Cybersecurity Is an Affair of States Too
February 26, 2019
Companies face ever-increasing threats that they—and the private information of their customers—will be subjected to assault from malicious online actors, who are often part of transnational criminal organizations. While the Federal Trade Commission and other federal agencies are often seen as the lead enforcers of privacy and consumer protection laws in the United States, states are increasingly taking a more prominent role in cybersecurity matters.
This month, New Mexico Attorney General Hector Balderas, who recently became Chair of the bipartisan Conference of Western Attorneys General (CWAG), announced an initiative that will bring together leaders from corporate, nonprofit, and government sectors to use technology to bolster cybersecurity. For example, the initiative calls for increased enforcement of child online privacy protection laws, and for strengthening and collaborating on data-breach notification laws. According to CWAG, the effort will also tackle human trafficking by creating a multi-district system that uses secure and encrypted communications between state law enforcement officials. Through this initiative, this group of state attorneys general aims to promote collaboration in combatting shared cybersecurity threats.
The CWAG initiative follows significant cybersecurity and privacy law developments in California. In response to the growing cybersecurity threat, there has been a spate of new legislation in the last few years. In June 2018, California enacted the California Consumer Privacy Act (CCPA), a sweeping digital privacy law that grants consumers more control over their personal information collected online and, in some contexts, offline as well. The CCPA aims to accomplish three major goals for consumers:
- ensure their right to know what information companies are collecting about them, the purposes for such information collection, and whom companies are sharing information with;
- make it easier for consumers to instruct businesses not to sell personal information in certain circumstances; and
- permit both state attorney general and private civil lawsuits against companies in the event of a qualifying data breach resulting from the failure to use reasonable security measures.
These new regulatory requirements and proposals coincide with the California Attorney General’s recent settlements with private companies over alleged privacy violations. Last month, Aetna agreed to pay the state $935,000 for a 2017 privacy breach that affected 1,991 Californians and 12,000 total patients. Plaintiffs also received more than $17 million in a private class-action settlement. Aetna had allegedly violated California privacy laws when it sent patients instructions for their HIV medications in an envelope that inadvertently revealed their HIV status. In addition to paying the fine, Aetna was required to implement mailing procedures to ensure the confidentiality of medical data and to designate an employee who would be responsible for the integrity of the new mailing program. The Aetna settlement is one of the latest in a series of state attorney general privacy enforcement actions.
If the provisions of the CCPA are replicated in other states—and, given the interest of attorneys general from around the country, it is likely that they will—any company that mishandles consumers’ data could face substantial liability in multiple jurisdictions. Keeping apprised of these regulatory and enforcement developments while shoring up defenses against hackers is a challenging endeavor, but doing so will pay off by significantly lowering future legal risk.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Daniel R. Suvor, an O’Melveny partner licensed to practice law in California, Scott Pink, an O’Melveny special counsel licensed to practice law in California, and Antoinette Rangel, an O’Melveny associate licensed to practice law in New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.