2022 has been relatively quiet with respect to state updates to breach notification laws, but Maryland made significant alterations to its general data breach notification law. Additionally, several other states made more minor changes, and the federal government issued or proposed several new data security and breach reporting requirements for certain types of entities. Companies should take note of the updates in federal laws and guidance, which demand cybersecurity measures that maintain an adequate security posture to prevent ransomware and other cyberattacks.

The Federal Trade Commission filed a lawsuit on August 29, 2022, against data broker Kochava Inc., alleging that the company’s sale of precise geolocation data is an unfair act or practice that violates Section 5 of the FTC Act. The case follows an FTC blog post warning that the agency would be vigilant in protecting consumers’ location and health information in the wake of Dobbs v. Jackson Women’s Health Organization, 142 S. Ct. 2228 (2022), and reflects the heightened scrutiny the FTC is bringing to bear on precise location data following the Dobbs decision.

Particularly for businesses that sell or share precise location data, the case suggests the importance of implementing safeguards restricting which individuals may have access to such data, especially if it could be used to infer that an individual had visited “sensitive” locations.

The Cyberspace Administration of China released the Measures for the Security Assessment of Cross-Border Data Transfer on July 7, 2022, to regulate cross-border data transfers in accordance with the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. The measures went into effect on September 1, 2022.

The measures provide a six-month grace period from September 1, 2022, to March 1, 2023, for companies with previous cross-border data transfer activities to become compliant with the new standards. Companies with outbound data transfers should seek knowledgeable counsel to monitor the implementation and enforcement of the measures by the CAC.

The Cybersecurity and Infrastructure Security Agency seeks public input on regulations that will set new mandatory cybersecurity reporting requirements for critical infrastructure companies. Open questions include the following:

  • Who will be subject to the new requirements?
  • What level of incident will trigger mandatory reporting?
  • How much follow-up reporting will be required?
  • What costs could potential regulations impose on private-sector companies?

The full update provides details on the request for information, as well as the response deadline.

On August 11, 2022, the Federal Trade Commission (FTC) issued an advance notice of proposed rulemaking (ANPRM), kicking off its long-awaited rulemaking on commercial surveillance and data security.

The ANPRM is the first step in a long process that could result in the adoption of a federal regulation addressing privacy, data security, and use of algorithms across broad sectors of the economy. The rulemaking will be an unprecedented proceeding, and the FTC appears to be considering approaches that could have extraordinary ramifications for businesses, such as limits on personalized advertising, new privacy protections for teens and children that exceed those of the Children’s Online Privacy Protection Act (COPPA), limits on techniques that promote prolonged online activity by teens and children, required data security measures, required steps to avoid algorithmic error, measures to combat algorithmic discrimination, and limits on the use of biometric data.

Once the ANPRM is published, the public will have 60 days to comment.

Online shopping and the use of virtual try-on technology continue to grow in popularity. Retailers today have a number of options when considering how to bring virtual try-ons to consumers. These range from licensing third-party technology to integrate virtual try-on within their own e-commerce channels to partnering with an online shopping network that offers the feature as an add-on. Regardless of how a retailer makes virtual try-ons available to consumers, use of virtual try-on technology introduces important privacy considerations. And if the feature collects data about consumers’ hands or faces, state biometric laws may come into play. Miriam Farhi, Andrew Grant, and Bipasana Joshee share some privacy best practices for retailers considering virtual try-ons in their article for Retail TouchPoints.

The U.S. Department of Justice’s (DOJ) Civil Cyber-Fraud Initiative, announced last October, is designed to leverage existing whistleblower incentives for employees, or other persons with inside knowledge, to identify lapses in federal contractors’ cybersecurity and privacy practices. We gave that issue in-depth treatment here, with particular focus on the U.S. District Court for the Eastern District of California’s opinion in United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-02245 WBS AC, 2022 WL 297093 (E.D. Cal. Feb. 1, 2022), denying the defendant’s motions for summary judgment on a majority of the relator’s False Claims Act (FCA) claims.

Continue reading: Recent Settlement Highlights Cybersecurity Whistleblower Risk for Government Contractors

Last week, the Consumer Privacy Protection Agency (Agency) Board rounded out the first half of 2022 by releasing draft California Privacy Rights Act (CPRA) regulations. This first set of CPRA regulations focuses on updating the existing California Consumer Privacy Act (CCPA) regulations to account for the new provisions of the CPRA and on addressing specific areas such as Agency audits and enforcement. At its May 26, 2022, board meeting preceding the release of the draft, the Agency’s Executive Director Ashkan Soltani remarked, “We are building the car while driving it.”

The Federal Communications Commission recently adopted certain final rules, policies, and proposed rules to “stem the tide of foreign-originated illegal robocalls.” The FCC Order targets so-called “gateway providers,” which are U.S.-based intermediate providers that receive calls directly from a foreign provider or its U.S.-based facilities before transmitting the calls downstream. Among other things, the Order requires gateway providers to block illegal traffic upon notification from the FCC, respond to robocall traceback requests within 24 hours, and implement “know your upstream provider” obligations. The Order’s proposed rules would extend most of the Order’s obligations to all forms of U.S.-based telecom providers.

The National Information Security Standardization Technical Committee issued a draft of the new national standards on May 26, 2022. The new draft—Information Security Technology: Requirements of Privacy Policy of Internet Platforms, Products and Services—is available for public comment until July 25, 2022.

The Draft Requirements document is China’s first list of national standards focusing on privacy policy and covers five aspects of compliance requirements, including (1) the preparation procedures, (2) the privacy policy’s content, (3) release and visualization, (4) revision, and (5) the resolution of disputes over the privacy policy.

The standards can act as a reference point for companies drafting and implementing privacy policies for their products or services.