Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Posts in FTC.

Privacy and data security laws and regulations continue to evolve quickly, and companies processing personal data have an increasing array of issues to manage. As we enter 2024, below are five key considerations for companies managing privacy and data security risks.

Data breaches in the healthcare industry are a costly and legally evolving issue. The sophistication of threat actors and their ability to navigate IT systems using constantly changing tactics has made it difficult to predict and, in some cases, respond to a breach. The recent aggressive enforcement by the Federal Trade Commission (the “FTC”) of its Health Breach Notification Rule (the “HBNR”), as well as its proposed changes to the HBNR, have expanded the factors companies must consider when analyzing and responding to potential breaches of health data.

On November 22, 2023, the Federal Communications Commission issued a proposed rule that likely will considerably alter the online lead generation industry, including the use of comparison shopping websites. The proposed rule addresses a number of areas, but, notably, the rule would require texters and callers using certain regulated technologies to obtain prior express written consent from a single seller at a time to comply with the Telephone Consumer Protection Act (“TCPA”). The FCC is expected to pass the rule during its December 13, 2023 meeting. 

Topics: FCC, FTC, Marketing, TCPA

Last week, the FTC amended its Gramm-Leach-Bliley Safeguards Rule, supplementing the additions to the rule that it announced in 2021 and that have been in effect since June 2023. The recent amendment will require nonbank financial institutions to notify the FTC when there is an unauthorized acquisition of unencrypted customer information involving 500 or more consumers. This notification requirement, which is scheduled to go into effect in May 2024, adds to the growing list of notifications that a company must consider after a data incident, including the SEC’s recently enacted rules requiring registrants to disclose material cybersecurity incidents.

Topics: Data Breach, FTC, GLB

Last week, the FTC and HHS’ Office for Civil Rights (OCR) sent a joint letter to approximately 130 hospitals and telehealth providers concerning the privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps.  The agencies assert that these tracking technologies – such as the Meta/Facebook pixel and Google Analytics – gather identifiable information about users when they interact with a website or mobile app, often without users’ knowledge and in ways that are hard for users to avoid.

Topics: FTC, HIPAA

Since the arrival of AI programs like OpenAI’s ChatGPT, Google’s Bard, and other similar technologies (“Generative AI”) in late 2022, more programs have been introduced and several existing programs have been upgraded or enhanced, including ChatGPT’s upgrade to ChatGPT-4. Our previous posts have identified the features and functionality of Generative AI programs and outlined the emerging regulatory compliance requirements related to such programs. This post discusses how regulatory agencies worldwide have begun to address these issues.

On February 17, 2023, the FTC brought its first civil enforcement action under the Telemarketing Sales Rule, 16 C.F.R. Part 310 (“TSR”), in nearly one year.  In U.S. v. Stratics Networks Inc., et al., which was filed in the U.S. District Court for the Southern District of California, the FTC seeks to stop a group of companies and individuals that it claims are “responsible for delivering tens of millions of unwanted Voice Over Internet Protocol (VoIP) and ringless voicemail (RVM) phony debt service robocalls to consumers nationwide.”  Because the FTC is seeking civil penalties, the Complaint was filed by the Department of Justice on behalf of the FTC.

On August 11th, the Federal Trade Commission kicked off its long-awaited privacy rulemaking by releasing an Advance Notice of Proposed Rulemaking (ANPR). The ANPR is the beginning of what likely will be a lengthy process conducted pursuant to the FTC’s Magnuson-Moss rulemaking authority. The ANPR is extremely broad, raising 95 questions directed at nearly every type of data collection. Notably, in promulgating a rule, the FTC must demonstrate that each practice regulated is either deceptive or unfair and is prevalent in the market.

Topics: FTC

The Federal Trade Commission recently announced a newly updated rule concerning the data security safeguards required for financial institutions to protect their customers’ financial information. The FTC’s updated Safeguards Rule, which originally was mandated by Congress under the 1999 Gramm-Leach-Bliley Act, requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. The new rule more closely aligns with the NY Department of Financial Services Cybersecurity Regulation.

Topics: FTC, GLB

Yesterday, the U.S. Supreme Court, in AMG Capital Management, LLC v. FTC, sharply curtailed the ability of the Federal Trade Commission to obtain restitution and disgorgement in enforcement actions. In a 9-0 decision, the court found that Section 13(b) of the FTC Act, which authorizes the FTC to seek permanent injunctions in federal court, did not also authorize the Commission to obtain court-ordered monetary relief. 

Topics: Courts, FTC

A number of U.S. federal agencies have authority to issue a type of administrative subpoena called a Civil Investigative Demand (“CID”) to obtain relevant information as part of an investigation. For example, both the Federal Trade Commission (“FTC”) and the Consumer Financial Protection Bureau (“CFPB”) have authority to issue CIDs to obtain documents and testimony in investigations related to privacy, data security, deceptive marketing, and financial fraud. This article identifies some items to consider when receiving a CID based on my experience issuing and reviewing hundreds of CIDs as an enforcement attorney in the Chicago office of the FTC.

Topics: CFPB, FTC