Skip to content

Right To Know - February 2023, Vol. 3

February 7, 2023

Cyber, Privacy, and Technology Report


Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.


New Laws & Regulations:  

  • On January 27, 2023, California Attorney General Rob Bonta announced that letters were sent to businesses with mobile apps that fail to comply with the California Consumer Privacy Act (CCPA). The investigation focused on popular apps in the retail, travel, and food service industries that allegedly fail to comply with consumer opt-out requests or do not offer any mechanism for consumers who want to stop the sale of their data.
  • Also in California, the California Privacy Protection Agency voted to finalize California Privacy Rights Act (CPRA) regulations, which including issuing a “Final Statement of Reasons” for the regulations. Following Office of Administrative Law review, the Agency said it expected the regulations to be effective in April 2023, in advance of the law’s July 1, 2023, enforcement date.
  • The New York City Department of Consumer and Worker Protection held its second public hearing on Local Law 144 – an amendment to existing city code that will regulate the use of “automated employment decision making tools” (AEDTs) by employers in the city. The second public hearing attracted considerable attendance. The Law, which was originally set to go into effect on January 1, 2023, prohibits employers from using artificial intelligence/machine learning tools which constitute AEDTs without first conducting an independent bias audit on the AEDT, publishing the results, and providing notice and an opportunity to opt-out to job candidates and employees. Employers now have until at least April 15, 2023, to prepare for compliance with Local Law 144.
  • The Colorado Attorneys General and Colorado Department of Law published revisions to the Colorado Privacy Act (“CPA”) regulations, which will be effective July 1, 2023. The updates build upon the original version of the CPA. The comment period for version 2 of the CPA ends February 1, 2023. Read more about the proposed CPA here.
  • This month, state legislatures continued to advance new privacy law proposals. Currently, over 15 states have privacy legislation pending, including Indiana, Iowa, New Hampshire, Massachusetts, Hawaii, and Washington tend to follow the California (CCPA)-model of data access rights. While in Massachusetts the Information Privacy and Security Act and the Internet Bill of Rights proposals look to establish GDPR style rights and obligations.
  • Notable in the trend of new state law proposals is the New York State Assembly’s recently introduced Digital Fairness Act. The proposal is unique for its low threshold of application and for its breadth. It purports to apply to entities that collect or process the personal information over 500 or more New York residents, and has provisions addressing the collection of biometric information, discriminatory processing of personal information, automated decision making and a private right of action.  

Federal Enforcement & Initiatives:   

  • The FBI announced that it had seized the website used by the Hive ransomware group to extort hundreds of millions of dollars from victims across the globe, many in the healthcare industry. The months-long infiltration of the Hive networks allowed the FBI to covertly penetrate the group’s networks, capture its decryption keys, and provide them to victims, averting over $130 million in ransomware payments. Working with law enforcement partners in Germany and the Netherlands, this is the latest example of the FBI’s efforts to thwart ransomware groups and seize payments to hackers.
  • Two important initiatives from the National Institute of Standards and Technology (NIST) this month:   
    • First, NIST released the NIST AI Risk Management Framework (AI RMF 1.0) on January 26, 2023. The release was livestreamed, and a recording is available here. Currently, the framework is intended for voluntary use “to improve the ability to incorporate trustworthiness considerations into the design, development, use and evaluation of AI products, services, and systems.” 
    • Second, NIST published “NIST Cybersecurity 2.0 Concept Paper; Potential Significant Updates to the Cybersecurity Framework.” In 2014, NIST released the original version 1.1 of “Framework for Improving Critical Infrastructure Cybersecurity,” which provides voluntary, flexible guidance for organizations of all sizes to better understand, manage, reduce, and communicate cybersecurity risks. It covers the core security functions of identify, protect, detect, respond, and recover, with categories and subcategories of safeguards for each of them. It includes tables that compare the listed safeguards to other security standards and frameworks. In 2018, NIST published an updated version 1.1. During 2022, NIST sought public comments on updating the Framework. This Concept Paper seeks additional input on the structure and direction of the updated version before a draft is published.
  • On January 24, 2023, the Cybersecurity and Infrastructure Security (CISA) issued Partnering to Safeguard K-12 Organizations from Cybersecurity Threats,” to provide recommendations and resources to help K-12 schools and school districts address systemic cybersecurity risk. It includes information about the current threat landscape specific to the K-12 community and offers steps that schools can take to strengthen their cybersecurity. It includes three overall recommendations: (1) Invest in the most impactful security measures and build toward a mature cybersecurity plan; (2) Recognize and actively address resource constraints; and (3) Focus on collaboration and information-sharing.
  • On January 3, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a new case to be resolved under OCR’s HIPAA Right of Access Initiative. Life Hope Labs, LLC, a full-service diagnostic laboratory in Sandy Springs, Georgia, agreed to implement a corrective action plan and pay a monetary settlement for their failure to provide a personal representative with a copy of her deceased father’s medical records. The personal representative requested access to her father’s records on July 7, 2021, but did not receive them until February 16, 2022.
  • Other activity by OCR includes a recently announced settlement with Banner Health Affiliated Covered Entities (“Banner Health”), a nonprofit health system based in Phoenix, Arizona, to resolve a 2016 data breach which exposed the protected health information of 2.81 million consumers. Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan to resolve violations of the HIPAA Security Rule, including the failure to determine risks and vulnerabilities to electronic protected health information (“ePHI”), insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its ePHI, and failure to have security measures in place to protect ePHI from unauthorized access when transmitted electronically. 

Litigation & Noteworthy Settlements:  

  • In a highly anticipated decision, the Illinois Supreme Court held that a five-year statute of limitations applies to claims under the Biometric Information Privacy Act, 740 ILCS 14/15 (“the BIPA”). The case is Tims, et al. v. Black Horse Carriers, Inc., Case No. 127801 (Ill.) and the decision is available here. The decision is seen as a win for plaintiffs and increases the exposure and potential statutory penalties awarded to them against employers and companies who do business in Illinois and collect or process biometric information.
  • The United States Supreme Court dismissed as “improvidently granted” a case, In Re Grand Jury, that sought to clarify the issue of whether a communication involving both legal and non-legal advice is protected by attorney-client privilege when obtaining or providing legal advice was one of the significant purposes behind the communication. Dual purpose communications arise frequently in the data breach context, and incident response and data breach commentators were hopeful of the Supreme Court’s decision to resolve a circuit-split concerning the privileged nature of those communications. The Supreme Court’s dismissal leaves intact the prior ruling of the Ninth Circuit from September 2021 which endorsed the “primary purpose” test for determining the application of attorney client privilege. 13 F.4th 710 (9th Cir. 2021).
  • Madison Square Garden Entertainment Corp. (“MSG”)’s policy of using facial recognition technology (“FRT”) to prohibit attorneys whose firms are engaged in litigation against the company from entering its venues may be illegal and discriminatory, New York Attorney General Letitia James said in a letter to the company. The State Attorney General is seeking additional information from MSG concerning its use of FRT technologies to determine whether the practice violates local, state, or federal human rights laws, including laws prohibiting retaliation. 

Cyber Insurance & Subrogation:  

  • A federal district court held that a cyber policy’s coverage for “actual impairment . . . of business operations” could apply where a breach partially disrupted the policyholder’s usual business activities. In that case, New England Systems, Inc. v. Citizens Insurance Co. of America, No. 3:20-cv-01743-SVN, 2022 WL 17585966 (D.Conn. 2022), a bad actor hacked into the systems of the policyholder, an IT provider, and encrypted some of its clients’ data. The IT provider made a claim under its cyber business interruption coverage, saying it was forced to take time away from providing regular services to its unaffected clients to provide remediation services for those of its clients who were affected. The court looked to the reasoning in P.F. Chang’s China Bistro, Inc. v. Federal Insurance Co., No CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016) and Fishbowl Solutions, Inc. v. Hanover Insurance Co., No. 21-cv-0794-SRN/DJF, 2022 WL 16699749 (D. Minn. Nov. 3, 2022), holding that the term “actual impairment” is broad enough to include the policyholder’s “forced reallocation of resources.” Because there were genuine issues of material fact as to whether the policyholder had in fact been forced to shift its resources, the court denied summary judgment on the insurer’s breach of contract claim. Notably, the court granted summary judgment for the insurer on the policyholder’s claim for bad faith, explaining there was no evidence that the insurer had acted with a dishonest purpose in investigating the claim.
  • The District Court of Illinois in Thermoflex Waukegan LLC v. Mitsui Sumitomo Insurance USA Inc. granted partial win to an automotive company in a dispute with its insurer over coverage for a proposed class action accusing the company of violating the state’s Biometric Information Privacy Act. The court there held that the insurer has a duty to defend but that it has not been triggered. Specifically, the court ruled the insurer owed the insured a duty to defend the company under its umbrella policies, which provide coverage for damages Thermoflex becomes legally obligated to pay for “personal and advertising injury” that is in excess of its self-insurance or other insurance coverage, subject to certain exclusions. With respect to the statutory violation exclusion, the ruling held: “Without clear meaning for the text, or with the aid of canons of construction, the exclusion is ambiguous and must be construed in favor of coverage.”  Further, the court also said the umbrella coverage’s data breach exclusion, “although limited to the data breach context,” must also be construed in favor of coverage. 

International & Industry Highlights 

  • DNV, a Norweigan headquartered classification society and risk management firm was subject to a ransomware attack targeting its ShipManager software on January 7. DNV shut down the ShipManager’s Information Technology services leaving 70 customers and around 1,000 vessels to operate offline and in downtime procedures while systems were down. Around 1,000 vessels affected by cyber-attack on DNV’s software. 
  • On January 27, 2023, the US and EU signed “Administrative Arrangement on Artificial Intelligence for the Public Good.” This agreement builds to principles set forth in the 2022 Declaration for the Future of the Internet, and it intended to “drive responsible advancements in AI to address major global challenges,” including areas like climate change, natural disasters, healthcare, energy, and agriculture. Read more here.
  • EU Directive 2022/2555 took effect on January 17th. The new Directive, known as NIS2, replaces a prior directive and establishes uniform baselines for cyber risk management measures, such as business continuity and disaster recovery, access controls and supply chain security. Member states will now take the directives requirements and transpose them into their national laws. One notable change is the expanded scope of entities that will fall under the new directive’s requirements. The new directives cover both public and private entities and go beyond previous limitations requiring entities to have a physical basis in the EU. Member states may institute stricter requirements.
  • The International Organization for Standardization is set to adopt Privacy by Design as ISO31700. While initially not set to be a conformance standard, the 30 requirements of the new ISO standard will include general guidance on designing products that allow users to enforce privacy rights, how to provide privacy information to consumers, protocol for conducting privacy risk assessments, establishing, and documenting requirements for privacy controls, managing data life cycles, and preparing for and responding to data breaches. The ISO’s adoption is anticipated to further push the concept of Privacy by Design that was adopted and is required by the European Union’s General Data Protection Regulation.
  • New Federal Canadian Privacy Requirements Are Likely in 2023:  Following the adoption of more stringent and all-encompassing privacy requirements in Quebec and British Columbia, amendments to the national Personal Information Protection and Electronic Documents Act and enaction of a federal Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act are expected to pass as federal laws in Canada in 2023. Of particular note, the Consumer Privacy Protection Act would create an Office of the Privacy Commissioner of Canada with capabilities of issuing compliance orders, recommending penalties of the higher of $10 million and 3% of organization’s gross global revenue (with higher fines available for more egregious conduct). These new laws are expected to bring Canadian privacy protections more in line with those of Europe under the GDPR.
  • Data Privacy Center nonprofit formed to Advise K-12 Leaders on Privacy Issues:  
    • The Public Interest Privacy Center is a new non-profit formed in 2022 that will assist school districts in fielding questions and issues relating to student data privacy. The PIPC, operating on over $500,000 of grants, will consist of a three-person team at the School Superintendents Association’s facilities. PIPC will directly assist school superintendents and other district leaders respond to privacy considerations and questions resulting from data collection by and even data privacy agreements with educational software companies. The organization will also serve as a resource for school district leaders and their state lobbyists to improve understanding of how new or proposed privacy legislation at the state level could affect schools and their operations. 

The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice

Subscribe For The Latest