Publications & Advisories
- November 2024 – Kathleen Benway, Jennifer Everett, Alysa Austin, and Kristen Bartolotta published “Federal Trade Commission’s Updated Health Breach Notification Rule Is Now in Effect” in Employee Benefit Plan Review.
- October 30, 2024 – Kate Hanniford, Jennifer Pike, and Angie Burnette published “Health Care / Privacy, Cyber & Data Strategy Advisory: Coming This December: Will Health Care Entities Be Unwrapping New HIPAA Security Rules for the Holidays?”
- October 24, 2024 – Kim Peretti, Kate Hanniford, Ashley Miller, Lance Taubin, and Colton Jackson published “Privacy, Cyber & Data Strategy Advisory: NYDFS Issues Guidance on Artificial-Intelligence-Related Cybersecurity Risks.”
- October 18, 2024 – Kathleen Benway, Alex Brown, Kate Hanniford, Zain Haq, and Graham Gardner published “Consumer Protection/FTC / Privacy, Cyber & Data Strategy Advisory: FTC and State AGs Settle with Marriott over Starwood Data Breaches.”
- October 16, 2024 – Peter Swire and Dan Felz published “German Court Decision Signals Move Toward Risk-Based Approach to Data Transfers” for the International Association of Privacy Professionals.
- October 1, 2024 – Kim Peretti, Lance Taubin, and Colton Jackson published “Privacy, Cyber & Data Strategy Advisory: AI vs. AI: Recent Developments in the Cyber Landscape.”
- September 24, 2024 – Kim Peretti was joined by Bryan Vorndran, assistant director of the FBI Cyber Division, and Cynthia Kaiser, deputy assistant director of the FBI Cyber Division, to discuss “Common Cyber Threats and How to Reduce Risk.”
- August 8, 2024 – Dan Felz, Mona Bhalla, and Hyun Jai Oh published “Privacy, Cyber & Data Strategy Advisory: New York Department of Financial Services Issues Final Guidance to Insurers on Using AI and External Consumer Data.”
Selected U.S. Privacy & Cyber Updates
On November 12, 2024, CISA, the FBI, the NSA, and several international partners (including the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and New Zealand Computer Emergency Response Team, and the United Kingdom’s National Cyber Security Centre) published a joint cybersecurity advisory identifying the top vulnerabilities routinely exploited by malicious threat actors in 2023. The advisory notes that, compared with 2022, more of the most frequently exploited vulnerabilities were first exploited as zero-days, which shortens the window defenders have to patch before exploitation begins.
CPPA Board Advances CCPA Regulations to Formal Rulemaking; Adopts New Data Broker Regulations
On November 8, 2024, the California Privacy Protection Agency (CPPA) board advanced to formal rulemaking the CCPA draft regulations on cybersecurity audits, risk assessments, automated decision-making technology, and insurance. The CPPA board also adopted the California Delete Act proposed regulations, which clarify data broker registration requirements and provide definitions for key terms under the Delete Act.
In early October 2024, several media outlets reported that U.S. telecommunications services had been infiltrated by state-affiliated threat actors linked to the People’s Republic of China (PRC). These reports were followed by a joint press release on October 25, 2024 by the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency stating that the government is investigating “the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” Several days later, on October 29, 2024, the Congressional Research Service issued an updated report stating that the PRC state-sponsored hacker group dubbed “Salt Typhoon” by security researchers was reportedly responsible for the attack on U.S. telecommunications companies reported in early October 2024. According to the report, Salt Typhoon appears “to have conducted counterintelligence operations, seeking information on PRC targets that the United States may be surveilling.” “Typhoon” is the naming suffix Microsoft assigns to threat actors with PRC state sponsorship; U.S. law enforcement agencies have since adopted the same names. Three Typhoon groups have figured most prominently in recent U.S. government advisories: Flax Typhoon, known for using Internet of Things devices as an entry point to target Taiwanese and U.S. critical infrastructure; Volt Typhoon, known for using stealth and living-off-the-land techniques to pre-position for potential future disruptions of U.S. critical infrastructure; and Salt Typhoon, known for conducting espionage and counterintelligence.
Combatting the New Insider Threat: North Korean IT Workers Posing as Remote Employees
On November 1, 2024, the New York Department of Financial Services (NYDFS) issued a cybersecurity advisory on a growing threat posed by North Korean operatives seeking remote IT roles at U.S. companies. These operatives secure jobs at prominent companies, generate revenue for the regime, and have the potential to expose sensitive corporate data. These highly sophisticated threat actors use a range of tactics to disguise their identities and infiltrate businesses, posing significant security risks. This alert consolidates critical information from the NYDFS and FBI on the tactics used by these actors, the vulnerabilities they exploit, and recommended steps for companies to mitigate these threats.
Massachusetts Top Court Torpedoes Website Analytics Wiretapping Class Action
On October 24, 2024, in a long-awaited decision in Vita v. New England Baptist Hospital, Massachusetts’s highest court snuffed out an attempt to use the state’s 1968 Wiretap Act to impose liability on a hospital system for its use of third-party analytics technologies on its website. The case had been closely watched by the business community, including amicus briefing by the U.S. Chamber of Commerce expressing concerns that an opposite holding could have imposed “crippling and virtually unlimited liability” under the state’s Wiretap Act for “injury-less claims.”
Summary of Changes from DoD CMMC Proposed Rule to Final Rule
On October 11, 2024, the Department of Defense issued its Final Program Rule for the Cybersecurity Maturity Model Certification (CMMC) Program. The Final Rule is a signal to federal contractors to develop compliance programs pertaining to CMMC before the implementation of the program (likely next year).
SEC 2025 Examination Priorities Indicate Sustained Focus on Cybersecurity & Data Protection
The SEC has released its Examination Priorities: Fiscal Year 2025, which may be a useful roadmap to SEC-registered investment advisers, exchanges, and other entities subject to routine examination by the SEC Division of Examinations. The examination priorities represent the division staff’s identification of areas of heightened risks to investors and the integrity of the U.S. capital markets, based on prior years’ examinations, market events, information gathered from conversations with investors and industry groups, and information from other regulators. Although the examination priorities are not a comprehensive list of the issues that the division will scrutinize in examinations, as in prior years, information security and operational resiliency remain a focus.
President Biden Signs First National Security Memorandum Focused on AI
On October 24, 2024, President Biden signed the first-ever National Security Memorandum (NSM) focused on artificial intelligence, pursuant to subsection 4.8 of Executive Order 14110. The NSM provides guidance on developing, employing, and strengthening AI usage within the federal government. The NSM outlines three main objectives that serve as guideposts in directing the U.S. government in “appropriately harnessing … AI models and AI-enabled technologies.”
NYDFS Issues Guidance on Artificial-Intelligence-Related Cybersecurity Risks
On October 16, 2024, the NYDFS issued an industry letter, Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks. The letter contains guidance for entities regulated by the NYDFS in assessing and responding to cybersecurity risks related to the use of AI, specifically the use of AI by threat actors and the risks posed by a covered entity’s AI systems.
DOJ Unseals Indictment of Evil Corp Member, While OFAC Announces New Evil Corp Sanctions
On October 1, 2024, the Department of Justice (DOJ) unsealed an indictment against Aleksandr Viktorovich Ryzhenkov, a member of the ransomware group Evil Corp. The indictment charges Ryzhenkov with several violations of the Computer Fraud and Abuse Act, as well as conspiring to commit money laundering, arising from his use of a ransomware strain called “BitPaymer.” In addition to his alleged work with Evil Corp, the UK’s National Crime Agency has reported that Ryzhenkov is also a suspected affiliate of LockBit, another ransomware group that the FBI disrupted in February 2024 and that saw the DOJ indict one of its leaders in May 2024.
NIST Releases Updated Draft Guidelines Regarding AI Use in Identity Systems
On August 21, 2024, the National Institute of Standards and Technology (NIST) released the second public draft of its Digital Identity Guidelines (SP 800-63-4), which provides federal agencies with a framework for identity proofing and authentication of external employees, government contractors, and individuals accessing government information systems and services. Building on the first draft of the guidance, the second draft expands on requirements for risk management, identity-proofing models, authentication protocols, and safeguards for detecting and preventing fraud, including fraud enabled by AI-generated content.
Ransomware Activity Trends in Q2 2024
Ransomware attacks are hitting record highs in 2024 and show no sign of slowing down as new criminal groups enter the scene and employ a variety of evolving tactics. Multiple recent security reports have reported a significant increase in ransomware attacks claimed by criminal groups in Q2 2024, making it the second-highest quarter on record for claimed attacks.
California Joins the Neural Data Bandwagon
On August 31, 2024, the California legislature passed SB 1223, which amends the CCPA/CPRA to include “neural data” as a type of sensitive data. SB 1223 defines “neural data” as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.” California follows Colorado as the second state to include neural data as a category of sensitive data under its state comprehensive privacy law.
On August 28, 2024, CISA, the FBI, and the Department of Defense Cyber Crime Center (DC3) released a joint advisory warning of increased collaboration between Pioneer Kitten, an Iranian state-backed threat actor, and various ransomware groups. The advisory highlights how Iranian threat actors are leveraging relationships with affiliates of NoEscape, RansomHouse, and the defunct ALPHV/BlackCat to launch attacks more efficiently.
Department of Justice Intervenes in Cybersecurity Qui Tam Action Against Georgia Tech
On August 22, 2024, the DOJ filed a complaint in intervention in the case of United States v. Georgia Tech. This lawsuit, which was originally filed under seal by relators Christopher Craig and Kyle Koza on July 8, 2022, concerns the cybersecurity program that Georgia Tech, acting under a federal government contract, is required to maintain for its work in federal defense research. The DOJ’s intervention in the Georgia Tech case marks the first time that the DOJ has intervened to litigate a cybersecurity-based lawsuit under the False Claims Act, commonly referred to as a qui tam action.
California Passes Generative AI ‘Training Transparency’ Bill
On August 27, 2024, the California state legislature passed AB 2013 and sent it to Governor Gavin Newsom for signature. If signed, AB 2013 would require companies that make generative AI systems and services publicly available to Californians to post documentation on their websites about the data used to train Gen AI systems and services. This documentation would need to be posted by January 1, 2026. [editors’ note: AB 2013 was signed by the governor on September 28.]
On August 21, 2024, CISA, alongside government agencies of key global allies, including Australia, the UK, Canada, and Japan, released guidance on event logging and threat detection best practices. The guidance was published in response to the increased prevalence of threat actors employing living-off-the-land (LOTL) techniques, which abuse legitimate built-in tools and therefore leave few traces unless logging is configured to capture them.
On July 30, 2024, New York Attorney General Letitia James announced she had completed an investigation into the tracking technology practices of popular websites and used this announcement to create website privacy guides on online tracking for New York businesses and consumers, the Business Guide and Consumer Guide. The Business Guide is directed to companies providing services to New York consumers and explains how businesses can identify and prevent common issues when implementing cookies and other online tracking technologies. It also provides guidance on complying with New York online tracking law.
DOJ Continues to Investigate and Prosecute North Korean IT Worker Fraud Scheme
On August 8, 2024, the DOJ announced that it had charged a Nashville man for his alleged role in assisting North Korea with a scheme designed to funnel money from legitimate U.S.-based businesses through fraudulently hired remote IT workers. The DOJ warned that, through the use of stolen identities and remote desktop software, North Korean IT workers located throughout China and Russia have continued to circumvent international sanctions and obtain high-paying remote IT jobs for the purpose of raising revenue for the North Korean weapons of mass destruction program.
Selected Global Privacy & Cybersecurity Updates
Forthcoming UK Cyber Security and Resilience Bill to Boost the UK’s Cyber Defenses
In the July 2024 King’s Speech, the UK government announced its intention to introduce a Cyber Security and Resilience Bill to improve the UK’s cyber defenses and protect essential public services. The announcement comes as companies and countries increasingly face attacks by cyber criminals and state actors, sometimes disrupting public services and infrastructure.
Singapore Cybersecurity Agency Publishes Guidelines on Securing AI Systems
On October 15, 2024, the Cyber Security Agency of Singapore (CSA) published Guidelines on Securing AI Systems alongside a Companion Guide for Securing AI Systems, which is intended to serve as support for the guidelines. In its announcement, the CSA states that while AI offers significant benefits for the economy and society, it is crucial to ensure AI systems behave as intended and that the cybersecurity risks are properly addressed. The CSA notes that AI should be secure by design and by default, and companies should take a proactive approach to managing security risks from the outset.
Green Light for the Enforcement of NIS 2 in Limited EU Countries Only
EU Member States had until October 17, 2024 to transpose the Network and Information Security (NIS) 2 Directive into their national laws. As directives are not directly applicable in EU Member States, the EU legislature required all 27 Member States to incorporate into their national laws the requirements of NIS 2 and to make them binding on covered entities within their jurisdictions. However, a large number of EU Member States have missed the transposition deadline.
EDPB Adopts Opinion on the Use of Processors and Subprocessors
On October 7, 2024, the European Data Protection Board (EDPB) adopted an opinion on obligations following from the use of processors and subprocessors. The EDPB is the body that seeks to ensure harmonized application of the EU GDPR across the European Economic Area (EEA) and is composed of the heads of the data protection authorities in each EEA state, as well as the European data protection supervisor. The opinion was rendered in response to questions posed by the Danish supervisory authority to the EDPB concerning controllers’ obligations toward processors, as well as specific questions about the wording of processing contracts.
On September 19, 2024, the Belgian Data Protection Authority (DPA) issued new guidance on the interplay between the recently adopted EU Regulation on Artificial Intelligence (the AI Act) and the GDPR, which aims to provide further insight into the use of AI systems that process personal data.
EU Data Protection Regulators Publish Additional Guidance on the EU-U.S. Data Privacy Framework
In July 2024, the EDPB – which is composed of the national data protection authorities of the countries in the EEA, as well as the European data protection supervisor – adopted two FAQ documents for the EU-U.S. Data Privacy Framework (DPF) aimed at providing further insight into the functioning of the DPF. The European Commission considers transfers of personal data from the EEA to companies in the U.S. that are certified under the DPF to enjoy an adequate level of protection. As a result, personal data can be transferred freely from the EEA to the U.S. by certified companies without the need to put in place additional data-transfer safeguards.
Events
- November 19, 2024 – Alston & Bird will host a reception and dinner during the IAPP European Data Protection Congress with a special fireside chat with European Data Protection Supervisor Wojciech Wiewiórowski. Paul Greaves will lead the roundtable “The EU Data Act: Compliance Challenges and Solutions.”
- November 15, 2024 – Rachel Lowe presented “California Privacy Litigation: Key Trends and Insights,” hosted by the Association of Corporate Counsel.
- November 14–15, 2024 – Wim Nauwelaerts spoke on the panel “Strategies for Compliance with the EU Data Act” during the Data Sharing: Preparing for Compliance with the EU Data Act conference.
- November 1, 2024 – Dorian Simmons spoke on the panel “Data Privacy” at the Atlanta Works HR Technology and Legal Conference.
- November 1, 2024 – Dan Felz spoke on the panel “AI in Healthcare: Legal Perspectives on Innovation, Risk Management, and Compliance” during the Advanced Health Law Seminar 2024.
- October 31, 2024 – Kate Hanniford, BJ Stieglitz, Isabelle De Smedt, and Kelly Hagedorn presented “Alston & Bird Webinar – Global Investigations: What’s New?”
- October 23–25, 2024 – David Keating spoke on the panel “Regulatory Pitfalls Under State Comprehensive Privacy Law” and Kim Peretti and Cara Peterman spoke on the panel “The Board’s Oversight Role in Cybersecurity: Trends in Preparedness and Response” at the 2024 Privacy & Security Forum, Fall Academy.
- October 23, 2024 – Jen Pike presented “The Future of Health Care Privacy: What Payers Need to Know.”
- October 8, 2024 – Kim Peretti presented “Cybersecurity and AI – Challenges, Opportunities, and Trends.”
- September 19, 2024 – Dan Felz, Jennifer Everett, and Wim Nauwelaerts presented “What the EU AI Act and AI Regulatory Trends in the U.S. Mean for Business.”
- September 18, 2024 – Kate Hanniford co-hosted “Cyber Threat Briefing,” covering key issues in global cyber-threats, including the cyber-threat landscape and incident management and crisis response best practices.
- September 18–19, 2024 – Kim Peretti spoke on the panel “Countering Sophisticated Threats: Insights from the Frontlines” at the Mandiant Worldwide Information Security Exchange.
- September 16, 2024 – David Keating spoke on the panel “Evolution of California Privacy Law: Recent Regulatory and Legislative Trends Impacting Retailers” at the 2024 California Retail Law Summit.
In the News
- October 17, 2024 – Jennifer Everett is quoted on the potential impact of the U.S. presidential election on AI regulation in CIO Dive.
- October 4, 2024 – Sara Pullen Guercio is quoted on a California law that added brain waves as a category of sensitive information protected under the state’s privacy laws in Bloomberg Law.
- October 1, 2024 – Kelly Hagedorn is noted for joining Alston & Bird as a partner in London in Law.com and Bloomberg Law.
- September 30, 2024 – Jennifer Everett is quoted on California Governor Gavin Newsom’s veto of a bill to provide safety regulations for AI systems in CIO Dive.
- September 6, 2024 – Jennifer Everett is quoted on legislation in California that would regulate AI systems in Law360.
- August 1, 2024 – Wim Nauwelaerts provides an overview of the data protection regulatory considerations for using dashcams in the EU in OneTrust DataGuidance.
Press Releases
Alston & Bird Adds Privacy, Cyber & Data Strategy Partner Kelly Hagedorn in London
Alston & Bird has expanded its Privacy, Cyber & Data Strategy Team with the addition of partner Kelly Hagedorn in the firm’s London office. With extensive cyber incident response experience, Kelly advises clients on data protection, regulatory enforcement, and privacy litigation.
Alston & Bird Represents Christie’s in Acquisition of Gooding & Company
Maki DePalo and Dorian Simmons are noted for representing the international auction house Christie’s in its acquisition of Gooding & Company, a leading international auction house in the classic-car market.
Alston & Bird Advises EverBank Holdings on $150 Million Private Offering
Kate Hanniford, Scott Hilsen, and Kristen Bartolotta are noted for advising EverBank Holdings on a $150 million private offering of its 8.375% fixed-to-floating rate subordinated notes due 2034.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Yin Tydir.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.