The BR Privacy & Security Download: April 2022
Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
Utah Passes Utah Consumer Privacy Act
Utah has become the fourth state to pass its comprehensive privacy law, the Utah Consumer Privacy Act (“UCPA”). Of all its predecessors, the UCPA most closely follows the Virginia Consumer Data Protection Act (“VCDPA”) and provides consumers the rights to access and delete personal data and opt-out of the processing of personal data for the purposes of targeted advertising and the sale of personal data. The UCPA also requires consumers to be given notice and an opportunity to opt-out of the processing of their sensitive data and requires opt-in parental consent for the processing of personal data of children under 13. The UCPA does not provide for a private right of action. Utah’s Attorney General has the exclusive authority to enforce the UCPA with the assistance and consultation of the Division of Consumer Protection, to whom consumers may submit complaints for alleged violations. The UCPA provides for a 30-day cure period and will take effect December 31, 2023.
California Attorney General Issues Opinion on Consumer Right to Access Inference Data under the CCPA
The California Attorney General issued an opinion concluding that under the California Consumer Privacy Act (“CCPA”), “a consumer has the right to know internally generated inferences about that consumer, unless a business can demonstrate that a statutory exception to the [CCPA] applies.” The opinion explains that inferences are themselves “personal information” for purposes of the CCPA (and therefore disclosable) when two conditions exist. First, the inference is drawn from any personal information subject to the CCPA. Second, the inference is used to “create a profile about a consumer,” or in other words to predict a salient consumer characteristic. Since the inferences a business holds about a consumer are in fact personal information under the CCPA, businesses must disclose the inferences to a consumer upon request. If a business withholds on the grounds of trade secret, the business bears the burden of demonstrating that the inferences themselves are trade secrets under applicable law.
California Proposes to Amend Data Broker Registration Law
The California Senate introduced SB 1059 to amend California’s data broker registration law, which requires data brokers to register with and provide certain information to the California Attorney General. SB 1059 seeks to bring the current data broker registration law in alignment with the California Privacy Rights Act (“CPRA”). More specifically, SB 1059 broadens the definition of data brokers to include businesses that knowingly collect and share (as defined by the CPRA) information and adds new requirements to annual registration, making it mandatory for data brokers to report: (i) whether they have experienced data breaches; (ii) whether they collect data of minors; and (iii) instructions on how consumers may exercise their rights to know, delete, and correct personal information, as well as how to opt-out of the sale or sharing of personal information and how to limit the use and disclosure of sensitive personal information. SB 1059 also increases the $100-per-day civil penalty for non-compliance to $200 per day and expands enforcement authority to include the California Privacy Protection Agency along with the California Department of Justice.
Updates on Status of State Comprehensive Privacy Bills
As previously reported, Connecticut and Iowa introduced their respective comprehensive privacy bills in February. Connecticut’s bill has advanced to the Senate floor from the General Assembly’s General Law Committee for further debate and consideration. Connecticut’s bill closely tracks the Colorado Privacy Act (“Colo PA”) with noticeably lower thresholds than its predecessors and a 60-day cure period during the period between July 1, 2023, and December 31, 2024. If passed, the bill would take effect July 1, 2023. Iowa’s privacy bill has advanced from the House to the Senate with one month of Iowa’s legislative session remaining. Iowa’s bill provides for a 30-day cure period and, if enacted, will take effect January 1, 2024. The Oklahoma House of Representatives passed the Oklahoma Computer Data Privacy Act (HB 2969), which generally mirrors the CCPA. The Oklahoma House of Representatives passed a version of this bill last year, but the bill stalled in the Senate Judiciary Committee. The Oklahoma Computer Data Privacy Act does not provide a cure period and, if enacted, will take effect January 1, 2023. On the other hand, Florida has once again failed to pass its comprehensive privacy bill before the close of its legislative session.
Colorado Attorney General Seeks Comments for Rulemaking for the Colo PA
The Colorado Attorney General’s Office (“Colo AG”) is seeking informal comments to better understand the public’s thoughts and concerns about the focus for future rulemaking for the Colo PA. The Colo AG is seeking comments on 16 topics, including dark patterns, data brokers, data protection assessments, and the universal opt-out mechanism, which the Colo PA uniquely requires be provided to consumers to enable them to exercise their right to opt-out of the sale of personal data and the processing of personal data for purposes of targeted advertising and profiling. Any information sent as part of this information gathering process will not be considered part of the rulemaking record. The Colo AG will hold public hearings once draft regulations are published to allow for the submission of formal comments and for further engagement in the rulemaking process. Colorado Attorney General Phil Weiser has previously stated that the draft regulations for the Colo PA will be posted this fall.
Indiana Amends Its Data Breach Notification Law
Indiana Governor Eric Holcomb signed into law HB 1351, which amends Indiana’s data breach notification law to require entities to notify individuals affected by a data breach within 45 days of discovery of the breach. HB 1351 allows for “reasonable” delays, specified as “(1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will: (A) impede a criminal or civil investigation; or (B) jeopardize national security.” HB 1351 will take effect July 1, 2022.
FEDERAL LAWS & REGULATIONS
SEC Proposes Cybersecurity and Incident Disclosure Rules
The Securities and Exchange Commission (“SEC”) announced proposed rule amendments that would require current reporting about material cybersecurity incidents, periodic reporting to provide updated information about such incidents, and periodic standardized reporting about registrants’ cybersecurity risk management, strategy, and governance. Under the proposed amendments, public companies would be required to report a cybersecurity incident on a Form 8-K within four days of determining the incident is material, creating a challenging deadline that would require effective internal procedures for escalation and review of cybersecurity incidents. The proposed amendments would also require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks and its board of directors’ oversight of cybersecurity risk, as well as require annual reporting or certain proxy disclosures about the board of directors’ cybersecurity expertise, if any.
Cyber Incident Reporting for Critical Infrastructure Act Signed into Law
President Biden signed into law the Consolidated Appropriations Act 2022, which includes the Cyber Incident Reporting for Critical Infrastructure Act. The act requires companies that power the country’s critical infrastructure to report “substantial” cyber incidents to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and to report payments made for ransomware attacks within 24 hours.
Healthcare Cybersecurity Act Introduced in Senate
Senators introduced the Healthcare Cybersecurity Act (the “Act”), which seeks to strengthen cybersecurity in the healthcare sector by requiring coordination between CISA and the U.S. Department of Health and Human Services. The Act requires CISA to coordinate with and make resources available to information sharing and analysis organizations and other entities to develop products specific to the needs of healthcare and public health sector entities and to share information relating to cyber threat indicators and appropriate defensive measures. The Act would also require CISA to provide training to healthcare and public health sector asset owners on cybersecurity risks and ways to mitigate risks to information systems, as well as mandate that CISA conduct a study on cybersecurity risks facing the healthcare sector. The study would explore strategies for securing medical devices and electronic health records, and how data breaches impact patient care.
President Biden’s State of the Union Remarks Emphasize Children’s Privacy
President Biden’s State of the Union remarks highlighted the need to enhance online privacy measures for the personal information of children. President Biden stated, “It’s time to strengthen privacy protections, ban targeted advertising to children, demand tech companies stop collecting personal data on our children.” He further stated that social media platforms must be held “accountable for the national experiment they’re conducting on our children for profit.” With several bills already in Congress relating to children’s privacy, including but not limited to the Children and Teens’ Online Privacy Protection Act, Kids Internet Design and Safety Act, and Kids Online Safety Act, President Biden’s remarks further underscore that a key focus of the federal government will be the privacy of children’s data and foreshadow that more bills to protect the privacy of children may be proposed as children's online activities increase.
White House Issues Executive Order on Development of Digital Assets
President Biden issued the highly anticipated Executive Order to ensure the responsible development of digital assets (i.e., digital and cryptocurrencies). The Executive Order is intended to balance incentivizing innovation in the digital asset space with risk protection. One of the stated intentions is exploring a U.S. Central Bank Digital Currency (“CBDC”) that would be backed by the Federal Reserve. Generally, the Executive Order issues directives in the following five categories: (1) policy and actions related to a U.S. CBDC; (2) measures to protect consumers, investors, and businesses; (3) actions to promote financial stability, mitigate systemic risk, and strengthen market integrity; (4) actions to limit illicit finance and associated national security risks; and (5) policy and actions related to fostering international cooperation and U.S. competitiveness.
Federal Court Refuses to Dismiss SolarWinds Securities Fraud Claims
A Texas federal court refused to grant SolarWinds’ motion to dismiss securities fraud claims in a lawsuit filed by SolarWinds investors. The court found that statements made by a company executive in charge of information security in interviews advertising what he described as the company’s “heavy-duty hygiene” on cybersecurity and the fact that his photo appeared near security statements on the company’s website were enough to plausibly plead that the executive acted at least recklessly when touting SolarWinds security measures.
FTC Orders App to Delete Illegally Collected Children’s Data and Algorithms Derived from Data
The Federal Trade Commission (“FTC”) announced a settlement with WW International, Inc. and its subsidiary Kurbo, Inc. (collectively, “WW”) related to a weight loss app marketed for use by children as young as eight. The FTC alleged that WW did not properly obtain consent from parents to collect children’s data by using an app signup process that encouraged younger users to falsely claim they were over 13 and continuing to allow access to the app to users that indicated they were under 13 without seeking parental consent, among other things. The settlement requires WW to delete all personal information illegally collected from children in violation of the Children’s Online Privacy Protection Act (“COPPA”) and, in an enforcement first, requires WW to destroy any affected work product such as algorithms that used data illegally collected from children in violation of COPPA.
DOJ Announces Civil Cyber-Fraud Initiative Settlement
The Department of Justice (“DOJ”) announced the first settlement under its Civil Cyber-Fraud Initiative. Through this initiative, the government intends to use the False Claims Act to hold accountable entities and individuals who place at risk U.S. information or systems by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Under the terms of the settlement, Comprehensive Health Services LLC (“CHS”), which contracted to provide global medical services at government-run facilities in Iraq and Afghanistan, agreed to pay nearly $930,000 to resolve claims against it. CHS submitted claims for payment for the cost of a secure electronic medical record system that would store the medical files and confidential identifying information of U.S. service members, diplomats, officials, and contractors who received care in Iraq. CHS allegedly failed to disclose to the government that it did not consistently store that information on the secure system, leaving the information vulnerable and accessible to individuals who should not have had access to it.
FTC Settles Enforcement Action against E-commerce Platform for Delay in Breach Notifications and Lax Security
The FTC announced a settlement with the current and former owners of e-commerce platform CafePress. The FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network by storing social security numbers and password reset answers in clear text, retaining data for longer than necessary, and failing to apply protection to well-known threats. According to the FTC complaint, the security failures were exploited by hackers who accessed millions of unencrypted names, physical addresses, and security questions and answers, more than 180,000 unencrypted social security numbers and tens of thousands of partial payment card numbers and expiration dates. The FTC alleged that the company failed to promptly investigate the breach and failed to notify affected individuals for seven months despite receiving a warning from a foreign government only two months after the incident urging the company to notify affected customers. The proposed settlement requires payment of $500,000 in redress to victims of the data breach, provision of adequate notification to affected customers, and third-party assessment of the owners’ information security programs.
HHS Announces Four HIPAA Enforcement Actions
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced the resolution of three investigative matters and one matter before an administrative law judge relating to alleged non-compliance with the Health Insurance Portability and Accountability Act (“HIPAA”). Two of the cases were completed as part of OCR’s right of access initiative and alleged a failure to provide patients with a copy of their medical records. The other two cases alleged impermissible disclosure of protected health information online and to a third-party marketing company, respectively.
State Attorneys General Band Together to Launch Investigation against TikTok
California, Florida, Kentucky, Massachusetts, Nebraska, New Jersey, Tennessee, and Vermont are investigating TikTok for its promotion to children and young adults because of potential harm to the physical and mental health of consumers. The State Attorneys General will examine whether the company is violating any state consumer protection laws and putting minors and young adults at risk. TikTok’s techniques for boosting the duration of time people spend on the platform will also be evaluated.
INTERNATIONAL LAWS & REGULATIONS
U.S. and EU Announce Agreement on New Data Transfer Mechanism
President Biden and European Commission President Ursula von der Leyen announced that the U.S. and EU have agreed in principle to a new transatlantic data privacy framework that will provide a legal mechanism for transfer of personal data from the EU to the U.S. The two sides had been in discussions since the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield in July of 2020. Details of the new framework have not been released, but the White House stated that the U.S. has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities. Companies that wish to participate in the new framework will be required to self-certify their adherence to Privacy Shield Principles. The U.S. and EU will continue to work to finalize the details of the agreement.
UK International Data Transfer Agreements Effective
The UK International Data Transfer Agreement (“IDTA”) and the international data transfer addendum (“Addendum”) to the European Commission’s standard contractual clauses became effective on March 21, 2022. The IDTA and Addendum replace the standard contractual clauses for transfers of UK personal data outside of the UK. The Addendum is intended to be used in conjunction with the EU standard contractual clauses when transfers involve both EU and UK personal data. The UK Information Commissioner’s Office is developing additional tools and guidance on cross-border data transfers for organizations, including guidance on how to use the IDTA and guidance on transfer risk assessments.
EDPB Adopts Guidelines on Social Media Dark Patterns
The European Data Protection Board (“EDPB”) adopted guidelines on dark patterns in social media platform interfaces. The guidelines are intended to offer practical recommendations to platform designers and users on assessing and avoiding “dark patterns” that violate European Union General Data Protection Regulation (“GDPR”) requirements. The guidelines provide examples of dark patterns and present recommended best practices for different use cases. The guidelines also provide specific recommendations for designers of social media user interfaces to facilitate compliance with the GDPR.
NOYB Sends Second Round of Cookie Consent Complaints
NOYB, a non-profit entity founded by privacy activist Max Schrems, announced that it has sent a second round of complaints to website operators who are not in compliance with European requirements to obtain consent of data subjects prior to placing cookies on end user devices and browsers. NOYB sent an initial round of complaints in May 2021. In part because of the first round of complaints, European regulators have been actively pursuing enforcement actions against companies that do not have mechanisms designed to obtain specific, informed, and unambiguous consent as required by the GDPR. NOYB has also been involved in filing a series of complaints against companies using cookies that transfer personal information to the U.S., resulting in decisions from the Austrian and French data protection authorities that use of such cookies does not comply with the GDPR because adequate safeguards for the transferred personal data are not maintained.
LIVE CLE WEBINAR
The Winding Road of Data Privacy & Security Regulation: Enforcement Trends & Best Practices
Wednesday, April 27, 2022
1:00—2:00 p.m. ET | 10:00—11:00 a.m. PT
As an array of federal and state regulators—from the SEC, DOJ, and OCC to state attorneys general—ramp up their scrutiny of companies’ data privacy and cybersecurity practices, businesses are facing tension over how to comply with an evolving regulatory framework.
Blank Rome LLP and Withum invite you to join us for a complimentary webinar led by knowledgeable attorneys from Blank Rome’s Privacy, Security & Data Protection and White Collar Defense & Investigations Groups, and cyber and IT security experts and advisors from Withum, who will provide in-depth analysis of:
Trends in Data Privacy and Enforcement
- Industry focus: Healthcare/Life Sciences, Consumer/Retail, and Financial Services
- Where is the scrutiny/how is it evolving?
- Which regulators/agencies are focused on which industries?
The Changing Data Security Landscape
- Trends in threat actors
- Regulator scrutiny of cyber security practices
- Importance of vendor management and operational readiness
The Power of Regulators
- How far can the regulators go?
- How much are you required to reveal to regulators/government agencies/the public?
Contact Courtney Litman for more information.
NOW AVAILABLE ON DEMAND
PropTech Privacy Primer: Where Your Data Resides & How to Protect It
Led by Blank Rome Partners Sharon R. Klein and Jennifer J. Daniels, this 30-minute briefing provides a foundational overview of PropTech privacy issues, including a discussion of what type of information is at risk, where this information “lives,” and how real estate owners and stakeholders can take affirmative steps to safeguard sensitive data.
Protecting Information from Insider Threats and External Hackers
In this 30-minute webinar session, Jayme L. Butcher and Sharon R. Klein discuss how to address the challenges of employees and business partners misappropriating confidential information from the inside as well as the latest on external hacking threats, and how companies can best protect their critical assets from these dual threats.
RECENT PUBLICATIONS & MEDIA COVERAGE
- Q1 Biometric Privacy Litigation Update (Biometric Privacy Insider)
- New Utah Privacy Law ‘Lighter’ than Predecessors (Compliance Week)
- Real Questions Abound in the Virtual World of the Metaverse (The Legal Intelligencer)
- Tattoo Recognition Technology is Gaining Acceptance as a Crime-Solving Technique (The Northern Illinois University Law Review)
- Sensor Ships: Managing Big Data Generated in the Maritime World (MAINBRACE: March 2022)
- Utah Becomes the Fourth State to Pass Comprehensive Privacy Law (Blank Rome Client Advisory)
- Cyber Reporting Requirements Keep Policyholders on Toes (Law360)
- SEC Proposes New Cybersecurity Rules (Blank Rome Client Advisory)
- A Perfect Storm for Directors: More Risk with Less Protection (NACD PSW/USC Marshall Corporate Directors Symposium)
- California Legislature Introduces Expansive Biometric Privacy Law (Biometric Privacy Insider)
- Future Proofing Privacy Compliance with Impending State Regulatory Regimes (Pratt’s Privacy & Cybersecurity Law Report)
- Recent Trends in U.S. State Data Privacy and Security Law (In-House Defense Quarterly)
- Is Your Company Prepared for the New Cyber Incident Reporting Requirements? (Government Contracts Navigator)
- A Safe Bet? Privacy and Security Law for Online Sports Wagering in New York State (New York Law Journal)
AVAILABLE TO DOWNLOAD
Advancing Diversity, Equity & Inclusion at Blank Rome and Beyond
We are excited to present the 2021–2022 edition of Perspectives, Blank Rome’s diversity, equity, and inclusion (“DEI”) report. In this edition, you will find:
- A review of Blank Rome’s strategic partnerships, initiatives, accolades, and programming of the past year;
- Interviews with department and affinity group leaders;
- An inside look at Blank Rome’s Fifth Annual Women’s Leadership Summit;
- An overview of our ongoing actions to further racial equity, inclusion, and social justice;
- And more!
To learn more about Blank Rome’s diversity, equity, and inclusion initiatives, please visit blankrome.com/diversity-inclusion.