The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – November 2023


Selected U.S. Privacy and Cyber Updates

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the Federal Trade Commission (FTC) approved an amendment to the Safeguards Rule requiring nonbanking financial institutions to notify the FTC of any notification event where customer information of 500 or more individuals was subject to unauthorized acquisition. The amendment becomes effective 180 days after publication in the Federal Register. Importantly, the amendment requires notifying only the FTC—which will post the information publicly—and not the potentially impacted individuals.

FBI Cautions Organizations on Dual Ransomware Attacks

On September 27, 2023, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification highlighting two concerning ransomware trends and providing companies with guidance on mitigating potential threat actor activity.

CISA and NSA Highlight Technology Gaps in New Guidance on Identity and Access Management

On October 4, 2023, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) published “Identity and Access Management: Developer and Vendor Challenges,” an advisory document developed by the Enduring Security Framework (ESF). The ESF is a CISA- and NSA-led cross-sector, public-private working group that works to address risks to U.S. national security systems and threats to critical infrastructure. This latest publication follows the ESF’s “Identity and Access Management: Recommended Best Practices for Administrators” advisory released earlier this year.

CISA Releases Advisory Concerning Chinese-Backed Threat Actor

On September 27, 2023, the NSA, FBI, CISA, Japanese National Police Agency, and Japanese National Center of Incident Readiness and Strategy for Cybersecurity released a joint cybersecurity advisory concerning the recent activity of a threat actor, known as BlackTech, that has been linked to the People’s Republic of China (PRC). The advisory states BlackTech is manipulating router firmware without detection to target a wide variety of entities in the government, industrial, technology, media, and telecommunications sectors. This includes multiple entities that support the Japanese and U.S. militaries.

New York Continues to Focus on Companies’ Data Security Practices

On October 5, 2023, the Office of the New York State Attorney General announced a $49.5 million multistate settlement with a donor management software company related to a 2020 data breach. Attorney General Letitia James also announced two settlements related to data breaches with entities that operate in the education industry. In both instances, the entities paid the ransom and received evidence of deletion of the stolen data.

California Privacy Protection Agency Releases Draft Regulations on Risk Assessments

On August 28, 2023, the California Privacy Protection Agency (CPPA) released two sets of draft regulations under the California Consumer Privacy Act (CCPA), one for risk assessments and another for cybersecurity audits, as part of the CPPA’s informal rulemaking process.

Penn State University Hit with False Claims Act Suit for Alleged Cybersecurity Deficiencies

On September 1, 2023, the Eastern District of Pennsylvania unsealed a qui tam False Claims Act lawsuit (originally filed on October 5, 2022) alleging Penn State University failed to provide adequate security for covered defense information as contractually required by the Defense Federal Acquisition Regulation Supplement in Section 252.204-7012.

California Proposes Annual Audits to Assess Sufficiency and Compliance of Company Cybersecurity

In August 2023, the CPPA released a discussion draft of proposed regulations under the CCPA. Importantly, the proposed regulations set forth more detailed obligations for companies’ cybersecurity programs, including routinely assessing and filing audits with the CPPA. Though these draft regulations are not yet part of an official rulemaking, the CPPA met to discuss the proposed regulations on September 8, 2023, providing additional insight into the CPPA’s priorities and what may ultimately be enacted.

Oregon Enacts Comprehensive State Privacy Law

On July 18, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (OCPA) into law, making Oregon the eleventh state to enact a comprehensive state privacy law. The OCPA will take effect on July 1, 2024; however, the effective date for covered nonprofits is delayed until July 1, 2025. While the OCPA aligns with some existing comprehensive state privacy laws, the various distinctions serve to highlight the fracturing data privacy and protection regulatory landscape that is emerging in the United States.

NIST Cybersecurity Framework 2.0 Released for Public Comment

On August 8, 2023, the National Institute of Standards and Technology (NIST) released the initial drafts of “Cybersecurity Framework 2.0” and “Cybersecurity Framework 2.0 Core with Implementation Examples” for public comment. This marks the first significant update to the NIST Cybersecurity Framework since its initial release in 2014. The update is intended to address the current and future cybersecurity threats faced by organizations of all types and sizes and to make the Framework easier for organizations to use. An updated Framework is important because the FTC has routinely relied on the existing Framework to determine whether a company’s data security practices are reasonable and not unfair or deceptive in violation of Section 5 of the FTC Act.

Oregon Becomes the Fourth State to Enact a Data Broker Law

On July 27, 2023, Oregon Governor Tina Kotek signed into law a bill relating to the registration of business entities that qualify as data brokers. Effective January 1, 2024, the law will require data brokers to annually register with the Oregon Department of Consumer and Business Services. The law makes Oregon the fourth state to enact a data broker law, following Vermont, California, and Texas.

Selected Global Privacy and Cybersecurity Updates

China Releases Major Changes in Its Draft Regulations on Cross-Border Data Flows

In September 2023, the Cyberspace Administration of China (CAC) released draft regulations governing the cross-border flow of personal information and important data out of the PRC. The comment period for these regulations concluded on October 15, 2023, and the regulations may change if the CAC incorporates responses to any comments; however, the current draft regulations provide valuable insight into how the CAC intends to regulate cross-border data flows. Overall, the regulations represent a loosening of the CAC’s requirements for data transfers and an easing of the compliance burden—a welcome sign for multinational businesses with a presence in the PRC.

UK Government Makes a Bridge to the EU-U.S. Data Privacy Framework

On September 21, 2023, the UK adopted the Data Protection (Adequacy) (United States of America) Regulations 2023, also referred to as the “UK-U.S. Data Bridge.” The UK-U.S. Data Bridge will allow companies to legitimately transfer personal data from the UK to the United States on the basis of the recently enacted EU-U.S. Data Privacy Framework.

Why the New EU-U.S. Data Privacy Framework May Be Good News for Life Sciences Companies in the U.S.

U.S.-based life sciences companies can be subject to the EU General Data Protection Regulation (GDPR), even if they do not have any subsidiary, affiliate, or other physical presence in the EU. This can be the case if, for example, a pharmaceutical or medical device company in the United States acts as a sponsor of a clinical study that is conducted in one or more EU Member States with the help of local investigators or hospitals. The GDPR imposes restrictions on international data transfers and provides only limited options for justifying transfers of personal data to recipients in countries outside the EU. Sponsors in the United States may want to consider joining the EU-U.S. Data Privacy Framework—the successor to the EU-U.S. Privacy Shield—which has applied since July 10, 2023 to provide coverage for the transfer of study-related data from Europe to the United States.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising
