Legal developments in data, privacy, cybersecurity, and other emerging technology issues
With the passage of the Cybersecurity Affirmative Defense Act, Utah became the second state – after Ohio’s Data Protection Act in 2018 – to create an affirmative defense to certain causes of action stemming from a data breach. The law provides an affirmative defense under Utah law and in Utah courts to certain tort claims arising out of a data breach if the company demonstrates that it created, maintained, and reasonably complied with a written cybersecurity program.
With Governor Ralph Northam’s signature yesterday, the Consumer Data Protection Act (“CDPA”) became law, making Virginia the second state after California to enact a comprehensive privacy law (with apologies to Nevada, which also has passed more modest privacy legislation). Although similar in many respects to the California Consumer Privacy Act (“CCPA”), which was recently updated by the Consumer Privacy Rights Act (“CPRA”), the law contains terminology more consistent with the European Union’s General Data Protection Regulation (“GDPR”).
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued its opinion vacating the $4.3 million penalty that the U.S. Department of Health and Human Services (“HHS”) had levied against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”). Eye-popping penalty amounts for HIPAA and HITECH Act violations have picked up steam in recent years. However, the M.D. Anderson case is among the first such settlements to be litigated. The Fifth Circuit decision contains some critical takeaways as to key requirements under HIPAA and the enforcement actions available to HHS, and should be of particular interest to healthcare providers and also insurers writing cybersecurity policies.
In Tsao v. Captiva MVP Restaurant Partners, LLC, the Eleventh Circuit joined the federal appellate courts holding that a consumer’s exposure to a substantial risk of future identity theft, and efforts to mitigate the risk of future identity theft, are not sufficient to confer Article III standing. The decision highlights federal courts’ struggle with the standing requirements in a data breach case, and possibly raises the likelihood that the U.S. Supreme Court will address the issue.
Over the last few weeks, the federal government has issued a number of trade sanctions and restrictions targeting the People’s Republic of China. These include prohibitions on investments in certain companies deemed to be Chinese military companies, and further restrictions on any business relationships with an entity connected to Huawei. This article discusses certain new restrictions with significant data, privacy and cybersecurity implications.
Given the speculation and concern over ransomware attacks impacting the 2020 U.S. election, the recent spate of private companies falling victim to such attacks, and the October 1, 2020 advisory issued by the Department of Treasury (“Advisory”), it is no surprise that ransomware is trending in cybersecurity.
On September 23, 2020, Representatives Bob Latta (R-Ohio) and Greg Walden (R-Ore.) re-introduced the “Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution Act” or the “SELF DRIVE Act” to create a federal framework for autonomous vehicles (“AVs”). The measure lacks bipartisan support and is not expected to reach the floor of the House of Representatives during this session. But the continued effort demonstrates the importance that many lawmakers put on promoting a U.S.-led effort in the development of self-driving vehicles. The matter likely will be among the key transportation themes before the next session of Congress, which convenes in January. On the Senate side, policymakers have not advanced autonomous vehicle bills. In the previous congressional session, an autonomous vehicle policy measure advanced in the House but came up short in the Senate.
In response to the Court of Justice of the European Union’s (CJEU) recent Schrems II decision that, among other things, invalidated the Privacy Shield Framework (previously covered in The Matrix), various agencies of the US Government co-published a White Paper providing background on US intelligence agencies’ data collection activities and limitations thereon. Although the White Paper is intended to “assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the [CJEU’s] ruling,” the agencies stressed that it “is not intended to provide companies with guidance on EU law or what positions to take before EU regulators or courts.”
Undeterred by previous failed attempts to bolster Washington state laws protecting individual privacy, earlier this month Washington State Senator Reuven Carlyle announced on his Twitter account that the draft Washington Privacy Act 2021 (the “Bill”) is available for public comment. This is the State of Washington’s most recent attempt to strengthen protections for consumer privacy, following the lead of California and the California Consumer Protection Act (“CCPA”).
While the Bill contains many similarities to the State of Washington’s previous attempts, included with the Bill are new provisions related to contact tracing aimed to “instill public confidence on the processing and use of their personal and public health data during any global pandemic[.]” These new provisions apply protections related to the processing of certain “covered data” for the purposes of “detecting symptoms of an infectious disease, enabling the tracking of an individual's contacts with other individuals, or with specific locations to identify in an automated fashion whom individuals have come into contact with, or digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease, or other similar purposes directly related to a state of emergency declared by the governor[.]” The covered data subject to the new protections includes “personal data and one or more of the following: specific geolocation data, proximity data, or personal health data.”
While the new Bill presents the opportunity for the State of Washington to fill the gap created by the absence of comprehensive federal protection, the Bill still lacks a private right of action, which was one of the primary reasons for the predecessor bill’s failure to pass. You can access the entire Bill here or view an overview, with helpful comparisons to the CCPA and the predecessor bill, here.