The BR Privacy & Security Download: June 2022
Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
CPPA Releases First Draft Regulations
The California Privacy Protection Agency (“CPPA”) released its first draft California Privacy Rights Act (“CPRA”) regulations (“Draft Regulations”) ahead of the CPPA Board meeting on June 8, 2022. The timeframe for finalization of the Draft Regulations is not yet set. The CPPA must still issue a Notice of Proposed Rulemaking to begin the formal rulemaking process, which will be followed by a 45-day public comment period. The Draft Regulations have been created by revising existing California Consumer Privacy Act (“CCPA”) regulations, leaving the overall structure of the CCPA regulations intact. Notable components of the Draft Regulations include mandatory recognition of opt-out preference signals, new notice of collection requirements for when a first party allows a third party to collect personal information from consumers, extensive requirements when obtaining consent, and a statement that cookie management tools by themselves are not sufficient to effectuate sale opt-out requests or requests to limit the use of sensitive information. The Draft Regulations do not address all 22 regulatory topics required by the CPRA statute and so the CPPA must issue more regulations at a later date to address regulatory topics such as opting out of automated decision making, cybersecurity audits, risk assessments, and other matters.
Connecticut Enacts the Connecticut Data Privacy Act
Connecticut Governor Ned Lamont has signed the Connecticut Data Privacy Act (“CDPA”), officially enacting the state’s comprehensive privacy law. As previously reported, the CDPA most closely resembles the Colorado and Virginia privacy laws and provides Connecticut consumers with the rights to access and delete personal data; correct inaccuracies in personal data; and opt out of the processing of personal data for the purposes of targeted advertising, sale, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. The CDPA also requires consumer consent before processing sensitive data such as data revealing a health condition, personal data collected from a known child, and precise geolocation data. The CDPA provides sole enforcement authority to the Connecticut Attorney General and does not provide for a private right of action. The CDPA will take effect July 1, 2023.
Kentucky and Maryland Enact Insurance Data Security Laws
Kentucky and Maryland have joined 20 other states in enacting insurance data security laws modeled on the National Association of Insurance Commissioners’ (“NAIC”) Insurance Data Security Model Law (MDL-668). Both the Kentucky and Maryland laws require insurance carriers to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards, and to notify the relevant state insurance commissioner within three business days of determining that a cybersecurity event (i.e., an event resulting in unauthorized access to, disruption of, or misuse of an information system or nonpublic information stored on an information system) has occurred. Both laws further require insurance carriers to require third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information accessible to or held by the service provider. Kentucky’s law takes effect January 1, 2023, and Maryland’s law takes effect on October 1, 2022. Both laws provide insurance carriers a one-year grace period to comply with the requirements for a written information security program and a two-year grace period to implement the third-party service provider oversight requirement.
California Governor Signs Blockchain Executive Order
California Governor Gavin Newsom signed an executive order to help support and foster the development of blockchain technology within the state. Under the executive order, California has seven priorities: (1) create a transparent and consistent business environment for companies operating in blockchain, including crypto assets and related financial technologies; (2) create a regulatory approach to crypto assets harmonized between federal and state authorities, explore and establish public-serving use cases (such as incorporating blockchain technologies into state operations), and build research and workforce pipelines; (3) collect feedback from a broad range of stakeholders for potential blockchain applications and ventures, with particular attention to crypto assets and related financial technologies; (4) engage in a public process and exercise statutory authority to develop a comprehensive regulatory approach to crypto assets; (5) engage in and encourage regulatory clarity via progress on the processes outlined in President Biden’s Executive Order on Ensuring Responsible Development of Digital Assets; (6) explore opportunities to deploy blockchain technologies to address public-serving and emerging needs; and (7) identify opportunities to create a research and workforce environment to power innovation in blockchain technology, including crypto assets.
North Carolina Prohibits Public Entities from Making Ransomware Payments
North Carolina became the first state to pass a law prohibiting state and local government entities from making ransomware payments. The prohibition passed as part of North Carolina’s budget appropriations act and prohibits any state or local government entity from submitting payment to, or even communicating with, an entity that has committed a ransomware attack. State and local government entities are required to report ransomware incidents to the North Carolina Department of Information Technology. New York and Pennsylvania are also considering bills that would restrict or prohibit ransomware payments, with New York’s proposed legislation prohibiting ransomware payments by both public agencies and private companies.
Arizona Amends Data Breach Reporting Law
Arizona Governor Doug Ducey signed HB 2146, which amends the state’s data breach notification law to require businesses that experience a data breach to notify the Arizona Department of Homeland Security. The new reporting requirement applies if the data breach affects more than 1,000 individuals and is intended to facilitate the Arizona Department of Homeland Security’s collection of information about cybersecurity incidents to help combat cybercrime.
FEDERAL LAWS & REGULATIONS
FTC Proposes Telemarketing Sales Rule Changes
The Federal Trade Commission (“FTC”) has proposed to amend the Telemarketing Sales Rule (“TSR”) to: (1) require telemarketers and sellers to maintain additional records of their telemarketing transactions, including a copy of each unique prerecorded message, records sufficient to show a seller has an established business relationship with a consumer, and records of the FTC’s Do Not Call Registry that were used to ensure compliance with the TSR; (2) prohibit material misrepresentations and false or misleading statements in business-to-business telemarketing transactions; and (3) establish a new definition of the term “previous donor” to prohibit telemarketers from using prerecorded messages to solicit charitable contributions from consumers on behalf of a non-profit charitable organization unless the consumer donated to that non-profit charitable organization within the last two years. The FTC is seeking public comment on its proposed amendments and on whether provisions to address the rise in tech-support scams and certain other issues should be added to the TSR. Comments are due within 60 days after the TSR’s publication in the Federal Register.
Department of Justice Releases Guidance on Artificial Intelligence and Disability Discrimination in Hiring
The U.S. Department of Justice (“DOJ”) released guidance on how algorithms and artificial intelligence can lead to disability discrimination in hiring and the violation of disability discrimination laws. The guidance describes common ways employers may use algorithms and artificial intelligence, such as in connection with showing job advertisements to targeted groups and to score applicants’ resumes. The DOJ states that when using such hiring technologies, employers must take care to avoid using them in ways that discriminate against people with disabilities, even when an employer uses third-party technology. The DOJ cautions employers to carefully evaluate the information used to build the hiring technology they use, and to examine hiring technologies before use and regularly while in use to assess whether they screen out individuals with disabilities.
Bill Promoting Cybersecurity Information Sharing between the Department of Homeland Security and State and Local Governments Passed
Congress passed the State and Local Government Cybersecurity Act, which directs the U.S. Department of Homeland Security to improve cybersecurity information sharing and coordination with state, local, and tribal governments by, among other things, providing state and local governments with access to cybersecurity tools and policies and assisting with joint cybersecurity exercises. The law also requires the U.S. Department of Homeland Security to share cybersecurity threat, vulnerability, and breach data with state and local governments and to provide resources to help assist with recovery when attacks do occur.
FTC Releases Guidance on Breach Disclosures
The FTC released guidance on effective breach disclosures. The FTC noted that many state and sector-specific breach notification laws exist but stated that regardless of whether a data breach notification law applies to a particular security incident, failure to timely disclose information that helps parties mitigate reasonably foreseeable harm may be a violation of Section 5 of the FTC Act. The guidance summarized FTC enforcement actions in which a component of FTC Act Section 5 violations related to failures to provide timely or effective breach notifications. The FTC noted that in such enforcement actions it had cited failure to timely notify consumers and making misleading statements about a security breach as acts and omissions that violated the FTC Act because they prevented affected parties from being able to take measures to mitigate harm that may result from a breach.
Medical Supply Company Settles Health Data Breach Lawsuit
A proposed $9.76 million settlement by Solara Medical Supplies (“Solara”) to resolve a class action relating to a 2019 data breach that reportedly affected 114,007 individuals received preliminary court approval in the U.S. District Court for the Southern District of California. Solara was the victim of a phishing attack that compromised company employee e-mail accounts. Those e-mail accounts contained protected health information of patients and sensitive employee information, including names, medical information, financial account information, credit card numbers, driver’s license numbers, and social security numbers, among other information. The settlement proposal includes creation of a fund of $5.06 million to cover costs associated with the administration of the settlement, attorneys’ fees, and payments to class members, with all class members who submit a valid claim eligible to receive a $100 payment. The remaining $4.7 million was attributed to Solara commitments to take steps to improve its cybersecurity posture over the next five years.
FTC Adopts Policy Statement Showing Focus on Children’s Data in Open Commission Meeting
On May 19, 2022, the FTC held an open commission meeting in which the Commission discussed and unanimously passed a policy statement that announces the FTC’s prioritization of the enforcement of the Children’s Online Privacy Protection Act (“COPPA”) (“COPPA Policy Statement”). The FTC also announced a request for public comment on proposed amendments to the guides concerning the use of endorsements and testimonials in advertising (“Endorsement Guides”). Notably, during the meeting, Republican Commissioners Christine Wilson and Noah Phillips both remarked that the COPPA Policy Statement is being issued despite the fact that the FTC has yet to complete its review of the COPPA Rule, which was initiated by the FTC in 2019. Additionally, FTC Chairwoman Lina Khan clarified that compliance with the Endorsement Guides would not provide companies with a safe harbor when it comes to child-directed advertising, arguing that children under 13 are particularly at risk of being deceived by ads. Relatedly, the FTC announced during the meeting that it will hold an event on October 19, 2022, on protecting children from stealth advertising in digital media.
U.S. Senate Confirms Alvaro Bedoya to FTC
After a series of delays during the confirmation process, the U.S. Senate approved President Biden’s nomination of Alvaro Bedoya to the FTC. Bedoya succeeds Commissioner Rohit Chopra and now gives Democratic appointees a 3-2 majority on the FTC’s Board of Commissioners. As previously reported, Bedoya currently acts as the founding director of the Center on Privacy & Technology at Georgetown Law, where he is also a visiting professor. Bedoya’s scholarship has focused on the racial biases of government surveillance and facial recognition technology. Bedoya has also previously served as chief counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law. Bedoya’s confirmation will likely help enable the aggressive enforcement agenda set forth under FTC Chairwoman Lina Khan.
INTERNATIONAL LAWS & REGULATIONS
European Union Political Bodies Move Forward Online Platform Regulation, Data Use, and Security Proposals
European Union (“EU”) political bodies took action to move forward a number of proposals to regulate online platforms, improve data security, and enhance the availability of public-sector data. The European Parliament and EU member states reached consensus on the Digital Services Act (“DSA”), which provides accountability standards for online platforms regarding illegal and harmful content. The DSA requires mechanisms to easily flag content and challenge content moderation decisions, and the establishment of know-your-customer protocols for merchants using online marketplace platforms, among other things. Meanwhile, the Council of the EU and the European Parliament agreed on the form of a new cybersecurity directive (“NIS2”) to replace the current directive on network and information system security. NIS2 would require banks, energy suppliers, digital services, medical device makers, and other critical infrastructure providers to use enhanced measures to improve cybersecurity. Separately, the Council of the EU approved the Data Governance Act (“DGA”), which is intended to facilitate the reuse by private entities of certain categories of protected public-sector data, increase trust in data intermediation, and make it easier to make data voluntarily available for the common good, such as for medical research.
European Data Protection Board Issues Guidance on GDPR Fines
The European Data Protection Board (“EDPB”) issued guidance on the calculation of administrative fines under the EU General Data Protection Regulation (“GDPR”). The EDPB guidelines are designed to provide a uniform methodology for EU member state data protection authorities to use to calculate a fine under the GDPR. Under the guidance, data protection authorities would consider (1) the categorization of the violation, (2) the seriousness of the violation, and (3) the turnover, or revenue, of the business to establish a “starting point” for the calculation of a fine for each instance of sanctionable conduct. From there, data protection authorities would evaluate aggravating and mitigating factors that are identified in the guidance to determine if a fine should be increased or decreased, identify any relevant legal maximums that may apply to fines, and, finally, determine whether further adjustments may be required to ensure the fine meets requirements for effectiveness, dissuasiveness, and proportionality.
UK Announces Data Reform Bill
The UK government formally announced its intention to introduce a Data Reform Bill. The government stated that the Data Reform Bill would seek to reduce the burden on businesses, boost the economy, and help innovation. The UK currently operates under the UK version of the GDPR and the Data Protection Act 2018, which were both put in place prior to Brexit. The UK has obtained an adequacy decision from the European Commission related to its data protection laws that is set to automatically expire in 2025. If the Data Reform Bill makes changes to UK law that are perceived by the EU to lessen data protection standards, renewal of the adequacy decision may be at risk, further complicating the international data transfer landscape.
European Commission Issues FAQs on Standard Contractual Clauses
The European Commission (the “Commission”) released a set of Frequently Asked Questions (“FAQs”) to provide practical guidance on the use of the standard contractual clauses (“SCCs”) adopted by the Commission in June 2021. The FAQs cover a variety of subjects, from basic background information about the SCCs to Schrems II requirements relating to local laws and government access to personal data in the jurisdiction of a data exporter. The FAQs are intended to provide practical guidance on the use of SCCs and assist stakeholders with GDPR compliance. The Commission states that the FAQs will be a “dynamic” source of information and will be updated as new questions arise.
RECENT PUBLICATIONS & MEDIA COVERAGE
- Proposed EU-US AI Risk Management Road Map May Crumble under Jurisdictional and Corporate Preferences (Global Data Review)
- Sensor Ships: Managing Big Data Generated in the Maritime World (Pratt’s Privacy & Cybersecurity Law Report)
- Feds Outline Broad Cyber Disclosures (Business Insurance)