The BR Privacy & Security Download: November 2023
Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
STATE & LOCAL LAWS & REGULATIONS
California Attorney General Appeals Decision to Enjoin the California Age-Appropriate Design Code Act
California Attorney General Rob Bonta filed a notice of appeal to overturn a preliminary injunction issued by the U.S. District Court for the Northern District of California on September 18, 2023, which halted enforcement of the California Age-Appropriate Design Code Act (“CA AADC”). The appeal was submitted to the U.S. Court of Appeals for the Ninth Circuit. Attorney General Bonta stated in a press release, “We are filing a notice of appeal today to defend California’s first-in-the-nation children’s online safety law. We believe the district court decision is wrong, and that we should be able to protect our children as they use the internet. Big businesses have no right to our children’s data: childhood experiences are not for sale.” A diverse group of organizations representing youth, parents, educators, pediatricians, mental health providers, technologists, researchers, privacy groups, and advocates sent a letter to Attorney General Bonta supporting his decision to defend the CA AADC.
Utah Department of Commerce Proposes Rules to Regulate Social Media Companies
The Utah Department of Commerce published proposed rules for the Utah Social Media Regulation Act (“SMRA”), which was signed into law earlier this year. The proposed SMRA rules include a range of requirements on social media companies related to minors’ use of the platforms. The rules include an age verification process that requires social media companies to verify the ages of accountholders to determine whether they are minors. In addition, the SMRA prohibits social media platforms from allowing a minor to hold an account without the express consent of the minor’s parent or guardian. Finally, the law also includes restrictions on minors’ accounts that prohibit direct messaging and advertising, limit the collection and use of personal information from the account, and limit the hours minors can use their accounts. The SMRA will be enforceable by the Division of Consumer Protection and includes a private right of action.
California Amends CPRA Definitions
California Governor Newsom signed into law AB 947 (effective January 1, 2024) and AB 1194 (effective July 1, 2024), both amending the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”). AB 1194 clarifies that “personal information,” as defined under the CPRA, includes information about an individual’s reproductive health (including contraception, pregnancy, or abortion services) and that a consumer accessing, procuring, or seeking reproductive health services does not constitute a “risk of danger of death or serious physical injury” that would otherwise exempt such data from the protections and obligations imposed by the CPRA. AB 947 further expands the enhanced consumer rights (e.g., the right to opt out of the use or sharing of that information by a business) and protections with regard to consumers’ “sensitive personal information” under the CPRA to not only include personal information that reveals a consumer’s racial or ethnic origin (e.g., heritage) but also “citizenship or immigration status” (e.g., whether an individual sought asylum).
California Passes Bill Regulating Manufacturing and Use of In-Vehicle Cameras
California passed into law SB 296 to (1) require dealers and manufacturers of new motor vehicles equipped with in-vehicle cameras sold or leased in California to provide certain disclosures; (2) prohibit any image or video recording collected through an in-vehicle camera from being sold to a third party or used for advertising purposes; (3) restrict when images and video recordings may be shared, retained, downloaded, or otherwise accessed by third parties; and (4) prohibit any person or entity from compelling a manufacturer or other entity to build specific features for purposes of investigation or monitoring by law enforcement. “In-vehicle camera” means “any device included as part of a vehicle by the manufacturer that is designed to, or is capable of, recording images or video inside the cabin of the vehicle.” A manufacturer, person, or entity that knowingly sells or leases a vehicle equipped with an in-vehicle camera in violation of SB 296 is subject to enforcement by the Attorney General for injunctive relief and civil penalties up to $2,500 per vehicle.
FEDERAL LAWS & REGULATIONS
President Biden Issues Executive Order on AI
President Biden issued an Executive Order on safe, secure, and trustworthy AI (“EO”). The EO is intended to enhance AI safety, security, and privacy while advancing equity and civil rights by addressing algorithmic discrimination issues through training, technical assistance, and coordination between the Department of Justice and federal civil rights offices. The EO also directs the U.S. Department of Health and Human Services to create a program to evaluate potentially harmful AI-related healthcare practices and create resources on how educators can responsibly use AI tools. The administration also seeks to support workers with the EO by mandating the creation of a report on potential labor market implications of AI and to promote innovation and competition through grants for AI research.
FTC Publishes Blog on Consumer AI Concerns
The Federal Trade Commission (“FTC”) published a blog describing the various consumer concerns related to artificial intelligence (“AI”). The FTC organizes these concerns into three categories: (1) concerns about how AI is built – i.e., copyright and intellectual property infringement and the use of biometric and personal data to train AI models or generate voice prints; (2) concerns about how AI works and interacts with users – i.e., the harms from biases and inaccuracies in AI, and the limited pathways to appeal decisions for products using AI; and (3) concerns about how AI is applied in the real world – i.e., scams and fraud powered by AI and malicious use of AI. The FTC notes that it will watch the marketplace as more AI products emerge and are “invested in understanding and preventing harms as this new technology reaches consumers and applying the law.”
FTC Amends Safeguards Rule to Report Data Security Breaches
The FTC approved an amendment to the Safeguards Rule that requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, payday lenders, accountants and tax preparation services, real estate appraisers, and credit counselors, to notify the FTC of certain security breaches. The amendment requires non-banking financial institutions to report to the FTC any unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information of more than 500 customers within 30 days of discovery. Unauthorized acquisition is the acquisition of information without the authorization of the individual to whom the information pertains. The notice to the FTC must include certain information about the event, such as the date range of the event (if it can be determined), the number of consumers affected or potentially affected, and a general description of the event. Such notices will be publicly available. The amendment will become effective 180 days after publication in the Federal Register.
CFPB Proposes Rule to Accelerate Shift to Open Banking
The Consumer Financial Protection Bureau (“CFPB”) has proposed the Personal Financial Data Rights Rule (“PFDR”) that would accelerate a shift toward open banking. The PFDR is intended to allow consumers to have control over their financial data and gain new protections against companies misusing this data. Under the PFDR rule, individuals would have the power to share data about their use of checking and prepaid accounts, credit cards, and digital wallets. The rule would also ensure that consumer banks provide personal financial data at no charge to consumers and enable individuals to walk away from inadequate services and products. Finally, the PFDR rule would provide protections to prevent unchecked surveillance and misuse of data. The PFDR requirements would be implemented in phases, with larger providers being covered sooner than smaller ones.
EPA Withdraws Public Water System Cybersecurity Rule
The Environmental Protection Agency (“EPA”) issued a memorandum withdrawing a March 2023 memorandum that interpreted existing regulations under the Safe Drinking Water Act as requiring states to address cybersecurity protections in regular safety audits. In July, the United States Court of Appeals for the Eighth Circuit blocked the EPA from implementing the new interpretation and the EPA issued the withdrawal as a result of the litigation. The EPA stated that cybersecurity in the water sector remains one of the EPA’s highest priorities, and that the agency encourages all states to voluntarily review public water system cybersecurity programs to ensure that any vulnerabilities are identified and corrected.
OCR Publishes Telehealth Resources for Providers and Patients
The U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) issued two resources to help with the privacy and security of protected health information (“PHI”) when using telehealth services. The first resource is for healthcare providers on “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth.” While the Health Insurance Portability and Accountability Act (“HIPAA”) does not require healthcare providers to provide this education, the resource provides suggestions for discussing with patients: (1) telehealth options offered, (2) risks to PHI, privacy, and security practices of remote communication technology vendors, and (3) applicability of civil rights laws. The second resource entitled “Telehealth Privacy and Security Tips for Patients” provides recommendations patients can implement to protect and secure their PHI, such as conducting telehealth appointments in a private location, turning on multi-factor authentication or using encryption if available, and avoiding public Wi-Fi networks.
NY Court Holds Banking Customer Cannot Recover $8.5M Loss in Online Spoofing Attack
The U.S. District Court for the Southern District of New York granted summary judgment in favor of the defendant, Sterling National Bank (“Sterling”), in Niram, Inc. v. Sterling National Bank. Niram, Inc. (“Niram”), a customer of Sterling’s commercial banking services, filed suit under New York’s UCC and common law claims of gross negligence and breach of contract, seeking to recover $8.57 million after Niram became the target of a successful online “spoofing” fraud in which an attacker gained access to Niram’s president’s email account and directed employees to initiate wire transfers from Niram’s account at Sterling. Niram alleged that most of the sixteen total wire transfers would have been avoided if Sterling followed appropriate transfer and security protocols. The Court disagreed and held that the bank had no duty to refund its customer because Niram, through the acts of its agents, “authorized” Sterling to make the transfers, even if erroneously.
Blackbaud Settles with 49 States and D.C. Attorneys General for 2020 Data Breach
Blackbaud, represented by Blank Rome, reached a settlement with 49 state Attorneys General and the District of Columbia related to a ransomware attack the company suffered in 2020. With this resolution, Blackbaud has agreed to pay a total of $49.5 million to the 49 states and the District of Columbia. In addition, Blackbaud has agreed to comply with applicable laws, not to make misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements, and similar matters, and to implement and improve certain cybersecurity programs and tools.
We would also like to congratulate our good client, Blackbaud, Inc., for receiving the governance team of the year (small to mid-cap) award at the recent Corporate Governance Awards, announced at a gala ceremony in New York. The Corporate Governance Awards celebrate outstanding achievements by the governance profession in many areas including hosting AGMs, compliance and ethics programs, ESG reporting, entity management, use of technology, proxy statements, investor engagement, and corporate transactions.
Thirty-Three Attorneys General File Multistate Lawsuit against Meta for Harms to Children
California Attorney General Bonta and a coalition of thirty-two other attorneys general filed a federal lawsuit against Meta Platforms, Inc. and affiliates (collectively, “Meta”) in the Northern District of California. The lawsuit alleged that Meta, among other things, violated the federal Children’s Online Privacy Protection Act (“COPPA”) and various state laws regarding false advertisements, unfair competition and trade practices, and consumer protections, in connection with (1) Meta’s business model of maximizing young users’ time and attention on its platforms; (2) employing harmful and psychologically manipulative product features while falsely assuring the public about the safety and suitability of said features; (3) publishing misleading reports on the rates of user harms; and (4) downplaying and refusing to address those harms to young users despite overwhelming evidence shown by both internal and independent research.
TransUnion to Pay $15 Million to Settle FCRA Violation Claims
The Federal Trade Commission (“FTC”) and Consumer Financial Protection Bureau (“CFPB”) obtained a $15 million settlement with TransUnion LLC and its subsidiary (“TransUnion”) over violations of the Fair Credit Reporting Act (“FCRA”). The FTC and CFPB state that TransUnion failed to ensure the accuracy of the information included in its tenant background screening reports. Specifically, TransUnion included inaccurate and incomplete eviction records about consumers, which hampered their ability to obtain housing. In addition, TransUnion included inaccurate labels in its reports, which mischaracterized the nature of information in consumers’ eviction records. TransUnion and its subsidiary will be required to take steps to cure the alleged violations and to enable consumers to dispute inaccurate information in the future. Finally, out of the $15 million settlement, $11 million will be used to compensate consumers, with the remaining $4 million deposited in the CFPB’s civil penalty fund.
INTERNATIONAL LAWS & REGULATIONS
European Union Court Rejects Interim Challenge to EU-U.S. Data Privacy Framework
The European Union’s General Court issued a ruling denying European Parliament member Philippe Latombe’s request for interim relief halting the implementation of the EU-U.S. Data Privacy Framework (“DPF”). Latombe had challenged the legality of the DPF in his personal capacity on the basis that the DPF does not comply with the Charter of Fundamental Rights of the European Union and fails to comply with procedural requirements for valid legislation. The court ruled that the request failed because Latombe had not shown he would suffer serious harm absent a suspension of the DPF. Latombe’s challenge to the DPF will not be the last. Austrian privacy activist Max Schrems, whose efforts toppled two prior EU-U.S. data transfer frameworks, has already announced that he will be challenging the new EU-U.S. Data Privacy Framework.
China Expected to Finalize Data Transfer Rules as Standard Contracts Grace Period Sunsets
The public comment period for the latest draft Provisions on Regulating and Facilitating Cross-Border Data Flows (the “Draft Provisions”) published by the Cyberspace Administration of China (“CAC”) has closed. Although the Draft Provisions lack a specific implementation date, new rules are expected to be finalized soon, as the grace period to comply with the Standard Contract Measures under the Personal Information Protection Law of China expires on November 30, 2023. Once adopted, the Draft Provisions will significantly change China’s data export rules, which may be satisfied under current law through any of the three data export compliance options, by introducing new exemptions for certain types of data, purposes of transfer, and organization size. However, certain issues remain unresolved, such as the scope of “important data” and what criteria are used to measure and prove the “necessity” of certain data transfers.
United Kingdom’s Data Protection Authority Raises Alarm over Potential Snapchat Privacy Risks
The U.K. Information Commissioner’s Office (“ICO”) has issued a preliminary enforcement notice to Snap Inc. and Snap Group Ltd. (“Snap”) after an investigation found that Snap failed to adequately assess the data protection risks posed by generative AI technology introduced by the company. In February 2023, Snap launched the “My AI” feature for UK Snapchat+ subscribers. The feature is powered by OpenAI’s ChatGPT technology, which enables a chatbot to generate humanlike text based on context and past conversations. According to the ICO, while Snap conducted a risk assessment prior to launching “My AI,” it failed to adequately identify and assess the data protection risks to users, particularly teenagers. The ICO’s preliminary enforcement notice will provide Snap an opportunity to make representations before a final notice is issued.
United Kingdom’s Information Commissioner’s Office Publishes Guidance on Lawful Workplace Monitoring
The U.K. Information Commissioner’s Office (“ICO”) published guidance to provide clarity and practical advice to help employers comply with the U.K.’s data protection laws while implementing monitoring in the workplace. The guidance includes various checklists to review considerations prior to implementing any monitoring, compliance requirements for monitoring tools that use solely automated processes, specific data considerations, and whether biometric data for employee timekeeping and attendance may be appropriate. In announcing the publication of the new guidance, the ICO called on organizations in both the public and private sectors to consider their legal obligations and workers’ rights prior to implementing any monitoring. The guidance also provides good practice advice to help employers build trust with their workers by conducting any monitoring lawfully, transparently, and fairly.
Canadian Court Rules Search Engine Subject to Right to Be Forgotten
The Canadian Federal Court of Appeal ruled that Google is subject to Canadian federal privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and not covered by an exemption in the law for journalistic or artistic work. The case stems from an individual complaint to the federal Privacy Commissioner requesting the delisting of allegedly inaccurate and outdated information. The Privacy Commissioner had asked the Federal Court to rule on whether PIPEDA applied. The ruling clarifies that the Privacy Commissioner has the authority to review the complaint and determine whether to recommend to Google that it comply with the individual’s request.
RECENT PUBLICATIONS & MEDIA COVERAGE
Don’t Forget to Put SEC Cybersecurity Matters on Your Board Agenda This Fall! (Blank Rome Client Advisory)