Employers with operations in California should be aware of the California Consumer Privacy Act (“CCPA”), a new privacy law that applies to data collected about California-based employees.   HR professionals should be aware that, although the CCPA refers to “consumers,” as currently drafted the CCPA’s definition of a “consumer” will apply to California-based employees.

Which employers will have to comply with the CCPA?

Employers with employees in California will need to comply with the CCPA if their business falls into one of the following three categories:

1. Their business buys, sells, or shares the “personal information” of 50,000 “consumers” or “devices”;

2. Their business has gross revenue greater than $25 million; or

3. Their business derives 50% or more of its annual revenue from sharing personal information.

What are the key implications of having to comply with the CCPA?

The Employers who

Bryan Cave is proud to present the third version of our in-house counsel’s guide to data privacy and security. The guide provides an overview of laws relevant to a variety of data matters topics, statistics that illustrate data privacy and security issues, and a breakdown of these data-related issues. It covers a range of privacy and security issues that apply in the HR and employee benefits areas, including HIPAA compliance and enforcement.

You may download a copy of the 2018 guide by clicking here.

The facts surrounding the Anthem breach continue to evolve as does Anthem’s handling of the situation.

Based on the current status of the investigation, and Anthem’s current reactions to the incident, there are steps which group health plan sponsors should consider taking to fulfill their own HIPAA and fiduciary obligations with respect to group health plans affected by the Anthem breach. These steps include the following:

• Have business associate agreements and other relevant documents reviewed to assess the plan sponsor’s rights and obligations with respect to the breach.
• Request from Anthem:
  • additional information about the breach;
  • confirmation concerning the steps that will be taken to protect the plan sponsor’s employees and affected individuals;
  • more extensive victim protection, client indemnification, and paid notification than Anthem is currently proposing to offer; and
  • confirmation that any state notification requirements will be satisfied on behalf plans