The Biden Administration released its National Cybersecurity Strategy on March 1. The Strategy breaks with past precedent and emphasizes regulatory mandates and imposing liability, in addition to enhancing voluntary information sharing and development of best practices. The Strategy will particularly affect critical infrastructure and cloud service providers.

Click here to read the full Update.

The Illinois Supreme Court recently opened the floodgates for class actions under the Illinois Biometric Information Privacy Act and created potentially massive and catastrophic exposure for Illinois businesses. In a close 4-3 ruling, the landmark decision in Latrina Cothron v. White Castle System Inc. holds that every individual scan or transmission of biometric data made without the proper disclosures amounts to a separate violation of BIPA.

Read more.

Artificial Intelligence (AI) and automated systems can increase efficiency and help reduce human error. However, the National Institute of Standards and Technology (NIST), the White House, and the Equal Employment Opportunity Commission (EEOC) are warning companies that uncritical reliance on AI can have legal consequences, including potentially building in bias that can lead to claims of employment discrimination. Employers’ reliance on these technologies to target job advertisements, recruit applicants, train employees, and make or assist in hiring decisions can lead to adverse employment actions. But, NIST explains, “[w]ith proper controls, AI systems can mitigate and manage inequitable outcomes.” The NIST study does not focus on specific legal risks arising from use of this technology, but it is useful for evaluating whether the systems meet accepted scientific standards.

Click here to read the full Update.

The Transportation Security Administration issued a new cybersecurity directive to enhance cybersecurity preparedness and resilience for designated passenger and freight railroads. The requirements focus on performance-based measures to achieve critical cybersecurity outcomes in light of the growing sophistication of evolving threats.

The directive is effective as of October 24, 2023, and companies will need to comply by February 21, 2023. Directive 1580/82-2022-01, Rail Cybersecurity Mitigation Actions and Testing, will replace the cybersecurity directive the TSA issued last December.

Click here to read the full Update.

For the first time, the Federal Trade Commission has brought an enforcement action under its 2009 Health Breach Notification Rule (HBNR). The case was brought against a digital health company, GoodRx Holdings, Inc., for sharing users’ health information with third-party advertising platforms without the authorization of the users whose data was being shared.

Click here to read the full Update.

The recently announced disruption of the Hive ransomware network is a significant and welcome accomplishment. It cuts off bad actors from the gains they sought to extract from victims and makes their continued criminal activity more challenging. Raising the cost on malicious cyber actors is always a good way to deny them the inherent benefits of online crime, such as distance from target, anonymity, and freedom of operation.

Continue Reading Important Lessons from the Hive Ransomware Disruption

Recent comments by Anne Neuberger, President Biden’s Deputy National Security Adviser for Cyber and Emerging Technology, herald an important shift in U.S. cybersecurity policy. Traditionally, the U.S. Government’s approach has mostly focused on requiring companies to notify regulators and affected individuals of security breaches that implicate specific types of information, such as personally identifiable information, protected health information, and financial information. Federal efforts to prescribe or enforce proactive security measures have been sector-specific, such as the Transportation Security Administration’s Security Directives covering rail and pipeline owners and operators. Those measures have been spread among sector-specific agencies, which has resulted in multiple, and sometimes conflicting or confusing, requirements applying to some businesses. Federal law enforcement agencies have also made targeted and novel use of criminal search authorities to proactively remediate privately owned machines infected with malware by Russian and China-based actors.

Continue Reading Biden Administration Plans Mandatory Cybersecurity Regulations for Critical Infrastructure Companies

The Board of the California Privacy Protection Agency (CPPA) approved a rulemaking package covering Sections 7000–7304 of their draft regulations on February 3, 2023. The board also initiated preliminary rulemaking activities for risk assessments, cybersecurity audits, and automated decision-making. In approving the rulemaking package, the CPPA did not make substantive changes to the version of its draft regulations published in October 2022, indicating that any changes following from the more than 400 pages of public comment analysis could be advanced in future rulemaking activities.

Continue Reading Almost There and Starting Again: CPPA Votes To Finalize Regulations and Launches Round Two

As it did last year, the California Attorney General’s Office recognized Data Privacy Day by announcing its latest investigative sweep under the California Consumer Privacy Act (CCPA). This time, the Attorney General focused on companies that operate mobile apps allegedly without offering CCPA-compliant opt-out mechanisms.

Continue Reading California Attorney General Targets Popular Mobile Apps in CCPA Enforcement Sweep

The European Commission released a draft adequacy decision on December 13, 2022, approving the new EU-U.S. data privacy framework established in part by President Biden’s Executive Order 14086 issued on October 7, 2022. The draft adequacy decision is the first step in the European Union’s adoption procedure.

Click here to read the full Update.