- Recent DOJ ADA Web Accessibility Guidance Creates Compliance Questions, not Answers
- New Presidential Directive for Foreign Investment Reviews of U.S. Technology and Data Companies
- FTC Launches “Commercial Surveillance and Data Security” Rulemaking
- Cybersecurity Disclosures Required by the SEC’s Recently Proposed Rules
- The Future is Now: Data Subject Requests in 2023
- FTC Scrutinizes Children’s Privacy Issues Involving Education Technology
- Utah Becomes the Fourth State to Enact a Comprehensive Privacy Law
- Courts Requiring General and Professional Liabilities Policies to Respond to Cyberattacks
- The US and EU Announce a New Trans-Atlantic Data Privacy Framework
- BIPA Claims Following the McDonald Decision
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
The DOJ recently published guidance regarding website accessibility under the Americans with Disabilities Act (ADA). This guidance reiterated the DOJ’s longstanding position that websites of businesses open to the public (defined as “places of public accommodation” under Title III of the ADA) must be accessible to people with disabilities, and it provided some non-binding indicators of what it means for a website to be accessible.
On September 15, 2022, President Biden issued the first Presidential Directive to refine the scope of the Committee on Foreign Investment in the United States (“CFIUS”) following the Foreign Investment Risk Review Modernization Act of 2018. CFIUS is empowered to review business transactions that result in a foreign person having ownership or control rights over U.S. companies. While CFIUS review is a largely voluntary process, it is mandatory when foreign owners or investors may be tied to foreign governments or when a target business is involved with certain critical U.S. technologies. CFIUS may, as a result of its review, take remedial steps to address national security concerns raised by the transaction, such as imposing mitigation agreements or third-party monitors. CFIUS may also refer the transaction for Presidential review. Ultimately, CFIUS can unwind a business transaction – even years after the closing.
On August 11th, the Federal Trade Commission kicked off its long-awaited privacy rulemaking by releasing an Advance Notice of Proposed Rulemaking (ANPR). The ANPR is the beginning of what will likely be a lengthy process conducted pursuant to the FTC’s Magnuson-Moss rulemaking authority. The ANPR is extremely broad, raising 95 questions directed at nearly every type of data collection. Notably, in promulgating a rule, the FTC must demonstrate that each practice regulated is either deceptive or unfair and is prevalent in the market.
As part of a larger trend of legal developments with respect to cybersecurity throughout the United States, the SEC recently proposed certain rules intended to increase and standardize a public company’s reporting and disclosure requirements regarding cybersecurity incidents and risk management (the “Proposed Rules”). Generally, the Proposed Rules require the disclosure of information related to a company’s: (i) material cybersecurity incidents; (ii) cybersecurity risk management and strategy; (iii) cybersecurity governance; and (iv) board member and management cybersecurity expertise. Specifically, and as more fully set forth in the discussion below, the Proposed Rules seek to amend Forms 6-K, 8-K, 10-K, 10-Q, 20-F, and Items 106 and 407 of Regulation S-K. Below, we have provided a brief summary of each of the Proposed Rules and the impact the reporting and disclosure requirements under such Rules would have on a public company.
As 2023 approaches, organizations must again address new and modified laws governing Data Subject Requests (DSRs). Of course, the rollout of additional privacy regulations has become almost routine. But as the growing number of jurisdictions empower individuals with the right to opt out of more types of processing and access, rectify, or delete personal data, the legal and operational challenges of these laws continue to accelerate. Organizations – especially those with lean privacy and legal ops functions – will need to be strategic in addressing the expanding regulatory burden.
With that in mind, we offer a few issues to address as you map out your next steps when it comes to DSRs.
The FTC issued a policy statement yesterday notifying education technology companies that the agency is committed to ensuring that ed tech tools comply with the Children’s Online Privacy Protection Act (“COPPA”). COPPA requires that websites or services covered under COPPA obtain a parent’s – or in some cases, a school’s – consent before collecting personal information from children under 13. COPPA also limits how long companies may keep children’s personal information and requires that companies properly safeguard information. The policy statement signals that the FTC will be scrutinizing COPPA compliance by providers of ed tech and other covered online services.
On March 24, 2022, Utah joined California, Virginia and Colorado to become the fourth state to enact a comprehensive consumer privacy law. The Utah Consumer Privacy Act (the “UCPA”) has similarities to the existing privacy laws enacted by California (the “CCPA”), Virginia (the “VCDPA”) and Colorado (the “CPA”). Certain aspects of the UCPA’s approach, however, are distinct from those other privacy laws. Generally, the UCPA applies to a narrower scope of businesses, and more categories of data fall outside of the UCPA’s definition of “personal data,” thereby imposing less of a burden on businesses. Below we’ve provided a high-level summary of the UCPA’s general requirements and certain of its differences from, and similarities to, consumer privacy laws enacted by other states.
The increase in cyber breaches and hacks has resulted in litigation, some involving policy interpretation and some involving new theories of liability. The two cases described below illustrate the types of issues that businesses, insureds and insurers continue to face as a result of cyber liability. In the first case, the court found that a traditional general liability policy could provide coverage for a cyber breach, a result likely not anticipated by the insurance carrier, nor possibly by the insured. The second case involves injury and death allegedly caused by a hospital’s inability to use monitoring equipment during a birth because the equipment was inoperable due to a ransomware attack. That claim likely would be covered under a traditional medical malpractice policy, despite the fact that it was a cyber attack that gave rise to the claim for injury and medical negligence.
On March 25, 2022, the United States and the European Union announced they agreed in principle to a new data privacy framework for cross-border data transfers. Although specific details of this new data privacy framework have not yet been provided, the new framework is meant to replace the former EU-U.S. Privacy Shield (the “Privacy Shield”), an arrangement that allowed companies to transfer the personal data of European data subjects to the United States. The Privacy Shield was invalidated in July of 2020 by the Court of Justice of the European Union on the basis that the Privacy Shield did not protect European data from U.S. surveillance.
This is a follow-up to the June 23, 2021 Litigation Trends Analysis Alert, “How the IWCA Impacts BIPA Claims.” As noted there, the question before the Supreme Court of Illinois in McDonald was whether claims of injury under the Illinois Biometric Information Privacy Act (BIPA) fall under the scope of the Illinois Workers’ Compensation Act (IWCA). The Court ruled last month that the BIPA is not preempted by the IWCA.