Decoded - Technology Law Insights, V 5, Issue 2, March 2024

Volume 5, Issue 2

Welcome

Welcome to the second issue of 2024 of Decoded - our technology law insights e-newsletter.

Business today is characterized by relentless change. To assist our clients in navigating this dynamic landscape, we pride ourselves on our ever-evolving practice. For 2024, we developed our report titled "ReSolutions" to show how Spilman's evolution translates into real, impactful enhancements to client service. To continue our commitment to next level client service, we proudly announce we have joined forces with a group of top-tier attorneys from Huntington, West Virginia. Click here to learn more and watch the full interactive presentation.

Thank you for reading!

 


HHS Cybersecurity Performance Goals and the Healthcare Industry

By Alexander L. Turner

The healthcare industry is a major target for cyberattacks because of the volume of personal and health information collected from patients. Recognizing that the healthcare industry is such a ripe hunting ground for cybercriminals, the U.S. Department of Health and Human Services (HHS) has unveiled voluntary cybersecurity performance goals (CPGs) intended to help healthcare organizations prevent and withstand these attacks. The CPGs are split into two tiers, and HHS recommends that organizations adopt the Essential CPGs first as a baseline set of best practices before moving on to the Enhanced goals.

Click here to read the entire article.


 

Biden-Harris Administration Announces First-Ever Consortium Dedicated to AI Safety

“Consortium includes more than 200 leading AI stakeholders and will support the U.S. AI Safety Institute at the National Institute of Standards and Technology.”

Why this is important: Recently, the U.S. Secretary of Commerce announced the creation of the first U.S. AI Safety Institute Consortium. The consortium’s inaugural cohort of members includes well-known entities ranging from the biggest names in tech, like Amazon, Apple, and Intel, to the nation’s most prestigious universities, like Princeton, MIT, and Johns Hopkins University, as well as two prominent universities located in Pittsburgh, PA – the University of Pittsburgh and Carnegie Mellon University.

The consortium aims to include a cross section of all stakeholders that may be affected by the rise of AI across the country. Its stated mission is to support the development and deployment of safe and trustworthy AI products and systems. While it is yet to be seen what may come out of such a broad consortium effort, it is undeniable that national and global attention and concern surrounding AI is growing as fast as AI itself. --- Shane P. Riley


 

Finance Most Breached Industry in 2023

“In 2023, finance was the most breached industry, accounting for 27% of the breaches handled by Kroll, compared to 19% in 2022.”

Why this is important: The headline to this article, that the finance industry was the most breached industry in 2023 according to Kroll, an international company providing cyber risk and financial advisory services, is only half the story. The article explains that the finance industry overtook healthcare as the most breached industry last year. The professional services industry jumped two spots, from the fifth most targeted industry to the third, in 2023. Kroll attributes this to the rise in business email compromise attacks. The other half of this article warns companies that they are only as secure as the organizations within their environment. Third-party risk (risk to a company as a result of other companies in its supply chain or ecosystem) became a hot topic last year, due largely to the CLOP ransomware group’s mass exploitation of a vulnerability in the MOVEit Transfer file-transfer product (tracked as CVE-2023-34362), which other sources have estimated affected more than 1,000 organizations and 60 million individuals. Notably, many of the victims did not run MOVEit themselves; their data was taken from a vendor or service provider that did. This article provides at least two warnings. First, if your company is in the finance industry, understand that you are a top target for threat actors. Second, when auditing your company’s security policies and response plan, don’t forget to audit the third parties in your ecosystem: know which vendors hold your data, what they are contractually required to do when they are breached, and how you would learn of an incident at a vendor in time to meet your own notification obligations. Spilman’s data privacy and security team works with companies to evaluate and reduce potential exposure to cyber incidents. If you have questions or would like to discuss these issues, give our team a call. --- Nicholas P. Mooney II


 

Behavioral Characteristics as a Biometric: Something to Keep an Eye(Scan) On

“Looking closely at the nuances of the mosaic of laws that will impact the collection and use of biometrics in the U.S., it seems behavioral characteristics may soon play a much larger role.”

Why this is important: States and regulatory authorities are moving quickly to respond to public and consumer demand for better privacy assurances and protections regarding personal data. The unique ways these bodies define “biometric data” can include, or sometimes more importantly exclude, certain characteristics from coverage within those protections. Some jurisdictions define biometric data in a way limited to fingerprints, voiceprints, and retina or iris scans, while others are more expansive and include unique behavioral characteristics or gestures. Some limit the data to only those collected through “automatic measurements.” Interestingly, Virginia’s statute, the Virginia Consumer Data Protection Act (Va. Code § 59.1-575), defines biometric data to include a “voiceprint” but to exclude an “audio recording or data generated therefrom.” While a voiceprint is a mathematical model of a human voice and does not contain an audio recording, the Virginia definition seems at odds with itself by excluding “data generated” from video or audio recordings from its definition of “biometric data.” Perhaps the General Assembly can explain how it believes a voiceprint is created, if not through data generated from some initial form of audio recording. Interested parties that rely upon or collect biometric data in their operations would do well to track how these definitions are being implemented in the jurisdictions in which they operate. This is still a very untamed legislative landscape. --- Brian H. Richardson


 

Amid High-Profile CAR-T Safety Probe, FDA’s Peter Marks Offers First Glimpse at Data Under Review

“Previously, the FDA has characterized the outcomes of the secondary cancers as ‘serious,’ including cases of hospitalization and death.”

Why this is important: Many commentators, including this one, have raved about the potential of CAR-T to treat cancer with a genetically modified treatment. CAR-T, as some will recall, is a method that uses genetic engineering to modify a patient’s own white blood cells, specifically the T-cells, so that they recognize and attack a cancer. Patients treated with five of the six such commercial products on the market have developed rare secondary T-cell cancers after treatment. Correlation ≠ causation, but this is not good. Many of these products treat very serious, even deadly, cancers, so the risk of a secondary cancer may be a consideration rather than a bar, but this method of developing cancer treatments will receive much more scrutiny from the FDA and the EU. --- Hugh B. Wellons


 

New SEC Cyber Disclosure Rules will Force Companies to Develop Incident Response Plans

“Looking closely at the SEC crackdown, it could prove to be just the nudge companies need to finally prepare the kind of proper incident response plans that would help them with fast-turnaround reporting.”

Why this is important: On September 5, 2023, the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules went into effect. These rules require publicly traded companies to disclose “material” cybersecurity incidents within four business days. “Material” means an incident where “there is a substantial likelihood that a reasonable shareholder would consider it important” in relation to making an investment decision. The disclosure rules require:

  • Disclosure of material cybersecurity incidents within four business days, including a description of the nature, scope, and timing of the incident and its material or reasonably likely material impact;
  • Implementation of detailed processes for assessing, identifying, and managing material risks from cybersecurity threats; and
  • A description of the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks.

Compliance with the incident disclosure requirement began in December 2023 for most registrants.

There is confusion regarding when the four-business-day disclosure countdown begins. It is not when the cyberattack is discovered. It instead begins when the company determines that the incident is “material,” a judgment that can vary from case to case. That determination cannot simply be deferred, however: the rule requires the materiality analysis to be made without unreasonable delay after discovery, and the only recognized exception to the four-day deadline is a written determination by the U.S. Attorney General that disclosure would pose a substantial risk to national security or public safety. Regardless, time is of the essence, and public companies should not rely on the application of a “grace period” when complying with the disclosure rule. Consequently, companies subject to the disclosure rule should implement a response plan now, one that assigns responsibility for the materiality determination and gets the necessary facts to the decision-makers quickly, so that they are prepared to comply within the tight disclosure period. If your organization needs assistance developing a robust response plan in order to be able to timely comply with the SEC disclosure rule, please contact a member of Spilman’s Cybersecurity & Data Protection Practice Group for help. --- Alexander L. Turner


 

Navigating Privacy in 2024: Three Trends to Expect

"As more states pass not just comprehensive privacy laws, but narrow legislation that focuses on children’s privacy, data brokers, and hopefully, the emerging trend of privacy-for-profit, the pressure to find solutions that support compliance, while saving resources in an unsettled market, is only going to grow."

Why this is important: In the rapidly evolving landscape of privacy regulations, 2024 will be a year of significant developments. With an increasing number of states enacting comprehensive privacy laws and addressing specific areas such as children's privacy and data broker transparency, businesses are facing mounting pressure to ensure compliance while navigating an unsettled market. Key trends expected this year include: (1) heightened regulatory scrutiny of data brokers, exemplified by recent actions like New Jersey's comprehensive privacy law and a landmark FTC enforcement action against data broker Outlogic; (2) the emergence of privacy-for-profit models, epitomized by Meta's subscription-based service in the EU, which has sparked debate over the commodification of privacy rights; and (3) the rise of privacy-enhancing technologies. Technologies such as differential privacy, data decoupling, and secure multi-party computation offer ways to analyze data while limiting what is exposed about any individual. As companies strive to adapt to these trends, 2024 is poised to be a year of proactive solutions aimed at supporting compliance in the dynamic realm of data privacy. --- Alison M. Sacriponte


 

FTC Proposal Looks to Bolster Children’s Privacy Online With Stronger Restrictions on Personal Information Monetization

“The new amendments would bolster children’s privacy by further restricting how companies can collect, use and monetize the data of underage users, shifting a greater deal of responsibility in this area to service providers.”

Why this is important: The 60-day comment period for the FTC’s proposal to add provisions to the Children’s Online Privacy Protection Rule (COPPA Rule) recently closed. Despite the ongoing debate regarding whether the COPPA Rule should be updated (it was last updated in 2013) or whether a new comprehensive data privacy law should be enacted, the FTC has gone forward with new proposed provisions to COPPA. These new provisions would, among other things, (1) expand parental consent requirements to cover the provision of children’s data to any third party (unless the data collection is considered “integral” to provision of the service), (2) prohibit a company from requiring that consent as a condition of using the service, (3) close a loophole that exempted a service provider from consent and notification requirements if it declared that the data was solely for internal use, (4) require service providers to publicly disclose the specific internal function for which such data is collected, and (5) essentially prohibit a service provider from sending unsolicited text messages to children in order to entice them to return to the provider’s platform. Spilman’s data privacy and security team is monitoring the progress of the FTC’s proposed additions. If you’d like to discuss the FTC’s proposal or have any questions about online privacy related to children, give our team a call. --- Nicholas P. Mooney II


 

Shapiro Unveils $40M Tech-Centric Plan to Stimulate Pennsylvania’s Economy

“Robotics, agriculture, energy, life sciences and manufacturing are focuses of the new Statewide Economic Development Strategy.”

Why this is important: This new plan comes in response to a years-long trend of Pennsylvania being outspent by its neighbors when it comes to economic development incentives. The proposed Pennsylvania Innovation Fund would provide a flexible pool of money to help leverage the state’s world-renowned research and development capabilities, most notably its research universities, and turn them into local and regional economic engines.

Gov. Shapiro has stated this new economic plan would not require raising state taxes. Despite this, the proposal is not likely to make it through the Republican-controlled State Senate without amendments aligned with their concerns and priorities. --- Shane P. Riley

 

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Spilman Thomas & Battle, PLLC | Attorney Advertising

Written by:

Spilman Thomas & Battle, PLLC