Right To Know - April 2023, Vol. 5

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed. 

State Actions:  

• California Privacy Right Act Rules Finalized. On March 30, 2023, the California Privacy Protection Agency announced the first California Privacy Rights Act rulemaking package was approved by the California Office of Administrative Law following its review. The final regulations, which come ahead of the CPRA’s 1 July enforcement, contain no substantive changes to the CCPA’s final draft submitted in February. The first rulemaking package addresses regulations concerning data processing agreements, consumer opt-out mechanisms, mandatory recognition of opt-out preference signals, dark patterns, and consumer request handling. A second set for rulemaking is expected from the Agency later this year, which will address the requirements of cybersecurity audits, privacy risk assessments, and profiling.
• Iowa Enacts Comprehensive State Privacy Law. This month Iowa joined a growing group of states that have passed comprehensive state privacy legislation. Like Colorado, Connecticut, Utah and Virginia, Iowa’s law applies to covered entities that control or process personal data of 100,000 Iowa consumers or derive 50% of revenue from selling the data of more than 25,000 consumers. The privacy notice requirements of the new state law are also not unique – if a company has already drafted a privacy policy compliant with the CCPA or the VCDPA, the company does not have to amend the policy to fit Iowa’s legislative requirements. One major distinction from other state privacy laws is that the Iowa law does not include sensitive data opt-in consent requirement nor offer the consumer the right to require a business to correct their personal information. 
• Utah Passes First of Its Kind Social Media Law. Utah passed a first-of-its-kind statute, the Utah Social Media Regulation Act, which has an effective date of March 1, 2024. The law requires social media companies to have robust age verification procedures in place for maintenance of opening of a social media account by Utah residents. The law prohibits the opening or maintenance of a social media account by a Utah resident under the age of 18, unless that individual has the express consent of a parent. The law also provides parents and guardians a means to access minors’ (under the age of 18) accounts and view all posts, responses, and messages. The statute also imposes off-hours digital curfew (10:30 p.m. to 6:30 a.m.) subject to parent modification. Industry allies and some advocacy groups have already pledged to challenge the law on privacy and First Amendment grounds. 
• Colorado Insurance Division Announces Stakeholder Engagement on AI Regulations. Following the Colorado Division of Insurance (“DOI”) release of its draft Algorithm and Predicative Model Governance Regulation (the “Draft AI Regulation”), the DOI announced that it will engage in a first round of stakeholder engagement. Recall, the Draft AI Regulation, which is promulgated under a 2021 Colorado state law, requires life insurers in the state that use consumer data, algorithms and predictive models in the underwriting process to develop an AI governance and risk management framework, implement certain technical controls and maintain comprehensive documentation concerning the use of these algorithmic and predictive tools, including up-to-date inventories and evaluations of the algorithms or predictive models.  The regulations are currently subject to a public comment period but are expected to be finalized later this year. 
• New York City issued Final Regulations under its Automated Employment Decision Tools Law (Local Law 144). The New York City Department of Consumer and Workplace Protection released the highly anticipated final rules implementing Local Law 144, which regulates the use of automated employment decision tools (AEDT) by employers and other entities in the City. Generally, LL144 prohibits the use of AEDTs by employers in the City unless the AEDT has first been subjected to a bias audit, information about the bias audit results have been publicly posted, and written notices and opt-out rights have been provided to employees or job candidates in advance of their use. The final regulations expanded the definition of machine learning and artificial intelligence and modified important requirements concerning the requirements of the bias audit and the independence of the auditor involved in the audit. While the law has been effective as of earlier this year, the final regulations have an effective and enforcement date of July 5, 2023. 
• New Jersey Adopts 72 Hour Breach Notification Requirement for Public Agencies. On March 13, 2023, New Jersey Governor Phil Murphy signed legislation that requires State agencies and government contractors to report cybersecurity incidents to the New Jersey Office of Homeland Security and Preparedness within 72 hours of an incident. The law broadly covers all public agencies in New Jersey, as well as government contractors, including municipalities, counties, kindergarten through 12th grade public schools, public colleges and universities and State law enforcement agencies, among others.
• State Attorneys General Location Tracking Settlement. On March 20, 2023, the New Hampshire Office of the Attorneys General announced that it had joined a group of 5 attorneys general who have settled with Google for $9 million for misleading consumers about its location tracking practices. The settlement resolves allegations from the attorneys general that Google caused users to be confused about two account settings that control data collection of the users’ location. The settlement requires Google to be more transparent with consumers about its practices. For more information visit the New Hampshire Department of Justice website here.   

Regulatory:   

• New Hires Expected at the FTC. The Federal Trade Commission’s Congressional Budget Justification for Fiscal Year 2024 proposed hiring an additional 310 full-time employees, including 62 employees specifically dedicated to “increasingly complex consumer protection investigations, including privacy and data security issues.” 
• White House Releases National Cybersecurity Strategy. On March 2, 2023, the Biden administration announced a new National Cybersecurity Strategy to “make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.” It includes five pillars: (1) defend critical infrastructure, (2) disrupt and dismantle threat actors, (3) shape market forces to drive security and resilience, (4) invest in a resilient future, and (5) forge international partnerships to pursue shared goals. The strategy proposes to add more mandatory requirements to the current, largely voluntary, public-private approach. It presents a framework that will require executive action and legislation to take effect.
• FBI Releases 2022 Internet Crime Report. The FBI’s Internet Crime Complaint Center (IC3) released its 2022
  Internet Crime Complaint Report in March 2023. The report includes only reported crimes and notes that many crimes are unreported. IC3 received 800,944 reported complaints, with losses exceeding $10.3 billion. Phishing schemes were the number one crime reported last year and, for the first time, investment schemes reported the highest financial loss to victims. It reports on successes of IC3’s Recovery Asset Team (RAT), which was established in February 2018 to streamline communication with financial institutions and assist FBI field offices with the freezing of funds for victims who made transfers to domestic accounts under fraudulent pretenses. Victims can directly file an online report with IC3.
• FTC’s Artificial Intelligence Guidance:  This month, the FTC released guidance titled “Keep Your AI Claims in Check,” reiterating its authority to regulate unfair and deceptive claims concerning a business’s use of Artificial Intelligence under Section 5 of the FTC Act. The guidance warned companies not to exaggerate or mischaracterize their use of AI tools or use of data, not to make claims that are unsupported by scientific study or underlying data, and – critically – stated that businesses cannot blame third party vendors whose technologies they use and are themselves responsible for knowing the ins and outs of any AI solutions utilized by the business.
• Executive Order Tells Federal Agencies to Address Algorithmic Discrimination. U.S. President Joe Biden directed federal agencies to address “discrimination” within algorithms used by technology companies in the “Executive Order on Further Advancing Racial Equity.”   The Order defined algorithmic discrimination to include “instances when automated systems contribute to unjustified different treatment or impacts disfavoring people” based on protected characteristics, such as race, religion, sex, and genetic information. 

Litigation & Enforcement:  

• New York Secures a $200,000 Penalty in a Law Firm Data Breach. In a March 27, 2023 press release, New York Attorney General Letitia James announced a settlement with a law firm, including a $200,000 penalty, under state law and the Health Insurance Portability and Accountability Act (HIPAA). The enforcement action alleged that poor data security measures made the law firm vulnerable to a 2021 data breach that compromised the private information of approximately 114,000 patients, including more than 60,000 New Yorkers. The firm represents hospitals. The breach reportedly involved an unpatched Microsoft Exchange server. In addition to the penalty, the settlement requires implementation of a comprehensive cybersecurity program, with third-party review, and additional safeguards.
• California Chamber of Commerce Files Legal Challenge to Toll CPRA Enforcement. The California Chamber of Commerce on March 30 filed an action in state court for declaratory and injunctive relief to toll the planned July 2023 enforcement of the California Privacy Right Act of 2020.  In its complaint, the Chamber argues that Proposition 24 required that the new agency, the California Privacy Protection Agency, publish regulations a year before the date of enforcement, that the voters intended businesses to have adequate implementation time with the benefit of the regulations, and that it would be unfair to enforce the CPRA without at least one year planning period to implement compliance measures.
• Illinois Appellate Court Finds Coverage for BIPA Class Action Under Cyber Policy. On March 31, 2023, the Appellate Court of Illinois held that an insured was entitled to coverage for claims expenses it incurred in an Illinois Biometric Information Privacy Act (“BIPA”) class action lawsuit. In the case, Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2021 IL App (1st) 211097, Remprex sought coverage for costs it incurred in two BIPA class actions filed by truck drivers who claimed their privacy rights had been violated when their fingerprints were collected in order to access automatic railyard gates. Remprex was never named as a defendant in the first action, therefore there was no “claim” and coverage was not owing. Remprex was, however, a defendant in the second action. For costs incurred in this action, the court held that Remprex was entitled to its claim expenses under the policy’s Media Liability section, which applied to claims alleging a violation of an individual’s right to privacy during the “course of creating media material.” Importantly, the court also ruled that coverage was not owed under the portion of the Media Liability section applying to the dissemination of material to the public, because collecting truck drivers’ fingerprints was not tantamount to disseminating them to the public. Further, the court found coverage was not owed under the policy’s Data & Network Liability section because collecting and storing fingerprints is not tantamount to a security breach and no personally identifiable information was lost. 

International Updates:  

• Lloyd’s State-Backed Cyber Attack Exclusion Requirements Take Effect. Lloyd’s’ new state-backed cyber attack requirements took effect on March 31, 2023. These requirements were set out in an August 16, 2022, Market Bulletin, which established minimum requirements for all standalone cyber-attack policies. Policies incepting or renewing after this date must exclude losses arising from war and losses arising from state-backed cyber-attacks that significantly impair a state’s security capabilities or ability to function. Policies must also clarify whether the exclusion applies to computer systems located outside of the state that is affected by the attack and must offer a “robust basis” for agreement between the parties as to how a state backed cyber-attack will be attributed to states.
• UK ICO Updates Guidance on Use of AI. The UK’s Information Commissioner Office has updated its guidance on the use of artificial intelligence from a privacy perspective. The updates are primarily focused on accountability and governance. The ICO is quoted as saying that the changes support a “pro-innovation approach to AI regulation” and in particular enshrining considerations of fairness into AI. This is a reference to Article 5(1)(a) of UK GDPR which requires that personal data be processed lawfully, fairly and in a transparent manner. The ICO noted also that AI “increases the importance of embedding a data protection by design approach into your organization’s culture and processes.”  
• Large Multinationals Beginning to Gain Ground on Supervisory Authorities in Court Appeals. A number of European Regulators have suffered defeat as member state courts have ruled to overturn their issuance of regulatory findings of breaches of GDPR in UK, Italy, Germany and Spain.  The appeals, brought separately in member states by Experian PLC (based in Ireland), Amazon, Enel Energia SpA, BBVA, saw the member state courts also strike down seven-figure fines issued by supervisory authorities against the companies. This trend of appellate reversal gives companies further justification to fully resource these appeals particularly when mission-critical to their business. It also highlights one of the weaknesses of principle-based legislation such as GDPR in terms of the broad range of interpretations which can be made of key aspects. What this trend might mean for Meta’s appeal against the Irish Data Protection Commissioner’s fines of €390m is unknown. 
• Data Protection Officer (DPO) Initiative Announced. The European Data Protection Board announced that the 26 Data Protection Authorities across the EEA will be focusing on the designation and position of data protection offices (DPOs). This initiative will focus on whether DPOs have the appropriate position within their organization and the appropriate resources to carry out their tasks. Launch of coordinated enforcement on role of data protection officers.