Right To Know - March 2023, Vol. 4

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed. 

State Actions:  

• Colorado Insurance Division Releases AI Regulations. On February 1, 2023, the Colorado Division of Insurance (“DOI”) released its draft Algorithm and Predicative Model Governance Regulation (the “Draft AI Regulation”). The Draft AI Regulation, which is promulgated under a 2021 Colorado state law, requires life insurers in the state that use consumer data, algorithms, and predictive models in the underwriting process to develop an AI governance and risk management framework, implement certain technical controls and maintain comprehensive documentation concerning the use of these algorithmic and predictive tools, including up-to-date inventories and evaluations of the algorithms or predictive models. The regulations are subject to a public comment period but are expected to be finalized later this year. 
• Virginia Effort to Protect Reproductive Health App Data Fails. Virginia’s attempt to shield fertility and reproductive app data from search warrants was ultimately rejected in the General Assembly by the state’s Republicans. This is particularly important in a post-Roe abortion restriction realm. The Senate had passed legislation preventing authorities from obtaining menstrual app data in a 31-7 bipartisan vote. However, Governor Youngkin’s administration opposed the measure with the idea that this would “ultimately open the door to put further limits on search warrants down the road.” 
• California Seeks Public Comments. As part of its preliminary rulemaking activities, the California Privacy Protection Agency (“CPPA”) seeks preliminary comments by March 27, 2023, on proposed regulations for cybersecurity audits, risk assessments, and consumer rights related to automated decision-making. The CPPA is seeking input from stakeholders and the public in developing and proposing specific regulations that implement these CPRA amendments to the CCPA. The CPPA has prepared a list of topics and questions to assist interested parties in providing input on rulemaking.
• Indiana Privacy Bill Makes Progress. Indiana’s Senate Bill 5, Indiana’s consumer data protection law, continues to move through the legislative process and may be enacted. This bill would establish rights for consumers regarding their personal data and require business to have data protection assessments and security checks. 

Regulatory:   

• FTC’s Artificial Intelligence Guidance:  This month, the FTC released guidance titled “Keep Your AI Claims in Check,” reiterating its authority to regulate unfair and deceptive claims concerning a business’s use of Artificial Intelligence under Section 5 of the FTC Act. The guidance warned companies not to exaggerate or mischaracterize their use of AI tools or use of data, not to make claims that are unsupported by scientific study or underlying data, and – critically – stated that businesses cannot blame third party vendors whose technologies they use and are themselves responsible for knowing the ins and outs of any AI solutions utilized by the business.
• Executive Order Tells Federal Agencies to Address Algorithmic Discrimination. U.S. President Joe Biden directed federal agencies to address “discrimination” within algorithms used by technology companies in the “Executive Order on Further Advancing Racial Equity.”  The Order defined algorithmic discrimination to include “instances when automated systems contribute to unjustified different treatment or impacts disfavoring people” based on protected characteristics, such as race, religion, sex, and genetic information.
• CISA Policy Address. On February 27, 2022, Jen Easterly, the director of the Cybersecurity and Infrastructure Agency (CISA), delivered a major policy address, titled Unsafe at Any CPU Speed: The Designed-in Dangers of Technology and What We Can Do About It, at Carnegie Mellon University in Pittsburgh, PA. She called for radical changes to the technology industry so that tech products are both secure-by-design and secure-by-default, including liability for products that are not secure. She noted that “Government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.” She compared the automotive industry where safety has been driven by government regulation and liability of manufacturers. 
• SEC Proposes Revision to the Privacy Act Rule. On February 14, 2023, the Securities and Exchange Commission (SEC) proposed a rule that would revise the its regulations under the Privacy Act. The Privacy Act is the principal law governing the handling of personal information in the federal government. The SEC says the proposed revisions will provide greater clarity regarding its process for how individuals can access information pertaining to themselves. The revisions would essentially codify current practice for handling requests under the Privacy Act, including allowing electronic methods to verify one’s identity. The SEC’s rule is published in the Federal Register. 
• HHS Announces New Offices to Support Increase Enforcement. The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a reorganization of the responsibilities of the current Health Information Privacy, Operations and Resources, Civil Rights and the Conscience and Religious Freedom divisions into three new divisions overseeing enforcement, policy, and strategic planning. OCR will also rename the Health Information Privacy Division to the Health Information Privacy, Data, and Cybersecurity Division to more accurately reflect their work to address and enforce cybersecurity.
• NAIC Model Privacy Law Public Comments. On February 1, 2023, the National Association of Insurance Commissioners (“NAIC”) invited comments on the Insurance Consumer Privacy Protection Model Law #674. The Model Law includes a safe harbor for entities that comply with HIPAA. If approved, Model 674 would expand the privacy rights afforded to insurance consumers and place significant new restrictions on insurance licensees’ ability to use and share consumers’ personal information. Among other changes, Model 674 would provide for the direct regulation of licensees and regulation of third-party service providers through any contract or agreement they hold with licensees, permit licensees to retain consumers’ personal information until it is no longer needed and enhance transparency regarding how and why consumer data is collected, processed, shared, and retained. 

Litigation & Enforcement:  

• Each Scan an Accrual for BIPA: In a close 4-3 decision, the Illinois Supreme Court in Cothron v. White Castle System, Inc., 2023 IL 128004, ruled that a claim under the Illinois Biometric Information Privacy Act (“BIPA”) accrues with every scan or transmission of biometric identifiers or biometric information without prior informed consent. The decision acknowledged White Castle’s own estimate that the Court’s accrual interpretation could render it liable for up to $17 billion in damages, but said the result was necessitated by a strict interpretation of the statute.
• Economist Settles Subscriber Sales Lawsuit for Millions. The Economist publication agreed to pay $9.5 million to settle a class action lawsuit brought in Michigan under that state’s Preservation of Personal Privacy Act statute alleging that the publisher had sold subscriber information in violation of the law. The PPPA law is one of several laws, including the federal Video Privacy Protection Act (VPPA), that plaintiffs have leveraged in recent years to file consumer privacy class actions.
• Merger Materials Never Used by Business Result in $400k In Fines After Breach: DNA Diagnostics Center, Inc. obtained several databases from a company it acquired. Those databases were never used by the company and, according to some, were never meant to have been transferred as part of the acquisition. But, when those databases were exposed during a cybersecurity incident ten years later, they lead to the disclosure of information belonging to 45,000 Pennsylvania and Ohio residents. That exposure resulted in fines of $200,000 to each state to settle the matter—emphasizing, once again, the need to police an organization’s data and to purge data when it is not necessary. 

International updates:  

• Push Back to Adequacy of Proposed Data Privacy Framework Grows:  A February 14 draft opinion from the European Parliament Committee on Civil Liberties, Justice and Home Affairs recommends that the European Commission not extend an adequacy decision to the U.S.’s proposed EU-U.S. Data Privacy Framework (DPF). The DPF was the latest in a string of treaties negotiated between the EU and U.S. to govern the privacy of information collected from EU residents and moved to the U.S. Prior iterations, including the EU-U.S. Privacy Shield and EU-U.S. Safe Harbor that were each invalidated by the European Court of Justice over concerns that they failed to adequately protect EU resident personal information while in the U.S. Of particular concern, the DPF has been attacked because it is dependent, in large measure, on a Presidential executive order that could, in theory, be rescinded by any future President and over concerns that the proposed system for redress associated with the DPF was not truly independent or transparent enough to allow EU residents equivalent protection to that found in the EU. A final decision on the adequacy of the DPF by the European Parliament is expected later this year. 
• China Releases new Standard Contract Clauses (SCC) and SCC Regulations On February 24, 2023, the Cyberspace Administration of China released its SCCs for transferring China data abroad. Under the SCC regulations, the SCCs may be adopted only if: (1) the data exporter is not a critical infrastructure operator, (2) the data exporter has processed less than 1 million individuals’ personal data, (3) the data exporter has made less than 100,000 transfers of aggregated personal data since January 1 of the preceding year, and (4) the data exporter transferred less than 10,000 individuals’ personal data since January 1 of the preceding year.  Unlike the EU GDPR’s SCCs, the Chinese SCC have only one universal template regardless of role or functions. Companies who do business in China should be aware of the new SCCs and SCC Regulations. Read more here.
• Spain’s Data Protection Authority (AEPD) Issued Guidance for Anonymization: On February 25, 2023, the AEPD published guidance for anonymizing data. The AEPD’s guidance directs data controllers to delegate anonymization to professionals with experience in reidentification attacks. The guidance requires a “formal analysis” that anonymized data cannot be re-identifiable. At the same time, the controller must “[assume] that there could be a residual probability of re-identification” and “analyze the impact that re-identification could have on individuals.”  The full guidance is available on the AEPD’s website. 
• The EU Commission banned the use of TikTok on its corporate devices and on personal devices, if enrolled in the Commission’s mobile device service. According to the European Commission’s blog this move aims to increase its cybersecurity. The ban is in line with the strict internal cybersecurity policies for use of mobile devices for work-related communications.
• Australia Announces New Cyber Agency. Australia has announced that it will be overhauling its cyber security rules and setting up a new government agency to provide oversight for cyber security investment. The Australian Department of Home Affairs has released a discussion paper seeking opinions on how best to achieve its goals under the new strategy. The government’s overarching goals are to allow for greater collaboration in response to the growing threat of cyberattacks. They agree that the government and private sector are undertaking critical security measures, but the current rules do not allow for the type of coordination and cooperation needed to provide effective responses. The request for comment closes April 15, 2023.