For healthcare providers and health systems covered by the privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA), a breach of unsecured protected health information (PHI) likely triggers obligations to notify affected individuals, the federal Office of Civil Rights (OCR), potentially the media and other entities. The breach also may require notification to one or more state Attorneys General, an obligation that depends on state law. Currently, the state data breach notification law in Michigan does not provide for Attorney General notification, something Michigan Attorney General Dana Nessel wants to change, according to reporting earlier this month from the HIPAA Journal.

Spurring the Michigan AG are concerns about the timing of notification to patients about recent breaches involving health systems but which were breaches experienced by downstream vendors. These are important concerns considering the increasing identity crimes and overall data risk individuals face, which can be mitigated to some degree with timely notification. However, health systems and entities in other industries can find themselves caught in a tough spot from a notification perspective when dealing with a breach experienced by a vendor.

On the one hand, quickly putting notification in the hands of individuals about a compromise of their personal data is critical to helping those individuals take measures to protect themselves from ID theft and other harms. Notification may prompt individuals to be more vigilant about their personal information, review credit reports, set up a fraud alert, check their bank statements and other measures to protect themselves from cyber criminals.  On the other hand, as a practical matter, the time between the date the breach occurred (as experienced by a downstream vendor) and the date of notification to patients can be affected by many factors, several of which may be outside the control and sometimes the knowledge of the covered entity. Looking solely to that metric in some cases may not be the most appropriate measure of timeliness to assess a covered entity’s performance and compliance when responding to a breach. If it is a metric upon which enforcement can be based, covered entities may need to revisit their incident response plans and vendor relationships to that timeframe as much as possible.

Let’s unpack this a little.

  • Recall that under HIPAA, a breach must be reported “without unreasonable delay and in no case later than 60 calendar days after discovery.” 45 CFR 164.404(b) (emphasis added).
  • A downstream vendor experiencing a breach of PHI likely is (but not always) a business associate of the covered healthcare provider. Of course, the relationship may not be that close. The vendor may be the subcontractor of the subcontractor of the business associate of the covered entity.
  • The general rule under the HIPAA Breach Notification rule is that business associates are obligated to notify the covered entity of a breach, not the affected individuals. See 45 CFR 164.410(a)(1). When there are multiple layers of business associates, a chain of notification commences where one business associate notifies the next business associate upstream and so on until getting to the covered entity. In many cases, the business associate experiencing a breach may not know what entity or entities are the ultimate covered entity(ies). See more on that below.
  • Under the HIPAA Breach Notification rule, business associates are not obligated to notify affected individuals. That obligation, unless delegated, remains with the covered entity. 45 CFR 164.404(a)(1).
  • The HIPAA Breach Notification rule also provides that when a business associate has a breach it must report “the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.” 45 CFR 164.410(c)(1).
  • In some cases, vendors effectively have no access to the PHI that they maintain or store for the ultimate covered entities, but still may be considered business associates. Other similar vendors may fall under a “conduit exception” and not be considered business associates under HIPAA. In either case, they may nonetheless have obligations other than HIPAA (statutory or contractual) to notify their customers of a breach. In these cases, however, the vendors simply may not be in a position to provide critical information upstream, such as identity of the affected individuals.
  • As the reporting of the data breach travels upstream, the covered entity may be completely unaware of the breach. It could be weeks or even months after the breach actually occurred before news of the breach reaches the covered entity. Consider that the vendor that experienced the breach may not have discovered it for some time after the attack happened, further expanding the time between the breach occurring and ultimate notification to patients.
  • Upon discovery of a security incident from a business associate, which already could be long after the breach actually occurred and several layers downstream, the covered entity must initiate its incident response plan. One of the first tasks will be to understand what happened and what data was affected. This news often does not come with a spreadsheet from which the affected individuals could easily be identified. It may instead arrive in the form of a long list of files and folders that contain thousands and thousands of documents, images, records, etc. Many of these items may have no PHI whatsoever. The challenge is to find those documents, images, records, etc. that do, and to pull from those items the individuals affected and the kind of information involved. This process, sometimes referred to as data mining and document review, often is complex, time-consuming, and costly.
  • On completion of the data mining and document review process, the covered entity will begin to have a better sense of the individuals affected, the type of information compromised, the state(s) in which those individuals reside, etc. At this point, covered entities will work quickly to arrange for notification to individuals, the OCR, and, if applicable, the media, state agencies, others. 

There is no doubt that breach notification laws serve an important purpose, namely, to alert affected individuals about a compromise to their sensitive data so that they can take steps to protect against ID theft and other risks. However, the promptness of notice can and often is hampered by factors outside of the covered entity’s control, particularly if the measure of promptness is the time between the date the breach occurred (regardless of what entity experienced the breach) and the date of notification to individuals.

All that being said, there may be some ways that covered entities might tighten up this process. One consideration, of course, is to adopt, regularly assess, and practice an incident response plan. Another is to have a more granular understanding of the data certain vendors are handling for the covered entity. Still another consideration is to revisit the entity’s vendor management program. Looking more closely at downstream service providers beyond direct business associates might be helpful in assessing the notification process and timing should a breach take place downstream. Having more information about downstream vendors, their roles, and the data they process may serve to shorten the notification timeline. Ultimately, even if there is a delay downstream, before the covered entity discovered the breach, a well-executed incident response plan, one that results in a shortened timeframe between discovery and notification, could help to improve the covered entity’s defensible position whether facing a litigation or government agency enforcement action.

To celebrate Data Privacy Day (January 28), we present our top ten data privacy and cybersecurity predictions for 2024.

  1. AI regulations to protect data privacy.

Automated decision-making tools, smart cameras, wearables, and similar applications, powered by technology commonly referred to as “artificial intelligence” or “AI” will continue to expand in 2024 as will the regulations to protect individuals’ privacy and secure data when deploying those technologies. Last year, we saw a comprehensive Executive Order from the Biden Administration, the New York City AI law take effect, and states like Connecticut passed laws regarding the state use of AI. Already in 2024, several states have introduced proposed AI regulation, such as  New York developing an AI Bill of Rights.

The use of “generative AI” also exploded, as several industries sought to leverage its benefits while trying to manage risks. In healthcare, for example, AI and HIPAA do not always mix when it comes to maintaining the confidentiality of protected health information. Additionally, generative AI is not only used for good, as criminal threat actors have enhanced their phishing attacks against the healthcare industry.

  1. The continued expansion of the patchwork of state privacy laws.

In 2023, seven states added comprehensive consumer privacy laws. And several other states enacted more limited privacy laws dealing with social media or health-related data. It looks like 2024 will continue the expansion. Already in 2024, New Jersey has passed its own consumer privacy law, which takes effect in 2025. And New Hampshire is not far behind in potentially passing a statute.

  1. Children’s data protections will expand.

In 2023, several states passed or considered data protection legislation for minors with growing concerns that the Children’s Online Privacy Protection Act (COPPA) was not sufficient to protect children’s data. Connecticut added additional protections for minors’ data in 2023.

In 2024, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking pertaining to COPPA, in addition to several states proposing legislation to protect children’s online privacy.

  1. Cybersecurity audits will become even more of a necessity to protect data.

As privacy protection legislation increases, businesses must start working to protect the data they are collecting and maintaining. The importance of conducting cybersecurity audits to ensure that policies and procedures are in place.

In 2023, there California Privacy Protection Agency considered regulations pertaining to cybersecurity audits. The SEC and FTC expanded obligations for reporting security breaches, making audits, incident response planning, and tabletop exercises to avoid such incidents all the more important.

It is anticipated there will be further regulations and legislation forcing companies to consider their cybersecurity in order to protect individuals’ privacy.

  1. Genetic and health data protection will continue to rise.

In 2023, Nevada and Washington passed health data privacy laws to protect data collected that was not subject to HIPAA. Montana passed a genetic information privacy law. Already this year Nebraska is advancing its own genetic information privacy law. It is likely concerns about health and genetic data will grow along with other privacy concerns and so too will the legislation and regulations. We also have seen a significant uptick in class action litigation in Illinois under the state’s Genetic Information Privacy Act (GIPA). A close relative to the state’s Biometric Information Privacy Act (BIPA), GIPA carried nearly identical remedy provisions, except the amounts of statutory damages are higher than under BIPA.

  1. Continued enforcement actions for data security.

As legislation and regulations grow so too will enforcement actions. Many of the state statutes and city regulations only allow for governmental enforcement, however, those entities are going to start enforcing requirements to ensure there is an incentive for businesses to comply. In 2023, we saw the New York Attorney General continue its active enforcement of data security requirements.

  1. HIPAA compliance will continue to be difficult as it overlaps with cybersecurity.

In 2023, the Office of Civil Rights (OCR) which enforces HIPAA, discussed issues with driving cybersecurity and HIPAA compliance as well as other compliance concerns.  In 2024, entities required to comply with HIPAA will be challenged to determine how to use new and useful technologies and data sharing while maintaining privacy, while also protecting HIPAA-covered information as cybersecurity threats continue to flourish.

  1. Website tracking technologies will continue to be in the hot seat.

In 2023, both the FTC and the Health and Human Services (HHS) took issue with website tracking technologies such as through “pixels”. By the time that guidance was issued, litigation concerning these technologies pertaining to data privacy and data sharing concerns had already been expanding. To help clients identify and address these risks Jackson Lewis and SecondSight joined forces to offer organizations a website compliance assessment tool that has been well received.

In 2024, it is anticipated that there will be further website-tracking litigation as well as enforcement actions from governmental agencies that see the technology as infringing on consumers’ privacy rights.

  1. Expect biometric information to increasingly be leveraged to address privacy and security concerns.

As we move toward a “passwordless” society,  technologies using biometric identifiers and information continue to be the “go-to” method for authentication. However, also increasing are the regulations on the collection and use of biometric information. While the Illinois Biometric Information Privacy Act (BIPA) is most prolific in its protection of biometric information, many of the new comprehensive privacy laws include protections for biometric information. See our biometric law map for developments.  

  1. Privacy class actions will continue to increase.

Whether it is BIPA, GIPA, CIPA, TCPA, DPPA, pixel litigation, or data breach class actions, 2024 will likely see an increase in privacy-related class actions. As such, it becomes more important than ever for businesses to understand and ensure the protection of the data they collect and control.

For these reasons and others, we believe data privacy will continue to be at the forefront of many industries in 2024, and Jackson Lewis will continue to track relevant developments. Happy Privacy Day!

On January 16, 2024, New Jersey’s Governor signed  Senate Bill (SB) 332, which establishes a consumer data privacy law for the state.  New Jersey becomes the 13th state to pass a comprehensive data consumer privacy law. The law would take effect one year after its enactment, on January 16, 2025.

To whom does the law apply?

The law applies to controllers defined as an individual or legal entity that alone or jointly with others determines the purpose and means of processing personal data that do business in New Jersey or produce products or services targeted at New Jersey residents and that during a calendar year either:

  • Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely to complete a payment transaction; or
  • Control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

Who is protected by the law?

Under the law covered consumer is defined as a person who is a resident of New Jersey acting only in an individual or household context. Like several other states, excluding California, the consumer does not include a person acting in a commercial or employment context.

What data is protected by the law?

The law will protect data that qualifies as “personal data” which is information that is linked or reasonably linkable to an identified or identifiable person. It does not include de-identified data or publicly available information.

What are the rights of consumers?

Under the law, a consumer has the following rights:

  • To confirm whether a controller processes the consumer’s personal data and access such personal data.
  • To correct inaccuracies in the consumer’s personal data.
  • To delete personal data concerning the consumer.
  • To obtain a copy of the consumer’s data.
  • To opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

What obligations do businesses have?

A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that shall include but may not be limited to:

  • The categories of the personal data that the controller processes.
  • The purpose of processing personal data.
  • The categories of all third parties to which the controller may disclose a consumer’s personal data.
  • The categories of personal data that the controller shares with third parties, if any
  • How consumers may exercise their consumer rights.
  • The process by which the controller notifies consumers of material changes to the notification.
  • An active e-mail address or other online mechanism that consumers may use to contact the controller.

If the controller sells personal data to third parties or processes personal data for purposes of targeted advertising, the sale of personal data, or profiling on a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may opt out of the sale or processing.

A controller must respond to a verified consumer rights request from a consumer within 45 days of the controller’s receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary considering the complexity and number of the consumer’s requests.

How is the law enforced?

The attorney general shall have sole and exclusive authority to enforce a violation of the statute.

If you have questions about New Jersey’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Phishing has long been a favorite tactic for threat actors (hackers) to commence a cyberattack. The rapid expansion of more adaptable and available artificial intelligence (AI) technologies, such as natural language processing and large language models, now fuels more ferocious phishing campaigns. The effects are being felt in many industries, perhaps most notably the healthcare industry. One indicator of that may be the recent Office for Civil Rights (OCR) announcement of its “First Ever Phishing Cyber-Attack Investigation

In October 2023, the U.S. Department of Health and Human Services (HHS) and the Health Sector Cybersecurity Coordination Center (HC3) published a white paper entitled, AI-Augmented Phishing and the Threat to the Health Sector, the HC3 Paper. While many have been using ChatGPT and similar platforms to leverage generative AI capabilities to craft client emails, layout vacation itineraries, support coding efforts, and help write school papers, threat actors have been hard at work using the technology for other purposes. According to the HC3 Paper,

Making this even easier for attackers, tools such as FraudGPT have been developed specifically for nefarious purposes. FraudGPT is a generative AI tool that can be used to craft malware and texts for phishing emails. It is available on the dark web and on Telegram for a relatively cheap price – a $200 per month or $1700 per year subscription fee – which makes it well within the price range of even moderately-sophisticated cybercriminals.

The HC3 Paper is informative. It not only outlines some basics about AI and the healthcare industry, but also speaks to helpful countermeasures and best practices. These include:

  • email filtering,
  • employee training and awareness,
  • multifactor authentication, and
  • endpoint security management.

Of course, phishing is nothing new. As noted by the HC3 Paper, the FBI’s Internet Crime Complaint Center (IC3) found that phishing attacks were the number one reported cybercrime in 2022, with over 300,00 complaints reported. And, important for the healthcare industry, phishing was the most common attack impacting healthcare organizations, amounting to nearly half of the attacks in 2021, according to the Healthcare Information and Management Systems Society.

This brings us to the recent OCR’s enforcement action and resolution agreement. According to OCR announcement, a relatively small urgent care center in Louisiana, experienced a HIPAA breach that was initiated by a phishing attack. Reports about the incident suggest the attack affected nearly 35,000 individuals. According to the resolution agreement, the OCR alleged that prior to the incident, the HIPAA covered entity had not conducted a HIPAA Security Rule risk analysis or implemented procedures to regularly review records of information system activity. In addition to the payment of a restitution amount of $480,000, the center agreed to a two-year corrective action plan.

Phishing attacks are serious business and they have become more so since being fueled by AI technologies – the healthcare industry continues to be a prime target. It is critical for covered entities and business associates to not only implement measures to prevent these attacks, but to also be prepared to respond when they occur. Develop and maintain an incident response plan! Back to basics on HIPAA compliance also is critical when responding to an OCR inquiry. Cyberattacks happen and inquiries may follow. Maintaining a record of HIPAA compliance will be one of, if not, the most important element in the response to the OCR or state agency.

As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular topics from 2023.

  1. States Passing Comprehensive Privacy Laws

There was a landslide of comprehensive state privacy laws passed in 2023, from coast to coast. The laws are similar in mandating requirements for businesses to allow consumers to access, correct, delete, and opt out of the collection of, their personal data.

  • Delaware – Effective January 1, 2025
  • Indiana – Effective January 1, 2026
  • Iowa – Effective January 1, 2025
  • Montana – Effective October 1, 2024
  • Oregon – Effective July 1, 2024
  • Tennessee – Effective July 1, 2025
  • Texas – Effective July 1, 2024
  1. California Superior Court Put the Brakes on Enforcement of California Privacy Rights Act

In March 2023, the California Chamber of Commerce filed a Petition for Writ of Mandate and Complaint for Declaratory and Injunctive Relief against the California Privacy Protection Agency (CPPA), the agency tasked with implementation and enforcement of the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA).

The writ sought to compel the CPPA to promptly adopt final regulations and seek to enjoin enforcement actions under the CPRA until 12 months after the adoption of final implementing regulations.

The hearing on the petition for Writ of Mandate was on June 30, 2023, the last day before enforcement was set to commence for the CPRA. Specifically, the superior court’s opinion discusses that the CPPA adopted the first set of regulations in 12 of the 15 areas needed on March 29, 2023.

  1. New York AG Releases Guide for Businesses on Effective Data Security

New York’s Attorney General (“NYAG”) has made enforcement of the New York SHIELD Act an enforcement priority. The SHIELD Act requires organizations handling personal information related to New York residents to maintain reasonable safeguards to protect that information.  Maintaining its focus on this area, the NYAG recently released a guide to help organizations strengthen their data security programs and “to put [them] on notice that they must take their data security obligations seriously, and at a minimum, take the reasonable steps outlined” in the NYAG’s guide

  1.      Data Protection Update: Q4 Noteworthy Dates

From UK Data Transfers to the NIST draft documents regarding cybersecurity, the fourth quarter wrap-up covered wide-ranging developments in data protection.

  1. Getting Healthcare in 2023 and Beyond…Virtually…and Securely

For many reasons, using digital information and communication technologies to deliver healthcare services can provide enormous benefits to the overall healthcare system. Indeed, predictions from many leaders in healthcare see expanded use of remote patient care and monitoring, along with other technologies such as artificial intelligence, robotics, and wearables.

  1. Immigration and Citizenship Status Add to Definition of Sensitive Information under California’s Consumer Privacy Act

California’s Governor Newsom signed Assembly Bill (AB) 947. Effective January 1, 2024, the bill will revise the California Consumer Privacy Act (CCPA) definition of “sensitive personal information” to include personal information that reveals a consumer’s citizenship or immigration status.

  1. HHS and FTC Send Joint Letter to 130 Hospital Systems, Telehealth Providers Re: Tracking Technologies

The Department of Health and Human Services and the Federal Trade Commission have sent a joint letter to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities.

  1.   Virginia Passes Legislation Prohibiting the Use of Employees’ Social Security Numbers as Identifiers

Virginia’s governor approved Senate Bill 1040, which prohibits an employer from using an employee’s social security number or any derivative as an employee’s identification number. The bill also prohibits including an employee’s social security number or any number derived from the social security number on any identification card or badge.

  1. SEC Cyber Enforcement and SEC New Cybersecurity Disclosure Requirements

 The SEC has had a particular interest in cybersecurity in 2023, driving discussions in boardrooms and corporate security departments of large organizations about the handling and reporting of cybersecurity breaches.

  1. President Biden Issues Executive Order Regarding the Development and Use of AI

On October 30, 2023, President Biden issued an Executive Order regarding the Development and Use of Artificial Intelligence across the federal government. The Executive Order (EO) is intended to establish new standards for AI safety and security. The EO builds on principles set forth last year in the White House’s Blueprint for an AI Bill of Rights.

The EO comes as states, like Connecticut, are also looking to address AI

Jackson Lewis will continue to track important developments in privacy, data management, and cybersecurity in the new year. If you have questions about these or other related issues contact a Jackson Lewis attorney to discuss.

According to a New York Times story this weekend, the Security Exchange Commission’s lawsuit against SolarWinds is driving discussions in boardrooms and corporate security departments of large organizations about the handling and reporting of cybersecurity breaches. It turns out that such boards and departments may not be the only ones following the SEC’s increased focus on cybersecurity and data breaches.

Criminal threat actor group, BlackCat, reportedly posted on its dark web leak site that its latest cyberattack victim failed to comply with the soon to apply SEC four-day rule for reporting data breaches. As reported by databreaches.net, the hackers also filed a report with the SEC. How these developments will shape corporate disclosures, incident response planning, and reporting is unknown.

On the one hand, the New York Times article suggests, the use of boilerplate language by public companies to describe cybersecurity risks may be insufficient where the company is aware of more specific risks. On the other hand, more specific disclosures about potential risks could expose companies to increased attacks (yes, the bad guys do their research). And, there is some question about whether a primary SEC objective would be served, namely whether the average investor would be able to grasp the impact of more granular reporting on the sheer number of vulnerabilities such organizations face.

Still others worry about a chilling effect. In the SEC’s fraud case against SolarWinds, the agency named the company’s CISO as well as the company. The NYT reminded readers that personal exposure for CISOs following a major data breach is not new. Whether these developments provide an incentive not to document vulnerabilities raises some concerns.

But there may not be a chilling effect at all. The potential for personal liability might push some CISOs to over disclose or at least diverge from the wishes of other executives to “paint a rosy or maybe rosier-than-aligned-with-reality picture.”

Of course, these are the kinds of reactions that might be expected following the SEC’s enforcement action – are our disclosures sufficient, we have to be careful about disclosing too much about our vulnerabilities, will the CISO share too much or not enough to avoid personal liability, etc. Reconciling these competing concerns will not be easy, particularly in the absence of clear agency guidance and the facts of a given situation. Further, they are concerns that should not be limited to public companies.

That challenge becomes intensely more complex when criminal threat actors unpredictably join the discussion. For anyone that has been through a significant security incident investigation, there are a myriad of decision points that have to be made along what often is a very short timeline. Each decision, particularly decisions dealing with communication and reporting, and even when well-intended, comes with multiple facets – report to whom, report when, what must be communicated, it is accurate, it is complete, what if facts change, what will the effects be, etc.

Now knowing that threat actors may be bold enough to report to relevant government agencies may change the calculus of these deliberations.

Facing these issues for the first time when your organization has been compromised and criminal threat actors are demanding millions in ransom while reporting to your primary government regulator(s) is not a good business strategy. No incident response plan will be perfect or prepare the organization for every curveball that will be thrown in a data breach matter, but actively planning for these situations can help. This includes aligning with the organization’s CISO on existing systems vulnerabilities, how best to communicate about them, and addressing potential business and personal exposure in an increasingly complex regulatory environment.

On October 30, 2023, President Joe Biden issued an Executive Order regarding the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.” The Executive Order (EO) directs departments and agencies throughout the government, including the Department of Homeland Security (DHS) and the Department of State (DOS), to develop plans and policies to establish new standards for artificial intelligence (AI) use.

Read the full article on Jackson Lewis’ Immigration Blog .

On October 30, 2023, President Biden issued an Executive Order regarding the Development and Use of Artificial Intelligence across the federal government. The Executive Order (EO) is intended to establish new standards for AI safety and security. The EO builds on principles set forth last year in the White House’s Blueprint for an AI Bill of Rights.

The EO uses the definition of AI found in 15 U.S.C. 9401(3) which is the National Artificial Intelligence Initiative, which is a machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. As such, the EO is not limited to just technologies like ChatGPT but also machine-based systems that make predictions, recommendations, and decisions.

Here are the highlights:

  • The EO directs multiple government agencies from the Department of Commerce to the Department of Energy to develop guidelines and plans around the use and development of AI.
  • The EO also seeks to advance technology and authenticate and trace content generated by AI.
  • To promote innovation and competition, the EO sets out ways that the Departments of State and Homeland Security can make it easier to attract and retain the best foreign nationals with AI (and other emerging technologies) knowledge, skills, and education.
  • Because of concerns that AI technologies could replace workers, several reports are mandated by the EO to determine both the potential for displacement but also to develop principles and best practices by employers to mitigate harm to employees while maximizing benefits.
  • The EO calls on federal agencies to ensure AI does not promote bias and discrimination in various areas.
  • Another concern addressed in the EO is consumer protection and privacy including clarifying the responsibility of regulated entities to conduct due diligence on and monitor any third-party AI services used. The EO calls on Congress to pass comprehensive privacy legislation, which has stalled over the last year.

While the White House is pushing forward the voluntary requirements for AI policy in the latest EO, it does not set forth enforcement. Though prior EOs have directed agencies to combat algorithmic discrimination.

The EO will spark more agency-level regulations pertaining to AI in the coming months. Additional focus is expected from Congress on AI.

If you have questions about AI legislation or related issues, contact a Jackson Lewis attorney to discuss.

Cross Border Transfers of Data.

UK Data Transfers. The UK government has published a U.S. “adequacy decision” which permits U.S. organizations that have certified to the EU-US Data Privacy Framework (DPF) and UK Extension to receive personal data transferred from the UK to the U.S. after October 12, 2023.

China Data Transfers. November 30, 2023 ends the grace period for coming into compliance with China’s final Measures for the Standard Contract for Cross-Border Transfer of Personal Information (“SCCs Measures”) under China’s Personal Information Protection Law (PIPL). The PIPL SCCs facilitate the transfer of personal data to a third country where the transfer is not subject to a security assessment requirement. In September, the Cyberspace Administration of China (CAC) published draft Provisions on Regulating and Promoting Cross-Border Data Flows for public comment. Of note for employers, the draft exempts from the SCCs requirement any transfers of employee personal information necessary for certain human resources management activities. The public comment period ended on October 15, 2023, and the final Provisions may be published prior to November 30th.       

State Consumer Data Protection Laws.

Utah. The Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023. Utah joins California, Connecticut, Colorado, and Virginia in enacting comprehensive consumer data protection laws that include notice obligations and consumer rights. Unlike the California Consumer Privacy Act, the UCPA does not apply to personal data collected in the employment or commercial context.   

California. Effective January 1, 2024, an amendment to the CCPA expands the definition of Sensitive Personal Information to include personal information that reveals a California resident’s citizenship or immigration status. Organizations that collect or process these data elements should review their data mapping and update Privacy Policies and Notices at Collection to include this information, as needed.

Genetic Information.

Montana. Effective October 1, 2023, Montana’s state privacy law is amended to address the collection, use, and disclosure of genetic information and includes notice and consent requirements. This amendment applies to businesses that offer consumer genetic testing products or services directly to a consumer or collect, use, or analyze genetic data.

Cybersecurity.

Securities and Exchange Commission (SEC). The SEC has adopted rules to enhance and standardize disclosures by public companies related to cybersecurity practices including risk management and security incidents. The new rules, which took effect September 5, 2023, require incident disclosures after December 18, 2023 (smaller companies will have additional time). Companies whose fiscal years end on or after December 15, 2023, will be required to provide the annual disclosures beginning with their 2023 Form 10-K or 20-F.

FTC Safeguards Rule. The Federal Trade Commission announced on October 27, 2023 that it approved an amendment to the Safeguards Rule that would require non-banking institutions to notify the FTC as soon as possible but no later than 30 days after discovering a security incident impacting 500 or more consumers. The FTC’s Safeguards Rule applies to non-banking financial institutions (e.g., mortgage brokers, motor vehicle dealers, and payday lenders) and requires these institutions to develop, implement, and maintain a comprehensive security program to safeguard customer information. The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

Maryland. Effective October 1, 2023, HB622 establishes the Industry 4.0 Technology Grant Program in the Department of Commerce to provide grants of at least $25,000 to qualifying small and medium-sized manufacturing enterprises to assist with implementing new Industry 4.0 technology or related infrastructure for certain purposes.

Threat Actor Alert. On October 11, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a Joint Cybersecurity Advisory advising organizations to take precautions to mitigate cyber threats from AvosLocker’s ransomware. Recommended actions include 

  1. Securing remote access tools
  2. Restricting RDP and other remote desktop services
  3. Securing PowerShell and/or restricting usage
  4. Update software to the latest version and apply patching updates regularly

NIST. NIST has released draft documents for public comment.

ICYMI

Canada. On September 23, 2023, the second set of amendments to Quebec’s Privacy Act went into effect. These amendments impose new compliance obligations, including placing a strong emphasis on the requirement to obtain consent prior to the collection, use, and disclosure of personal information. Other obligations imposed by these amendments include, but are not limited to, the following: (1) development of internal governance policies covering personal information; (2) limitations regarding transfers of personal information outside of Quebec; (3) limitations regarding the use of personal information for marketing purposes; (4) implementation of cookie consent tools when personal information is collected using technology; and (5) disclosure of use of automated processing of personal information when used to make decisions that impact an individual.

Texas. The amended Texas Data Breach Notification law went into effect on September 1, 2023. The amended law revises the deadline for businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents from 60 days to “as soon as practicable and not later than 30 days” and now requires such persons to submit the notification via an electronic form accessible on the Attorney General’s website. For more information, see our post Texas Tightens State’s Data Breach Notification Law.

Looking Ahead to Q1 2024

Washington My Health, My Data Act.  Regulated entities that are not small businesses must fully comply with the Act by March 31, 2024 (e.g., maintain a consumer health data privacy policy, obtain consumer consent to collect health data, recognize certain consumer rights, implement safeguards, and obtain consumer consent to sell health data). A regulated entity is a legal entity that (a) conducts business in Washington or produces or provides products or services that are targeted to consumers in Washington and (b) alone or jointly with others, determines the purpose and means of collecting, processing, sharing, or selling of consumer health data. For more information see our recent blog.

Nevada Health Data Privacy Act.  Nevada’s Health Data Privacy Act becomes operative on March 31, 2024. The law applies to any person who conducts business in Nevada or produces or provides products or services targeted at consumers in Nevada and, alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data. Similar to the Washington law, the Data Privacy Act requires notice, gives consumers rights regarding their health data, and obligates covered businesses to safeguard collected consumer data.  For more information see our recent blog.

The Federal Trade Commission (FTC) has approved an amendment to its Safeguards Rule that will require non-banking financial institutions to report certain data breaches (or “notification events”) to the FTC (not affected individuals).

The “Safeguards Rule,” short for “Standards for Safeguarding Customer Information,” was created to ensure that businesses maintain safeguards to protect the security of customer information. The Safeguards Rule already applied to financial institutions subject to the FTC jurisdiction and that aren’t subject to the enforcement authority of another regulator under the Gramm-Leach-Bliley Act. Under the Rule, financial institutions are defined as any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. FTC guidance can help to better navigate that definition.   

Amendment

While parts of the Safeguards Rule already apply to non-banking financial institutions such as mortgage brokers, motor vehicle dealers, accountants, tax preparation services, and payday lenders, the recent amendment expands the data breach reporting requirements to these entities.

The recent amendment presents a significant expansion of the obligation to provide notification of a “notification event,” even beyond what generally is required under potentially applicable state breach notification laws. Under the FTC’s amendment, the notification obligation applies to “customer information,” whereas most state breach notification laws apply to “personal information.” Remember definitions are important. While states have expanded their definitions of personal information over the years, the term is generally defined to include an individual’s first name (or first initial) and last name, together with one or more of the following data elements:

  • Social security number.
  • Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
  • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Medical information.
  • Health insurance information.
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, is used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
  • Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
  • Genetic data.

The above definition is taken from California’s breach notification law that applies to certain businesses and is one of the most expansive. It also includes a username or email address, in combination with a password or security question and answer that would permit access to an online account. However, many other states include only a portion of these elements, often only those in the first three bullets above.

On the other hand, customer information is nonpublic, personally identifiable financial information maintained about a “customer.” For this purpose, a customer is a consumer with whom the financial institution has a continuing relationship to provide financial products or services for personal, family, or household purposes. In its final rule, the FTC describes customer information as follows:

The definition of “customer information” in the Rule does not encompass all information that a financial institution has about consumers. “Customer information” is defined as records containing “non-public personal information” about a customer. “Non-public personal information” is, in turn, defined as “personally identifiable financial information,” and excludes information that is publicly available or not “personally identifiable.” The Commission believes that security events that trigger the notification requirement—where customers’ non-public personally identifiable, unencrypted financial information has been acquired without authorization—are serious and support the need for Commission notification.

This definition is not limited to a specific set of data elements like Social Security numbers or financial account numbers. Also, while many state laws limit the definition of personal information to computerized data, FTC guidance provides that customer information includes “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

Under the amendment, non-banking financial institutions must report “notification events” in which the data of at least 500 people has been acquired without authorization as soon as possible, and no later than 30 days after the discovery to the FTC. A few other points about the rule:

  • Notification events are defined as unauthorized acquisitions of customer information, while several state breach notification laws include unauthorized access to personal information.
  • As noted above, the final rule does not require notification to affected individuals. However, like many states, notably Maine, the FTC will publish information about the notification events it receives.
  • The FTC’s final rule does not include a risk of harm exception, which is a provision in state laws. Such provisions can be welcomed relief to businesses as they provide that even if there is a “breach” as defined under the law, notice is not required if, generally speaking, there is not a significant risk of harm to affected individuals.    

The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register. 

If you have questions about data breach reporting or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.