This week, Consumer Reports published a Model State Privacy Act. The Consumer advocacy organization proposed model legislation “to ensure that companies are required to honor consumers’ privacy.” The model legislation is similar to the California Consumer Privacy Act, but seeks to protect consumer privacy rights “by default.”  Some additional provisions of the model law include a broad prohibition on secondary data sharing, an opt-out of first-party advertising, and a private right of action in addition to enforcement by state Attorneys General.

While the introduction of a model privacy law is an interesting development, we also continue to track state privacy laws in multiple states right now, as several states have recently introduced consumer privacy legislation. Connecticut, Massachusetts, Illinois, Minnesota, New York and Utah recently saw the introduction of new privacy legislation. As legislative sessions move forward into 2021, we expect even more states to follow suit.

Our list of pending state privacy legislation includes:

We will continue to provide updates as these bills move forward.

New York Governor Andrew Cuomo recently announced his proposal for a comprehensive data security law that will “provide New Yorkers with transparency and control over their personal data and provide new privacy protections.” The proposal also would establish a Consumer Data Privacy Bill of Rights that would guarantee “the right to access, control, and erase the data collected from them; the right to nondiscrimination from providers for exercising these rights; and the right to equal access to services.”

According to the state of New York’s website announcing the initiative, the proposal also “expressly protects sensitive categories of information including health, biometric and location data and creates strong enforcement mechanisms to hold covered entities accountable for the illegal use of consumer data. New York State will work with other states to ensure competition and innovation in the digital marketplace by promoting coordination and consistency among their regulatory policies.”

This proposal is promising and, if passed, it would mean that New York would join California in enacting a comprehensive consumer privacy law. We will follow the proposal closely to see if this new proposal will add to New York’s Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which passed in 2017 and established cybersecurity regulations for the financial services industry.

Canon U.S.A. Inc. (Canon) was hit with a class action lawsuit in the U.S. District Court for the Eastern District of New York this week for the ransomware attack that exposed current and former employees’ personal information in November 2020. The plaintiffs reside in Ohio, New York, Florida and Illinois, and allege that Canon was negligent in protecting employee data and violated state trade practice laws by failing to guard against such an attack. The plaintiffs further allege that Canon failed to notify the affected individuals in a timely manner.

The attack on Canon occurred in August 2020 and affected current and former employees from 2005 to 2020, as well as their beneficiaries and dependents. The information affected included Social Security numbers, driver’s license numbers, financial account numbers, electronic signatures, and dates of birth. The plaintiffs are seeking certification of a nationwide class.

On December 18, seven states entered into a settlement agreement with e-retailer CafePress for $2 million stemming from a 2019 data breach that exposed information of approximately 22 million consumers. The breach affected consumers’ personal information, including usernames and passwords, Social Security numbers and/or Taxpayer Identification numbers.

Of the $2 million, $750,000 will be an immediate payment divided among the states: New Jersey, New York, Connecticut, Indiana, Kentucky, Michigan and Oregon.

According to the settlement agreement, if CafePress improves its data privacy practices, the states have agreed to suspend the balance of the settlement. Those improvements include implementing a comprehensive cybersecurity program that is updated and assessed regularly, a data breach notification plan (including preparation, detection, analysis, containment, eradication and recovery), as well as other safeguards like encryption, segmentation and penetration testing. CafePress must also update its disclosures to consumers including information on account closure and data deletion. The company must also have a third-party risk assessment for the next five years.

If you live in a single-family home within a one-and-a-half-mile radius of the east side of the Walmart store in El Paso, Texas, in a single-family home within a one-mile radius of the North Las Vegas Walmart store, or within a one-mile radius of the Cheektowaga, New York Walmart store, then you are eligible to take part in the COVID-19 testing delivery-by-drone pilot program. It works like this: a drone drops off a testing kit with a self-administered nasal swab; the patient then ships the sample to Quest Diagnostics using a pre-paid shipping envelope. The results are provided to the patient online.

With the rising number of COVID-19 cases in these areas, the hope is to provide more testing and accessibility.

This program is available only while supplies last. It is offered Monday through Saturday from 9:30 a.m. to 4:30 p.m. and Sunday from 10 a.m. to 4:30 p.m. This is yet another example of drones potentially increasing efficiency and improving accessibility for health care.


Continuing its enforcement priority of assisting patients with obtaining access to their health records, the Office for Civil Rights (OCR) recently settled its ninth case with a covered entity that it alleged failed to provide a patient with proper access to her health records.

NY Spine Medicine, a medical practice providing neurological and pain management services to patients in New York and Florida, agreed to settle allegations of failing to provide a patient access to her medical records for $100,000 and a corrective action plan.

The OCR alleges that the patient made multiple requests for her medical records from NY Spine Medicine in 2019, but did not receive the diagnostic films she specifically requested. She complained to the OCR, which opened an investigation. The OCR determined that “NY Spine’s failure to provide timely access to all of the requested medical records was a potential violation of the right of access standard. As a result of OCR’s investigation, the complainant received all of the requested medical records in October 2020.”

The OCR has made it very clear that providing patients with timely access to their health information is a high priority, so careful consideration of this priority is essential when responding to patients’ requests for their records.


As our previous post stated, the commercial use of drones, or small unmanned aerial systems (sUAS), for urban real estate and construction has gained some traction with the passage of the New York City Council’s bill requiring the Department of Buildings (DOB) to study the feasibility of using sUAS to inspect building facades. With this new bill, as well as other metropolitan cities that will surely follow suit, one of the biggest issues on the forefront for the public at large is privacy.

Think about it: how would you feel if a drone flew over your house while you were in your private backyard, enclosed by a fence, sunbathing? Watering your garden? Playing soccer with your kids? Or sitting at your desk and a drone hovered by your window? Your answer probably rests on who was flying the drone and the reason for flying the drone. However, if you are like many others across the U.S., you would probably have some privacy concerns. As bills like the New York City Council’s pass, the public wants to know how the proliferation of such drones will affect their privacy and what the legal limits are for these drones.

The Federal Aviation Administration’s (FAA) sUAS regulations (Part 107) do not address privacy issues. Essentially, as long as the drone operator is compliant with operational restrictions and has obtained appropriate waivers and permissions as needed, there are no other federal restrictions on flights when it comes to preserving public privacy, even over your backyard or in front of your office window in the skyscraper in which you work.

If you look at the public perception of drones and privacy, of the 1,047 participants cited in a 2019 study by the College of Aviation at Embry-Riddle Aeronautical University, most said they were not concerned about hobbyists, construction or real estate companies, but were more concerned with drones operated by the government, military or law enforcement, with unmarked drones generating the most privacy concerns.

So where do we stand on privacy and drones in the United States? Well, it’s a gray area. As noted above, the FAA’s Part 107 rule does not specifically deal with privacy issues, and the FAA does not (and has not agreed to) regulate how sUAS gather data on people or property. The FAA says that it “strongly encourages all [s]UAS pilots to check local and state laws before gathering information through remote sensing technology or photography.” Where does that leave us? Where should companies look for guidance?

In 2016, privacy groups and industry stakeholders participating in the National Telecommunications & Information Administration (NTIA) Multi-Stakeholder process released a set of best practices for commercial and private drone use. Participants included Amazon, AUVSI, Center for Democracy and Technology, Consumer Technology Association, CTIA, FPF, Intel, X (formerly Google X), New America’s Open Technology Institute, PrecisionHawk, SIIA, Small UAV Coalition, and many media organizations. Those “best practices” included:

  • Informing others of your use of drones (i.e., where reasonable, providing prior notice to individuals of the general timeframe and area where you may anticipate using a drone to collect identifiable data);
  • Showing care when operating drones or collecting and storing personally identifiable data (i.e., retaining only information that you must retain and de-identifying information when possible);
  • Limiting the use and sharing of identifiable data;
  • Securing identifiable data; and
  • Monitoring and complying with evolving federal, state and local drone laws and regulations.

This is a great place to start as it brings us back to the basics of privacy. Whether it’s the collection of information from consumers or employees or data gathered through the use of a drone, it all comes down to transparency. However, these are only best practices – not laws or regulations. So, is there any accountability? The industry, the FAA, and local and state lawmakers are working on it. Right now, we have to look to a smorgasbord of privacy and aviation laws and apply them to drone flights and data collection.

From a federal perspective, the FAA Part 107 rules do not allow for flights over people unless the pilot obtains a special waiver. In New York City for example, you’d be hard pressed to find a street that isn’t densely packed with people. Further, most of New York City is controlled Class B airspace because of its airports. Again, to fly in these areas, the pilot would need FAA authorization. This is not to say that the FAA won’t issue a waiver or provide the authorization.

But the FAA has now proposed a rule for flights over people, which would allow drone flights over people if the drone falls within one of three new categories, which are based on injury-risk factors. Drones in the highest-risk category would be prohibited from hovering over open-air assemblies of people unless they are in a closed or restricted-access area, such as a stadium, and the authorities have been notified of the drone operation. Further, any drone that will fly over people must bear a label identifying its category, except those in the lowest-risk category (i.e., drones weighing 0.55 pounds or less). Manufacturers of drones weighing more than 0.55 pounds that want them to qualify for flights over people must certify that the drones meet specified impact-force thresholds and will not contain exposed propellers or rotating parts that will cut human skin. They also must provide pilot instructions, allow FAA inspections, have procedures to notify the FAA and the public of safety defects, and keep records related to the drones. NOTE: nowhere in this proposed rule is the issue of privacy addressed. Again, the industry and stakeholders must weigh in and create a standard if the law lags behind.

However, the FAA also recently proposed a rule on remote identification of sUAS. The rule would facilitate the collection and storage of certain data, such as identity, location, and altitude, regarding an unmanned aircraft and its control station. The period for comment on the FAA’s published notice of proposed rulemaking on remote identification closed on March 2, 2020. The FAA is now targeting 2021 as the launch of its remote ID program, which would permit police officers, aviation authorities and other public officials to search for a drone by a broadcast unique identifier to find out who the operator is. Will this put the public more at ease? If a drone is hovering, with no markings, and you call your local police department, presumably they’d be able to identify the individual operator and take action. We’ll see what the future holds.

While the future of drones and privacy is unclear and still evolving, one thing is certain – to ensure that drone technology benefits society as a whole, any proposed frameworks should include an eye towards privacy.