On May 8, 2024, Paul Hastings Hosted the Cybersecurity Law Workshop at this spring’s Privacy + Security Forum with a panel on perspectives from cybersecurity regulators. The panel was moderated by Paul Hastings Global Chair of the Data Privacy and Cybersecurity Group Aaron Charfoos and featured Benjamin Wiseman (Associate Director, Division of Privacy and Identity Protection, Federal Trade Commission (FTC)), Tim Murphy (Senior Deputy Attorney General, Pennsylvania Office of Attorney General), and Jina John (Assistant Attorney, General Bureau of Internet and Technology (BIT), New York State Office of the Attorney General).

The panel covered enforcement trends and agency priorities as well as regulator perspectives on industry developments.

Here are some of the main takeaways from the panel—

Past Settlements Can Serve as Guideposts. Panelists highlighted that past cybersecurity and breach related settlements with regulators, including Attorneys General (AG) and the FTC, can serve as guideposts for organizations to understand agency priorities and regulator perspectives. For example, settlements from the New York AG’s office tend to be formulaic in what their provisions set out as reasonable. The FTC’s settlements can also serve as guideposts in the same way. FTC settlements in recent years have followed specific issue area themes including stopping sensitive data sharing, health privacy, ensuring artificial intelligence is not trained on data that was unlawfully obtained, data minimization, and kids’ and teens’ protections online.

Increased Focus on Tracking Technologies. Panelists explained that regulators are showing an increased focus on tracking technologies such as pixels. Specifically, there has been a growing focus among organizations on what pixels are used on their websites and what information those pixels may share with companies and third parties. For example, the New York AG settled with New York Presbyterian Hospital for $300,000 based on the AG office’s investigation into pixel tracking on the Hospital’s website. Speakers noted that this settlement serves as a way for organizations to look at existing laws and how the New York AG’s office is handling enforcement. Specifically, this settlement can provide organizations insight into the New York AG Office’s perspective on tracking technologies, such as pixels, and how they approach enforcement in this area. Speakers also emphasized that settlements such as this show that there is more focus among regulators on what it broadly means to protect health information rather than only from the perspective of the Health Insurance Portability and Accountability Act.

Regulator Inquiries do not Automatically Lead to Investigations. Panelists also emphasized that getting a letter of inquiry from a regulator does not necessarily mean that there will be a full investigation by that regulator into an organization. Panelists explained that sometimes inquiry letters are sent because they either lack sufficient information to understand a breach or to understand how a certain practice works within an industry. Upon receiving an inquiry, panelists recommend organizations get ahead of the questions the regulator may have by immediately starting a dialogue with the regulator.

The Privacy+Security Forum is hosted twice a year by Daniel Solove and Paul Schwartz, and brings together leading experts in the areas of privacy and security law. Paul Hastings was a sponsor for this spring’s Forum, which took place from May 8-10 in Washington, D.C.