STATE & LOCAL LAWS & REGULATIONS

CPPA Releases Draft Regulations on Cybersecurity Audit and Risk Assessment
The California Privacy Protection Agency (“CPPA”) Board released Draft Cybersecurity Audit Regulations and Draft Risk Assessment Regulations (collectively, the “Draft Regulations”). The CPPA discussed the proposed rules during its recent public meeting and announced that the formal rulemaking process for the Draft Regulations will begin shortly. Although these Draft Regulations are subject to change, the CPPA Board’s publication offers critical insight into expected compliance obligations, including new definitions for “Artificial Intelligence” and “Automated Decision-Making Technology,” examples of activities that could trigger the need to conduct a risk assessment (e.g., selling or sharing personal information, processing personal information for purposes of monitoring, or use of Automated Decision-Making Technology), and the content and process requirements for conducting and submitting such assessments. The Draft Regulations also outline categories of businesses that must undergo cybersecurity audits and offer detailed requirements for doing so, including requirements to submit a written notice of compliance or non-compliance to the CPPA.

CPPA Appeals Enforcement Delay

The CPPA and the California Attorney General filed a petition with California’s Third District Court of Appeals to overturn a recent trial court decision that imposed a delay in enforcement of the regulations implementing the California Privacy Rights Act (“CPRA”). In California Chamber of Commerce v. California Privacy Protection Agency, the Sacramento Superior Court delayed the enforcement date of the CPRA’s regulations from July 1, 2023, to March 29, 2024, (a year after the regulations were finalized) due to the CPPA’s delay in issuing the CPRA’s regulation and not addressing several key rulemaking topics contemplated by the CPRA. The CPPA argued that the delay in enforcement would hurt consumers and businesses that have operated in good faith to implement the protections required by the regulations.

New York Seeks to Limit Use of AI in Employment Decision-Making and Monitoring

Senator Hoylman-Sigal introduced Senate Bill 7623 (“SB 7623”) to amend New York’s state labor law to add significant restrictions on the use of any “electronic monitoring tool” and any “automated employment decision tool” by employers and employment agencies in the state. Similar to New York City’s Local Law 144, which took effect earlier this year, SB 7623 would require automated employment decision tools to undergo a bias audit prior to use by employers, meaningful human oversight for matters like “hiring, promotion, termination or disciplinary decisions,” and detailed disclosures notifying individuals when such tools are being used. SB 7623 would further ban employers from using tools that could incorporate information about employees’ protected activities and characteristics, including employees’ biometric information (e.g., gait), among other restrictions. If enacted, violators of SB 7623’s provisions could face civil penalties of up to $500 for the first violation and between $500-$1,500 for each subsequent violation.

Colorado Attorney General Releases Additional Resources for the Colorado Privacy Act

Following the announcement that the Colorado Department of Law will begin enforcing the Colorado Privacy Act (“CPA”) and sending a series of letters to companies educating them on their new legal obligations under the CPA, the Colorado Attorney General has published additional resources to assist with CPA compliance on its website. The CPA webpage provides FAQs and webinars about what consumers and entities should know about the CPA, how businesses, nonprofits, and other entities will be impacted by the CPA, and how the CPA will be enforced.

Dubai Data Protection Commission Declares California Privacy Law Equivalent

The Data Protection Commission of the Dubai International Financial Centre (“DIFC”) issued an adequacy decision, which establishes that the CPRA is equivalent to the DIFC’s Data Protection Law. California was the first US state to enact data privacy legislation, beginning with the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA was strengthened by the CPRA in 2020, which took effect on January 1, 2023. The DIFC commission’s decision marks the first time this commission has granted adequacy to a US state and will permit personal data to be transferred without restrictions between the DIFC and California entities. When announcing the decision, the DIFC commissioner’s office stated that its adequacy determination would create a precedent for building similar relationships with various U.S. states and future U.S. privacy frameworks. 

FEDERAL LAWS & REGULATIONS

Cybersecurity and Infrastructure Security Agency Releases Cybersecurity Strategic Plan
The Cybersecurity and Infrastructure Security Agency (“CISA”) released its new Cybersecurity Strategic Plan (the “Plan”). The Plan sets forth three goals for the next three years: (1) to address immediate threats, including by increasing visibility into and ability to mitigate cybersecurity threats and campaigns; coordinating disclosure of, hunting for, and driving mitigation of critical and exploitable vulnerabilities; planning for, exercising, and executing joint cyber defense operations; and coordinating the response to significant cybersecurity incidents; (2) to harden the terrain, including by understanding how attacks occur and how to stop them, driving implementation of measurably effective cybersecurity investments, and providing cybersecurity capabilities and services that fill gaps and help measure progress; and (3) to drive security at scale, including by driving development of trustworthy technology products, understanding and reducing cybersecurity risks posed by emergent technologies, and contributing to efforts to build a national cyber workforce.

CFPB Director Announces Potential FCRA Rule Changes to Address Data Brokers

U.S. Consumer Financial Protection Bureau (“CFPB”) Director Rohit Chopra announced that the CFPB is considering proposing new rules under the Fair Credit Reporting Act (“FCRA”) aimed at regulating the practices of data brokers. Specifically, Director Chopra stated that the CFPB would soon be publishing outlines of a regulatory proposal that would define any entity that sells certain types of data, “for example or example, a consumer’s payment history, income, and criminal records” as a “credit reporting agency” under the law. This would require such entities to comply with the FCRA’s requirements, including ensuring the accuracy of data and handling disputes about inaccurate information, as well as prohibiting misuse under existing FCRA rules. The CFPB plans to propose a rule for public comment in 2024.

Legislation on Federal Contractor Vulnerability Disclosures Introduced

The Federal Cybersecurity Vulnerability Reduction Act was introduced in the U.S. House of Representatives. The Bill would require the Director of the Office of Management and Budget, in consultation with federal agencies with cybersecurity-specific expertise, to develop updates to the federal acquisition regulations requiring federal contractors to have in place a vulnerability disclosure policy consistent with the National Institute of Standards and Technology (“NIST”) guidelines. The proposed legislation aims to promote a proactive approach to identifying and prompt handling of software vulnerabilities by federal contractors.

NIST Releases Draft of Cybersecurity Framework 2.0

After hearing community feedback for over a year, the National Institutes of Standards and Technology (“NIST”) has released a draft version of Cybersecurity Framework 2.0 (“CSF”). CSF was first released in 2014 to help organizations understand and communicate cybersecurity risks. CSF provides high-level guidance, including a systematic methodology for managing cybersecurity risk across sectors and activities that can be tailored and incorporated into cybersecurity programs for each organization. Since it was first published, the CSF has been downloaded more than 2 million times globally. The CSF 2.0 includes various major changes, including an expanded framework to include all organizations, not just critical infrastructure. CSF 2.0 also provides improved and expanded guidance on implementing the CSF. NIST is accepting public comment on the CSF 2.0 draft until November 4, 2023, and has a fall workshop planned for additional comments. NIST is expected to publish the final version of CSF 2.0 in 2024.

U.S. ENFORCEMENT

CPPA Targets Privacy Practices of Connected Vehicles and Related Technologies

The CPPA’s enforcement division announced that it has begun making inquiries into connected vehicle (“CV”) manufacturers and related CV technologies to understand how these companies are complying with the CPRA when they collect and use consumers’ data. According to the CPPA, CVs are “embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.” The CPPA also stated, “California has more than 35 million vehicles registered in the state, and even more sharing our roads. The sheer number of vehicles makes it an area that affects all Californians who drive, rideshare, or even walk near a car equipped with these technologies.”

FCC Adopts $20 Million Fine against Telecommunications Carriers for Lax Security

The Federal Communications Commission (“FCC”) announced its adoption of a proposed fine of $20 million against Q Link Wireless LLC (“Q Link”) and Hello Mobile Telecom LLC (“Hello Mobile”) for the telecommunications carriers’ apparent failure to appropriately authenticate customers’ identities before providing online access to Customer Proprietary Network Information (“CPNI”). The FCC’s investigation found that the companies violated the CPNI provisions of the Communications Act of 1934 by setting customers’ readily available biographical and account information as the default password to new accounts to authenticate customer identities. Q Link further relied upon this information as a backup method of authentication through its “Forgot Your Login?” feature. In calculating the proposed $20 million penalty, the FCC applied the base forfeiture of $40,000 per violation to the estimated 500 customers whose information was put at risk.

FTC to Settle CAN-SPAM Charges for Sending Unsolicited Emails

The FTC will require Experian Consumer Services (“Experian”) to pay $650,000 to settle charges that it sent consumers unsolicited emails without providing a way to opt out of the messages. Under the CAN-SPAM Act, Experian was required to provide clear and conspicuous notice of consumers’ ability to opt out of receiving additional marketing messages and a mechanism for doing so. The complaint, filed by the Department of Justice on behalf of the FTC, alleges that consumers who signed up for a free account with Experian were sent emails promoting certain services. However, these emails did not contain an unsubscribe link that consumers could use to stop receiving marketing emails. The complaint alleges that while the Experian emails contain a notice stating the emails contained important account information, the emails are not related to consumers’ accounts and do not serve marketing purposes.

U.S. LITIGATION

California Supreme Court Holds Third Parties Can Be Held Liable for Employment Discrimination Claims

The California Supreme Court held in Raines et al. v. U.S. Healthworks Medical Group that third-party vendors used by employers to screen job applicants can be held liable under state civil rights laws for employment discrimination claims. Plaintiffs in the case alleged that employers used a vendor that conducted invasive health screening exams, asking questions unrelated to job responsibilities, such as whether applicants had venereal disease, problems with menstrual periods, prostate or other cancers, mental illness, HIV, and hemorrhoids. The Court stated that the California Fair Employment and Housing Act’s (“FEHA”) definition of “employer” includes third-party agents, and their liability under the FEHA “results from the entity's own engagement in FEHA-regulated activities on the employer's behalf.” The decision could have a far-reaching impact on employees and vendors who use algorithms to make employment-related screening and other decisions, an area that received significant attention from federal and state regulators in recent months.

Seventh Circuit Rules Worry and Anxiety Insufficient for Standing in Data Breach Case

The Seventh Circuit in Alp Baysal et al. v. Midvale Indemnity Co. et al. affirmed a district court ruling that plaintiffs lacked standing in a data breach case where they alleged auto insurance companies Midvale Indemnity Co. and American Family Insurance Co. negligently leaked driver’s license numbers to bad actors. The court held that plaintiffs failed to show how the bad actors used affected driver’s licenses to cause financial harm, such as open accounts or obtain credit, stating that guesswork is not enough and that “the injury must be traceable to the asserted wrong and likely rather than speculative.” The court further held that the “worry and anxiety” alleged by the plaintiffs was insufficient for standing, even if the worry and anxiety caused the consumers to purchase credit monitoring services.

INTERNATIONAL LAWS & REGULATIONS

India Passes Digital Personal Data Protection Act

The Indian parliament passed the Digital Personal Data Protection Act (the “Act”). The Act applies to data maintained in digital form and applies to processing outside of India if personal data is processed in connection with an activity related to offering goods or services to data subjects in India. The Act requires entities processing personal data (“data fiduciaries”) to process personal data only pursuant to specific legal grounds. Primary among these is the consent of the data subject. Other legal grounds include processing for specific purposes for which a data subject voluntarily provides personal data and to comply with law and court orders. The Act also requires data fiduciaries to provide notice to data subjects and provides data subjects with certain rights in their personal data, including the right to know what data is processed about them and the qualified right to delete personal data. Although the Act does not generally prohibit cross-border data transfers, it gives the Indian government the ability to create a list of countries to which personal data cannot be transferred and permits sectoral data localization, such as in connection with payment data. The Act provides maximum penalties for specific violations of the Act, such as a maximum penalty of up to 2.5 billion rupees (about $30 million) for failing to use reasonable safeguards to prevent a data breach. The Indian government announced it would implement the Act within ten months but has not yet specified the effective date.

China Releases Proposed National Cybersecurity Standard on Sensitive Personal Information for Public Comment

China’s National Information Security Standardization Technical Committee (“TC260”) released a draft Information Security Technology – Security Requirements for Processing of Sensitive Personal Information (the “Draft”) for public comment. In accordance with China’s national Personal Information Protection Law (“PIPL”), the Draft proposes national standards and cybersecurity requirements applicable to processing “sensitive personal information,” including clarifications as to what types of personal information may be considered “sensitive personal information,” as ambiguously defined under PIPL.

Chinese Internet Regulator to Require Annual Audits for Companies Handling Personal Data

The Cyberspace Administration of China (“CAC”) has proposed new rules for companies handling personal data. In recent years, China has tightened its control over cross-border data and information. The CAC’s new rules expand upon the existing framework under the Personal Information Protection Law and Data Security Law. Under the new rules, companies offering infrastructure information or services that process data from more than 1 million users will be required to conduct annual compliance audits. For companies processing less than 1 million users, the CAC will require audits every two years. The CAC would also evaluate companies owning data of more than 100,000 users or holding sensitive data of more than 10,000 users. Finally, for companies engaged in cross-border data transfers, the CAC audit will include verification of whether personal information is shared with foreign judicial or law enforcement bodies and whether Chinese authorities endorse this transfer.

Canada Seeks Comments to Establish Generative AI Code of Practice

The Government of Canada published a Consultation seeking comments on the development of a proposed Code of Practice (the “Code”) for generative artificial intelligence (“AI”) systems and to establish guardrails on the same. The Code is intended to serve as a voluntarily-implemented resource for developers, deployers, and operators of AI systems ahead of discussions on generative AI through the G7’s Hiroshima AI Process and ahead of further consideration of Canada’s Artificial Intelligence and Data Act, which was tabled as part of the proposed Bill C-27, the Digital Charter Implementation Act, in June 2022. The Government of Canada announced it is specifically seeking comments on six potential elements of the Code: Safety; Fairness & Equity; Transparency; Human Oversight and Monitoring; Validity and Robustness; and Accountability.

RECENT PUBLICATIONS & MEDIA COVERAGE

• Brave New World for Cybersecurity Risk Management and Incident Disclosure (Blank Rome Client Advisory)

Tianmei Ann Huang, Amanda M. Noonan, and Jason C. Hirsch also contributed to this article.