Selected Developments in U.S. Law
Japan’s Personal Information Protection Committee Releases Guidance on Contact Tracing Mobile Apps to Combat COVID-19
On May 1, the Personal Information Protection Committee in Japan released guidance (only available in Japanese) on the use of contact tracing mobile apps as one of the mechanisms to combat the spread of COVID-19 and highlighted five essential consideration points.
COVID-19 Is Not a Free Pass for Privacy and Security Compliance
In the wake of stay-at-home orders stemming from the COVID-19 pandemic, companies have rushed to provide work-from-home options for many, if not all, of their employees. As exigency fades into the new normal, however, the California attorney general and New York’s Department of Financial Services (NYDFS)—two key privacy and security regulators—have indicated that COVID-19 does not give businesses an exception from compliance and will not delay enforcement activity. Businesses cannot lose sight of their privacy and security compliance programs and should reassess these programs in light of changes that have occurred while transitioning to a work-from-home environment.
Cyber Hygiene and Cyber Threats in the Age of COVID-19
The shift to remote work in response to the coronavirus (COVID-19) pandemic poses cybersecurity and information technology risks to companies, particularly due to an expanded work-from-home environment. In the midst of this environment, cybercriminals enjoy a target-rich world. We have also seen an explosion of cybercriminal activity taking advantage of the unique uncertainties of the COVID-19 pandemic. A recent FBI alert highlights the large volume of complaints related to COVID-19 scams, and media reports and government guidance point to the proliferation of phishing and similar exploits. At the same time, non-COVID-19 threats persist.
FTC Cautions Against Biased Outcomes in Use of AI and Algorithms
As the health care and financial impacts of COVID-19 continue to evolve with the global pandemic, the use of artificial intelligence (AI) technology and associated risks have received greater attention. On April 8, 2020, the FTC posted an extensive summary of its recent enforcement actions, studies, and guidance regarding the use of AI tools and algorithms. The summary weaves together a handful of FTC enforcement actions and the FTC’s 2016 report on Big Data and 2018 hearings on AI, algorithms, and predictive analysis. The FTC’s compilation is intended to aid companies managing the risks associated with the use of AI, design algorithms, evaluate training data, and develop an audit/accountability program to ensure their use of AI tools does not result in biased outcomes.
CCPA Plaintiffs Testing Whether Any CCPA Violation Can Be Used to Bring Class Actions
Plaintiffs’ counsel have started to lay the groundwork in the last few weeks for a broad private right of action under the California Consumer Privacy Act (CCPA). Alston & Bird has published an advisory that evaluates this recent CCPA litigation and offers practical advice to companies as they build CCPA compliance.
Location and Mobile Data in the Fight Against COVID-19 – An Overview of U.S. and Global Efforts
As cases continue to mount globally, governments are increasingly seeking to leverage consumer geolocation and other mobile device data to assist with fighting the spread of COVID-19. Location data can be of significant value to public health models, such as models that determine areas where social-distancing measures are needed or test whether such measures are effective. In some areas, governments are also using location data for contact tracing or for measures designed to monitor and enforce quarantine of individuals who have tested positive for COVID-19 or persons they have come into contact with.
In Response to COVID-19, NYDFS Delays While CA AG Declines to Change CCPA Timing
According to a report from the International Association of Privacy Professionals, the California attorney general has confirmed that enforcement of the CCPA will not be delayed due to the COVID-19 pandemic. “We’re committed to enforcing the law as early as July 1,” said a representative of the attorney general’s office. The statement from the attorney general’s office goes on to emphasize the importance of data security, which may suggest that data security will be an initial focus of enforcement efforts.
New York Financial Regulator Requires COVID-19 Risk Assessment, Operational Planning
Last week, the NYDFS issued letters to all its licensed financial institutions. Based on these letters, all NYDFS licensees must assess and plan for the financial risk of COVID-19 and, separately, develop operational plans for managing their response to the virus. The NYDFS requires written responses “as soon as possible,” but within 30 days in any case. As a result, impacted businesses should be actively preparing responses to the NYDFS’s detailed request, if they have not already.
California Attorney General Issues Second Round of Modifications to CCPA Regulations
On March 11, 2020, California Attorney General Xavier Becerra announced a second round of modifications to the draft regulations his office is preparing for the CCPA. The updates contain a number of material modifications to the initial CCPA regulations that Becerra’s office released in October 2019.
DOJ Releases Guidance on Gathering Threat Intel from the Dark Web
The Cybersecurity Unit (CsU) of the Computer Crime and Intellectual Property Section of the Criminal Division of the U.S. Department of Justice (CCIPS) has released its guidance, Legal Considerations When Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources. The CsU prepared the guidance—with input from the FBI, Secret Service, and Office of Foreign Assets Control—to help companies assess the legal risk associated with information security practitioners gathering intelligence from online forums where computer crimes are discussed and planned and stolen data is bought and sold. The guidance also addresses the legality of situations when private actors attempt to purchase their own stolen data (or stolen data belonging to others but with the “data owners’” authorization), malware, or security vulnerabilities from potentially criminal actors.
High-Profile Settlements, Strengthened Data Security Orders, and COPPA: The FTC’s 2019 Privacy and Data Security Update
Each year, the Federal Trade Commission (FTC) publishes a report on its consumer privacy and data security activities during the prior year. On February 25, 2020, the FTC released its 2019 Privacy and Data Security Update. The update contains a summary of the FTC’s enforcement, advocacy, and rulemaking actions as well as its privacy and security-related workshops, consumer education and business guidance, and international engagement. The update is a useful way to see what the FTC focused on in the prior year and where to expect continued interest.
FBI Releases IC3 2019 Internet Crime Report
The FBI’s Internet Crime Complaint Center (IC3) has released its 2019 Internet Crime Report on trends and statistics of suspected cybercrimes from 2019. The report gathers data from 467,361 complaints, an increase from prior years, with dramatic losses exceeding $3.5 billion. In addition to an explanation of the IC3’s history and operations, the report includes six “hot topics” from 2019: business email compromise, IC3 Recovery Asset Team (RAT), RAT successes, elder fraud, tech support fraud, and ransomware.
The Updated CCPA Regulations: Alston & Bird Detail the 30 Key Business Impacts
California Attorney General Xavier Becerra released updated regulations to the CCPA. The updates contain a number of material modifications to the initial CCPA regulations that Becerra’s office released in October 2019.
DOJ Indicts Chinese Military Personnel for Involvement in 2017 Equifax Breach
On February 10, 2020, the U.S. Department of Justice announced charges against four members of China’s People’s Liberation Army (PLA) for their alleged involvement in the 2017 Equifax hack that resulted in the theft of the personal information of 145 million Americans. In the nine-count indictment, the four individuals, Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei, members of the PLA’s 54th Research Institute, were charged with computer fraud, economic espionage, and wire fraud for allegedly conspiring to hack into Equifax’s networks, maintain unauthorized access to those computers, and steal sensitive information, including trade secrets.
SEC Releases Detailed Set of “Cybersecurity and Resiliency Observations”
On January 28, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a detailed set of observations culled from thousands of examinations of registered investment advisers, broker-dealers, clearing agencies, national exchanges, and other SEC registrants. These observations represent the most detailed compilation of strategies and tools that OCIE has observed to promote effective cybersecurity programs.
California Releases Modified CCPA Regulations
On February 7, 2020, the California Office of the Attorney General released modified regulations to the CCPA. The modified regulations update the initial proposed regulations, which were previously published on October 11, 2019.
EU and United Kingdom Updates
UK ICO Publishes the Final Version of Its Age Appropriate Design Code
On January 21, 2020, the UK ICO published the final version of its Age Appropriate Design Code, which sets out 15 standards that online services should meet to protect children’s privacy. The Design Code applies not only to online services squarely aimed at children but also online services likely to be accessed by children.
Press Releases
Alston & Bird Widely Recognized in Chambers USA 2020 – Alston & Bird has earned wide recognition in the 2020 edition of Chambers USA: America’s Leading Lawyers for Business.
Sixteen Alston & Bird practices received Nationwide rankings, including Privacy & Data Security. Kim Peretti was ranked Nationwide in the area of Privacy & Data Security for the fourth year in a row.
Alston & Bird Launches Women in Cyber Network – Alston & Bird announced the launch of the Women in Cyber™ network, a unique and innovative program that brings together private practice and in-house lawyers, cybersecurity practitioners, and information technology professionals to tackle the need for cross-functional engagement in addressing enterprise cybersecurity risk. Partners Kim Peretti, co-leader of Alston & Bird’s Cybersecurity Preparedness & Response Team, and Amy Mushahwar, member of the firm’s Privacy & Data Security and Cybersecurity Preparedness & Response Teams, serve as co-directors of the network, with support from Alston & Bird associates Emily Poole and Alysa Austin.
Kim Peretti Named to Cybersecurity Docket’s 2020 “Incident Response 30” – Kim Peretti, Alston & Bird partner and co-chair of the firm’s Cybersecurity Preparedness & Response and National Security & Digital Crimes Teams, has been named to Cybersecurity Docket’s 2020 “Incident Response 30,” which recognizes the “30 best data breach response lawyers in the business.” As described by the publication, the Incident Response 30 “celebrates the ‘best of the best’—30 true leaders in this field who are setting the standard” and “who have established themselves as the ‘first call’ for companies hit with a cyber-attack or other data security incident.” This is the fourth time Peretti has been selected to the list, having also been honored in 2016, 2018, and 2019.
Alston & Bird Recognized by Chambers Global 2020 – Alston & Bird has been recognized in the 2020 edition of Chambers Global, with six practices and 13 lawyers cited for excellence. Chambers Global also singled out Kim Peretti as a leading lawyer in the area of Privacy & Data Security.
In the News
- April 24, 2020 – Kim Peretti is quoted in Law.com on launching Alston & Bird’s Women in Cyber network to connect female executives and encourage discussion on cybersecurity’s enterprise risks and legal challenges.
- March 24, 2020 – Kate Hanniford is quoted in Compliance Week on state privacy laws during the COVID-19 pandemic and how remote work arrangements have raised important privacy and security compliance issues.
- March 24, 2020 – Amy Mushahwar is quoted in American Banker on how the newly mobile working-from-home workforce created by COVID-19 could make banks more susceptible to cybersecurity threats. (Subscription required)
- March 18, 2020 – Law360 notes Alston & Bird as a “CyberSavvy 16” law firm in BTI Consulting Group’s 2020 Cybersecurity & Data Privacy Report. (Subscription required)
- March 18, 2020 – Sean Sullivan is quoted in Bloomberg Law on how to balance the pressing COVID-19 demand for telehealth against potential data and privacy risks under the Health Insurance Portability and Accountability Act. (Subscription required)
- March 2, 2020 – Kathleen Benway comments in FTC Watch on the impact that the Federal Trade Commission’s revised data-security orders will have on businesses. (Subscription required)
- February 11, 2020 – Larry Sommerfeld is quoted in Legal Tech News on the forensic challenges posed by encryption platforms.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.