Publications and Advisories
- July 31, 2023 – Dave Brown, Kate Hanniford, Kim Peretti, Julia Mediamolle, Cara Peterman, Sierra Shear, Kristen Bartolotta, and Kezia Osunsade published “Securities Law, Securities Litigation, and Privacy, Cyber & Data Strategy Advisory: SEC Adopts New Cybersecurity Disclosure Rules for Public Companies.”
- July 11, 2023 – Kathleen Benway, Sara Pullen Guercio, Sarah Beach, and Hyun Jai Oh published “Privacy, Cyber & Data Strategy / Consumer Protection/FTC / Health Care Advisory: FTC Continues Its Focus on Health Privacy.”
- July 1, 2023 – Kathleen Benway, David Keating, Sara Pullen Guercio, and Hyun Jai Oh published “Limit Your Health Data Sharing and Call Me in the Morning: Federal Trade Commission Prescribes Enforcement of the Health Breach Notification Rule” in Pratt’s Privacy & Cybersecurity Law Report.
- June 30, 2023 – Dan Felz, Ted Kang, and Paul Monnin published “Multinational Aspects of SEC Investigations” in SEC Compliance and Enforcement Answer Book.
- June 27, 2023 – Peter Swire published “Oceans Apart: The EU and US Cybersecurity Certification Standards for Cloud Services” in European Law Blog.
- June 26, 2023 – Wim Nauwelaerts published “EU: EDPB’s Finalized Guidelines on International Data Transfers Under the GDPR Explained” in Data Guidance.
Selected U.S. Privacy and Cyber Updates
FTC Launches Investigation into Creator of ChatGPT
In mid-July, the Federal Trade Commission (FTC) reportedly opened an investigation into OpenAI, the maker of ChatGPT, sending the company an extensive civil investigative demand (CID). While FTC investigations are not normally public, the Washington Post published what appears to be part of the CID. This investigation comes on the heels of FTC Chair Lina Khan stating her intention to use existing consumer protection law to protect people from the potential dangers of generative artificial intelligence. President Joe Biden’s Administration has signaled that it will take a “whole of government” approach to using existing law to combat any potentially harmful outcomes of artificial intelligence.
FTC Seeks Comments on a New Verifiable Parental Consent Mechanism Under COPPA
On July 19, 2023, the FTC announced that it is seeking comment on an application for a new verifiable parental consent mechanism under the Children’s Online Privacy Protection Act. The application, submitted jointly by the Entertainment Software Rating Board, Yoti, and SuperAwesome, requests that the FTC approve Yoti’s “Facial Age Estimation” technology as a method to obtain parental consent. The request for public comment was published in the Federal Register on July 20, 2023. Interested parties have until August 21, 2023, to submit comments.
Chinese Hackers Exploit Gap in Cloud Environment Used by U.S. Government
According to recent reports issued by Microsoft and U.S. government agencies, hackers recently exploited a gap in Microsoft’s cloud environment, enabling the malicious actors to access the email accounts of employees at the U.S. Commerce and State Departments. The hackers victimized 10 organizations in the United States, including the U.S. government, and 25 organizations worldwide. The U.S. government has not yet attributed the attack to any country or group, though Microsoft disclosed that the attack came at the hands of a “China-based threat actor.”
HHS and FTC Fire a Warning Shot at Health Care Companies Using Online Tracking Technologies
On July 20, 2023, the Office for Civil Rights of the U.S. Department of Health and Human Services and the FTC published a joint letter sent to approximately 130 hospital systems and telehealth providers. The letter warns that certain online tracking technologies that “may be present” on the recipients’ mobile apps or websites could be “impermissibly disclosing consumers’ sensitive personal health information to third parties.”
California Attorney General Launches CCPA Investigative Sweep for Employers
On July 14, 2023, California Attorney General Rob Bonta launched investigations into large California employers’ compliance with the California Consumer Privacy Act as it relates to their processing of employee and job applicant personal information.
Texas Becomes Tenth State to Enact a Comprehensive State Privacy Law
On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, making Texas the latest contributor to the growing patchwork of comprehensive U.S. state privacy laws. The TDPSA takes effect July 1, 2024, except for provisions that enable consumers to designate authorized agents to exercise on the consumers’ behalf rights to opt out of data sales and targeted advertising, which take effect on January 1, 2025.
NYDFS Releases Revised Proposed Second Amendment of Its Cybersecurity Regulation
On June 28, 2023, the New York Department of Financial Services (NYDFS) published an updated proposed Second Amendment to its Cybersecurity Regulation in the New York State Register, updating its previous proposed Second Amendment published November 9, 2022. While the new language is largely similar to the previous draft, the NYDFS incorporated a number of changes as a result of the 60-day comment period.
SEC’s Proposed Cybersecurity Rules Delayed Yet Again
On June 13, 2023, the U.S. Securities and Exchange Commission published its spring 2023 rulemaking agenda, which delays finalizing the proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies and the proposed rule on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies until at least October 2023. The proposed rules were originally intended to be finalized in April 2023.
CL0P Ransomware Gang’s Exploitation of MOVEit Vulnerability: What It Means for Companies
On June 7, 2023, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released a Joint Cybersecurity Advisory in connection with a recent zero-day (i.e., previously unknown and unpatched) vulnerability in Progress Software’s managed file transfer software, exploited by the CL0P ransomware group. CL0P publicly claimed responsibility for exploiting the vulnerability on June 5, 2023, and has a well-established history of targeting vulnerabilities in file transfer software, gaining notoriety in 2021 after the group exploited a zero-day vulnerability in Accellion’s File Transfer Appliance.
NYDFS Penalizes bitFlyer $1.2 Million for Violations of Cybersecurity Regulation
On May 1, 2023, bitFlyer USA Inc. entered into a consent order with the NYDFS for multiple deficiencies in its cybersecurity program, most notably the failure to conduct periodic risk assessments sufficient to inform the program’s design. BitFlyer operates a cryptocurrency trading platform and provides custodial wallet services for U.S. dollars and digital currencies, holding a virtual currency license (commonly referred to as a BitLicense) under the NYDFS virtual currency regulation. By virtue of its BitLicense, bitFlyer is a “covered entity” and must comply with the NYDFS Cybersecurity Regulation, as well as the NYDFS cybersecurity-specific requirements for virtual currency licensees, which contain requirements substantially similar to those set forth in the NYDFS Cybersecurity Regulation.
Selected Global Privacy and Cybersecurity Updates
International Data Transfers: European Commission Gives Green Light to EU-U.S. Data Privacy Framework
On July 10, 2023, the European Commission (EC) adopted its long-awaited adequacy decision approving the EU-U.S. Data Privacy Framework. By doing so, the EC confirmed that personal data transferred to the United States under the framework is adequately protected in line with the EU General Data Protection Regulation’s international data transfer rules.
Council of Europe Launches Model Contractual Clauses for Transfers of Personal Data
On June 16, 2023, the Council of Europe’s Committee of Convention 108+ (the Convention for the Protection of Individuals with Regard to the Processing of Personal Data) adopted model contractual clauses for cross-border data flows. The model contractual clauses are intended to cover the transfers of personal data to countries that are not parties to Convention 108+. According to the Council of Europe, the model contractual clauses have the potential to bridge similar data transfer tools – such as the EC’s standard contractual clauses (SCCs) – and to contribute to the convergence towards appropriate data protection standards globally.
Joint Regulatory Guidance Aims to Help Companies Transfer Personal Data Across ASEAN and EU Member States
On May 23, 2023, the EC and the Association of Southeast Asian Nations (ASEAN) published guidance that identifies commonalities and differences between the EU SCCs and ASEAN’s model contractual clauses to assist companies with their efforts to comply with data transfer rules in both regions. The guidance includes a reference guide that compares the EU SCCs and the ASEAN model contractual clauses and will shortly be complemented by an implementation guide providing best practices for companies that plan to use both sets of clauses.