Publications and Advisories
- July 31, 2023 – Dave Brown, Kate Hanniford, Kim Peretti, Julia Mediamolle, Cara Peterman, Sierra Shear, Kristen Bartolotta, and Kezia Osunsade published “Securities Law, Securities Litigation, and Privacy, Cyber & Data Strategy Advisory: SEC Adopts New Cybersecurity Disclosure Rules for Public Companies.”
- July 11, 2023 – Kathleen Benway, Sara Pullen Guercio, Sarah Beach, and Hyun Jai Oh published “Privacy, Cyber & Data Strategy / Consumer Protection/FTC / Health Care Advisory: FTC Continues Its Focus on Health Privacy.”
- July 1, 2023 – Kathleen Benway, David Keating, Sara Pullen Guercio, and Hyun Jai Oh published “Limit Your Health Data Sharing and Call Me in the Morning: Federal Trade Commission Prescribes Enforcement of the Health Breach Notification Rule” in Pratt’s Privacy & Cybersecurity Law Report.
- June 30, 2023 – Dan Felz, Ted Kang, and Paul Monnin published “Multinational Aspects of SEC Investigations” in SEC Compliance and Enforcement Answer Book.
- June 27, 2023 – Peter Swire published “Oceans Apart: The EU and US Cybersecurity Certification Standards for Cloud Services” in European Law Blog.
- June 26, 2023 – Wim Nauwelaerts published “EU: EDPB’s Finalized Guidelines on International Data Transfers Under the GDPR Explained” in Data Guidance.
Selected U.S. Privacy and Cyber Updates
FTC Launches Investigation into Creator of ChatGPT
In mid-July, the Federal Trade Commission (FTC) reportedly opened an investigation into OpenAI, the maker of ChatGPT, sending the company an extensive civil investigative demand (CID). While FTC investigations are not normally public, the Washington Post published what appears to be part of the CID. This investigation comes on the heels of FTC Chair Lina Khan stating her intention to use existing consumer protection law to protect people from the potential dangers of generative artificial intelligence. President Joe Biden’s Administration has signaled that it will take a “whole of government” approach to using existing law to combat any potentially harmful outcomes of artificial intelligence.
FTC Seeks Comments on a New Verifiable Parental Consent Mechanism Under COPPA
On July 19, 2023, the FTC announced that it is seeking comment on an application for a new verifiable parental consent mechanism under the Children’s Online Privacy Protection Act. The application, submitted jointly by the Entertainment Software Rating Board, Yoti, and SuperAwesome, asks the FTC to approve Yoti’s “Facial Age Estimation” technology as a method to obtain parental consent. The request for public comment was published in the Federal Register on July 20, 2023. Interested parties have until August 21, 2023 to submit comments.
Chinese Hackers Exploit Gap in Cloud Environment Used by U.S. Government
According to recent reports issued by Microsoft and U.S. government agencies, hackers recently exploited a gap in Microsoft’s cloud environment, enabling the malicious actors to access the email accounts of employees at the U.S. Commerce and State Departments. The hackers victimized 10 organizations in the United States, including the U.S. government, and 25 organizations worldwide. The U.S. government has not yet attributed the attack to any country or group, though Microsoft disclosed that the attack came at the hands of a “China-based threat actor.”
HHS and FTC Fire a Warning Shot at Health Care Companies Using Online Tracking Technologies
On July 20, 2023, the Office for Civil Rights of the U.S. Department of Health and Human Services and the FTC published a joint letter sent to approximately 130 hospital systems and telehealth providers. The letter warns that certain online tracking technologies that “may be present” on the recipients’ mobile apps or websites could be “impermissibly disclosing consumers’ sensitive personal health information to third parties.”
California Attorney General Launches CCPA Investigative Sweep for Employers
On July 14, 2023, California Attorney General Rob Bonta launched investigations into large California employers’ compliance with the California Consumer Privacy Act as it relates to their processing of employee and job applicant personal information.
Texas Becomes Tenth State to Enact a Comprehensive State Privacy Law
On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, making Texas the latest contributor to the growing patchwork of comprehensive U.S. state privacy laws. The TDPSA takes effect July 1, 2024, except for provisions that enable consumers to designate authorized agents to exercise on the consumers’ behalf rights to opt out of data sales and targeted advertising, which take effect on January 1, 2025.
NYDFS Releases Revised Proposed Second Amendment of Its Cybersecurity Regulation
On June 28, 2023, the New York Department of Financial Services (NYDFS) published an updated proposed Second Amendment to its Cybersecurity Regulation in the New York State Register, updating its previous proposed Second Amendment published November 9, 2022. While the new language is largely similar to the previous draft, the NYDFS incorporated a number of changes as a result of the 60-day comment period.
SEC’s Proposed Cybersecurity Rules Delayed Yet Again
On June 13, 2023, the U.S. Securities and Exchange Commission published its spring 2023 rulemaking agenda, which delayed finalizing the proposed Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies and the proposed rule on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies until at least October 2023. The proposed rules were originally intended to be finalized in April 2023.
CL0P Ransomware Gang’s Exploitation of MOVEit Vulnerability: What It Means for Companies
On June 7, 2023, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released a Joint Cybersecurity Advisory in connection with a recent zero-day (or previously undetected) vulnerability in Progress Software’s managed file transfer software, exploited by the CL0P ransomware group. CL0P publicly claimed responsibility for exploiting the vulnerability on June 5, 2023 and has a well-established history of targeting vulnerabilities in file transfer software, gaining notoriety in 2021 after the group exploited the zero-day vulnerability in Accellion’s File Transfer Appliance.
NYDFS Penalizes bitFlyer $1.2 Million for Violations of Cybersecurity Regulation
On May 1, 2023, bitFlyer USA Inc. entered into a consent order with the NYDFS for multiple deficiencies in its cybersecurity program, most notably for the failure to conduct periodic risk assessments to sufficiently inform the program’s design. BitFlyer operates a cryptocurrency trading platform and provides custodial wallet services for U.S. dollars and digital currencies, holding a virtual currency license (commonly referred to as a BitLicense) under the NYDFS virtual currency regulation. By virtue of its BitLicense, bitFlyer is a “covered entity” and must comply with the NYDFS Cybersecurity Regulation, as well as the NYDFS cybersecurity-specific requirements for virtual currency licensees, which contain requirements substantially similar to those set forth in the NYDFS Cybersecurity Regulation.
Selected Global Privacy and Cybersecurity Updates
On July 10, 2023, the European Commission (EC) adopted its long-awaited adequacy decision approving the EU-U.S. Data Privacy Framework. By doing so, the EC confirmed that personal data transferred to the United States under the framework is adequately protected in line with the EU General Data Protection Regulation’s international data transfer rules.
Council of Europe Launches Model Contractual Clauses for Transfers of Personal Data
On June 16, 2023, the Council of Europe’s Committee of Convention 108+ (the Convention for the Protection of Individuals with Regard to the Processing of Personal Data) adopted model contractual clauses for cross-border data flows. The model contractual clauses are intended to cover the transfers of personal data to countries that are not parties to Convention 108+. According to the Council of Europe, the model contractual clauses have the potential to bridge similar data transfer tools – such as the EC’s standard contractual clauses (SCCs) – and to contribute to the convergence towards appropriate data protection standards globally.
On May 23, 2023, the EC and the Association of Southeast Asian Nations (ASEAN) published guidance that identifies commonalities and differences between the EU SCCs and ASEAN’s model contractual clauses to assist companies with their efforts to comply with data transfer rules in both regions. The guidance includes a reference guide that compares the EU SCCs and the ASEAN model contractual clauses and will shortly be complemented by an implementation guide providing best practices for companies that plan to use both sets of clauses.
Events
- July 18, 2023 – Dan Felz spoke during the Atlanta IAPP KnowledgeNet Seminar “How Legal and Privacy Engineering Can Work Together for an Effective Privacy Compliance,” hosted by Alston & Bird.
- June 27, 2023 – Dan Felz, Maki DePalo, John Snyder, and Jason Waite presented “Navigating Dealmaking Regulations and Data Security, Privacy, and AI Compliance Considerations,” hosted by Alston & Bird.
- June 20–23, 2023 – Amy Mushahwar spoke on the panel “AI Basics” during the 2023 National Conference – Society for Corporate Governance.
- June 20, 2023 – Kellen Dwyer, Jenny Kramer, BJ Stieglitz, and Jason Waite presented “Alston & Bird Mid-Year Update: The DOJ’s Focus on National Security and Corporate Crime.”
- June 14–15, 2023 – Amy Mushahwar spoke on the panel “Technology Developments: How CMMC 2.0, Cybersecurity, Data Analytics, and AI are Changing the Industry” during the 14th Advanced Forum on DCAA & DCMA Cost, Pricing, Compliance & Audits.
- June 6–8, 2023 – Amy Mushahwar presented “Cyber Communications – Preparedness and Response” during the inaugural UC Tech Cyber Leadership Program.
- June 5–6, 2023 – Kim Peretti spoke on the panel “Preparing for the Inevitable: Managing a Cybersecurity Incident” and Dan Felz spoke on the panel “AdTech – Getting a Handle on a Rapidly Changing Environment” during PLI’s Twenty-Fourth Annual Institute on Privacy and Cybersecurity Law.
- May 31, 2023 – Lance Taubin spoke on the panel “Managing Third-Party Risk Throughout the Life Cycle” during the 2023 Global GRC, Data Privacy & Cyber Security ConfEx.
- May 24–26, 2023 – Peter Swire spoke on the panels “Moving Towards a Sustainable and Functional EU-US Transfers Framework?” and “‘Flexibility’ in the ‘Essential Equivalence’ Test for Data Transfers: Taking into Account Different Legal Traditions and Constitutional Constraints in Third Countries” during the 16th Computers, Privacy & Data Protection International Conference.
- May 23, 2023 – Amy Mushahwar presented “The Inevitable Is Coming: How to Take Small Steps Toward CMMC Readiness,” hosted by Alston & Bird.
- May 18, 2023 – Kate Hanniford and Alysa Austin presented on cybersecurity during the annual Investment Funds Symposium 2023.
- May 18, 2023 – Amy Mushahwar presented “It’s All About Identity – Case Studies Regarding Identity Management the Essential Nexxus of AML, Fraud, Privacy & Cyber Compliance” during the ACAMS Atlanta Chapter May Lunch and Learn.
In the News
- July 18, 2023 – Dan Felz is quoted on the impact of the Norwegian Data Protection Authority’s ruling limiting Meta’s behavioral advertising in Digiday.
- May 26, 2023 – Kim Peretti is quoted on early messaging to consumers to build trust after a data breach in Bloomberg.
- May 23, 2023 – Peter Swire is quoted on how the U.S. government is implementing changes to its surveillance of incoming data transfers from Europe in Bloomberg Law.
- February 8, 2023 – Alston & Bird’s Women in Cyber webinar “The CPRA Is Here: A Deeper Look at Data Retention & Disposal,” hosted by Kim Peretti and Kate Hanniford, was the source of “How to Comply with the CPRA’s Data Minimization Standards” in Cybersecurity Law Report.
Press Releases
Alston & Bird Earns New Practice Rankings in The Legal 500 US 2023
Alston & Bird has received recognition by The Legal 500 United States in Media, Technology, and Telecoms: Cyber Law. Partner Kim Peretti continues to be named a “Leading Lawyer” in Cyber Law.
Alston & Bird Increases Practices and Attorneys Recognized in Chambers USA 2023
Alston & Bird has received significant recognition in the 2023 edition of Chambers USA: America’s Leading Lawyers for Business, with 68 practice rankings and 149 leading lawyer listings. The Privacy, Cyber & Data Strategy Team is ranked Band 4 for Privacy & Data Security: The Elite (USA - Nationwide). Kim Peretti is ranked Band 1 for Privacy & Data Security: Incident Response and Band 2 for Privacy & Data Security (USA - Nationwide).
Pathstone Acquires Brainard Capital Management and Receives New Private Equity Investments
Alston & Bird represented Pathstone, a New Jersey–based wealth management advisor, in its acquisition of Brainard Capital Management, an independent advisory boutique in Austin, Texas, as well as in its new strategic private equity investment from Kelso & Company and its additional private equity investment from Lovell Minnick Partners. Dan Felz and Sara Pullen Guercio were noted along with other Alston & Bird attorneys for their representation of Pathstone.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Dorian Simmons.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.