Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

State Actions:

• Tennessee’s ELVIS Act Signed Into Law – On March 21, Tennessee Governor Bill Lee signed the Ensuring Likeness, Voice, and Image Security (ELVIS) Act of 2024. Among other things, the Act seeks to prevent the misappropriation of a person’s voice (such as a performer’s) using artificial intelligence. The Act also prohibits providing artificial intelligence tools that have the main purpose of re-producing another person’s voice or likeness without authorization. The law takes effect on July 1, 2024.
• Kentucky Passes Comprehensive Privacy Law – Kentucky’s general assembly has passed a comprehensive privacy law modeled after the Virginia Consumer Data Protection Act. Once signed by the Kentucky governor, the new law will provide additional protections for Kentucky consumer personal information and require businesses that are operating in Kentucky or produce products or services targeted to Kentucky residents that during a calendar year control or process personal data of at least (1) 100,000 consumers or 2) 25,000 consumers and derive over 50% of gross revenue from the sale or personal data to put specific measures in place to protect personal information, including data protection impact assessments. This will add Kentucky to the ever-growing list of state privacy laws for businesses to keep track of.

Regulatory:

• White House Office of Management and Budget Issues Government Wide AI Policy – The United States Office White House Office of Management and Budget (“OMB”) has released its first government wide policy to address AI development and risk management. The new policy requires all government departments and agencies to adopt specific governance structures and risk management processes for the evaluation, development, and use of AI. The policy focuses on areas to help implement requirements from President Biden’s executive order regarding the safe, secure, and trustworthy development of AI. Like other OMB and United States Agency policies, entities working in the AI space will start to see a ripple effect as industry and agencies start to implement this policy’s requirements.
• HHS OCR Announces Investigation of the Change Healthcare Cyberattack – The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced in a March 13, 2024 letter that they are initiating an investigation of Change Healthcare (Change), a unit of UnitedHealth Group (UHG), that suffered a cybersecurity incident in late February that disrupted health care and billing information systems nationwide. HHS OCR’s investigation will focus on whether a breach of protected health information occurred and Change and UHG’s compliance with HIPAA’s privacy, security, and breach notification rules. The letter also reminds covered entities that engage with business associates of their regulatory responsibilities under HIPAA to ensure that business associate agreements are in place and that timely breach notifications to HHS and affected individuals occur.
• HHS OCR Updates Its Guidance on Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates – On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) updated its guidance from December 1, 2022, to increase clarity for regulated entities and the public as to when individually identifiable health information (IIHI) is disclosed through the use of online tracking technology by covered entities regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates. In the 2024 update, HHS OCR clarifies that, “the mere fact that an online tracking technology connects the IP address of a user’s device (or other identifying information) with a visit to a webpage addressing specific health conditions or listing health care providers is not a sufficient combination of information to constitute IIHI if the visit to the webpage is not related to an individual’s past, present, or future health, health care, or payment for health care.”

• Two Tech Support Companies Agree to Pay $26 Million to Settle FTC Charges That They Deceived Consumers into Buying Repair Services Through Deceptive Marketing – The Federal Trade Commission announced on March 14, 2024 a settlement with two tech support companies who duped consumers into buying tens of millions of dollars of unnecessary computer repair services in violation of the FTC Act and the Telemarketing Sales Rule. Impacted consumers received fake Microsoft Windows pop-ups, which stated that the consumers’ computer or system was infected with viruses and urged consumers to “scan” their computers to avoid permanent damage. The FTC alleged that the companies’ scans would identify purported serious issues that needed immediate attention, and the companies urged consumers to purchase its software online to “fix” the alleged problems or remove alleged viruses and malware. Even after purchasing the software, the companies’ telemarketers attempted to further upsell additional services to the unsuspecting consumers. Under the settlement, the companies are required to pay $26 million, which the FTC intends to use to provide redress to deceived consumers.

• FTC Releases 2023 Privacy and Data Security Update – On March 28, 2024, the Federal Trade Commission (FTC) released their 2023 Privacy and Data Security Update, which details actions and initiatives taken in relation to AI, healthcare and children’s privacy, and geolocation data. The FTC also reiterated their focus on companies that fail to implement reasonable data security measures to protect consumer data, and their work to ensure companies comply with the Fair Credit Reporting Act’s requirements for companies that use data to determine creditworthiness, insurance eligibility, suitability for employment, and to screen tenants.

• New Hampshire Enacts Comprehensive Consumer Privacy Law – New Hampshire, this month, joined the ever-swelling ranks of states with comprehensive consumer privacy law. The new law is touted as allowing consumers to view what personal data is collected by companies, how it is held, and to have that information deleted upon request, with the Governor saying, “This law provides transparency about what information is collected, why, and confidence that in the age of AI, steps are taken to protect that data.”

• CISA’s Proposed Rule for Critical Infrastructure Act Cyber Incident Reporting – The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires the Cybersecurity and Infrastructure Security Agency (CISA) promulgate rules implementing the statute’s reporting requirements. The newly proposed rule, which is open for comments, proposes an aggressive reporting timeline for covered entities. Ransom payments would need to be reported within 24 hours, and other defined cyber incidents would need to be reported in 72 hours. The proposed rule outlines several exemptions to navigate various reporting requirements.

Litigation & Enforcement:

• Domino’s Sued For BIPA Violations – On March 13, three named plaintiffs filed a putative class action lawsuit against Domino’s Pizza, Inc. for violations of Illinois’ Biometric Information Privacy Act (BIPA). The lawsuit claims that Domino’s Pizza’s use of co-defendant ConverseNow’s artificial intelligence technology in connection with telephone orders violated BIPA by collecting “voiceprints” of the proposed class members. The lawsuit seeks injunctive relief as well as statutory damages of $5,000 for each violation of BIPA.

• Spyware Class Action Allowed to Proceed Against Kohl’s – In Esparza v. Kohl’s, a consumer filed a putative class action against Kohl’s including alleged statutory violations of the California Invasion of Privacy Act (“CIPA”) and the California Computer Data Access and Fraud Act (“CDAFA”). The plaintiff alleged that Kohl’s customer service chat feature on its website permitted a third-party software provider to secretly install eavesdropping malware that planted a persistent cookie on Plaintiff’s device, obtaining personal information and sharing the information with other companies. The district court denied Defendant’s motion to dismiss the CIPA and CDAFA claims. With respect to the CIPA claim, the district court ruled that, despite a split in authority, third-party software providers who embed code onto a party’s website do not fall within the relevant “party exemption” under CIPA. And on the CDAFA claim, the district court followed a “broad interpretation” of the “without permission” element of the CDAFA, holding that it is not limited to conduct that circumvents a device barrier or hacks a computer system and that spyware satisfies the element. The district court also held that an IP address constitutes data under the CDAFA.

• BIPA Claims Are Not Precluded by the Illinois Artificial Intelligence Video Interview Act – In Deyerler v. HireVue, a judge in the Northern District of Illinois recently ruled that an alleged violation of BIPA is not precluded by Illinois’ Artificial Intelligence Video Interview Act (AIVIA). HireVue argued that BIPA and AIVIA are in direct conflict because AIVIA specifically regulates using artificial intelligence to analyze video submissions by job applicants, AIVIA should preclude BIPA claims in this space. The judge disagreed and reasoned that the requirements of the two statutes aren’t necessarily in conflict but are instead “concurrent obligations.” The court also rejected HireVue’s other arguments for dismissal, allowing the case to proceed.

• US and UK Sanction Chinese Government Front Company and Individuals Linked to APT 31 – The US and UK announced that they were imposing sanctions on a front company for the Chinese government (Wuhan Xiaoruizhi Science and Technology Company) and two individuals (Zhao Guangzong and Ni Gaobin). All three have been linked to APT 31, a group that has repeatedly targeted companies in critical infrastructure sectors, including the Defense Industrial Base, information technology, and energy sectors.

• Apple Faces Privacy Suit Over AirTag Use – The class action privacy lawsuit filed last year against Apple was allowed to proceed earlier this month. The lawsuit alleges that Apple failed to do enough to prevent the use of Apple’s AirTags to stalk and harass individuals. The court allowed certain plaintiffs’ claims under theories of negligence and strict product liability – based on inadequate safety features – to survive. The court did note, however, that “it’s a close question.”

• Spyware Class Action Allowed to Proceed Against Meta – In a consolidated putative class action, In re Meta Pixel Tax Filing Cases, plaintiffs brought several state and federal claims against Meta arising from Meta’s alleged collection of their personal financial data through tracking tools installed on tax preparation websites including H&R Block, TaxAct, and TaxSlayer. All told, the putative Plaintiffs brought 16 counts, including under the federal wiretap statute, state privacy and consumer protection statutes, and California common law. Meta moved to dismiss them all. The district court dismissed 7 of the counts for failure to state a claim with leave to amend. The district court denied Meta’s motion to dismiss the other 9 counts, including under the California Invasion of Privacy Act §§631, 632 and 635, the Illinois Eavesdropping statute, the federal Wiretap Act, and the Missouri Wiretap Act, which will proceed. This is one of many recent spyware class actions that survived a motion to dismiss.

International Updates:

• Belgium’s Data Protection Authority Offers Data Protection Guidance for Elections – On March 20, Belgium’s Data Protection Authority, the Autorité de protection des données (“APD”) issued guidance on targeted political advertising (translation required) ahead of Belgium’s Federal Election in June. The APD stated that political solicitation efforts must remain compliant with privacy laws, including the EU General Data Protection Regulation. Additionally, the APD noted that election candidates may not reuse publicly available data for election advertising purposes.

• National Cyber Security Centre (Ireland) Issues Alert on Ivanti Products – Multiple vulnerabilities have been discovered in Ivanti products (Neurons and Standalone Sentry), a remote-working software solutions company. These vulnerabilities involve the potential for threat actors with access to an authenticated user to perform file writes to a server, as well as the potential for an unauthenticated user to execute arbitrary OS commands. Patches are available.

• UK Accuses China State Affiliates of Malicious Cyber Activity – The UK government has openly accused Chinese state-affiliated bodies and individuals of targeting state infrastructure and politicians. Two recent campaigns have been identified as intending to disrupt democratic processes, including the UK Electoral Commission. Compromises have been confirmed. The UK stated its belief that these events are a small part of a larger coordinated campaign.

Industry Updates:

• CIS Releases Mapping of the CIS Controls to NIST Framework 2.0 – The Center for Internet Security (CIS) has released “CIS Critical Security Controls, Mappings to Nation Institutes of Standards and Technology (NIST) Cybersecurity Framework (CSF), Version 2,” which maps the latest version of the Controls, Version 8, to the recently released Version 2 of NIST’s CSF. The CIS Controls are a prioritized set of Safeguards to mitigate against the most prevalent cyberattacks against systems and networks, currently containing 18 controls. The CSF is a more comprehensive framework that includes six core functions – Govern, Identify, Protect, Detect, Respond and Recover, with categories and subcategories for each of them. For businesses and organizations that use the CIS Controls, the mappings can be used to compare them to the more comprehensive CSF to consider additional safeguards. For those that use the CSF, the CIS Controls can help to identify specific measures to meet CSF categories and subcategories.
• CISA and NSA Release Cybersecurity Information Sheets on Cloud Security Best Practices – On March 7, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released five joint Cybersecurity Information Sheets to provide recommended best practices/mitigation measures to improve the security of cloud environment(s). They include:
  • Use Secure Cloud Identity and Access Management Practices
  • Use Secure Cloud Key Management Practices
  • Implement Network Segmentation and Encryption in Cloud Environments
  • Secure Data in the Cloud
  • Mitigate Risks from Managed Service Providers in Cloud Environments

These information sheets provide helpful federal guidance for businesses and organizations to review their cloud security and the security of their cloud service providers.

• Microsoft Copilot for Security Now Generally Available – Microsoft announced that Copilot for Security, its generative artificial intelligence tool, is generally available as of April 1, 2024. Microsoft explains that “Copilot brings insights from across Microsoft Security products and those of other software vendors, delivering natural language guidance to increase team efficiency and manage daily workflows. Copilot isn’t a replacement for these tools; Instead, it enables security and IT professionals to access, summarize, and act on insights from their existing tools faster.” Copilot and other emerging generative AI security tools provide new options for businesses and organizations to consider for addition to their cybersecurity toolkits.
• Data Breaches Were Up 72% in 2023 According to The Identity Theft Resource Center – The Identity Theft Resource Center (ITRC) released its 2023 Data Breach Report. Some of the findings from 2023 include a 78% increase in data compromises last year from the 1,801 reported in 2022. However, the ITRC reported a 16% decrease in the estimated number of victims in 2023’s breaches as compared to 2022. Healthcare and financial services industries experienced the highest number of data compromises in 2023.The number of phishing and ransomware attacks decreased slightly, while malware and zero-day attacks saw a very significant increase. In addition, data exposure via emails and correspondence increased by 590% from 2022.