As we move into 2023, Biometric Information Privacy remains a constantly evolving field, with states enacting new statutes, technology evolving, plaintiffs raising new theories, and cases being filed daily. Keeping up with biometric laws can be a daunting task for these reasons.

On February 7, 2023, we led a webinar looking at some of the recent developments in this ever-changing area of law, and how companies can adapt. Topics included:

  • Questions that have finally been answered, and which areas remain unresolved
  • How to remain in compliance and avoid violations
  • What’s next for information privacy and protection

You can check out the video recording here: The Here and Now of BIPA: Updates and Developments in Biometric Privacy | Seyfarth Shaw LLP

In a January 11, 2023 op-ed published in the Wall Street Journal, President Joe Biden urged “Democrats and Republicans to come together to pass strong bipartisan legislation to hold Big Tech accountable.”  He warned that the “risks Big Tech poses for ordinary Americans are clear. Big Tech companies collect huge amounts of data” about technology users, including “the places we go,” and argued that “we need serious federal protections for Americans’ privacy. That means clear limits on how companies can collect, use and share highly personal data,” including location data.

Potential Privacy Rules—Legislation or Regulation?

With Republicans taking charge in the House of Representatives and Democrats retaining control of the Senate in the upcoming legislative term, it seems an inauspicious time for passage of comprehensive national privacy legislation.  The American Data Privacy and Protection Act had broad bipartisan support and appeared to have momentum in Congress in the latter half of 2022, but foundered in large part due to resistance from California privacy regulators concerned that federal legislation would preempt the California Consumer Privacy Act (CCPA). 

Inaction by Congress is not going to stop privacy regulation in the United States, however, and without a comprehensive national policy, businesses face an increasingly complex patchwork of laws and rules.  In addition to California’s privacy law, enacted by that state in 2018, the Virginia Consumer Data Protection Act took effect on January 1, 2023, and similar laws in Colorado, Connecticut, and Utah will take effect during the year.  Meanwhile, the Federal Trade Commission (FTC) appears poised to issue its own privacy rules after announcing that it was “exploring rules to crack down on harmful commercial surveillance and lax data security” in an August 2022 Advance Notice of Proposed Rulemaking.

The FTC’s notice met fierce opposition from members of Congress and industry participants during the public comment period, which closed in November 2022.  Three Republican senators submitted a letter warning that new FTC privacy rules would “only add to the compliance burden facing small businesses” and that “Congress is the only appropriate venue for developing rules for data privacy and security and to set a truly national standard.”  The Alliance for Automotive Innovation submitted a comment encouraging the FTC to eschew rulemaking in favor of working with Congress to develop a comprehensive national privacy law, while the National Automobile Dealers Association submitted a comment questioning whether privacy issues even fell within the scope of the FTC’s authority to regulate unfair or deceptive acts or practices.

After reviewing the public comments it has received, the FTC may decide to issue a formal notice of proposed rulemaking; at least three FTC commissioners appear to agree that national privacy regulation is needed.  With state privacy laws and potential FTC rulemaking threatening to impose an increasingly heavy regulatory burden on businesses, Congress may have no choice but to act in 2023.

“Big Tech,” Antitrust Enforcement, and Automakers

Meanwhile, as reflected in President Biden’s January 11 op-ed, “Big Tech” remains a bipartisan target of choice for perceived anticompetitive abuses; this focus on “Big Tech” could have an impact on automakers, as well.  In a high-profile November 2, 2022 letter sent to FTC Chair Lina Khan and Jonathan Kanter, head of the Antitrust Division of the U.S. Department of Justice (DOJ), Senator Elizabeth Warren called for increased oversight of “Big Tech’s expansion into the automotive industry,” warning that in her view, technology companies “are leveraging their market power in the mobile operating system, digital app markets, and data infrastructure spheres to become the dominant players in the automotive sphere.”

According to Senator Warren, these companies use “all-or-nothing” bundling tactics to expand their anticompetitive grasp of the automobile market; for example, Google requires automakers to purchase an entire suite of services in order to access popular apps like Google Maps.  She also expressed concern that “Big Tech is also laying the groundwork for potentially anticompetitive uses of data generated by its new role in the automobile industry,” including the development of autonomous vehicles, and warned that if these technology companies use their access to massive quantities of location and other vehicle data “to obtain an advantage over companies that are shut out of the market, the effects will be difficult to reverse.”

Senator Warren urged the FTC and DOJ to exercise their oversight authority to deter such abuses, and to review with skepticism potential acquisitions by “Big Tech” companies of emerging companies developing competing technologies.  Congress substantially increased the budgets of both the FTC and the DOJ Antitrust Division at the end of 2022, and automakers should anticipate increased scrutiny for “Big Tech” partners in 2023.

On 16 November 2022, EU Regulation 2022/2065, better known as the Digital Services Act (“DSA”), came into force. The DSA is a key development in the use of online services in the European Union (“EU”), with an impact on online services as significant as the one which the General Data Protection Regulation (“GDPR”) had upon the collection, use, transfer, and storage of data originating in the EU on 25 May 2018.

Ambit

The DSA sets out rules and obligations for digital services providers that act as intermediaries in their role of connecting consumers with goods, services, and content.  

Its goal is to regulate and control the dissemination of illegal or harmful content online, to provide more consumer protection in online marketplaces, and to introduce safeguards for internet users and users of digital services. It also introduces new obligations for major online platforms and search engines to prevent those platforms from being abused.

Continue Reading The EU Digital Services Act: Overview and Impact

Ransomware attacks have become one of the most common and pervasive cybercrimes perpetrated against U.S. companies. A bad actor, often operating from overseas, gains access to a company’s network and deploys malware onto its network storage or application platforms; the malware then encrypts every file it can reach. A message or text file is usually left behind with instructions on how to contact the attacker and pay a ransom for the decryption key. In the worst case, a ransomware attack can freeze business operations by effectively removing access to the company’s critical systems and rendering them useless. Aside from the business impact, what legal implications does a ransomware attack create?

Privacy

The greatest legal concern is one of privacy. By definition, a ransomware attack involves unauthorized access to the internal systems maintained or owned by a business. However, not all ransomware attacks are created equal, and privacy obligations differ from one attack to another: whether personal data was merely encrypted in place, or was also copied out of the environment before it was encrypted, can change what must be notified and to whom.

Continue Reading Ransomware Attacks – Harmless Annoyances or Catastrophic Events?

We have seen a market driven push for companies to embrace diversity and inclusion (D&I) policies over the last few years, which reflects a key shift in social and cultural norms for many organisations. Increasingly, consumers, staff and senior business leaders expect proactive steps to be taken for D&I objectives. Research demonstrates a strong business case for promoting diversity, although some suggest that viewing it through a lens of fairness is more effective. Regardless of the rationale, there are very sound reasons for companies to be embracing a diverse and inclusive workforce.

In pursuit of this objective, global businesses might assume that diversity reporting obligations apply in Australia in the same way they do in other jurisdictions and that overseas policies will be suitable for use here. With the best of intentions, following guidance from reputable external organisations focussed on general strategies to promote D&I, businesses might default to policies and practices designed overseas.

So what’s the problem? Many companies are unaware of the local compliance issues in Australia that need to be met when collecting diversity data and implementing these programs:

Continue Reading When Good Intentions Fail: Is Your D&I Policy Inadvertently Unlawful?

As we have been covering, the Supreme Court has overturned Roe v. Wade in Dobbs v. Jackson Women’s Health Organization, leaving it to the states to regulate access to abortion within their borders. The Biden Administration’s response to Dobbs is taking shape: it has directed federal agencies to look at what they can and should do to protect women’s health and privacy, and over the last few weeks those agencies have been weighing in.

Initially, during the week of June 27th, we saw the following agency activity:

Continue Reading Federal Government Response to Dobbs Begins to Take Shape

Introduction

On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed mandates for cybersecurity disclosures by public companies. If adopted, these mandates seek to provide investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. SEC chair Gary Gensler noted in a statement regarding the proposed mandates that cybersecurity incidents continue to become a growing risk with “significant financial, operational, legal, and reputational impacts.”

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” – Gary Gensler, SEC Chairperson

Continue Reading SEC Proposes Mandatory Cybersecurity Disclosures by Public Companies

Introduction

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Once implementing rules are in place, the Act will require covered critical infrastructure organizations (discussed below) to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The Act also creates an obligation to report ransomware payments within 24 hours.

According to the Federal Bureau of Investigation’s 2021 Internet Crime Report, released on March 23, 2022, reported cyber incidents rose 7% from 2020, with potential losses topping $6.9 billion. Many of the most threatened organizations fall into the critical infrastructure sector, and in 2021 alone, cyber incidents caused oil and food shortages, as well as supply chain disruptions. With cyber incidents reaching all-time highs in 2021, the legislation is intended to protect U.S. critical infrastructure entities and to support the investigation of cyber crimes going forward. The Act’s stated purpose for the reporting obligations is to ensure that the government can support the response to, mitigation of, and protection against incidents affecting both private and public entities covered by the Act. Within 24 months of enactment, CISA’s Director is required to issue a proposed rule, and must issue a final rule within 18 months after making the proposal. The legislation also authorizes the Director of CISA to issue future regulations to amend or revise that rule.

Covered Entities

While the reporting obligations will not be in effect until the Director of CISA clarifies in the final rule which entities are officially covered, the Act refers to Presidential Policy Directive 21 (2013) to provide some guidance. With reference to the Directive, the industries that might be covered as critical infrastructure entities include: chemical; commercial facilities; communications; critical manufacturing; dams; the defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. The 72-hour reporting obligation is triggered when a covered entity “reasonably believes” that it has experienced a “substantial” cyber incident. Covered entities will also have 24 hours to report any ransom payment, even if the ransomware attack itself does not fall within the defined coverage of cyber incidents. If a covered entity both pays a ransom and suffers a substantial cyber incident, it may submit a single report to CISA.

Covered Cyber Incidents

The Act directs CISA, in the final rule, to include a clear description of the types of substantial cyber incidents that would trigger a reporting obligation. A covered incident, at a minimum, would include a “substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;” a disruption of business or industrial operations, including one due to a denial of service attack on an entity’s network or technology systems; or unauthorized access or disruption to operations caused by a compromised supply chain or service provider. The Act adds that the final rule should also weigh considerations such as the sophistication of the tactics used in the attack, the sensitivity of the data at issue, the number of individuals actually or potentially affected by the attack, and the potential impacts on industrial control systems. In finalizing the rule, CISA’s Director will need to issue regulations regarding which entities and incidents are covered; the manner, timing, and form of reports; and the steps entities must take to preserve relevant information.

The Expanded Role of the Cybersecurity and Infrastructure Security Agency

The legislation expands CISA’s role in managing cyber incident reporting for the U.S. critical infrastructure sector. Among the responsibilities described in the Act are CISA’s oversight of rulemaking, assessment of reported incidents, enforcement, coordination and information sharing with other federal agencies, and advancement of other Federal cyber initiatives. Once the final rule is in effect, CISA will conduct an outreach and education campaign on the current and upcoming cybersecurity initiatives. Some of the initiatives mentioned in the Act are below:

  • Cyber Incident Reporting Council: The Council is to “coordinate, deconflict, and harmonize Federal incident reporting requirements.” It would be led by the Department of Homeland Security in consultation with the Attorney General and other Federal agencies.
  • Ransomware Vulnerability Warning Pilot Program: CISA will be required to implement this program no later than one year after the law’s enactment. The program’s goal, leveraging existing authorities and technologies, will be to develop procedures for identifying information systems at risk for ransomware attacks, and to notify the owners and operators of those vulnerable systems.
  • Ransomware Threat Mitigation Activities: To mitigate ransomware threats, CISA will establish a Joint Ransomware Task Force in consultation with the FBI, the National Cyber Director, and the Attorney General. The task force is “to coordinate an ongoing nationwide campaign against ransomware attacks and identify and pursue opportunities for international cooperation.” In carrying out these responsibilities, there will be a priority on implementing intelligence-driven systems that disrupt cyber criminals. To do so, the task force will consult “with relevant private sector, State, local, Tribal, and territorial governments and international stakeholders to identify needs and establish mechanisms.”

Guidance for Organizations

The Act’s reporting obligations will not take effect until CISA implements a final rule. Companies may get involved in the rulemaking process once CISA publishes the proposed rule in the Federal Register. When the proposed rule is issued within the next two years, public comment will be accepted for a period that typically runs between 30 and 60 days. In the meantime, a company that wishes to notify authorities of malicious cyber activity can use the FBI’s Internet Crime Complaint Center (IC3) or the CISA Incident Reporting System. While waiting for the rule to be drafted, companies should be taking steps to bolster their internal cybersecurity protocols. CISA’s website provides updates, resources, and tools for organizations, as well as individuals, to strengthen their security procedures. The final rule for mandatory reporting may be a few years out, but organizations and individuals should protect themselves and their assets now.

There’s been a lot of debate in mainstream and social media in the past week about major Australian corporates removing pay secrecy clauses from their employment contracts. The Financial Services Union is keeping sustained pressure on employers in that industry to remove the clauses from their employment contracts. The Labor Party has made it known that, if elected, it intends to amend the Fair Work Act to prohibit these kinds of clauses, as part of their commitment to achieving gender pay equity.

The Australian position on pay secrecy clauses is different to that of other leading economies. Pay secrecy clauses have been made legally unenforceable in the United States of America and the United Kingdom, with the worthy aim of decreasing discrimination and disempowerment of employees. In 2021, the European Union also announced a proposal to make pay transparency a binding measure for its member states.

But there are sound reasons for employers to include pay secrecy clauses in employment contracts. As with all complex issues, there are trade-offs that must be considered in arriving at a balanced final position. Requiring employees to keep their pay levels confidential can assist with preventing workplace tension and conflict, particularly in sectors where a significant proportion of pay is discretionary. Pay secrecy clauses can also provide an easy ‘out’ for employees who aren’t comfortable divulging their remuneration to others.

Before making any decisions about removing pay secrecy clauses from your employment contracts, there are some important practical considerations to work through:

  1. What exactly are you prepared to allow? Whilst an employer may be open to removing pay secrecy clauses, there may still be good reasons to moderate employees’ public statements that could potentially damage the employer’s brand or reputation. If appropriate, set clear boundaries around when and with whom employees are permitted to discuss their pay.
  2. Protect employees who don’t want to disclose. How will you ensure that workers who don’t wish to share their private pay information don’t feel pressured to do so? Consider developing a communication policy to guide behaviours and expectations around disclosures.
  3. Quarantine employees’ choices about disclosing their pay from other decision-making processes. Employees must not be dismissed or subject to other adverse action because they have made complaints or enquiries about their pay, or (if pay secrecy prohibitions are introduced) because they have exercised, or propose to exercise, any right to disclose or withhold their pay details. Be clear on the proper process and channels for raising genuine complaints. Consider training your leaders on effectively separating an employee’s disclosure (or not) from other decisions about their access to promotions or other opportunities, disciplinary action or termination, and handling sensitive pay discussions, queries, and complaints appropriately.
  4. Be prepared to answer tough questions about pay gaps. There are good reasons to remove pay secrecy clauses if that is the only way to ensure transparency about pay. Employers can also consider alternative approaches such as providing detailed information about pay that does not identify individual employees. Whichever policy position is taken – arm yourself with knowledge – do pay differentials exist in your workforce? Are there sound merit-based reasons for the gaps, or is gender (or another protected characteristic) the underlying reason, and if so, what is being done to address this? Understanding the reason for gaps in pay, whether based on gender or any other attribute, requires a detailed analysis of data and a regression analysis which can help to flush out causal relationships between gender or other attributes and variable matters such as percentage pay rises or discretionary pay.
  5. Be mindful of privacy obligations. Disclosing details about an individual’s pay data for purposes other than those directly related to the employment relationship with that individual (for example, as part of broader pay equality initiatives) without their informed consent may expose the employer to a privacy complaint. If you need to share pay data, can this be done at an aggregated, anonymised level?

It’s unlikely that removing pay secrecy clauses will resolve gender pay gaps in and of itself – the question is whether it is a necessary step along the way in light of alternative measures that may not have the same unintended consequences. And when well-executed, pay transparency might also be leveraged as a powerful motivational and cultural factor.

In the second program in the 2022 Trade Secrets Webinar Series, Seyfarth partners Jesse Coleman, Dan Hart, and Caitlin Lane discussed how to identify the greatest threats to trade secrets, provided tips and best practices for protecting trade secrets abroad, and covered enforcement mechanisms and remedies internationally and in the US.

As a follow up to this webinar, our team wanted to highlight:

  • US law provides two key statutes with civil remedies for protecting trade secrets where the misappropriation occurs extraterritorially: ITC Section 337 (19 U.S.C. § 1337) and the Defend Trade Secrets Act (18 U.S.C. § 1837), each with different remedies, requirements for applicability, and pros and cons.
  • Employers should ensure that their employment agreements include favorable choice-of-law, venue, and forum-selection clauses to increase the likelihood that any subsequent legal proceeding for trade secret misappropriation occurs in a location that is likely to recognize and protect the company’s intellectual property.
  • Employers should form a well-rounded, strategic approach to global defense of trade secrets and leverage multiple protective mechanisms including restrictive covenants, notice periods, contractual agreements and statutory protections.
  • Restrictive covenants should be tailored for jurisdictional requirements and nuances – one-size does not fit all when it comes to protecting trade secrets across multiple countries.
  • Employers should implement a holistic strategy for protecting trade secrets at every stage of the employment relationship, from onboarding to pre-litigation enforcement efforts post-termination, with coordination between HR, Legal, IT, and other stakeholders within the company.
  • Practical measures should also be taken to protect confidential information and trade secrets, including limiting access to sensitive information, using exit interviews, and (provided that applicable privacy laws are followed) monitoring use of company IT resources and conducting forensic investigations of departing employees’ computer devices.