Dechert Cyber Bits - Issue 38

Dechert LLP

Articles in this issue

  • SEC Finalizes Cybersecurity Disclosure Rules for Public Companies
  • U.S. Regulators Target Hospitals and Telehealth Providers Using Online Tracking Tech
  • Highlights from the California Privacy Protection Agency Board’s July 2023 Meeting
  • California’s Attorney General Announces New Enforcement Sweep Under California Consumer Privacy Act Aimed at Employers

SEC Finalizes Cybersecurity Disclosure Rules for Public Companies

On July 26, 2023, the Securities and Exchange Commission (“SEC”) voted to adopt new rules requiring public companies to make certain disclosures regarding material cybersecurity incidents and periodic disclosure of a company’s cybersecurity risk management, strategy and governance in annual reports (the “Final Rule”). The Final Rule is largely similar to the rules proposed by the SEC in March 2022, with some significant changes, outlined below.

New Form 8-K Item 1.05 will require companies to disclose any cybersecurity incident they determine to be “material” and to describe the material aspects of its nature, scope and timing and the incident’s impact or reasonably likely impact. This disclosure must be filed within four business days of determining an incident was material, which a company must do “without unreasonable delay.” New Regulation S-K Item 106 will require companies to describe in annual reports their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats and whether the threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition. Item 106 will also require companies to describe the board’s oversight of and management’s role in assessing risks from cybersecurity threats; foreign private issuers (“FPIs”) must make a similar disclosure on Form 20-F. FPIs must also furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.

The Final Rule applies to public companies, including smaller reporting companies, foreign private issuers, and business development companies, but does not apply to investment companies registered under the Investment Company Act of 1940. The Final Rule will become effective 30 days following publication in the Federal Register. Disclosures on Form 10-K and Form 20-F will be required beginning with annual reports for fiscal years ending on or after December 15, 2023. Disclosures on Form 8-K and Form 6-K will be required beginning on the later of December 18, 2023, or 90 days after the date of publication in the Federal Register. Smaller reporting companies will have 270 days after the date of publication in the Federal Register or until June 15, 2024, whichever is later, before they must begin providing the Form 8-K disclosure.

A Dechert OnPoint that discusses the Final Rule in greater detail is forthcoming.

Takeaway: Once effective, the Final Rule will significantly expand issuers’ cybersecurity disclosure obligations. In addition, the four business day filing requirement will impose an increased burden on companies during what likely is a crisis situation. Companies will want to review their cybersecurity disclosure procedures to ensure conformity with rule requirements, while also considering the level at which the new disclosure requirements can be satisfied without endangering their cybersecurity programs. As we have noted previously, it is often difficult for companies to assess materiality so soon after a breach. The “facts” as presumed in that early period are often very different once a forensic exam is completed, and a good forensic exam takes time. Companies will need to work closely with counsel and the engaged forensic firm to determine materiality. The notice obligation kicks in four business days from when that determination is made, not from the moment a company determines there was a breach.

U.S. Regulators Target Hospitals and Telehealth Providers Using Online Tracking Tech

On July 20, 2023, the U.S. Federal Trade Commission (“FTC”) and the Office for Civil Rights of the U.S. Department of Health and Human Services (“HHS”) sent a joint letter to approximately 130 hospital systems and telehealth providers, cautioning them about privacy and security risks related to the use of online tracking technologies on their websites and mobile applications.

In the letter, the agencies highlighted their concern that by embedding online tracking technologies into websites and apps, such companies may be automatically collecting users’ sensitive personal health information without their knowledge and unlawfully disclosing such information, which may include health conditions, diagnoses, medications and medical treatments, to third parties without users’ permission. The agencies emphasized the legal risks under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) associated with the use of online tracking technologies in the healthcare sector. The agencies asserted, however, that even for healthcare companies and platforms to which HIPAA does not apply, the use of such technologies can give rise to liability under the FTC Act and the FTC Health Breach Notification Rule (“HBNR”) when the collection and disclosure of sensitive personal health information is not authorized by users.

The joint letter follows the FTC’s September 2021 policy statement (in which it announced that it would start enforcing the HBNR and took the position that the rule is not limited to cybersecurity intrusions) and multiple FTC enforcement actions against digital health platforms under the HBNR. The FTC’s Office of Technology has also issued guidance on its concerns regarding pixel tracking.

Takeaway: As stated by Samuel Levine (Director of the FTC’s Bureau of Consumer Protection), “[t]he FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies…” Companies operating in the healthcare space, including companies that operate websites, digital platforms or mobile applications that offer health-related services, need to act swiftly to understand and address the data flows that may result from their use of online tracking technologies.

Highlights from the California Privacy Protection Agency Board’s July 2023 Meeting

The California Privacy Protection Agency (the “Agency”) Board of Directors held a public meeting on July 14, 2023, to discuss its position on enforcement of the amended regulations approved in March 2023, the status of future California Consumer Privacy Act (“CCPA”) regulations, enforcement priorities, and to endorse pending privacy legislation in California.

At the meeting, Michael Macko, Deputy Director of Enforcement at the Agency, addressed the California Superior Court’s ruling on June 30, 2023 which held that the new CCPA regulations that the Agency adopted pursuant to the California Privacy Rights Act (“CPRA”) amendments to the CCPA cannot be enforced until March 29, 2024, which is exactly one year after they were finalized. Mr. Macko stated that “[t]here is no vacation here from enforcement,” noting that “nothing” prevents enforcement of the CPRA’s statutory amendments to the CCPA. Mr. Macko also noted that the Agency would prioritize three areas for enforcement: (1) the sufficiency of companies’ privacy notices and policies, (2) companies’ responses to consumer requests exercising the right to delete, and (3) companies’ implementation of mechanisms to respond to consumer requests (including the right to opt-out of sale). As Mr. Macko further emphasized, “[w]e expect vigorous enforcement over the coming year, and by March 2024, we would expect to see robust compliance with the entire set of regulations.”

In addition, the Agency’s New Rules Subcommittee previewed potential future CCPA regulations governing cybersecurity audits, risk assessments, and automated decision-making technology. In particular, the Subcommittee stated that it hopes to provide draft regulations on these topics by the next meeting in September 2023.

The Board also endorsed several bills currently pending in the California legislature. The bills include:

  • AB 947, which would expand the CCPA’s definition of “sensitive personal information” to include personal information that reveals a consumer’s citizenship or immigration status.
  • AB 1194, which would clarify that certain exemptions from the CCPA’s protections do not apply to personal information related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including abortion services.
  • AB 1546, which would extend the California Attorney General’s (“AG”) statute of limitations, allowing the AG to initiate a civil action within five years (rather than one year) of a CCPA violation.
  • SB 362, which would bring California’s Data Broker Registration law under the authority of the Agency and would direct the Agency to establish an “accessible deletion mechanism” allowing consumers to, in a single request, ask all registered data brokers to delete their information.

Takeaway: The Agency has issued a robust response to the California Superior Court’s restrictions on its ability to enforce the most recent set of CCPA regulations in the near term and has indicated that it will continue enforcing the statute and the existing regulations. As a priority, businesses will want to ensure that they have addressed their obligations regarding privacy notices and have developed mechanisms for appropriately responding to consumer rights requests. Businesses will also want to gear up to interpret and address forthcoming new regulations, draft versions of which may be made available as soon as September.

California’s Attorney General Announces New Enforcement Sweep Under California Consumer Privacy Act Aimed at Employers

On July 14, 2023, California Attorney General Rob Bonta (“AG”) announced an “investigative sweep” targeting large employers in the state and focusing on how those companies handle personal information of employees and job applicants in compliance with the California Consumer Privacy Act (“CCPA”).

In its original form, which went into effect on January 1, 2020, the CCPA exempted HR-related personal information (such as the personal information of California resident employees and job applicants) from nearly all of the law’s requirements. The HR-related exemptions fell away on January 1, 2023, when the California Privacy Rights Act amendments to the CCPA went into effect. As a result, the CCPA’s full suite of privacy protections now extends to the HR-related personal information of California residents, such as employee and job-applicant personal information, and such individuals now have rights in relation to their personal information. Companies had lobbied extensively to prevent California resident HR-related personal information from becoming subject to the CCPA.

The specifics of the inquiry letters sent as part of the sweep, and their recipients, have not been disclosed.

Takeaway: The AG’s investigative sweep announcement illustrates that the AG intends to enforce the CCPA in relation to California resident employee and job applicant personal information. All businesses that are subject to the CCPA, and especially those in California, will want to ensure their CCPA compliance programs extend fully to California resident HR-related personal information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
