Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

State Actions:  

• California Advances Privacy and Cyber Regulations:
  • CPPA Releases Revised Draft Cybersecurity Audit Regulations: The California Privacy Protection Agency (“CPPA”) released a revised draft of the regulations governing cybersecurity audits under the California Privacy Rights Act (“CPRA”). The revised draft applies to businesses that have a certain (yet to be defined) annual gross revenue and meet one of three forthcoming thresholds based on the amount of personal information, sensitive information, or children’s information that the business processes annually. The revised draft also requires cybersecurity audits to assess and document any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect consumers. As with the ADMT proposal, below, the CPPA has not yet started the formal rulemaking process and these revised regulations are solely meant to facilitate discussions within the CPPA board and the public.
  • CPPA Releases Revised Draft Automated Decision-Making Technology Regulations: The CPPA published draft regulations governing automated decision-making technology (“ADMT”) under the CPRA. The draft regulations propose a broad definition for ADMT that includes any system, software, or process that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decision-making. The draft regulations provide consumers with the right to access information about a business’s use of ADMT and opt-out of uses of ADMT for decisions that produce legal or similarly significant effects or that involve profiling: (1) in their capacity as an employee, student, job applicant, or independent contractor; or (2) in a publicly accessible place. The draft regulations also require businesses to provide notice about a business’ use of ADMT, the purposes for using the ADMT, and the consumer’s rights to access or opt-out.
  • Data Broker Registration with CPPA to Begin: As of January 1, 2024, data brokers will be required to register with the California Privacy Protection Agency (CPPA) instead of the California Attorney General’s Office. This is one of the modifications to California’s existing data broker law made by the California Delete Act. Data brokers must register with the CPPA by January 31, following each year in which they meet the definition of a data broker.
  • California Bar issues AI Guidance for Attorney Use of AI Tools: The California State Bar’s Committee on Professional Responsibility and Conduct issued guidance regarding use of generative AI in the practice of law.  Entitle “Practical Guidance for the Use of Generative Artificial Intelligence in the Practice of Law,” the guidance sets forth the initial recommendations of the Committee on such topics as client confidentiality, attorney competence and billing arrangements.
• Colorado approves GPC as Opt-Out Mechanism: On December 28, 2023, the Colorado Attorney General’s Office published its list of recognized universal opt-out mechanisms (UOOMs), a requirement under the state’s privacy law. Controllers subject to the Colorado Privacy Act must recognize those UOOMs by July 1, 2024. The Office’s list identifies only one acceptable UOOM – the Global Privacy Control (GPC). The Office also issued a GPC implementation guide for publishers.  If your business is subject to the CPA, it must begin to honor GPC signals.
• Other State Privacy Laws Go Into Effect: The new year will bring two new data privacy laws into effect – the Utah Consumer Privacy Act (UCPA) and Oregon’s data broker registration law (HB 2052).
  • Utah: The UCPA (effective December 31, 2023), is one of the more business-friendly data privacy laws passed to date. The law has one of the highest applicability thresholds of any consumer data privacy law, applying to controllers or processors that (1) conduct business in Utah, (2) have annual gross revenues of $25,000,000 or more, and (3) either process the personal data of 100,000 or more state residents in a calendar year or derive 50% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah residents. Unlike many of the other state data privacy laws, the UCPA does not require consent to process sensitive data but rather requires only notice and an opportunity to opt out. It also does not require controllers to conduct data protection assessments for high-risk processing activities.
  • Oregon: In Oregon, HB 2052 requires data brokers to register with the Department of Consumer and Business services as of January 1, 2024. The Department published temporary rules in late November. The law defines “data broker” as “a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person.”
• New Jersey passes comprehensive state privacy law: The New Jersey Legislature approved the state’s comprehensive privacy bill, Senate Bill 332. Notably, SB 332 contains attorney general rulemaking authority as well as provisions for universal opt-out mechanisms and children’s privacy provisions. The bill still requires governor approval and is likely not to take effect until 2025 at the earliest.
• New York Takes Enforcement Actions:
  • NYDFS settles with First American Title Insurance Company – The New York State Department of Financial Services (DFS)  announced that First American Title Insurance Company (First American) will pay a $1 million penalty to New York State for violations of DFS’s Cybersecurity Regulation stemming from a large-scale cybersecurity breach discovered in May 2019. In May 2019 when First American senior management learned of a vulnerability in the application whereby any individual in possession of the link used to access EaglePro could access not only their own documents without authentication, but also those of individuals in unrelated transactions. DFS’s investigation found that, in violation of the Department’s Cybersecurity Regulation, First American failed to maintain and implement effective governance and classification, access controls and identity management, and risk assessment policies and procedures. As a result, EaglePro lacked sufficient access controls designed to prevent unauthorized users from gaining access to consumers non-public information. In addition to penalties, the company has agreed to implement significant remedial measures to better secure consumer data.
  • NY Attorney General reaches $400K Settlement, Other Action with Healthplex – On December 8, 2023, New York Attorney General Letitia James reached a $400,000 settlement and Assurance of Discontinuance with third party dental administrator Healthplex following the investigation of a November 24, 2021 phishing attack against Healthplex where the threat actor gained access to an email account of a Healthplex employee containing over twelve years of email, including enrollment information of insureds. The investigation determined that the threat actor had access to the employee’s account for less than one day, but during that time, may have had access to member data, including personal information. The New York Attorney General found that Healthplex’s data security measures were insufficient prior to the incident as O365 accounts did not enable multi-factor authentication at the time, and the logs were unable to determine which emails were accessed by the threat actor.

Regulatory: 

• SEC’s Material Cyber Incident Disclosure Rules Take Effect: The Security and Exchange Commission (“SEC”)’s new Form 8-K rules for reporting material cybersecurity incidents went into effect this month for filers other than smaller reporting companies. The new rules require reporting to the SEC within four business days from the determination of materiality. Incident response will potentially become more complicated as timely compliance with the new Form 8-K requirements will now need to be considered.
• HHS Announces Next Steps To Enhance Health Care Cybersecurity: On December 6, 2023, the United States Department of Health and Human Services released a concept paper outlining the Department’s strategies for improving cybersecurity in the health care field. The paper details four pillars for action that include “publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the health care sector. The efforts are aimed at stemming the increasing frequency of cybersecurity incidents affecting health care institutions (which saw a 93% increase in large breaches and a 278% increase in large breaches involving ransomware). 

• S. Department of Defense (DOD) Publishes Rule on Cybersecurity Maturity Model Certification (CMMC) Program: The DOD announced a new rule to codify CMMC 2.0, a framework published by the DOD in 2021. The CMMC program rule will apply to all DOD subcontractors and contractors that process, store or transmit Federal Contract Information or Controlled Unclassified Information on contractor information systems. CMMC generally contains tiers with differing cybersecurity requirements depending on the type of information involved. The rule also outlines a phased approach to implementation. 

• CFPB Director Addresses Privacy Protections: Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra recently issued public comments on the agency’s notice of proposed rulemaking (NPRM) restricting how financial institutions handle consumer data. The “Personal Finance Data Rule” would give consumers the right to control their data, including allowing consumers to switch providers more easily and more conveniently manage accounts from multiple providers. CFPB anticipates that the rule will accelerate a shift toward open banking, where consumers would have control over data about their financial lives and would gain new protections against companies misusing their data.  The final rule is expected in fall 2024.

• FCC Adopts New Data Breach Notification Rules for Safeguarding Information: The Federal Communications Commission adopted rules on December 13, 2023, to modify their prior data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol, and telecommunications relay services safeguard sensitive customer information. The scope of the prior laws has been expanded to cover certain personally identifiable information that carriers and TRS providers hold, as well as expands the definition of “breach” to include inadvertent access, use, or disclosure of customer information. Carriers and TRS providers are also required to now notify the Commission of breaches.
• FTC Proposes Rule to Increase COPPA Privacy Requirements: On December 20, 2023, the FTC proposed a rule to increase the Children’s Online Privacy Protection Act’s (COPPA) privacy requirements. This is the FTC’s first proposed rulemaking since 2013. COPPA currently requires companies to obtain parental consent to collect data from children under 13, but the proposed rule would require targeted advertising opt-ins, increased data retention limits, enhanced data security requirements. The proposed rule would also allow schools and school districts to authorize ed-tech providers to collect children’s data. [FTC’s Proposed Rule).

Litigation & Enforcement: 

• FTC Settles on Rite Aid Complaint in First AI-Bias Settlement: the Federal Trade Commission (“FTC”) announced its settlement of an enforcement action against retail pharmacy chain Rite Aid over alleged violations of Section 5 of the FTC Act (Section 5) stemming from its use of facial biometric technology. The Rite Aid matter provides several key takeaways for managing the significantly increased risks that now exist in connection with heightened FTC scrutiny over the commercial use of artificial intelligence and biometric technologies. Under the settlement, Rite Aid is banned from using AI for five years and thereafter must comply with the governance program in the parties’ consent order. [Consent Order].

• HHS-OCR Settles First Ever Phishing Cyber-Attack Investigation: On December 7, 2023, U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with a Louisiana medical group specializing in emergency medicine, occupational medicine, and laboratory testing, following the investigation of a phishing attack that affected the electronic protected health information of approximately 34,862 individuals. This marks the first settlement OCR has resolved involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA). OCR’s investigation revealed that, prior to the 2021 reported breach, the medical group failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic protected health information across the organization and had no policies or procedures in place to regularly review information system activity to safeguard protected health information against cyberattacks. As a result, the medical group agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years.
• No Art. III Standing in Private Mode Tracking Case: The United States District Court for the Western District of Washington recently dismissed a class action lawsuit alleging invasion of privacy and related claims against Microsoft.  The plaintiffs alleged that Microsoft, through its Edge internet browser, improperly and “surreptitiously” collected data about users’ browsing history, internet searches, and shopping behavior and linked it with “unique user identifiers.”  The plaintiffs claimed this also occurred when using Edge’s “private” mode.  The court dismissed the case because the plaintiffs lacked standing.  With respect to the privacy-focused claims, the court held that the plaintiffs’ browsing history, internet searches, and shopping behavior was not considered personal, private, or sensitive information.  Turning to the plaintiffs’ claims that the data was their property and Microsoft’s collection caused a diminution in value, the court also rejected the plaintiffs’ standing on that claim.  The court found that the plaintiffs did not allege how the collection of the relevant data caused them to lose value or economic benefit.

International Updates:

• EU Reaches Agreement on Artificial Intelligence: On December 8, 2023, the European Union reached a political agreement on the landmark first-of-its-kind Artificial Intelligence Act. The Act, briefly summarized below, is the world’s first comprehensive regulation of artificial intelligence and is based on risk and harm categorizations:
  • Application: The Act will apply to public and private actors inside and outside the EU if the AI system is placed in the EU market or affects people located in the EU. The Act will apply to AI developers as well as vendors that use, but did not themselves develop, AI systems.
  • Risk Categorization: The Act takes a risk-based approach, assigning levels of risk for AI-systems (minimal, high, unacceptable risk). The risk classification structure is based on the intended purpose of the AI system and depends on the function performed by the AI system and on the specific modalities for which the system is used. The risk categorization process will include evaluation of how the AI system may threaten fundamental rights or lead to bias/discrimination.
  • Enforcement & Penalties: After adoption by the European Parliament and the Council, the Act will be fully applicable 24 months after entry into force, with a graduated approach that includes Member States gradually phasing out prohibited systems. The Act sets forth penalties for infringement and non-compliance not to exceed 35 million Euros or 7% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Industry Updates:

• U.S. Senate Confirms Cyber Director: The Senate in December confirmed Harry Coker to lead the Office of the National Cyber Director at the White House. Coker is replacing Chris Inglis, who retired in February of 2023. After his confirmation, Coker spoke favorably about the efforts of the Cybersecurity and Infrastructure Security Agency to push “secure-by-design”—which looked to shift responsibility for cybersecurity from end-users to software and hardware developers and manufacturers. He added that focus on the marketplace needs to be more on “secure-to-market” instead of just on “first-to-market” and that government incentives should be used to shape that change.
• FBI Disrupts BlackCat/ALPHV Ransomware Group: The notorious BlackCat/ALPHV ransomware gang suffered an outrage of its negotiation and data leak sites after the FBI was able to breach some of the group’s servers. This allowed the FBI to also monitor the group’s activities and obtain decryption keys for approximately 500 victims. The gang has since wrestled control of its domain back, but the extent to which its operations are able to recover is questionable. This allowed for the avoidance of payment of $68 million in ransom payments. The FBI estimates that this group has demanded over $500 million in ransom payments and made $300 million in actual ransom payments from more than 1,000 victims.