The Digital Download – Alston & Bird's Privacy & Data Security Newsletter – August 2024

July 25, 2024 – Cara Peterman, Sierra Shear, and Madeleine Davidson published "Securities Litigation / Privacy, Cyber & Data Strategy / Securities Law Advisory | First of Its Kind: Federal Court
Belgium Privacy

Publications and Advisories

Selected U.S. Privacy and Cyber Updates

New York AG Seeks Comments on Rulemaking for Minors' Online Protection Laws

On August 1, 2024, New York Attorney General Letitia James issued two advanced notices of proposed rulemaking (ANPRs) for the Stop Addictive Feeds Exploitation for Kids Act (SAFE Act) and the Child Data Protection Act (CDPA), which New York Governor Kathy Hochul signed into law on June 20, 2024. The ANPRs invite interested parties to submit comments on the rules that James plans to promulgate for the SAFE Act and CDPA.

6th Circuit Upholds 20-Year Sentence of Chinese Spy Convicted of Espionage Crimes, Attempting to Steal Trade Secrets

On August 7, 2024, the Sixth Circuit upheld a Chinese spy's 20-year prison sentence for attempting to steal aviation trade secrets from General Electric. Yanjun Xu, a deputy director in China's Ministry of State Security, was responsible for trying to steal aviation-related proprietary information.

NYDFS Issues Final Circular Letter Guidance on Use of AI in Insurance Underwriting and Pricing

On July 11, 2024, the New York Department of Financial Services released Insurance Circular Letter No. 7, which establishes guidelines on the use of artificial intelligence systems and external consumer data and information sources in insurance underwriting and pricing.

CISA Releases Findings from Its AI Pilot Program on Detecting Critical Vulnerabilities

On July 28, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it piloted an AI-enabled vulnerability program to help detect and remediate vulnerabilities in the U.S. government's critical networks, systems, and software, as required by Executive Order 14110.

Senate Passes Bill for Kids Online Safety and Privacy Act

On July 30, 2024, in a 91–3 vote, the U.S. Senate passed the Kids Online Safety and Privacy Act. The bill, which combines the bills for the Kids Online Safety Act (KOSA) and the Children and Teens' Online Privacy Protection Act (CTOPPA), aims to expand online safety and privacy protections for individuals under the age of 17.

U.S. Court Rules Against Online Travel Booking Company in Web-Scraping Case

On July 18, 2024, a federal jury in Delaware found that an online travel booking company violated the Computer Fraud and Abuse Act (CFAA) by accessing portions of a European airline's website without permission and "with intent to defraud" the airline. In particular, the jury unanimously found that the online travel company violated the CFAA by using a third-party service provider to scrape the airline's website to find and resell airline tickets to its own customers at an additional charge. The jury further found that the online travel company's scraping activity caused damage to the airline of at least $5,000, which the airline alleged resulted from service interruptions to its website, data, and underlying database, amounts spent by the company attempting to prevent the unauthorized scraping, and other losses.

CPPA Holds Preliminary Stakeholder Session on Accessible Deletion Mechanism Under Delete Act

On June 26, 2024, the California Privacy Protection Agency (CPPA) held a stakeholder session to provide information and gather stakeholder input on the CPPA's mandate to build an accessible deletion mechanism known as the Delete Request and Opt-Out Platform (DROP) as required by the California Delete Act. DROP will allow consumers to request the deletion of their personal information held by data brokers through a single request. Generally, the public comments addressed concerns about potential administrative and technical burdens on data brokers, clarifying and confirming the scope of deletion requests, and verifying deletion requests.

Pennsylvania Amends Data Breach Notification Law

Pennsylvania's governor has approved amendments that significantly overhaul the commonwealth's data breach notification law. The amendments make a number of material changes, including adding a regulator notification requirement, lowering the threshold of impacted Pennsylvania residents triggering a notification requirement to the consumer reporting agencies, slightly tweaking the definition of "personal information," and adding a requirement to offer credit monitoring and to pay for a credit report for impacted individuals who are not able to obtain one for free. The amended law goes into effect on September 26, 2024.

CPPA Board Declines to Advance CCPA Regulations to Formal Rulemaking; CPPA Highlights Enforcement Priorities

On July 16, 2024, the CPPA board declined to advance to formal rulemaking California Consumer Privacy Act (CCPA) draft regulations on cybersecurity audits, risk assessments, automated decision-making technology, insurance companies, and updates to existing regulations. The CPPA board voted against advancing the regulations during its board meeting when it also received an update on CPPA enforcement priorities.

California AG Announces $500,000 Settlement with Mobile Game App Company for Unlawful Collection and Sharing of Children's Data

On June 18, 2024, California Attorney General Rob Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a settlement with a video game developer and publisher over allegations that the company violated the CCPA, the federal Children's Online Privacy Protection Act, and California's Unfair Competition Law. The settlement requires the company to pay $500,000, implement certain privacy practices for the protection of children, and provide annual reports under regulatory monitoring for three years. This case marks the third public CCPA enforcement action by the California AG to date, following prior settlements in August 2022 and February 2024.

SEC Corporation Finance Provides Additional Guidance on the Disclosure of Material Cybersecurity Incidents in Form 8-K

On June 24, 2024, the Division of Corporation Finance of the Securities and Exchange Commission (SEC) issued five new Compliance and Disclosure Interpretations (C&DIs) related to the disclosure of "material" cybersecurity incidents in Item 1.05 of Form 8-K. The C&DIs present hypothetical fact patterns related to ransomware attacks and insurance reimbursement for damages related to cybersecurity incidents.

SEC Settlement Suggests the Agency's Attempt to Regulate Cybersecurity Controls

On June 18, 2024, the SEC announced a $2.125 million settlement with R.R. Donnelley & Sons Co. relating to the company's 2021 ransomware attack. The settlement, and the SEC's accompanying cease-and-desist order, portend the agency's continued and increasing oversight over registrants' cybersecurity policies and practices.

New York State Department of Health Revises Proposed Hospital Cybersecurity Regulations

In May 2024, the New York State Department of Health issued revisions to proposed regulations on hospital cybersecurity that it first released in November 2023. The proposed revised regulations were subject to public comment that ended on July 1, 2024 and applied to general hospitals licensed under Article 28 of the New York State Public Health Law.

DOJ Announces $11.3 Million in Settlements for FCA Violations

On June 17, 2024, the Department of Justice (DOJ) announced a settlement with two U.S.-based consulting companies that agreed to pay a combined total of $11.3 million to resolve allegations that they violated the False Claims Act by failing to comply with cybersecurity requirements in government contracts. According to the DOJ, the companies failed to meet cybersecurity requirements in contracts intended to ensure the security of New York's emergency rental assistance program application, which provided rental assistance to individuals in need during the COVID-19 pandemic.

White Paper on Clarifying Definitions in the Protecting Americans' Data from Foreign Adversaries Act of 2024

On May 14, 2024, Peter Swire published a white paper at the Cross-Border Data Forum, analyzing the definitions in the Protecting Americans' Data from Foreign Adversaries Act of 2024 (PADFAA), which was passed on April 24, 2024 and took effect on June 23, 2024. The white paper discusses some ambiguities in the text of the new law and the consequences that may result from differing interpretations of the language. It also includes an appendix comparing the PADFAA definitions to those in the Executive Order on bulk sensitive data.

Data Breach Notification Requirements Under the Safeguards Rule Now in Effect

On May 13, 2024, new breach notification requirements under the FTC's Gramm–Leach–Bliley Act Safeguards Rule came into effect. These new FTC rules represent a significant change for financial institutions overseen by the FTC, requiring a new form of regulatory notification that covers a much wider range of incidents.

Tennessee Law Designed to Combat Deepfakes Set to Take Effect in July

On July 1, 2024, the Tennessee Ensuring Likeness, Voice, and Image Security (ELVIS) Act will go into effect, bolstering the limitations on the unauthorized commercial use of an individual's voice. The ELVIS Act, which amends the Tennessee Personal Rights Protection Act of 1984, was enacted in response to the growing proliferation of AI-generated and deepfake music that has mimicked the work of many stars and celebrities. The ELVIS Act broadly proscribes the distribution of "an individual's voice or likeness" if the distributor has knowledge that use of the voice or likeness was not authorized by the individual. The ELVIS Act specifically targets deepfakes by also proscribing distribution of a person's voice, image, or likeness if the unauthorized user "distributes, transmits, or otherwise makes available an algorithm, software, tool, or other technology, service, or device, the primary purpose or function of which is the production of" a particular, identifiable individual's photograph, voice, or likeness.

SEC Corporation Finance Director Clarifies That Form 8-K Item 1.05 Disclosures Should Be Limited to "Material" Cybersecurity Incidents

On May 22, 2024, the director of the Division of Corporation Finance of the SEC issued further guidance on the disclosure of cybersecurity incidents on Form 8-K. The statement builds on and provides additional clarity to companies seeking to comply with the SEC's 2023 cybersecurity rules, which require public companies to disclose "material cybersecurity incidents" under Item 1.05 of Form 8-K.

LockBit Takedown Indicates Shifting DOJ Cyber Strategy and Has Implications for Ransomware Victims

On May 7, 2024, the United States unsealed an indictment against Dimitry Yuryevich Khoroshev, one of the leaders of the Russian-based ransomware group LockBit, for his alleged involvement in developing and distributing the LockBit ransomware. According to the indictment, Khoroshev performed both administrative and operational roles for the cybercrime group, including upgrading the LockBit infrastructure, managing LockBit affiliates, and recruiting new developers for the ransomware. Since emerging in 2020, LockBit has become one of the most prolific ransomware groups in the world, targeting over 2,500 victims worldwide and allegedly receiving more than $500 million in ransom payments, according to DOJ statistics. The group licenses its ransomware software of the same name to affiliate cybercriminal groups, which use the software to encrypt and steal data from victims' systems. LockBit itself provides support and receives a portion of any ransom payment typically made in exchange for system decryption and promises to delete the stolen data.

NIST Cybersecurity Framework 2.0 Prioritizes Governance and Flexibility

In early 2024, the National Institute of Standards and Technology (NIST) issued an update to its Cybersecurity Framework (CSF) with the release of version 2.0, the first update since April 2018 (version 1.1). While the core components of the CSF remain, there are two thematic changes. First, CSF 2.0 no longer applies just to critical infrastructure organizations but rather explicitly aims to assist all organizations in managing and reducing risks across industries and sectors, regardless of their cybersecurity sophistication. Second, it adds "Govern" as a sixth core function, alongside Identify, Protect, Detect, Respond, and Recover. CSF 2.0 also contains significant additions and a refocus on cybersecurity supply chain risk management (C-SCRM), which is not too unsurprising given organizational reliance on third-party vendors and supply chain attacks.

Selected Global Privacy and Cybersecurity Updates

Dutch Data Protection Authority Warns That Using AI Chatbots Can Lead to Personal Data Breaches

On August 6, the Dutch Data Protection Authority (DPA) issued guidance cautioning companies about the potential data protection risks associated with the use of AI-powered chatbots. In its guidance, the DPA reports that it has recently received several notifications of personal data breaches caused by employees sharing personal data with a chatbot that uses AI.

What to Tell Your C-Suite About the EU AI Act

On July 12, 2024, the European Union's long-awaited Artificial Intelligence (AI) Act was finally published. It entered into force on August 1, 2024. The AI Act is a landmark legal framework that imposes obligations on both private and public sector actors that develop, import, distribute, or use in-scope AI systems.

EU Artificial Intelligence Act Signed into Law

On June 13, 2024, the AI Act was signed into law. The AI Act will impose obligations on both private and public sector actors that provide, import, distribute, or deploy in-scope AI systems. It also contains obligations that apply to general-purpose AI models.

Events

In the News

Press Releases

Alston & Bird Creates Ransomware Fusion Center

As ransomware actors mature their tactics, Alston & Bird's Privacy, Cyber & Data Strategy Team has created a Ransomware Fusion Center to help organizations enhance their ransomware readiness and response protocols.

Alston & Bird Represents Whitley Family in Acquisition of Old Edwards Hospitality Group

Alston & Bird represented the Whitley family in the acquisition of Old Edwards Hospitality Group, a collection of upscale hotels, golf courses, and restaurants in Highlands, North Carolina, as well as several residential communities in nearby Cashiers. Daniel Gerst, Dorian Simmons, John Lesko, Sara Pullen Guercio, and Andrew Rice are noted from the Privacy, Cyber & Data Strategy Team.

Alston & Bird Receives Key Recognitions from The Legal 500 US 2024

Alston & Bird has received significant recognition in the 2024 edition of The Legal 500 United States. The rankings include five of the firm's key practice areas including cyber law. Kim Peretti continues to be named a "Leading Lawyer" in Cyber law.

Alston & Bird Adds Privacy, Cyber & Data Strategy Partner Jennifer Everett

Alston & Bird has further enhanced its Privacy, Cyber & Data Strategy Team with the addition of partner Jennifer Everett to the firm's Washington, D.C. office. With a focus on health care and emerging technologies, Jennifer advises clients on data privacy and complex cybersecurity.

Alston & Bird Increases Practices and Attorneys Recognized in Chambers USA 2024

Alston & Bird has received significant recognition in the 2024 edition ofChambers USA: America's Leading Lawyers for Business, with 73 practice rankings and 153 leading lawyer listings. The Privacy, Cyber & Data Strategy Team is ranked Band 4 for Privacy & Data Security: The Elite. Kim Peretti is ranked Band 1 for Privacy & Data Security: Cybersecurity.

"The Digital Download" is produced by Alston & Bird'sPrivacy, Cyber & Data Strategy Team, led byKim PerettiandDavid Keating. It is edited byPaul GreavesandYin Tydir.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More