Decoded - Technology Law Insights, V 5, Issue 1, January 2024

Nicholas Mooney II, Brian Richardson, Shane Riley, Alison Sacriponte, Alexander Turner, Hugh Wellons
Spilman Thomas & Battle, PLLC
Contact
LinkedIn
Facebook
X
Send
Embed

Volume 5, Issue 1

Welcome

Welcome to 2024! We are very pleased to continue with our fifth year of publishing Decoded.

Thank you for reading!

The Current Status of Privacy Laws Across the United States

By Alexander L. Turner and Malcolm E. Lewis

Unlike the General Data Protection Regulation (GDPR) in the European Union (EU), the United States does not have a nationwide comprehensive data privacy law. Instead, the United States applies a sectoral approach to its privacy landscape, which allows privacy regulations to only apply to specific industries. As a result, states across the country have stepped into the void and passed their own data privacy laws to protect their own residents’ data. California was the first to pass a state privacy legislation and has the most comprehensive state privacy laws with the enactment of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The CCPA was signed into law in June 2018 and was subsequently amended by the CPRA in November 2020. The CPRA established the California Privacy Protection Agency (CPPA), which implements and enforces California’s privacy laws. Following California’s implementation of the CCPA and CPRA, many other states have implemented their own data privacy laws. In 2023, multiple state privacy laws became effective, including the Colorado Privacy Act (signed into law in 2021), the Connecticut Data Privacy Act (signed into law in 2022), the Utah Consumer Privacy (signed into law in 2022), and the Virginia Consumer Data Protection Act, (signed into law in 2021).

Continuing this trend, in 2024, three more state privacy laws will come into effect. These new privacy laws include the Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, and Texas Data Privacy and Security Act. Click here for a brief summary of what these three new privacy laws require.

Paying Ransom isn’t an Ethical Decision, It’s a Business Decision Based on Risk

“But a blanket statement opposing ransomware payments is shortsighted and could restrict businesses and other organizations from doing what’s best for them when under attack.”

Why this is important: The United States and the International Counter Ransomware Initiative (CRI) have a unified stance against ransomware, which emphasizes improving defensive capabilities and information sharing while advocating against ransom payments. Despite the need for a united international effort, the complexity of ransomware attacks makes it difficult to advocate for a blanket opposition to ransom payments, or any one-size-fits-all policy. The circumstances surrounding a ransomware attack require a multi-faceted approach to finding a solution. Ultimately, choosing whether to pay ransom isn’t a moral or ethical decision; it is a business decision based on risk reduction and protecting stakeholders. This article suggests key questions for organizations to consider in responding to ransomware attacks: Can the business recover if paying the ransom? What decision best protects the interests of customers, employees, and other stakeholders? What’s the sensitivity of the compromised data? How reputable is the threat actor?

Such considerations can help an organization determine the best course of action. Even if an organization has no intention of paying ransom, initiating communication early is vital to ensuring the organization is in the best possible position to make a thoughtful decision. Enlisting incident response experts who are trained to remediate crises is in an organization’s best interest. --- Alison M. Sacriponte

Unmasking the Cybersecurity Gap: Why Relying Solely on Compliance Checklists Falls Short

“Choosing to view compliance as the endpoint rather than a stepping stone can create a dangerous illusion of security for any business.”

Why this is important: Cybersecurity preparedness is not a static endeavor. Cybersecurity threats are ever evolving, so your preparedness also needs to evolve. Unfortunately, many IT managers have adopted a static approach to cybersecurity that relies heavily on checklists to ensure compliance. However, mere compliance with industry regulations and cybersecurity standards alone creates a false sense of security. While complying with industry regulations and cybersecurity standards is a strong foundation for a strong cybersecurity plan, bad actors are getting more sophisticated with their attacks, and know the weak points created by merely complying with industry regulations and cybersecurity standards. Therefore, the best approach to cybersecurity is a holistic and methodical approach that takes time. A holistic approach requires “continuous monitoring, threat intelligence integration, incident response planning, automation, employee training, collaborative threat sharing and most important of all, automated patching.” While compliance guidance suggests critical patches should be applied in a timely manner, that term is not defined. This leads to unnecessary delays in closing avenues of attack due to an individual’s own definition of what constitutes a timely manner. By engaging in automatic patching, the process of closing avenues of attack is streamlined without interrupting business operations. If you need assistance with implementing a dynamic and comprehensive cybersecurity plan, please contact a member of Spilman’s Technology Practice Group for help. --- Alexander L. Turner

Proposed Changes to US Children’s Privacy Rules Count Biometrics as Personal Data

“Any changes would likely be somewhat easier to implement given that the current FTC’s two Republican commissioners resigned in the last year in protest of what they said was Kahn’s activist agenda.”

Why this is important: The U.S. Federal Trade Commission (FTC) plans to update the Children’s Online Privacy Protection (COPPA) rule, which governs commercial access to children’s personal data. The FTC, now led by Chair Lina Khan and two other Democrats, is seeking public input on the proposed changes. The key modifications include altering the use of digital tools to surveil children for data, particularly biometrics, and enhancing companies' responsibility in safeguarding children's personal information. The commission also aims to include biometric identifiers in the definition of personal information, responding to consumer groups' advocacy. The proposed updates will undergo a 60-day comment period after being published in the Federal Register. --- Shane P. Riley

"A Real Achilles' Heel": Medical Devices could be Hacked Next, Officials Fear

“Hackers have especially targeted health systems for their valuable troves of patient data and in some cases have temporarily knocked systems offline, disrupting patient care.”

Why this is important: The U.S. FDA and other governmental and watchdog groups have identified a likely “next” focus for hacking: medical devices. This article explains how medical devices provide personal medical records information (either in the device, itself, or by backdoor to hospital records) and how shutting them down creates a ransom risk. What if a rural hospital has an active emergency practice and one primary MRI machine, which is shut down by a hacker? What would that hospital do to access that machine? Hacking into personal devices endanger both health and freedom. Imagine an insulin-dependent diabetic loses control of her monitor and insulin pump! This danger has existed for some time, but the risk of hacking seems to be growing. Further measures to protect these devices are expensive, but what other choice do we have? --- Hugh B. Wellons

New California Personal Data Bill Grants State Citizens the Right to Have PII Deleted by Data Brokers

“The Delete Act (SB 362) expands an existing right under state law to have personal data deleted, but streamlines the process so that one request will be sent to all brokers.”

Why this is important: California’s new law is the first in the nation that consolidates requests to have personal data deleted such that a resident can send one request that applies to all 800 of the data brokers in California. Residents also have the ability to add themselves to a “do not track” when making the deletion request so other data brokers cannot create a new file on them. Certain provisions of the new law do not come into effect until 2026 and others not until 2028. Data brokers already have launched a campaign against the law, advising it could devastate their industry. Brokers also point to the fact they currently are permitted to aid law enforcement by providing collected information without the need for a warrant or subpoena. They also argue consumers will miss out on targeted advertising of products of interest. However, for now, the Delete Act is law in California, and brokers should begin steps to ensure they comply by the deadlines in that act. --- Nicholas P. Mooney II

Rejecting BIPA Settlement with Google, Some Plaintiffs Regroup for New Suit

“Sixty plaintiffs were disappointed when they learned that they would net $95 each for settling their suit charging Google with violating the U.S. state of Illinois’ Biometric Information Privacy Act.”

Why this is important: Illinois Biometric Information Protection Act (BIPA) requires companies collecting the biometric data of Illinois residents to first obtain written authorization and to also inform them how that information is going to be used and stored. This law has created a firestorm of class action litigation in Illinois, including lawsuits against employers that utilize fingerprint time clocks and makeup companies for virtual “try-on” tools. One such suit was against Google related to it having programed its photos app to scan the faces of people included in uploaded photos in alleged violation of the BIPA. Google decided to settle the matter for $100 million. While this is a very large settlement, class members were underwhelmed by the amount they would be receiving. After the removal of attorneys’ fees and costs, and due to the large size of the class, each class member was to receive only $95. However, 60 class members were unwilling to agree to the settlement because they believed they should receive between $1,000 to $5,000 for each time images of their faces were impermissibly scanned by Google. Consequently, these 60 class members withdrew from the class and plan to file a new suit against Google.  

The BIPA is generating a large amount of class action litigation that is resulting in large settlements. However, as Google has learned, even a large settlement may not resolve all of its BIPA related issues, and it will have to incur additional litigation costs and potentially have to pay more in damages. If you are a company operating in Illinois, it is best you have counsel review your privacy activities, especially if you are collecting any biometric data to ensure compliance with the BIPA. Failure to comply with the BIPA can result in years of costly civil litigation depleting your company’s resources and distracts you from your corporate goals. If your company operates in Illinois, and would like to discuss your compliance with the BIPA, please contact a member of Spilman’s Technology Practice Group for help. --- Alexander L. Turner

3D Printing in Healthcare: From Surgical Tools to Organ Transplant Breakthroughs

“3D printing is having a transformative impact on the way surgery and dentistry is performed, and how prosthetics and implants are designed, allowing the creation of custom, personalized items fit for the patient or the particular task at hand.”

Why this is important: The article explores the applications of 3D printing in healthcare, emphasizing its transformative impact on surgery, dentistry, prosthetics, and organ transplants. It provides a historical overview of 3D printing methods, from stereolithography to modern techniques like fused deposition modeling (FDM). The versatility of 3D printing is highlighted, with over 18 methods and various modifications available for manufacturing custom products in different materials.

In healthcare, 3D printing is used for surgical aids, training models, specialized instruments, and prosthetics. The technology allows iterative changes based on immediate feedback, leading to the production of patient-specific training models for surgeons. The article also addresses issues with traditional prosthetics and how 3D printing enables the creation of more comfortable and customizable prosthetics, even offering examples of companies like Openbionics producing custom designs.

There have been further breakthroughs in 3D-printed organs, where biomaterials are used to create implantable scaffolds, tissues, and organs. Various bioinks containing living cells are employed, making 3D-printed organs more biocompatible. The technology is still in its early stages, with methods like cell seeding being one of the broadly employed approaches. Customized 3D-printed organs offer advantages in terms of biocompatibility, shape, and size, tailoring the organs to best suit individual patients. --- Shane P. Riley

How Aging, Injury and Capture Impact the Challenge of Change in Biometric Identifiers

“Fingerprints, faces, irises and palms tell different stories and are subject to change in different ways.”

Why this is important: The reliability and security of biometric identifier technology are largely driven by the complexity and sensitivity of the algorithm behind it. But, the implementation of the algorithm requires systems and hardware with compatible sensitivity. For example, a software application using facial recognition security protocols optimized for cameras capable of 12 MP resolution may not operate with the same degree of sensitivity on a device that only has 8MP resolution capability. Similarly, a fingerprint recognition protocol optimized for 500 dpi resolution may have diminished effectiveness on a device that only produces 350 dpi resolution scans. Who should bear the risk associated with those gaps in implementing these technologies? The manufacturer? Developer? Licensee? Or perhaps the live-body end user relying on the biometric for access-control? Presentation Attack Detection is used to counter the growing onslaught of exploitation of biometric shortcomings by distinguishing between a “live” presentation, and a spoof or fake. Incorporating measures of “liveness” detection can help bridge the gaps caused by hardware differences across devices, or changes to biometric characteristics in the human body over time, due to growth, aging, or injury, and mitigate risks inherent with their use. --- Brian H. Richardson

State of New York Makes Moratorium on Facial Recognition Technology in Schools Permanent

“The order was accompanied by the initiation of the study of the pros and cons of these systems, originally to be completed by July 2022.”

Why this is important: Technology now provides options for stopping a threat before it materializes, whether it be in law enforcement, private businesses, or, in this instance, schools. A few years ago, one school district in the State of New York had implemented the use of facial recognition technology to provide “an early warning on potential outsider mass shooters or sex offenders that might enter school grounds.” The technology used a database of potential threats. To allay privacy concerns, the district advised it would not enter any students into that database. In December 2020, then Governor Andrew Cuomo issued a temporary moratorium on the use of that technology in connection with the initiation of a study of the its benefits and concerns. The study was completed, and New York passed a law prohibiting the use of facial recognition technology in state schools. Some of the findings that appear to provide support for the law include the fact that 70 percent of school shooters from 1980 to 2019 were current students at the time of the attack. A threat database that does not include current students would seem to miss the mark on the majority of potential threats. The number of false positives also was significant. The article notes a lawsuit by parents of some students over privacy concerns. This article shows that, while a use case for a technology system may seem obvious, the devil is in the details and potential privacy concerns must always be weighed. --- Nicholas P. Mooney II

 

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Spilman Thomas & Battle, PLLC | Attorney Advertising

Written by:

Spilman Thomas & Battle, PLLC
Spilman Thomas & Battle, PLLC
Contact
more
less

Spilman Thomas & Battle, PLLC on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide