Publications and Advisories
- February 5, 2024 – Angie Burnette, Kate Hanniford, and Elinor Hiller published “Health Care / Privacy, Cyber & Data Strategy Advisory: HHS Issues Cybersecurity Performance Goals Specific to the Health Care and Public Health Sector.”
- January 22, 2024 – Kathleen Benway and Hyun Jai Oh published “Consumer Protection/FTC / Privacy, Cyber & Data Strategy Advisory: FTC Proposes Significant Amendments to the COPPA Rule.”
- January 12, 2024 – Dan Felz, Wim Nauwelaerts, and Alice Portnoy published “Major EU AI Banking Ruling Will Reverberate Across Sectors” in Law360.
- January 9, 2024 – Sara Pullen Guercio published “Neurotechnology Will Spur Novel Privacy Issues and Regulations” in Bloomberg Law.
- January 2024 – Wim Nauwelaerts and Alice Portnoy published “What You Should Know About the EU Data Governance Act” in the Global Regulatory Developments Journal.
- December 21, 2023 – Kim Peretti, Kate Hanniford, Dave Brown, Rebecca Valentino, Alysa Austin, and Kezia Osunsade published “Securities Law / Privacy, Cyber & Data Strategy Advisory: SEC’s Cybersecurity Rules – SEC Issues Guidance and DOJ Establishes Processes for the National Security or Public Safety Exception.”
- November 22, 2023 – Wim Nauwelaerts and Alice Portnoy published “Privacy, Cyber & Data Strategy Advisory: What You Should Know About the EU Digital Operational Resilience Act.”
Selected U.S. Privacy and Cyber Updates
NYDFS Releases Circular Letter on Use of AI in Insurance Underwriting and Pricing
On January 17, 2024, the New York State Department of Financial Services (NYDFS) issued a proposed circular letter for comment, Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing. The letter details the NYDFS’s expectations and guidelines for the use of artificial intelligence systems (AIS) and external consumer data and information sources (ECDIS) by “all insurers authorized to write insurance in New York State, licensed fraternal benefit societies, and the New York State Insurance Fund.” While the NYDFS notes that AIS and ECDIS can provide certain benefits to consumers and insurers, they flag the unique risks – “the self-learning behavior of AIS increases the risks of inaccurate, arbitrary, capricious, or unfairly discriminatory outcomes,” and that those outcomes can disproportionately affect marginalized or vulnerable communities and individuals.
Washington AG’s Office Updates FAQs for My Health My Data Act
The Office of the Attorney General of Washington has updated the Frequently Asked Questions for the Washington My Health My Data Act to provide guidance on the AG’s position on whether businesses must publish stand-alone consumer health data privacy policies under the act. The update, first posted on January 11, 2023, states that (1) businesses must maintain a “separate and distinct link” to their consumer health data privacy policies; and (2) consumer health data privacy policies may not contain any information not required under the act.
NYDFS Releases Industry Letter on the Use of Self-Service Password Reset Feature
On January 12, 2024, the NYDFS released a new industry letter on the use of self-service password reset (SSPR) services, which enable users to reset their own password without the assistance of help desk or IT professionals. The letter discusses the risks associated with the use of SSPR services – specifically allowing for a password reset with only an email address (personal or business), SMS, or voice message.
Making (Brain) Waves: New Colorado Legislation Poised to Protect Privacy of Neural Data
On January 10, 2024, the Colorado General Assembly introduced House Bill 124-1058, which aims to amend the Colorado Privacy Act (CPA) to extend protections currently offered to “sensitive data” to neural, genetic, and other biological data.
NY AG’s Office Announces Significant Cybersecurity Settlement with Health Care Company
On January 5, 2024, the New York Attorney General’s Office announced a settlement with Refuah Health Center Inc. based on the company’s alleged failures to appropriately safeguard its patients’ information, including failing to encrypt patient information or use multifactor authentication, which allegedly resulted in a May 2021 ransomware attack that impacted approximately 300,000 patients. As part of the settlement, the company will pay $450,000 in penalties, with the possibility of suspending $100,000 when the company spends $1.2 million between fiscal years 2024 and 2028 to develop and maintain its information security program.
Colorado AG Recognizes Global Privacy Control as the First Valid Universal Opt-Out Mechanism
On December 29, 2023, the Colorado attorney general announced that the Global Privacy Control (GPC) will become the first universal opt-out mechanism the AG considers valid under the CPA. Effective July 1, 2024, controllers subject to the CPA will need to treat Colorado consumers’ privacy preferences submitted through browser signals that conform to the GPC specification as consumers’ requests to opt out of data sale or targeted advertising.
FBI Develops Decryption Tool to Combat BlackCat Ransomware
On December 19, 2023, the Justice Department announced a disruption campaign against the BlackCat ransomware group. The same press release also stated that the Federal Bureau of Investigation had developed a decryption tool to combat ALPHV/BlackCat’s ransomware variant. Over the last couple of years, BlackCat’s ransomware has risen in popularity and become one of the most prevalent in the world. Since its emergence, the group has targeted more than 1,000 networks in a wide range of industries, including those that support critical infrastructure.
NYDFS Releases Consent Order in First Enforcement Action Brought Under the Cybersecurity Regulations
After a three-year investigation/enforcement action by the NYDFS, it entered into a consent order with a large title insurer for the insurer’s violation of the NYDFS’s Cybersecurity Regulation (23 NYCRR Part 500), specifically, its failure to protect nonpublic information. The NYDFS originally brought the enforcement action in July 2020 (and the SEC had its own separate investigation and enforcement, which was concluded in 2021).
FCC Plans to Update Data Breach Notification Rules
After a decade and a half under the current data breach notification rules for telecommunications carriers and telecommunications relay services (TRS) providers, the Federal Communications Commission (FCC) unveiled plans to update and expand them. On November 22, 2023, the FCC issued a report and order that it intends to consider an update to the current data breach notification rules. While the new rules would reduce the burden on carriers and TRS providers by relieving them of the requirement to notify customers of breaches under some circumstances, they also broaden the scope of the rules in important ways.
CPPA Publishes Revised Cybersecurity Audit Regulations in Advance of Board Meeting
On December 8, 2023, the California Privacy Protection Agency (CPPA) will hold a board meeting seeking public comment on various privacy regulations. The meeting, which will take place on Zoom, will cover several topics listed in its published agenda. The New CPRA Rules Subcommittee will provide an update and present on the Draft Regulations on Automated Decisionmaking Technology, Risk Assessments, and Cybersecurity Audits. Other topics for discussion include proposed insurance regulations under the California Consumer Privacy Act, proposed regulation on the CPPA’s data broker registration fee under the DELETE Act, and updates on CPPA intergovernmental engagement, legislation, agency proposals, and priorities.
Colorado AG Publishes Shortlist of Universal Opt-Out Mechanisms
On November 21, 2023, the Colorado attorney general published a shortlist of potential universal opt-out mechanisms (UOOMs) that the AG is considering recognizing as binding under the CPA. Beginning on July 1, 2024, the CPA will require covered controllers to comply with Colorado consumers’ requests to opt out of data sales and targeted advertising submitted through UOOMs that meet the technical specifications described in the CPA rules.
Ransomware Group, in Midst of Extortion Attempt, Files Regulatory Notice with SEC
Just a month before the Securities and Exchange Commission’s Material Cybersecurity Incidents Rule is set to take effect, a ransomware group has apparently taken compliance with reporting requirements into its own hands. On November 15, 2023, the ransomware group known as BlackCat (also known as ALPHV) posted a notice on its leak site alleging that, on November 7, 2023, it breached the network of a software company that provides digital lending solutions to financial institutions and stole “customer data and operational information” from the company’s servers. What makes this most recent extortion attempt unique is that BlackCat, in addition to naming the software company on its leak site, also claims to have filed a complaint with the SEC against the company for failing to file a Form 8-K, which it alleges is required under the SEC’s new Material Cybersecurity Incidents Rule.
Selected Global Privacy and Cybersecurity Updates
National Cyber Security Centre Forecasts Upcoming Cyber Threats with AI Use for Attacks
On January 24, 2024, the UK’s National Cyber Security Centre released a new report, The Near-Term Impact of AI on the Cyber Threat, detailing how artificial intelligence will impact the effectiveness of cyber operations for 2025 and beyond. According to the report, threat actors are already using AI in cyber-attacks and the use of malicious AI will “almost certainly” increase the volume and impact of cyber-attacks, particularly ransomware, over the next two years.
It has become common knowledge that the General Data Protection Regulation (2016/679) (GDPR) heavily restricts transfers of personal data outside the European Union (EU). In the absence of an adequacy decision by the European Commission, the GDPR allows controllers and processors to transfer personal data to a third country outside the EU only if appropriate safeguards have been provided and enforceable rights and effective legal remedies are available to the data subjects whose personal data is transferred. Companies that are using EU standard contractual clauses to “import” personal data originating in the EU should be aware of the breach notification requirements that apply.
EU’s Highest Court Issues Major AI Decision with Wide-Reaching Impact
On December 7, 2023, the Court of Justice of the EU issued an important decision on how the GDPR governs AI-assisted decisions. The case arose in the financial services context, with the court holding that the GDPR’s AI rules apply when banks use credit scores to make consumer credit decisions. But the decision will likely not just impact financial services. Regulators are already indicating it may apply to other industries or business processes where AI increasingly plays a role, such as employment, health care, or housing.
Companies Prepare for Change as EU Legislators Agree on EU Artificial Intelligence Act
On December 8, 2023, following marathon negotiations, EU legislators reached a political agreement on the much-anticipated EU Artificial Intelligence Act. The AI Act is billed as the first comprehensive legal framework on AI systems worldwide and will impose obligations on both private and public sector actors that develop, import, distribute, or use in-scope AI systems.
Events
- February 15, 2024 – Dorian Simmons will speak on the panel “Artificial Intelligence: Reducing Risk to Realize Benefits” during the 2024 CLE by the Hour hosted by the Atlanta Bar Association.
- January 26, 2024 – Dan Felz spoke on the panel “Artificial Intelligence and Implications for the Healthcare Industry” during the HCCA Atlanta Regional Healthcare Compliance Conference.
- January 25, 2024 – David Keating, Wim Nauwelaerts, Kate Hanniford, Peter Swire, and Dorian Simmons presented “A Look Ahead: Privacy in 2024,” hosted by Alston & Bird.
- January 18, 2024 – Kim Peretti spoke on the panel “State of Play: LockBit, Scattered Spider, and Other New Ransomware Variants” during Incident Response Forum Ransomware 2024.
- December 18, 2023 – Kim Peretti, Kate Hanniford, Dave Brown, and Cara Peterman presented “D-Day: SEC Disclosure Day for Public Companies,” hosted by Alston & Bird.
- December 14-15, 2023 – Kim Peretti spoke on the panel “Managing a Cybersecurity Incident” during the Corporate Counsel Institute 2023.
- November 30, 2023 – Paul Greaves spoke during the Brussels IAPP KnowledgeNet seminar “Artificial Intelligence Around the World: A Comparative Approach to AI Regulation Between the EU, UK, the U.S., and China,” hosted by Alston & Bird.
In the News
- February 13, 2024 – Sara Guercio is quoted on proposed regulations for consumer neurotechnology in Colorado and Minnesota in Bloomberg Law.
- December 19, 2023 – Cara Peterman is quoted on the high stakes of the Securities and Exchange Commission’s new cybersecurity rules in CFO Dive.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Yin Tydir.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.