The Cyber Safety Review Board (Board) issued a report entitled Review of the Attacks Associated with Lapsus$ and Related Threat Groups (Report), released by the Department of Homeland Security on August 10, 2023. The Report begins with a message from the Board’s Chair and Vice Chair discussing WarGames, a movie with interesting parallels to the present day – the leveraging of AI and large language models into systems (see Joshua/WOPR) and teenagers compromising sophisticated systems (Matthew Broderick as a high school student hacking into the Dept. of Defense). The Report looks at “Lapsus$,” described as a loosely organized group of threat actors that in some cases included juveniles and that gained wide attention after providing a window into its inner workings.

“Lapsus$ made clear just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organizations.”

Established under President Biden’s Executive Order (EO) 14028 on ‘Improving the Nation’s Cybersecurity’, the role of the Board is to review major cyber events and make concrete recommendations that would drive improvements. The Report does not disappoint in terms of its description of the targeting and nature of attack by Lapsus$ and similar groups, as well as the Board’s recommendations, one being to move toward a “passwordless” world.

While we cannot cover all of the critical and helpful information in the 59-page Report, here are a few highlights.

Multi-factor Authentication Implementations Used Broadly Today are Insufficient.

A reliable joke at any data security conference is how “password” or “123456” continue to be the most popular passwords. Another weakness is the use of the same account credentials across multiple accounts. Multi-factor authentication (MFA) was designed to address these practices by going beyond the password to require one or more additional authenticators before access is permitted. MFA often comes highly recommended to help protect against one of the most financially damaging online crimes, business email compromise (BEC).

Perhaps a bit unsettling for many that have implemented MFA thinking it is the answer to system access vulnerabilities, the Report explains:

the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA. In several instances, attackers gained initial access to targeted organizations through Subscriber Identity Module (SIM) swapping attacks, which allowed them to intercept one-time passcodes and push notifications sent via SMS, effectively defeating this widely used MFA control. A lucrative SIM swap criminal market further enabled this pay-for-access to a target’s mobile phone services. Despite these factors, adopting more advanced MFA capabilities remains a challenge for many organizations and individual consumers due to workflow and usability issues.

As expected, however, some methods of MFA are better than others. The Report observed that application or token-based MFA methods, for example, were more resilient.

If you are not familiar with SIM swaps, the process goes something like this, as detailed in the Report:

  1. Attacker collects data on victim through social media, phishing, etc.
  2. Attacker uses victim’s credentials to request SIM swap from telecommunications provider.
  3. Telecommunications provider approves the attacker’s fraudulent SIM swap.
  4. With full account takeover, attacker can navigate MFA, access victim’s personal account, including their employer’s systems.

“Lapsus$ took over online accounts via sign-in and account recovery workflows that sent one-time links or MFA passcodes via SMS or voice calls”

Insider Recruitment

Many organizations might not realize or want to believe it, but employees are vulnerable to monetary incentives to assist with providing system access to the attackers. The Report notes that in some cases these incentives could be as high as $20,000 per week. Compromised employees might hand over access credentials, approve upstream MFA requests, conduct SIM swaps, and perform other actions that help the attackers get access to the organization’s systems.

Supply chain attacks

Lapsus$ and similar groups do not just directly attack organizations; they also go after targets that provide access to many organizations – third-party service providers and business process outsourcers (BPOs). Evidence of this strategy by threat actor groups is the recent attacks on secure file transfer services, such as Accellion and the GoAnywhere service offered by Fortra. By gaining access to these services, the attackers have entrée to files uploaded to these services by their many customers.

Per the report:

In January 2022, a threat actor studied for this report gained access to privileged internal tools of a third-party service provider by compromising the computer of a customer support contractor from one of its BPOs. The real target of this attack was not the third-party service provider, nor the BPO, but rather the downstream customers of the service provider itself. This is a remarkable example of a creative three-stage supply chain attack used by this class of threat actors.

Recommendations

The Board outlines several recommendations, some of which are more likely than others to be within an organization’s power to act on. The recommendations fall into four main categories:

  • strengthening identity and access management (IAM);
  • mitigating telecommunications and reseller vulnerabilities;
  • building resiliency across multi-party systems with a focus on business process outsourcers (BPOs); and
  • addressing law enforcement challenges and juvenile cybercrime.

As noted above, one of the strongest suggestions for enhancing IAM is moving away from passwords. The Board encourages increased use of Fast IDentity Online 2 (FIDO2)-compliant, hardware-backed solutions. In short, FIDO authentication would permit users to sign in with passkeys, usually a biometric or security key. Of course, biometrics raise other compliance risks, but the Board observes this technology avoids the vulnerability and suboptimal practices that have developed around passwords.
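The Report’s observations above lend themselves to a defender-side check: SMS and voice factors are bound to a phone number and fall to a SIM swap, app or token factors are more resilient, and FIDO2 hardware-backed authenticators are the target state the Board recommends, with account recovery workflows being just as much a takeover path as sign-in. The following Python script is an added example, not code from the Report or the Board. It audits a constructed export of each account’s sign-in and recovery factors, rates every path by its weakest enabled factor (the attacker picks which one to satisfy), and flags accounts whose takeover would need only control of a phone number. The CSV layout, the factor labels, and the tier ordering are assumptions for the example, not any identity provider’s schema.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed factor labels (not a vendor schema), ranked by resistance to the
# interception and SIM-swap attacks the Report describes: SMS and voice codes
# are phone-number bound; app or token factors are more resilient; FIDO2
# hardware-backed authenticators are the Board's recommended target state.
TIER: Dict[str, int] = {
    "sms": 0,
    "voice": 0,
    "email_link": 1,      # one-time link by e-mail; assumed weak as a recovery path
    "totp_app": 2,
    "push_app": 2,
    "hardware_otp": 3,
    "fido2": 4,
}
SEVERITY_BY_TIER = {0: "critical", 1: "high", 2: "medium", 3: "medium", 4: "ok"}

# Constructed sample export for the example; real providers use their own formats.
SAMPLE_EXPORT = """user,signin_factors,recovery_factors
alice,fido2,fido2
bob,totp_app;sms,sms
carol,sms,sms
dave,push_app;fido2,email_link
erin,hardware_otp,
"""


@dataclass
class Account:
    user: str
    signin_factors: List[str]
    recovery_factors: List[str]


@dataclass
class Finding:
    user: str
    severity: str
    reasons: List[str]


def _split(cell: Optional[str]) -> List[str]:
    """Factors within one CSV cell are ';'-separated; empty cell means none."""
    return [f for f in (cell or "").split(";") if f]


def parse_export(text: str) -> List[Account]:
    """Parse the assumed CSV layout into Account records."""
    return [
        Account(row["user"], _split(row["signin_factors"]), _split(row["recovery_factors"]))
        for row in csv.DictReader(io.StringIO(text))
    ]


def path_strength(factors: List[str]) -> Optional[int]:
    """A path is only as strong as its weakest enabled factor. None means the
    account has no self-service path of this kind (nothing to attack there)."""
    if not factors:
        return None
    unknown = [f for f in factors if f not in TIER]
    if unknown:
        raise ValueError(f"unknown factor label(s): {unknown}")
    return min(TIER[f] for f in factors)


def audit_account(acct: Account) -> Finding:
    """Rate sign-in and recovery separately, then take the weaker of the two."""
    reasons: List[str] = []
    tiers: List[int] = []
    for name, factors in (("sign-in", acct.signin_factors), ("recovery", acct.recovery_factors)):
        tier = path_strength(factors)
        if tier is None:
            continue
        tiers.append(tier)
        weakest = [f for f in factors if TIER[f] == tier]
        if tier == 0:
            reasons.append(f"{name} path can be completed with a SIM-swapped phone via {weakest}")
        elif tier < 4:
            reasons.append(f"{name} path weakest factor {weakest} is below the FIDO2 target")
        # A strong factor enrolled beside a weak one still accepts the weak one.
        if len({TIER[f] for f in factors}) > 1:
            strongest = max(factors, key=TIER.get)
            reasons.append(f"{name} downgrade: {strongest} enrolled but {weakest} still accepted")
    if not tiers:
        reasons.append("no second factor on any path")
    overall = min(tiers) if tiers else 0  # password-only is treated as critical
    return Finding(acct.user, SEVERITY_BY_TIER[overall], reasons)


def audit(text: str) -> Dict[str, Finding]:
    """Audit every account in an export; returns findings keyed by user."""
    return {a.user: audit_account(a) for a in parse_export(text)}


if __name__ == "__main__":
    order = ["critical", "high", "medium", "ok"]
    for f in sorted(audit(SAMPLE_EXPORT).values(), key=lambda f: order.index(f.severity)):
        print(f"{f.severity:8} {f.user:6} " + "; ".join(f.reasons))
```

Run against the constructed export, only alice (FIDO2 on both paths) rates "ok"; bob is critical even though he has an authenticator app, because SMS is still accepted as an alternative and is his only recovery factor; dave’s strong sign-in is undercut by an e-mail link recovery path. The downgrade reason is the one to act on first in a real deployment: enrolling stronger factors helps only once the weaker ones are actually disabled on both the sign-in and the recovery workflow.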

Another recommendation is to develop and test cyber incident response plans. As we have discussed on this blog several times (e.g., here and here), no system of safeguards is perfect. So, as an organization works to prevent an attack, it also must plan to respond should one be successful. Among other things, these plans should:

  • identify critical data, systems, and assets that should be prioritized during an attack,
  • outline a tested process for recovering from back-ups,
  • have an internal communications plan,
  • involve BPOs and third-party service providers in the developing and practicing of the plan,
  • identify and maintain contact information for internal and external individuals and groups that are critical to the response process – key employees, DFIR firms, law enforcement, outside counsel, insurance carriers, etc.

The Report is a great read for anyone involved in some way in addressing data risk to an organization. A critical take-away for anyone reading this report is threats are evolving and come in many forms. A control implemented in year 1 may become a significant vulnerability in year 2. Forty years later, the movie WarGames continues to be relevant, even if only to show that some of the most secure systems can be compromised by a handful of curious teenagers.


On July 18, 2023, Oregon’s Governor signed Senate Bill 619 which enacts Oregon’s comprehensive consumer data privacy statute. Oregon joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Texas, Utah, and Virginia in enacting a comprehensive consumer privacy law. Most of the sections of the law are scheduled to take effect on July 1, 2024, with a delayed effective date of July 1, 2025, for non-profit organizations.

When does the law apply?

The statute applies to any person that conducts business in the State of Oregon or that provides products or services to residents of the state and who during a calendar year, controls, or processes:

  • The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or,
  • The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

The following are some of the types of businesses that are exempted from the statute:  

  • A public corporation
  • Covered entities or business associates processing protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
  • Organizations subject to the Gramm-Leach-Bliley Act.

Who is protected by the law?

The law protects consumers defined as a natural person who resides in the State of Oregon and acts in any capacity other than in a commercial or employment context.

What data is protected by the law?

Personal data that is protected under the statute is defined as “data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.”

It does not include:

  • Deidentified data
  • Data that is lawfully available through federal, state, or local government records or through widely distributed media
  • Data the controller reasonably understood to have been lawfully made available to the public by the consumer.

The statute also includes biometric data under personal data. Under the legislation biometric data is defined as personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voice print, iris pattern, gait, or other unique biological characteristics that allow or confirm the unique identification of a consumer.

What are the rights of consumers?

Under the new legislation, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a digital copy of the data the consumer previously provided, if available; and
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer; and
  • Obtain a list of “specific third parties” to whom a controller discloses personal data.

What obligations do businesses have?

The legislation requires that businesses post a privacy policy that describes the categories of personal information it collects, the purpose of the collection, the categories of third parties with whom the personal information is shared, and an explanation of the consumer’s rights.

Covered businesses must also include a “clear and conspicuous” description of any processing done for the purpose of targeted advertising.

Eventually, covered businesses will be required to recognize universal opt-out mechanisms, though that portion of the statute does not take effect until January 1, 2026.

How is the law enforced?

The State Attorney General has exclusive authority to enforce the statute and it does not allow for a private right of action to enforce.

If you have questions about Oregon’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

On June 18, 2023, Texas’ Governor signed House Bill (HB) 4 which enacts the Texas Data Privacy and Security Act. Texas joins California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. Most of the sections of the law are scheduled to take effect July 1, 2024.

When does the law apply?

In general, the law applies to businesses (referred to as “controllers”) that:

  • Conduct business in the state of Texas or produce a product or service consumed by Texas residents; and
  • Process or engage in the sale of personal data.

The law does not apply to small businesses (as defined by the Small Business Administration). In addition to several categories of personal data that are excluded from coverage under the law, the following entities are specifically exempted:

  • State agencies or political subdivisions;
  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
  • Covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA);
  • Non-profit organizations;
  • Institutions of higher education; and
  • Electric utilities.

Who is protected by the law?

Consumers that are protected under the law are defined as an individual who is a resident of the state of Texas acting only in an individual or household context. A consumer does not include an individual acting in a commercial or employment context.

What data is protected by the law?

Personal data is protected under the legislation and defined as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, but does not include de-identified data or publicly available information.

Under the law, sensitive data includes any data revealing a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, as well as any genetic or biometric data used for identifying an individual, any personal data collected from a known child, or any precise geolocation data.

What are the rights of consumers?

Under the new legislation, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a digital copy of the data the consumer previously provided, if available; and
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

What obligations do businesses have?

Limitations on Collection

Covered controllers must limit the collection of personal data to only what is adequate, relevant, and reasonably necessary for the purpose for which the personal data is being processed and disclosed to the consumer. They must also implement “reasonable” security practices to protect the confidentiality and integrity of the data.

Consent

In addition, controllers must obtain a consumer’s consent before (1) processing personal data for any other purpose than what was disclosed or (2) processing the sensitive data of a consumer. Controllers are barred from using the data to discriminate against consumers.

Notice to Consumers

Controllers must also provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data processed by the controller;
  • The purpose of processing personal data;
  • How consumers may exercise their rights;
  • If applicable, the categories of personal data shared with third parties;
  • If applicable, the categories of third parties with whom the controller shares personal data; and
  • A description of the methods through which consumers can submit requests to exercise rights.

In addition, controllers who engage in the sale of sensitive data or biometric personal data must give specific notices (posted in the same location and manner as the privacy notice):

  • “NOTICE: We may sell your sensitive personal data.”
  • “NOTICE: We may sell your biometric personal data.”

Data protection assessments

Whenever a controller processes any sensitive data or processes personal data for targeted advertising, the sale of personal data, specific forms of profiling, or any activity that presents a heightened risk of harm to consumers, the controller is required to prepare a detailed data protection assessment.

Consumer Rights

Controllers must also make available two or more secure and reliable methods to enable consumers to submit a request to exercise their rights under the legislation, as well as establish an appeal process that is “conspicuously available” and similar to the process established for initially exercising their rights. When a consumer seeks to exercise their rights, the controller must respond to the request without undue delay, but no later than 45 days after the receipt of the request (but may, in some circumstances, extend the response deadline once by an additional 45 days). If the controller declines the consumer’s request, it must provide justification for its decision and instructions on how to appeal the decision. If the controller denies the appeal, the controller must provide the consumer with the online mechanism to submit the complaint to the Attorney General.

How is the law enforced?

Under the law, there is no private cause of action for consumers. Instead, the Attorney General has exclusive authority to enforce the new restrictions and must establish an online mechanism through which a consumer may submit a complaint.

If the Attorney General has “reasonable cause” to believe someone has violated the law, it may issue a civil investigative demand and require a controller to disclose any relevant data protection assessment to facilitate its investigation. If the Attorney General identifies violations of the law, it must send a notice of violation to the controller at least 30 days before bringing the action and allow the controller an opportunity to cure. If the controller cures the violation within the 30-day period, the Attorney General may not bring an action against the controller.

If the Attorney General brings such an action, it may seek civil penalties and injunctive relief, and may recover attorney’s fees and expenses incurred both during the initial investigation and the subsequent legal action.

Texas’ new consumer privacy law is comprehensive, and the summary above reflects only the highlights of the new obligations and risks presented to businesses operating in Texas. For more information or if you have questions or concerns or require guidance on how to bring your operations into compliance with the new law, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On June 16, 2023, Nevada’s Governor signed Senate Bill (SB) 370, which enacts certain protections for consumer health data.

The law is similar to Washington’s My Health, My Data Act, which was passed in April. The Future of Privacy Forum prepared a useful chart comparing the Washington and Nevada laws.

Nevada’s law becomes operative on March 31, 2024.

To what entities does the law apply?

SB 370 applies to any person that:

  • Conducts business in Nevada or produces or provides products or services that are targeted at consumers in Nevada; and,
  • Alone or with other persons, determines the purpose and means of processing, sharing, or selling consumer health data.

The law includes a long list of exceptions, including exclusions for:

  • any person or entity subject to the Health Insurance Portability and Accountability Act (HIPAA), and
  • a financial institution or affiliate that is subject to the provisions of the Gramm-Leach-Bliley Act.

Who is protected by the law?

SB 370 protects “consumers” – natural persons who have requested a product or service from a regulated business and who reside in the state of Nevada or whose health information is collected in Nevada. The law does not extend to natural persons acting in an employment context or as an agent of a governmental entity.

What data is protected by the law?

Consumer health data is protected under the law. This is defined as personal information that is linked or reasonably capable of being linked to a consumer which the covered business uses to identify the past, present, or future health status of the consumer. Consumer health data includes:

  • Any health condition or status, disease, or diagnosis
  • Social, psychological, behavioral, or medical intervention
  • Surgeries or health-related procedures
  • The use or acquisition of medication
  • Bodily functions, vital signs, or symptoms
  • Reproductive or sexual health care
  • Gender-affirming care
  • Biometric or genetic data

The law does not cover information used for certain research, public health, or health data shared pursuant to federal or state law.

What are the rights of consumers?

Similar to the California Consumer Privacy Act and the growing array of consumer privacy laws enacted in several states, consumers have certain rights under SB 370 concerning their consumer health information, such as:

  • The right to confirm whether a covered business is collecting, sharing, or selling their health data.
  • The right to access a list of all third parties with whom the business has shared or sold the consumer’s health data.
  • The right to request the business stop collection, sharing, or selling of the consumer’s health data.
  • The right to delete their health data.

What obligations do businesses have?

Below is a non-exhaustive list of obligations covered businesses have under SB 370.

Covered businesses must obtain affirmative voluntary consent when collecting and sharing consumer health data, except to the extent it is necessary to provide a product or service that the consumer has requested from the business. The covered business also may share consumer health information without consent when required by law.

Covered businesses shall upon request by a consumer:

  • Confirm whether the regulated entity is collecting, sharing, or selling the consumer’s health data.
  • Provide the consumer with a list of all third parties with whom the business has shared or sold the consumer’s health data.
  • Cease collection, sharing, or selling of the consumer’s health data.
  • Delete the consumer’s health data.

Responses to requests must be made without undue delay but no later than 45 days after the business authenticates the request. Note that under some other laws, such as Washington’s My Health, My Data Act, and the CCPA, the 45-day clock starts to run from the date the request is received, not when it is authenticated.

Covered businesses also are required to develop and maintain a policy concerning the privacy of consumer health data that clearly and conspicuously establishes:

  • The categories of consumer health data being collected and the manner in which it will be used
  • The categories of sources from which the health data is collected
  • The categories of third parties and affiliates with whom the covered business shares health data
  • The manner in which health data will be processed
  • The procedure for submitting a request
  • The process by which a consumer can review and request changes to their health data
  • The way the business will notify consumers of changes to its privacy policy
  • Whether a third party may collect health data from the business
  • The effective date of the privacy policy

The business must conspicuously post a link to its policy on its main internet website or otherwise provide the policy to consumers in a manner that is clear and conspicuous. These website policy requirements across several states and countries are adding significant complexity to the compliance obligations of covered businesses.

Employees and processors of the covered business may be permitted to access consumer health information only where reasonably necessary (i) to further the purpose for which the consumer consented to the collection or sharing of the information, or (ii) to provide a product or service that the consumer requested.

Covered businesses also are required to establish, implement and maintain policies and practices for the administrative, technical, and physical security of consumer health data.

In addition, covered businesses may not establish a geofence within 1,750 feet of any medical facility for the purposes of identifying or tracking consumers seeking in-person health care, collecting health data, and sending notifications. 

How is the law enforced?

The new law provides for enforcement by the Nevada Attorney General. There is no private right of action.

For additional information on Nevada’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On June 6, 2023, Governor DeSantis signed Senate Bill (SB) 2262, legislation intended to create a “Digital Bill of Rights” for Floridians. While Florida’s new law provides similar privacy rights to consumers as other states’ comprehensive privacy laws passed in recent months, the law is narrower in the businesses that are regulated.

Generally, the requirements of the law take effect on July 1, 2024, with certain sections taking effect sooner.

Covered Businesses

The new legislation applies to businesses that collect consumers’ personal information, make in excess of $1 billion in gross revenues, and meet one of the following thresholds:

  • Derive 50% or more of its global annual revenues from providing targeted advertising or the sale of ads online; or
  • Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to cloud computing service that uses hands-free verbal activation.

Consumer Rights

Like many of the comprehensive privacy laws passed in recent months, the new law provides Florida consumers the right to:

  • Access their personal information;
  • Delete or correct personal information; and,
  • Opt out of the sale or sharing of their personal information.

In addition to these rights, the law adds biometric data and geolocation information to the definition of personal data, for purposes of protecting consumers.

Covered Business Obligations

Under the new law, covered businesses and their processors are required to implement a retention schedule for the deletion of personal data. Controllers or processors may only retain personal data until:

  • The initial purpose of the collection was satisfied;
  • The contract for which the data was collected or obtained has expired or terminated; or
  • Two years after the consumer’s last interaction with the covered business.

Covered businesses will be required to provide reasonably accessible and clear privacy notices, and such notices will need to be updated annually, including disclosures to consumers regarding data collection, processing, and use practices.  

The law also requires covered businesses to develop and implement reasonable data security practices.

If you have questions about Florida’s new Digital Bill of Rights or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On May 11, 2023, Tennessee’s Governor signed Senate Bill 0073, the Tennessee Information Protection Act, making the state the eighth state to pass consumer privacy legislation. Tennessee joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia, which have previously passed consumer privacy statutes.

Tennessee’s law will take effect July 1, 2025.

When does this law apply?

The law will apply to persons that conduct business in the state of Tennessee or produce products or services that are targeted to Tennessee residents and that:

  • During the calendar year, control or process personal information of at least 100,000 consumers; or,
  • Control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

Covered persons hereafter are referred to as controllers.

Are there exemptions?

Entities not subject to the Act include Tennessee state agencies, financial institutions, HIPAA-covered entities and business associates, not-for-profit organizations, and institutions of higher education.

There also are several categories of personal information exempted from the Act, including without limitation personal information protected by the Family Educational Rights and Privacy Act (FERPA) and the Driver’s Privacy Protection Act.

Who is protected by the law?

Under the statute, individuals referred to as “consumers” are protected. A consumer is defined as a natural person who is a resident of the state of Tennessee and acts only in a personal context.

What personal information is protected by law?

Under the statute, personal information is protected, which includes:

  • Identifiers such as a real name, alias, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Information that identifies, relates to, describes, or could be associated with, a particular individual, including, but not limited to, signature, physical characteristics or description, address, telephone number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or other financial, medical, or health insurance information;
  • Characteristics of protected classifications under state or federal law;
  • Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric data;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available information.

Personal information also includes “sensitive data” which means:

  • Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
  • The personal information collected from a known child; or
  • Precise geolocation data.

Personal information does not include information that is:

  • Publicly available
  • De-identified or aggregate consumer information

What are the rights of consumers?

Under the statute, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal information and to access the personal information.
  • Correct inaccuracies in the consumer’s personal information.
  • Delete personal information provided by or obtained about the consumer.
  • Obtain a copy of the consumer’s personal information that the consumer previously provided to the controller.
  • Request information about personal information the controller sold or disclosed to third parties.
  • Opt-out of the controller selling the personal information of the consumer.

What obligations do controllers and processors have?

Under the statute, a controller shall respond to requests from a consumer without undue delay, but no later than 45 days from the date of receipt of the request. If the controller declines to take action upon a consumer’s request, the controller shall inform the consumer without undue delay but no later than 45 days from receipt.

The controller is required to take certain steps to ensure transparency of its processing including:

  • Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
  • Not process “sensitive data” without obtaining the consumer’s consent, provided that in the case of a child, the controller does so in accordance with the federal Children’s Online Privacy Protection Act.

Controllers shall conduct and document a data protection assessment of each of the following processing activities:

  • The processing of personal information for purposes of targeted advertising
  • The sale of personal information
  • The processing of personal information for purposes of profiling where the profiling presents a foreseeable risk
  • The processing of sensitive data
  • Any processing of personal information that presents a heightened risk of harm to consumers.

Upon receipt of an authenticated consumer request, a controller must provide a “reasonably accessible, clear, and meaningful privacy notice” the contents of which are similar to but not as expansive as the California Consumer Privacy Act (CCPA).

With respect to processors, the Act requires they adhere to the instructions of controllers, such as assisting the controller with responding to consumer requests. Contracts between controllers and processors are required and must include certain provisions, such as (i) instructions for processing personal information, (ii) the nature, purpose, and duration of the processing, and (iii) the type of data subject to the processing. Other required provisions include (i) a requirement for processors to make available all information in the processor’s possession to demonstrate the processor’s compliance with the Act, (ii) cooperating with reasonable assessments of compliance by the controller (or arrange for a qualified and independent assessor), and (iii) obligating the processor to push the Act’s required provisions down to the processor’s subcontractors.

How is the law enforced?

The attorney general and reporter have exclusive authority to enforce the statute, which may include bringing an action in a court of competent jurisdiction.

The Act requires controllers or processors to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” Among the requirements for a privacy program is that it disclose the commercial purposes for which the controller or processor collects, controls, or processes personal information. Maintaining such a program is not only important for compliance purposes, but it also provides an affirmative defense to a cause of action for a violation of the law.

For additional information on Tennessee’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Since the privacy and security regulations were issued under the federal Health Insurance Portability and Accountability Act (HIPAA), critics have pointed to the limitations on the reach of those rules. A critical limitation advanced by privacy advocates is that the popular health data privacy rule extends only to certain covered entities and their business associates, not to health data generally. On April 17, 2022, Washington’s legislature passed House Bill 1155, also known as the My Health, My Data Act. The bill aims to address health data collected by entities not covered by HIPAA, including certain apps and websites.

If signed by the governor, most sections of the law would take effect on March 31, 2024, though certain parts of the legislation may take effect sooner.

When would the law apply?

A “regulated entity” for purposes of the law is defined as an entity that:

  • Conducts business in the State of Washington, or produces or provides products or services that are targeted to consumers in Washington, and
  • Alone or jointly with others, determines the purposes and means of collecting, processing, sharing, or selling consumer health data.

The legislation creates a subgroup of regulated entities, known as “small businesses,” largely to provide a few more months to comply. Small businesses are regulated entities that satisfy one or both of the following thresholds:

  • Collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or,
  • Derives less than 50 percent of gross revenue from the collection, processing, selling, or sharing of consumer health data and controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.

Who is protected by the law?

Under the legislation, a protected consumer is defined as a natural person who is a Washington resident or a natural person whose consumer health data is collected in Washington.

A consumer is only protected for actions taken as an individual or on behalf of a household and does not include actions taken by an individual acting in an employment context.

What data is protected by the law?

The law would protect “consumer health data,” defined as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status. Health status includes but is not limited to the following:

  • Individual health conditions, treatment, diseases, or diagnosis
  • Social, psychological, behavioral, and medical interventions
  • Health-related surgeries or procedures
  • Use or purchase of prescribed medications
  • Bodily functions, vital signs, symptoms, or measurements of health-related functions
  • Diagnoses or diagnostic testing, treatment, or medication
  • Gender-affirming care information
  • Reproductive or sexual health information
  • Biometric data
  • Genetic data
  • Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies
  • Data that identifies a consumer seeking health care services.

What are the rights of consumers?

Under HIPAA, individuals have several rights with respect to their protected health information (PHI). These rights include the right to authorize disclosures in certain contexts (and revoke those authorizations), to request an amendment, to request an accounting of disclosures, to request a restriction on use and disclosure, and to be notified of a breach. The Washington legislation would provide consumers with the right to:

  • Confirm whether their consumer health data is being collected, shared, or sold, including a list of all third parties and their affiliates to whom the data has been shared and their contact information.
  • Consent to or deny collection or sharing of health data.
  • Withdraw consent from a regulated entity or small business to collect or share health data.
  • Delete health data collected by a regulated entity or small business, including on archived or backup systems.
  • Be provided clear and conspicuous disclosure of rights to consent or deny collection or sharing of health data.

The provisions concerning the administration of these rights look a lot like the provisions in the California Consumer Privacy Act (CCPA) and other recently enacted state comprehensive data privacy laws.

What obligations do businesses have?

The Washington law would add to the growing compliance burden on company websites, as it would require regulated entities and small businesses to maintain a consumer health data privacy policy prominently on their homepages. That policy must clearly and conspicuously disclose:

  • Categories of consumer health data collected and the purpose for which the data is collected.
  • Categories of sources from which the consumer health data is collected.
  • Categories of consumer health data that are shared.
  • A list of the categories of third parties and specific affiliates with whom consumer health data is shared.
  • How a consumer can exercise the rights provided under the law.

This too is very similar to obligations under the CCPA. Regulated entities and small businesses may not discriminate against a consumer for exercising any rights included under the law. They also must respond to requests from consumers to withdraw consent to collect or share health data. Moreover, they must respond to requests from consumers to delete their consumer health data. The law also would mandate contracts be in place with processors of consumer health data and codify specific data security obligations for regulated entities and small businesses, including specific access management requirements.

Additionally, the law would make it unlawful for “any person” (apparently not just regulated entities or small businesses) to implement a geofence around an entity that provides in-person health care services where such geofence is used to: (1) Identify or track consumers seeking health care services; (2) collect consumer health data from consumers; or (3) send notifications, messages, or advertisements to consumers related to their consumer health data or health care services.

How is the law enforced?

Under the new legislation, violations of the requirements for health care data would be enforceable either by prosecution by the State Attorney General’s Office or by private actions brought by affected consumers.

For additional information on Washington’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On March 15, 2023, the Iowa legislature unanimously passed Senate File 262, the Consumer Privacy Act, which relates to consumer data and privacy protection. Once signed by Iowa’s governor, the statute will become operative on January 1, 2025, and Iowa will join California, Colorado, Connecticut, Utah, and Virginia in passing a comprehensive consumer privacy statute.

Covered Businesses

Covered businesses that must comply with the requirements of this new consumer privacy law are those entities that control or process personal data on 100,000 consumers in the state or derive 50% of their revenue from selling the data of more than 25,000 consumers.

Consumer Defined

Under the statute, a consumer is defined as a natural person who is a resident of Iowa and acting only in an individual or household context. The definition of consumer excludes individuals acting in a commercial or an employment context.

Personal Data

The Act applies to Personal Data, which means information linked or reasonably linkable to an identified individual or an identifiable individual.

Consumer Data Rights

The statute provides consumers with the following rights:

  • To confirm that covered businesses are processing the consumer’s personal data and access that personal data.
  • To delete personal data provided by the consumer.
  • To port the personal data.
  • To obtain a copy of the consumer’s personal data with certain limitations.
  • To opt out of processing for the sale of personal data or targeted advertising.

Covered Business Obligations

Covered businesses under the statute must comply with requests by consumers to exercise their rights as follows:

  • Respond to consumer requests without undue delay, but in all cases within 90 days of receipt of the request. The response period may be extended by 45 days when reasonably necessary, based on the complexity of the request and the number of consumer requests.
  • If the covered business declines to take action, it must inform the consumer.
  • Information provided in response to a consumer request must be provided to the consumer free of charge twice annually per consumer.

In addition to complying with consumer requests covered businesses must:

  • Adopt reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Protect sensitive data, a broad category under the statute that includes racial information, biometric data, and even geolocation, and not process such data without the consumer having been presented clear notice and an opportunity to opt out of such processing.
  • Avoid processing data in such a way as to violate the state or federal laws that prohibit unlawful discrimination against a consumer. Moreover, a covered business may not discriminate against a consumer for exercising rights under the statute, including by denying goods or services or changing prices or rates.
  • Contractually obligate processors to adhere to the business’s instructions, where the business is a controller, and implement appropriate technical and organizational measures to assist the controller in meeting its obligations under the Act.
  • Develop a privacy notice and a secure and reliable means for consumers to submit requests to exercise their rights.

Enforcement

The statute does not include a private right of action and the attorney general of the state has exclusive authority to enforce the provisions of this chapter.

For additional information on Iowa’s new privacy statute and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

To celebrate Data Privacy Day, we present our top ten data privacy and cybersecurity predictions for 2023.

1. Healthcare and Medical Data Security and Tracking

The healthcare industry has been facing increased scrutiny for the protection of healthcare information both online and on apps.

2023 will see a significant increase in the number of lawsuits and perhaps OCR compliance reviews relating to medical information privacy and HIPAA, including new developments such as pixel and other tracking technologies. We will see more regulation of health apps and websites as the necessities and advantages of remote health care that were brought by the pandemic are considered further.

Businesses in the healthcare industry should continue to work with counsel to review new ways of delivering healthcare services, including new technologies, with an eye toward the protection of medical information and privacy for patients. Building in protections from the outset can have significant advantages. Of course, medical device and technology companies also will need to consider how their devices and technologies could capture or affect medical information and the corresponding regulatory requirements and best practices.

2. A Patchwork of Legislation and Regulations Pertaining to Privacy and Cybersecurity

Currently, nine states are considering consumer privacy bills: Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee. This is already a complicated arena, with California, Colorado, Connecticut, Utah, and Virginia already having laws on the books.

More cities and states will implement cybersecurity regulations with a view toward data protection and privacy, including in specific industries. In 2022, for example, we saw government entities such as the Nevada Gaming Commission issue security regulations for regulated entities in the gaming industry. The New York State Bar is now requiring its members, lawyers practicing in New York, to have annual continuing legal education in cybersecurity.

The Biden Administration released its regulatory agenda, which aims at new cybersecurity requirements for government contractors, the maritime industry, public companies, and others. The Securities and Exchange Commission has also set goals to enact new cybersecurity regulations.

It will be important in 2023 for businesses to be more aware than ever about the data they are collecting, why it is processed, and how it is stored and safeguarded in order to comply with the myriad of privacy laws around the country.

3. California, California, California

California will continue to be a leader in the privacy data space, with both the implementation of its first-in-the-nation comprehensive consumer privacy law and further enforcement actions under that law. California will be sure to shape both state and national viewpoints on privacy requirements.

The California Privacy Protection Agency (CPPA) continues to work on revisions to regulations for the California Privacy Rights Act (CPRA). These changes are critical for covered organizations with respect to both their commercial activities and when functioning as an employer.

It does not stop there. Another first for California is that it is the first state to adopt a comprehensive law, AB 2273, addressing children’s online privacy.

4. Employee Privacy and Monitoring

As remote working remains mainstream, we will see more regulation on the monitoring of and privacy protections for employees. Last year, the NLRB’s General Counsel issued a memo on the electronic monitoring of employees. In the memo, the General Counsel suggested employers establish “narrowly tailored” practices to address “legitimate business needs” as to whether the practices outweigh employees’ Section 7 interests. If the employer establishes that its narrowly tailored business needs outweigh those rights, the General Counsel nonetheless will “urge the Board to require the employer to disclose to employees the technologies it uses to monitor and manage them, its reasons for doing so, and how it is using the information it obtains,” unless the employer can establish special circumstances.

In some industries, “workplace” monitoring goes beyond the home office. Consider transportation and logistics. An increasing number of states are advancing legislation on digital license plates, which could include related vehicle tracking and related telematics technologies. California’s recent statute on vehicle tracking and fleet management creates significant obligations for employers monitoring their fleets using these technologies.

5. Federal Government to Join in Privacy Regulation

We’re going out on a bit of a limb here, as there have been predictions year after year that the federal government would enact a national privacy standard. Of course, none of those predictions came to pass. For sure, the federal government is on a much slower path toward joining states in privacy regulation, but we definitely see the federal government continuing its efforts, whether via administrative regulations by the Federal Trade Commission or proposed legislation toward national privacy protection. Perhaps this is the year!

6. AI, Automated Decision Systems and Privacy

2022 saw a tremendous uptick in the attention to and use of AI and Automated Decision Systems, along with the potential effects of both in employment and related circumstances. Naturally, this raises significant privacy concerns among many stakeholders, including the Biden Administration. According to the framework issued by the White House in 2022 pertaining to the use of AI, data privacy was one of the five protections that individuals should be entitled to when using AI.

As the use of AI and automated decision systems continues to spread through industries and everyday life, how individuals’ privacy will be safeguarded will be a growing concern.

7. More privacy-related lawsuits

2023 will see more privacy-related lawsuits as privacy laws proliferate across the country.

We will continue to see more litigation under Illinois’ Biometric Information Privacy Act (BIPA) as plaintiffs’ attorneys find more places that the law could apply, from dash cams to timekeeping. Other states may enact laws that fuel more litigation, as several states including Maryland, Mississippi, and New York are considering biometric privacy laws. The facial recognition ban in the city of Portland a few years ago is beginning to see lawsuits filed under the ordinance.

While BIPA and the Telephone Consumer Protection Act (TCPA) continue to drive a significant amount of litigation, there is an emerging trend in cases seeking to apply newer technologies to privacy statutes such as the California Invasion of Privacy Act (CIPA), the Florida Telephone Solicitation Act (FTSA), the Video Privacy Protection Act (VPPA), and the Genetic Information Privacy Act (GIPA).

8. EU Continued Enforcement of Privacy Laws

Companies transferring personal data from the EEA (European Economic Area) to the U.S. may soon have an opportunity to leverage a new transfer mechanism. In October, President Biden signed Executive Order 14086 as part of the process to implement the EU-U.S. Data Privacy Framework (DPF), successor to the invalidated EU-U.S. Privacy Shield framework. The EU Commission has issued a draft decision that, upon adoption, will enable the DPF to proceed. In the meantime, the U.S. Department of Commerce announced it will help current U.S. Privacy Shield participants prepare to transition to the new framework.

In October, the European Data Protection Board approved Europrivacy, the first European Data Protection Seal. Europrivacy is a certification mechanism designed to help data controllers and processors demonstrate compliance with the GDPR.

Artificial Intelligence and data protection remain a top priority for the U.K. Information Commissioner’s Office. In November, the ICO published How to Use AI and Personal Data Appropriately and Lawfully. Earlier in the year, the EU Commission published an updated proposal for Laying Down Harmonised Rules On Artificial Intelligence (Artificial Intelligence Act). The proposal creates a legal framework and includes principle-based requirements for AI systems, harmonized rules for the development and use of AI systems, and a regulatory system.

9. Ransomware Attacks and Data Breaches Will Continue as Will Secondary Enforcement Actions

We will continue to see a flow of ransomware attacks, business email compromises, and other data breaches stemming from crafty hackers and cybersecurity lapses. In addition to business interruption costs and direct expenses incurred to respond to the incident, organizations will likely face more enforcement actions as states continue to tighten their data breach notification requirements.

Organizations cannot prevent all attacks from happening, but they can redouble their efforts around regulatory compliance, preparedness, and incident response planning. The stronger an organization is in these three areas, the more successful it likely will be in resolving a government agency enforcement action relating to a data breach.

10. More Focus on Critical Infrastructure Sector When it Comes to Cybersecurity and Privacy

In 2022, we saw the passage of the federal Cyber Incident Reporting for Critical Infrastructure Act of 2022, included within the Consolidated Appropriations Act, 2022. In short, the law requires certain entities in the critical infrastructure sector to report to the Department of Homeland Security (DHS):

  1. a covered cyber incident not later than 72 hours after the covered entity reasonably believes the incident occurred, and
  2. any ransom payment within 24 hours of making the payment as a result of a ransomware attack (even if the ransomware attack is not a covered cyber incident to be reported)

Because of the ongoing threats to critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) has started to focus more on this sector, as small to medium-sized providers have been under threat. Recently, CISA stated in its review of 2022 that the agency would zero in on “target-rich, resource-poor entities” such as small water facilities that are part of critical infrastructure but don’t have large security teams.

For these reasons and others, we believe data privacy will continue to be at the forefront of many industries in 2023.

Happy Privacy Day!

The Colorado Privacy Act (CPA), effective July 1, 2023, provides expansive protections to the personal data of Colorado residents acting in an individual or household context (a “consumer”). Similar to the California Consumer Privacy Act (CCPA), the CPA requires providing notice of an entity’s (“controller”) data collection activities, provides for consumer rights including the right to opt out of certain processing, and creates an affirmative duty to safeguard personal data. Notably, the CPA does not apply to employee personal data or data collected in a commercial context.

On December 22, 2022, the Colorado Attorney General published Version 2 of Proposed Draft Rules for implementing the CPA and invited public comment. A rulemaking hearing on the proposed rules is scheduled for February 1, 2023.

While not an exhaustive list, the Proposed Draft Rules:

  • provide an extensive list of defined terms;
  • set forth presentation and accessibility requirements for consumer disclosures and notices (e.g., readable on all devices, straightforward and accurate, accessible to the target audience);
  • address the exercise of personal data rights (e.g., opt-out, access, correct, delete, and port data) and authentication of requests (i.e., establishing reasonable methods to authenticate a consumer based on the specific rights exercised, the risk of harm from improper access and the value, amount, and sensitivity of the personal data associated with the request);
  • require using a universal opt-out mechanism that enables opting out of processing for targeted advertising or the sale of personal data in an affirmative, freely given, and unambiguous manner; prohibit pre-installed or default-setting universal opt-out mechanisms, since they do not constitute freely given, affirmative consent to opt out; and include technical specifications;
  • address privacy notice content (e.g., disclosing the processing purpose; whether the data is sold, used for targeted advertising, or used for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; data rights, etc.);
  • detail use of loyalty programs (e.g., prohibiting an increase in cost or decrease in the availability of a product or service based on a consumer’s exercise of a right; permitting a controller to offer bona fide loyalty program benefits based on a consumer’s voluntary participation);
  • detail duties regarding processing sensitive data (i.e., obtaining consent);
  • outline the affirmative obligation to safeguard consumer personal data;
  • set forth requirements for valid consent (e.g., informed, affirmative, freely given, specific and unambiguous);
  • detail the performance of a data protection assessment (e.g., identify and describe the heightened risk of harm to a consumer posed by processing; document measures taken to offset those risks; and demonstrate the benefits of processing outweigh the risks as offset by implemented safeguards).

The following non-exhaustive list notes substantive changes to the Proposed Draft Rules in the recently published Version 2. These changes:

  • add key definitions (e.g., “employee”, “employer”, “employment records” since the CPA does not apply to data maintained for employment purposes; “non-commercial purpose” since the CPA applies to entities that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado consumers); amend “biometric identifiers” to mean data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed to uniquely identify an individual, including but not limited to a fingerprint, a voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics. The definition of biometric identifier is significant since consumer consent must be obtained prior to collecting biometric data;
  • permit delayed compliance with a consumer’s request to correct data when the data is archived or in backup systems;
  • detail the scope and application of a universal opt-out mechanism including an affirmative obligation to safeguard data processed with respect to the use of a universal opt-out mechanism;
  • provide controllers with six (6) months to recognize mechanisms added to the public list of recognized universal opt-out mechanisms published by the Colorado Department of Law;
  • provide examples of substantive or material changes that require a controller to notify a consumer of changes to its privacy policy (e.g., changes to categories of personal data processed or processing purposes, controller’s identity, or methods to exercise consumer rights);
  • list considerations for identifying and incorporating reasonable and appropriate safeguards for personal data;
  • require that an interface used to request consumer consent include specific disclosures;
  • detail when the controller must refresh consent received from a consumer to process certain personal information;
  • prohibit consent interface designs that subvert or impair user autonomy or decision-making, or that manipulate or coerce the consumer to provide consent;
  • replace the phrase “similarly significant effects concerning a consumer resulting from profiling” with specific examples (e.g., denial of financial or lending services, housing); and
  • permit the use of a profiling-related data protection assessment performed for purposes of another jurisdiction’s law to satisfy CPA requirements when the assessment is reasonably similar in scope.

The CPA rulemaking process is ongoing and, similar to California’s draft regulations, it is anticipated that Colorado’s Proposed Draft Rules will undergo further revisions prior to July 1, 2023. Jackson Lewis will continue to track updates to the CPA and Proposed Draft Rules. For additional information on the CPA and other data privacy laws and regulations, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.