The Matrix

Last week, the Consumer Financial Protection Bureau (“CFPB”) took a significant step forward in enhancing consumer control over private financial data when it launched a rulemaking process under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act (“Section 1033”). Section 1033 requires the CFPB to implement a rule to allow consumers to access their financial information. Currently, there is no duty under Section 1033 to maintain or keep any information about a consumer. The CFPB has yet to adopt a rule relating to data access, despite its authority to do so.

On October 12, 2022, a jury returned a verdict against the defendant, BNSF Railway Company (“BNSF”), in the first trial in a class action asserting claims under the Illinois Biometric Information Privacy Act (“BIPA”). Shortly thereafter, the Court entered a staggering judgment against BNSF in the amount of $228 million. To the extent that companies operating in Illinois have not already recognized the significant impact of BIPA, they should be paying attention now. While the case seemingly addressed a number of issues that companies have been grappling with in considering the implications of this law, many important questions about BIPA’s reach still persist.

The DOJ recently published guidance regarding website accessibility under the Americans with Disabilities Act (ADA). This guidance reiterated the DOJ’s longstanding position that websites of businesses open to the public (defined as “places of public accommodations” under Title III of the ADA) are required to be accessible to people with disabilities and provided some non-binding indicators of what it means for a website to be accessible. 

On September 15, 2022, President Biden issued the first Presidential Directive to refine the scope of the Committee for Foreign Investment in the United States (“CFIUS”) following the 2018 Foreign Investment Risk Review Modernization Act of 2018.  CFIUS is empowered to review business transactions that result in a foreign person having ownership or control rights over U.S. companies.  While CFIUS review is a largely voluntary process, it is mandatory when foreign owners or investors may be tied to foreign governments or when a target business is involved with certain critical U.S. technologies.  CFIUS may, as a result of its review, take remedial steps to address national security concerns imposed by the transaction, such as imposing mitigation agreements or third-party monitors.  CFIUS may also refer the transaction for Presidential review. Ultimately, CFIUS can unwind a business transaction – even years after the closing. 

On August 11th, the Federal Trade Commission kicked off of its long-awaited privacy rulemaking by releasing an Advanced Notice of Proposed Rulemaking (ANPR).  The ANPR is the beginning of what likely will be a lengthy process conducted pursuant to the FTC’s Magnuson-Moss rulemaking authority.  The ANPR is extremely broad, raising 95 questions directed at nearly every type of data collection.  Notably, in promulgating a rule, the FTC must demonstrate that each practice regulated is either deceptive or unfair and is prevalent in the market.

As part of a larger trend of legal developments with respect to cybersecurity throughout the United States, the SEC recently proposed certain rules intended to increase and standardize a public company’s reporting and disclosure requirements regarding cybersecurity incidents and risk management (the “Proposed Rules”). Generally, the Proposed Rules require the disclosure of information related to a company’s: (i) material cybersecurity incidents; (ii) cybersecurity risk management and strategy; (iii) cybersecurity governance; and (iv) board member and management cybersecurity expertise. Specifically, and as more fully set forth in the discussion below, the Proposed Rules seek to amend Forms 6-K, 8-K, 10-K, 10-Q, 20-F, and Items 106 and 407 of Regulation S-K. Below, we have provided a brief summary of each of the Proposed Rules and the impact the reporting and disclosure requirements under such Rules would have on a public company.

As 2023 approaches, organizations must again address new and modified laws governing Data Subject Requests (DSRs). Of course, the rollout of additional privacy regulations has become almost routine. But as the growing number of jurisdictions empower individuals with the right to opt out of more types of processing and access, rectify, or delete personal data, the legal and operational challenges of these laws continue to accelerate. Organizations – especially those with lean privacy and legal ops functions – will need to be strategic in addressing the expanding regulatory burden.

With that in mind, we offer a few issues to address as you map out your next steps when it comes to DSRs.

The FTC issued a policy statement yesterday notifying education technology companies that the agency is committed to ensuring that ed tech tools comply with the Children’s Online Privacy Protection Act (“COPPA”).  COPPA requires that websites or services covered under COPPA obtain a parent’s – or in some cases, a school’s – consent before collecting personal information from children under 13.  COPPA also limits how long companies may keep children’s personal information and requires that companies properly safeguard information.  The policy statement signals that the FTC will be scrutinizing COPPA compliance by providers of ed tech and other covered online services. 

On March 24, 2022, Utah joined California, Virginia and Colorado to become the fourth state to enact a comprehensive consumer privacy law. The Utah Consumer Privacy Act (the “UCPA”) has similarities to the existing privacy laws enacted by California (the “CCPA”), Virginia (the “VCDPA”) and Colorado (the “CPA”). Certain aspects of the UCPA’s approach, however, are distinct from those other privacy laws. Generally, the UCPA applies to a more narrow scope of businesses, and more categories of data fall outside of the UCPA’s definition of “personal data” -- thereby imposing less of a burden on businesses. Below we’ve provided a high-level summary of the UCPA’s general requirements and certain of its differences and similarities to consumer privacy laws enacted by other states.

The increase in cyber breaches and hacks has resulted in litigation, some involving policy interpretation, and some involving new theories of liability. The two cases described below are illustrations of the types of issues that businesses, insureds and insurers continue to face as result of cyber liability. In the first case, the court found that a traditional general liability policy could provide coverage for a cyber breach, a result likely not anticipated by the insurance carrier, nor possibly by the insured. The second case involves injury and death, allegedly caused by a hospital’s inability to use monitoring equipment during a birth because the equipment was inoperable due to a ransomware attack, that likely would be covered under a traditional medical malpractice policy despite the fact that it was a cyber attack that gave rise to the claim for injury and medical negligence.