News and Commentary Impacting Data Privacy and Cybersecurity Programs

In this edition, we update you on:

  • New Jersey’s new consumer privacy law
  • Data Privacy Day 2024 – ideas and resources
  • First American Title’s incidents – initial lessons
  • Boardroom liability for failing to oversee privacy and data security risks

New Jersey Data Privacy Act (NJDPA)

Does your organization offer products or services to New Jersey consumers? On January 16, New Jersey became the 13th state to pass a comprehensive consumer privacy law. The new law will take effect January 16, 2025. The NJDPA most closely resembles its 2023 predecessors in Connecticut and Virginia. We highlight key differences:

  • While other state laws cover entities controlling or processing the personal data of 100,000 or more consumers or, alternatively, 25,000 consumers while generating a certain percentage of total revenue from the sale of their data, NJ broadens the 25,000-consumer threshold to include situations where the organization derives any revenue from the sale of personal data, regardless of relationship to overall revenues;
  • NJ joins CA and CO among the states empowering an agency, in this case the Director of the Division of Consumer Affairs, to promulgate any necessary regulations, although the law sets no specific timeline to do so;
  • “Sensitive data” is broader, sweeping in consumer financial account information (e.g., payment card with PIN or password), thereby putting such data on equal footing with racial, ethnic, health, genetic, biometric information, and information collected from children;
  • “Biometric data” is broader, adding facial recognition and “behavioral patterns”, with the latter term arguably encompassing cookies, pixels, and other tracking technologies that track user “clicks” and online behavior;
  • The NJDPA sets up a potential obstacle to standardizing a global opt-out preference signal or universal opt-out mechanism (“UOOM”) (such as the Global Privacy Control or GPC). The states to mandate use of a UOOM (CA, CO, MN, and TX) generally do so as one of the methods that an individual may use to opt out of two types of processing activity: personal data sales and targeted advertising. NJ’s law adds a third category of activity, requiring a UOOM for the individual to opt out of “profiling” (in short, automated decision making for loans, employment, housing, insurance, health care, and so on). If the states vary the number and types of opt-outs that may be signaled by a UOOM, it will be harder and therefore less likely for the market to develop and adopt a universal mechanism. 

(Next up: New Hampshire’s Expectation of Privacy Act passed on January 18, 2024 and awaits the governor’s signature. We will update you on that law in our February newsletter.)

Action items before January 2025:

  • Determine whether your organization comes within the NJDPA’s broader coverage threshold.
  • Assess whether broader definitions of “sensitive data” and “biometric data” require updates to your public-facing privacy notice and internal privacy/infosec policies.
  • Monitor the development of regulations that may clarify compliance obligations.
  • Research market options for universal opt-out mechanisms.

International Data Privacy Day 2024

January 28 is International Data Privacy Day. Consider raising data protection awareness within your organization by:

  • In the days leading up to and immediately following January 28, add an agenda item to your team meeting or your board meeting that reviews the importance of data privacy to the business or a particular privacy law that applies to the business;
  • Quiz team members on features of the company’s privacy policy or related policies in the employee handbook;
  • E-mail employees with resources that will help them protect their own personal data, like this guide about “How to protect yourself from deepfakes”;
  • Access free Data Privacy Day materials and toolkits, including posters, quizzes, discussion topics, and other programming ideas offered by organizations like the National Cybersecurity Alliance and OneTrust.  

Privacy professionals interested in predictions for national and global data privacy regulation and enforcement in 2024, and how three global companies are tackling the increasing complexities, will enjoy this one-hour LinkedIn live discussion moderated by the International Association of Privacy Professionals.

Tough Times for First American Title

On December 21, 2023, the nation’s second largest title insurer, First American Title, disclosed that it had suffered an unspecified cyberattack that effectively caused it to shut down its website and unplug virtually all of its IT systems from the Internet. Commercial real estate attorneys reported that First American representatives had no access to company e-mail or phone systems, and were communicating exclusively by cell phone. The company had to stand up a new and separate website just to provide updates on the incident. Reports on that site and in filings with the Securities and Exchange Commission reflect that as of January 8, 2024, the company had contained the incident and had restored all of its systems. Although the company has stopped short of stating that this was a ransomware incident, it disclosed its belief that the attacker “exfiltrated data and encrypted data on certain non-production systems.” We are sure to learn more about the nature and scope of this incident in days to come.

Unfortunately for First American, this incident happened just weeks after it paid $1 million to settle an enforcement action by the New York Department of Financial Services (“NYDFS”) over a 2019 cyber incident. That incident involved a malfunction in the company’s proprietary EaglePro file transfer and storage application that allowed authorized users of the software to access the files of other, unrelated users. According to the NYDFS, the ultimate cause of the malfunction was First American’s failure “to maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and procedures.” Read the full consent order and remediation requirements here.

Takeaways: Imagine the worst-case scenarios that could take your business completely offline, and assess and test the adequacy of your incident response, business continuity, and disaster recovery plans and systems. Identify systems and applications that process sensitive data, review and test access controls to those systems, and monitor system access for unusual patterns and activity. Understand your regulatory reporting obligations, if any, concerning cybersecurity incidents. Review the adequacy of your cyber insurance coverage for the defense of regulatory actions.

Cyber and Privacy Liability in the Boardroom: Keeping an Eye on Caremark

As state consumer privacy laws proliferate and regulator guidance matures into actual regulation with penalties, we are monitoring court decisions on board director oversight liability. Caremark claims involve allegations that directors breach their fiduciary duty of loyalty when they make no good faith effort to implement reporting systems or controls regarding mission-critical business risks; or when having implemented such systems or controls, they consciously fail to monitor or oversee system operations and ignore “red flags” indicating that the company is violating law.

To date, courts that have examined Caremark claims related to board oversight of cybersecurity have dismissed such claims, at least in part, on the lack of evidence of any known violation of “positive law”. (See, for example, cases against the SolarWinds board in 2022 and the Marriott board in 2021.) In those cases, the courts declined to equate violations of non-binding industry standards like the Payment Card Industry Data Security Standard and regulatory guidance like former SEC cybersecurity guidance with violations of law. However, as standards and guidance become law (as we have seen with last year’s adoption of the SEC cybersecurity rule), query whether the courtroom door is open to Caremark claims where the board ignores violations of privacy and data security laws.

Takeaways: Determine whether cybersecurity and data privacy present mission-critical risks to your organization. Document that determination. Prepare the board to be able to demonstrate good faith oversight. Establish and document board-level policies and systems for assessing and managing the company’s privacy and data security risks, and for reporting and responding to incidents.

For further information or guidance on these issues, please contact:

Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.575.2649
syoder@carmodylaw.com

This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.