Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here. 

State Actions:  

• California Regulatory Activity Continues to Heat Up: August was an active month for California regulators, who issued draft regulations, announced an enforcement probe and launched an online consumer complaint portal:
  • Cybersecurity Audits & Risk Assessment Draft Rulemaking: In advance of its Sept. 8 Board meeting, the California Privacy Protection Agency (CPPA) issued draft regulations on Risk Assessments and Cybersecurity Audits.  The drafts expressly state that they are intended “to facilitate Board discussion and public participation” and are “subject to change.” Nonetheless, the drafts provided insight into how the Agency will address audits and assessments.  For example, the Risk Assessment draft proposal requires businesses to conduct risk assessments where processing of consumer personal information “presents a significant risk to consumer privacy,” and identifies seven instances in which a risk assessment would be required, to include the selling/sharing of personal information and for automated decision making or to train artificial intelligence models. 
  • California Auto Enforcement Probe: The CPPA also announced its intent to probe how automotive companies are complying with the California Consumer Privacy Act, as amended by the California Consumer Privacy Rights Act (“CCPA”). In announcing the enforcement probe, Ashkan Soltani, CCPA’s Executive Director, said “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” For further analysis of the enforcement probe, check out Clark Hill’s Client Alert.
  • California Consumer Complaint Portal Now Live: The California Privacy Protection Agency launched its Consumer Complaint Portal and related FAQs for consumers to direct their privacy-related complaints and suspected violations of the California Consumer Protection Act (CCPA).
  • California Delete Act Passes Assembly: The California Delete Act, CA SB 362, unanimously passed the State Assembly, and full enactment of the law is expected soon.  Among other things, CA SB 362 would require data brokers to respect a “universal opt-out request” for any California resident. It would create a “one-stop shop” for asserting rights over hundreds of entities that collect, aggregate and resell consumer personal information.
• New York Unveils Statewide Cybersecurity Strategy: On August 9, GovernorKathy Hochul announced New York’s first-ever statewide cybersecurity strategy to protect the state’s digital infrastructure from cyber threats. The cybersecurity strategy articulates a set of high-level objectives and agency roles and responsibilities, as well as outlines how existing and planned initiatives will be woven together in a unified approach. The plan’s commitment to improve cybersecurity, includes a $90 million investment for cybersecurity in Fiscal Year 2024; $500 million to enhance healthcare information technology; and  $7.4 million for law enforcement entities to expand their cybercrime capabilities.
• New York Bill on Electronic Monitoring and Automated Employment Decision Tools Introduced: New York Employers could face new restrictions on the electronic surveillance of workers and the growing use of automated decision-making and artificial intelligence (AI) technology to make employment decisions.  Senate Bill (S) 07623 regulates so called “bossware,” prohibits “automated employment decision tools” that are used to “substantially assist or replace discretionary decision making” unless such tools are subjected to a bias audit “no more than one year prior to the use of such tool” for which a summary of results are made publicly available on the website of the employer or employment agency. Employers would also be prohibited from relying solely on an output from an AEDT “when making hiring, promotion, termination, disciplinary, or compensation decisions.”

Federal Actions: 

• US Passes Federal Cybersecurity Vulnerability Reduction Act of 2023: US lawmakers have introduced H.R.5255 – Federal Cybersecurity Vulnerability Reduction Act of 2023, which mandates all federal contractors to have a vulnerability disclosure policy to ensure that any software flaws are fixed before they can be exploited. These vulnerability disclosure policies provide how security researchers should notify organizations once a flaw is discovered, and the rewards offered for reporting. The policies would be consistent with the guidelines from the National Institute of Standards and Technology (“NIST”). The bill would require CISA and NIST to work with the National Cybersecurity Director to review federal contract requirements and language for vulnerability disclosure policies.
• NIST Releases a Draft Version 2.0 of the NIST Cybersecurity Framework: On August 8, 2023, the National Institute of Science and Technology (NIST) issued an Initial Public Draft of the NIST Cybersecurity Framework 2.0. The original Framework was released in February 2014 as voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. The draft adds a sixth, overarching function, Govern, to the five core security functions in the earlier versions (Identify, Protect, Detect, Respond, and Recover).Govern provides the organizational context (risk management strategy; cybersecurity supply chain risk management; roles, responsibilities, and authorities; policies, processes, and procedures; and oversight) for implementing the other functions. While it is a draft, it provides a thorough analysis of the Govern function that businesses and organizations can use to implement or update governance in their cybersecurity programs.
• FBI Issues Guidance for Cryptocurrency Scam Victims: On August 24, 2023, the Federal Bureau of Investigation (FBI) published a Public Service Announcement, “FBI Guidance for Cryptocurrency Scam Victims.” It suggests that victims” immediately submit a report to the FBI Internet Crime Complaint Center(IC3) at ic3.gov or contact your local FBI Field Office and provide as much transaction information as possible.” It includes a list of the most important transaction information.
• Biden Administration and Private Industry Combine Efforts to Strengthen K-12 Cybersecurity: On August 7^st the Biden Administration announced a multi-agency effort to provide K-12 school systems with additional funding and resources to strengthen their cybersecurity posture. As part of this effort CISA released a guide to building a defensible and resilient educational infrastructure and has committed to providing tailored assessments for K-12 school districts. Private industry contributions include:
  • Amazon Web Services
    • Creation of $20 million cyber grant for K-12 districts
    • Free cybersecurity training
    • No cost incident response assistance
    • Architect review for companies providing mission critical applications to K-12 districts
  • Cloudflare
    • Free suite of Zero Trust cybersecurity tools for districts with less than 2,500 students
  • Powerschool
    • Will provide free and subsidized “security as a service” courses, training, tools, and resources to all U.S. schools and districts
  • Google
    • Provide a guidebook on hardening Google software and hardware
  • D2L
    • Free cybersecurity courses
    • Information security review for the core D2L integration partners
• CISA Offers Free Safety, Cyber and Security Assessments for Education: In a LinkedIn post on August 12, 2023, with the hashtag #BacktoSchool, CISA announced that it provides free assessments of safety, cyber and security plans and protocols for K-12 and beyond. It includes a link to a directory of CISA Regional Offices to contact for more information.

Litigation & Enforcement: 

• No Copyright Protection for Generative AI Content: On August 18, 2023, a federal court held that U.S. Copyright law does not protect content created by Generative AI because “human creativity is the sine qua non at the core of copyrightability, even as that human creativity is channeled through new tools or into new media.” In sum, the Court held that “[h]uman authorship is a bedrock requirement of copyright.” See Thaler v. Perlmutter, No. 1:22-cv-01564 (D.D.C. Aug. 18, 2023), available here.
• Risk of Litigation After Health Data Breach On The Rise: A recent report released by Bloomberg Law shows a rise in monthly class action filings related to breaches of health data. Bloomberg reports that the monthly average of class action filings this year is nearly double the rate from 2022. This increase is in part a result of the continually increasing use of technology as part of the provision of healthcare, the proliferation of ransomware attacks, and growing consumer awareness of privacy issues. Healthcare entities will need to continue to be vigilant in their preparation and response to cybersecurity incidents. The best way to minimize potential impact, and the looming threat of litigation, is to plan, practice, and implement appropriate security and response measures.
• Experian fine proposed due to failure to provide ‘opt-out’ messages for malicious marketers: The Federal Trade Commission has proposed a fine against Experian of $650,000 for failing to provide consumers with the ability to opt-out of unsolicited email marketing messages, as required under the CAN-SPAM Act. According to the FTC, after signing up for an account to manage their Experian credit report information, Experian would then send consumers marketing emails promoting other Experian services, but not provide consumers a mechanism to opt-out of future marketing emails, which violated the CAN-SPAM Act.
• HIPAA Enforcement Signals Need to Monitor Web Tracking Software: The U.S. Department of Health and Human Services, Office of Civil Rights (HHS OCR) recently signaled that entities covered by HIPAA need to be paying closer attention to web tracking software used on their websites or risk potential HIPAA violations and fines. Of particular concern is the fact that this software monitors visitor searches, what clinics, physicians, or procedures they may be interested in, and other details that disclose information about a patient’s health conditions. As such, the companies providing such software need to be treated like any other entity with which the covered entity shares protected health information—including requiring that a business associate agreement be in place between the companies and that risk assessments be conducted of the risks associated with such activity. HHS OCR has said that they are “heavily scrutinizing” this area and will be issuing enforcement actions and other penalties where appropriate going forward.

International Updates:

• India Finally Passes the Digital Personal Data Protection Act: On August 9, 2023, India passed the Digital Personal Data Protection Act (DPDPA), which could have a significant impact on U.S. companies that offer goods or services to India residents. The DPDPA mandates that companies can only process users’ personal data with the user’s consent or for certain legitimate purposes only if users are notified of the personal data to be processed and the purpose for doing so, as well as ways users can exercise their opt-out rights or file a complaint with the Personal Data Protection Board established under the DPDPA. The law prohibits behavioral monitoring and targeted advertising directed at minors. The law proposes penalties of up to 2.5 billion rupees ($30m) for violations and noncompliance.
• EU Digital Services Act Goes Into Effect For “Very Large Online Platforms”: On August 25, 2023, the EU Digital Services Act (“DSA’) that was passed in July 2022 went into effect for entities that the EU has designated as “very large online platforms.” The DSA defines “very large online platforms” as those that have 45 million monthly users in the EU. Nineteen companies have been designated as fitting this definition, including fifteen in the US. Examples include Google, Facebook, Amazon, the Apple App Store, Booking.com, and search engines such as Bing and Google Search. Moving forward, companies will need to provide means for users to report illegal content and for the platforms to remove such content, be more transparent in how their profiling algorithms work, and comply with the DSA’s restrictions on certain targeted advertising. While the DSA only currently applies to “very large online platforms,” the impact may reach beyond that as they determine how to comply with the DSA. On the horizon in 2024, all covered entities must comply with the DSA.
• Switzerland’s revised data protection law is enforceable as of September 1, 2023: Switzerland’s revised data protection law is enforceable as of September 1, 2023,  and tightens restrictions on the collection and use of personal data. Notably, the extraterritorial scope of the revised law is broader than that of the General Data Protection Regulation and applies to activities that have an effect in Switzerland even if they are initiated from abroad. Companies processing personal data of Swiss residents that do not have a corporate seat in Switzerland are required to appoint a representative in Switzerland. See here for unofficial English translation.
• United Arab Emirates Issues the First Adequacy Decision Regarding the California Consumer Privacy Act: On August 7, 2023, the Commissioner of Data Protection of the Dubai International Financial Centre in the United Arab Emirates (DIFC) issued the first adequacy decision regarding the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020, the CCPA), recognizing the essential equivalence of the CCPA with the Data Protection Law, DIFC Law No. 5 of 2020 (DP Law 2020). The decision helps to facilitate the transfer of data between the DIFC and entities based in California in accordance with the DP Law 2020 without requiring such entities to apply additional contractual measures. The issuance of the adequacy decision involved an assessment by the Commissioner of California’s data protection regime through a review of California’s laws and regulations, and consideration of the grounds for lawful and fair processing, the existence of data protection principles and data subjects’ rights, international and onward data transfer restrictions, measures regarding security of processing and breach reporting and accountability.

Industry Updates:

• Twilio Adds “AI Nutritional Labels” to its Offerings & Salesforce Publishes Acceptable AI Policy: In what may be the first of many voluntary attempts at AI transparency, Twillo, which helps businesses automate communications with their customers, announced that it will add “AI nutrition labels” on the AI services it offers its businesses clients, clearly outlining how their data will be used.   Among other things, the labels will report what AI models Twilio is using, whether those models are being trained on customer data, whether features are optional and whether there is a “human in the loop.”
• Leading Industry Actors Publish AI Policies: Salesforce published its AI Acceptable Use Policy prohibiting the use of Salesforce’s tools in certain instances including for automated decision making with legal effects. Relatedly, the New York Times added language to its terms of use prohibiting scraping of its news content for AI/LLM models.
• OWASP Releases Top Ten Vulnerabilities for Large Language Models: On August 1^st the Open Worldwide Application Security Project (OSWAP) released its first list of the top ten vulnerabilities for large language models. As background, OWSAP is a nonprofit, open-source organization that seeks to create and make available to everyone information security related content and tools. Its annual “Top Ten” list is incorporated into several cybersecurity frameworks and federal guidance on cybersecurity practices. The list is notable as it helps to conceptualize the types of security risks posed to Large Language Models. Organizations employing these models should incorporate ways to defend against and detect these types of attacks in the governance structure.
• October Is Cybersecurity Awareness Month: Mark your calendars, October is the 20th Annual National Cybersecurity Awareness Month in the United States, cosponsored by the Cybersecurity and Infrastructure Agency (CISA) and the National Cybersecurity Alliance. This year’s campaign will focus on using strong passwords and password managers, using multi-factor authentication, recognizing and reporting phishing, and updating software. The CISA and NCA websites have resources for businesses and organizations to prepare their own Cybersecurity Awareness Month campaigns for themselves and their employees, customers, and memberships.