More states, including Ohio, are working on comprehensive consumer privacy laws that could impact how companies share data. In our August 2021 Privacy and Security Roundup, we cover the nuances in the various legislation, more ransomware and supply chain attacks and news of a messaging app used as a Trojan horse by the FBI.
A new comprehensive consumer privacy law
On July 8, 2021, Colorado became the third state to enact a comprehensive privacy law, known as the Colorado Privacy Act (CPA). Similar to the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA), Colorado’s legislation aims to give consumers greater control over their personal data. Notably, the CPA shares some features with the E.U.’s GDPR, including a requirement for “controllers” to conduct data protection assessments for certain processing activities and a requirement that controllers and “processors” enter into contracts that provide specific instructions concerning how personal data is processed.
Effective July 1, 2023, the CPA broadly provides the right to:
- Opt-out of processing of personal data;
- Access, correct or delete personal data; and
- Obtain a portable copy of the data.
As with the CCPA, CDPA and GDPR, the Colorado Privacy Act has extraterritorial reach and applies to entities that conduct business or produce products/services that intentionally target Colorado residents and either: (1) control or process personal data of 100,000 consumers (defined as Colorado residents) per year; or (2) derive revenue or receive a discount from the sale of personal data and control or process the personal data of at least 25,000 consumers.
Significantly, the CPA does not apply to personal data governed by the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Rule (COPPA) and the Family Educational Rights and Privacy Act (FERPA), and it explicitly omits individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context. The CPA does not provide a private right of action and is enforced by the Colorado Attorney General. It includes a 60-day cure period to rectify non-compliance, but that cure period is subject to a sunset provision effective Jan. 1, 2025. In the case of an enforcement action, no explicit fine amounts are within the statute. However, a violation of the CPA is classified as a deceptive trade practice, meaning penalties are governed by Colorado’s Consumer Protection Act, and a noncompliant entity could potentially face penalties of up to $20,000 per violation. Generally, commenters view the CPA as incremental, suggesting companies may not need to roll out substantially new compliance measures. That said, as with any new state privacy legislation, the biggest hurdle may be compliance with rules that have subtle and nuanced differences.
Ohio may soon join California, Colorado and Virginia in enacting a comprehensive data privacy law
On July 12, 2021, Ohio lawmakers introduced HB 376, the Ohio Personal Privacy Act (OPPA). Overall, the legislation’s reach appears somewhat more limited in comparison to California’s CCPA and Colorado’s CPA. Specifically, the OPPA would apply to entities that conduct business in Ohio or produce products or services targeted to consumers in the state and:
- Have annual gross revenues generated in Ohio greater than $25 million;
- Control or process personal data of 100,000 or more consumers (defined as Ohio residents acting individually or in a household context) in a calendar year; or
- Derive over 50 percent of gross revenue from the sale of personal data during a calendar year and process or control personal data of 25,000 or more consumers.
The OPPA would not apply to GLBA-governed data, HIPAA-covered entities or business associates, higher education institutions and business-to-business transactions, among other carve-outs. Also, certain data sets would be outside the scope of the OPPA, including HIPAA-protected health information, certain types of FCRA-related data, data under FERPA and employment-related data.
While still early in the legislative process, the OPPA also includes a unique safe harbor in line with the Ohio Data Protection Act to encourage businesses to adopt the National Institute of Standards and Technology (NIST) privacy framework. Specifically, a company would have an affirmative defense where it creates, maintains and complies with a written privacy program that reasonably conforms to the NIST framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.”
Some clarity on transatlantic data flow: Modernized standard contractual clauses
On June 4, 2021, the European Commission adopted a new set of standard contractual clauses (SCCs), effective June 27. Under the European Union (E.U.) General Data Protection Regulation (GDPR), SCCs are a key mechanism for the lawful transfer of data from the E.U. to third countries and provide a contractual means to protect the personal data of E.U. citizens. As discussed in this blog by Porter Wright’s Katja Garvey, the release of modernized SCCs for international data transfers was highly anticipated due to the scope of uncertainty created by the Schrems II decision in July 2020. Not only did that decision invalidate the EU-US Privacy Shield, another significant lawful basis for international data transfers from the E.U., it also called into question the validity of the previous iteration of SCCs. The new SCCs account for the Schrems II decision and are the European Commission’s attempt to address the realities faced by modern business. Notwithstanding concerns of the intelligence community, for global businesses the new SCCs are a significant development and will allow companies to meet GDPR requirements when transferring personal data from the E.U. to third countries. For more details, please see Katja’s post on our Technology Law Source blog.
Items to know and keep in mind going forward
More fallout from Colonial Pipeline: Ransomware gains are not out of reach to law enforcement
Ransomware attacks continue to garner headlines and the attention of businesses. In one widely publicized attack, the world’s largest meat processing company reportedly made the difficult decision to pay a ransom equivalent to $11 million, while ransomware attackers allegedly managed to disrupt several local east coast television stations. Yet, in a somewhat more positive development, the FBI’s seizure of $2.3 million in bitcoin from the Colonial Pipeline ransomware payment upends the misconception that bitcoin is wholly untraceable. Without a doubt, the most surprising factor behind this development was the FBI’s ability to obtain the attacker’s private key. While the distributed ledger behind bitcoin and the public keys used to conduct transactions are public, the private keys used to keep wallets secure are another matter. It is unclear how the FBI managed to obtain the private key. However, the FBI likely did not rely on any underlying vulnerability in the blockchain technology. Assuming the FBI would like to preserve its ability to seize such ransom payments in the future, naturally there are few publicly available technical details. While seizure of similar payments from a banking institution is not a novel occurrence, commentators have noted the FBI seizure here may be seen as a positive step towards further legitimizing cryptocurrencies like bitcoin, which some believed were outside the reach of law enforcement.
Another widespread supply chain attack
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency confirmed on July 4, 2021, that Kaseya, a company that provides IT management services to enterprise clients, was the victim of a ransomware attack. The attack exploited a vulnerability in the company’s “VSA” platform, a cloud-based IT management and remote monitoring service utilized by multiple managed service providers and their customers. For context, a managed service provider (MSP) is an entity that remotely manages, oversees and completes day-to-day services for businesses’ IT systems. Following discovery of the compromise, Kaseya leadership indicated that only a small percentage of its customers were affected. However, as demonstrated by the SolarWinds attack, compromising a vendor’s software to push malicious updates to customers means that the actual impact is almost certainly more widespread. This is underscored by the fact that Kaseya’s clientele includes MSPs utilized by many small and medium-sized businesses, and commentary suggests that as many as 1,500 downstream networks were compromised. Although the company announced that it obtained the decryptor from a trusted third party three weeks after the initial attack, it is still unknown whether Kaseya paid the $70 million ransom for the universal key. Moreover, Kaseya’s tight-lipped response to the incident has led to frustration, given that network owners may have already spent significant resources to restore their systems. More broadly, this latest and widely publicized incident may hint at future hybrid attacks that couple a supply chain vulnerability and ransomware with widely disruptive and potentially lucrative consequences.
ANOM: The FBI’s fake encrypted messaging platform
June 8, 2021, saw revelations that a government-run encrypted phone tailored for criminal activity led to a wave of arrests that began in Australia and stretched across Europe. The FBI operated its own encrypted device company, “ANOM,” which sold more than 12,000 encrypted devices and services to criminal syndicates operating across the globe. As part of the operation, criminal users allegedly promoted and communicated on the system “lawfully operated by the FBI,” enabling the agency to catalog millions of messages related to criminal activity that users thought were protected from law enforcement. According to the unsealed warrant, ANOM devices located outside the U.S. were configured to “blind copy” all messages to an FBI-controlled platform. However, for ANOM devices located in the U.S., the FBI used an arrangement with Australian authorities (and possibly an E.U. partner) as a work-around to a proscription on collection against U.S. persons. Despite the success touted by the Department of Justice, the techniques employed by “Operation Trojan Shield” raise several complicated legal questions about privacy and surveillance.