Digital Download November 2022

The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – November 2022

Publications and Advisories

Selected U.S. Privacy and Cyber Updates

California Privacy Protection Agency Issues Notice of Modifications to Proposed CPRA Regulations

On November 3, 2022, the California Privacy Protection Agency (CPPA) issued a notice of modifications to the proposed regulations implementing the California Privacy Rights Act (CPRA). These proposed modifications come in response to public comments on, and are meant to clarify, previously issued modifications.  

FTC Takes Action Against Ed Tech Provider for Failure to Secure Student’s Personal Information

On October 31, 2022, the FTC announced it has taken action against education technology provider Chegg Inc. for its “careless” cybersecurity practices that exposed sensitive personal information of millions of its customers and employees. This action highlights the FTC’s continued efforts to aggressively protect consumer personal data.  

California Privacy Protection Agency Approves Modifications to CPRA Regulations

On October 29, 2022, the CPPA board approved modifications to the proposed regulations under the CPRA. The modifications will largely be based on the modified proposed regulations published on October 17, but the CPPA board directed the CPPA staff to make changes pursuant to the CPPA board meeting on October 28 and 29.

Website Analytics (Session Replay) Litigation Is Not Dead

On October 18, 2022, in Popa v. Harriet Carter Gifts Inc., No. 21-2203, the Third Circuit denied rehearing on its ruling that allows a class action alleging wiretapping claims based on the use of session replay software to proceed. The Third Circuit’s ruling, and subsequent denial of a request for rehearing, is a reminder that session replay litigation is not dead but very much alive. Companies should remain informed of these developments.  

Recent FTC Order Has Implications for Executive Liability and Corporate Data Minimization Practices

On October 24, 2022, the Federal Trade Commission (FTC) announced a proposed consent order against Drizly LLC, an online marketplace for alcohol delivery, and its CEO over the company’s alleged security failures that led to a data breach in 2020, which exposed the personal information of approximately 2.5 million Drizly customers. Drizly and its CEO were allegedly made aware of potential security deficiencies two years before the incident and did not take corrective action. The proposed order, in which the FTC alleges that Drizly had unfair information security practices and made deceptive security statements, is significant because it not only highlights the need for data minimization but also personally names and imposes requirements on the company’s CEO to implement an information security program, even if he moves to a different company.  

NYDFS Announces Significant Cybersecurity Settlement with EyeMed Vision Care

On October 18, 2022, EyeMed Vision Care LLC entered into a consent order with the New York Department of Financial Services (NYDFS) relating to a cybersecurity event from 2020 that exposed consumer nonpublic information to an unauthorized individual. EyeMed agreed to pay NYDFS a $4.5 million penalty, in addition to implementing mandatory remediation measures, including a comprehensive cybersecurity risk assessment of its information systems (and corresponding action plan for NYDFS’s review and approval).  

California Privacy Protection Agency Publishes Updated CPRA Regulations

On October 17, 2022, the CPPA published its first set of modified proposed regulations under the CPRA. The modified regulations have been published in preparation for a CPPA board meeting on October 21 and 22 to discuss possible actions regarding the proposed regulations.  

The White House Introduces New Blueprint for an AI Bill of Rights

On October 4, 2022, the White House Office of Science and Technology released the “Blueprint for an AI Bill of Rights” to guide the development and use of artificial intelligence (AI) in the United States. The White House recognized that while AI is a powerful driver of innovation, the technology can also be wielded as an invasive surveillance tool. Given AI’s growing decision-making role in sensitive domains such as housing, banking, health care, and criminal justice, there is a concern that algorithms “plagued by bias and discrimination” may lead to disparate and harmful outcomes.

CSBS Releases Cybersecurity Programs to Help Nonbank Financial Services Institutions Improve Cybersecurity Posture

On August 9, 2022, the Conference of State Bank Supervisors released two cybersecurity tools for nonbank financial services institutions to prepare for state cybersecurity exams and, ultimately, improve cybersecurity maturity. Developed by a multistate team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements.

SEC Sends a Message to Investment Advisers: Take Secure Data Disposal Seriously

On September 20, 2022, the Securities and Exchange Commission (SEC) settled an enforcement action with a large, registered investment adviser for alleged violations of the Safeguards Rule and the Disposal Rule of Regulation S-P that arose in the context of a data disposal process, imposing a $35 million penalty. Specifically, the SEC order alleged a failure to (1) adopt written policies and procedures reasonably designed for the protection of customer information; and (2) take reasonable measures to protect the personally identifiable information of 15 million customers during the disposal of data and other data decommissioning projects.

NHTSA Updates Its Guidance on Cybersecurity Best Practices for the Safety of Modern Vehicles

On September 7, 2022, the U.S. Department of Transportation’s National Highway Traffic Safety Administration released an updated edition of its “Cybersecurity Best Practices for the Safety of Modern Vehicles,” the prior edition of which was published in 2016. This most recent edition of this nonbinding guidance leverages agency research, industry voluntary standards, and findings from cybersecurity research conducted over several years. Additionally, the guidance was updated based on public comments received on the draft that was published in the Federal Register last year.

CISA Issues Request for Information Prior to Required CIRCIA Rulemaking

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information seeking input from stakeholders on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Signed by President Biden in March, CIRCIA requires CISA to develop and implement regulations requiring covered entities to report information about covered cyber incidents and ransom payments to CISA.  

Sephora Ordered to “Make Up” for CCPA Violations

On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora to account for alleged violations of the CCPA. This is the first CCPA enforcement action taken by the California AG that has resulted in a fine and settlement.  

FTC Issues Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security

On August 22, 2022, the FTC published its advance notice of proposed rulemaking (ANPR) to request public comment on commercial surveillance and data security practices. The ANPR comes as Congress is considering the federal American Data Privacy and Protection Act.  

Selected Global Privacy and Cybersecurity Updates

UK’s National Cyber Security Centre Releases 2022 Annual Review

On November 1, 2022, the United Kingdom’s National Cyber Security Centre (NCSC) released its 2022 Annual Review, which reports on the state of cybersecurity threats in the country. As the UK’s technical authority for cybersecurity, the NCSC releases an annual report covering the cyber threats from the prior 12 months and analysis of potential future challenges.  

Heavier Breach Notification Obligations for U.S. Companies Subject to the EU GDPR According to Proposed Regulatory Guidance from the EDPB

On October 18, 2022, the European Data Protection Board published a proposed updated version of its regulatory guidance on personal data breaches under the EU GDPR. The proposed updated guidance seeks to place heavier personal data breach notification obligations on controllers that are established in the United States (and other non-EU countries) and subject to the EU GDPR’s extraterritorial application provisions.  


In the News

  • October 20, 2022 – Kellen Dwyer is featured in The Lawfare Podcast discussing the fallout from the verdict in the data breach reporting trial of Uber’s former chief security officer.
  • October 12, 2022 – Dan Felz is quoted in S&P Global on how the FTC commercial surveillance rules and SEC breach reporting rules may expand the role of incident reporting in the market.
  • October 11, 2022 – Peter Swire is quoted in Bloomberg Law on how the U.S. government’s commitment to a new data privacy pact with Europe will not be a compromise.
  • October 7, 2022 – David Teske, Amy Mushahwar, Lance Taubin, Sara Guercio, and others are noted in Global Legal Chronicle for representing APM Human Services International Limited in its planned acquisition of Equus Workforce Solutions.
  • October 7, 2022 – Peter Swire is quoted in IAPP on the new redress system in the recent White House Executive Order on the U.S. national security agencies’ use of EU and U.S. personal data.
  • September 9, 2022 – Alex Brown is quoted in Nextgov on the current legal and regulatory landscape of the FTC’s proposed privacy rulemaking.
  • August 17, 2022 – Wim Nauwelaerts is quoted in The Pink Sheet on the General Data Protection Regulation and what it means for conducting Food and Drug Administration inspections in the European Union.
  • August 3, 2022 – Dan Felz and others are noted in Global Legal Chronicle for representing J.P. Morgan Real Estate Income Trust Inc. in its $5 billion initial public offering of common stock.

Press Releases

APM to Acquire Equus Workforce Solutions

David Teske, Amy Mushahwar, Lance Taubin, Sara Guercio, and others are noted for representing APM Human Services International Limited in its planned acquisition of Equus Workforce Solutions.

FLEETCOR Technologies Acquires Accrualify Inc.

David Teske, Dan Felz, Yin Zhao, and others are noted for representing FLEETCOR Technologies Inc. in its acquisition of Accrualify Inc.  

Alston & Bird Earns Broad Recognition in 2023 Best Lawyers and Ones to Watch

Two hundred and forty-two Alston & Bird attorneys have been selected by their peers for inclusion in the 2023 edition of The Best Lawyers in America©, and 99 firm attorneys have been selected for the second edition of Best Lawyers: Ones to Watch.  

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti, David Keating, and Jim Harvey. It is edited by Paul Greaves and Dorian Simmons. For additional updates, please be sure to visit our blog at The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.