- April 5, 2023 – Kate Hanniford and Elinor Hiller published “Healthy Byte: White House and HHS Both Update Their Cybersecurity Guidance.”
- March 13, 2023 – Kim Peretti, Amy Mushahwar, and Kristen Bartolotta published “Privacy, Cyber & Data Strategy Advisory: White House Releases National Cybersecurity Strategy.”
- March 13, 2023 – David Teske and Hyun Jai Oh published “Intellectual Property Advisory: New National Cybersecurity Strategy Seeks to Hold Technology Companies Accountable.”
- February 24, 2023 – Wim Nauwelaerts, Dan Felz, Paul Greaves, and Josh Fox published “Privacy, Cyber & Data Strategy: Help! My Business Wants to Start Using ChatGPT!”
Selected U.S. Privacy and Cyber Updates
HHS and FTC Expanding Technology, Privacy, and Cybersecurity Divisions
The Federal Trade Commission (FTC) and U.S. Department of Health and Human Services (HHS) announced the expansion of operational areas of their organizations that are dedicated to the enforcement of laws and regulations related to technology, privacy, and cybersecurity. On February 17, 2023, the FTC announced the creation of a new Office of Technology to “strengthen the FTC’s ability to keep pace with technological challenges in the digital marketplace,” including to “strengthen and support law enforcement investigations and actions.” On February 27, 2023, HHS announced the rebranding and reorganization of divisions within the Office for Civil Rights.
New NAIC Consumer Privacy Model Law Proposed for Insurers
On January 31, 2023, the National Association of Insurance Commissioners (NAIC) Privacy Protections Working Group released Insurance Consumer Privacy Protection Model Law #674 for comment. Model 674 is intended to modernize and replace the Insurance Information and Privacy Protection Model Act #670 and the Privacy of Consumer Financial and Health Information Regulation #672, which have been widely adopted nationwide but are approximately 30 to 40 years old. Unlike its predecessors, Model 674 notably includes a safe harbor for entities that comply with the Health Insurance Portability and Accountability Act (HIPAA). The proposed model law does not impact the reporting obligations for cybersecurity events set forth under Insurance Data Security Model Law #668.
Selected Global Privacy and Cybersecurity Updates
International Data Transfers: Lessons from the EDPS’s “101 Task Force”
In August 2020, privacy activist organization None of Your Business (NOYB) – European Center for Digital Rights filed 101 complaints with the EU supervisory authorities (SAs) in connection with the transfer of personal data from Europe to the United States by companies that implemented Google Analytics and Facebook Business Tools on their websites.
EU Supervisory Authorities Clarify Breach Notification Requirements
On April 4, 2023, the European Data Protection Board (EDPB), which is composed of representatives of the EU SAs and the European Data Protection Supervisor, published an updated version of the Working Party 29 Guidelines on personal data breach notification under the EU General Data Protection Regulation (GDPR). The EDPB initially endorsed the Working Party 29 Guidelines – without amendments – when the GDPR became applicable in May 2018. However, the EDPB reconsidered whether there was a need to clarify the GDPR’s breach notification requirements, in particular regarding personal data breaches suffered by controllers that do not have an establishment in the EU. The EDPB has therefore revised and updated the relevant section of the Guidelines, while the rest was left unaltered (save for editorial changes).
China’s Standard Contractual Clauses for Cross-Border Transfers of Personal Information
On February 24, 2023, the Cyberspace Administration of China released its final version of the Standard Contract Measures for Exporting Personal Information, accompanied by a template contract outlining the standard contractual clauses. The Standard Contract Measures are effective June 1, 2023; however, organizations transferring personal information outside China before June 1, 2023 will have a six-month grace period to comply with and enter into the standard contractual clauses with the overseas recipient.
On March 15, 2023, the EDPB along with 26 EU SAs officially launched a coordinated enforcement action, focusing on the designation of data protection officers (DPOs) under the EU GDPR, and the position that DPOs hold in the organizations that appoint them.
Events
- June 6-8, 2023 – Amy Mushahwar will present “Cyber Communications – Preparedness and Response” during the inaugural UC Tech Cyber Leadership Program.
- June 5-6, 2023 – Kim Peretti will speak on the panel “Preparing for the Inevitable: Managing a Cybersecurity Incident” and Dan Felz will speak on the panel “AdTech – Getting a Handle on a Rapidly Changing Environment” during PLI’s Twenty-Fourth Annual Institute on Privacy and Cybersecurity Law.
- May 10-12, 2023 – Dan Felz will speak on the panel “Building Your Organization’s AI Compliance Program,” Peter Swire will speak on the panel “Government Access to Data for Criminal Law Purposes: Global Convergence and Challenges,” and Kate Hanniford will speak on the panel “Data Disposal: You Really Can Hit Delete” during the Privacy + Security Forum 2023, Spring Academy.
- May 4, 2023 – Peter Swire presented “Privacy Talks: U.S. and EU Legislation on Privacy Algorithms” during a live webinar hosted by Privya.AI.
- May 4, 2023 – Wim Nauwelaerts and Karen Sanzaro spoke on the panel “Creating a Comprehensive Privacy Compliance Program” hosted by the IAPP Atlanta KnowledgeNet Chapter.
- April 27-28, 2023 – Kate Hanniford spoke on the panel “Cybersecurity, Privacy and Data Protection Ethics Issues in Private Equity” during PLI’s 24th Annual Private Equity Forum.
- April 27, 2023 – Wim Nauwelaerts presented “Challenges Surrounding the Use of Artificial Intelligence in the United States and European Union.”
- April 20, 2023 – Kate Hanniford spoke on the panel “Ransomware Attack Response: Best Practices” during the Incident Response Forum Masterclass 2023.
- April 4-5, 2023 – Paul Greaves moderated the peer-to-peer roundtable “The Proposed EU Artificial Intelligence Act – Challenges for Providers and Users” during the 2023 IAPP Global Privacy Summit.
- April 4, 2023 – The Alston & Bird Privacy, Cyber & Data Strategy Team hosted the lunch program “Managing Threats to Your Data – Lessons from the Pros” during the 2023 IAPP Global Privacy Summit.
In the News
- March 15, 2023 – Peter Swire is quoted in AdExchanger on how companies can be proactive about cybersecurity by digging deep into their own code.
- February 13, 2023 – Paul Greaves is noted in Global Legal Chronicle for representing Spectrum Science in a strategic investment from Knox Lane.
Press Releases
Wim Nauwelaerts and Kim Peretti have been named to Cybersecurity Docket’s 2023 “Incident Response 50.” This marks the seventh consecutive year that Kim has been recognized among this select group of leaders in security incident management and data breach response. She was previously named to Cybersecurity Docket’s “Incident Response 30” in 2016, 2018, 2019, and 2020 and “Incident Response 40” in 2021 and 2022.
Alston & Bird Recognized by Chambers Global 2023
Alston & Bird has been recognized in the 2023 edition of Chambers Global, with 9 practices and 18 lawyers cited for excellence. Our Privacy, Cyber & Data Strategy practice is ranked Band 4 in Privacy & Data Security: The Elite. Kim Peretti is ranked Band 2 in Privacy & Data Security and in Privacy & Data Security: Incident Response.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Dorian Simmons.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.