As we have discussed here previously, the coronavirus outbreak has driven many companies further into the digital workplace, putting new strains on information technology systems and related privacy and security compliance controls. Despite these burdens on companies, few regulators have offered relief from their privacy and security requirements. As detailed below, while the Securities and Exchange Commission (“SEC”), the Department of Health and Human Services (“HHS”), and the New York Department of Financial Services (“NYDFS”) are offering some relief from regulatory requirements, the broader trend is for regulators on both sides of the Atlantic to maintain, and even heighten, data privacy and security compliance expectations.
Given the implications of the current crisis on the safeguarding of protected health information (“PHI”), HHS has been very active in issuing guidance on health data privacy and security compliance, issuing limited waivers in some cases, while reinforcing the importance of regulatory compliance outside of these exceptions.
HHS issued a limited waiver of penalties, effective March 15, 2020, for covered entities’ failure to comply with certain Health Insurance Portability and Accountability Act (“HIPAA”) requirements, including the requirement to obtain a patient’s permission to speak with family members or friends involved in the patient’s care, the requirement to distribute a notice of privacy practices, and the patient’s right to request privacy restrictions. The waiver applies to providers located in any emergency area identified in a public health emergency declaration that have implemented disaster protocols, for up to 72 hours from the time a hospital makes that declaration.
Additionally, HHS’s Office for Civil Rights (“OCR”) announced on March 30, 2020 that it will not impose penalties against covered health care providers that use telehealth platforms that may not comply with the HIPAA Privacy Rule during the coronavirus pandemic.
On April 2, 2020, the OCR issued a Notification of Enforcement Discretion, which states that HHS will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule for uses and disclosures of PHI by HIPAA-covered business associates for public health and health oversight activities related to the coronavirus pandemic. This enforcement discretion will be exercised if, and only if: (i) the disclosure or use is made in “good faith” for public health activities and health oversight activities; and (ii) the business associate informs the covered entity within ten days after the use or disclosure occurs.
Most recently, on April 9, 2020, the OCR issued an additional Notification of Enforcement Discretion to lift potential HIPAA penalties for noncompliance by certain covered health care providers, including some large pharmacy chains, and their business associates that choose to participate in the operation of a Community-Based Testing Site (“CBTS”), which includes mobile, drive-through, or walk-up sites that only provide coronavirus specimen collection or testing services to the public in good faith. This exercise of enforcement discretion was effective immediately on April 9, 2020, and applies retroactively to March 13, 2020.
Notwithstanding these limited exceptions, the OCR issued a February 2020 bulletin emphasizing that covered entities and their business associates must continue to comply with HIPAA’s data privacy and cybersecurity rules when sharing protected health information.
While the SEC has not issued any specific relief from data privacy or security expectations, the SEC did issue an order on March 25, 2020 that provides companies that are unable to comply with their filing obligations as a result of the coronavirus with additional time to file certain reports that would otherwise have been due between March 1 and July 1, 2020 (expanding on a similar order issued March 4). For more detail on the SEC’s Order and disclosure considerations, consult Davis Polk’s March 26 client memo.
The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) also issued a March 23, 2020 statement encouraging registered entities to take advantage of regulatory relief programs, and stating that reliance on such programs will not be used as a risk factor in determining whether to commence an examination. In addition, the OCIE stated that it is conducting examinations off-site whenever possible and will work with registrants on the timing of its requests, the availability of registrant personnel, and other matters to minimize disruption.
In contrast to the federal agencies, California has indicated it will not offer any relief from upcoming California Consumer Privacy Act (“CCPA”) enforcement plans. An advisor to the Office of the California Attorney General has stated that the Attorney General’s office does not intend to delay enforcement of the CCPA, which went into effect on January 1, 2020 and for which enforcement begins on July 1, 2020, despite calls by businesses and advertising trade groups for the California Attorney General to delay enforcement. The advisor expressed a commitment to enforcing the law starting July 1 and encouraged businesses to be particularly mindful of data security given the health crisis.
On top of the impending Attorney General enforcement, businesses must remain mindful of the private right of action under Cal. Civ. Code § 1798.150 for unauthorized access and disclosure of personal information, which litigants are already using, including in a March 30, 2020 class action lawsuit alleging CCPA violations by a videoconferencing company.
New York’s Attorney General, Letitia James, has given no indication that she would delay enforcement of the March 21, 2020 requirement that companies that own or license data of New York residents must implement “reasonable” data security administrative, technical and physical safeguards as part of the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”). See our prior blog post here for more information about these SHIELD Act requirements.
In contrast, the NYDFS is offering some relief, having announced that it has extended the deadline for submitting a Certification of Compliance with its cybersecurity requirements (23 NYCRR Part 500) from April 15, 2020 to June 1, 2020.
Even as it extended this deadline, the Superintendent of the NYDFS, Linda A. Lacewell, issued an order on March 12, 2020 emphasizing that regulated entities that move to remote working arrangements are expected to continue to maintain appropriate safeguards and controls relating to data protection and cybersecurity.
Further to this directive, the NYDFS issued an April 13, 2020 industry letter to regulated entities highlighting several coronavirus-related risks that regulated entities should consider as part of their obligations under 23 NYCRR Part 500, and reiterating the requirement for regulated entities to report cybersecurity events within 72 hours pursuant to 23 NYCRR Section 500.17(a). Measures highlighted by the NYDFS for addressing these risks include:
- Making remote access as secure as possible, including through multi-factor authentication and encryption of data in transit;
- Securing company-issued devices through mobile device management and endpoint detection technology;
- Ensuring compensating security controls where employees are using personal devices for company activities;
- Configuring video- and audio-conferencing technology to prevent unauthorized access and issuing training to employees on use of this technology;
- Reminding employees not to use personal communication tools, such as email accounts, for sharing of nonpublic information;
- Reminding employees of increasing fraud and phishing attempts and revisiting training and authentication protocols given remote work conditions; and
- Coordinating with critical vendors to ensure they are adequately addressing coronavirus-related risks.
The European Union, like California, has indicated no change to its enforcement plans.
On March 19, 2020, the European Data Protection Board (the “EDPB”) adopted a formal statement on the processing of personal data in the context of the coronavirus outbreak in which it reinforced the importance of compliance with the EU General Data Protection Regulation (the “GDPR”). Article 6(1)(d)-(e) and Article 9(2)(c) and 9(2)(g)-(i) of the GDPR account for epidemics, including by providing the legal grounds that enable employers and public health authorities to process personal data without the need to obtain the consent of the data subject. For example, Article 9(2)(g) and 9(2)(i) of the GDPR apply when the processing of personal data is necessary for employers for reasons of public interest in the area of public health, to protect vital interests, or to comply with another legal obligation.
With some Member States’ governments seeking to monitor the spread of coronavirus by using mobile location data, the EDPB also stated that the least intrusive measures should be adopted. Should more invasive measures, such as the tracking of individuals, be implemented, such methods should be subject to greater cybersecurity procedures and safeguards, including providing individuals using electronic communication services the right to a judicial remedy, with companies assessing the proportionality of the measure in terms of duration and scope, limited data retention, and purpose limitation.
- Consider applicability of extended deadlines and limited waivers. Public companies and NYDFS-regulated entities may be entitled to additional time to submit filings regarding cybersecurity risks. HIPAA-regulated entities may also be entitled to waivers of data-sharing and telehealth requirements.
- Review cyber and privacy risk disclosures. Given the impact of transitioning to remote working environments, businesses should consider updates to data privacy and security risk disclosures and ensure continuity of controls on material nonpublic information disclosures.
- Ensure CCPA and SHIELD Act compliance. Although aspects of these laws have gone, or are due to go, into effect during the current crisis, regulators have given no indication of relaxed requirements or enforcement. In particular, businesses subject to the CCPA should ensure that compliance processes are in place by the enforcement start date of July 1, 2020.
- Despite court closures, data breach civil litigation risks persist. With the FBI reporting that cyberattacks are on the rise during the coronavirus outbreak, businesses should remain aware that data breaches may trigger civil litigation from affected customers or shareholders, including under the CCPA.
- Continue to monitor for updated governmental guidance. With the legal world in flux as it continues to respond to the coronavirus outbreak, it will be important for companies to monitor governmental guidance regularly for any updates regarding cybersecurity and data privacy regulations. Continue to follow this blog, the Davis Polk Coronavirus Updates page, and the Davis Polk Coronavirus Updates blog, and reach out to your Davis Polk contact for further assistance.
Law Clerk Marissa Elena Bannon contributed to this post.