Overlapping authority in cybersecurity enforcement actions creates risk
The risk of overlapping jurisdiction in the data protection space increases both with the frequency of reported breaches and the adoption of new data protection regimes in the various states.
Data protection regulation in the United States is famously fragmented. A patchwork of federal and state requirements overlap, and periodically conflict, when it comes to the protection of consumer data. And these overlapping regulatory regimes do not even agree when it comes to the definition of “consumer.”
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), defines a “consumer” as “a California resident,” whether that person is acting in a personal or business capacity, even in the employment arena. Realizing the broad reach of this definition, the California Legislature included a carve-out in an early amendment to CCPA that excluded employment-related and certain business-to-business information from the scope the Act.
This carve-out was extended, but is now set to expire at the end of 2022, which will vastly expand the definition of “consumer” rights under CCPA. By contrast, more recent state-law data protection regimes, such as the Virginia Consumer Data Protection Act, effective Jan. 1, 2023, restrict protections to consumers “acting in an individual or household context [and not] in a commercial or employment context.”
Hence, an organization subject to these two regimes will be forced, as of Jan. 1, 2023, to treat the personal information of California employees differently from that of Virginia employees. Such complexity is, of course, anathema to the goal of creating a uniform data protection program across an organization. The same holds true in relation to regulatory enforcement concerning the security of personal information.
In this fractured legal landscape, an organization can potentially have many masters when it comes to securing personal data and the systems in which such data is processed. Hence, a single reported data breach can bring with it the risk of multiple regulators investigating and potentially seeking relief against the breached organization.
In this regard, regulatory notice of a data breach to state authorities, currently required in over 30 states, can be a risky endeavor. Many states publicly release the details of a reported breach, regardless of how small the incident was or whether it involved any demonstrable harm to consumers. And certain authorities regularly initiate investigative action with reported breaches, for example via a data request, seeking more detail concerning the incident.
This overlapping authority and jurisdiction can lead to so-called “piling on,” where one investigation by or settlement with a regulatory authority is followed by another. Case in point, the recent EyeMed consent order, entered into by EyeMed Vision Care—a provider of vision benefits—and the New York State Department of Financial Services (DFS) as of Oct. 18, 2022 (the EyeMed Consent Order).
EyeMed is licensed by DFS to sell health insurance in New York, and therefore subject to DFS’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500. Part 500 became effective on March 1, 2017 and, as DFS notes in the EyeMed Consent Order, was a “first in the nation” regulatory attempt on the state level to set uniform cybersecurity standards for an industry with nationwide reach.
DFS adopted Part 500 without a specific mandate by the New York State Legislature. DFS’s authority to do so has not been litigated, but given the trend toward more regulation in the data protection space and the risks inherent in challenging the authority of a core industry regulator, such action seems unlikely at best.
The EyeMed Consent Order stands out as one of the largest fines issued by DFS under Part 500: $4.5 million. It also marks the first reported instance of DFS obtaining a fine and other mandatory relief against an organization that had previously been subject to a fine—of $600,000, no less—and mandatory relief obtained by another New York State agency, specifically the New York Attorney General.
The Attorney General’s authority in relation to data protection sprang originally from the state’s unfair and deceptive acts and practices (UDAP) statute, N.Y. Gen. Bus. Law §349, but was recently expanded by N.Y. Gen. Bus. Law §899-bb, which was adopted as part of the N.Y. SHIELD Act and became effective in March 2020. Under §899-bb, at least on the statute’s face, the attorney general has authority over any organization worldwide that processes the defined “private information” of even a single New Yorker.
DFS’s jurisdiction is more limited, reaching to those organizations that operate or are required to operate “under a license […] or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.” See 23 N.Y.C.R.R. §500.01(c). This includes, of course, insurance providers such as EyeMed, but also state-chartered banks, mortgage lenders, law firms that issue title insurance, and even retailers that offer service plans, such as on a new smart device or vehicle.
The EyeMed settlements are remarkable not only for their size; they also demonstrate the risks inherent in serving multiple regulatory masters when it comes to data protection. The DFS Consent Order and the Attorney General’s Assurance of Discontinuance with EyeMed, although similar in general form and content, diverge from each other materially.
In relation to the larger DFS penalty, EyeMed agreed to neither seek a tax deduction nor credit in relation to the penalty, despite what DFS noted as EyeMed’s “commendable cooperation throughout [the]investigation.” See In re EyeMed Vision Care, New York State Department of Financial Services Consent Order ¶ 46.
Further sharpening the impact of the penalty, EyeMed agreed to neither seek nor accept “directly or indirectly, reimbursement or indemnification with respect to payment of the penalty amount, including but not limited to, payment made pursuant to any insurance policy.” See id. at ¶ 44. Regulatory fines, however, can be insurable in New York, depending on the circumstances. See J.P. Morgan Sec. v. Vigilant Ins. Co., 37 N.Y.3d 552, 564 (2021) (“[W]here a sanction has both compensatory and punitive components, it should not be characterized as punitive in the context of interpreting insurance policies.”).
By contrast, neither the form Assurance of Discontinuance used by the New York Attorney General, nor the general form of UDAP consent order used by the Federal Trade Commission, include such a provision.
The EyeMed Consent Order and Assurance of Discontinuance also differ in the non-monetary relief sought, applying different requirements to many of the same elements of EyeMed’s information security program. Indeed, in relation to the program itself, the DFS Consent Order requires a program compliant with Part 500, whereas the Assurance of Discontinuance requires a program compliant with N.Y. Gen. Bus. Law §899-bb.
These two regimes do overlap considerably, but the fact remains that the EyeMed program, like any information security program subject to both Part 500 and §899-bb, will have to speak the languages of both regimes, and satisfy DFS and the Attorney General respectively, in the event of regulatory scrutiny.
Commendably, §899-bb attempted to address this complexity, by providing that an entity subject to and compliant with one of a select number of overlapping data protection regimes, among which Part 500 is included, could, by way of such compliance, satisfy the requirements of §899-bb. Such a “compliant regulated entity,” as defined in §899-bb, is only “compliant” until it is not, however.
Notably, EyeMed had certified compliance with Part 500 to DFS as required under those regulations for four years prior to its breach, but was determined in the Consent Order to be non-compliant in each such year.
Adding to this complexity, the Federal Trade Commission can up the regulatory ante by submitting proposed settlements for public review and comment. This has been seen, most recently, in the proposed Drizly settlement, which arose out of the theft of personal information of approximately 2.5 million Drizly customers.
The proposed Drizly settlement was made available on Oct. 24, 2022 for a 30-day public comment period. The proposed Drizly consent order does not contain a monetary payment but, remarkably, requires any business where the current Drizly CEO, James Cory Rellas, is or becomes a majority owner, or is employed or functions as a chief executive officer or other senior officer with responsibility for information security, in the next 10 years to ensure that its information security program complies with the consent order, including annual evaluation and adjustment of the security safeguards applied in that program.
This is a marked escalation of potential enforcement by the FTC in the data protection space, and represents yet another divergence from the path taken by parallel regulators such as DFS and the New York Attorney General.
It remains to be seen whether any EyeMed-related settlement is forthcoming from the FTC, but the risk of overlapping jurisdiction in the data protection space increases both with the frequency of reported breaches and the adoption of new data protection regimes in the various states. In this regard, the “piling on” risk demonstrated by the EyeMed settlements will remain a facet of U.S. data protection law for the foreseeable future.
Paul Greene is partner and chair of the privacy and data security practice group at Harter Secrest & Emery. He can be reached at fgreene@hselaw.com.