On March 11th, 2020, Virginia Governor Northam signed the Insurance Data Security Act (the “Act”) — HB 1334 — imposing requirements on all entities regulated by the Virginia Bureau of Insurance (“BOI” or the “Bureau”) to:

• maintain an information security program,
• investigate all cybersecurity events,
• notify the Commissioner of Insurance of cybersecurity events, and
• notify consumers affected by cybersecurity events.

As the federal, state, and local governments and industry grapple with how to respond to and prevent the spread of COVID-19, a group of senior Republican senators recently announced consumer privacy legislation designed to protect personal “covered data” collected from consumers relating to personal health, geolocation, and proximity. The proposed legislation is a response to contact tracing solutions aimed at tracking the virus and those who may have been exposed to it.

The COVID-19 Consumer Data Protection Act of 2020

Senate Commerce Committee Chairman Roger Wicker (R-MS), Communications, Technology, Innovation, and the Internet Subcommittee Chairman John Thune (R-SD), Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee Chairman Jerry Moran (R-KS), and Senator Marsha Blackburn (R-TN), who sits on both the Commerce and Judiciary Committees, introduced the COVID-19 Consumer Data Protection Act of 2020 (the “Act”) on May 7. According to the sponsors, the legislation is intended to provide consumers more transparency, choice, and control over the collection and use of their personal data, and to hold businesses accountable to consumers if these businesses use personal COVID-19-related data for purposes unrelated to the pandemic. As Subcommittee Chairman Moran stated, “while many businesses have taken well-intentioned steps to develop technological solutions to tracking, containing and ending the COVID-19 pandemic, Congress must address potentially harmful practices that could stem from these innovations if not held accountable.”

The COVID-19 pandemic has impacted nearly every facet of society in unpredictable ways, and the laws and regulations governing calls and text messages are no exception. The Federal Communications Commission (FCC) issued a recent declaratory ruling clarifying when calls and text messages relating to COVID-19 are permissible under the TCPA’s “emergency purposes” exception, but most businesses will not be able to rely on that exception. In certain states, COVID-19 state-of-emergency declarations have triggered widespread restrictions on telemarketing. In non-COVID-19 news, debate continues over what constitutes an “automatic telephone dialing system” (ATDS) under the TCPA, and — in a surprising turn of events — the 2nd U.S. Circuit Court of Appeals has joined the 9th Circuit in adopting a broad definition.

Due to the COVID-19 pandemic, 42 states, Puerto Rico and the District of Columbia have adopted shelter-in-place or similar orders. As a result, more employees than ever before are working from home. This sudden increase in telework has created new challenges for employers, including balancing the need to protect their trade secrets and confidential information, with the need to ensure that employees can work effectively from home. This article discusses the unique risks to trade secret protection created by telework arrangements and suggests ways employers can mitigate those risks.