Parkview Health Decision Highlights Vicarious Data Breach Liability Risk in the United States

A recent decision in Indiana highlights the data security liability risks facing employers based on the actions of their employees, extending vicarious liability even to cases where the employees were acting wholly for personal purposes. In SoderVick v. Parkview Health Sys., Inc., the Court of Appeals of Indiana reversed summary judgment in favor of the defendant, reviving claims of respondeat superior against Parkview Health Systems, Inc. (“Parkview”) where the hospital’s employee texted personal health information to a third party. No. 19A-CT-2671, 2020 WL 2503923 (Ind. Ct. App. May 15, 2020). We recently noted a decision of the Supreme Court of the United Kingdom in WM Morrison Supermarks plc v. Various Claimants (“Morrison”) where the Court made the contrary determination, ruling that the large supermarket chain Morrison could not be held vicariously liable as a matter of law for the intentional acts of a rogue employee who posted the payroll data of Morrison employees on the Internet. But as we also explained, businesses that collect personal information should be cautious about reading too much into that ruling: while the Court allowed the appeal in favor of Morrison, the decision turned on the particular facts of the case (where the rogue employee actively tried to damage his employer). The Parkview Health decision further underscores this need for caution, especially with increased remote work due to COVID-19 where the risk of employers being sued over security breaches caused by their employees is, unfortunately, ever-increasing. READ MORE

Legislative Update: Privacy Bills Not Immune to COVID-19 As Legislative Efforts Persist and Evolve

Today, we are all facing a public health crisis unlike any other we have seen in our lifetime. In addition to serious consequences to global health, the COVID-19 pandemic has created significant disruption in the legal system and privacy law initiatives have not been immune to the virus’s impact. With many state legislatures nearing or at the end of legislative sessions taken over by pandemic priorities, state privacy bill initiatives across the country are grinding to a halt. However, some lawmakers are pushing forward with targeted proposals to protect individual privacy in the face of COVID-19 and some states, particularly California, continue public and private efforts to bolster privacy in their jurisdiction. Below is a summary of the 2020 privacy legislative efforts to date and the impact COVID-19 has had on their progress. READ MORE

Wait…CCPA 2.0? What Is the California Privacy Rights Act of 2020 and Will It Become Law?

On May 4, 2020, Californians for Consumer Privacy announced that it submitted over 900,000 signatures to qualify the California Privacy Rights Act of 2020 (“CPRA”) for California’s November 2020 ballot. With the California Consumer Privacy Act of 2018 (“CCPA”) set to become enforceable on July 1, 2020, this new ballot initiative has left many wondering what the CPRA is and whether the CPRA will become law. We explore these questions further below.

READ MORE

Two Diverging Federal COVID-19 Privacy Bills Proposed

In recent days, Congress has introduced two divergent “emergency” bills to address privacy issues arising during the COVID-19 crisis. While both bills aim to protect personal data collected for the purposes of contact tracing and containing the spread of the illness, the bills – one led by Republicans, the other by Democrats – offer different approaches in key areas, including the scope of entities covered, preemption of state law, and whether to provide a private right of action. Given these differences, it is unlikely either bill will pass in its current form, barring significant concessions from each side of the aisle. Here is a high-level summary of the key points addressed in each bill: READ MORE

Seventh Circuit Bolsters Article III Standing for Actions Under the Illinois Biometric Information Privacy Act

On May 5, 2020, the Seventh Circuit held in Bryant v. Compass Group USA, Inc. that a plaintiff who asserted a violation of the Illinois Biometric Information Privacy Act’s (“BIPA’s”) notice and consent requirements had Article III standing to pursue her claim in federal court. With respect to BIPA’s retention schedule posting requirement, however, the Seventh Circuit found that allegations of a statutory violation did not, on their own, suffice to confer Article III standing. This decision will make it easier for defendants to keep BIPA claims in federal court, and its standing analysis has significant implications for BIPA cases, as well as other privacy and data security cases more broadly.

READ MORE

EDPB Tears Down Cookie Walls – Implementation of Cookies in Europe Becomes Even More Challenging

On May 4, the European Data Protection Board (“EDPB”)—an independent body which ensures that the General Data Protection Regulation (“GDPR”) is consistently applied within the EU—has updated its guidelines on consent under the GDPR, clarifying its requirements regarding the GDPR compliant use of cookies on a website. READ MORE

Prison Time for Personal Use of Company Computers? Supreme Court Grants Cert to Decide Whether Noncompliance With a Company’s Terms of Use Constitutes a Violation of the Computer Fraud and Abuse Act

On Monday, April 20th, the Supreme Court accepted cert in Van Burien v. United States to (hopefully) resolve a longstanding circuit split regarding the Computer Fraud and Abuse Act (or CFAA):  Does an individual exceed authorized access when he or she accesses a computer contrary to a policy or agreement limiting access (i.e., accessing a computer for a purpose beyond those permitted by the company). READ MORE

The French Data Protection Authority Publishes a Q&A to Recall the Main Characteristics of the Right to De-listing

On April 7, 2020, the French Data Protection Authority (the CNIL) published on its website a Q&A on the right to de-listing. The right to de-listing enables a data subject to request from a search engine to remove one or several results provided when a search request is carried out using the data subject’s name and surname.

The timing of this publication is interesting as it took place a few days after the decision of the French Highest Administrative Court (the Conseil d’Etat) on the so-called Google case.

READ MORE

Tale of Two Acts: Washington Facial Recognition Law Succeeds, Privacy Act Falters

On Tuesday, Washington Governor Jay Inslee signed into law legal restrictions on the use of facial recognition by public agencies (SB 6280), while the Washington Legislature previously reached an impasse on the proposed Washington Privacy Act (SB 6281) due to a few big ticket items, particularly whether the Act would be enforceable via a private right of action for Washington residents. READ MORE

Class Actions For Security Breaches in the UK Are Here To Stay

Today’s decision by the Supreme Court to allow the appeal in WM Morrison Supermarkets plc v Various Claimants may on first glance look like a significant setback to privacy advocates. However, the court’s unanimous judgment should be viewed with some relief by those arguing for greater privacy protections. Whilst the Supreme Court ruled that, on the facts, WM Morrisons Supermarkets plc (“Morrisons”) could not be held liable for the actions of its rogue former employee, the court said that, had it been necessary to decide the question, it would have held that the statutory data protection regime did not exclude the imposition of vicarious liability on employers. Furthermore, the decision also provides no protection to companies who have been held to be at fault for a data breach, since data subjects will have a direct right of action against the company in those cases and will not be relying on establishing vicarious liability. READ MORE