What You Need to Know About Data Privacy and Cybersecurity: Current trends, laws and pending legislation
Attorney Q&A with Sasha Beling and Zach Oubre
In recent months, cybercrimes across the U.S. have tripled, and several high-profile breaches of personal data have impacted as many as 3.5 billion people. As cyberattacks and data breaches increase threats against businesses and governments, federal and state lawmakers are ramping up legislative efforts to combat these trends.
On Data Privacy Day 2021, McAfee & Taft launches a new Q&A video series focused on “What You Need to Know About Data Privacy and Cybersecurity.” In this first Q&A, McAfee & Taft attorneys Sasha Beling and Zach Oubre review recent developments on the state, federal and international levels that govern how businesses collect, use and protect people’s personal information. They also discuss what to watch for this year as legislators and regulators strive to catch up to the increasing threats to individuals, businesses and governmental entities on all levels with legislation and regulations.
Q: Currently, what federal or state laws govern how businesses collect, use and protect people’s personal information?
Sasha Beling: The U.S. currently doesn’t have a single, comprehensive federal law that regulates data privacy and the use of personal information. There is a patchwork of federal and state laws and regulations and common law principles that overlap and sometimes contradict one another. Recent increases in data security breaches have led to an expansion of this patchwork, which is becoming one of the fastest-growing areas of legal regulation.
Q: What significant changes have you seen with data privacy laws at the state level?
Zach Oubre: The most significant was the California Consumer Protection Act, or what’s come to be known as the CCPA. Modeled after the European GDPR, the CCPA went into effect on January 1st of 2020 and began to be enforced in July of 2020. It imposes obligations on businesses that collect or receive personal information from California residents and importantly, the law is not limited necessarily to businesses that operate out of the state of California. And so that was probably the most significant change at the state level.
Another huge change in 2020 came in November where the CCPA was amended by the California Privacy Rights Act, and that amended the CCPA in a few ways, the most notable being the creation of the first government agency dedicated to the protection of consumer information. And that’s out of California. That agency will be enforcing the CCPA in the coming years. It’s something to watch out for.
And then in early 2020, a lot of other states proposed bills to enact laws similar to the CCPA, like Washington and Maine. But a lot of those bills died, primarily due to COVID-19 and states dealing with the pandemic. But one notable thing that took place in a state other than California was in Illinois. That state continues to have litigation concerning its Biometric Information Privacy Act, and Facebook settled a class action suit under that act in 2020 for a whopping $650 million. So 2020 saw a significant change in U.S. state-level privacy law and enforcement.
Q: What significant changes have you seen with data privacy laws at the federal level?
Beling: At the federal level in 2020, we saw numerous pieces of legislation addressing data privacy and cybersecurity issues, but many of those weren’t passed. At the end of 2020, the Internet of Things Cybersecurity Act was signed into law, which established minimum security requirements for Internet of Things connected devices that are owned or controlled by the federal government. Simply, Internet of Things — or IoT devices — refers to electronic devices that are capable of being connected to the internet, such as your router or smart TV or smart refrigerator.
Q: What significant changes have you seen with data privacy laws internationally?
Beling: There were significant changes that occurred outside the U.S. that could impact you as companies. For example, for the past several years, companies have been able to use the EU-U.S. Privacy Shield Framework as a way to transfer personal information of European users to the United States. However, in July of 2020, the European Court invalidated the EU-U.S. Framework. It puts some companies in a hotspot because if they didn’t use one of the other mechanisms that’s outlined in the GDPR and they were using this framework, they needed to find a new mechanism through the regulation. But a lot of companies didn’t want to do those frameworks just because it was more onerous. This was like the least onerous for U.S. companies to do. And now it’s kind of put them in a bind of, okay, either they need to scramble to try to get one of those other mechanisms in place, or see if the U.S. and EU come to another framework.
Q: What should we watch for in 2021 and beyond with legislation and regulation among states?
Beling: In 2021, we expect to see states introduce legislation addressing data privacy and cybersecurity issues. For example, Washington has reintroduced for the third time legislation regulating the use and collection of personal information of Washington residents. New York has proposed legislation addressing safeguards and use of biometric identifiers. Oklahoma has introduced legislation that gives Oklahoma residents more control over the use and collection of their personal information. The Oklahoma legislation has also provided a private right of action for Oklahoma residents, for companies that fall foul of the requirements of this legislation should it pass.
This new Oklahoma legislation is new for Oklahoma businesses for having to safeguard and protect how they use personal information of Oklahoma residents. Some Oklahoma businesses may already be familiar with this because a lot of the proposed concepts that are in the California law, the California Consumer Protection Act, have been carried over into this legislation. Should this legislation become law as drafted, some of the ramifications can be regulatory fines or exposure to a personal right of action from an Oklahoma resident. We’ll continue to watch this legislation as it makes its way through the Oklahoma legislative session this year. And once we know more and whether or not this bill will become law, we’ll have further developments as to the legal requirements and what Oklahoma companies can expect with this legislation.
Q: What should we watch for in 2021 and beyond with legislation, enforcement and litigation at the federal level?
Oubre: Expect a lot of changes in 2021, 2022, 2023, as states like Oklahoma continue to propose and potentially enact bills governing the collection and use of consumer data by businesses. There is likely to be a greater push for a law at the federal level for consistency among enforcement so that businesses know what they have to do across the United States, rather than look at all these individual state laws for what their obligations are.
The Biden administration is expected to focus on the passage of a federal cybersecurity law, try to push the FTC to enforce current law, and to work with European nations to try to harmonize the differences between privacy law abroad versus those here domestically. And that’s expected largely because Vice President Harris, who in 2012 was the AG of California, created the Privacy Enforcement and Protection Unit in that state. So there’s likely to be a push at the federal level in the next four years for a federal cybersecurity law.
And another thing to watch out for in the realm of cybersecurity at the federal level is the Supreme Court’s stand on TransUnion v. Ramirez, and whether or not individuals have standing to be a class member in a class action revolving around a data breach if those individuals didn’t suffer actual harm from a theft of their identity or other fraud with their private banking information or their Social Security number. So currently, there’s a split among circuits as to whether or not you can have a class action of people that are only theoretically and potentially harmed by a data breach or those that are actually harmed because someone took their Social or their credit card or just falsely impersonated them. And this Supreme Court will hopefully, in the summer of this year, give us clarity as to those items.
So things to watch out for: a lot of movement at the federal level and state level in cybersecurity in 2020 and 2021, and it’s certainly going to be a very fluid fast-moving area of law as the future progresses.