Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

State Actions:

• New Jersey Enacts Consumer Data Protection Law: New Jersey’s consumer data protection law, New Jersey Senate Bill – S332, was established on January 16, 2024, when it was signed into law by the governor. New Jersey is the first state to implement data privacy legislation in 2024. The NJDPA defines personal data as data that is “linked or reasonably linkable to an identified or identifiable individual.” The law applies to data controllers, who determine how data is processed, that are either (i) conducting business in New Jersey or (ii) that produce products or services targeted to New Jersey residents based on the number of consumers. The law also applies to processors of data. The NJDPA will be effective January 2025.
• California’s Assembly Bill No. 352 Imposes New Data Management Requirements for Sensitive Health Data: California’s Assembly Bill No. 352 (AB 352), which went into effect on January 1, 2024, requires certain businesses that electronically store or maintain medical information related to gender-affirming services, abortion and abortion-related services, and contraception to develop capabilities, policies, and procedures, on or before July 1, 2024, to limit user access privileges and segregate medical information related to those services. The bill also prohibits cooperation with any out-of-state inquiry or investigation, or from providing medical information to another state or a federal law enforcement agency that would identify an individual seeking or obtaining an abortion or abortion-related services that are legal under California law, unless the request for medical information is authorized in accordance with specified conditions. The bill would exempt a healthcare provider from liability for damages or from civil or enforcement actions relating to cooperating with, or providing medical information to, another state or a federal law enforcement agency before January 31, 2026, if the provider of health care is working diligently and in good faith to come into compliance with the prohibition.
• Utah Cyber Audit Finds Majority of Gov’t Entities Non-Compliant: A recent audit conducted by Utah’s state auditor found that 2/3 of the government entities reviewed failed to meet the requirements of Utah’s Governmental Internet Information Privacy Act. The review of over 1600 organizations found that only 34% had the requisite privacy policy statement on their website.
• NH Set to Join States with Comprehensive Privacy Laws: New Hampshire’s Senate recently concurred with House amendments to a proposed comprehensive privacy bill. The action paves the way for passage of the bill later this spring. If enacted, the law will cover entities controlling or processing data of more than 35,000 state residents (or 10,000 residents and generating 25% revenue from data sales). The law, if signed, would take effect on 1/1/2025 and require a 60-day notice and cure period for the first year, at which point the attorney general has discretion to provide an opportunity to cure.
• California Privacy Protection Agency Launches New Informational Website for Consumers: The California Protection Agency launched a new website, ca.gov, as a resource for California consumers to learn about their privacy rights. The website provides information to California consumers on the protections provided under the California Consumer Protection Act (CCPA), among other information.

Regulatory:

• Protecting Genetic Data Is An Enforcement Priority For the FTC: On January 5, 2024, the Federal Trade Commission (FTC) reiterated in a blog post that protecting biometric information, including genetic data, is a top priority for them. The FTC’s post summarizes lessons targeted at companies that collect, process, and store customer genetic information for DNA-based products or services by recounting three enforcement actions against sellers of genetic testing products. The sensitivity of biometric data is high, and so too is the risk of harm. The FTC makes it clear that if you collect or store genetic data, you must apply appropriate security measures commensurate with the sensitivity of that data. Customer accounts should be properly secured to deter data thieves from procuring sensitive data. And claims about genetic testing should be supported accurate and supported by science. The FTC’s guidance suggests that additional enforcement actions may be forthcoming for misuses of biometric information and its’ potential harm to consumers.
• California AG Focuses on Streaming Services Privacy Practices: The California Attorney General Bob Bonta has announced that his office will be focusing on popular streaming services compliance with the CCPA. The investigative sweep will be looking to determine if the streaming services are in compliance with the CCPA’s opt-out requirements, and whether or not the businesses are making it easy for consumers to opt-out of the sale of their personal information. The CCPA has strict requirements for honoring consumer rights. Businesses should continue to work to ensure compliance with the CCPA as Attorney General Bonta will continue to seek enforcement.
• Cloud Security Alliance Launches the AI Safety Initiative: On December 12, 2023, Cloud Security Alliance (CSA) announced the launch of the AI Safety Initiative in partnership with Amazon, Anthropic, Google, Microsoft, and OpenAI, joined by a broad coalition of experts from the Cybersecurity & Infrastructure Security Agency (CISA), other governments, academia and a range of industries. The Initiative plans to craft and share reliable guidelines for AI safety and security. It’s landing page is at cloudsecurityalliance.ai. Users and potential users of AI should understand and keep up with guidelines published by groups like this to ensure that the growing adoption of AI is done securely
• CISA Joins Australian-led Guidance on How to Use AI Systems Securely: On January 23, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on Engaging with Artificial Intelligence—joint guidance, led by ACSC, on how to use AI systems securely. The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and security agencies from several other countries also collaborated with ACSC on the guidance. The guidance provides AI users with an overview of AI-related threats and steps that can help them manage AI-related risks while using AI systems. Cybersecurity is a critical consideration for all users of today’s rapidly developing AI. This publication provides consensus security guidance.

Litigation & Enforcement:

• George Carlin Estate sues for AI Comedy Routine: Comedian George Carlin’s estate and rights holders sued a podcast for utilizing AI to create and broadcast a “George Carlin” comedy routine. The complaint alleges claims for copyright infringement for the use of George Carlin’s material to train the AI engine, and violation of publicity rights for using George Carlin’s name and likeness.

International Updates:

• CJEU Reaffirms Broad Scope of Controllership in EU GDPR Decision: The Court of Justice of the European Union (CJEU) has interpreted EU General Data Protection Regulation in a recent ruling. CJEU has held that a controller can be liable for processing carried out by its processor. A controller will not be liable where a processor processes personal data for its own purposes, acts in a manner that is incompatible with the arrangements set by the controller, or if it’s reasonable to conclude the controller didn’t agree to the processing. Conversely, a controller may be held liable if exert influence over the processing of personal data for their own purposes, and determines the means and purposes of such processing. Liability may be assessed even if there is no contract between the controller and processor.
• Italy Declares ChatGPT Violates GDPR: The Italian data protection authority (“DPA”), Italian Garante, has notified OpenAI that it believes the company’s AI platform ChatGPT violates provisions of the GDPR. The details of the allegations have not been released but based on the Italian DPA’s temporary ban on ChatGPT in March 2023, the concerns are likely based on the use of personal information to train the AI’s algorithm and no age verification process in place for minors. OpenAI now has 30 days to respond to the Italian DPA’s claims. This is a good reminder that while new AI regulations are on the horizon in the EU, companies developing AI still need to worry about compliance with existing privacy regimes such as the GDPR.
• Countries Sanction Russian Hacker Involved in Medibank Breach: Three countries, Australia, the United States, and the United Kingdom, have imposed sanctions on Alexander Ermakov, a Russian hacker involved in the Medibank breach. Medibank is an Australian insurance company that was affected by a breach in which approximately 10,000,000 individuals were impacted. This is the first coordinated trilateral action between the US, Australia, and the United Kingdom. The sanction makes it a criminal offense to provide the hacker with any assets, including cryptocurrency wallets or ransom payments. The U.S. action freezes the Russian hacker’s U.S. assets and generally bars Americans from dealing with him.

Industry Updates:

• Ransomware Payment Rate Drops to Record Low: According to data provided by Coveware, the percentage of ransomware victims that pay a ransom is at an all-time low, just 29% of ransomware victims. Coveware points to two key factors as driving this trend: (1) the increasing resilience of business networks and (2) an increasing reluctance to pay solely for an unverifiable promise of a criminal to delete data. For Coveware, Akira was most prominent ransomware variant in the fourth quarter of 2023.
• Ring Camera App Stops Sharing Footage to Law Enforcement Without Warrant: The Ring camera app has announced that it will stop sharing footage directly with law enforcement agencies upon request. Ring will now require a warrant to provide footage to law enforcement on an “emergency basis.”
• Microsoft Under Attack by Threat Actor Group Midnight Blizzard: On January 12, 2024, Microsoft detected a security incident on their corporate systems by the nation state actor Midnight Blizzard. Midnight Blizzard is a Russian state-sponsored threat actor group, also known as Nobelium. The incident occurred after the threat actor used a password spray attack to compromise a legacy non-production test tenant account. This gave the threat actor access to a small number of Microsoft corporate email accounts, allowing the threat actor to exfiltrate some emails and documents. Microsoft is applying their current security standards and internal business procedures, which in turn might cause disruption to existing business processes.
• NIST Identifies Types of Cyberattacks That Manipulate Behavior of AI Systems: The National Institute for Standards and Technology (NIST), on January 4, 2024, released Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations(NIST.AI.100-2), which describes adversarial machine learning threats, mitigations strategies, and their limitations. It is important for all users of artificial intelligence systems to understand and address the threats, how to protect against them, and the limitations of mitigation measures.
• Jury Awards Centripetal $151 million in Cybersecurity System Patent Suit: A federal jury awarded Centripetal Networks $151.5 million in damages against Palo Alto Networks for Palo Alto’s patent infringement. Centripetal claimed that Palo Alto’s Cortex cybersecurity platform, next-generation firewalls and other software infringed four of Centripetal’s patents. The jury agreed that Palo Alto infringed all four patents.