Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

State Actions:  

• Nebraska Data Privacy Act (NEDPA): On April 17, 2024 the Nebraska Governor, Jim Pillen signed into law the Nebraska Data Privacy Act (NEDPA), providing Nebraska residents with additional rights over the collection, storage, and usage of their personal data. NEDPA applies to personal data collected during the existence of a “business to consumer relationship.” The passing of this bill adds Nebraska to the growing list of states that have enacted data privacy laws. The recent surge in consumer data privacy legislation has resulted in the creation of patchwork consumer privacy protection throughout the United States. Similar to other Acts that have been enacted, NEDPA will equip consumers with the rights to opt-out of targeted advertising, the right to correct inaccuracies in personal data, and the right to have their personal data deleted. NEDPA is expected to take effect January 1, 2025.
• The California Privacy Protection Agency’s First Enforcement Advisory Addresses Data Minimization: On April 2, 2024, the California Privacy Protection Agency’s Enforcement Division issued its first-ever enforcement advisory. The advisory addresses data minimization obligations related to consumer requests under the California Consumer Privacy Act. Data minimization emphasizes that businesses should collect consumers’ personal information only to the extent necessary to fulfill a specific and legal business purpose. The advisory is a reminder to businesses that they should carefully review whether they are applying the data minimization principle in their collection, use, retention, and sharing of consumers’ personal information.
• The Colorado Privacy Act is Amended to Protect Neural Data: Colorado enacted a bill on April 17, 2024 that will extend privacy rights to individuals’ neural data, making Colorado first state to pass a law that explicitly addresses neural data. The bill expands the definition of “sensitive data” in the Colorado Privacy Act to include neural data that is generated by neurotechnology such as brain imaging MRIs that provide insight into, monitor, or affect brain and nervous system activity. Businesses that collect, process, or share neural data are now subject to the same privacy requirements and consumer protections that apply to other types of personal information under the Colorado Privacy Act.

Regulatory:  

• Department of Homeland Security Releases Guidelines to Mitigate AI Risks to Critical Infrastructure: The Department of Homeland Security (DHS) partnered with Cybersecurity and Infrastructure Security Agency (CISA) to release a guide on mitigating risks posed by AI on critical infrastructure. The guide focuses on the risk of adversaries using AI to enhance, plan or scale attacks, the risk of AI systems in critical infrastructure being targeted in attacks, and the failure of AI in the critical infrastructure space due to design and implementation issues.
• Illinois Senate passes bill to amend the Biometric Information Privacy Act: The Illinois Senate passed a bill, which still requires House approval, clarifying that repeated instances of an unlawful capture of the same biometric information would constitute one violation under the law. This is in an effort to curtail runaway damages awards.
• FTC Orders Online Mental Health Provider to Pay Over $7 Million for Deceptive Data Sharing and Security Practices: On April 15, the Federal Trade Commission (“FTC”) announced a proposed order against an online mental health service provider, requiring the provider to pay more than $7 million for engaging in deceptive and unfair practices relating to the marketing of its data security practices. The FTC charged the provider with, amongst other things, violating Section 5 of the FTC Act covering deceptive privacy practices, deceptive data security practices, and unfair privacy and data security practices. The FTC’s complaint states that the company misrepresented how it would use and disclose patients’ personal information, and mishandled and exposed the personal information of hundreds of thousands of patients.
• NSA Issues Joint Guidance on Deploying AI Systems Securely: On April 15, 2024, the Nation Security Agency (NSA) released a Cybersecurity Information Sheet (CSI), “Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems.” The CSI is the first release from NSA’s Artificial Intelligence Security Center (AISC), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and several international partners. It provides guidance on improving the confidentiality, integrity, and availability of AI systems.
• NIST Supplements Digital Identity Guidelines to Include Passkeys: On April 22, 2024, the National Institutes for Science and Technology (NIST) published a Supplement to NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, to provide interim guidance for agencies’ use of “syncable authenticators” like passkeys in both enterprise-facing and public-facing use cases. Passkeys use pairs of encrypted keys as an easy-to-use option to replace passwords. These guidelines are likely to be required for covered agencies and government contractors that elect to use this option and provide guidance for others. The Supplement is timely as passkeys are becoming increasingly available as password alternatives.

Litigation & Enforcement:

• Law Firm Settles Data Breach Case for $8 Million: Orrick, Herrington, & Sutcliffe has filed papers seeking approval of an $8 million settlement of class action litigation resulting from the law firm’s March 2023 data breach. The data breach at issue impacted the personal information of more than 600,000 people. In the proposed settlement, Orrick denies that it failed to properly protect information in its custody or that it had breached any duty to plaintiffs.
• White Castle BIPA Class Action Settlement On The Horizon?: On April 25, the United States District Court for the Northern District of Illinois gave preliminary approval to a class settlement in Cothron v. White Castle, which produced a seismic Illinois Supreme Court opinion on the Illinois Biometric Information Privacy Act (BIPA). The court gave preliminary approval to a settlement class that includes all individuals who worked for White Castle in Illinois and “used a finger-scanning device in the course of their employment without first executing White Castle’s Biometric Information Privacy Team Member Consent Form during the Class Period from December 6, 2013 to October 15, 2018.”  The proposed settlement provides for an over $9 million settlement fund, from which each class member is guaranteed to receive $968.  Class counsel has agreed to seek no more than 37.5% of the settlement fund as fees.  The Court set the final approval hearing for August 1, 2024.
• OCR Finalizes Rule to Protect Reproductive Health Privacy: On April 22, 2024, HHS OCR announced a final rule, titled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This rule prohibits the disclosure of protected health information related to lawful reproductive health care in certain circumstances. The rule prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others that seek to obtain, provide, or facilitate reproductive health care that is lawful under the circumstances. Additionally, regulated health care providers, health plans etc. are required to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for prohibited purposes. Lastly, regulated health care providers, health plans, etc. are required to modify their Notice of Privacy Practices to support reproductive health care privacy.
• Privacy Case Against LexisNexis Dismissed: In Ramirez et al. v. LexisNexis Risk Solutions, plaintiffs filed a putative class action against LexisNexis including alleged violations of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”) and claims for unjust enrichment, intrusion upon seclusion, and declaratory relief. Plaintiffs alleged that LexisNexis owns an online platform called Accurint to collect and aggregate sensitive personal information about consumers in the United States and then sells that information to corporations, law enforcement, and government agencies without plaintiffs’ consent or compensation. The Court dismissed the ICFA claim because (1) plaintiffs lacked standing because they were not consumers and the allegations did not establish a consumer nexus; (2) plaintiffs failed to allege any unfair business practices; and (3) plaintiffs failed to allege any actual damages. The Court dismissed the intrusion upon seclusion claim because the plaintiffs did not allege either an unauthorized intrusion into private information or any highly offensive or objectionable conduct. The Court dismissed the unjust enrichment claim because (1) unjust enrichment is not a standalone claim under Illinois law, and thus toppled alongside the plaintiffs’ failed ICFA and seclusion claims; and (2) plaintiffs failed to allege the requisite elements of unjust enrichment. Finally, the Court dismissed the declaratory judgment claim because it was barebones and did not add any allegations not included in the other claims. The Court granted plaintiffs leave to file an amended complaint, which is now due in May.
• New York Federal Judge Dismisses Case Against American Bar Association: On April 30, Judge Garaufis of the U.S. District Court for the Eastern District of New York dismissed a complaint filed by two members of the American Bar Association (“ABA”) arising from a March 2023 data security breach. The Plaintiffs brought claims for breach of implied contract, and violations of New York and Texas statutes.  While the Court found that the plaintiffs sufficiently alleged that an implied contract to protect ABA members’ sensitive information existed, the Court ruled that the Plaintiffs failed to allege how the ABA breached that contract.  Specifically, the Plaintiffs failed to identify which “commercially reasonable security measure” the ABA did not implement to protect their data.  The Notice of Data breach explained that members’ usernames and passwords were acquired by an unauthorized third party, but the passwords were not exposed in plain text.  Rather, the ABA used “hashed and salted” passwords, a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext.  The Court found that absent allegations identifying the security measure(s) that the ABA purportedly failed to implement, Plaintiffs could not sustain their breach of implied contract claim. The Plaintiffs’ statutory claims failed for related reasons as well as failures to allege other elements of those claims.

International Updates:

• The European Parliament approves Health Data Space: The Council of the EU and the European Parliament approved a provisional agreement to establish the European Health Data Space (“EHDS”). The EHDS is a portal which will allow patients to access and control their health data including information located in another EU member state. These electronic health records will include patient summaries, electronic prescriptions, medical imagery, and laboratory results. The provisional agreement still needs to be formally approved by the European Council and the European Parliament.
• The Czech Republic’s Data Protection Authority issues GDPR Fine: The Czech Republic’s data protection authority, Úřad pro ochranu osobních údajů (“UOOU”), has fined Avast Software CZK351 million. The complaint against Avast Software was lodged to UOOU by Consumer rights organization FACUA in 2020. Avast Software allegedly transferred personal data to marketers without properly anonymizing it and misinformed users about how their data would be used.
• EDPB issues bulletin on strategy for 2024-2027: The European Data Protection Board has issued its strategy for 2024-2027. Based around four pillars: (1) harmonisation and compliance promotion (2) reinforcing common enforcement culture (3) safeguarding data protection in developing digital landscapes and (4) contributing to global data protection dialogue. The EDPB also released an information note and template forms for the EU/US Data Privacy Framework redress mechanisms.
• Ireland Takes Part in NATO Cyber-Defence Brill: Ireland took part in an international NATO cyber-defence drill.  Ireland was one of 8 non-NATO countries participating.  Ireland personnel were paired on a team with personnel from South Korea involving a combined over 200 cyber defence personnel, including members of the Irish defence forces .  The exercise, Operation “Locked Shields,” was organised by the NATO Co-operative Cyber Defence Centre of Excellence (CCDCOE) based in Estonia.  Ireland’s participation was led by the National Cyber Security Centre (NCSC).

Industry Updates:  

• KnowBe4 Sued For Patent Infringement : On April 12, KnowBe4, a security awareness training company, was sued for patent infringement over some of its offerings. The plaintiff, PACSEC3, LLC (a non-practicing entity) claims that certain of firewall systems offered or made by KnowBe4 infringe a patent relating to defending a computer system against a data packet flood attack.  The plaintiff seeks treble damages, attorneys’ fees and an injunction, among other relief.
• GAO Releases Study on Biometric Technology Use: The purpose of the GAO’s study was to examine “the impact of biometric identification technologies on historically marginalized communities.” The study found that while the accuracy of  biometric identification technologies has improved, there are concerns with datasets on which biometric algorithms are being trained. The study also includes key considerations to address concerns about the use of biometric technologies.
• CEO of UnitedHealth Group Provides Details on the Change Healthcare Cyber Attack: Andrew Witty, the CEO of UnitedHealth Group, released written testimony on the Change Healthcare incident ahead of his appearance before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations. He describes the threat actors as entering via the Change Healthcare Citrix portal and admits that Multi-Factor Authentication was not enabled for this portal. He also states that “…based on initial targeted data sampling to date, we found files containing protected health information (PHI) and personally identifiable information (PII), which could cover a substantial proportion of people in America.”