Selected U.S. Privacy and Cyber Updates
New York AG Seeks Comments on Rulemaking for Minors’ Online Protection Laws
On August 1, 2024, New York Attorney General Letitia James issued two advance notices of proposed rulemaking (ANPRs) for the Stop Addictive Feeds Exploitation for Kids Act (SAFE Act) and the Child Data Protection Act (CDPA), which New York Governor Kathy Hochul signed into law on June 20, 2024. The ANPRs invite interested parties to submit comments on the rules that James plans to promulgate for the SAFE Act and CDPA.
6th Circuit Upholds 20-Year Sentence of Chinese Spy Convicted of Espionage Crimes, Attempting to Steal Trade Secrets
On August 7, 2024, the Sixth Circuit upheld a Chinese spy’s 20-year prison sentence for attempting to steal aviation trade secrets from General Electric. Yanjun Xu, a deputy director in China’s Ministry of State Security, was responsible for trying to steal aviation-related proprietary information.
NYDFS Issues Final Circular Letter Guidance on Use of AI in Insurance Underwriting and Pricing
On July 11, 2024, the New York Department of Financial Services released Insurance Circular Letter No. 7, which establishes guidelines on the use of artificial intelligence systems and external consumer data and information sources in insurance underwriting and pricing.
CISA Releases Findings from Its AI Pilot Program on Detecting Critical Vulnerabilities
On July 28, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it piloted an AI-enabled vulnerability program to help detect and remediate vulnerabilities in the U.S. government’s critical networks, systems, and software, as required by Executive Order 14110.
Senate Passes Bill for Kids Online Safety and Privacy Act
On July 30, 2024, in a 91–3 vote, the U.S. Senate passed the Kids Online Safety and Privacy Act. The bill, which combines the bills for the Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (CTOPPA), aims to expand online safety and privacy protections for individuals under the age of 17.
U.S. Court Rules Against Online Travel Booking Company in Web-Scraping Case
On July 18, 2024, a federal jury in Delaware found that an online travel booking company violated the Computer Fraud and Abuse Act (CFAA) by accessing portions of a European airline’s website without permission and “with intent to defraud” the airline. In particular, the jury unanimously found that the online travel company violated the CFAA by using a third-party service provider to scrape the airline’s website to find and resell airline tickets to its own customers at an additional charge. The jury further found that the online travel company’s scraping activity caused damage to the airline of at least $5,000, which the airline alleged resulted from service interruptions to its website, data, and underlying database, amounts spent by the company attempting to prevent the unauthorized scraping, and other losses.
CPPA Holds Preliminary Stakeholder Session on Accessible Deletion Mechanism Under Delete Act
On June 26, 2024, the California Privacy Protection Agency (CPPA) held a stakeholder session to provide information and gather stakeholder input on the CPPA’s mandate to build an accessible deletion mechanism known as the Delete Request and Opt-Out Platform (DROP) as required by the California Delete Act. DROP will allow consumers to request the deletion of their personal information held by data brokers through a single request. Generally, the public comments addressed concerns about potential administrative and technical burdens on data brokers, clarifying and confirming the scope of deletion requests, and verifying deletion requests.
Pennsylvania Amends Data Breach Notification Law
Pennsylvania’s governor has approved amendments that significantly overhaul the commonwealth’s data breach notification law. The amendments make a number of material changes, including adding a regulator notification requirement, lowering the threshold of impacted Pennsylvania residents triggering a notification requirement to the consumer reporting agencies, slightly tweaking the definition of “personal information,” and adding a requirement to offer credit monitoring and to pay for a credit report for impacted individuals who are not able to obtain one for free. The amended law goes into effect on September 26, 2024.
CPPA Board Declines to Advance CCPA Regulations to Formal Rulemaking; CPPA Highlights Enforcement Priorities
On July 16, 2024, the CPPA board declined to advance California Consumer Privacy Act (CCPA) draft regulations on cybersecurity audits, risk assessments, automated decision-making technology, insurance companies, and updates to existing regulations to formal rulemaking. The CPPA board voted against advancing the regulations during its board meeting, at which it also received an update on CPPA enforcement priorities.
California AG Announces $500,000 Settlement with Mobile Game App Company for Unlawful Collection and Sharing of Children’s Data
On June 18, 2024, California Attorney General Rob Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a settlement with a video game developer and publisher over allegations that the company violated the CCPA, the federal Children’s Online Privacy Protection Act, and California’s Unfair Competition Law. The settlement requires the company to pay $500,000, implement certain privacy practices for the protection of children, and provide annual reports under regulatory monitoring for three years. This case marks the third public CCPA enforcement action by the California AG to date, following prior settlements in August 2022 and February 2024.
SEC Corporation Finance Provides Additional Guidance on the Disclosure of Material Cybersecurity Incidents in Form 8-K
On June 24, 2024, the Division of Corporation Finance of the Securities and Exchange Commission (SEC) issued five new Compliance and Disclosure Interpretations (C&DIs) related to the disclosure of “material” cybersecurity incidents in Item 1.05 of Form 8-K. The C&DIs present hypothetical fact patterns related to ransomware attacks and insurance reimbursement for damages related to cybersecurity incidents.
SEC Settlement Suggests the Agency’s Attempt to Regulate Cybersecurity Controls
On June 18, 2024, the SEC announced a $2.125 million settlement with R.R. Donnelley & Sons Co. relating to the company’s 2021 ransomware attack. The settlement, and the SEC’s accompanying cease-and-desist order, portend the agency’s continued and increasing oversight over registrants’ cybersecurity policies and practices.
New York State Department of Health Revises Proposed Hospital Cybersecurity Regulations
In May 2024, the New York State Department of Health issued revisions to proposed regulations on hospital cybersecurity that it first released in November 2023. The proposed revised regulations were subject to public comment that ended on July 1, 2024, and apply to general hospitals licensed under Article 28 of the New York State Public Health Law.
DOJ Announces $11.3 Million in Settlements for FCA Violations
On June 17, 2024, the Department of Justice (DOJ) announced a settlement with two U.S.-based consulting companies that agreed to pay a combined total of $11.3 million to resolve allegations that they violated the False Claims Act by failing to comply with cybersecurity requirements in government contracts. According to the DOJ, the companies failed to meet cybersecurity requirements in contracts intended to ensure the security of New York’s emergency rental assistance program application, which provided rental assistance to individuals in need during the COVID-19 pandemic.
White Paper on Clarifying Definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024
On May 14, 2024, Peter Swire published a white paper at the Cross-Border Data Forum, analyzing the definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA), which was passed on April 24, 2024 and took effect on June 23, 2024. The white paper discusses some ambiguities in the text of the new law and the consequences that may result from differing interpretations of the language. It also includes an appendix comparing the PADFAA definitions to those in the Executive Order on bulk sensitive data.
Data Breach Notification Requirements Under the Safeguards Rule Now in Effect
On May 13, 2024, new breach notification requirements under the FTC’s Gramm–Leach–Bliley Act Safeguards Rule came into effect. These new FTC rules represent a significant change for financial institutions overseen by the FTC, requiring a new form of regulatory notification that covers a much wider range of incidents.
Tennessee Law Designed to Combat Deepfakes Set to Take Effect in July
On July 1, 2024, the Tennessee Ensuring Likeness, Voice, and Image Security (ELVIS) Act will go into effect, bolstering the limitations on the unauthorized commercial use of an individual’s voice. The ELVIS Act, which amends the Tennessee Personal Rights Protection Act of 1984, was enacted in response to the growing proliferation of AI-generated and deepfake music that has mimicked the work of many stars and celebrities. The ELVIS Act broadly proscribes the distribution of “an individual’s voice or likeness” if the distributor has knowledge that use of the voice or likeness was not authorized by the individual. The ELVIS Act specifically targets deepfakes by also proscribing distribution of a person’s voice, image, or likeness if the unauthorized user “distributes, transmits, or otherwise makes available an algorithm, software, tool, or other technology, service, or device, the primary purpose or function of which is the production of” a particular, identifiable individual’s photograph, voice, or likeness.
SEC Corporation Finance Director Clarifies That Form 8-K Item 1.05 Disclosures Should Be Limited to “Material” Cybersecurity Incidents
On May 22, 2024, the director of the Division of Corporation Finance of the SEC issued further guidance on the disclosure of cybersecurity incidents on Form 8-K. The statement builds on and provides additional clarity to companies seeking to comply with the SEC’s 2023 cybersecurity rules, which require public companies to disclose “material cybersecurity incidents” under Item 1.05 of Form 8-K.
LockBit Takedown Indicates Shifting DOJ Cyber Strategy and Has Implications for Ransomware Victims
On May 7, 2024, the United States unsealed an indictment against Dimitry Yuryevich Khoroshev, one of the leaders of the Russia-based ransomware group LockBit, for his alleged involvement in developing and distributing the LockBit ransomware. According to the indictment, Khoroshev performed both administrative and operational roles for the cybercrime group, including upgrading the LockBit infrastructure, managing LockBit affiliates, and recruiting new developers for the ransomware. Since emerging in 2020, LockBit has become one of the most prolific ransomware groups in the world, targeting over 2,500 victims worldwide and allegedly receiving more than $500 million in ransom payments, according to DOJ statistics. The group licenses its ransomware software of the same name to affiliate cybercriminal groups, which use the software to encrypt and steal data from victims’ systems. LockBit itself provides support and receives a portion of any ransom payment, which is typically made in exchange for decryption of the victim’s systems and a promise to delete the stolen data.
NIST Cybersecurity Framework 2.0 Prioritizes Governance and Flexibility
In early 2024, the National Institute of Standards and Technology (NIST) issued an update to its Cybersecurity Framework (CSF) with the release of version 2.0, the first update since April 2018 (version 1.1). While the core components of the CSF remain, there are two thematic changes. First, CSF 2.0 no longer applies just to critical infrastructure organizations but rather explicitly aims to assist all organizations in managing and reducing risks across industries and sectors, regardless of their cybersecurity sophistication. Second, it adds “Govern” as a sixth core function, alongside Identify, Protect, Detect, Respond, and Recover. CSF 2.0 also contains significant additions and a renewed focus on cybersecurity supply chain risk management (C-SCRM), which is unsurprising given organizational reliance on third-party vendors and the prevalence of supply chain attacks.
Selected Global Privacy and Cybersecurity Updates
Dutch Data Protection Authority Warns That Using AI Chatbots Can Lead to Personal Data Breaches
On August 6, the Dutch Data Protection Authority (DPA) issued guidance cautioning companies about the potential data protection risks associated with the use of AI-powered chatbots. In its guidance, the DPA reports that it has recently received several notifications of personal data breaches caused by employees sharing personal data with a chatbot that uses AI.
What to Tell Your C-Suite About the EU AI Act
On July 12, 2024, the European Union’s long-awaited Artificial Intelligence (AI) Act was finally published. It entered into force on August 1, 2024. The AI Act is a landmark legal framework that imposes obligations on both private and public sector actors that develop, import, distribute, or use in-scope AI systems.
EU Artificial Intelligence Act Signed into Law
On June 13, 2024, the AI Act was signed into law. The AI Act will impose obligations on both private and public sector actors that provide, import, distribute, or deploy in-scope AI systems. It also contains obligations that apply to general-purpose AI models.