- October 27, 2022 – Kathleen Benway, Alex Brown, and Ashley Miller published “Consumer Protection/FTC Advisory: FTC Settles with Drizly for Alleged Security Failures.”
- October 25, 2022 – Kim Peretti, Kellen Dwyer, and Mario Ayoub published “Uber Exec Trial Is a Lesson in Handling Data Breach Incidents” in Law360.
- October 19, 2022 – Kellen Dwyer published “The Fallout from the First Trial of a Corporate Executive for ‘Covering Up’ a Data Breach” in Lawfare.
- October 10, 2022 – Kim Peretti, Kellen Dwyer, and Mario Ayoub published “Privacy, Cyber & Data Strategy / White Collar, Government & Internal Investigations Advisory: Lessons from DOJ’s First Prosecution of a Company Executive Covering Up a Data Breach.”
- August, 30, 2022 – Kathleen Benway, Kim Peretti, Nanci Weissgold, and Lance Taubin’s article “What CFPB, FTC Data Security Crackdown Means for Cos.” was published in Law360.
- August 23, 2022 – Kathleen Benway, Kim Peretti, Nanci Weissgold, and Lance Taubin published “Privacy, Cyber & Data Strategy / Financial Services & Products Advisory: CFPB and FTC Looking to Ramp Up Data Security Requirements.”
- August 8, 2022 – Sean Sullivan published “Patient Cyber Harm: Strategies and Tips for Prevention, Preparation, Risk Management, and Transparency” in American Health Law Association’s Health Law Connections.
Selected U.S. Privacy and Cyber Updates
California Privacy Protection Agency Issues Notice of Modifications to Proposed CPRA Regulations
On November 3, 2022, the California Privacy Protection Agency (CPPA) issued a notice of modifications to the proposed regulations implementing the California Privacy Rights Act (CPRA). These proposed modifications come in response to public comments on, and are meant to clarify, previously issued modifications.
FTC Takes Action Against Ed Tech Provider for Failure to Secure Student’s Personal Information
On October 31, 2022, the FTC announced it has taken action against education technology provider Chegg Inc. for its “careless” cybersecurity practices that exposed sensitive personal information of millions of its customers and employees. This action highlights the FTC’s continued efforts to aggressively protect consumer personal data.
California Privacy Protection Agency Approves Modifications to CPRA Regulations
On October 29, 2022, the CPPA board approved modifications to the proposed regulations under the CPRA. The modifications will largely be based on the modified proposed regulations published on October 17, but the CPPA board directed the CPPA staff to make changes pursuant to the CPPA board meeting on October 28 and 29.
Website Analytics (Session Replay) Litigation Is Not Dead
On October 18, 2022, in Popa v. Harriet Carter Gifts Inc., No. 21-2203, the Third Circuit denied rehearing on its ruling that allows a class action alleging wiretapping claims based on the use of session replay software to proceed. The Third Circuit’s ruling, and subsequent denial of a request for rehearing, is a reminder that session replay litigation is not dead but very much alive. Companies should remain informed of these developments.
Recent FTC Order Has Implications for Executive Liability and Corporate Data Minimization Practices
On October 24, 2022, the Federal Trade Commission (FTC) announced a proposed consent order against Drizly LLC, an online marketplace for alcohol delivery, and its CEO over the company’s alleged security failures that led to a data breach in 2020, which exposed the personal information of approximately 2.5 million Drizly customers. Drizly and its CEO were allegedly made aware of potential security deficiencies two years before the incident and did not take corrective action. The proposed order, in which the FTC alleges that Drizly had unfair information security practices and made deceptive security statements, is significant because it not only highlights the need for data minimization but also personally names and imposes requirements on the company’s CEO to implement an information security program, even if he moves to a different company.
NYDFS Announces Significant Cybersecurity Settlement with EyeMed Vision Care
On October 18, 2022, EyeMed Vision Care LLC entered into a consent order with the New York Department of Financial Services (NYDFS) relating to a cybersecurity event from 2020 that exposed consumer nonpublic information to an unauthorized individual. EyeMed agreed to pay NYDFS a $4.5 million penalty, in addition to implementing mandatory remediation measures, including a comprehensive cybersecurity risk assessment of its information systems (and corresponding action plan for NYDFS’s review and approval).
California Privacy Protection Agency Publishes Updated CPRA Regulations
On October 17, 2022, the CPPA published its first set of modified proposed regulations under the CPRA. The modified regulations have been published in preparation for a CPPA board meeting on October 21 and 22 to discuss possible actions regarding the proposed regulations.
The White House Introduces New Blueprint for an AI Bill of Rights
On October 4, 2022, the White House Office of Science and Technology released the “Blueprint for an AI Bill of Rights” to guide the development and use of artificial intelligence (AI) in the United States. The White House recognized that while AI is a powerful driver of innovation, the technology can also be wielded as an invasive surveillance tool. Given AI’s growing decision-making role in sensitive domains such as housing, banking, health care, and criminal justice, there is a concern that algorithms “plagued by bias and discrimination” may lead to disparate and harmful outcomes.
On August 9, 2022, the Conference of State Bank Supervisors released two cybersecurity tools for nonbank financial services institutions to prepare for state cybersecurity exams and, ultimately, improve cybersecurity maturity. Developed by a multistate team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements.
SEC Sends a Message to Investment Advisers: Take Secure Data Disposal Seriously
On September 20, 2022, the Securities and Exchange Commission (SEC) settled an enforcement action with a large, registered investment adviser for alleged violations of the Safeguards Rule and the Disposal Rule of Regulation S-P that arose in the context of a data disposal process, imposing a $35 million penalty. Specifically, the SEC order alleged a failure to (1) adopt written policies and procedures reasonably designed for the protection of customer information; and (2) take reasonable measures to protect the personally identifiable information of 15 million customers during the disposal of data and other data decommissioning projects.
NHTSA Updates Its Guidance on Cybersecurity Best Practices for the Safety of Modern Vehicles
On September 7, 2022, the U.S. Department of Transportation’s National Highway Traffic Safety Administration released an updated edition of its “Cybersecurity Best Practices for the Safety of Modern Vehicles,” the prior edition of which was published in 2016. This most recent edition of this nonbinding guidance leverages agency research, industry voluntary standards, and findings from cybersecurity research conducted over several years. Additionally, the guidance was updated based on public comments received on the draft that was published in the Federal Register last year.
CISA Issues Request for Information Prior to Required CIRCIA Rulemaking
On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information seeking input from stakeholders on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Signed by President Biden in March, CIRCIA requires CISA to develop and implement regulations requiring covered entities to report information about covered cyber incidents and ransom payments to CISA.
Sephora Ordered to “Make Up” for CCPA Violations
On August 24, 2022, California Attorney General Rob Bonta announced a $1.2 million settlement with Sephora to account for alleged violations of the CCPA. This is the first CCPA enforcement action taken by the California AG that has resulted in a fine and settlement.
FTC Issues Advance Notice of Proposed Rulemaking on Commercial Surveillance and Data Security
On August 22, 2022, the FTC published its advance notice of proposed rulemaking (ANPR) to request public comment on commercial surveillance and data security practices. The ANPR comes as Congress is considering the federal American Data Privacy and Protection Act.
Selected Global Privacy and Cybersecurity Updates
UK’s National Cyber Security Centre Releases 2022 Annual Review
On November 1, 2022, the United Kingdom’s National Cyber Security Centre (NCSC) released its 2022 Annual Review, which reports on the state of cybersecurity threats in the country. As the UK’s technical authority for cybersecurity, the NCSC releases an annual report covering the cyber threats from the prior 12 months and analysis of potential future challenges.
On October 18, 2022, the European Data Protection Board published a proposed updated version of its regulatory guidance on personal data breaches under the EU GDPR. The proposed updated guidance seeks to place heavier personal data breach notification obligations on controllers that are established in the United States (and other non-EU countries) and subject to the EU GDPR’s extraterritorial application provisions.
Events
- December 1, 2022 – Kim Peretti, Kellen Dwyer, and BJay Pak will present “Crypto Primer – Digital Currency Security and Incident Response.”
- November 4, 2022 – Cara Peterman was the moderator and Dorian Simmons was a panelist on “Practical Tips on Cybersecurity for Corporate Lawyers” during the Society of Corporate Governance 2022 Southeastern Chapter Fall Conference.
- November 2–4, 2022 – David Keating moderated the panel on “The Purpose Limitation Under CPRA: Balancing Societal Interests in Limiting Use Rights in Data Against the Potential Impact on Innovation” and Kim Peretti moderated the panel “Breach Reporting Trends: Fundamental Shifts on the Horizon” during the Privacy + Security Forum, Fall Academy.
- October 20, 2022 – Amy Mushahwar was a panelist on “The Hidden Figures of Cybersecurity’s Talent Gap” during CyberWire’s annual Women in Cybersecurity reception.
- October 20, 2022 – David Teske and BJay Pak presented “Data Strategy Webinar – NFTs: They’re Not Just for Bored Apes Anymore.”
- October 10–11, 2022 – Kim Peretti was a panelist on “A Wolf in Sheep’s Clothing? How Data Protection Laws Regulate AI” during the fourth annual ABA Science & Technology Law Section’s AI & Robotics 2022.
- September 22, 2022 – Wim Nauwelaerts was a panelist on “Cyberattacks on the Supply Chain: Incident Response Strategies” during the Incident Response Forum Europe 2022.
- September 8–9, 2022 – Amy Mushahwar presented “Proving Cyber Smart Design to Regulators and Business Partners” during the 2022 ADAS & Autonomous Vehicle Technology Expo.
- August 30, 2022 – Kim Peretti and Cara Peterman presented “Women in Cyber – SEC Cyber Risk and Incident Disclosures: Current Trends and Looking Ahead.”
In the News
- October 20, 2022 – Kellen Dwyer is featured in The Lawfare Podcast discussing the fallout from the verdict in the data breach reporting trial of Uber’s former chief security officer.
- October 12, 2022 – Dan Felz is quoted in S&P Global on how the FTC commercial surveillance rules and SEC breach reporting rules may expand the role of incident reporting in the market.
- October 11, 2022 – Peter Swire is quoted in Bloomberg Law on how the U.S. government’s commitment to a new data privacy pact with Europe will not be a compromise.
- October 7, 2022 – David Teske, Amy Mushahwar, Lance Taubin, Sara Guercio, and others are noted in Global Legal Chronicle for representing APM Human Services International Limited in its planned acquisition of Equus Workforce Solutions.
- October 7, 2022 – Peter Swire is quoted in IAPP on the new redress system in the recent White House Executive Order on the U.S. national security agencies’ use of EU and U.S. personal data.
- September 9, 2022 – Alex Brown is quoted in Nextgov on the current legal and regulatory landscape of the FTC’s proposed privacy rulemaking.
- August 17, 2022 – Wim Nauwelaerts is quoted in The Pink Sheet on the General Data Protection Regulation and what it means for conducting Food and Drug Administration inspections in the European Union.
- August 3, 2022 – Dan Felz and others are noted in Global Legal Chronicle for representing J.P. Morgan Real Estate Income Trust Inc. in its $5 billion initial public offering of common stock.
Press Releases
APM to Acquire Equus Workforce Solutions
David Teske, Amy Mushahwar, Lance Taubin, Sara Guercio, and others are noted for representing APM Human Services International Limited in its planned acquisition of Equus Workforce Solutions.
FLEETCOR Technologies Acquires Accrualify Inc.
David Teske, Dan Felz, Yin Zhao, and others are noted for representing FLEETCOR Technologies Inc. in its acquisition of Accrualify Inc.
Alston & Bird Earns Broad Recognition in 2023 Best Lawyers and Ones to Watch
Two hundred and forty-two Alston & Bird attorneys have been selected by their peers for inclusion in the 2023 edition of The Best Lawyers in America©, and 99 firm attorneys have been selected for the second edition of Best Lawyers: Ones to Watch.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti, David Keating, and Jim Harvey. It is edited by Paul Greaves and Dorian Simmons. For additional updates, please be sure to visit our blog at www.alstonprivacy.com. The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.