The Matrix

Washington state’s My Health My Data Act (“MHMD”) goes into effect on March 31, 2024. Entities should carefully evaluate whether MHMD applies to them in light of the law’s broad applicability, an expansive definition of consumer health data, strict consent requirements and a unique private right of action. This post answers questions about which entities are subject to MHMD, and what the law requires entities to do.

Privacy and data security laws and regulations continue to evolve quickly, and companies processing personal data have an increasing array of issues to manage. As we enter 2024, below are five key considerations for companies managing privacy and data security risks.

Data breaches in the healthcare industry are a costly and legally evolving issue. The sophistication of threat actors and their ability to navigate IT systems using constantly changing tactics has made it difficult to predict and, in some cases, respond to a breach. The recent aggressive enforcement by the Federal Trade Commission (the “FTC”) of its Health Breach Notification Rule (the “HBNR”), as well as its proposed changes to the HBNR, have expanded the factors companies must consider when analyzing and responding to potential breaches of health data.

On November 22, 2023, the Federal Communications Commission issued a proposed rule that likely will considerably alter the online lead generation industry, including the use of comparison shopping websites. The proposed rule addresses a number of areas, but, notably, the rule would require texters and callers using certain regulated technologies to obtain prior express written consent from a single seller at a time to comply with the Telephone Consumer Protection Act (“TCPA”). The FCC is expected to pass the rule during its December 13, 2023 meeting. 

Last week, the FTC amended its Gramm-Leach-Bliley Safeguards Rule, supplementing the additions to the rule that it announced in 2021 and that have been in effect since June 2023. The recent amendment will require nonbank financial institutions to notify the FTC when there is an unauthorized acquisition of unencrypted customer information involving 500 or more consumers. This notification requirement, which is scheduled to go into effect in May 2024, adds to the growing list of notifications that a company must consider after a data incident, including the SEC’s recently enacted rules requiring registrants to disclose material cybersecurity incidents.

On Sept. 5, the U.S. Department of Justice announced its settlement with Verizon Business Network Services LLC, a Verizon Communications Inc. subsidiary, in which Verizon agreed to pay $4.1 million to settle certain False Claims Act allegations related to cybersecurity.

The settlement resolves allegations that Verizon's Managed Trust Internet Protocol Service, or MTIPS, which was designed to provide federal agencies with secure connections to public internet and other networks, did not satisfy certain cybersecurity controls related to contracts with the U.S. General Services Administration from 2017 to 2021.

In April 2023, Kyland Young, a star from the popular reality TV show Big Brother, brought a right of publicity claim against NeoCortext, Inc., the developer of a deepfake software called Reface. See Young v. NeoCortext, Inc., 2:23-cv-02486 (C.D.CA filed Apr. 3, 2023). Young claimed that NeoCortext’s Reface, “which uses an artificial intelligence algorithm to allow users to swap faces with actors, musicians, athletes, celebrities, and/or other well-known individuals in images and videos,” violates California’s right of publicity law. Young’s case, which is still pending in the U.S. District Court for the Central District of California, raises important questions about deepfakes and their intersection with the law as it pertains to famous figures.

Last week, the FTC and HHS’ Office for Civil Rights (OCR) sent a joint letter to approximately 130 hospitals and telehealth providers concerning the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps.  The agencies assert that these tracking technologies – such as the Meta/Facebook pixel and Google Analytics – gather identifiable information about users when they interact with a website or mobile app, often without users’ knowledge and in ways that are hard for users to avoid.

According to a study conducted by the Federal Research Division of the Library of Congress as of 2018, counterfeiting was identified as the largest criminal enterprise in the world, with domestic and international sales of counterfeit and pirated goods totaling between an estimated $1.7 trillion and $4.5 trillion a year.

On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, making Texas the next state to enact a comprehensive state-wide data privacy statute. The TDPSA will take effect on July 1, 2024, and applies to businesses that produce a product or service that is “consumed” by Texas residents, and process or engage in the sale of personal data.

Last updated: January 17, 2024

To assist privacy practitioners keep track of new state laws, below is a chart containing links to the major enacted state privacy laws and their respective regulations.  Bookmark this page, and we will update this chart periodically as new laws are enacted.

Since the arrival of AI programs like OpenAI’s ChatGPT, Google’s Bard, and other similar technologies (“Generative AI”) in late 2022, more programs have been introduced and several existing programs have been upgraded or enhanced, including ChatGPT’s upgrade to ChatGPT-4. Our previous posts have identified the features and functionality of Generative AI programs and outlined the emerging regulatory compliance requirements related to such programs. This post discusses how regulatory agencies worldwide have begun to address these issues.

In March 2023, the White House released the National Cybersecurity Strategy, which details the Biden administration’s policy and agency directives to strengthen U.S. cybersecurity across the public and private sectors. Cybersecurity regulations and cybersecurity responses affect both U.S. national security as well as the security and stability of U.S. businesses and individuals. The 2023 National Cybersecurity Strategy replaces the 2018 National Cyber Strategy set forth under the Trump administration and builds on the 2008 Comprehensive National Cybersecurity Initiative set forth under the Obama administration.  

Since late 2022, terms like “large language models,” “chat-bots,” and “natural language processing models” increasingly have been used to describe artificial intelligence (AI) programs that collect data and respond to questions in a human-like fashion, including Bard and ChatGPT. Large language models collect data from a wide range of online sources, including books, articles, social media accounts, blog posts, databases, websites, and other general online content. They then provide logical and organized feedback in response to questions or instructions posed by users. The technology is capable of improving its performance and otherwise building its knowledge base through its internal analysis of user interactions, including the questions that users ask and the responses provided. These AI programs have a variety of applications and benefits, but businesses should be aware of potential privacy and other risks when adopting the technology.

On February 17, 2023, the FTC brought its first civil enforcement action under the Telemarketing Sales Rule, 16 C.F.R. Part 310 (“TSR”), in nearly one year.  In U.S. v. Stratics Networks Inc., et al., which was filed in the U.S. District Court for the Southern District of California, the FTC seeks to stop a group of companies and individuals that it claims are “responsible for delivering tens of millions of unwanted Voice Over Internet Protocol (VoIP) and ringless voicemail (RVM) phony debt service robocalls to consumers nationwide.”  Because the FTC is seeking civil penalties, the Complaint was filed by the Department of Justice on behalf of the FTC.

In an eye-opening 4-3 decision issued on Friday, the Illinois Supreme Court ruled that a separate Biometric Information Privacy Act (“BIPA”) claim accrues “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Cothron v. White Castle System, Inc., 2023 IL 128004 ¶ 45. The decision may have staggering consequences on all pending BIPA cases, converting what might have been a single claim, into thousands of separate claims for $1,000 or $5,000 (depending on whether the violation is negligent or willful). The impact of the decision is even more severe in light of the Illinois Supreme Court’s recent decision in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, applying a five-year statute of limitations to all BIPA claims. 

The Illinois Supreme Court has issued its highly anticipated ruling in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, which expands the statute of limitations period for certain claims under the Biometric Information Privacy Act (BIPA) from one year to five years. The Court reversed in part a previous ruling by the appellate court, which held that a one-year limitations period applied to claims under subsections 15(c) and (d) of BIPA, prohibiting the sale and unauthorized disclosure of biometric data, and affirmed the appellate court’s judgment that a five-year period applied to other claims under BIPA.

As seen from the recent release of the ChatGPT artificial intelligence (“AI”) tool, AI technologies have a major potential to transform society rapidly. However, the technologies also pose potential unique risks. Because AI risk management is a key component of responsible development and use of AI systems, the National Institute of Standards and Technology last week released its voluntary AI Risk Management Framework, which will be a helpful resource to assist businesses to responsibly incorporate AI into their processes, products and services.

Because the use of passwords alone is a relatively weak method to prove identity, enforcement agencies are ramping up pressure for companies to implement multi-factor authentication (MFA) both internally and to customers for online services. MFA makes it more difficult for cyber threat actors to gain access to networks and information systems if authentication information, such as passwords, is compromised through phishing attacks or other means. Below is information that may be helpful in assessing whether your company should implement MFA, and how to do so.

The Ohio Supreme Court recently ruled that the “Electronic Equipment” endorsement of a property insurance policy does not provide coverage for a policyholder’s losses following a ransomware attack.  In EMOI Servs., LLC. v. Owners Ins. Co., 2022-Ohio-4649 (Ohio 2022), the Ohio Supreme Court reversed an appellate court’s decision which held, among other things, that there was potential coverage under the “Electronic Equipment” endorsement because damage to software could constitute “direct physical loss of or damage” to covered property.  

Last week, the Consumer Financial Protection Bureau (“CFPB”) took a significant step forward in enhancing consumer control over private financial data when it launched a rulemaking process under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act (“Section 1033”). Section 1033 requires the CFPB to implement a rule to allow consumers to access their financial information. Currently, there is no duty under Section 1033 to maintain or keep any information about a consumer. The CFPB has yet to adopt a rule relating to data access, despite its authority to do so.

On October 12, 2022, a jury returned a verdict against the defendant, BNSF Railway Company (“BNSF”), in the first trial in a class action asserting claims under the Illinois Biometric Information Privacy Act (“BIPA”). Shortly thereafter, the Court entered a staggering judgment against BNSF in the amount of $228 million. To the extent that companies operating in Illinois have not already recognized the significant impact of BIPA, they should be paying attention now. While the case seemingly addressed a number of issues that companies have been grappling with in considering the implications of this law, many important questions about BIPA’s reach still persist.

The DOJ recently published guidance regarding website accessibility under the Americans with Disabilities Act (ADA). This guidance reiterated the DOJ’s longstanding position that websites of businesses open to the public (defined as “places of public accommodations” under Title III of the ADA) are required to be accessible to people with disabilities and provided some non-binding indicators of what it means for a website to be accessible. 

On September 15, 2022, President Biden issued the first Presidential Directive to refine the scope of the Committee for Foreign Investment in the United States (“CFIUS”) following the 2018 Foreign Investment Risk Review Modernization Act of 2018.  CFIUS is empowered to review business transactions that result in a foreign person having ownership or control rights over U.S. companies.  While CFIUS review is a largely voluntary process, it is mandatory when foreign owners or investors may be tied to foreign governments or when a target business is involved with certain critical U.S. technologies.  CFIUS may, as a result of its review, take remedial steps to address national security concerns imposed by the transaction, such as imposing mitigation agreements or third-party monitors.  CFIUS may also refer the transaction for Presidential review. Ultimately, CFIUS can unwind a business transaction – even years after the closing. 

On August 11th, the Federal Trade Commission kicked off of its long-awaited privacy rulemaking by releasing an Advanced Notice of Proposed Rulemaking (ANPR).  The ANPR is the beginning of what likely will be a lengthy process conducted pursuant to the FTC’s Magnuson-Moss rulemaking authority.  The ANPR is extremely broad, raising 95 questions directed at nearly every type of data collection.  Notably, in promulgating a rule, the FTC must demonstrate that each practice regulated is either deceptive or unfair and is prevalent in the market.

As part of a larger trend of legal developments with respect to cybersecurity throughout the United States, the SEC recently proposed certain rules intended to increase and standardize a public company’s reporting and disclosure requirements regarding cybersecurity incidents and risk management (the “Proposed Rules”). Generally, the Proposed Rules require the disclosure of information related to a company’s: (i) material cybersecurity incidents; (ii) cybersecurity risk management and strategy; (iii) cybersecurity governance; and (iv) board member and management cybersecurity expertise. Specifically, and as more fully set forth in the discussion below, the Proposed Rules seek to amend Forms 6-K, 8-K, 10-K, 10-Q, 20-F, and Items 106 and 407 of Regulation S-K. Below, we have provided a brief summary of each of the Proposed Rules and the impact the reporting and disclosure requirements under such Rules would have on a public company.

As 2023 approaches, organizations must again address new and modified laws governing Data Subject Requests (DSRs). Of course, the rollout of additional privacy regulations has become almost routine. But as the growing number of jurisdictions empower individuals with the right to opt out of more types of processing and access, rectify, or delete personal data, the legal and operational challenges of these laws continue to accelerate. Organizations – especially those with lean privacy and legal ops functions – will need to be strategic in addressing the expanding regulatory burden.

With that in mind, we offer a few issues to address as you map out your next steps when it comes to DSRs.

The FTC issued a policy statement yesterday notifying education technology companies that the agency is committed to ensuring that ed tech tools comply with the Children’s Online Privacy Protection Act (“COPPA”).  COPPA requires that websites or services covered under COPPA obtain a parent’s – or in some cases, a school’s – consent before collecting personal information from children under 13.  COPPA also limits how long companies may keep children’s personal information and requires that companies properly safeguard information.  The policy statement signals that the FTC will be scrutinizing COPPA compliance by providers of ed tech and other covered online services. 

On March 24, 2022, Utah joined California, Virginia and Colorado to become the fourth state to enact a comprehensive consumer privacy law. The Utah Consumer Privacy Act (the “UCPA”) has similarities to the existing privacy laws enacted by California (the “CCPA”), Virginia (the “VCDPA”) and Colorado (the “CPA”). Certain aspects of the UCPA’s approach, however, are distinct from those other privacy laws. Generally, the UCPA applies to a more narrow scope of businesses, and more categories of data fall outside of the UCPA’s definition of “personal data” -- thereby imposing less of a burden on businesses. Below we’ve provided a high-level summary of the UCPA’s general requirements and certain of its differences and similarities to consumer privacy laws enacted by other states.

The increase in cyber breaches and hacks has resulted in litigation, some involving policy interpretation, and some involving new theories of liability. The two cases described below are illustrations of the types of issues that businesses, insureds and insurers continue to face as result of cyber liability. In the first case, the court found that a traditional general liability policy could provide coverage for a cyber breach, a result likely not anticipated by the insurance carrier, nor possibly by the insured. The second case involves injury and death, allegedly caused by a hospital’s inability to use monitoring equipment during a birth because the equipment was inoperable due to a ransomware attack, that likely would be covered under a traditional medical malpractice policy despite the fact that it was a cyber attack that gave rise to the claim for injury and medical negligence.

On March 25, 2022, the United States and the European Union announced they agreed in principle to a new data privacy framework for cross-border data transfers. Although specific details of this new data privacy framework have not yet been provided, the new framework is meant to replace the former EU-U.S. Privacy Shield (the “Privacy Shield”), an arrangement that allowed companies to transfer the personal data of European data subjects to the United States. The Privacy Shield was invalidated in July of 2020 by the Court of Justice of the European Union on the basis that the Privacy Shield did not protect European data from U.S. surveillance.

This is a follow-up to the June 23, 2021 Litigation Trends Analysis Alert, “How the IWCA Impacts BIPA Claims.” As noted there, the question before the Supreme Court of Illinois in McDonald was whether claims of injury under the Illinois Biometric Information Privacy Act (BIPA) fall under the scope of the Illinois Workers’ Compensation Act (IWCA). The Court ruled last month that the BIPA is not preempted by the IWCA.

Last week, the New York Attorney General’s office offered guidance regarding credential stuffing, a common and costly attack on businesses and consumers, in which threat actors repeatedly attempt to log in to online accounts using usernames and passwords stolen from other online services.  Credential stuffing takes advantage of three aspects of the online ecosystem:  (1) most online accounts utilize usernames and passwords; (2) a steady flow of data breaches has resulted in billions of stolen credentials being leaked onto the dark web for other threat actors to exploit; and (3) consumers tend to reuse the same passwords across multiple online services. 

Corporate policyholders, insurers and courts continue to grapple with the question of whether traditional “non-cyber” business insurance policies provide coverage for losses from cyberattacks.  The most recent decision addressing this “silent cyber” issue came last month in EMOI Services, LLC v. Owners Insurance Company, 2021 -Ohio- 3942, 2021 WL 5144828 (Ohio App. 2 Dist., Nov. 5, 2021).  In EMOI Services, an Ohio Court of Appeals panel reversed a trial court’s grant of summary judgment in favor of an insurer that found no coverage for a ransomware attack under a property insurance policy.   

Last week, the Federal Bureau of Investigation issued a private industry notification warning that “ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.” The FBI cautioned that ransomware attackers research publicly available information and target companies involved in significant, time-sensitive financial dealings such as M&A and other transactions. This initial reconnaissance, according to the FBI, is later followed by a ransomware attack and a subsequent threat that unless the victim pays the ransom, the attackers will disclose the information publicly, causing potential investor backlash and affecting the victim’s stock value.

The Federal Trade Commission recently announced a newly updated rule concerning the data security safeguards required for financial institutions to protect their customers’ financial information. The FTC’s updated Safeguards Rule, which originally was mandated by Congress under the 1999 Gramm-Leach-Bliley Act, requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. The new rule more closely aligns with the NY Department of Financial Services Cybersecurity Regulation.

October is National Cybersecurity Awareness month, and the Department of Justice has chosen this month to roll out a new “Civil Cyber-Fraud Initiative.” The announced purpose of the Initiative is to actively pursue cybersecurity-related fraud claims by government contractors and grant recipients. 

A bipartisan bill was introduced on October 5, 2021, in the Michigan Senate to amend the Michigan Identity Theft Protection Act (the “Act”). The bill, linked below, would create an affirmative defense to tort claims arising out of a security breach. 

On September 21, 2021, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an updated ransomware advisory (the “2021 Guidance”), which supersedes its 2020 ransomware guidance (the “2020 Guidance”), discussed in a previous post on this blog. 

In the 2021 Guidance, OFAC notes that ransomware payment demands have escalated during the COVID-19 pandemic as U.S. businesses maintain significant online and internet-connected activities.  OFAC identifies a 21 percent increase in ransomware attacks and a 225 percent increase in ransomware losses as reported by the Federal Bureau of Investigation (FBI).  The  pandemic has presented numerous opportunities for cyber actors to target system vulnerabilities, particularly smaller businesses and municipal entities with limited resources for cybersecurity investments as well as entities supporting critical infrastructure, such as hospitals, that are likely to make quick payments to avoid service disruptions to patients. 

Post authored by Mahja D. Zeon, an Associate in Honigman's Detroit office and Lauren Legner, a 2021 Summer Associate in the firm's Detroit office.

Employers have a right, and in some industries, even a requirement, to implement vaccine-related policies to promote workplace safety, but they must be mindful of the privacy implications.  There are several competing concerns to weigh when deciding whether to implement vaccine-related policies. On the one hand, data regarding employee vaccination status may play an essential role in keeping the workplace safe from COVID-19 outbreaks. On the other hand, collecting and using such data implicates individual privacy and data security concerns. Should an employer choose to collect vaccine-related data, it must take the appropriate steps to keep this information safe. Here are three ways employers can implement vaccine-related, data-safe policies:

On the heels of Virginia’s Consumer Data Protection Act, Colorado recently passed its own comprehensive consumer privacy law. On July 8, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”). The CPA takes effect on July 1, 2023.

Business transactions, management changes or investments involving non-U.S. companies or individuals receiving control or information rights to U.S. companies are subject to review by the U.S. government for national security purposes. There is a particular concern if any sensitive individual or government data is held by the U.S. company.  U.S. companies holding sensitive data should consider whether their business may be subject to CFIUS review prior to entering any investment or engaging in M&A activities.  

Michigan state courts have new privacy protections in court rules that become effective July 1, 2021 (links to the implementing orders are included below) after implementation was previously delayed.  Under revised Michigan Court Rule (“MCR”) 1.109 and 8.119, parties are no longer able to file papers – including pleadings, motions, and briefs – or attachments containing specified types of personally identifying information (PII) such as date of birth, financial account numbers, driver’s license numbers, state-issued personal identification card numbers, or passport numbers.  The existing prohibition on filing more than the last four digits of a social security number remains in force.  The revised MCR 1.109 calls for parties and their attorneys to redact any PII and to prepare a separate form listing the un-redacted information and reference codes to be used in the public document.  That separate form is considered a nonpublic document and is available only to the court, the parties, and other specified persons.  Anyone obtaining a copy of a publicly filed document will receive only the redacted copy and not the separate form.

The Illinois Biometric Information Privacy Act (BIPA) is a law concerning the protection of biometric data. The BIPA requires companies collecting biometric information to establish a policy and obtain a written release from its employees prior to collecting and using this information. The BIPA is the only statute of its kind with a private right of action. Under the BIPA, individuals may sue for violations and recover monetary damages. 

Today, the European Commission (“EC”) adopted new standard contractual clauses (“SCCs”) reflecting new requirements under the European Union’s General Data Protection Regulation (“GDPR”).  The SCCs are intended to provide standardized templates for companies to utilize to comply with the GDPR’s data protection requirements. 

As cybersecurity incidents increase in frequency and scope, cyber insurance policies are an important tool for companies to mitigate loss from such incidents.  Recent surveys of small and medium businesses reveal, however, that many respondents do not carry cyber insurance.[1] And for those that do, the cost of such coverage is rising.  For companies considering purchasing or renewing a cyber policy in light of new or increasing risk, this article provides a brief primer on the types of coverages that cyber policies offer, potential add-ons to coverage, common conditions and exclusions, and other cyber insurance-related questions. 

In late 2020, a sophisticated adversary used the SolarWinds Orion Platform to plant covert backdoors in the networks of thousands of companies and government agencies.  The attack confirms the importance of vigorous third-party risk management.  Last month, the New York State Department of Financial Services (“NYDFS”) issued a report on the SolarWinds attack and provided the following steps that companies can take to reduce supply chain risk:  

New York And Maryland Propose BIPA-Like Biometric Privacy Bills
New York Assembly Bill 27—introduced on January 6, 2021—seeks to amend the New York general business law in relation to biometric privacy.  Similarly, Maryland House Bill 218—introduced on January 13, 2021—proposes biometric privacy regulations on private entities in Maryland.

Yesterday, the U.S. Supreme Court, in AMG Capital Management, LLC v. FTC, sharply curtailed the ability of the Federal Trade Commission to obtain restitution and disgorgement in enforcement actions. In a 9-0 decision, the court found that Section 13(b) of the FTC Act, which authorizes the FTC to seek permanent injunctions in federal court, did not also authorize the Commission to obtain court-ordered monetary relief. 

The Michigan Court of Appeals issued a recent opinion in Long Lake Township v. Maxon, considering the question of whether a private landowner had a reasonable expectation of privacy that would preclude the government from flying a drone over their property.  The Court concluded that there was an expectation of privacy, and distinguished expectations of privacy from drones from those expected of plane or helicopter surveillance.  (A dissent argues that U.S. Supreme Court precedent on the Fourth Amendment mandated the opposite result.)

With the passage of the Cybersecurity Affirmative Defense Act, Utah became the second state – after Ohio’s Data Protection Act in 2018 – to create an affirmative defense to certain causes of action stemming from a data breach.  The law provides an affirmative defense under Utah law and in Utah courts to certain tort claims arising out of a data breach if the company demonstrates that it created, maintained, and reasonably complied with a written cybersecurity program.  

With Governor Ralph Northam’s signature yesterday, the Consumer Data Protection Act (“CDPA”) became law, making Virginia the second state after California to enact a comprehensive privacy law (with apologies to Nevada, which also has passed more modest privacy legislation). Although similar in many respects to the California Consumer Privacy Act (“CCPA”), which was recently updated by the Consumer Privacy Rights Act (“CPRA”), the law contains terminology more consistent with the European Union’s General Data Protection Regulation (“GDPR”). 

On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit issued its opinion vacating the $4.3 million penalty that the U.S. Department of Health and Human Services (“HHS”) had levied against the University of Texas M.D. Anderson Cancer Center (“M.D. Anderson”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”).  Eye-popping penalty amounts for HIPAA and HITECH Act violations have picked up steam in recent years. However, the M.D. Anderson case is among the first such settlement to be litigated. The Fifth Circuit decision contains some critical takeaways as to key requirements under HIPAA and the enforcement actions available to HHS, and should be of particular interest to healthcare providers and also insurers writing cybersecurity policies.

In Tsao v. Captiva MVP Restaurant Partners, LLC, the Eleventh Circuit joined the federal appellate courts holding that a consumer’s exposure to a substantial risk of future identity theft, and efforts to mitigate the risk of future identity theft, are not sufficient to confer Article III standing. The decision highlights federal court’s struggle with the standing requirements in a data breach case, and possibly raises the likelihood that the U.S. Supreme Court will address the issue.

Over the last few weeks, the federal government has issued a number of trade sanctions and restrictions targeting the People’s Republic of China.  These include prohibitions on investments in certain companies deemed to be Chinese military companies, and further restrictions on any business relationships with an entity connected to Huawei.  This article discusses certain new restrictions with significant data, privacy and cybersecurity implications.

Given the speculation and concern over ransomware attacks impacting the 2020 U.S. election, the recent spate of private companies falling victim to such attacks, and the October 1, 2020 advisory issued by the Department of Treasury (“Advisory”), it is no surprise that ransomware is trending in cybersecurity.

On September 23, 2020, Representatives Bob Latta (R-Ohio) and Greg Walden (R-Ore.) re-introduced the “Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution Act’’ or the ‘‘SELF DRIVE Act” to create a federal framework for autonomous vehicles (“AVs”).  The measure lacks bipartisan support and is not expected to reach the floor of the House of Representatives during this session.  But the continued effort demonstrates the importance that many lawmakers put on promoting a U.S.-led effort in the development of self-driving vehicles.  The matter likely will be among the key transportation themes before the next session of Congress, which convenes in January.  On the Senate side, policymakers have not advanced autonomous vehicle bills.  In the previous congressional session, an autonomous vehicle policy measure advanced in the House but came up short in the Senate.

In response to the Court of Justice of the European Union’s (CJEU) recent Schrems II decision that, among other things, invalidated the Privacy Shield Framework (previously covered in The Matrix), various agencies of the US Government co-published a White Paper providing background on US intelligence agencies’ data collection activities and limitations thereon. Although the White Paper is intended to “assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the [CJEU’s] ruling,” the agencies stressed that it “is not intended to provide companies with guidance on EU law or what positions to take before EU regulators or courts.”

Undeterred by previous failed attempts to bolster Washington state laws protecting individual privacy, earlier this month Washington State Senator Reuven Carlyle announced on his Twitter account that the draft Washington Privacy Act 2021 (the “Bill”) is available for public comment. This is the State of Washington’s most recent attempt to strengthen protections for consumer privacy, following the lead of California and the California Consumer Protection Act (“CCPA”).

While the Bill contains many similarities to the State of Washington’s previous attempts, included with the Bill are new provisions related to contact tracing aimed to “instill public confidence on the processing and use of their personal and public health data during any global pandemic[.]” These new provisions apply protections related to the processing of certain “covered data” for the purposes of “detecting symptoms of an infectious disease, enabling the tracking of an individual's contacts with other individuals, or with specific locations to identify in an automated fashion whom individuals have come into contact with, or digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease, or other similar purposes directly related to a state of emergency declared by the governor[.]” The covered data subject to the new protections includes “personal data and one or more of the following: specific geolocation data, proximity data, or personal health data.”

While the new Bill presents the opportunity for the State of Washington to fill the gap created by the absence of comprehensive federal protection, the Bill still lacks a private right of action, which was one of the primary reasons for predecessor bill’s failure to pass. You can access the entire Bill here or view an overview, with helpful comparisons to the CCPA and the predecessor bill, here.

A number of U.S. federal agencies have authority to issue a type of administrative subpoena called a Civil Investigative Demand (“CID”) to obtain relevant information as part of an investigation. For example, both the Federal Trade Commission (“FTC”) and the Consumer Financial Protection Bureau (“CFPB”) have authority to issue CIDs to obtain documents and testimony in investigations related to privacy, data security, deceptive marketing, and financial fraud. This article identifies some items to consider when receiving a CIDs based on my experience issuing and reviewing hundreds of CIDs as an enforcement attorney in the Chicago office of the FTC.

What Happened?
On July 16th, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield framework (one of the three primary mechanisms that permit the lawful transfer of personal data to the U.S. from the EU), finding that U.S. personal data protections are not satisfactory so as to be “essentially equivalent to those required under EU law.”

The Illinois Biometric Information Privacy Act (BIPA) is the only biometric privacy statute in the country with a private right of action. In the last two years, litigation under BIPA has dominated privacy law headlines. There are hundreds of BIPA class action lawsuits pending in Illinois state and federal courts, with new filings each week.

Last month, the Seventh Circuit issued a highly anticipated ruling concerning Article III standing for claims brought under the Illinois Biometric Information Privacy Act (BIPA).

As schools increasingly are adjusting to remote learning and utilizing education technology (“ed tech”) services, both schools and their ed tech service providers need to consider the appropriate collection and usage of student personal information.  Here are some tips for protecting students’ privacy and safeguarding personal data:

New York’s Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) took effect on March 21, 2020.  The Act expands existing state breach notification requirements and imposes specific data security protections for covered businesses that own or license the private information of New York residents, regardless of whether those businesses are based in New York. The Act also broadens the definition of “private information” to include new types and combinations of data.

On March 31, 2020, Washington Senate Bill No. 6280 (the “Act”) became law, codifying one of the most detailed facial recognition regulations in the country. The Act regulates state and local government agencies in Washington using or intending to develop, procure, or use a facial recognition service but also includes important considerations for companies designing this technology.

Under extraordinary circumstances, businesses are quickly adapting to remote work on a large scale. In doing so, companies should promote best practices to protect sensitive data. Below are some techniques that your company can employ to help ensure that sensitive personal or company information stays safe: