Publications and Advisories
- July 25, 2024 – Cara Peterman, Sierra Shear, and Madeleine Davidson published “Securities Litigation / Privacy, Cyber & Data Strategy / Securities Law Advisory | First of Its Kind: Federal Court Dismisses Majority of SEC’s SolarWinds Action but Maintains Claims Against CISO Defendant.”
- July 12, 2024 – Wim Nauwelaerts and Paul Greaves published “Privacy, Cyber & Data Strategy Advisory: What to Tell Your C-Suite About the EU AI Act.”
- July 1, 2024 – Kim Peretti, Cara Peterman, Dave Brown, Sierra Shear, and Madeleine Davidson published “Securities Litigation / Privacy, Cyber & Data Strategy / Securities Law Advisory: SEC Settlement Suggests the Agency’s Attempt to Regulate Cybersecurity Controls.”
- May 2024 – Dan Felz and Kathleen Benway published “AI Enforcement Takes Off in the U.S.: Key Points from the FTC’s Initial AI Enforcement Actions” in Transatlantic Law Journal.
Selected U.S. Privacy and Cyber Updates
New York AG Seeks Comments on Rulemaking for Minors’ Online Protection Laws
On August 1, 2024, New York Attorney General Letitia James issued two advanced notices of proposed rulemaking (ANPRs) for the Stop Addictive Feeds Exploitation for Kids Act (SAFE Act) and the Child Data Protection Act (CDPA), which New York Governor Kathy Hochul signed into law on June 20, 2024. The ANPRs invite interested parties to submit comments on the rules that James plans to promulgate for the SAFE Act and CDPA.
On August 7, 2024, the Sixth Circuit upheld a Chinese spy’s 20-year prison sentence for attempting to steal aviation trade secrets from General Electric. Yanjun Xu, a deputy director in China’s Ministry of State Security, was responsible for trying to steal aviation-related proprietary information.
NYDFS Issues Final Circular Letter Guidance on Use of AI in Insurance Underwriting and Pricing
On July 11, 2024, the New York Department of Financial Services released Insurance Circular Letter No. 7, which establishes guidelines on the use of artificial intelligence systems and external consumer data and information sources in insurance underwriting and pricing.
CISA Releases Findings from Its AI Pilot Program on Detecting Critical Vulnerabilities
On July 28, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it piloted an AI-enabled vulnerability program to help detect and remediate vulnerabilities in the U.S. government’s critical networks, systems, and software, as required by Executive Order 14110.
Senate Passes Bill for Kids Online Safety and Privacy Act
On July 30, 2024, in a 91–3 vote, the U.S. Senate passed the Kids Online Safety and Privacy Act. The bill, which combines the bills for the Kids Online Safety Act (KOSA) and the Children and Teens’ Online Privacy Protection Act (CTOPPA), aims to expand online safety and privacy protections for individuals under the age of 17.
U.S. Court Rules Against Online Travel Booking Company in Web-Scraping Case
On July 18, 2024, a federal jury in Delaware found that an online travel booking company violated the Computer Fraud and Abuse Act (CFAA) by accessing portions of a European airline’s website without permission and “with intent to defraud” the airline. In particular, the jury unanimously found that the online travel company violated the CFAA by using a third-party service provider to scrape the airline’s website to find and resell airline tickets to its own customers at an additional charge. The jury further found that the online travel company’s scraping activity caused damage to the airline of at least $5,000, which the airline alleged resulted from service interruptions to its website, data, and underlying database, amounts spent by the company attempting to prevent the unauthorized scraping, and other losses.
CPPA Holds Preliminary Stakeholder Session on Accessible Deletion Mechanism Under Delete Act
On June 26, 2024, the California Privacy Protection Agency (CPPA) held a stakeholder session to provide information and gather stakeholder input on the CPPA’s mandate to build an accessible deletion mechanism known as the Delete Request and Opt-Out Platform (DROP) as required by the California Delete Act. DROP will allow consumers to request the deletion of their personal information held by data brokers through a single request. Generally, the public comments addressed concerns about potential administrative and technical burdens on data brokers, clarifying and confirming the scope of deletion requests, and verifying deletion requests.
Pennsylvania Amends Data Breach Notification Law
Pennsylvania’s governor has approved amendments that significantly overhaul the commonwealth’s data breach notification law. The amendments make a number of material changes, including adding a regulator notification requirement, lowering the threshold of impacted Pennsylvania residents triggering a notification requirement to the consumer reporting agencies, slightly tweaking the definition of “personal information,” and adding a requirement to offer credit monitoring and to pay for a credit report for impacted individuals who are not able to obtain one for free. The amended law goes into effect on September 26, 2024.
On July 16, 2024, the CPPA board declined to advance to formal rulemaking California Consumer Privacy Act (CCPA) draft regulations on cybersecurity audits, risk assessments, automated decision-making technology, insurance companies, and updates to existing regulations. The CPPA board voted against advancing the regulations during its board meeting when it also received an update on CPPA enforcement priorities.
On June 18, 2024, California Attorney General Rob Bonta and Los Angeles City Attorney Hydee Feldstein Soto announced a settlement with a video game developer and publisher over allegations that the company violated the CCPA, the federal Children’s Online Privacy Protection Act, and California’s Unfair Competition Law. The settlement requires the company to pay $500,000, implement certain privacy practices for the protection of children, and provide annual reports under regulatory monitoring for three years. This case marks the third public CCPA enforcement action by the California AG to date, following prior settlements in August 2022 and February 2024.
On June 24, 2024, the Division of Corporation Finance of the Securities and Exchange Commission (SEC) issued five new Compliance and Disclosure Interpretations (C&DIs) related to the disclosure of “material” cybersecurity incidents in Item 1.05 of Form 8-K. The C&DIs present hypothetical fact patterns related to ransomware attacks and insurance reimbursement for damages related to cybersecurity incidents.
SEC Settlement Suggests the Agency’s Attempt to Regulate Cybersecurity Controls
On June 18, 2024, the SEC announced a $2.125 million settlement with R.R. Donnelley & Sons Co. relating to the company’s 2021 ransomware attack. The settlement, and the SEC’s accompanying cease-and-desist order, portend the agency’s continued and increasing oversight over registrants’ cybersecurity policies and practices.
New York State Department of Health Revises Proposed Hospital Cybersecurity Regulations
In May 2024, the New York State Department of Health issued revisions to proposed regulations on hospital cybersecurity that it first released in November 2023. The proposed revised regulations were subject to public comment that ended on July 1, 2024 and applied to general hospitals licensed under Article 28 of the New York State Public Health Law.
DOJ Announces $11.3 Million in Settlements for FCA Violations
On June 17, 2024, the Department of Justice (DOJ) announced a settlement with two U.S.-based consulting companies that agreed to pay a combined total of $11.3 million to resolve allegations that they violated the False Claims Act by failing to comply with cybersecurity requirements in government contracts. According to the DOJ, the companies failed to meet cybersecurity requirements in contracts intended to ensure the security of New York’s emergency rental assistance program application, which provided rental assistance to individuals in need during the COVID-19 pandemic.
On May 14, 2024, Peter Swire published a white paper at the Cross-Border Data Forum, analyzing the definitions in the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA), which was passed on April 24, 2024 and took effect on June 23, 2024. The white paper discusses some ambiguities in the text of the new law and the consequences that may result from differing interpretations of the language. It also includes an appendix comparing the PADFAA definitions to those in the Executive Order on bulk sensitive data.
Data Breach Notification Requirements Under the Safeguards Rule Now in Effect
On May 13, 2024, new breach notification requirements under the FTC’s Gramm–Leach–Bliley Act Safeguards Rule came into effect. These new FTC rules represent a significant change for financial institutions overseen by the FTC, requiring a new form of regulatory notification that covers a much wider range of incidents.
Tennessee Law Designed to Combat Deepfakes Set to Take Effect in July
On July 1, 2024, the Tennessee Ensuring Likeness, Voice, and Image Security (ELVIS) Act will go into effect, bolstering the limitations on the unauthorized commercial use of an individual’s voice. The ELVIS Act, which amends the Tennessee Personal Rights Protection Act of 1984, was enacted in response to the growing proliferation of AI-generated and deepfake music that has mimicked the work of many stars and celebrities. The ELVIS Act broadly proscribes the distribution of “an individual’s voice or likeness” if the distributor has knowledge that use of the voice or likeness was not authorized by the individual. The ELVIS Act specifically targets deepfakes by also proscribing distribution of a person’s voice, image, or likeness if the unauthorized user “distributes, transmits, or otherwise makes available an algorithm, software, tool, or other technology, service, or device, the primary purpose or function of which is the production of” a particular, identifiable individual’s photograph, voice, or likeness.
On May 22, 2024, the director of the Division of Corporation Finance of the SEC issued further guidance on the disclosure of cybersecurity incidents on Form 8-K. The statement builds on and provides additional clarity to companies seeking to comply with the SEC’s 2023 cybersecurity rules, which require public companies to disclose “material cybersecurity incidents” under Item 1.05 of Form 8-K.
LockBit Takedown Indicates Shifting DOJ Cyber Strategy and Has Implications for Ransomware Victims
On May 7, 2024, the United States unsealed an indictment against Dimitry Yuryevich Khoroshev, one of the leaders of the Russian-based ransomware group LockBit, for his alleged involvement in developing and distributing the LockBit ransomware. According to the indictment, Khoroshev performed both administrative and operational roles for the cybercrime group, including upgrading the LockBit infrastructure, managing LockBit affiliates, and recruiting new developers for the ransomware. Since emerging in 2020, LockBit has become one of the most prolific ransomware groups in the world, targeting over 2,500 victims worldwide and allegedly receiving more than $500 million in ransom payments, according to DOJ statistics. The group licenses its ransomware software of the same name to affiliate cybercriminal groups, which use the software to encrypt and steal data from victims’ systems. LockBit itself provides support and receives a portion of any ransom payment typically made in exchange for system decryption and promises to delete the stolen data.
NIST Cybersecurity Framework 2.0 Prioritizes Governance and Flexibility
In early 2024, the National Institute of Standards and Technology (NIST) issued an update to its Cybersecurity Framework (CSF) with the release of version 2.0, the first update since April 2018 (version 1.1). While the core components of the CSF remain, there are two thematic changes. First, CSF 2.0 no longer applies just to critical infrastructure organizations but rather explicitly aims to assist all organizations in managing and reducing risks across industries and sectors, regardless of their cybersecurity sophistication. Second, it adds “Govern” as a sixth core function, alongside Identify, Protect, Detect, Respond, and Recover. CSF 2.0 also contains significant additions and a refocus on cybersecurity supply chain risk management (C-SCRM), which is unsurprising given organizational reliance on third-party vendors and the prevalence of supply chain attacks.
Selected Global Privacy and Cybersecurity Updates
Dutch Data Protection Authority Warns That Using AI Chatbots Can Lead to Personal Data Breaches
On August 6, the Dutch Data Protection Authority (DPA) issued guidance cautioning companies about the potential data protection risks associated with the use of AI-powered chatbots. In its guidance, the DPA reports that it has recently received several notifications of personal data breaches caused by employees sharing personal data with a chatbot that uses AI.
What to Tell Your C-Suite About the EU AI Act
On July 12, 2024, the European Union’s long-awaited Artificial Intelligence (AI) Act was finally published. It entered into force on August 1, 2024. The AI Act is a landmark legal framework that imposes obligations on both private and public sector actors that develop, import, distribute, or use in-scope AI systems.
EU Artificial Intelligence Act Signed into Law
On June 13, 2024, the AI Act was signed into law. The AI Act will impose obligations on both private and public sector actors that provide, import, distribute, or deploy in-scope AI systems. It also contains obligations that apply to general-purpose AI models.
Events
- November 19, 2024 – Alston & Bird will host a reception and dinner during the IAPP European Data Protection Congress with a special fireside chat with European Data Protection Supervisor Wojtek Wiewiórowski.
- October 23–25, 2024 – David Keating will speak on the panel “Regulatory Pitfalls Under State Comprehensive Privacy Law,” and Kim Peretti and Cara Peterman will speak on the panel “The Board’s Oversight Role in Cybersecurity: Trends in Preparedness and Response” at the 2024 Privacy & Security Forum, Fall Academy.
- September 18–19, 2024 – Kim Peretti will speak on the panel “Countering Sophisticated Threats: Insights from the Frontlines” at the Mandiant Worldwide Information Security Exchange.
- September 16, 2024 – David Keating will speak on the panel “Evolution of California Privacy Law: Recent Regulatory and Legislative Trends Impacting Retailers” at the 2024 California Retail Law Summit.
- September 12, 2024 – Cari Dawson, Kathleen Benway, David Keating, Scott Hilsen, and Peter Swire will present “Steering Clear: Navigating Data Privacy Risks in the Automotive Industry.”
- August 29, 2024 – Wim Nauwelaerts will present on international privacy developments at a Virtual IAPP KnowledgeNet seminar.
- August 6, 2024 – Jen Pike presented “What the AHA Lawsuit Ruling Means for the Future of Privacy in Healthcare” at a webinar hosted by Becker’s Hospital Review.
- June 6, 2024 – Kellen Dwyer spoke on techniques to manage the increasing civil and criminal liabilities for CISOs during the NYU Tandon Executive Education Program.
- June 3–4, 2024 – Kim Peretti spoke on the panel “Preparing for the Inevitable: Managing a Cybersecurity Incident,” and Cara Peterman spoke on the panel “Privacy and Cybersecurity: Governance, Oversight, and Risk Management” during the 25th Annual Practicing Law Institute on Privacy and Cybersecurity Law.
In the News
- June 6, 2024 – Jennifer Everett is featured for joining Alston & Bird in National Law Journal, Bloomberg Law, Law360, and Cybersecurity Law Report.
- May 23, 2024 – Lance Taubin is quoted on the updated cybersecurity framework from the National Institute of Standards and Technology in Federal News Network.
Press Releases
Alston & Bird Creates Ransomware Fusion Center
As ransomware actors mature their tactics, Alston & Bird’s Privacy, Cyber & Data Strategy Team has created a Ransomware Fusion Center to help organizations enhance their ransomware readiness and response protocols.
Alston & Bird Represents Whitley Family in Acquisition of Old Edwards Hospitality Group
Alston & Bird represented the Whitley family in the acquisition of Old Edwards Hospitality Group, a collection of upscale hotels, golf courses, and restaurants in Highlands, North Carolina, as well as several residential communities in nearby Cashiers. Daniel Gerst, Dorian Simmons, John Lesko, Sara Pullen Guercio, and Andrew Rice are noted from the Privacy, Cyber & Data Strategy Team.
Alston & Bird Receives Key Recognitions from The Legal 500 US 2024
Alston & Bird has received significant recognition in the 2024 edition of The Legal 500 United States. The rankings include five of the firm’s key practice areas including cyber law. Kim Peretti continues to be named a “Leading Lawyer” in Cyber law.
Alston & Bird Adds Privacy, Cyber & Data Strategy Partner Jennifer Everett
Alston & Bird has further enhanced its Privacy, Cyber & Data Strategy Team with the addition of partner Jennifer Everett to the firm’s Washington, D.C. office. With a focus on health care and emerging technologies, Jennifer advises clients on data privacy and complex cybersecurity.
Alston & Bird Increases Practices and Attorneys Recognized in Chambers USA 2024
Alston & Bird has received significant recognition in the 2024 edition of Chambers USA: America’s Leading Lawyers for Business, with 73 practice rankings and 153 leading lawyer listings. The Privacy, Cyber & Data Strategy Team is ranked Band 4 for Privacy & Data Security: The Elite. Kim Peretti is ranked Band 1 for Privacy & Data Security: Cybersecurity.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Yin Tydir.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.