Decoded Technology Law Insights, V 5, Issue 4, May 2024

Welcome

Welcome to the fourth issue of 2024 of Decoded - our technology law insights e-newsletter.

Thank you for reading!


MIT Report Details New Cybersecurity Risks

“Cloud misconfigurations, more sophisticated ransomware, and vendor exploitation attacks are contributing to rising cyberattacks.”

Why this is important: Worldwide spending on cybersecurity and risk management is projected to hit $215 billion in 2024. Most companies are aware of cybersecurity threats and are taking steps to improve their defenses. However, threat actors are still finding ways past companies’ defenses as data breaches hit an all-time high in 2023.

A recent report identified three attack vectors that threat actors are using and that companies need to consider when evaluating their defenses:

  • Cloud misconfiguration. The article makes a startling point about the experience of IT personnel and the effect it has on the security of cloud storage. As companies race to move data to the cloud, many IT organizations lack staff experienced in the nuances of cloud configuration, and data is left exposed as a result. The article recommends addressing this early in the build cycle of storage systems and earlier still in the hiring process for IT personnel.
  • Ransomware. Ransomware attacks are evolving. What once was an attack where threat actors encrypted a company’s data and withheld the key until they were paid has morphed into attacks where the actors also steal personal data and threaten to release it on the dark web. Ransom with blackmail to boot. Moreover, Ransomware-as-a-Service is on the rise, essentially providing a product that bad actors can license to attack companies. Encrypting data while it is “at rest” makes copied files useless to an attacker who does not hold the keys; it does not, by itself, stop an attacker operating with a compromised account, who reads the data through the same decryption path that legitimate users do.
  • Vendor exploitation attacks. The access that vendors need in order to provide services to a company also provides a way into that company’s systems. Companies should consider making a cybersecurity audit part of any vendor on-boarding process, and limiting each vendor’s access to what its service actually requires.

The article offers additional ways in which companies can guard against these new attack vectors. It’s worth a read. If you’d like to talk more about your company’s defenses and any of these issues, contact Spilman’s data privacy group. --- Nicholas P. Mooney II

FTC Finalizes Updates to Health Breach Notification Rule

“The FTC underscored the Health Breach Notification Rule's applicability to health apps and emerging technologies outside the scope of HIPAA.”

Why this is important: The Federal Trade Commission (FTC) implemented the Health Breach Notification Rule (HBNR) more than 10 years ago. The HBNR requires vendors of personal health records (PHRs), PHR-related entities, and third-party service providers that are not subject to HIPAA to notify the FTC and impacted individuals in the event of a breach of unsecured PHR identifiable health information. Although the rule was drafted before health apps proliferated, the FTC issued a policy statement in September 2021 clarifying that health apps and connected device companies are subject to the HBNR. The FTC has now resolved a variety of questions regarding the application of the HBNR to health apps and other technology. These changes include:

  • PHR-related entities now include “entities that offer products and services through the online services, including mobile applications, of vendors of personal health records.” 
  • Additionally, the FTC stated that “only entities that access or send unsecured PHR identifiable health information to a personal health record — rather than entities that access or send any information to a personal health record — qualify as PHR-related entities.”
  • The FTC also confirmed that “breach of security” means an unauthorized acquisition of identifiable health information as the result of a data security breach.
  • Covered entities are now authorized to use email to provide breach notifications, but they will also have to include more information in those notifications, including the name or identity of any third parties that acquired unsecured PHR identifiable health information as a result of the breach.
  • The rule also expands the time for notifying the FTC. If the breach impacts 500 or more individuals, a covered entity now has the same time to notify the FTC as it does to notify individuals: without unreasonable delay and no later than 60 days after discovery.

These changes to the HBNR will go into effect 60 days after they are published in the Federal Register. --- Alexander L. Turner

NIST Launches a New Platform to Assess Generative AI

“NIST GenAI will release benchmarks, help create ‘content authenticity’ detection (i.e. deepfake-checking) systems and encourage the development of software to spot the source of fake or misleading AI-generated information.”

Why this is important: This initiative by NIST comes at a time when deep-fake creation is at an all-time high and still rising. Deep-fakes are AI-generated or AI-altered videos and other content in which the likeness of one person is convincingly replaced with that of another, often famous, person. OpenAI, currently embroiled in a copyright lawsuit brought by the New York Times over its text generation platform, is also developing tools to detect and verify AI-generated content. OpenAI’s initiative is aimed at its own image generator, DALL-E, and the company admits that much more will need to be done to fight the exponential proliferation and believability of deep-fakes online. --- Shane P. Riley

GAO: Policy Concerns Still Loom Over Biometric Identification Tech

“The accuracy of biometric identification technologies – such as facial recognition tech – has improved over time, but a new report from the Government Accountability Office (GAO) reveals that more could be done from a policy perspective to ensure the safe use of those kinds of technologies.”

Why this is important: This new report from the GAO was developed as part of the broad government research initiatives set out in the Research and Development, Competition, and Innovation Act, passed in 2022. In addition to reflecting the survey of research conducted by the GAO, the report incorporates technical comments from 10 additional government agencies. One key takeaway is that industry stakeholders continue to report more examples of negative effects of biometric use than positive ones – indicating that overcoming those negative effects remains a policy priority for industry leaders. Those negative effects include false arrests caused by misidentification and additional barriers to accessing public benefits and services. Facial recognition technologies in particular are susceptible to error because they are less accurate at differentiating ethnically diverse faces and images. The data used to train these models are limited due, in part, to the challenges of conducting testing and research in “real world” situations. Collecting a facial image or scan at an airport checkpoint is one thing; linking that data point to demographic indicators such as income level or the need for public services is something else entirely. If an individual is unable to upload a quality image due to low bandwidth, they may be misidentified when seeking public assistance or updating their records, and as a result can face additional hurdles to accessing public services. It will be critical that individual privacy and data accuracy be kept in a delicate balance as these technologies develop. --- Brian H. Richardson

State-Sponsored Russian Hackers Linked to Breach of Texas Water Treatment Plant

“On January 18 the group was able to induce a tank overflow at a Texas water treatment plant, and has made similar incursions in France and Poland.”

Why this is important: Readers of Decoded will remember that we previously reported on warnings from the Biden administration that foreign threat actors may be targeting our country’s critical infrastructure. This article gives an example of that targeting. Recently, a group of Russian threat actors attacked water treatment plants in France, Poland, and the U.S. The attack in the U.S. did not contaminate any water, but instead caused water tanks to overflow, essentially wasting water for about 30 minutes. The attack is believed to have been committed by a group calling itself the Cyber Army of Russia Reborn, which claims to be an independent “hacktivist” group. However, some commentators believe that this Cyber Army is linked to Sandworm, another threat actor group, and Sandworm is controlled by Russia’s military intelligence service. Even if the attackers aren’t linked to the Russian military, this attack still signals an ongoing problem: critical infrastructure in the U.S. is a target and is vulnerable. If the attackers are linked to the Russian military, it is evidence that Moscow is willing to unleash attacks on critical infrastructure. The article has many more insights into the attacks on critical infrastructure here and abroad. If you’d like to discuss these issues further, regardless of whether your company is part of U.S. critical infrastructure, contact Spilman’s data privacy group. --- Nicholas P. Mooney II

Illinois Considers How Best to Neuter Its Landmark Biometric Privacy Law

“But pols think they have a way to also protect people’s identifiers from being misused in ways that would disadvantage them for life.”

Why this is important: Illinois’ revolutionary Biometric Information Privacy Act (BIPA) was intended to protect Illinois citizens’ biometric data from indiscriminate collection and use. The BIPA requires businesses to obtain express consent before collecting biometric data. However, following its passage, unintended consequences became apparent. The BIPA includes a provision that allows impacted citizens to bring a private right of action against a business that collected biometric data without permission. It also allows for the recovery of statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, with each scan of biometric data counting as a separate violation. The result is that businesses have been besieged with class action lawsuits over fingerprint time clocks and locks, and Illinois businesses have paid out hundreds of millions of dollars. The beleaguered business community has asked the Illinois Legislature to amend the BIPA in order to provide a respite from the aggressive plaintiffs’ bar. In response, the Illinois State Senate has proposed a bill that would amend the BIPA and alleviate some of the litigation pressure businesses are experiencing. The proposed amendments include:

  • Limiting the statutory damages an impacted individual can recover to the first scan of his or her biometric data, rather than every scan;
  • Businesses would no longer have to obtain express consent for the collection of biometric data if the biometric identifier is used only for security, the data is held no longer than reasonably necessary to process, and there is a documented deletion schedule; and
  • The proposed amendment also addresses the issue of biometric timeclocks and locks. These devices will be covered by the amended BIPA if they produce a mathematical representation of a fingerprint instead of a picture of the fingerprint.

If these amendments to the BIPA pass, then this will greatly benefit the business community in Illinois. The question remains on whether other states that have modeled similar legislation on the BIPA also will make similar changes to their biometric information protection statutes. --- Alexander L. Turner

NATO Releases First International Strategy on Biotechnology and Human Enhancement Technologies

“The aim is to embrace these emerging solutions lawfully and responsibly, while developing a trusted relationship with innovators and the public and protecting the Alliance against misuse of these technologies by strategic competitors and potential adversaries.”

Why this is important: NATO Allies are taking the lead on developing governing standards for the implementation of biotechnology and human enhancement technologies (collectively, BHE). BHE has the ability to transform society, the economy, security, and defense in ways that may be unforeseeable. These can include the proliferation of new types of bioweapons and interventions that enable individuals to operate beyond normal human limits.

The NATO BHE Strategy aims to outline a responsible approach to developing and using these new technologies in security and defense, particularly within the Allied forces, and to enhance NATO’s safeguards against the adversarial use of BHE. The strategy is guided by six core principles: lawfulness, responsibility and accountability, safety and security, human agency, informed consent, and sustainability.

The next steps for the strategy include forming expert and advisory groups and sub-groups, as well as deciding how to put NATO’s Innovation Fund to best use in this mission. Equal parts interesting and unnerving, the NATO BHE Strategy is poised to usher in a new era of defense and is sure to present tremendous funding opportunities for businesses working on research and development in the field of BHE. --- Shane P. Riley

FTC Bans Noncompetition Agreements

By Eric E. Kinder

On April 23, the Federal Trade Commission (FTC) approved on a split vote a final rule that bans virtually all employment noncompetition agreements nationwide. The rule was first proposed in 2023 and is scheduled to go into effect 120 days after it is formally published, which, for now, would be approximately late August 2024. Currently, four states have banned noncompetition agreements entirely (California, Minnesota, Oklahoma, and North Dakota), and a number of other states have significantly restricted their use.

The final FTC rule bans as an unfair method of competition “any term or condition of employment that prohibits a worker from, penalizes a worker for, or functions to prevent a worker from” either seeking or accepting later work in the United States with a different person, or operating a business in the United States after the conclusion of their employment. Only noncompetes that are tied to the sale of a business are exempt from this rule and still permitted going forward, although the rule does allow existing noncompetes with senior executives to remain in force.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Spilman Thomas & Battle, PLLC

Written by:

Spilman Thomas & Battle, PLLC