Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice.
STATE & LOCAL LAWS & REGULATIONS
Broadband Carriers Withdraw Lawsuit Challenging Maine ISP Opt-In Privacy Law
Four broadband internet service provider (“ISP”) lobbying organizations filed to voluntarily dismiss the federal lawsuit against Maine in ACA Connects et al. v. Frey, which challenged Maine’s law requiring “express affirmative consent” to disclose, sell, or permit access to ISP customers’ personal information. Plaintiffs argued that the law’s applicability to only broadband ISPs, but not other online companies, violated the First Amendment. Unlike other states that have favored “opt-out” laws, Maine’s “opt-in” privacy law is modeled after similar Federal Communications Commission (“FCC”) rules that were nullified in 2017, and the plaintiffs believe the nation will not follow Maine’s lead. Plaintiffs must pay $55,000 to Maine for costs incurred from litigation.
CPPA Holds Meeting to Discuss CPRA Rulemaking
The California Privacy Protection Agency (“CPPA”) Board held a public meeting to discuss ongoing preparations for the California Privacy Rights Act (“CPRA”), which becomes effective on January 1, 2023. The Board confirmed that the next draft of regulations will include “quite a few changes,” but did not offer a specific timeline for when the draft will be available. In response to multiple concerns raised about the burden businesses will face in complying with the CPRA, given the delays in the rulemaking process, the Board indicated they may consider requesting the legislature to delay enforcement actions. The Rulemaking Process Subcommittee also proposed a rulemaking process that would include two separate staff presentations where Board members could also draft and propose amendments. The Board raised numerous concerns, including the time commitment and burdens to the Board, agency, and public.
California Governor Signs California Age-Appropriate Design Code Act
California Governor Gavin Newsom signed the landmark California Age-Appropriate Design Code Act (the “Act”) into law. The Act, which takes effect on July 1, 2024, is modeled after the U.K. Age-Appropriate Design Code and its definitions offer broader protections than the federal Children’s Online Privacy Protection Act (“COPPA”). The Act prohibits companies that provide online services, products, or features that are likely to be accessed by children under the age of 18 from collecting or using a child’s personal information, including geolocation, or encouraging a child to disclose such information. The Act also establishes the California Children’s Data Protection Working Group to help study and implement the Act. New York has followed California’s lead and introduced a children’s privacy bill, S.B. 9563, mirroring California’s protections, including a required data protection impact assessment, privacy-by-default settings, and prohibitions against certain data practices.
California Adopts Smart Device Labeling Legislation
California Governor Gavin Newsom approved Assembly Bill 2392 (“A.B. 2392”), which adds a new safe harbor to the California Internet of Things Security Law (the “Security Law”). The Security Law, which came into effect on January 1, 2020, requires all Internet-connected devices (e.g., smart appliances and online security cameras) sold or offered for sale in California to have “reasonable security features” that are appropriate to the nature and function of the device. Under A.B. 2392, manufacturers of Internet-connected devices may comply with the Security Law by conforming to the baseline labeling scheme required by the National Institute of Standards and Technology (“NIST”) for consumer Internet of Things (“IoT”) products, including satisfying a conformity assessment and using a binary label that can be understood by non-technical consumers.
FEDERAL LAWS & REGULATIONS
Pelosi Releases Statement Opposing ADPPA in Current Form
U.S. House of Representatives Speaker Nancy Pelosi released a statement opposing the American Data Privacy and Protection Act (“ADPPA”) in its current form, echoing concerns from other California lawmakers over the federal bill’s preemption provisions which would diminish existing state consumer privacy protections. According to the statement, under the ADPPA, California consumers would lose existing protections, including certain rights to opt-out of the sale or use of personal data and the right to delete. The Energy and Commerce Committee rejected an amendment that would set the ADPPA provisions as a floor, thereby allowing states to continue innovating with stronger protections. Although the ADPPA’s House sponsor, Representative Frank Pallone (D-N.J.), and Speaker Pelosi have both indicated a willingness to compromise, it remains unclear what the final legislation will become.
DHS Cybersecurity Begins Cybersecurity Grant Program for State and Local Governments
The Department of Homeland Security (“DHS”) unveiled the State and Local Cybersecurity Grant Program (the “Program”), which will provide $1 billion in funding to state, local, and territorial (“SLT”) governments over four years to strengthen cybersecurity of critical infrastructure and protect against cyberthreats. The Program is intended to offer SLT governments critical resources, including partnerships with federal agencies and community assistance to build cybersecurity capability and capacity. Under the Program, states must allocate at least 80 percent of their funding to local and rural communities, with a minimum of 25 percent going to rural areas and 3 percent to tribal governments. Funds are intended to help establish cyber governance frameworks, address key vulnerabilities, and help build a 21st-century cybersecurity workforce.
Privacy and Civil Liberties Oversight Board Seeks Public Comments on FISA Section 702
The Privacy and Civil Liberties Oversight Board (the “Board”) is seeking public comments regarding the Board’s oversight project examining Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) in anticipation of the December 2023 sunset date and Congressional consideration of its reauthorization. Section 702 authorizes the National Security Agency (“NSA”) to conduct warrantless surveillance of foreigners, and to compel U.S. electronic service providers to share communications to or from the foreign target, including international communications of U.S. citizens collected incidentally. The White House strongly supports Section 702 as indispensable to national security, but privacy and civil liberties advocates have challenged Section 702’s constitutionality and the adequacy of existing safeguards. The comment submission period closes on October 31, 2022.
FTC Issues Dark Patters Report
The Federal Trade Commission (“FTC”) released the Bringing Dark Patterns to Light report, which describes the growth in scale and sophistication of manipulative design practices, or “dark patterns,” that take advantage of consumers’ cognitive biases to influence consumer behavior. The report focuses on four common dark pattern techniques that have been utilized as commerce has gone digital: (1) misleading and disguised advertisements to induce false beliefs, (2) difficult-to-cancel or deceptive subscriptions that may lead to unauthorized charges, (3) hidden key terms and fees or delayed disclosure, and (4) obscured privacy choices regarding consumer information. The report concludes with a warning that the FTC will act against companies that employ dark patterns.
CISA Solicits Comments on Cyber Incident Reporting Requirements
The Cybersecurity and Infrastructure Security Agency (“CISA”) issued a Request for Information (“RFI”) and notice of public listening sessions to solicit public input in developing proposed regulations for cyber incidents and ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). CIRCIA requires reporting of cyber incidents within 72 hours. In particular, CISA will focus on defining the terminology to be used, as well as the form, manner, content, and procedures of reporting. Public comments may be submitted in writing to the RFI by November 14, 2022, or through participating in one of the public listening sessions. CISA will publish a Notice of Proposed Rulemaking (“NPRM”) by March 2024, which will also be open for public comment, and a Final Rule will be issued within 18 months of the NPRM’s publication.
Executive Order Directs CFIUS to Screen Deals for Risks to Data and Cybersecurity
President Biden signed Executive Order 14083 (“EO 14083”), providing direction on the risks that the Committee on Foreign Investment in the United States (“CFIUS”) should consider when reviewing transactions with foreign investments. EO 14083 directs CFIUS to consider five specific factors: (1) a transaction’s effect on the resilience of critical U.S. supply chains that may have national security implications; (2) a transaction’s effect on U.S. technological leadership in areas affecting U.S. national security, including but not limited to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies; (3) industry investment trends by a particular investor or group of investors from the same country within a specific industry or sector that may have consequences for a given transaction’s impact on U.S. national security; (4) cybersecurity risks that threaten to impair national security, including potential risks to national elections, critical infrastructure or critical energy infrastructure, including smart grids; and (5) risks to U.S. persons’ sensitive data, including health, digital identity, or other biological data.
FTC Hosts Privacy Rulemaking Public Forum
The FTC hosted a virtual public forum on “commercial surveillance and data security practices that harm consumers and competition.” The public forum, which included panel discussions and public comments, was conducted to guide the FTC in determining whether to proceed with rulemaking under Section 18 of the FTC Act, otherwise known as Magnusson-Moss rulemaking, as well as to inform any potential rulemaking. In their remarks, the Commissioners discussed using Section 18 to expand the definition of what constitutes “unfair” data privacy practices beyond violations of procedural “notice and choice” based privacy protections. The Commissioners also discussed imposing broader substantive requirements for safeguarding consumer data, including use of industry standard information security frameworks and limiting the collection and processing of certain consumer data. The public forum follows the FTC’s Advanced Notice of Proposed Rulemaking on data security practices issued on August 11, 2022.
NHTSA Publishes Final Cybersecurity Best Practices for the Safety of Modern Vehicles
The National Highway Traffic Safety Administration (“NHTSA”) published the final Cybersecurity Best Practices for the Safety of Modern Vehicles (“2022 Cybersecurity Best Practices”), an update to the 2016 edition, which provides guidance to the automotive industry to improve vehicle cybersecurity safety during vehicles’ lifecycles. The 2022 Cybersecurity Best Practices provides recommendations, including but not limited to establishing governance for identifying and preventing cybersecurity risks, creating processes and procedures to report and eradicate security incidents, implementing risk assessments in the design, manufacturing, and selling of vehicles, and auditing processes and procedures to ensure effectiveness. The 2022 Cybersecurity Best Practices is updated based on public comments received on the draft that was published in the Federal Register in 2021.While the document is nonbinding, it contains important best practices that will influence the industry going forward.
U.S. LITIGATION
SolarWinds Derivative Suit Dismissed
The Delaware Chancery Court granted a motion to dismiss a derivative suit against the directors of SolarWinds Corporation (“SolarWinds”) for allegedly breaching their fiduciary duty of loyalty by failing to oversee the company’s cybersecurity risk. SolarWinds was at the center of a major security incident in December 2020, in which Russian hackers attacked up to approximately 18,000 of SolarWinds’ clients by hiding malware code in SolarWinds’ Orion software. Vice Chancellor Sam Glasscock III held that plaintiffs failed to allege demand futility with sufficient particularity, as required to pursue litigation derivatively on behalf of the company. The court also found that plaintiffs failed to plead sufficiently particularized facts from which to infer bad faith on the part of directors to support their failure of oversight claim.
Third Circuit Sets Standard for Establishing Standing in Data Breach Cases
The Third Circuit Court of Appeals reinstated a putative class action in Clemens v. ExecuPharm Inc., holding that there was sufficient risk of imminent harm after a data breach to confer standing when the information affected by the data breach had been posted on the dark web. In March 2020, the known hacker group “CLOP” allegedly stole employee data consisting of both financial and personal information (e.g., social security numbers and government identification numbers) held by ExecuPharm Inc. (“ExecuPharm”). Jennifer Clemens, a former ExecuPharm employee, brought a putative class action on behalf of other current and former ExecuPharm employees, which the district court dismissed, holding that allegations of increased risk of identity theft resulting from a data breach does not confer standing. The Third Circuit reversed this decision, holding that the plaintiff faced a substantial risk of future identity theft because of the type of information affected by the breach and the fact that such information was posted on the dark web. The Third Circuit also found emotional distress, or the money spent on mitigation measures like credit monitoring services, made the plaintiff’s injury concrete.
U.S. ENFORCEMENT
SEC Settles with Financial Services Firm for Improperly Disposing Personal Information
The U.S. Securities and Exchange Commission (“SEC”) has settled with a financial services firm for $35 million over allegations of violations of the Safeguards and Disposal Rules under Regulation S-P. The SEC found that since 2015, the firm hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal information of approximately 15 million customers. Moreover, the SEC found the firm failed to properly monitor the moving company’s work, as the moving company sold thousands of devices containing unencrypted customer personal information and were eventually resold on an internet auction site. While the firm recovered some of the devices, most were not recovered.
SEC and CFTC Issue $1.8B in Fines for Recordkeeping Violations
The SEC and Commodity Futures Trading Commission (“CFTC”) issued fines in connection with settlements with 11 banks relating to the banks’ employees’ use of texting for work-related communications. Fines for individual banks ranged from $16 million to $225 million. The banks are required by SEC and CFTC rules to keep copies of business-related communications sent and received by employees. The SEC and CFTC alleged that the use of texts resulted in a failure to archive a significant number of business-related communications in violation of those rules. Each of the banks maintained policies prohibiting the use of text messaging for business-related communications. Pursuant to the settlement, each firm admitted to the compliance failures and have agreed to implement compliance program improvements.
INTERNATIONAL LAWS & REGULATIONS
China Security Assessment Requirements for Cross-Border Transfers Come Into Effect
Security assessment measures (the “Measures”) promulgated by the Cyberspace Administration of China (“CAC”) became effective on September 1, 2022. Under the Measures, organizations transferring data across Chinese borders must carry out security assessments in certain circumstances and report such assessments to the CAC. These circumstances include when the organization is transferring “important data,” when the organization is an operator of critical information infrastructure, when a transfer involves the data of over 1 million individuals or when cumulative transfers of data of over 100,000 individuals in any calendar year, and in other situations defined by CAC regulation. “Important data” is any data which, if altered, or illegally acquired or used, may endanger national security, the operation of the economy, social stability, public health, or security. Organizations must consider the legal basis and necessity of processing and transferring of data, the risks to the data, the availability of avenues for redress, and data protection responsibilities provided in the contract with the recipient of the data, among other factors when conducting security assessments.
European Commission Introduces IoT Security Requirements
The European Commission published a draft Cyber Resilience Act (“CRA”) to set common cybersecurity standards for connected devices and software. The CRA aims to ensure that manufacturers improve the security of products with digital elements throughout the design and development lifecycle, provide a coherent cybersecurity framework that facilitates compliance for hardware and software manufacturers, enhance the transparency of the security attributes of products with digital elements, and enable business and consumers to use products with digital elements securely.
German Court Rules it’s OK to Use EU Subsidiaries of U.S. Cloud Service Providers
The German Higher Regional Court of Karlsruhe (“OLG Karlsruhe”) repealed a decision by the Procurement Chamber of the German state of Baden-Württemberg that had held that the mere risk of access to personal data stored in the EU by U.S. authorities is a cross-border data transfer that does not comply with the EU General Data Protection Regulation (“GDPR”). The OLG Karlsruhe held that the fact an EU entity is a subsidiary of a U.S. company is not a sufficient indication that the EU entity would fail to fulfill its legal obligations with respect to the processing of personal data. Effectively, the Procurement Chamber cannot assume that an EU subsidiary of a U.S. company would violate EU data protection law. The decision is welcome news for U.S. cloud service providers during a time when personal data transfers to the U.S. have increasingly been under regulatory scrutiny.
EDPB Picks Topic for Next Coordinated Action
The European Data Protection Board (“EDPB”) announced it has decided on a topic for its second coordinated enforcement action. The EDPB selected the designation and position of the data protection officer as its enforcement topic and will work to further specify details of proposed action in the coming months. Last year, the EDPB selected the use of cloud services by the public sector as its first coordinated action and expects to issue a report on the outcome of its first coordinated action before the end of 2022. The coordinated enforcements are part of an initiative to streamline enforcement and cooperation among data protection authorities in the EU.
Danish Data Protection Authority Joins Growing List That Finds Use of Widely Used Website Analytics Tool Unlawful
The Danish Data Protection Authority became the latest EU data protection regulator to find that the use of a popular website analytics tool violates GDPR because it allows companies to send personal data outside of the EU without adequate protections. The Danish authority stated that companies cannot continue to use the tool without supplementary measures that include pseudonymization of personal data. The decision follows similar findings issued during the past year by the Austrian, French, and Italian data protection authorities.
RECENT PUBLICATIONS & MEDIA COVERAGE
We thank Ann Huang for her writing assistance with this newsletter.
