Dechert Cyber Bits - Issue 58

Dechert LLP

SEC Issues New Guidance as to 8-K Disclosures Relating to Cybersecurity Incidents

On June 27, 2024, the U.S. Securities and Exchange Commission (the “SEC”) issued new interpretive guidance on cybersecurity incident disclosures required under Item 1.05 of Exchange Act Form 8-K (“Form 8-K”). As has been the SEC’s practice over the past few years when issuing new guidance on Form 8-K, the agency provided the supplemental interpretations in the form of questions and answers.

The SEC’s guidance is focused on ransomware payments and how such payments bear on Form 8-K’s disclosure requirements. The guidance clarifies that making a ransom payment (and even regaining access to systems or data as a result) before the Form 8-K filing deadline, which is four business days after the issuer determines that a cybersecurity incident is material, does not by itself eliminate the need to assess materiality and, where warranted, report the incident. The guidance also notes that, depending on the facts and circumstances, a series of related ransomware attacks over time, whether by a single threat actor or multiple threat actors, may need to be reported as a single material incident, even if each attack is individually determined to be immaterial.

Takeaway: As the agency’s guidance reflects, issuers can expect reports of cybersecurity incidents to face considerable scrutiny from the SEC. The SEC’s guidance makes clear that a ransom payment does not relieve an issuer of the need to assess the materiality of the cybersecurity incident (which was likely obvious in any event). The SEC also noted that, in the event of multiple ransomware attacks, issuers should consider whether such attacks collectively should be deemed material and therefore reportable. In practice, this scenario arises infrequently. When dealing with a ransomware attack, issuers should engage counsel early, not only to assist them in handling the incident, but also to advise on the disclosure obligations that the incident may trigger.


Federal Court Invalidates HHS Guidance Limiting the Use of Tracking Technology on Healthcare Websites

The federal Health Insurance Portability and Accountability Act (“HIPAA”) generally restricts the disclosure by healthcare providers of individually identifiable health information (“IIHI”). In December 2022, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued a bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (the “OCR Guidance”). In response to a challenge by the American Hospital Association (“AHA”), a federal district court in the Northern District of Texas held the OCR Guidance invalid. See Am. Hosp. Ass’n v. Becerra, 2024 WL 3075865 (N.D. Tex. June 20, 2024) (Opinion available here).

The OCR Guidance took the position that the use of online tracking technologies (such as cookies and tracking pixels) by HIPAA covered entities, even on publicly accessible, unauthenticated webpages, could constitute an impermissible disclosure of IIHI. For example, it states that “if an individual were looking at a hospital’s webpage listing its oncology services to seek a second opinion on treatment options for their brain tumor, the collection and transmission of the individual’s IP address, geographic location, or other identifying information[,] showing their visit to that webpage is a disclosure of [protected health information] to the extent that the information is both identifiable and related to the individual’s health or future health care.” The OCR Guidance triggered a wave of private litigation against healthcare companies.

The federal court in Texas held that, even under a deferential standard of review, the combination of a user’s IP address and the pages that user visits on a public website is not “protected health information.” In the Court’s words: “if an IP address corresponds to Person A, and Person A looks up symptoms of Condition B,” a third party might theoretically “connect the dots between a person’s IP address and the searches performed,” but such data alone “would never reveal that Person A affirmatively had Condition B.” Id. at *2. Put another way, even if a third party might draw inferences about a user’s reasons for visiting the site, the tracking data does not directly reveal actual medical information. Accordingly, the Court vacated the portion of the OCR Guidance relating to unauthenticated public webpages.

Takeaway: In response to this ruling, OCR has said it is evaluating next steps. It may appeal the decision or issue revised guidance. In the meantime, the Court’s decision is a regulatory win for healthcare providers who use such tools. It also has broader implications for companies defending the myriad class actions that have attempted to extrapolate from the OCR Guidance and from the FTC’s (arguably unfair) stance under the Health Breach Notification Rule with respect to the use of tracking technologies.


UK Data Regulator Closes Investigation Relating to Snapchat’s AI Chatbot

The UK Information Commissioner’s Office (“ICO”) has withdrawn its provisional ban on the ‘My AI’ feature of the Snapchat messaging app. The ICO had provisionally found that Snap Inc. had failed to conduct a data protection impact assessment (“DPIA”) that complied with the UK GDPR, but Snap has since conducted a more thorough DPIA.

‘My AI’ is a chatbot built on OpenAI’s GPT models. The Snapchat website highlights its versatility: ‘My AI can answer a burning trivia question, offer advice on the perfect gift for your BFF's birthday, help plan a hiking trip for a long weekend or suggest what to make for dinner,’ but also warns that ‘it’s possible My AI’s responses may include biased, incorrect, harmful, or misleading content.’

In October 2023 the ICO issued a Provisional Enforcement Notice which identified deficiencies in Snap’s DPIA. The original DPIA did not: (a) contain sufficient details of the data processing associated with My AI; (b) properly assess the necessity and proportionality of Snap’s processing activities; (c) properly assess the risks associated with using data collected through My AI for targeted advertising directed at children; or (d) include measures to address various additional risks identified by the ICO. However, Snap subsequently revised its DPIA and the ICO has now concluded that the revised DPIA contained significantly greater depth and complied with the UK GDPR requirements. The ICO therefore decided not to proceed with its prior proposal to ban My AI.

Takeaway: By basing its enforcement action in relation to My AI on the requirement to carry out a DPIA, and on whether Snap had conducted an adequate internal assessment of the technology, the ICO side-stepped the thornier question of whether My AI substantively complies with the UK GDPR. Some may see this as a failure to take the bull by the horns. Instead, the ICO has demonstrated a collaborative approach by allowing Snap to improve its DPIA retrospectively following the ICO’s provisional decision.


SEC Settles Charges Against RR Donnelley in Connection with 2021 Ransomware Incident

On June 18, 2024, the U.S. Securities and Exchange Commission (“SEC”) issued a cease-and-desist order (the “Order”) that settled the agency’s charges against R.R. Donnelley & Sons Co. (“RRD”) in connection with alleged violations of the Exchange Act’s disclosure controls and procedures and internal accounting controls provisions. Under the settlement, RRD neither admits nor denies the SEC’s findings.

RRD is a global provider of business communication and marketing services. The SEC’s charges stemmed from RRD’s response to a ransomware attack on its network that took place between November and December 2021. According to the SEC, RRD did not respond to the attack in a timely manner. As outlined in the Order, RRD’s intrusion detection system began issuing alerts on November 29, 2021. Despite these alerts, RRD only began to actively respond to the attack on December 23, 2021, after another company (sharing RRD’s network) alerted RRD’s Chief Information Security Officer “about potential anomalous internet activity emanating from [RRD’s] network.” In the interim, “the threat actor was able to utilize deceptive hacking techniques to install encryption software on certain RRD computers . . . and exfiltrated 70 Gigabytes of data,” including personal identification and financial information belonging to RRD’s clients.

The SEC alleged that RRD did not have effective procedures for escalating cybersecurity concerns within the company and “failed to carefully assess and respond to alerts of unusual activity in a timely manner.” In the SEC’s view, RRD therefore failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances against unauthorized access to RRD’s assets, which include the information technology systems and networks containing sensitive business and client data. RRD’s press release on the settlement states that RRD “provided meaningful cooperation” “throughout the investigation” and that this cooperation is “reflected in the terms of [the] settlement.”

Takeaway: The SEC’s enforcement action against RRD under the “internal controls” provision of the Exchange Act reflects a departure from the agency’s typical practice. The SEC has historically invoked this provision to penalize companies for alleged internal control failures affecting financial reporting or accounting controls. Here, however, the SEC invoked the statute to sanction a company for the perceived inefficacy of its cybersecurity controls. Although pending litigation in federal court leaves open the question of whether the SEC’s broadened reading of the Exchange Act will stand, the SEC’s actions continue to reflect the agency’s determination to crack down on insufficient or inadequate cybersecurity programs. Companies should therefore take special care when designing and implementing cybersecurity controls, including establishing clear escalation paths for security alerts and methods for periodically assessing the effectiveness of those controls.


Gaming Company Tilting Point Media Reaches a $500,000 Settlement for Allegedly Unlawful Use and Sharing of Children’s Data

On June 18, 2024, the California Attorney General (the “California AG”) and the Los Angeles City Attorney (the “LA City Attorney”) jointly announced that Tilting Point Media LLC (“Tilting Point”) had agreed to a $500,000 settlement for alleged violations of the California Consumer Privacy Act (“CCPA”), the Children’s Online Privacy Protection Act (“COPPA”), and the California Unfair Competition Law (“UCL”). Tilting Point has not admitted any liability in connection with this settlement.

According to the California authorities’ Complaint, filed on June 18, all charges stem from Tilting Point’s development of a mobile game called “SpongeBob: Krusty Cook-Off,” which included personalized advertising and in-app purchases. The California AG alleged in the Complaint that Tilting Point failed to implement safeguards to obtain parental consent “before collecting, disclosing, selling, or sharing personal information of consumers under the age of 13.” Specifically, Tilting Point allegedly used all users’ information for web tracking and marketing via third-party SDKs, even though the game was directed (at least in part) to children under age 13. The California AG and LA City Attorney further alleged that Tilting Point violated the CCPA by failing to implement the safeguards necessary to obtain affirmative “opt-in” authorization before collecting, disclosing, selling, or sharing the personal information of consumers who are at least 13 and under 16 years of age. They also alleged that Tilting Point’s age-gating was inadequate to identify users under age 13.

Under the settlement, Tilting Point agreed to pay $500,000 in civil penalties and to implement several remedial measures. Among the relevant measures, Tilting Point must now: (i) obtain consent before selling children’s personal information or sharing personal information for cross-context behavioral advertising; (ii) use only neutral age screens that encourage children to enter their age accurately; (iii) appropriately configure its software development kits (“SDKs”) to comply with laws governing the privacy of children’s data; (iv) implement and maintain an SDK governance framework to review the use and configuration of SDKs within its applications; and (v) implement and maintain a program to assess and monitor its ongoing compliance with all agreed-upon measures. Additionally, as part of its obligation to implement and maintain a compliance program, Tilting Point must provide annual reports to the California AG and the LA City Attorney for the next three years.

Takeaway: The California authorities’ actions are representative of the national trend toward increased government enforcement against technology companies relating to the sharing of user data, and especially the collection of data from children. Companies that provide services targeted to minors, or that otherwise collect minors’ personal data, should take special care to implement, maintain, and monitor strict procedures governing any collection, disclosure, sale, or sharing of that data, including how third-party SDKs embedded in their applications are configured.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
