Establishes New Board Subcommittee and Leverages Automation and Analytics to Drive Further Improvements in Quality, Consistency, and Efficiency of CSF Assessments and Reports

FRISCO, Texas – September 4, 2019 – HITRUST, a leading data protection standards development and certification organization, continues its commitment to improving and ensuring the quality, consistency, and efficiency of information security and privacy assessments with the establishment of a new Quality Assurance Subcommittee of its Board of Directors, release of new Assurance Advisories, and introduction of new quality verification capabilities within the HITRUST MyCSF.

The unique approach of HITRUST’s Assurance Program affords numerous oversight and quality advantages over other assurance programs and certifying bodies, most notably that HITRUST has centralized the assurance and compliance aspects for all HITRUST CSF reporting. This translates into HITRUST CSF Assessment Reports being more consistent and more reliable than other reports which do not centralize robust reporting and review processes. Many advantages are gained by incorporating assessment requirements, assessment guidance, assessor training, assessment platform, and automated and manual quality assurance reviews into a single holistic program across the overall assurance ecosystem. This approach enables HITRUST to continuously monitor adherence to assessment requirements by assessed entities, assessor firms, and the HITRUST Assurance team.

Leveraging this centralized reporting and oversight enables continuous improvement to each aspect of the HITRUST CSF Assurance Program thereby increasing efficiency, integrity, transparency, consistency and ultimately the ‘rely-ability’—a term defined by HITRUST as the ability to rely upon, or trust, the information provided by another—of the HITRUST CSF Assessment Reports.

To provide additional governance and oversight of the CSF Assurance Program, a new Quality Assurance Subcommittee of the Board of Directors is being formed. This further demonstrates HITRUST’s recognition of the importance of quality and consistency.

Ken Vander Wal, HITRUST’s Chief Compliance Officer and Chairman of the new Quality Assurance Subcommittee, spoke to his new role, saying, “I view the role of the Quality Subcommittee similar to that of an Audit Committee. It will independently review what controls and processes HITRUST has in place to ensure quality and consistency across the entire program, review metrics used by HITRUST to measure quality at every level of the process, provide feedback where changes are required, and make recommendations for process improvements when appropriate.”

Other prominent subcommittee members include Kevin Charest, Divisional Vice President and Chief Information Security Officer, Health Care Service Corporation; Robert Booker, Chief Information Security Officer, UnitedHealth Group; and Mike Calhoun, Director of Benefit Plan and Supplier Governance, AT&T. The subcommittee will be briefed on key indicators quarterly by HITRUST’s Vice President of Assurance, Bimal Sheth, and HITRUST’s Vice President of Compliance, Jeremy Huval.

HITRUST also recently released new Assurance Advisories which introduce an updated assessment scoring rubric, updated PRISMA control maturity weightings, and a new automated quality checking capability that will be released in the HITRUST MyCSF platform. These advisories are based on analysis of, and feedback on, areas where HITRUST’s assurance process can be improved.

  • HITRUST’s scoring rubric assists organizations and their assessors in assessment scoring level determinations. This rubric’s recent enhancements bring improved usability, added clarity, and better harmonization with HITRUST’s Risk Analysis Guide. Key changes include adding definitions for assessment terminology, assessment examples and guidance, and inclusion of a scoring lookup table for each of the five levels of HITRUST’s PRISMA maturity model (Policy, Procedure, Implemented, Measured, and Managed).
  • The PRISMA maturity model’s updated point weightings better reflect the value that each maturity level brings to an organization’s risk management stance. The increased weighting of the Implemented level, which is now worth double any other single level, aligns to the priority that mature organizations place on the implementation and operation of controls relative to other maturity levels.
  • The use of quality-focused analytics is reflective of HITRUST’s ongoing commitment to innovation. Dozens of automated routines will help identify potential issues prior to submissions of an assessment. Potential scoring inconsistencies, compliance gaps, and commenting issues will be brought to the attention of organizations and their assessors before submitting the assessment for assurance review by HITRUST. This automation also equips HITRUST to perform Quality Assurance checks in a more timely manner, reducing the lead time between assessment submission and report issuance.

To read more about the newly implemented Assurance Advisories, visit https://hitrustalliance.net/csf-assurance-bulletin/.


The post HITRUST Further Invests to Ensure ‘Rely-Ability’ of Information Risk Assessments appeared first on HITRUST.


On August 5, 2019, President Trump issued Executive Order 13884 (“Venezuela EO”) blocking all property of the Government of Venezuela (“GOV”), a significant escalation of sanctions against the regime of President Maduro. Statements issued by the White House and State Department indicate that this escalation is meant to target the Maduro regime for its continued abuses of human rights and repression. The US Department of Treasury’s Office of Foreign Assets Control (“OFAC”) concurrently issued 12 amended general licenses and 13 new general licenses, new and revised FAQs, and guidance related to the provision of humanitarian assistance and support to the Venezuelan people.

The Venezuela EO targets only the GOV and entities owned 50% or more or otherwise controlled by the GOV, and thus does not place Venezuela under a full territorial embargo. Transactions with private Venezuelan parties that can be effected without the involvement of the GOV remain permissible.

The new sanctions prohibit virtually all US Person dealings with the GOV by blocking the property and interests in property of the GOV that are in the United States, that come within the United States, or that come within the possession or control of US Persons (i.e., US companies and their branches, US banks, US citizens and permanent resident aliens, any person physically located in the United States). GOV funds, contracts or other property interests that come into the possession or control of US Persons must be blocked and reported to OFAC.

The GOV is defined broadly under the Venezuela EO and includes:

  • any political subdivision, agency, or instrumentality thereof, including the Central Bank of Venezuela (“CBV”) and Petroleos de Venezuela (“PdVSA”);
  • any person owned or controlled, directly or indirectly, by the foregoing, which potentially expands the reach of the prior sanctions against PdVSA so that they now cover PdVSA affiliates that are less than 50% owned but still controlled by PdVSA; and
  • any person who has acted or purported to act directly or indirectly for or on behalf of any of the foregoing, including as a member of the Maduro regime.

The Venezuela EO also includes expansive authority to block any other person determined by the US Government to (i) have “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, any person” who is blocked under the Venezuela EO, or (ii) be owned or controlled by, or have acted on behalf of, any person who is blocked under the Venezuela EO. Thus, even non-US companies could be exposed to the risk of collateral designation as Specially Designated Nationals (“SDNs”) if they materially assist or provide goods or services to GOV entities.

Newly Issued General Licenses

OFAC has concurrently amended and issued numerous general licenses authorizing certain activities by US Persons. Below we highlight several key general licenses.

  • Wind Down of Transactions with the GOV

Newly issued General License 28 authorizes all transactions and activities ordinarily incident and necessary to the wind down of operations, contracts, or other agreements involving the GOV that were in effect prior to August 5, 2019. All wind down activities must be completed by September 4, 2019. General License 28 does not extend the authorization of wind-down periods that have expired for PdVSA, CBV, or other GOV entities that were previously designated as SDNs.

  • Intellectual Property Related Transactions

Newly issued General License 27 authorizes certain transactions, including payments of fees to the GOV related to the filing, receipt, renewal, maintenance, and prosecution of patents, trademarks, copyright, and other forms of intellectual property. General License 27 does not authorize assignments, licensing or other transfers of intellectual property to the extent such activities involve the GOV, for example, where recordal or the payment of fees is required or where the assignment is to a GOV entity. This general license does not have an expiration date.

  • Transactions with the Government of the Interim President of Venezuela

Consistent with the US Government’s official recognition of Juan Guaidó as the Interim President of Venezuela, newly issued General License 31 authorizes US Persons to engage in all otherwise prohibited transactions involving (i) the Venezuelan National Assembly; (ii) the Interim President of Venezuela Juan Guaidó and his representatives and staff; and (iii) any person appointed by Guaidó to the board of directors or as an executive officer of a GOV entity, unless otherwise prohibited under relevant sanctions. This general license does not have an expiration date.

  • Transactions Related to Port and Airport Operations in Venezuela

New General License 30 authorizes all transactions and activities involving the GOV that are ordinarily incident and necessary to operations or use of ports and airports in Venezuela. Exports or reexports of diluents, whether directly or indirectly, to the GOV are prohibited. This general license does not have an expiration date.

  • Dealings Between Financial Institutions and the GOV

In newly issued FAQ 680, OFAC advises that it expects financial institutions to conduct due diligence on their own direct customers (including, for example, their ownership structure) to confirm that those customers are not persons whose property and interests in property are blocked. With regard to other types of transactions where a financial institution is acting solely as an intermediary and fails to block transactions involving a sanctions target, OFAC will consider the totality of the circumstances surrounding the bank’s processing of the transaction to determine what, if any, regulatory response is appropriate.

In addition, newly issued General License 21 authorizes: (i) US financial institutions to debit any account blocked pursuant to the Venezuela EO or EO 13850 held by that financial institution in payment or reimbursement for normal service charges owed by the owner of the blocked account, and (ii) transfers of funds or credit by US financial institutions between blocked accounts by their branches or offices, as long as no transfers are made from accounts in the United States to accounts outside the United States and provided that the transfer is from one blocked account to another blocked account held in the same name. Normal service charges include charges in payment or reimbursement for interest due; cable, telegraph, internet, or telephone charges; postage costs; custody fees; small adjustment charges to correct bookkeeping errors; as well as minimum balance charges, notary and protest fees, and charges for reference books, photocopies, credit reports, transcripts of statements, registered mail, insurance, stationery and supplies, and other similar items. This general license does not have an expiration date.

  • Humanitarian Assistance and Support for the Venezuelan People, Sales of Ag/Med Commodities

OFAC amended General License 20A (authorizing official activities of certain international organizations) and issued several general licenses to ensure the continued flow of humanitarian goods and services to the Venezuelan people, including General License 22 (goods and services related to Venezuela’s mission to the United Nations), General License 23 (authorizing funds transfers related to certain third-country diplomatic/consular funds), General License 24 (transactions involving telecommunications and mail), General License 25 (export/reexport for the exchange of communications over the Internet), General License 26 (emergency and medical services), and General License 29 (transactions involving certain activities by nongovernmental organizations). These general licenses do not have an expiration date. OFAC also issued Guidance emphasizing that OFAC will maintain a favorable specific licensing policy for supporting the provision of humanitarian assistance, and all specific license applications will be reviewed on a case-by-case basis.

Amended General Licenses

  • Transactions with PDVH, CITGO, and NYNAS AB

Most dealings with PDV Holding, Inc. (“PDVH”), CITGO Holding, Inc. (“CITGO”), and Nynas AB and their subsidiaries continue to be authorized (although still subject to certain limitations) under amended General License 7C (valid for 18 months from the effective date of General License 7C or its subsequent renewal), General License 2A (no expiration), and General License 13C (valid through October 24, 2019).

  • Transactions with PdVSA

Amended General License 8C continues to authorize all transactions and activities ordinarily incident and necessary to operations in Venezuela involving PdVSA or its 50%-or-more-owned subsidiaries that are otherwise prohibited by Executive Order 13850 and now the Venezuela EO, for the following entities and their subsidiaries: Chevron Corporation; Halliburton; Schlumberger Limited; Baker Hughes; and Weatherford International. This amended General License 8C does not, however, appear to cover such operations involving PdVSA entities that are less than 50% owned by PdVSA but nonetheless still controlled and now blocked under the new Venezuela EO. (Valid through October 24, 2019.)

Amended General License 10A continues to authorize US Persons in Venezuela to purchase from PdVSA or its 50%-or-more-owned subsidiaries (again, apparently not including entities less than 50% owned but still controlled by PdVSA) refined petroleum products for personal, commercial, or humanitarian uses, but it does not allow the commercial resale, transfer, exportation, or reexportation of those products. It also clarifies that payments of taxes, fees, and import duties to, and purchase or receipt of permits, licenses, or public utility services from, the GOV related to the purchase of such products are authorized. This general license does not have an expiration date.

  • Dealings in Debt and Securities

General License 3F was amended to cover transactions otherwise prohibited by the Venezuela EO. US Persons can continue to engage in transactions related to, provide financing for, and otherwise deal in bonds that (i) are specified in the Annex to General License 3F provided that any divestments or transfer of, or facilitation of divestment or transfer of, any holdings in those bonds are to a non-US person; or (ii) were issued prior to the effective date of Executive Order 13808 by US Person entities owned or controlled, directly or indirectly, by the GOV (e.g., CITGO Holding, Inc.). The wind-down of financial contracts and other agreements entered into prior to February 1, 2019 at 4:00 p.m. EST involving the specified bonds is also authorized. (Valid through September 29, 2019.)

General License 9E was also amended to explicitly cover transactions otherwise prohibited by the Venezuela EO. US Persons can continue to engage in (i) transactions that are ordinarily incident and necessary to dealings in any debt of, or equity in, PdVSA or any entity owned 50% or more by PdVSA (but again, apparently not those entities less than 50% owned but still controlled by PdVSA) (together, “PdVSA securities”) issued prior to August 25, 2017, provided that any divestment or transfer of, or facilitation of divestment or transfer of, any holdings in such debts must be to a non-US person, (ii) transactions that are ordinarily incident and necessary to dealing in bonds issued prior to August 25, 2017 by the following PdVSA entities and their subsidiaries: PDVH, CITGO, and Nynas, and (iii) transactions ordinarily incident and necessary to wind-down of financial contracts or other agreements that were entered prior to January 28, 2019 at 4:00 p.m. EST involving PdVSA securities. The latter authorization is valid through September 29, 2019.

  • Sales of Ag/Med Commodities

Amended General License 4C continues to authorize US Persons to engage in certain transactions ordinarily incident and necessary to the export/reexport from the United States or by US Persons of agricultural commodities, medicine, medical devices, replacement parts and components for medical devices, and now also software updates for medical devices, to Venezuela or to persons in third countries purchasing specifically for resale to Venezuela. This general license does not have an expiration date.

  • Dealings with the CBV, Banco Bicentenario del Pueblo, and Banco del Tesoro

Amended General License 15B and General License 16B now cover Banco del Tesoro (in addition to the previously covered Banco de Venezuela and Banco Bicentenario del Pueblo), but otherwise remain unchanged. (Valid through March 21, 2020.)

  • Transactions Related to Integracion Administradora de Fondos de Ahorro Previsional, S.A.

Amended General License 18A continues to authorize certain transactions ordinarily incident and necessary to maintain or operate Integracion Administradora de Fondos de Ahorro Previsional, S.A., whose fund administrator is owned 50% or more by Bandes Uruguay. This general license does not have an expiration date.

All of the above-described general licenses are subject to important terms and limitations. Companies should, therefore, carefully review the amended and newly issued general licenses and other relevant regulations when considering dealings with and/or exports/reexports to or involving Venezuela.

***

The foregoing is intended only to provide a general summary of recent developments regarding the escalation of US sanctions and export controls targeting Venezuela. If you have any questions about how these changes might affect your company or if you require advice on any specific transactions or plans, please contact one of the members of Baker McKenzie’s International Commercial Practice Group.

The post US Government Escalates Sanctions Against the Government of Venezuela appeared first on Global Compliance News.


A vexing issue under the California Consumer Privacy Act is how to interpret the definition of “sale” and how to know if exceptions – like that for a “service provider” – apply.

When asked, most companies state honestly they do not “sell” customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value (“consideration”) between the business and a third party or another business for the personal information. The definition of sale may expansively apply to disclosures to vendors that process data for their own analytics or other secondary purposes.

In general, the CCPA imposes strict requirements on the “sale” of personal information (e.g., “Do Not Sell My Personal Information” button on homepages, rights to opt out, and the like). Businesses should, therefore, conduct due diligence on a case-by-case basis as to whether to seek shelter from the definition of “sale” under the CCPA for disclosures to a “service provider.” The due diligence should involve a review under the existing contractual terms and may require modifications to the underlying agreement and obligations of the parties.

What qualifies as a ‘service provider’?

The CCPA distinguishes between service providers and third parties by defining a third party in the negative and by specifying the requirements for a written contract that governs a data transfer between the parties. Under the law’s construction, a “service provider” is:

(1) A legal entity organized for profit.

(2) That processes personal information on behalf of a business.

(3) To which the business discloses a consumer’s personal information for a business purpose.

(4) Pursuant to a written contract that prohibits the legal entity from retaining, using, or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.

Businesses must also:

(5) Provide proper notice to consumers about personal information sharing practices.

(6) Contractually prohibit the service provider from further collecting, selling or using the personal information except as necessary to perform the business purpose.

In addition, if the service provider agrees to additional contractual terms to assure that it does not qualify as a “third party,” the business will benefit from certain liability protection. In particular, the business would need to include a provision in the written contract that

(7) Prohibits the recipient from:

(a) Selling the personal information.

(b) Retaining, using or disclosing the personal information for any purpose other than performing the services.

(c) Retaining, using or disclosing the personal information outside of the direct business relationship between the recipient and the business.

The business would also need to:

(8) Obtain a certification that the recipient understands these restrictions and will comply with them.

In practice, the provisions required under elements (7) and (8) largely overlap with those of elements (1) through (6), but they are treated separately here to help understand how they may be applied to actual scenarios.

How does the service-provider exception play out in practice?

Website-hosting provider

A website-hosting provider would be a logical vendor to consider as a service provider, depending on the specifics of the arrangement. For example, does the provider assert broad rights to use personal information collected on the site for its own purposes? Does the provider exchange any consideration with third-party advertising agencies with respect to cookies and other tags placed on users of the site?

These factors would suggest that the vendor might not meet element (6) and might be reluctant to enter into a written contract that significantly cuts back on these rights. Also, what about element (3), which suggests that the business must physically disclose the data to the vendor and the vendor cannot directly collect the data from the consumer? It seems unlikely that a vendor should be disqualified from the service-provider exception on this basis alone, as there is no strong public policy reason why an agent cannot be hired to collect data on behalf of a business, but because there is no official guidance on this point, it will be important to track this issue carefully.

Customer relationship management provider

A CRM provider would also seem to be a good candidate for the service-provider exception, again depending on the specifics. For example, what if the CRM provider uses personal information of multiple customers to perform broad market analysis and forecasting of trends and provide that data back to each of its business customers as a service?

Although the data is not shared in identifiable form across the different business customers, the underlying analysis would use the personal information and would benefit multiple customers. This appears to raise an issue under element (6) and a potential concern for the contractual obligations under elements (4), (7) and (8). The extent of the concern, however, could potentially be reduced by further contractual terms. For example, if the “business purpose” as defined in the services contract included an obligation for the provider to deidentify data and to use the data for analytics in order to provide the market and trending analysis back to the business customer, this could bring these activities closer to a use on behalf of the business and the definition of “service provider.”

Independent auditor

Unlike the prior two examples, an independent auditor is an example that might be at odds with the core definition of a service provider and omitted from the exception. The federal securities laws generally require publicly held companies to engage an independent auditor to report on the accuracy of financial reports that the company files with the U.S. Securities and Exchange Commission. By definition, the auditor is not collecting and analyzing information “on behalf of” the company when it analyzes data, including personal information, as an independent assessor of the company’s financial statements. As such, an independent auditor likely does not meet element (2) where it does not act “on behalf of” the business.

What are the other options?

If the vendor is not a “service provider,” does that mean the disclosure is always a “sale”? No.

The business should examine whether there are other grounds to show that the disclosure is not a sale. For example, regarding the independent auditor, the business could say that there is no valuable consideration exchanged for the personal information obtained in the audit given that an auditor does not in any meaningful sense pay for the data. The business could also assert the independent auditor is not a “third party” that triggers the “sale” provision if the business imposes a written contract that includes elements (7) and (8). Note that these elements do not include the “on behalf of” requirement that applies to service providers, so it might fit for an independent auditor.

Ultimately, in preparation for the CCPA, each business should conduct a due diligence process across its personal information sharing arrangements to determine whether disclosures that do not appear to meet the exceptions described above are subject to other exceptions to sale, such as sharing at the direction of the consumer. A thoughtful assessment is needed given the newness of the rules and the complexity of arrangements in the digital age.

This article was first published on iapp.org.

The post US: How to Know If Your Vendor is a ‘Service Provider’ Under CCPA appeared first on Global Compliance News.

Background

On 27 March 2019, in Lorenzo v. SEC, the US Supreme Court handed the Securities and Exchange Commission (the “SEC”) a victory. In this case, the Supreme Court held that Francis Lorenzo, an investment banker, could be liable under Rule 10b-5 for disseminating material misleading statements even though he had not made the statements.

Lorenzo refines the law that previous cases had established regarding the liability of “non-makers” of material misleading statements. Certainly, this case expands the applicability of the anti-fraud liability under Rule 10b-5.

The statutory foundation of the anti-fraud liability in the United States

Section 10(b) of the Securities Exchange Act of 1934 imposes liability on any person who employs a manipulative or deceptive device in connection with the purchase or sale of a security. Rule 10b-5 specifies the type of conduct that gives rise to liability. In particular, the conduct can consist of:

  • the employment of any device, scheme, or artifice to defraud (subparagraph (a));
  • the making of a material misstatement or the omission to state a material fact that makes the statement misleading (subparagraph (b)); or
  • any act or practice which operates as a fraud (subparagraph (c)).

Section 10(b) and Rule 10b-5, however, do not apply primary liability to aiders and abettors. An aider and abettor is a person who knowingly or recklessly provides substantial assistance to another person who violates the securities law. Thus, an aider and abettor can only be secondarily liable with respect to a primary violation of the securities law, such as Section 10(b) and Rule 10b-5.

The law before Lorenzo

Historically, the Supreme Court had denied a right of action under Rule 10b-5(b) for material misstatements against a party who had not made the statements. According to the Supreme Court, such right of action amounted to an impermissible claim for a primary violation against an aider and abettor. In particular, the Supreme Court denied such right in Central Bank of Denver v. First Interstate Bank of Denver, 511 US 164 (1994), Stoneridge Investment Partners v. Scientific-Atlanta, 552 US 148 (2008), and Janus Capital Group, Inc. v. First Derivative Traders, 564 US 135 (2011).

In these cases, the defendants were not the makers of the statements. In Central Bank, Central Bank was the indenture trustee. In Stoneridge, Scientific Atlanta and Motorola were clients of the issuer. In Janus, Janus Capital Management and Janus Capital Group were, respectively, the issuer’s investment adviser and the investment adviser’s controlling entity. Although all the defendants had knowingly or intentionally participated in the “making” of the material misstatements, none of them was found to have violated Rule 10b-5(b). The logic behind the holdings, as explained in Janus, was that the defendants did not have ultimate authority over the content of the statements or over how and whether to communicate them.

The Supreme Court, however, only considered Rule 10b-5(b). Nothing was held on the application of Rule 10b-5(a) or (c) to a non-maker of material misstatements. This is where Lorenzo refines the law.

Lorenzo v. SEC

Francis Lorenzo, the defendant, was a director of an investment banking firm engaged in a $15 million bond offering. Lorenzo, under instructions of his supervisor, contacted via email potential investors stating that the issuer had intellectual property assets worth $10 million while in reality the assets were almost worthless. Significantly, Lorenzo and his supervisor knew that the assets were almost worthless.

The Supreme Court held Lorenzo liable under Rule 10b-5. Even though Lorenzo could not be liable under Rule 10b-5(b) for making material misstatements as his supervisor had “ultimate authority” (and so was a maker) over the misstatements, Rule 10b-5(b) is not exclusive of Rule 10b-5(a) or (c). Thus, Rule 10b-5(a) and (c) can apply to a claim filed for material misstatements against a non-maker. The Supreme Court stated that if Rule 10b-5(b) prevented the application of Rule 10b-5(a) and (c), then a non-maker could never be liable as primary violator of Rule 10b-5 even though such non-maker had intentionally, knowingly or recklessly disseminated material misstatements.

Overseas application of Lorenzo

The rule devised in Lorenzo may also apply overseas. In Robert Morrison v. National Australia Bank, 561 US 247 (2010), the Supreme Court held that Rule 10b-5 applies any time a security is purchased or sold in the United States or if a security purchased or sold is listed on a US stock exchange. Lorenzo’s holding, however, will not apply where the foreign securities transaction has no connection with the United States.

Conclusion

Lorenzo has provided the SEC and private parties with a sharper weapon. In the future, non-makers can be liable as primary violators under Rule 10b-5. This means that anyone, including investment bankers acting as underwriters or placement agents, could be held liable through their active and knowing participation in the distribution of a misstatement made by a different person. Whether Lorenzo will actually translate into an increase in litigation by the SEC and private parties against investment bankers (or any other non-maker), however, is difficult to predict, as Lorenzo’s outcome was facilitated by Lorenzo’s admission of his knowing dissemination of a material misstatement.

The post The implications of Lorenzo v. SEC on Rule 10b-5 appeared first on Global Compliance News.

Launches initiative to extend duration between assessments by factoring in control maturity scoring and integrating continuous monitoring

FRISCO, Texas – August 8, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced a new initiative to incentivize information security teams working towards better information security control maturity. HITRUST also disclosed findings confirming that control maturity scoring is a valid method of evaluating and predicting ongoing control effectiveness and residual information risk.

Based on an analysis of CSF Assessment data collected over a 10-year period, HITRUST has concluded that when an organization’s controls within scope of a CSF Assessment are operated at or above a HITRUST CSF maturity level of 79, there is a 99 percent likelihood these controls will continue to operate in a similar manner going forward. This finding is significant in two ways: CSF Assessments above a maturity score of 79 are prospective, and organizations with higher HITRUST CSF maturity scores have fewer control failures, posing less risk to their customers.

As part of the new initiative, HITRUST is updating its CSF Assurance program with guidance on what qualifies as mature information security control scores. HITRUST is also offering more flexibility for organizations that have obtained CSF control maturity by extending the period between CSF Assessments and giving organizations incentives and credit for implementing an effective continuous monitoring program. Conversely, those organizations that demonstrate a low level of information security control maturity, typically implementation level or a CSF maturity score below 79, will undergo annual CSF Assessments.

“HITRUST is pioneering a new approach to control maturity scoring,” said Kevin Charest, divisional vice president and chief information security officer, Health Care Service Corporation. “These updates to the CSF Assurance program will continue to support organizations who are striving to enhance their information security programs by achieving higher levels of control maturity and making improved, risk-based decisions that help enhance security frameworks and meet their stakeholders’ information risk management needs.”

While information control maturity scores are integral to understanding control effectiveness, that is only the case when the scores are accurate and reliable, based on a comprehensive methodology, such as the HITRUST CSF Assurance and Assessor programs. HITRUST is unique and has been a leader with its assurance program having incorporated control maturity for the last 12 years along with annual updates and enhancements to improve its accuracy, consistency, and quality.

“The HITRUST CSF, and CSF Assurance programs, were designed to provide transparency, integrity, consistency and ultimately ‘rely-ability’ of maturity scores in the CSF Assessment Report,” said Bryan Cline, chief research officer, HITRUST. “This additional guidance should provide further incentives for organizations to increase their CSF maturity scores.”

The failure of security controls in recent high-profile breaches highlights the importance and urgency of the problem, re-emphasizing why self-attestations, rudimentary third-party assessments, and reputational risk evaluation scoring methods are limited, often inaccurate and subjective while not providing a means to evaluate or predict future control effectiveness.

“We see the use of information security control maturity scores as a driver for internal discussions on risk tolerance and external discussions for requirements on third-party vendors, as well as with cyber insurance underwriters as the basis for coverage and premiums,” said Michael Parisi, vice president of assurance strategy & community development, HITRUST.

HITRUST intends to formally release the program updates in 2020, which will include changes to the CSF, CSF Assurance, and the MyCSF platform.

Call to Action

HITRUST is seeking mature organizations to participate in this new initiative; interested organizations can learn more and sign up here.

The approach is outlined in a position paper also released today titled, “Improving Information Risk Management and Reporting in a Cyber World,” which can be downloaded from Content Spotlight.

About the HITRUST Approach

HITRUST understands information risk management and compliance and the challenges of assembling and maintaining the many and varied programs, which is why our integrated approach ensures the components are aligned, maintained and comprehensive to support an organization’s information risk management and compliance program. More information on the approach can be found on the HITRUST Approach page.

The post HITRUST Finds Information Security Control Maturity is Key Indicator to Measuring and Predicting Cyber Risk appeared first on HITRUST.

Law360 (July 3, 2019, 1:11 PM EDT) — Three recent decisions arising under the National Labor Relations Act highlight that ambiguity and inattentiveness are the twin banes of labor and employment attorneys. In all three cases, the dispute arose because two personnel policies or approaches overlapped, opening the way for conflicting claims. As these cases demonstrate, letting the National Labor Relations Board decide “who is on first” can have significant consequences and can trigger an onslaught of litigation. Unfortunately, instead of resolving the uncertainty, these three NLRB decisions merely pushed the dispute into another forum where additional litigation may occur to resolve the underlying issues.

Danger From Overlapping Policies

The first decision arose in a workforce with two different bargaining units.[1] The first unit had negotiated a workplace harassment policy that placed the responsibility of resolving workplace harassment complaints in the hands of a third party: an arbitrator who had the power to issue a binding decision.

While the policy provided only bargaining-unit employees could initiate harassment complaints, it allowed complaints against bargaining-unit employees, as well as employees outside the bargaining unit, and nonemployees. The second unit was subject to a nonharassment policy that created a committee of union and employer members who established rules governing unit-member conduct. During two rounds of contract negotiation, the second unit had rejected the employer’s proposal to incorporate third-party arbitration procedures similar to those the first union had in place.

The facts underlying the dispute arose when two employees, each a member of a different bargaining unit, got into an argument, and exchanged curse words and racial slurs. After the confrontation, one employee, who was a member of the arbitration-process unit, filed a harassment complaint in that process. The arbitrator concluded that the other employee, who was a member of the bargaining unit that had rejected arbitration, had violated the policy and ordered the employee suspended for 30 days. When the employer announced it was suspending that employee, his union filed a charge with the NLRB.

In a divided 2-1 decision, over a lengthy and rigorous dissent by member Marvin Kaplan, members Lauren McFerran and William Emanuel found the employer had violated its duty to bargain (imposed by Section 8(a)(5) of the NLRA) when it applied the arbitration harassment policy to the nonconsenting bargaining unit. The majority reasoned that the employee against whom the claim was brought was protected by his own unit’s policy, which stated that it was the exclusive remedy. Further, his unit had repeatedly and consistently rejected proposals to incorporate the arbitration procedure.

Because the employer could not have misunderstood the unit’s decision not to be bound by arbitration procedures, the board found that the employer unlawfully modified the labor agreement. Further, this unilateral change occurred without giving the unit an opportunity to bargain over significant changes to the disciplinary system — a substantial term and condition of employment. Accordingly, the NLRB held the employer unlawfully changed terms and conditions of employment without prior notice and opportunity to bargain.

In dissent, Kaplan suggested the two policies could coexist. In his view, after the third-party arbitration harassment process concluded, the second union could grieve the discipline as being improper using the grievance procedure in its collective bargaining agreement. Kaplan’s approach is not new. In fact, it is the approach adopted in W.R. Grace v. United Rubber Workers.[2] In that decision, the U.S. Supreme Court held the employer to its collective bargaining agreement, which required it to apply strict seniority when making layoff decisions, and to the terms of a voluntary consent decree, which required the use of racial preferences.

Intervention in Federal Lawsuits

The second decision involved the application of a mandatory statutory arbitration policy to a discharged and formerly union-represented ex-employee’s lawsuit.[3] The NLRB’s decision in Anheuser Busch was triggered when the employer filed a motion in a federal district court seeking to compel the arbitration of the now ex-employee’s discrimination claim. This procedural posture is a reminder that employment lawyers need to be aware of labor laws. In Anheuser Busch, the NLRB, by a 2-1 majority, ruled the motion to compel arbitration did not violate the employer’s duty to bargain.

The dispute occurred after Anheuser Busch had adopted a mandatory arbitration policy that all job applicants were required to sign. However, the arbitration policy did not apply to union-represented employees. The former employee had applied for work, signed the arbitration policy and was hired into a union-represented position. Six years later, in March 2010, he was terminated. The union filed a contractual grievance claiming that the discharge was not issued fairly and impartially.

Ultimately, a “multi-plant grievance committee” upheld the termination. Subsequently, the terminated employee filed a discrimination charge and, upon receipt of his notice of right to sue, filed a federal discrimination suit on April 3, 2012, whereupon the employer filed a motion to compel arbitration. The employee then filed an unfair labor practice charge with the NLRB claiming the attempt to apply the mandatory arbitration procedure to him violated the employer’s duty to bargain and requesting that the NLRB order the employer to withdraw the motion to defer to arbitration.

In another 2-1 decision, the NLRB majority concluded otherwise. In its view, it could not interfere with the pending court litigation, as neither of the two exceptions to abstention identified by the Supreme Court in Bill Johnson’s Restaurants v. NLRB, which would have permitted its intervention in ongoing litigation, was applicable.[4]

Under Bill Johnson’s Restaurants, the NLRB may intervene in court litigation where the lawsuit is baseless and filed with a retaliatory purpose. Litigation that is not both baseless and retaliatory may violate the NLRA only if it falls within one of two exceptions: (1) a suit that is preempted by federal law, and (2) a suit that has an illegal objective. The general counsel argued that NLRB intervention was appropriate because the second exception applied: that is, the claim had an illegal objective. The majority rejected the illegal objective claim finding that a unilateral change was not the equivalent of an “illegal objective.” The dissent, McFerran, disagreed on this point.

The district court had stayed its ruling on the motion to compel while the NLRB considered this issue. The majority closed its opinion by noting it was in no way suggesting how the court should rule. Consequently, the employer is back in court to continue litigating a discharge that occurred on May 3, 2010.

No Signed Agreement Proves Costly

In the third decision, Cetta v. NLRB,[5] the D.C. Circuit enforced the NLRB’s decision in a striker replacements case, Michael Cetta Inc. d/b/a Sparks Restaurant.[6] In Cetta, the court faulted an employer for not obtaining striker replacements’ signatures on their offer letters. The case is a vivid reminder of the value of documents and suggests the trend toward paperless or a policy-free human resources regimen is a fraught one.

In December 2014, 36 waiters and bartenders at Spark’s Restaurant went on strike against their employer. After nine days, the strikers abandoned the strike and made an unconditional offer to return to work. The employer refused their offer to return to work, claiming that it had lawfully hired “permanent replacements” to fill the striking employees’ positions. Under long-standing NLRB precedent, economic strikers must be reinstated when their replacements are temporary; however, they do not have to be reinstated immediately when permanent replacements have been hired.

The NLRB rejected the employer’s “permanent replacement” rationale using an objective evidence standard. In order to show that it lawfully hired permanent replacements, the employer must show that there was a mutual understanding between the employer and the replacements that their employment was permanent.

The NLRB found that because the offer letters given to the replacement employees were unsigned, they did not demonstrate that the replacement workers considered themselves permanent replacements. No replacement workers testified. Consequently, under well-established precedent the employer was obligated to discharge the replacement workers and return the strikers to their former positions. Because it had failed to do so, the employer committed an unfair labor practice and was ordered to discharge the replacements, reinstate the strikers and pay them back pay for the period (now totaling over five years) they had been out of work.

In Belknap v. Hale,[7] the Supreme Court held that an employer could avoid breach of contract suits brought by replacement workers discharged as part of a strike settlement or by order of a court or arbitrator. The court held that employers could avoid these suits if they obtained the replacement workers’ signatures on documentation acknowledging that discharge could occur as part of a strike settlement. In light of the D.C. Circuit’s opinion in Cetta, a Belknap letter serves a significant additional role — it is objective evidence the strike replacements are permanent.

If history is any indicator, the discharged replacement workers will now sue their former employer claiming their terminations were a breach of their contracts of employment and that they were permanent replacements.

Courts and the board apply the rules pertinent to strike situations with rigorous exactitude. Employers facing strike situations by union represented or unrepresented employees would be well served to dot their i’s and cross their t’s.

Cautions for Employers

Employers should avoid overlapping or inconsistent policies or arrangements. Where there is overlap, there is the potential for conflicting claims and these situations are riddled with potential hurdles. As the adage goes, anything that can go wrong will: A litigant will discover and leverage the overlap at the worst possible time.

Employers and their employment counsel should keep the National Labor Relations Act in mind even if their workforces are nonunion. It was only a few years ago that then-NLRB General Counsel Richard Griffin caused a stir by rewriting employee handbooks. The expiration of his term does not mean non-union employers can ignore the NLRA; the NLRA has a myriad of applications to even nonunion workers.

Finally, employers should be mindful of the serial litigation that can result if policies are not thoughtfully formulated and implemented.

In Pacific Maritime Association, the employer went through the third-party harassment process and a NLRB trial and appeal. The NLRB’s decision leaves open the possibility that the employer may have a second arbitration proceeding or a suit to confirm an award. The decision also points to the undesirability of micro units. In Anheuser Busch, the employer went through a grievance process, an agency investigation, an NLRB trial and appeal, and is in the midst of a federal lawsuit.

The employer in Spark’s Restaurant has endured a strike, an NLRB trial and appeal, and a court of appeals decision. Depending on the applicable statute of limitation, it may still face a state court wrongful discharge claim from the replacement workers.

All three May decisions were presaged by decisions issued by the Supreme Court in 1983. This underscores the premium of consulting experienced labor counsel.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc. or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] Pacific Maritime Associates, 367 NLRB No. 121 (2019).

[2] W.R. Grace v. United Rubber Workers, 461 U.S. 757 (1983).

[3] Anheuser-Busch, 267 NLRB No. 132 (2019).

[4] Bill Johnson’s Restaurants v. NLRB, 461 U.S. 731 (1983).

[5] Cetta v. NLRB, No. 18-1165 (D.C. Cir. May 20, 2019).

[6] Michael Cetta, Inc. d/b/a Sparks Restaurant, 366 NLRB No. 97 (2018).

[7] Belknap v. Hale, 463 U.S. 491 (1983).

The post US: Overlapping Policies Prove Costly To Employers appeared first on Global Compliance News.

In 2018, California enacted the California Consumer Privacy Act (“CCPA”), the first state-level “omnibus” privacy law, which imposes broad obligations on businesses to provide state residents with transparency and control of their personal data. This year, Maine and Nevada have followed suit and passed legislation focused on consumer privacy, and Pennsylvania has a consumer privacy bill currently under legislative review. Other states in which US companies do business saw similar legislation, such as Hawaii, Illinois, Massachusetts, Mississippi, New Mexico, New York, Rhode Island, Texas, and Washington. However, those state bills did not pass this year. Nonetheless, companies should consider that those state bills could be reintroduced and garner support should privacy become a hot topic for state residents and the US generally going forward.

The chart, which can be accessed above, provides a high-level summary of the new state privacy laws that have been enacted, and it also summarizes the Pennsylvania bill, which, if signed into law, will become effective immediately. We will provide updates regarding the Pennsylvania bill as they become available, and we will continue to track state-level consumer privacy legislative efforts. If you have any questions, please do not hesitate to reach out to the Contact Partners listed.

The post US State Omnibus Privacy Laws – A Primer appeared first on Global Compliance News.

Selling or trading personal information — a common practice in the adtech industry — is increasingly under regulatory scrutiny and legislators around the world are contemplating measures that put clear limits around such practices, increase transparency and put consumers in control over their data. By way of example, the German competition agency has been investigating the adtech sector for some time, the UK is following suit and Australia is contemplating a code for social media and online platforms which trade in personal information.

As of 1 July 2019 (Maine), and 1 October 2019 (Nevada), some companies will have to comply with additional requirements and restrictions regarding personal information selling under new U.S. state laws that seem inspired by, but are not as broad as the California Consumer Privacy Act (CCPA) (for detailed articles on the CCPA, please see an alert by Lothar Determann here and an article by Brian Hengesbaugh and Harry Valetk here). Maine’s Act to Protect the Privacy of Online Customer Information requires prior opt-in to data selling (the CCPA requires offering opt-out) and introduces new notice requirements, but only for broadband providers. Nevada’s Senate Bill 220 applies to any operator of online services, within or outside Nevada, but not offline and “selling” is more narrowly defined than under the CCPA.

Maine’s Act to Protect the Privacy of Online Customer Information

Who and what data are protected?

Customers of broadband Internet access service that are physically located and billed for service received in Maine are protected with respect to their customer personal information, defined as:

  • personally identifying information about a customer, including but not limited to the customer’s name, billing information, social security number, billing address and demographic data
  • information from a customer’s use of broadband Internet access service, including but not limited to web browsing history and a number of other categories of data

The definition of “customers” is much more limited than the definition of “consumers” under the CCPA. Unlike the CCPA, which generally protects California residents, online and offline, even when they are physically outside the state, under the Maine law customers must subscribe to broadband services and both be physically located in Maine and billed for services received in Maine to be protected under the law.

The definition of protected information is also more limited than under the CCPA. While the CCPA covers any information relating to a California resident or household, the Maine law only protects data relating to broadband services. Data relating to broadband services, however, is broadly protected under the Maine law.

Who must comply?

Unlike the CCPA, which applies to most businesses world-wide and in all industries, the Maine law is limited to providers of broadband Internet access service operating within Maine.

“Broadband Internet access service” means a mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints, including any capabilities that are incidental to and enable the operation of the service, excluding dial-up Internet access service.

“Provider” means a person who provides broadband Internet access service.

How to comply?

Provide notice, seek express opt-in consent before collecting personal information, and protect personal information.

Providers must provide notice of their obligations and customers’ rights under the law to their customers at the point of sale and on their publicly accessible website. As with the CCPA, because of the law’s prescriptive details (e.g. requiring disclosure of an opt-out right with respect to non-personally identifiable information pertaining to a customer), this adds another jurisdiction-specific disclosure requirement for companies.

Subject to several exemptions (including use of the information to provide the service), providers must seek express prior opt-in consent before using, disclosing, selling or permitting access to a customer’s personal information. Any consent given may be revoked at any time. Unlike the CCPA, which defines “sale” of personal information broadly as any sharing for “monetary or other valuable consideration,” the Maine law is silent on the definition of sale.

Like the CCPA, the Maine law includes an antidiscrimination right and a provider may not refuse to serve a customer who does not provide consent or charge a penalty or offer a customer a discount based on the customer’s decision to provide or not provide consent. But unlike the CCPA, under the Maine law there is no carve out permitting charging a different price or offering a different level of services if that difference is reasonably related to the value provided by the customer’s data.

The following is exempted from the law’s opt-in requirements and a provider may collect, retain, use, sell and permit access to customer personal information without customer approval:

  • for the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service
  • to advertise or market the provider’s communications-related services to the customer
  • to comply with a lawful court order
  • to initiate, render, bill for and collect payment for broadband Internet access service
  • to protect users of the provider’s or other providers’ services from fraudulent, abusive or unlawful use of or subscription to such services
  • to provide geolocation information concerning the customer to:
    • a public safety answering point; a provider of emergency medical or emergency dispatch services; a public safety, fire service or law enforcement official; or a hospital emergency or trauma care facility, for the purpose of responding to a customer’s call for emergency services
    • the customer’s legal guardian or a member of the customer’s immediate family in an emergency situation that involves the risk of death or serious physical harm
    • a provider of information or database management services solely for the purpose of assisting in the delivery of emergency services in response to an emergency

Providers that use, disclose, sell or permit access to customer personal information beyond the exemptions will have to build in an express opt-in option when selling services to new customers and reach out to existing customers to seek their express opt-in (and if they don’t get it, stop existing practices that would be prohibited from July 1, 2019). But notably, providers may sell customer personal information as necessary to provide their services, which may suggest that sharing with commonly relied-upon service providers that routinely use information for analytics and to improve their own services would not trigger the opt-in requirement.

If the provider receives written notice from the customer notifying the provider that the customer does not permit the provider to use, disclose, sell or permit access to non-customer personal information the provider collects pertaining to such customer (opt-out), the law also prohibits the provider from using, disclosing, selling or permitting access to such information.

As already required by numerous data privacy and security laws in other U.S. states and jurisdictions around the world, providers must take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.

Sanctions and remedies

Maine’s Act to Protect the Privacy of Online Customer Information does not provide for sanctions and remedies specific to violations of that law. The sanctions and remedies can be found in chapter 15 of Maine’s title 35-A on Public Utilities.

If a provider violates title 35-A on Public Utilities, causes or permits a violation of the title, or omits to do anything that the title requires it to do, it may be liable in damages to the person injured as a result.

For willful violations, the Maine Public Utilities Commission may impose an administrative penalty for each violation in an amount that does not exceed $5,000 or 0.25% of the annual gross revenue that the provider received from sales in Maine, whichever amount is lower. Each day a violation continues constitutes a separate offense. The maximum administrative penalty for any related series of violations may not exceed $500,000 or 5% of the provider’s annual gross revenue that the provider received from sales in Maine, whichever amount is lower. For a violation in which a provider was explicitly notified by the commission that it was not in compliance and that a failure to comply could result in the imposition of administrative penalties, the commission may impose a penalty that does not exceed $500,000. The commission may also require disgorgement of profits or revenue realized as a result of a violation. The commission may, in an adjudicatory proceeding, suspend or revoke the authority of a provider to provide service upon a finding that the provider is unfit to provide safe, adequate and reliable service at rates that are just and reasonable.

Nevada’s Senate Bill 220

Who and what data are protected?

Consumers who reside in Nevada are protected with respect to their covered information.

Covered information means “any one or more of the following items of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form: … A first and last name … Any other information concerning a person collected from the person through the Internet website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable.”

Compared to the CCPA, the Nevada law defines consumer in a more limited (and more intuitive) way as “a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes”. Also, unlike the CCPA, the Nevada law only protects consumers when seeking or acquiring those things “from the Internet website or online service of an operator.” But like the CCPA, the law lacks any limiting reference to Nevada residents having to be physically located in Nevada to be protected.

The Nevada law’s definition of covered information is more limited compared to the CCPA’s any “information that . . . relates to . . . a particular consumer or household,” because it does not extend to household information and is limited to information collected by an operator online and maintained in an accessible form.

Who must comply?

Unlike the CCPA, only “operators”, as opposed to the CCPA’s broadly defined “businesses”, must comply.

Subject to certain exemptions as noted below, “Operator” means a person who owns or operates an Internet website or online service for commercial purposes; collects and maintains covered information from Nevada resident consumers who use or visit the Internet website or online service; and purposefully directs its activities toward Nevada, consummates some transaction with Nevada or a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.

Like the CCPA, this definition would cover many businesses without a physical presence in Nevada but with a commercial website accessed by Nevada residents.

Similarly to the CCPA, the key exemptions are financial institutions or their affiliates that are subject to the Gramm-Leach-Bliley Act, entities that are subject to the Health Insurance Portability and Accountability Act of 1996, and third parties that operate, host, or manage an Internet website or online service on behalf of its owner; generally, manufacturers of motor vehicles or persons who repair or service motor vehicles are also exempt.

How to comply?

Every operator of an online service purposefully addressed to Nevada consumers must establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer and respond to such requests. There is no language in the text of the bill limiting this obligation to establish a request address and respond to requests to businesses that are currently selling information.

Nevertheless, given that the Nevada law defines “selling” only as exchanging personal information specifically for monetary consideration and for onward licensing or sale, far fewer companies should be affected by the opt-out right than by the CCPA. Most businesses do not sell personal information for monetary consideration. The legislative history indicates that the Nevada bill is targeted at businesses that are selling information for specific monetary consideration. Thus, the definition of “selling” under the Nevada law should be interpreted far more narrowly than the potentially broad interpretation of the CCPA, which could be understood to cover any exchange of personal information for any valuable consideration, monetary or otherwise – and by extension pretty much any contract, given that contracts by definition involve consideration.

First of all, any contracts not involving payments are excluded from the Nevada law. Second, even contracts involving payments are arguably not covered by the Nevada law’s definition of “selling” if the payment is intended for a service and the data sharing is coincidental, given the definitional focus on monetary consideration for information under the Nevada law. This may leave only arrangements whereby online operators are paid specifically for personal information of Nevada-based consumers.

Those operators who currently do sell personal information for monetary considerations should consider stopping the practice, given the increasing hostility to such forms of data monetization. Or, companies can establish a designated address for consumers to opt-out of data selling, respond to opt-out requests within 60 days, and stop data selling when requested.

Most operators must already, under existing Nevada law, provide a website privacy notice with information about their data collection practices. The new requirement to also establish a designated request address must be implemented by establishing an email address, a toll-free number or an Internet website.

Subject to broad exemptions, sale is defined as the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons. The following is exempted from the definition of sale:

  • the disclosure of covered information by an operator to a person who processes the covered information on behalf of the operator
  • the disclosure of covered information by an operator to a person with whom the consumer has a direct relationship for the purposes of providing a product or service requested by the consumer
  • the disclosure of covered information by an operator to a person for purposes which are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator
  • the disclosure of covered information to a person who is an affiliate (controls, is controlled by or is under common control with another company) of the operator
  • the disclosure or transfer of covered information to a person as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the person assumes control of all or part of the assets of the operator

An operator who has received a verified request from a consumer not to sell their personal information shall respond within 60 days after receiving the request and must not sell any covered information collected about the consumer. If the operator determines that an extension is reasonably necessary, the operator may extend the period to respond by not more than 30 days and must notify the consumer of such extension.

Sanctions and remedies

The Nevada Attorney General can bring a civil action for an injunction or penalties up to $5,000 for each violation.

Further resources you may be interested in

Your must-have resource for Global Data Privacy, Baker McKenzie’s 2019 Global Data Privacy & Security Handbook, now combines and consolidates our renowned privacy-related handbooks into one resource. We have revised our content to make it more concise, comparable and practice-relevant while still providing detailed overviews of the increasingly complex and sophisticated data privacy and security standards in around 50 countries.

The post US: Maine and Nevada’s New Data Privacy Laws and the California Consumer Privacy Act Compared appeared first on Global Compliance News.