The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – May 2020

Selected Developments in U.S. Law

Japan’s Personal Information Protection Committee Releases Guidance on Contact Tracing Mobile Apps to Combat COVID-19
On May 1, the Personal Information Protection Committee in Japan released guidance (only available in Japanese) on the use of contact tracing mobile apps as one of the mechanisms to combat the spread of COVID-19 and highlighted five essential points for consideration.

COVID-19 Is Not a Free Pass for Privacy and Security Compliance
In the wake of stay-at-home orders stemming from the COVID-19 pandemic, companies have rushed to provide work-from-home options for many, if not all, of their employees. As exigency fades into the new normal, however, the California attorney general and New York’s Department of Financial Services (NYDFS)—two key privacy and security regulators—have indicated that COVID-19 does not give businesses an exception from compliance and will not delay enforcement activity. Businesses cannot lose sight of their privacy and security compliance programs and should reassess these programs in light of changes that have occurred while transitioning to a work-from-home environment.

Cyber Hygiene and Cyber Threats in the Age of COVID-19
The shift to remote work in response to the coronavirus (COVID-19) pandemic poses cybersecurity and information technology risks to companies, particularly due to an expanded work-from-home environment. In the midst of this environment, cybercriminals enjoy a target-rich world. We have also seen an explosion of cybercriminal activity taking advantage of the unique uncertainties of the COVID-19 pandemic. A recent FBI alert highlights the large volume of complaints related to COVID-19 scams, and media reports and government guidance point to the proliferation of phishing and similar exploits. At the same time, non-COVID-19 threats persist.

FTC Cautions Against Biased Outcomes in Use of AI and Algorithms
As the health care and financial impacts of COVID-19 continue to evolve with the global pandemic, the use of artificial intelligence (AI) technology and associated risks have received greater attention. On April 8, 2020, the FTC posted an extensive summary of its recent enforcement actions, studies, and guidance regarding the use of AI tools and algorithms. The summary weaves together a handful of FTC enforcement actions and the FTC’s 2016 report on Big Data and 2018 hearings on AI, algorithms, and predictive analysis. The FTC’s compilation is intended to help companies manage the risks associated with the use of AI, design algorithms, evaluate training data, and develop an audit/accountability program to ensure their use of AI tools does not result in biased outcomes.

CCPA Plaintiffs Testing Whether Any CCPA Violation Can Be Used to Bring Class Actions
Plaintiffs’ counsel have started to lay the groundwork in the last few weeks for a broad private right of action under the California Consumer Privacy Act (CCPA). Alston & Bird has published an advisory that evaluates this recent CCPA litigation and offers practical advice to companies as they build CCPA compliance. 

Location and Mobile Data in the Fight Against COVID-19 – An Overview of U.S. and Global Efforts
As cases continue to mount globally, governments are increasingly seeking to leverage consumer geolocation and other mobile device data to assist with fighting the spread of COVID-19. Location data can be of significant value to public health models, such as models that determine areas where social-distancing measures are needed or test whether such measures are effective. In some areas, governments are also using location data for contact tracing or for measures designed to monitor and enforce quarantine of individuals who have tested positive for COVID-19 or persons they have come into contact with.

In Response to COVID-19, NYDFS Delays While CA AG Declines to Change CCPA Timing
According to a report from the International Association of Privacy Professionals, the California attorney general has confirmed that enforcement of the CCPA will not be delayed due to the COVID-19 pandemic. “We’re committed to enforcing the law as early as July 1,” said a representative of the attorney general’s office. The statement from the attorney general’s office goes on to emphasize the importance of data security, which may suggest that data security will be an initial focus of enforcement efforts.

New York Financial Regulator Requires COVID-19 Risk Assessment, Operational Planning
Last week, the NYDFS issued letters to all its licensed financial institutions. Based on these letters, all NYDFS licensees must assess and plan for the financial risk of COVID-19 and, separately, develop operational plans for managing their response to the virus. The NYDFS requires written responses “as soon as possible,” but within 30 days in any case. As a result, impacted businesses should be actively preparing responses to the NYDFS’s detailed request, if they have not already.

California Attorney General Issues Second Round of Modifications to CCPA Regulations
On March 11, 2020, California Attorney General Xavier Becerra announced a second round of modifications to the draft regulations his office is preparing for the CCPA. The updates contain a number of material modifications to the initial CCPA regulations that Becerra’s office released in October 2019. 

DOJ Releases Guidance on Gathering Threat Intel from the Dark Web 
The Cybersecurity Unit (CsU) of the Computer Crime and Intellectual Property Section of the Criminal Division of the U.S. Department of Justice (CCIPS) has released its guidance, Legal Considerations When Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources. The CsU prepared the guidance—with input from the FBI, Secret Service, and Office of Foreign Assets Control—to help companies assess the legal risk associated with information security practitioners gathering intelligence from online forums where computer crimes are discussed and planned and stolen data is bought and sold. The guidance also addresses the legality of situations when private actors attempt to purchase their own stolen data (or stolen data belonging to others but with the “data owners’” authorization), malware, or security vulnerabilities from potentially criminal actors.

High-Profile Settlements, Strengthened Data Security Orders, and COPPA: The FTC’s 2019 Privacy and Data Security Update
Each year, the Federal Trade Commission (FTC) publishes a report on its consumer privacy and data security activities during the prior year. On February 25, 2020, the FTC released its 2019 Privacy and Data Security Update. The update contains a summary of the FTC’s enforcement, advocacy, and rulemaking actions as well as its privacy and security-related workshops, consumer education and business guidance, and international engagement. The update is a useful way to see what the FTC focused on in the prior year and where to expect continued interest.

FBI Releases IC3 2019 Internet Crime Report
The FBI’s Internet Crime Complaint Center (IC3) has released its 2019 Internet Crime Report on trends and statistics of suspected cybercrimes from 2019. The report gathers data from 467,361 complaints, an increase from prior years, with dramatic losses exceeding $3.5 billion. In addition to an explanation of the IC3’s history and operations, the report includes six “hot topics” from 2019: business email compromise, IC3 Recovery Asset Team (RAT), RAT successes, elder fraud, tech support fraud, and ransomware.

The Updated CCPA Regulations: Alston & Bird Detail the 30 Key Business Impacts
California Attorney General Xavier Becerra released updated regulations to the CCPA. The updates contain a number of material modifications to the initial CCPA regulations that Becerra’s office released in October 2019.

DOJ Indicts Chinese Military Personnel for Involvement in 2017 Equifax Breach
On February 10, 2020, the U.S. Department of Justice announced charges against four members of China’s People’s Liberation Army (PLA) for their alleged involvement in the 2017 Equifax hack that resulted in the theft of the personal information of 145 million Americans. In the nine-count indictment, the four individuals, Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, members of the PLA’s 54th Research Institute, were charged with computer fraud, economic espionage, and wire fraud for allegedly conspiring to hack into Equifax’s networks, maintain unauthorized access to those computers, and steal sensitive information, including trade secrets.

SEC Releases Detailed Set of “Cybersecurity and Resiliency Observations”
On January 28, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a detailed set of observations culled from thousands of examinations of registered investment advisers, broker-dealers, clearing agencies, national exchanges, and other SEC registrants. These observations represent the most detailed compilation of strategies and tools that OCIE has observed to promote effective cybersecurity programs. 

California Releases Modified CCPA Regulations
On February 7, 2020, the California Office of the Attorney General released modified regulations to the CCPA. The modified regulations update the initial proposed regulations, which were previously published on October 11, 2019. 

EU and United Kingdom Updates

UK ICO Publishes the Final Version of Its Age Appropriate Design Code
On January 21, 2020, the UK ICO published the final version of its Age Appropriate Design Code, which sets out 15 standards that online services should meet to protect children’s privacy. The Design Code applies not only to online services squarely aimed at children but also online services likely to be accessed by children.

Written by:

Alston & Bird
