Right To Know - November 30, 2022, Vol. 1

November 30, 2022

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

New Laws & Regulations:  

  • On November 8, the California Privacy Protection Agency met as part of the ongoing rulemaking process for the promulgation of the California Privacy Rights Act (CPRA) regulations. The most recent CPRA draft regulations, released by the Agency on November 3, can be found here. The current draft regulations do not include guidance on the CPRA’s inclusion of employment/personnel or B2B data. At the earliest, the Agency will submit the regulations to the California Office of Administrative Law (OAL) at the end of the year, and the OAL would approve (or not) towards the end of January 2023.
  • The Colorado Department of Law issued draft rules under the Colorado Privacy Act, which goes into effect on January 1, 2023. The public comment period on the proposed Colorado regulations will end on February 1, 2023. The Colorado, Connecticut, and Utah state privacy laws also go into effect in 2023, and rulemaking and public comment under those states’ laws are expected in the new year.
  • California Attorney General Bonta hailed the recently enacted California Age-Appropriate Design Code Act, which requires businesses to consider the best interests of child users and to default to privacy and safety settings that protect children’s mental and physical health and well-being. In public comments issued this month, Attorney General Bonta urged the Federal Trade Commission and other states to follow California’s lead and adopt similar requirements, which go far beyond the federal Children’s Online Privacy Protection Act (COPPA). A similar New York proposal, the New York Child Data Privacy Protection Act, remains under consideration.
  • On November 9, the New York State Department of Financial Services announced proposed amendments to its cybersecurity regulation, 23 NYCRR 500, with the opportunity for public comment expiring on January 9, 2023. The proposed amendments include additional security controls, enhanced notification obligations, and additional or revised requirements related to governance and oversight. The proposed amendments also increase cybersecurity requirements for a newly defined group of larger companies, called “Class A companies.” Most of the amendments take effect 180 days from NYDFS’ adoption of the final regulations unless otherwise indicated.
  • Starting on January 1, 2023, two more states will be making their NAIC model laws effective: Vermont and Kentucky. Vermont, under the Vermont Insurance Data Security Law (“VIDSL”), will be the 22nd state to adopt the National Association of Insurance Commissioners Insurance Data Security Law (NAIC Model 668). The difference between the NAIC model law and the VIDSL is that the VIDSL provides that entities regulated by the Department of Financial Services still need to provide notice of certain cybersecurity events to the Department. Kentucky enacted House Bill 747 in April 2022, which is modeled after the NAIC model law.
  • In the international realm, the EU Digital Services Act (DSA) came into force on November 16. The Digital Services Act sets rules for online intermediary services, hosting services, online platforms, and very large online platforms. The DSA rules address everything from illegal online content and takedown requirements to transparency measures and targeted advertising. Initial compliance by very large online platforms will be required in 2023, while the DSA will be fully applicable to all entities in scope in February 2024.

Federal Enforcement:   

  • The Department of Health and Human Services released new video guidance explaining how it will consider the “recognized security practices” when enforcing HIPAA. 
  • The FTC announced a settlement with Drizly, an online alcohol delivery platform owned by Uber, for its failure to implement reasonable security measures, leading to a data breach that exposed the personal information of 2.5 million consumers. According to the FTC complaint, Drizly had been alerted that it was storing critical information on an unsecured platform (GitHub) that hackers could access. Under the proposed order, Drizly is required to destroy data it does not need, limit future collection, and implement a full information security program. Notably, the FTC also required Drizly’s CEO to implement an information security program at any future company he moves to that collects consumer information from more than 25,000 people and where he is a majority owner or senior officer.
  • As part of its ongoing efforts to police companies that collect and process minors’ data, the FTC announced a settlement with Chegg, an online education company, concerning four data breaches of its Homework Help App over three years caused by the company’s security failures. According to the FTC, “as a result of these failures, some of the data about Chegg’s 40 million customers stolen by its former contractor was later found for sale online.” Chegg avoided the payment of any penalty but is required to implement a robust information security program, including the rollout of MFA, data access controls, encryption, and biennial third-party assessments of its security practices.
  • Also this month, the FTC extended the compliance deadline for businesses and financial institutions to comply with the strengthened data security safeguards put in place under the Safeguards Rule; the compliance deadline is now June 9, 2023.
  • In the continued fallout from the 2022 Russian state-sponsored exploitation of its Orion network management software, SolarWinds announced in a recent 8-K filing that it received notice from the United States Securities and Exchange Commission of the agency’s intent to file an enforcement action against it concerning the mass software compromise. That compromise affected public and private entities alike, including the NSA, DOJ, and security company FireEye. According to SolarWinds’ filing, the SEC’s anticipated enforcement action concerns “its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.” In the same filing, SolarWinds disclosed that it had agreed to pay $26 million to resolve shareholder litigation concerning the same incident.

Litigation & Noteworthy Settlements:  

  • In a decision relevant to website data use practices, on November 4 the District Court for the Northern District of California found mostly in favor of LinkedIn in its ongoing dispute with hiQ over data scraping. The Court found that hiQ’s data scraping and its use of third parties to scrape data breached LinkedIn’s user agreement, but held that factual issues surrounding hiQ’s defenses remained under both the statutory claim (Computer Fraud and Abuse Act) and the common law claim (breach of contract).
  • A prominent war-exclusion insurance lawsuit has been settled. Zurich American Insurance and Mondelez International, the snack food giant (think Oreos), have reportedly settled their dispute over Mondelez’s $100m claim related to the 2017 NotPetya cyber-attack. Mondelez sought coverage for roughly $100m in losses related to the attack under its ‘all-risk’ property insurance policy. The malware reportedly damaged 1,700 of its servers and 24,000 laptops, disrupting distribution and customers, and the losses included downtime, lost profit, and remediation work. Zurich invoked the policy’s war exclusion because the NotPetya threat actors were associated with Russia, even though Mondelez admittedly was not the initial target of the attack (Ukraine was). The settlement indicates that the parties reached a compromise concerning payment of the losses, though the exact terms were not disclosed. According to Reinsurance News, this result has disappointed some in the insurance/reinsurance industry who had hoped the case would produce legal precedent on the scope of the war exclusion.
  • On November 25, the court for the Northern District of Illinois held that the Consumer Financial Protection Bureau could proceed with its “digital dark patterns” enforcement action against TransUnion and its former executive, arising from the credit reporting agency’s violation of a prior consent order concerning its deceptive marketing of credit scores and credit-related products. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB can act against institutions that violate consumer financial laws, as alleged in the complaint.
  • On November 4, the Northern District of Illinois found that the higher learning institution DePaul University was properly characterized as a financial institution for purposes of availing itself of a BIPA exemption. The ruling could mean that any entity able to put forth evidence showing it is subject to the GLBA’s privacy requirements (commonly known as the Financial Privacy Rule) may fall within the scope of the BIPA exemption and use it as a defense to suit. The decision is Powell v. DePaul Univ., No. 21-C-3001, 2022 U.S. Dist. LEXIS 201296 (N.D. Ill. Nov. 4, 2022).
  • The attorneys general of Oregon, New York, Florida, Illinois, and three dozen other states have reached a historic $391.5 million settlement with Google to resolve allegations that the tech company tracked users’ locations even after they were led to understand that they had turned off that feature.
  • Last month, the New York Department of Financial Services announced its $4.5 million settlement with EyeMed Vision Care, LLC, a licensed health insurance company, concerning a 2020 phishing attack that gained access to a shared email box containing six years’ worth of non-public customer information. NYSDFS accused EyeMed of failing to use multi-factor authentication (MFA), failing to limit user access privileges, and failing to maintain proper disposal and retention practices. Among other things, NYSDFS noted that EyeMed had not conducted an adequate risk assessment and that the company’s annual certifications to NYDFS were therefore “improper.” In addition to the penalty, the Consent Order requires EyeMed to undertake significant remedial measures, including to “conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan describing how EyeMed will address the risks identified in that assessment. The action plan will be subject to the review and approval of the Department.”

Security Alerts:  

  • “A group of university researchers recently discovered that threat actors can access data collected through cookies for targeted advertising with only an email address. The threat actor used the email address to pretend to be the user and obtained that user’s detailed browsing history. The research shows how insecure information may be passed among ad networks.” 
  • On November 9, 2022, the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note warning of Venus ransomware attacks targeting U.S. healthcare organizations. According to the note, Venus ransomware, also known as GOODGAME, was first discovered in August 2022 and has been deployed against at least one healthcare entity. Venus ransomware targets publicly exposed Remote Desktop services, and the alert stresses the importance of placing these services behind a firewall. The ransomware encrypts files and appends the ‘.venus’ extension to them. Among its recommendations, HC3 encourages healthcare entities to retain multiple copies of sensitive data and servers in a physically separated, segmented, and secure location, maintain offline backups of data, password-protect offline backup copies, periodically update antivirus software, and install updates and patches as soon as they are released.
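The ‘.venus’ file extension named in the HC3 note is a simple post-incident indicator a responder can sweep for. The script below is an added illustration, not part of the HC3 note or this report: it walks a directory tree, counts files carrying the extension, and reports which directories are affected so the spread of encryption can be scoped. The extension is the only value taken from the note; the threshold and function names are this example’s own choices.

```python
import os
from collections import Counter

# Extension the HC3 note says Venus ransomware appends to encrypted files.
VENUS_EXTENSION = ".venus"


def scan_for_ransomware_extension(root, extension=VENUS_EXTENSION):
    """Walk `root` and collect files whose name ends with `extension`.

    Returns the number of matching files, the total files seen, the matching
    paths, and a per-directory count so responders can see where encryption
    has progressed furthest. The comparison is case-insensitive.
    """
    hits = []
    per_dir = Counter()
    total = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            total += 1
            if name.lower().endswith(extension.lower()):
                hits.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return {
        "hits": len(hits),
        "total": total,
        "paths": sorted(hits),
        "per_dir": dict(per_dir),
    }


def assess(result, alert_threshold=1):
    """Return True when the scan result should raise an alert.

    Any file carrying the extension is suspicious (threshold 1 by default);
    a higher threshold is an assumption for shares where stray test files exist.
    """
    return result["hits"] >= alert_threshold


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    res = scan_for_ransomware_extension(target)
    status = "ALERT" if assess(res) else "clean"
    print(f"{status}: {res['hits']} of {res['total']} files end with {VENUS_EXTENSION}")
    for path in res["paths"][:20]:
        print("  ", path)
```

Run it against a file share or backup target as `python scan.py /path/to/share`; a non-zero hit count on a backup means that copy was reachable from the compromised host and should not be trusted for restore.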
