Right To Know - August 2023, Vol. 8
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
- California Regulators Announce Two New Enforcement Initiatives under the CCPA: Following last month’s judicial stay of the enforcement of California’s final privacy regulations under the California Privacy Rights Act (CPRA) until 2024, California regulators this month announced two investigative sweeps that demonstrate enforcement of the California Consumer Privacy Act (CCPA) law remains in full force and effect:
  - Employees and Job Applicant Data: First, the California AG announced an enforcement sweep and the issuance of inquiry letters to employers throughout California concerning their compliance with the CCPA’s privacy obligations as they pertain to the personal information of employees, independent contractors and job applicants in California.
  - Automobile Privacy Probe: Next, the California Privacy Protection Agency (CPPA) announced an enforcement sweep targeted at automobile manufacturers and suppliers concerning the collection and use of personal data in connected automobile devices. Specifically, the CPPA stated it would look at data collection and sharing as it pertains to vehicle features like location sharing, web-based entertainment, smartphone integration, and cameras.
- California regulators seek to overturn judicial stay of CPRA Regulations: The California AG and CPPA jointly filed a petition with a California appellate court seeking to overturn the recent judicial stay of the CPRA final regulations issued by a California state court.
- Colorado Attorney General Makes Moves to Enforce Colorado Privacy Act: The Colorado Privacy Act (“CPA”) is effective as of July 1, 2023. Shortly after its effective date, the Colorado Attorney General issued a press release announcing immediate enforcement of the CPA through a series of letters of noncompliance sent to businesses. According to the press release, the initial round of AG letters focused on educating companies that operate in Colorado on their new legal obligations. There is particular emphasis on obligations relating to the collection and use of sensitive data, including the requirement to obtain consumer consent prior to collecting sensitive data, and the obligation to allow consumers to opt out of targeted advertising and profiling.
- Delaware Enacts Comprehensive Data Privacy Law: The Delaware General Assembly has granted final passage of HB-154, otherwise known as the Delaware Personal Data Privacy Act. Similar to other state consumer privacy laws, residents of Delaware will have the right to know what information is collected about them, review the information collected about them, correct inaccuracies, or request deletion of their personal data. This act will apply to entities which conduct business in Delaware that control or process personal data of not less than 35,000 consumers, or control/process personal data of not less than 10,000 consumers and derive more than 20 percent of their gross revenue from the sale of personal data. The Delaware Department of Justice is also required to engage in public outreach to educate consumers and businesses about the Act six months prior to the effective date. The effective date of this act will be January 1, 2025, pending governor approval.
- Rhode Island Amends Its State Breach Notification Statute: The Rhode Island General Assembly amended its state data breach law. The Act now requires state agencies, municipalities and persons which store, own, collect, process, maintain, acquire, use, or license data that includes personal information to notify the state police of an incident within 24 hours of discovery of the incident, notify individuals within 30 days, and notify the collective bargaining agent if any of the recipients of the notice are represented by a labor union through a collective bargaining unit. The amendment will also require state and municipal agencies to provide five (5) years of remediation services for individuals over the age of 18, and coverage for minors until they reach the age of 20.
- SEC Issues Final Rule on Public Company Reporting of Data Breaches: The United States Securities and Exchange Commission (SEC) issued a final rule entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The rule is set to go into effect in late September, with compliance dates for specific sections to begin in December 2023. Among other changes, the rule requires public companies to report any cybersecurity incident deemed to be material within four business days of the determination that the event is material (subject to certain delays for national security or public safety). Additionally, companies will need to describe various cybersecurity-related processes in public filings.
- FTC Cases Shed Light on Health Law Protections: A review of the FTC’s recent cases involving consumer health data provides a number of key takeaways about how companies collect and use health data. First, it is important for companies to understand that “health data” is a broad term encompassing more than just medications, procedures, and diagnoses; it extends to anything which conveys information (or allows an inference) about a consumer’s health (for instance, the mere use of a mental health or fertility app, or location data that shows repeated trips to a cancer clinic, may be health data in and of itself). Second, if a company is collecting or using a consumer’s health data, the associated risk must be assessed and documented, and safeguards must be used to protect it, particularly privacy policies and procedures. Where a company has enacted such policies, it must make certain that those policies are followed. And finally, the collection of health data clearly brings with it certain responsibilities, but merely receiving such information can also bring liability if procedural and technical measures are not used to secure that data.
- Biden Administration Proposes New Cybersecurity Labeling for IoT Devices: While the number and type of IoT devices has grown exponentially year over year, there isn’t a baseline of cybersecurity standards that these products must meet. The Biden Administration has proposed a “U.S. Cyber Trust Mark” that would be affixed to IoT products that meet yet-to-be-developed cybersecurity standards, allowing consumers to make more informed purchasing decisions. As part of this proposal, the National Institute of Standards and Technology (NIST) would develop the cybersecurity criteria for the IoT devices, the Federal Communications Commission (FCC) and the Cybersecurity and Infrastructure Security Agency (CISA) would educate the public on the benefits of purchasing a product with the U.S. Cyber Trust Mark, and the U.S. Department of Justice would establish enforcement mechanisms for the certification. The administration plans to roll this program out in 2024, and it already has support from several IoT manufacturers.
- CISA and Partners Publish Security-by-Design and -Default Joint Guidance: On April 12, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and international partners published the jointly developed Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. This joint guidance urges manufacturers to take the urgent steps necessary to ship products that are secure-by-design and -default. It includes core principles and specific technical recommendations to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products.
- NIST Expands Outreach to the Small Business Community: The National Institute of Standards and Technology (NIST) is continuing to expand its cybersecurity outreach to small businesses through its Small Business Cybersecurity Corner. It is intended to provide small businesses with a one-stop shop offering “cybersecurity solutions, guidance, and training so they can cost-effectively address and manage their cybersecurity risks.”
Litigation & Enforcement:
- No Standing in AI Training Data Suit: On July 11, 2023, the 7th U.S. Circuit Court of Appeals ruled that a patient lacked standing to sue Google LLC after he alleged that the search engine used his hospital records from two stays at the University of Chicago Medical Center (“University”) to train an artificial intelligence algorithm without his consent. According to the complaint, Google partnered with the University in 2017 to develop an AI algorithm to identify patients’ health problems and predict future medical events. The plaintiff argued that the failure to redact date and time stamps from several years of electronic medical records provided to Google, combined with geolocation and other data Google collects from cellphone users, could allow it to de-anonymize the records it received from the University. The Court of Appeals said that the plaintiff did not suffer a sufficient injury because the University anonymized the records and Google promised not to try to identify anyone from them. Under the Court’s analysis, a breach of contract without any concrete injury falls short of the Article III requirements for a suit in federal court.
- Judge Denies Attorneys’ Fees for Prevailing Defendant in BIPA Class Action: A plaintiff brought a class action in federal court against Christian Dior claiming its website’s virtual try-on feature violates Illinois’ Biometric Information Privacy Act (“BIPA”). The court dismissed the plaintiff’s claims and awarded judgment to Christian Dior (a decision currently on appeal). Christian Dior then requested an award of attorneys’ fees under BIPA. Judge Elaine Bucklo denied the request. While not deciding whether BIPA authorized an award of attorneys’ fees to prevailing defendants, Judge Bucklo reasoned that because BIPA gave the court discretion whether to award fees or not, even if such an award was available to a prevailing defendant under BIPA, “attorneys’ fees are not available to prevailing BIPA defendants absent a showing of bad faith.” This sets a very high bar for defendants in BIPA actions if they want to seek attorneys’ fees.
- AI Lawsuits Spread to Healthcare: The rise of the algorithmic bias class action lawsuit is here. Following lawsuits brought against insurers for their use of AI or algorithmic models in homeowner claims processing, a large health care insurer was sued this month in federal court for allegations that its automated claims systems denied health care claims without any human oversight or monitoring. The lawsuit, which was filed in California, alleges the automated claims denial processing violates the state’s competition, business fraud, and insurance laws.
- Open AI Targeted in Multiple Lawsuits concerning ChatGPT:
  - ChatGPT Alleged to Scrape Personal Information of Individuals without Consent: Anonymous Plaintiffs on June 28, 2023, filed a federal 157-page class action complaint in the Northern District of California against ChatGPT creator OpenAI alleging that the Defendants’ conduct in developing, marketing, and operating their AI products, including ChatGPT-3.5, ChatGPT-4.0, Dall-E, and Vall-E, was unlawful when it used scraping technology and methods to steal private information, including personally identifiable information, “from hundreds of millions of internet users, including children of all ages, without their informed consent or knowledge.” The Plaintiffs request a jury trial, several transparency and governance measures, as well as additional injunctive, equitable and monetary damages, including actual damages for economic and non-economic harm and punitive damages in an amount to be determined at trial.
  - ChatGPT Alleged to Violate Copyright and IP Law: Two authors have brought a class action lawsuit against OpenAI for its ChatGPT product, alleging that OpenAI scraped and mined data from thousands of books, including the authors’ own publications, which were protected by copyright. According to the lawsuit, OpenAI acted without permission or license to do so, and in violation of federal copyright and other laws.
- FTC Files Sealed Amended Complaint Against Kochava, After Losing First Round in Data Privacy Battle: In 2022, the FTC sued data analytics and marketing company Kochava alleging that its data collection practices, in particular its collection and use of sensitive geolocation data and mobile device IDs, violate user privacy and constitute an unfair trade practice under Section 5 of the Federal Trade Commission Act. Among other things, the FTC sought a permanent injunction prohibiting Kochava from continuing with these data collection practices. Last month, the Idaho Federal District Court overseeing the case granted Kochava’s motion to dismiss the FTC’s action, finding that the FTC failed to sufficiently allege substantial consumer harms. Specifically, the Court held that the risk of misuse of the sensitive consumer data at issue was theoretical at best, and did not constitute a substantial injury as required under the FTC Act. Nonetheless, the Court allowed the FTC 30 days to amend its complaint to include such allegations. Earlier this month, the FTC filed its amended complaint against Kochava under seal. According to the FTC, the new complaint was filed under seal because the FTC “anticipates that defendant Kochava Inc. may take the position that some of the materials referenced, excerpted, or cited in the amended complaint constitute trade secrets” and was sealed “out of an abundance of caution.”
- US-EU Data Privacy Framework Finalized & Re-Certification Application Deadline Announced: Following finalization of the EU-US Data Privacy Framework, the U.S. Department of Commerce launched the Data Privacy Framework (DPF) program website, enabling eligible U.S. companies to self-certify their participation in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), facilitating cross-border transfers of personal data in compliance with EU law.
- Brazilian Data Protection Authority Issues Its First Fine Under the General Data Protection Law: In a first since the law was passed in September 2020, the Brazilian National Data Protection Authority (ANPD) announced a $3,005 fine for a breach of the Brazilian General Data Protection Law (LGPD) following complaints that a telemarketing company was offering a list of voters’ WhatsApp contacts for the purpose of disseminating election campaign material related to the 2020 municipal election in Ubatuba, Brazil. Under the LGPD, the commercialization and improper use of individuals’ personal information is prohibited. The LGPD also requires companies to have a Data Protection Officer responsible for ensuring the adequate protection of individuals’ data and compliance with the law. The fine was issued for the telemarketing company’s violations under the LGPD for failing to appoint a Data Protection Officer, lacking a legal basis for data processing, and being non-compliant with ANPD’s requests during its administrative process.
- U.S. Chamber of Commerce Raises Concerns over SEC Reporting Rule: The US Chamber of Commerce raised concerns about, and opposition to, the new SEC cybersecurity rule. The new SEC rule requires companies to report cybersecurity incidents that they determine are material. The Chamber is concerned that such reports will damage the confidentiality of the current reporting strategy for cybersecurity incidents and data breaches, potentially harming cybersecurity incident victims before they are able to recover from such incidents. This split between the Chamber and the SEC will be important to keep an eye on as they attempt to work together to address the concerns. In the meantime, it will be important that companies follow the new SEC rule.
- Enhanced Log Availability for Microsoft Cloud-Based Products: On July 19th, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) announced that Microsoft is expanding the types of logs that it will make available to all customers and the duration those logs are stored for subscribers of Microsoft Purview Audit Standard. Previously, broader log access and a longer log retention policy required a Microsoft customer to pay more. This will enhance the ability of Microsoft customers to investigate email compromises, specifically in situations where the email compromise isn’t discovered immediately. This change in Microsoft policy is a reaction to a security incident in which a US agency suffered a compromise that was only discovered through analysis of Microsoft log data that would not have been available to a standard Microsoft customer.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.