHIELD Act

In June 2019, the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) was passed by both the New York Senate and Assembly, and it is now due to be delivered to Gov. Andrew Cuomo for his signature. (See S5575B; A5635. The SHIELD Act was previously pursued in the 2017-2018 legislative session as S6933.) In addition to expanding breach notification obligations, the law introduces broad new cybersecurity requirements.

A. Expanding Breach Notification Obligations

This bill amends General Business Law Section 899-aa with respect to breach notification in a number of key respects, including:

• expanding the definition of personal information to include 1) financial account numbers that can be used to access an individual's financial account without any additional identifying information, security code, access code or password; 2) biometric information; and 3) a user name or email address in combination with a password or security question and answer that would permit access to an online account

• revising the meaning of what constitutes "unauthorized access" to personal information

• exempting notice for an "inadvertent disclosure" where it is reasonably determined that the exposure "will not likely result in misuse of such information, or financial harm"

• increasing the fines the State Attorney General can seek for violations of the statute, as well as lengthening the statute of limitations

B. New Cybersecurity Obligations

The SHIELD Act goes further than just breach notification, introducing a series of new security requirements in Section 899-bb that are similar in some respects to those previously enacted in Massachusetts (M.G.L. Ch. 93H and 201 CMR 17.00). Specifically, businesses that maintain private information of New York residents must "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data." This requirement can be fulfilled either by:

1. complying with regulations such as Title V of the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) or the New York State Department of Financial Services Cybersecurity Requirements (23 NYCRR 500), or

2. implementing a data security program that includes:

a. reasonable administrative safeguards such as:
i. designating one or more employees to coordinate the security program
ii. identifying reasonably foreseeable internal and external risks
iii. assessing the sufficiency of safeguards in place to control the identified risks
iv. training and managing employees in the security program practices and procedures
v. selecting service providers capable of maintaining appropriate safeguards, and requiring those safeguards by contract, and
vi. adjusting the security program in light of business changes or new circumstances

b. reasonable technical safeguards such as:
i. assessing risks in network and software design
ii. assessing risks in information processing, transmission and storage
iii. detecting, preventing and responding to attacks or system failures, and
iv. regularly testing and monitoring the effectiveness of key controls, systems and procedures

c. reasonable physical safeguards such as:
i. assessing risks of information storage and disposal
ii. detecting, preventing and responding to intrusions
iii. protecting against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information, and
iv. disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed

These new data security requirements appear to go beyond the Massachusetts regulations in some respects (such as disposal of personal information) and appear to expand New York consumer-related obligations for security much like the CCPA has done for privacy.

There are some mitigating factors. First, the law includes some flexibility within its language and is subject to risk-based decisions. Second, the law recognizes that a small business can comply where its security program is appropriate for its size and complexity, such as in view of the nature and scope of its activities and the sensitivity of the personal information it maintains. Third, the Attorney General can pursue civil penalties for violations, but there is no private right of action.

The New York Privacy Act

The New York Privacy Act (NYPA) was introduced on May 9, 2019, and referred to the Senate's Consumer Protection Committee. (See S5642.) The Act goes much further than the CCPA, incorporating many additional concepts from the European Union's General Data Protection Regulation (GDPR), such as data controllers and processors, as well as adopting a "data fiduciary" standard. The law excludes personal data that is subject to GLBA or HIPAA, or maintained for employment records.

A. Fiduciary Duties

The NYPA's key fiduciary requirements (Section 1102) include the following.


• Personal data of consumers may not be used, processed or transferred to a third party without a consumer's express and documented consent.

• Every controller and data broker must "exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances."

• Personal data, or data derived from it, may not be used in a manner that "(i) will benefit the online service provider to the detriment of an end user; and (ii) (A) will result in reasonably foreseeable and material physical or financial harm to a consumer; or (B) would be unexpected and highly offensive to a reasonable consumer."

• Personal data cannot be disclosed, sold or shared with another party except where the recipient "enters into a contract that imposes the same duties of care, loyalty, and confidentially toward the consumer" and where the discloser "take[s] reasonable steps to ensure" the recipient complies with those obligations, "including by auditing, on a regular basis, the data security and data information practices" of the recipient.

• Privacy risks are broadly defined to include financial and economic harm, physical harm, psychological harm (e.g., anxiety, embarrassment), inconvenience or expenditure of time, adverse outcomes (e.g., employment, housing, education, healthcare), reputational harm, disruption or intrusion from unwanted commercial communications, price discrimination, and various effects reasonably foreseeable, contemplated by or expected by the assessor of privacy risk.

• The fiduciary duty shall "supersede any duty owed to owners or shareholders."

B. Consumer Rights

The Act also introduces six consumer rights (Section 1103).

1. Disclosure: Upon request, a controller must confirm whether a consumer's personal data is being processed and/or sold to data brokers, and provide access to the personal data and the names of third-party recipients.
2. Correction: Upon request, correct inaccurate personal data.
3. Deletion: Upon request, delete personal data if no longer necessary for the purposes of collection, including where consent was withdrawn, but excluding certain legal or public interest retention needs.
4. Restrict processing: Upon request, cease processing where restricted by the consumer or where the accuracy of the data is disputed by the consumer.
5. Portability: Personal data must be provided in a structured, commonly used and machine-readable format if 1) consent is required or processing is necessary for performance of a pending or existing contract, and 2) processing is by automated means.
6. Profiling: Profile-based decisions with legal or other similarly significant effects – such as denial of consequential services or support (e.g., financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities and healthcare services) – may not be made except where otherwise permitted by law and measures are taken to safeguard consumers' rights and interests.

The Act provides 30 days to respond to such requests, subject to a 60-day extension when necessary. Information must generally be provided free of charge.

C. Transparency

The Act also includes new requirements for the public privacy notice (Section 1104), which are similar to the CCPA in many respects but also include some key differences, such as:

• disclosure of "the names and categories of third parties, if any, with whom the controller shares personal data" (emphasis added)

• those who "engage in profiling" must provide in advance "meaningful information about the logic involved and the significance and envisaged consequences of the profiling," and

• disclosure of how to object to the sale or processing of personal data for direct marketing purposes

D. Liability

The Act includes a tough liability provision, deeming a violation "an unfair or deceptive act in trade or commerce and an unfair method of competition" and granting enforcement authority to the Attorney General, with civil penalties to be assessed based on "the number of affected individuals, the severity of the violation, and the size and revenues of the covered entity," where each affected individual counts as a separate violation, as does each provision that is violated. (Sections 1109(3) and (4).)

The Act also includes a private right of action, providing that "any person who has been injured by reason of a violation of this article may bring an action [] to enjoin such unlawful act, or to recover his or her actual damages, or both []. The court may award reasonable attorney's fees to a prevailing plaintiff." (Section 1109(3).)

Conclusion and Considerations

Although the NYPA had a single sponsor and is just beginning review in a Senate committee, it presents a broader range of potential legal frameworks that legislators may pursue in New York or other states. As the CCPA and proposed NYPA highlight in regard to data privacy, as Massachusetts Regulation 201 CMR 17.00 and the SHIELD Act highlight in regard to data security – and as 50 different state laws highlight in regard to breach notification – businesses of all shapes and sizes face increasing regulatory compliance costs and risk exposure with the expansion of fragmented, state-based privacy regimes in the absence of a comprehensive federal framework.




Team Contacts

Paul Bond, Partner | Philadelphia | 215.252.9535 | paul.bond@hklaw.com
Zalika Pierre, Associate | New York | 212.513.3584 | zalika.pierre@hklaw.com
Mark H. Francis, Partner | New York | 212.513.3572 | mark.francis@hklaw.com
Ashley L. Shively, Partner | San Francisco | 415.743.6906 | ashley.shively@hklaw.com
John P. Kern, Partner | San Francisco | 415.743.6918 | john.kern@hklaw.com
Stacey Hsiang Chung Wang, Partner | Los Angeles | 213.896.2480 | stacey.wang@hklaw.com
Mark S. Melodia, Partner | New York | 212.513.3583 | mark.melodia@hklaw.com

You May Also Contact Our China Practice Attorneys For Assistance

Hongjun Zhang, Ph.D., Partner | Washington, D.C. | 202.457.5906 | hongjun.zhang@hklaw.com
Mike Chiang, Senior Counsel | San Francisco | 415.743.6968 | mike.chiang@hklaw.com

Office Locations

Anchorage | Atlanta | Austin | Bogotá | Boston | Charlotte | Chicago | Dallas | Denver | Fort Lauderdale | Houston | Jacksonville | Lakeland | London | Los Angeles | Mexico City | Miami | New York | Orlando | Philadelphia | Portland | San Francisco | Stamford | Tallahassee | Tampa | Tysons | Washington, D.C. | West Palm Beach

