Cybersecurity Is an Affair of States Too

Companies face ever-increasing threats that they—and the private information of their customers—will be subjected to assault from malicious online actors, who are often part of transnational criminal organizations. While the Federal Trade Commission and other federal agencies are often seen as the lead enforcers of privacy and consumer protection laws in the United States, states are increasingly taking a more prominent role in cybersecurity matters.

This month, New Mexico Attorney General Hector Balderas, who recently became Chair of the bipartisan Conference of Western Attorneys General (CWAG), announced an initiative that will bring together leaders from corporate, nonprofit, and government sectors to use technology to bolster cybersecurity. For example, the initiative calls for increased enforcement of child online privacy protection laws, and strengthening and collaborating on data-breach notification laws. According to CWAG, the effort will also tackle human trafficking by creating a multi-district system that uses secure and encrypted communications between state law enforcement officials. Through this initiative, this group of state attorneys generals aims to promote collaboration in combatting shared cybersecurity threats.

The CWAG initiative follows significant cybersecurity privacy law developments in California. In response to the growing cybersecurity threat, there has been a spate of new legislation in the last few years. In June 2018, California enacted the California Consumer Privacy Act (CCPA), a sweeping digital privacy law, granting consumers more control over their personal information online and in some contexts offline data collection as well. The CCPA aims to accomplish three major goals for consumers:

• ensure their right to know what information companies are collecting about them, the purposes for such information collection, and whom companies are sharing information with;
• make it easier for consumers to instruct businesses not to sell personal information in certain circumstances; and
• permit both state attorney general and private civil lawsuits against companies in the event of a qualifying data breach resulting from the failure to use reasonable security measures.

The law will not go into effect until 2020, but the CCPA is already having national implications. On February 26th, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson unveiled SB 561, new legislation to modify the CCPA. SB 561 would remove the onus for the Attorney General’s to provide his or her opinion on CCPA compliance to businesses and instead states that the Attorney General may provide guidance on how to comply, softening the Attorney General’s advisory role. The proposed changes would also eliminate language that allows companies to cure CCPA violations before enforcement actions are taken. The proposal also adds a private right of action to “any consumer whose rights under this title are violated,” which dramatically expands the individual rights protected under CCPA, along with increased litigation risk for businesses. Last month, a new bill titled the “Washington Privacy Act” (WPA) was introduced in the Washington State Senate similar to CCPA in its protection of personal data collected online and offline. Washington would be the second state to adopt a comprehensive privacy law and more states will likely follow. State attorneys general from North Carolina, Oregon, Virginia, and Washington say they are looking to California for guidance on new legislation to bolster consumer data privacy laws in their states.

These new regulatory requirements and proposals coincide with the California Attorney General’s recent settlements with private companies over alleged privacy violations. Last month, Aetna agreed to pay the state $935,000 for a 2017 privacy breach that affected 1,991 Californians and 12,000 total patients. Plaintiffs also received more than $17 million in a private class-action settlement. Aetna had allegedly violated California privacy laws when it sent patients instructions for their HIV medications in an envelope that inadvertently revealed their HIV status. In addition to paying the fine, Aetna was required to implement mailing procedures to ensure the confidentiality of medical data and to designate an employee who would be responsible for the integrity of the new mailing program. The Aetna settlement is one of the latest in a series of state attorney general privacy enforcement actions.

If the provisions of the CCPA are replicated in other states—and, given the interest of attorneys general from around the country, it is likely that they will—any company that mishandles consumers’ data could face substantial liability in multiple jurisdictions. Keeping apprised of these regulatory and enforcement developments while shoring up defenses against hackers is a challenging endeavor, but doing so will pay off by significantly lowering future legal risk.

---

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Daniel R. Suvor, an O’Melveny partner licensed to practice law in California, Scott Pink, an O’Melveny special counsel licensed to practice law in California, and Antoinette Rangel, an O’Melveny associate licensed to practice law in New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2019 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising.  Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.