Publications and Advisories
- February 10, 2023 – Kathleen Benway, David Keating, and Sara Pullen Guercio published “Privacy, Cyber & Data Strategy / Consumer Protection/FTC Advisory: Limit Your Health Data Sharing and Call Me in the Morning: FTC Prescribes Enforcement of the Health Breach Notification Rule for the First Time.”
- February 9, 2023 – Kim Peretti and Wevine Fidelis published “Privacy, Cyber & Data Strategy Advisory: Secure Data Disposal and Data Minimization.”
- February 3, 2023 – Rachel Lowe, Donald Houser, Dan Felz, and Ashley Escoe published “Privacy, Cyber & Data Strategy / Litigation Advisory: 2022’s Unwelcome Trend of Lawsuits Challenging Website Technology Is Here to Stay.”
- December 9, 2022 – Kim Peretti, Dan Felz, and Alysa Austin published “Privacy, Cyber & Data Strategy Advisory: AI Regulation in the U.S.: What’s Coming, and What Companies Need to Do in 2023.”
- November 28, 2022 – Kim Peretti, Cara Peterman, Lance Taubin, and Sierra Shear published “Mitigating the Risks in Era of Heightened Liability for CISOs” in Bloomberg Law.
Selected U.S. Privacy and Cyber Updates
On February 10, 2023, the California Privacy Protection Agency (CPPA) issued an invitation for preliminary comments on proposed rulemaking as it considers new rules for risk assessments, cybersecurity audits, and automated decision-making. The proposed rulemaking is pursuant to California Civil Code § 1798.185(a)(15)-(16), which directs the CPPA to draft regulations on these topics.
On February 3, 2023, the CPPA voted unanimously to approve the newest version of the draft California Consumer Privacy Act (CCPA) regulations. These regulations are substantively the same as those considered by the CPPA board during its October 2022 meeting. This vote marks the conclusion of a chapter that began in May 2022, when the CPPA first published draft proposed regulations.
On January 27, 2023, California Attorney General Rob Bonta announced a new investigative sweep under the CCPA. The announcement marks the third year in a row the attorney general’s office has initiated a significant enforcement or regulatory initiative on Data Privacy Day. In 2023, Bonta’s team is focusing on B2C mobile apps in several industries that allegedly fail to enable or process consumer opt-out requests or privacy requests submitted by authorized agents.
On January 6, 2023, the Federal Communications Commission (FCC) released a notice of proposed rulemaking (NPR) proposing to modernize the FCC’s data breach rules, launching a formal effort to gather information from the telecom industry on the issue of data breach reporting. The NPR, adopted on December 28, 2022, seeks to strengthen the FCC’s rules with the goal of better protecting consumers from potential harm caused by data breaches involving customer proprietary network information. In its news release, the FCC states that it will look to better align its rules with recent developments in federal and state data breach laws covering other sectors. In the NPR, this proposed alignment includes expansion of the definition of a breach, changes to customer notification, and changes to reporting to the FCC and law enforcement.
The CPPA announced during its board meeting on December 16, 2022, that the regulations implementing the California Privacy Rights Act (CPRA) will likely not go into effect until April 2023. CPPA Executive Director Ashkan Soltani stated that the CPPA staff plans to publish the final draft of the CPRA regulations in late January. If the board approves the staff’s draft without making any changes, the CPPA will be able to submit the final rulemaking package, including a final statement of reasons, to the California Office of Administrative Law (OAL) in mid-February. OAL will then have 30 business days to review the package, and the regulations will go into effect immediately upon OAL’s approval.
The New York Department of Financial Services (NYDFS) released its proposed second amendment to the Cybersecurity Regulation on October 9, 2022. The NYDFS issued a minor amendment on April 2, 2020, revising the certification of compliance date (from February to April). The proposed second amendment follows the NYDFS’s “pre-proposed” draft from July 2022 and largely tracks those requirements, with a handful of changes identified. While the language proposed is not surprising and generally aligns with the NYDFS’s prior guidance and enforcement actions (and is still subject to a 60-day comment period), the enhanced requirements will impose significant cybersecurity obligations on covered entities if adopted.
On November 15, 2022, the Federal Trade Commission (FTC) announced that it is delaying the effective date of certain changes to the Gramm–Leach–Bliley Safeguards Rule. The Safeguards Rule, which first became operative in 2003, imposes certain security requirements on nonbanking financial institutions. The FTC amended the Safeguards Rule in December 2021, and several provisions under the amendment went into effect on January 9, 2022. Some sections, however, were set to become operative on December 9, 2022. The FTC’s decision extended the deadline to comply with those provisions by six months, to June 9, 2023.
Selected Global Privacy and Cybersecurity Updates
On December 13, 2022, the European Commission took a significant step towards the adoption of the EU-U.S. Data Privacy Framework (DPF). The DPF is a new framework designed to replace the EU-U.S. Privacy Shield, which was struck down by the Court of Justice of the European Union in the Schrems II decision.
In an attempt to address the concerns raised by the Court of Justice of the EU in the Schrems II case, the European Commission issued a new set of “modernized” standard contractual clauses (SCCs) on June 4, 2021. The modernized SCCs can be used as grounds for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
On November 10, 2022, the European Parliament adopted a new cybersecurity directive, the NIS2 Directive, which is designed to replace the existing EU Directive on the Security of Network and Information Systems (Directive 2016/1148/EC) (the NIS Directive). The objective of the NIS2 Directive is to achieve a higher level of cybersecurity within the EU than has been the case under the NIS Directive. It is also designed to promote greater harmonization of cybersecurity rules across EU Member States.
- February 23, 2023 – Amy Mushahwar will speak on the panel “Innovation & Technology: Evolving Rules of Data Privacy – What Servicers Need to Know” during the MBA’s Servicing Solutions Conference & Expo 2023.
- February 9, 2023 – Dan Felz and Dorian Simmons hosted IAPP Atlanta KnowledgeNet: Careers in Privacy 2023: Bull or Bear Market?
- February 8-9, 2023 – Amy Mushahwar spoke on the panel “Fighting Financial Cyber Crime: How the Industry Is Working Together to Meet Increasing Privacy, Cybersecurity and Data Security Challenges” during the 23rd National Forum on Prepaid Accounts Compliance.
- February 8, 2023 – Dorian Simmons and Sara Guercio spoke on the panel “US State and Federal Data Privacy and Security Laws: An Overview of Data Privacy and Security Laws” and “Third-Party Vendor Selection: A Discussion of What Businesses Need to Consider from a Data Privacy and Security Perspective When Selecting Third-Party Vendors” during the Atlanta Bar Association Data Security and Privacy Symposium.
- January 31, 2023 – David Keating, Wim Nauwelaerts, Peter Swire, Karen Sanzaro, and Dorian Simmons presented “Privacy and Data in 2023: A Look Ahead.”
- January 25, 2023 – Kim Peretti and Kate Hanniford presented “Women in Cyber: The CPRA Is Here: A Deeper Look at Data Retention & Disposal.”
- January 19, 2023 – Amy Mushahwar spoke during the Charleston CyberLaw Forum hosted at The Charleston Museum.
- January 12, 2023 – Kim Peretti spoke on the panel “Ransomware Attacks: What to Do When You Get the Call” during Incident Response Forum Ransomware 2023.
- December 5, 2022 – Kim Peretti spoke during “Uber Verdict: The CISO, The Law, and The Door!”
In the News
- January 2, 2023 – Kathleen Benway is quoted on future privacy and consumer protection rulemaking from the Federal Trade Commission in Law360.
Alston & Bird announces the election of 23 lawyers to its partnership, including Dan Felz as partner with our Privacy, Cyber & Data Strategy Team.
For the third consecutive year, Global Data Review (GDR) has recognized Alston & Bird as one of the world’s 100 leading data law firms. In the “GDR 100 2023,” Alston & Bird ranks among the top 25 “Global Elite” law firms.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Dorian Simmons. For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.