The BR Privacy & Security Download: December 2022
Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
Pennsylvania Amends Its Data Breach Notification Law
Pennsylvania Governor Tom Wolf signed SB 696 into law, amending Pennsylvania’s data breach notification law. SB 696 broadens the definition of “personal information,” which triggers data breach notification obligations, to include medical information (i.e., any individually identifiable information contained in an individual's current or historical record of medical history, medical treatment, or diagnosis created by a health care professional), health insurance information (i.e., an individual's health insurance policy number or subscriber identification number in combination with an access code or other medical information that permits misuse of an individual's health insurance benefits), and a username or e-mail address in combination with a password or security question that would permit access to an online account. SB 696 further allows for electronic notice if the affected personal information consists of a username or e-mail address in combination with a password or security question and exempts covered entities and business associates governed by HIPAA. SB 696 takes effect on May 2, 2023.
NYDFS Releases Proposed Amendments to Cybersecurity Rules
The New York Department of Financial Services (“NYDFS”) released its second proposed amendments to its regulations on Cybersecurity Requirements for Financial Services Companies (“NYDFS Cybersecurity Rule”). Among other changes, the amendments make substantial changes to the security requirements of the NYDFS Cybersecurity Rule by requiring covered entities to conduct penetration testing annually, implement monitoring processes to ensure prompt notification of new security vulnerabilities, maintain written policies and procedures for vulnerability management and conduct automated vulnerability scans, review and update risk assessments annually, and require the use of multi-factor authentication or reasonably equivalent controls for remote access to systems, third-party applications, and privileged accounts. The proposed amendments also define three new security events that must be reported to the NYDFS within 72 hours: unauthorized access to privileged accounts, deployment of ransomware within a material part of a covered entity’s systems, and any cybersecurity event affecting a third-party service provider that also affects the covered entity. The 60-day public comment period for the proposed amendment ends on January 9, 2023.
CPPA Proposes New Modifications to Draft CPRA Regulations
The California Privacy Protection Agency (“CPPA”) announced updated draft regulations for the California Privacy Rights Act (“CPRA”). The draft regulations include key changes to the CPPA’s October draft, including a potential enforcement reprieve from the July 1, 2023 compliance date and data minimization requirements. Many stakeholders welcome the potential delay in enforcement as certain provisions, including employee data rulemaking, will likely not be finalized until after the CPRA’s January 1, 2023 operative date.
Colorado AG Publishes Public Comments to Draft CPA Rules
The Colorado Attorney General's Office (“COAG”) has posted over sixty stakeholder comments on its rulemaking comment website regarding the proposed draft rules for the Colorado Privacy Act (“CPA”). The posted submissions include comments to and questions about proposed CPA provisions, including input from the three November 2022 stakeholder meetings hosted by the COAG. Written comments must be submitted by January 18, 2023.
Pennsylvania Introduces AI Registry Bill
Pennsylvania has introduced HB 2903, which seeks to establish an artificial intelligence (“AI”) registry. Specifically, HB 2903 would task the Department of State (“Department”) with establishing and maintaining a registry of businesses operating AI systems in the state. HB 2903 would require the Department to coordinate with other state agencies to develop a registry form to collect information from businesses, including a business’ IP address, the type of code utilized for AI, the intent of the software, personal information of a designated person of contact, and a signed statement or electronic consent to the Department’s collection and use of such information for registry purposes.
FEDERAL LAWS & REGULATIONS
Federal Trade Commission Extends Deadline for Compliance with Financial Data Security Rule
The Federal Trade Commission (“FTC”) announced that it has extended the deadline for companies to comply with some of the changes the FTC implemented in the Safeguards Rule. The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. The deadline for complying with the updated requirements of the Safeguards Rule is now June 9, 2023. The provisions of the updated rule that are specifically affected by the six-month extension are requirements for financial institutions, including designating a qualified individual to oversee their information security program; developing a written risk assessment; limiting and monitoring who can access sensitive customer information; encrypting all sensitive information; training security personnel; developing an incident response plan; periodically assessing the security practices of service providers; and implementing multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
U.S. Department of Health and Human Services Office for Civil Rights Publishes Bulletin on Online Tracking Technologies
The Office for Civil Rights (“OCR”) issued a bulletin to highlight the obligations of covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) when using online tracking technologies. Notably, the OCR has taken the position that tracking technologies that collect an individual’s e-mail address and/or IP address when the individual visits a covered entity’s or business associate’s webpage to search for available appointments with a health care provider are considered a disclosure of protected health information, requiring either a business associate agreement to be in place with the tracking technology vendor or the individual’s authorization for the disclosure. The OCR made clear that website banners that ask individuals to accept or reject a website’s use of tracking technologies, such as cookies, do not constitute a valid HIPAA authorization. Relatedly, two healthcare entities have proactively reported their past use of web tracking technologies in patient portals as a data breach to OCR. The entities reported that the affected information included names, contact information, COVID vaccine status, appointment procedures, and insurance information.
HHS Proposes Amendment of Substance Use Disorder Patient Records Regulations
The Office for Civil Rights and the Substance Abuse and Mental Health Services Administration (“SAMHSA”) announced proposed amendments to the Confidentiality of Substance Use Disorder (“SUD”) Patient Records under 42 CFR part 2 (“Part 2”). The proposed changes intend to increase coordination among providers treating substance use disorders and increase protections against disclosure to avoid discrimination in treatment. Proposed changes include permitting the use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations; permitting redisclosure of Part 2 records as permitted by the HIPAA Privacy Rule, with certain exceptions; extending patient rights under the HIPAA Privacy Rule relating to accounting of disclosures and requesting restrictions; and updating breach notification requirements.
State Attorneys General Write Letter in Support of FTC Privacy and Security Rulemaking
A bipartisan coalition of 33 state attorneys general wrote a comment letter to the FTC in response to its Advanced Notice of Proposed Rulemaking on Commercial Surveillance and Data Security. In the letter, the Attorneys General stated that the traditional “notice and choice” approach to privacy is “largely failing consumers” and recommended that the FTC instead consider data minimization approaches similar to those taken by California, Virginia, Colorado, Utah, and Connecticut in those states’ comprehensive privacy laws. The Attorneys General also encouraged the FTC to consider the risks in commercial surveillance practices that use sensitive data such as location, biometric, and medical data. The Attorneys General believe such an approach would be more effective in combating what they called “the alarming amount of sensitive consumer data that is amassed, manipulated, and monetized” by companies.
CISA Releases Draft Cybersecurity Performance Goals
The Cybersecurity and Infrastructure Security Agency (“CISA”) released a draft version of its Cross-Sector Cybersecurity Performance Goals (“CPGs”). The CPGs are responsive to President Biden’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, which required CISA, in coordination with the National Institute of Standards and Technology, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. The CPGs are intended to be a baseline set of cybersecurity practices broadly applicable across critical infrastructure. The draft CPGs are divided into eight categories: account security, device security, data security, governance and training, vulnerability management, supply chain, response and recovery, and other. For each category, the CPGs describe the risks that are intended to be addressed, the ultimate security outcome, and recommended actions to achieve the outcome. Compliance with the CPGs is voluntary. CISA is currently seeking comments on the draft CPGs.
NLRB General Counsel Takes Strong Stance Against Intrusive Electronic Monitoring Practices
General Counsel for the National Labor Relations Board (“NLRB”) issued a memorandum in firm support of employee privacy against overly intrusive employer monitoring technologies and abusive automated management practices that tend to interfere with employees’ ability to exercise unionization rights under the National Labor Relations Act (“the Act”). The memo suggests a new framework and interagency approach when reviewing employers’ surveillance and management practices under the Act, wherein an employer is presumed to have violated the Act if the employer’s practices (e.g., use of GPS tracking devices or keyloggers), viewed as a whole, tend to interfere with or prevent an employee from engaging in protected activities. When the employer’s business interests outweigh employee rights, the employer must disclose its technologies, practices, and reasons, or demonstrate that special circumstances require such use.
FTC Brings Enforcement Action against Education Technology Provider
The FTC announced an enforcement action against an education technology provider, Chegg Inc. (“Chegg”), for failing to implement certain data security safeguards, which resulted in four separate data breaches between 2017 and 2020. Three of the data breaches involved phishing attacks that successfully targeted Chegg’s employees and one involved unauthorized access by a former contractor to a third-party cloud database that exposed the personal information of approximately forty million customers. The FTC’s proposed order requires Chegg to, among other things, implement a comprehensive information security program, encrypt certain sensitive data at rest, implement multifactor authentication to help users and employees secure their accounts, provide appropriate phishing training to employees, limit the amount of data collected and stored to what is minimally necessary, and allow customers to access and delete personal information collected about them.
FTC Settles with Vonage for Failing to Allow Customers to Cancel their Voice Over Internet Protocol Services
The FTC has reached a settlement with Vonage, a Voice over Internet Protocol (“VoIP”) service provider. The FTC alleged that Vonage violated the FTC Act and the Restore Online Shoppers’ Confidence Act by making it difficult for customers to cancel their VoIP subscriptions, requiring its customers to pay an early termination fee that was not clearly disclosed when signing up for Vonage’s services, and continuing to charge customers even after they canceled. Vonage agreed to the FTC’s proposed order, which requires Vonage to pay $100 million for refunds to customers; have customers’ express, informed consent to be charged; and be upfront with customers about the terms of any “negative option” plans that begin with a free trial but require the customer to take action to avoid being charged. The proposed order also prohibits Vonage from using dark patterns to frustrate customers’ cancellation efforts, demonstrating the FTC’s focus on manipulative user interface designs used on websites and mobile apps.
State Attorneys General Reach $16 Million Settlement with Consumer Credit Reporting Company and Telecommunications Company
Forty states’ attorneys general reached a settlement with a major consumer credit reporting company and nationwide telecommunications company for two separate data breaches. The first data breach involved a threat actor accessing portions of the consumer credit reporting company’s database that stored the personal information of approximately fifteen million individuals who applied for services offered by the telecommunications company. The second data breach involved a threat actor posing as a private investigator and retrieving the sensitive personal information of approximately 200 million individuals from a database the credit reporting company purchased. The consumer credit reporting company has agreed to pay a total of $13.67 million in connection with the two data breaches, strengthen its data security practices, and provide five years of credit monitoring to affected individuals. The telecommunications company has agreed to pay $2.43 million and strengthen its vendor oversight by contractually requiring vendors to have certain security safeguards in place (e.g., encryption, strong passwords, and patching).
OCR Releases Video Guidance on Recognized Security Practices
The Office for Civil Rights (“OCR”) released video guidance to explain how it will consider “recognized security practices” when undertaking enforcement actions for violation of the Health Insurance Portability and Accountability Act (“HIPAA”). The new guidance follows a 2021 amendment to the HITECH Act of 2009 that required OCR to consider regulated entities’ implementation of recognized security practices during the 12 months prior to OCR making an enforcement decision. The video explains that there are three categories of recognized security practices a regulated entity can implement: the NIST Cybersecurity Framework, practices outlined in Section 405(d) of the Cybersecurity Act of 2015, and other practices that were “developed, recognized, or promulgated by statute or regulation.” To determine whether an entity has implemented recognized security practices, the video explains that OCR will invite a regulated entity to voluntarily present evidence of implemented recognized security practices.
SolarWinds Settles Shareholder Lawsuit, Announces SEC Enforcement Action
SolarWinds Corp. (“SolarWinds”) stated in an 8-K filing that it is entering into a settlement agreement with a class of shareholders who sued SolarWinds regarding alleged misrepresentations about a 2020 security incident in which a backdoor was inserted into the company’s Orion product by malicious actors believed to be associated with Russian intelligence agencies. SolarWinds will pay $26 million to fund the claims of class members. In the same 8-K filing, SolarWinds also stated that it received a “Wells Notice” from the Securities and Exchange Commission (“SEC”) “with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.” The Wells Notice indicates that the SEC has made a preliminary determination to recommend that the SEC file an enforcement action for violation of U.S. securities laws.
LinkedIn Prevails Against hiQ Labs in Data Scraping Suit
The court in hiQ Labs, Inc. v. LinkedIn Corp. granted LinkedIn Corp. (“LinkedIn”) motions for summary judgment filed against hiQ Labs, Inc. (“hiQ”) in the long-running data scraping litigation. The court found that hiQ, a start-up that developed employee data analysis products, scraped data from public LinkedIn profiles to develop hiQ products and hired independent contractors, known as “turkers,” to create false LinkedIn profiles for hiQ’s quality assurance purposes. The court ruled in favor of LinkedIn’s breach of contract claim, finding that LinkedIn’s User Agreement unambiguously prohibited data scraping and false accounts. The court also ruled in favor of LinkedIn’s motion under the federal Computer Fraud and Abuse Act because hiQ not only violated LinkedIn’s User Agreement, but also attempted to avoid detection by LinkedIn’s technical defenses and circumvent LinkedIn’s User Agreement enforcement efforts.
INTERNATIONAL LAWS & REGULATIONS
European Council Adopts Cybersecurity Regulation
The European Council adopted legislation to update the current directive on the security of network and information systems. The new directive, known as “NIS2,” sets a baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health, and digital infrastructure. NIS2 seeks to harmonize cybersecurity requirements and implementation across the EU’s member states. The NIS2 directive will be published in the Official Journal of the European Union and will become effective 20 days following the publication. EU member states will have 21 months from the effective date of the NIS2 directive to incorporate the provisions into their national laws.
UK ICO Publishes New Guidance on International Data Transfers and Transfer Risk Assessment Tool
The United Kingdom Information Commissioner’s Office (“UK ICO”) released new guidance on the rules for transfers of personal data from the UK to entities outside of the EU. The guidance describes the rules on international transfers of personal data and reviews the steps to take to determine how to make a transfer of personal data to locations outside of the UK in compliance with UK privacy laws. The UK ICO also provides specific guidance on transfer risk assessments, which are used to determine whether restricted transfers are covered by appropriate safeguards, as well as a transfer risk assessment tool for companies to use.
India Proposes Draft Data Protection Bill
India’s Ministry of Electronics and Information Technology proposed a new draft of the Digital Personal Data Protection Bill (“Draft Law”). The Draft Law applies to personal data that is either collected online or collected offline and then retained in digital format. The Draft Law provides individuals, called “data principals,” with several rights, including the right to information, the right to correction, and the right to erasure of personal data. The Draft Law also requires the processing of personal data to be pursuant to one of the legal bases enumerated in the law, such as consent, and contains prior notice, data security, data breach notification, and data retention requirements. In a change from prior versions, the new Draft Law does not include data localization provisions. However, the Draft Law allows the government to specify which countries personal data may be transferred to. The Draft Law provides for penalties of up to 5 billion Rupees (approximately $61 million), depending on the violation.
Australian Parliament Passes Amendment to Privacy Legislation
The Australian Parliament approved amendments to the Privacy Act of 1988, the country’s comprehensive federal privacy legislation. The amendments increase fines for violations of the law to up to the greater of (i) AU$50 million, (ii) three times the value of the benefit derived from the violating conduct, or (iii) 30 percent of the adjusted turnover during the 12-month period prior to the date the violating conduct ceased or the period of non-compliance with the Privacy Act, whichever is longer. The amendments come in the wake of several high-profile data breaches in the telecommunications and healthcare sectors affecting Australian data subjects.
RECENT PUBLICATIONS & MEDIA COVERAGE
Is Your Company Prepared for the New Cyber Incident Reporting Requirements? (The Temple 10-Q)
First California Consumer Privacy Act Enforcement Action Settlement and Sunsetting of Employee Data Exemptions Signal Significant Compliance Challenges Ahead (Pratt's Privacy & Cybersecurity Law Report)
We thank Ann Huang for her writing assistance with this newsletter.