Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

State Actions:  

• California Court of Appeals Ruling Allows Enforcement of the California Privacy Rights Act Regulations: Following a court-ordered delay, the California 3rd District Court of Appeals issued a ruling on February 9, 2024 that allows the California Privacy Protection Agency (CPPA) to immediately begin enforcing the California Privacy Rights Act (CPRA) regulations concerning data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns, and consumer request handling. The decision means that any new regulations promulgated by the CPPA could be enforced once approved by the Office of Administrative Law and not after a one-year delay. The CPPA is currently working on regulations concerning cybersecurity audits, risk assessments, automated decision-making technologies, revisions to the CCPA regulations, insurance, and data broker registry fees.

• California Attorney General Announces Settlement with DoorDash for Violations of Multiple Consumer Privacy Laws: On February 21, 2024, the California Attorney General announced a settlement with DoorDash over allegations that DoorDash sold California customers’ personal information without notice or an opportunity to opt out in violation of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The enforcement action alleged that in January 2020, DoorDash provided California customers’ personal information such as names, addresses, and transaction histories to a marketing cooperative. In exchange for providing that information, DoorDash was allowed to market its services to customers of the other businesses in the cooperative and the other businesses could market to DoorDash customers.  DoorDash agreed to pay a $375,000 civil penalty as well as comply with legal requirements applicable to businesses that sell personal information, review its marketing and analytics contracts and its use of technology to determine if it is selling or sharing consumer personal information; and provide annual reports to the California Attorney General.

Regulatory:  

• HHS Settles Montefiore Insider Data Breach Investigation: The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) announced it reached a settlement with Montefiore Medical Center relating to the theft of patient protected health information by an employee. Under the settlement Montefiore will pay $4.75 million and take certain corrective actions, including assessing its security risks and vulnerabilities and creating a risk management plan to mitigate the identified risks.  OCR will monitor Montefiore for two years to ensure compliance. 

• FTC Settles Privacy Lawsuit With Avast: The FTC settled its action against Avast, in which the FTC claimed that Avast collected and sold user data without consent. According to the FTC, Avast collected information on a wide range of topics including religious beliefs, health concerns, political preferences, location, and financial status, and then sold that information to third parties.  The settlement, among other things, prohibits Avast from misrepresenting its collection or use of data, requires it to delete information previously received and notify third parties that received that data to do the same, implement appropriate policies, and pay $16.5 million to the FTC to compensate victims.
• S. Patent and Trade Office Releases Inventorship Guidance on AI-assisted Inventions: On Monday, February 12, 2024, The U.S. Patent and Trademark Office (USPTO) released guidance that clarifies when it will grant patents for inventions created with the aid of artificial intelligence. This updated guidance clarifies how the USPTO will analyze inventorship issues where the innovation process involves the use of AI. The guidance from the USPTO states that patents can cover AI-assisted inventions “for which a natural person provided a significant contribution,” and provides guidelines for how that standard is met. The general principle behind this guidance is that patents can cover AI-assisted inventions for “for which a natural person provided a significant contribution…” because “patents function to incentivize and reward human ingenuity.”

• NIST Releases HIPAA Security Rule Resource Guide: NIST recently released a resource guide on compliance with HIPAA’s Security Rule. In addition to a map of the Security Rule’s standards and implementation specifics, the resource guide includes a list of publications on the topic as well as other helpful information.

• S. Sanctions Affiliates of Russia-Based LockBit Ransomware Group: On February 20, 2024, the U.S. Department of the Treasury announced that was designating two individuals, Ivan Gennadievich Kondratiev and Artur Sungatov, both Russian nationals, as affiliates of the Russia-based ransomware group LockBit. LockBit was the most deployed ransomware variant globally in 2022 and remains prolific today. This designation makes persons who make payments to these individuals, including ransom payments, subject to sanctions, including civil penalties. Understanding potential sanctions for dealing with a designated person or entity is an important consideration before making any payment in response to ransomware.

Litigation & Enforcement:  

• Ninth Circuit Affirms Sending Data Breach Actions to Arbitration: Plaintiffs brought class actions against five sporting goods e-commerce websites for various claims arising out of data breaches at the Defendants’ websites. The defendants moved to compel arbitration citing clauses in their terms of use (that also precluded class actions). The district court ordered the claims to arbitration. On appeal, the Ninth Circuit Court of Appeals held that (a) the plaintiffs had sufficient notice of the arbitration clause either by admitting to having seen the hyperlink to the terms of use, or by such a link being obvious on the ordering page, (b) the arbitration clause, even though it contained a class action bar, was not invalid, (c) the arbitration clause was not unconscionable, and (d) whether the data breach claims were subject to arbitration was, by the language of the clause, to be decided by the arbitrator. The Ninth Circuit therefore affirmed the order compelling arbitration and dismissing the plaintiffs’ individual and class action claims without prejudice.

• Supreme Court To Rule On Social Media Content Moderation Rules: On Monday, February 26, the United States Supreme Court heard arguments in two cases — Moody v. NetChoice and NetChoice v. Paxton — involving the constitutionality of Florida’s and Texas’s laws seeking to regulate large social media companies’ ability to moderate content. The decision has the potential to alter the way social media companies, and possibly the entire internet, operate going forward. A decision is expected before the Court recesses this summer.
• Data Breach Class Action Dismissed for Lack of Standing: In Liau et al v. Weee! Inc., former customers of an online grocery delivery service filed a class action arising out of a data breach. On February 22, 2024, the District Court granted Weee!’s motion to dismiss pursuant to Rule 12(b)(1) for lack of standing. The data leak included customer names, email addresses, and phone numbers, but not payment data or passwords. Plaintiffs’ alleged injuries were monitoring costs and receipt of spam calls and text messages. The Court found this insufficient to confer standing under Article III of the Constitution because the type of data at issue was “less sensitive” and did not create the same risk of identity theft or fraud, and thus the monitoring costs were not “reasonably incurred”. The Court also found that unsolicited calls generally do not constitute injury in fact and, even if they did, the unwanted spam in this case was not fairly traceable to the defendant’s actions. Having already been given two prior chances to amend, the Court denied leave to amend again and directed the clerk to enter judgment in defendant’s favor.

• $2.5M Data Breach Class Action Settlement Approved by Court: In Beasley et al v. TTEC Services Corp., plaintiffs filed a class action against a global provider of customer experience technology and services company after a data breach exposed the names and social security numbers of approximately 200,000 individuals. On February 21, 2024, the Court granted final approval of the proposed class action settlement. The settlement included a $2.5M non-reversionary settlement fund. Each class member who files a valid claim is entitled to a basic award of $100 or reimbursement of up to $5,000 for out-of-pocket expenses incurred because of the data breach. Each class member is also entitled to receive 36 months of free identity-theft protection services. The California settlement subclass is entitled to an additional $100 based on those class members’ California Confidentiality of Medical Act claims. The specific amounts of the monetary awards are subject to upward or downward proration depending on the final number of approved claims. The Court also approved $2,500 “service awards” for each class representative and allowed plaintiffs’ counsel to seek up to $750,000 in reasonable attorneys’ fees out of the settlement fund.
• Third Circuit Clarifies Test for Standing for Intangible Harm: As a matter of first impression, the Third Circuit Court of Appeals found that in determining whether an intangible harm suffices as a concrete injury for standing purposes, the “kind of harm” test, as opposed to the “element-for-element” approach is the proper framework. In Barclift v. Keystone Credit Services, LLC, a consumer brought a class action against a collection agency alleging that it violated the FDCPA when, without her consent, it shared her personal information with a third-party mailing vendor, which then mailed her a collection notice regarding her outstanding debt for medical services. The Third Circuit followed the “kind of harm” test comparing the consumer plaintiff’s intangible harm to similar harms recognized in torts.  The consumer plaintiff analogized her harm to that of public disclosure of her private information.  The Court held that because publication of the plaintiff’s information was only to a “single ministerial intermediary,” the plaintiff had not suffered the kind of privacy harm traditionally associated with public disclosure and affirmed the District Court’s dismissal of her Complaint because she lacks a concrete injury.
• BNSF Railway to Settles BIPA Class-Action Lawsuit: BNSF has agreed to pay $75 million to settle a class-action lawsuit accusing it of violating Illinois’ Biometric Information Privacy Act. The suit, the first trial brought under Illinois’ BIPA law, involved a class of 46,500 truck drivers and claimed that BNSF collected fingerprint scans from truck drivers without consent.

• LinkedIn Faces a Class-Action Lawsuit For Tracking User Data: A plaintiff has filed a class action lawsuit against LinkedIn claiming that LinkedIn unlawfully obtained personal disability information using a “tracking pixel.” The data, including communications, was allegedly improperly gathered when putative class members visited the California Department of Motor Vehicles website to apply, renew, or check status of a disability placard. The plaintiff also claims that LinkedIn used this data for “unlawful purposes” – specifically to generate substantial revenue from advertising and marketing services. The plaintiff asserts that LinkedIn is guilty of violating both the Driver’s Privacy Protection Act and the California Invasion of Privacy Act. 

• Federal Judge Finds Ohio Social Media Law Unconstitutional: A Federal Judge Ohio granted a preliminary injunction halting enforcement of Ohio’s law regulating social media as unconstitutional under the First Amendment. In making the ruling, the judge stated, “Foreclosing minors under sixteen from accessing all content on websites that the Act purports to cover, absent affirmative parental consent, is a breathtakingly blunt instrument for reducing social media’s harm to children.”

• S. and U.K. Disrupt LockBit Ransomware Variant: On February 20, 2024, the U.S. Department (DOJ) announced that it and the U.K. National Crime Agency’s (NCA) Cyber Division, working with the Federal Bureau of Investigation (FBI) and other international law enforcement partners, dealt a blow to ransomware group LockBit by seizing a number of its public-facing websites and seizing control of LockBit servers. This prevented LockBit and its associates from attacking and encrypting networks and extorting victims. According to the Press release, the LockBit ransomware group have executed attacks against more than 2,000 victims and receiving over $120 million in ransom payments. The Press Release also announced the release of decryption keys for the LockBit ransomware variant, and the indictment of two Russian individuals. While this action disrupts LockBit, at least for some time, it is important for businesses and organizations to understand the ransomware threat, defend against it, and prepare to respond to and recover from attacks. The Cybersecurity and Infrastructure Security Agency (CISA) Stop Ransomware website is the U.S. government’s one-stop resource on combatting ransomware.

International Updates:  

• European Data Protection Board Starts Third Coordinated Action Looking at Rights of Access Compliance: On February 28, the European Data Protection Board (“EDPB”) announced the launch of its coordination enforcement framework for 2024. The Coordinated Enforcement Framework for this year will focus on whether entities are complying with the right to access under the General Data Protection Regulation (“GDPR”), including whether entities are responding to individual requests to check whether their personal data is being processes in a compliant manner. Thirty-one different Data Protection Authorities across the European Economic Area will be participating.
• ENISA Advises for Stronger Cybersecurity Crisis Management Needs: ENISA (the EU agency for cybersecurity) has issued a new study on Best Practices for Cyber Crisis Management. The study is borne out of recently increased geopolitical instability and associated risks.  Focusing on crisis scenarios, it sets out a series of proposed best practices to enable and assist with the transition to the new NIS2 Directive, the EU-wide cybersecurity legislation for critical infrastructure.

• European Central Bank Cyber Resilience Testing to Take Place in 2024: The European Central Bank (ECB), which has a supervisory role for all banks in Europe, will be conducting a series of cyber resiliency testing during 2024. The testing will cover 109 banks throughout the EU and will simulate a cyberattack.  The exercise will be designed to assess the banks’ ability to respond and will involve post-“breach” feedback to each bank.  It is interesting to note that the presumption will be that the cyberattack succeeds, rather than looking to test the banks’ ability to prevent it happening. 

• France’s Data Protection Authority Reminds Health Care Firms of Data Safety Practices: On February 9th, France’s data protection authority, the Commission nationale de l’informatique et des libertés (“CNIL”), after carrying out inspections, gave formal notice to a number of healthcare organizations instructing them to take measures – including a robust authentication policy, access controls, enhanced confidentiality for certain files, and implement access logging with regular checks to identify potentially abnormal accesses – to ensure the security of electronic patient information, and reminding them that patient data must only be accessible to people who have a need to know. The CNIL intends to take corrective measures against additional healthcare organizations in 2024.

Industry Updates:  

• OpenAI Disrupts Malicious State Actors: OpenAI announced that it, in conjunction with Microsoft Threat Intelligence, disrupted five malicious state actors seeking to use OpenAI’s services to commit various cyberattacks. The threat actors were working on behalf of China, Iran, North Korea, and Russia.  They used OpenAI to identify targets, debug their code, and research technologies, among other activities.   Microsoft, which provided more details on the threat actors and their activities, stated it had “not identified significant attacks employing the [AI systems they] monitor closely.”
• ICO Approves Legal Services Certification Scheme: On February 13, 2024, the Information Commissioner’s Office (“ICO”) approved a certification scheme for legal service providers. These certification schemes help organizations demonstrate their compliance with the UK GDPR data protection requirements. This scheme applies to legal service providers acting as controllers, processors, or sub-processors.
• BlackCat/AlphV Back from the Dead: In December 2023 the DOJ and FBI, in partnership with other international law enforcement agencies seized assets including servers, decryption keys, websites and other information belonging to the ransomware group ALPHV/BlackCat. Since December, this group has leaked information on 70 victims. The group has also targeted healthcare entities itself, as well as calling for their targeting by other groups. This led to CISA publishing a cybersecurity advisory on February 27th. Subsequently, ALPHV/BlackCat attacked Change Healthcare, an electronic data interchange. This attack has resulted in numerous downstream problems, including an inability of providers to receive payments and of pharmacies to process prescriptions, among others.
• ConnectWise ScreenConnect Vulnerability Exploited by Ransomware Gangs: On February 22nd CISA added a vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. The new listing relates to a vulnerability associated with ConnectWise ScreenConnect. This vulnerability and similar ones are used as frequent attack vectors by ransomware gangs.