Tag: Cybersecurity

Cyber Incident Reporting for Critical Infrastructure Act

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

  • Definitions and criteria of various terms, such as “covered entity,” “covered cyber incident,” “substantial cyber incident,” “ransom payment,” “ransom attack,” “supply chain compromise” and “reasonable belief;”
  • Content of reports on covered cyber incidents and the submission process (e.g., how entities should submit reports, report timing requirements, and which federal entities should receive reports;
  • Any conflict with existing or proposed federal or state cyber incident reporting requirements;
  • The expected time and costs associated with reporting requirements; and
  • Common best practices governing the sharing of information related to security vulnerabilities in the U.S. and internationally.

In March 2022, President Biden signed CIRCIA into law. CIRCIA creates legal protections and provides guidance to companies that operate in critical infrastructure sectors, including a requirement to report cyber incidents within 72 hours, and report ransom payments within 24 hours. The CISA website features more information about the law, the RFI, and a list of public listening sessions with CISA to provide input.

Article By Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

California Law Prohibits Cooperation with Out-of-State Entities Regarding Lawful Abortion

In response to Dobbs v. Jackson Women’s Health Organization, California Governor Gavin Newsom recently signed AB 1242 into law, which “prohibits law enforcement and California corporations from cooperating with out-of-state entities regarding a lawful abortion in California.”

In particular, AB 1242 prohibits California companies that provide electronic communication services from complying with out-of-state requests from law enforcement regarding an investigation into, or enforcement of, laws restricting abortion.

Sponsored by California Assembly member Rebecca Bauer-Kahan and California Attorney General Rob Bonta, AB 1242:

takes an innovative legal approach to protect user data. The bill prohibits California law enforcement agencies from assisting or cooperating with the investigation or enforcement of a violation related to abortion that is lawful in California. This law thereby blocks out-of-state law enforcement officers from executing search warrants on California corporations in furtherance of enforcing or investigating an anti-abortion crime. For example, if another state wants to track the movement of a woman traveling to California seeking reproductive health care, the state would be blocked from accessing cell phone site tower location data of the woman by serving a warrant to the tech company in California. In addition, if another state wants Google search history from a particular IP address, it could not serve an out-of-state search warrant at Google headquarters in CA without an attestation that the evidence is not related to investigation into abortion services. Although the first state to enact such a law, as California often is when it comes to privacy rights, we anticipate that other states will follow suit and that these laws will be hotly contested in litigation.

Article By Linn F. Freedman of Robinson & Cole LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Hackers Caused a Traffic Jam in Moscow

Hackers caused a massive traffic jam in Moscow by exploiting the ride-sharing app Yandex Taxi and using it to summon dozens of taxis to a single location. While Yandex has not confirmed the attacker’s identity, the hacktivist group Anonymous claimed responsibility on Twitter. The group has been actively taking aim at Russian targets in response to the Russian Federation’s ongoing invasion of Ukraine.

Yandex claims that it has implemented new algorithms to detect this type of attack in the future and will compensate the affected drivers.

This traffic jam is a new application of an old hacktivist tactic: flood the system to make it unusable. Other techniques in this vein include blackouts (which target fax machines) and distributed denial of service (which targets websites and networks). No word yet on whether this new rideshare jam exploit will merit a snappy title.

Blair Robinson contributed to this article. 

For more Global Law news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

FTC Commercial Surveillance and Data Security Forum Highlights Industry and Consumer Perspectives

On September 8, 2022, the Federal Trade Commission hosted a virtual public forum on its Advanced Notice of Proposed Rulemaking (“ANPR”) concerning “commercial surveillance and lax data security.” The forum featured remarks from FTC Chair Lina Kahn, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya, as well as panels with industry leaders and consumer advocates.

Remarks from Chair Khan and Commissioners Slaughter and Bedoya focused on the need for public participation in the rulemaking process and the FTC’s role in privacy regulation in the absence of comprehensive federal legislation. Commissioner Slaughter noted that, until such federal legislation is passed, the FTC will continue to use its Section 5 authority to regulate unfair and deceptive practices related to privacy and data security.

The industry panel was moderated by FTC Senior Advisor Olivier Sylvain and focused in part on how the FTC should structure a potential rule. Multiple industry panelists emphasized the need for rules that limit out-of-context data use or tracking, while still allowing in-context use to as consumers expect. Industry panelists also highlighted the need for heightened rules for “dominant” industry players and financial penalties for bad behaviors.

The consumer advocate panel focused on issues surrounding meaningful consumer consent and the negative effects of commercial surveillance on consumers, such as one-click background checks and demographic-tailored advertising that disproportionately affects minority groups in negative ways. Similar to the industry panel, consumer advocate panelists also highlighted out-of-context data use and dominant industry actors as some of the major issues the FTC should address in its rulemaking.  The FTC will receive public comments on the ANPR until October 21, 2022.

Article By Privacy and Cybersecurity Practice Group of Hunton Andrews Kurth

For more antitrust and FTC legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Speaker Pelosi Expresses Concerns With Federal Privacy Bill’s Preemption Provision

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter- approved amendments.  The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2.  The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.”  Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.”

Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving  California privacy laws.  Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.

Article By Kristin L. Bryan, Jeffrey L. Turner, and Kyle R. Fath of Squire Patton Boggs (US) LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP

Acronis Reports Ransomware Damages Will Exceed $30B by 2023

In its Mid-Year Cyberthreat Report published on August 24, 2022, cybersecurity firm Acronis reports that ransomware continues to plague businesses and governmental agencies, primarily through phishing campaigns.

According to the report over 600 malicious email campaigns were launched in the first half of 2022, with the goal of stealing credentials to launch ransomware attacks. Other attack vectors included vulnerabilities to cloud-based networks, targeting unpatched or software vulnerabilities, and cryptocurrency and decentralized finance systems.

According to Acronis, “ransomware is worsening, even more so than we predicted.” It estimates that global damages related to ransomware attacks will top $30 billion by 2023.

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

What’s in the American Data Privacy and Protection Act?

Congress is considering omnibus privacy legislation, and it reportedly has bipartisan support. If passed, this would be a massive shake-up for American consumer privacy, which has been left to the states up to this point. So, how does the American Data Privacy and Protection Act (ADPPA) stack up against existing privacy legislation such as the California Consumer Privacy Act and the Virginia Consumer Data Protection Act?

The ADPPA includes a much broader definition of sensitive data than we’ve seen in state-level laws. Some notable inclusions are income level, voicemails and text messages, calendar information, data relating to a known child under the age of 17, and depictions of an individual’s “undergarment-clad” private area. These enumerated categories go much further than recent state laws, which tend to focus on health and demographic information. One asterisk though – unlike other state laws, the ADPPA only considers sexual orientation information to be sensitive when it is “inconsistent with the individual’s reasonable expectation” of disclosure. It’s unclear at this point, for example, if a member of the LGBTQ+ community who is out to friends would have a “reasonable expectation” not to be outed to their employer.

Like the European Union’s General Data Protection Regulation, the ADPPA includes a duty of data minimization on covered entities (the ADPPA borrows the term “covered entity” from HIPAA). There is a laundry list of exceptions to this rule, including one for using data collected prior to passage “to conduct internal research.” Companies used to kitchen-sink analytics practices may appreciate this savings clause as they adjust to making do with less access to consumer data.

Another innovation is a tiered applicability, in which all commercial entities are “covered entities,” but “large data holders” – those making over $250,000,000 gross revenue and that process either 5,000,000 individuals’ data or 200,000 individuals’ sensitive data – are subject to additional requirements and limitations, while “small businesses” enjoy additional exemptions. Until now, state consumer privacy laws have made applicability an all-or-nothing proposition. All covered entities, though, would be required to comply with browser opt-out signals, following a trend started by the California Privacy Protection Agency’s recent draft regulations. Additionally, individuals have a private right of action against covered entities to seek monetary and injunctive relief.

Finally, and controversially, the ADPPA explicitly preempts all state privacy laws. It makes sense – the globalized nature of the internet means that any less-stringent state law would become the exception that kills the rule. Still, companies that only recently finalized CCPA- and CPRA-compliance programs won’t appreciate being sent back to the drawing board.

Read the bill for yourself here.

Article By Blair Robinson, a non-lawyer intern in the Data Privacy & Cybersecurity Practice Group at Robinson & Cole LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Judge Approves $92 Million TikTok Settlement

On July 28, 2022, a federal judge approved TikTok’s $92 million class action settlement of various privacy claims made under state and federal law. The agreement will resolve litigation that began in 2019 and involved claims that TikTok, owned by the Chinese company ByteDance, violated the Illinois Biometric Information Privacy Act (“BIPA”) and the federal Video Privacy Protection Act (“VPPA”) by improperly harvesting users’ personal data. U.S. District Court Judge John Lee of the Northern District of Illinois also awarded approximately $29 million in fees to class counsel.

The class action claimants alleged that TikTok violated BIPA by collecting users’ faceprints without their consent and violated the VPPA by disclosing personally identifiable information about the videos people watched. The settlement agreement also provides for several forms of injunctive relief, including:

  • Refraining from collecting and storing biometric information, collecting geolocation data and collecting information from users’ clipboards, unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • Not transmitting or storing U.S. user data outside of the U.S., unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • No longer pre-uploading U.S. user generated content, unless this is expressly disclosed in TikTok’s privacy policy and done in accordance with all applicable laws;
  • Deleting all pre-uploaded user generated content from users who did not save or post the content; and
  • Training all employees and contractors on compliance with data privacy laws and company procedures.

Article By the Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Are You Ready for 2023? New Privacy Laws To Take Effect Next Year

Five new state omnibus privacy laws have been passed and will go into effect in 2023. Organizations should review their privacy practices and prepare for compliance with these new privacy laws.

What’s Happening?

While the US currently does not have a federal omnibus privacy law, states are beginning to pass privacy laws to address the processing of personal data. While California is the first state with an omnibus privacy law, it has now updated its law, and four additional states have joined in passing privacy legislation: Colorado, Connecticut, Utah, and Virginia. Read below to find out if the respective new laws will apply to your organization.

Which Organizations Must Comply?

The respective privacy laws will apply to organizations that meet particular thresholds. Notably, while most of the laws apply to for-profit businesses, we note that the Colorado Privacy Act also applies to non-profits. There are additional scope and exemptions to consider, but we provide a list of the applicable thresholds below.

The California Privacy Rights Act (CPRA) – Effective January 1, 2023

The CPRA applies to for-profit businesses that do business in California and meet any of the following:

  1. Have a gross annual revenue of over $25 million;
  2. Buy, receive, or sell the personal data of 100,000 or more California residents or households; or
  3. Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.

Virginia Consumer Data Protection Act (CDPA) – Effective January 1, 2023

The CDPA applies to businesses in Virginia, or businesses that produce products or services that are targeted to residents of Virginia, and that:

  1. During a calendar year, control or process the personal data of at least 100,000 Virginia residents, or
  2. Control or process personal data of at least 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.

Colorado Privacy Act (CPA) – Effective July 1, 2023

The CPA applies to organizations that conduct business in Colorado or produce or deliver commercial products or services targeted to residents of Colorado and satisfy one of the following thresholds:

  1. Control or process the personal data of 100,000 Colorado residents or more during a calendar year, or
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal data, and process or control the personal data of 25,000 Colorado residents or more.

Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTPDA) – Effective July 1, 2023

The CTPDA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Connecticut residents, or
  2. Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Connecticut residents.

Utah Consumer Privacy Act (UCPA) – Effective December 31, 2023

The UCPA applies to any business that conducts business in the state, or produces a product or service targeted to residents of the state, has annual revenue of $25,000,000 or more, and meets one of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 or more Utah residents, or
  2. Derives over 50% of the gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more Utah residents.

The Takeaway 

Organizations that fall under the scope of these respective new privacy laws should review and prepare their privacy programs. The list of updates may involve:

  • Making updates to privacy policies,
  • Implementing data subject request procedures,
  • How your business is handling AdTech, marketing, and cookies,
  • Reviewing and updating data processing agreements,
  • Reviewing data security standards, and
  • Providing training for employees.

Article By Eva J. Pulliam, Christine Chong, and Destiny Planter of ArentFox Schiff LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review. 

© 2022 ArentFox Schiff LLP

Federal Bill Would Broaden FTC’s Role in Cybersecurity and Data Breach Disclosures

Last week, the House Energy and Commerce Committee advanced H.R. 4551, the “Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies Act” (“RANSOMWARE Act”).  H.R. 4551 was introduced by Consumer Protection and Commerce Ranking Member Gus Bilirakis (R-FL).

If it becomes law, H.R. 4551 would amend Section 14 of the U.S. SAFE WEB Act of 2006 to require not later than one year after its enactment, and every two years thereafter, the Federal Trade Commission (“FTC”) to transmit to the Committee on Energy and Commerce of the House of Representatives and the Committee on Commerce, Science, and Transportation of the Senate a report (the “FTC Report”).  The FTC Report would be focused on cross-border complaints received that involve ransomware or other cyber-related attacks committed by (i) Russia, China, North Korea, or Iran; or (ii) individuals or companies that are located in or have ties (direct or indirect) to those countries (collectively, the “Specified Entities”).

Among other matters, the FTC Report would include:

  • The number and details of cross-border complaints received by the FTC (including which such complaints were acted upon and which such complaints were not acted upon) that involve ransomware or other cyber-related attacks that were committed by the Specified Entities;
  • A description of trends in the number of cross-border complaints received by the FTC that relate to incidents that were committed by the Specified Entities;
  • Identification and details of foreign agencies, including foreign law enforcement agencies, located in Russia, China, North Korea, or Iran with which the FTC has cooperated and the results of such cooperation, including any foreign agency enforcement action or lack thereof;
  • A description of FTC litigation, in relation to cross-border complaints, brought in foreign courts and the results of such litigation;
  • Any recommendations for legislation that may advance the security of the United States and United States companies against ransomware and other cyber-related attacks; and
  • Any recommendations for United States citizens and United States businesses to implement best practices on mitigating ransomware and other cyber-related attacks

Cybersecurity is an area of recent federal government focus, with other measures recently taken by President Bidenthe Securities and Exchange Commissionthe Food and Drug Administration, and other stakeholders.

Additionally, H.R. 4551 is also consistent with the FTC’s focus on data privacy and cybersecurity.  The FTC has increasingly taken enforcement action against entities that failed to timely notify consumers and other relevant parties after data breaches and warned that it would continue to apply heightened scrutiny to unfair data security practices.

In May 2022, in a blog post titled “Security Beyond Prevention: The Importance of Effective Breach Disclosures,” the FTC’s Division of Privacy and Identity Protection had cautioned that “[t]he FTC has long stressed the importance of good incident response and breach disclosure as part of a reasonable information security program, and that, “[i]n some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.”

As readers of CPW know, state breach notification laws and sector-specific federal breach notification laws may require disclosure of some breaches.  However, as of May 2022 it is now expressly the position of the FTC that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”  This is a significant development, as notwithstanding the absence of a uniform federal data breach statute, the FTC is anticipated to continue exercise its enforcement discretion under Section 5 concerning unfair and deceptive practices in the cybersecurity context.

Article By Kristin L. Bryan and Jeffrey L. Turner of Squire Patton Boggs (US) LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP