
InfoBytes Blog

Financial Services Law Insights and Observations


  • Iowa becomes sixth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 28, the Iowa governor signed SF 262, establishing a framework for controlling and processing consumers’ personal data in the state. Iowa is now the sixth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, and Utah (covered by Special Alerts here and here and InfoBytes here, here, and here).

    • Consumer rights. Iowa consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their personal data processed by a controller (“except as to personal data that is defined as personal information pursuant to section 715C.1 that is subject to security breach protection”); and (iv) opt out of the sale of their data.
    • Controller responsibilities. The Act requires controllers—the persons that determine the purpose and means of processing personal data—to respond to consumers’ requests free of charge within 90 days (the response period may be extended an additional 45 days under extenuating circumstances). A controller must also inform a consumer, without undue delay, of its justification should it decline to take action regarding the consumer’s request, and provide instructions for appealing the decision. Controllers are also required to implement reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data, and must not process collected sensitive data without notifying the consumer and allowing for the opportunity to opt out of such processing (or in the case of data involving a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act). Controllers may not violate state and federal laws that prohibit discriminatory practices when processing personal data and may not discriminate against a consumer for exercising any of the provided consumer rights. Contracts that purport to waive or limit consumer rights shall be deemed void and unenforceable.
    • Disclosures. Controllers are required to provide consumers “a reasonably accessible, clear, and meaningful privacy notice” that outlines the categories of personal data to be processed, the purpose for processing the data, and how consumers may submit requests to exercise their personal rights (a controller may not require a consumer to create a new account to exercise consumer rights). The privacy notice must also outline the categories of data that may be shared with third parties, as well as the categories of applicable third parties, and clearly disclose when personal data is being sold or used in targeted advertising to allow a consumer the right to opt out of such activity.
    • Processor duties. Processors shall help controllers fulfill their obligations under the Act. A contract established between a controller and a processor will “govern the processor’s data processing procedures with respect to processing performed on behalf of the controller,” and must “clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.”
    • Exemptions and limitations. The Act also outlines various processing exemptions, including those related to pseudonymous data, and addresses certain actions that a controller or processor is able to take with respect to complying with federal, state, or local laws, investigations, or law enforcement agency inquiries, among others. The Act also limits the collection of personal data to what is adequate, relevant and necessary in relation to the purposes for which such data is processed, and requires controllers to implement data security protection practices.
    • Enforcement. Although the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 90 days to cure the alleged violation before the attorney general can file suit. Should the controller or processor continue to violate the Act, the attorney general may seek an injunction and civil penalties of up to $7,500 for each violation.

    The Act takes effect January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Iowa Consumer Protection

  • California OAL approves CCPA regulations

    Privacy, Cyber Risk & Data Security

    On March 30, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) approved the agency’s first substantive rulemaking package for implementing the California Consumer Privacy Act (CCPA). The approved regulations are effective immediately. The CPPA noted that the approved regulations update existing CCPA regulations to harmonize them with amendments adopted under the California Privacy Rights Act (CPRA), which was approved by ballot measure in November 2020 to amend and build on the CCPA. In February, the CPPA voted unanimously to adopt and approve the regulations, which have not been substantively changed since the CPPA voted on modifications last year (covered by InfoBytes here). The final regulations and supporting materials are now available on the CPPA’s website.

    The CPPA has already begun additional rulemaking. The agency issued a preliminary request for comments on cybersecurity audits, risk assessments, and automated decision-making to inform future rulemaking in February. Comments were due at the end of March.

    Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance State Issues State Regulators California CPRA CPPA CCPA

  • Law firm settles breach claims related to health care data

    Privacy, Cyber Risk & Data Security

    On March 27, the New York attorney general announced a settlement with a law firm to resolve claims that it allegedly failed to protect individuals’ personal and health care data. According to the announcement, an attacker was able to exploit a vulnerability in the law firm’s email server and gained access to the sensitive private information, including names, dates of birth, social security numbers, and/or health data, of nearly 115,000 individuals, including more than 60,000 New Yorkers. According to the AG, the law firm’s data security failures not only violated state law, but also violated HIPAA requirements relating to the adherence to certain advanced data security practices. The law firm, which represents New York City area hospitals and maintains patients’ sensitive private information, is required to adopt several measures required by HIPAA, including conducting regular system risk assessments, encrypting private information housed on its servers, and adopting appropriate data minimization practices—all of which it failed to do prior to the breach.

    Under the terms of the assurance of discontinuance, the law firm is required to pay $200,000 in penalties to the state and strengthen its cybersecurity measures. Required actions include encrypting private information, monitoring and logging network activity, establishing a reasonable patch management policy, developing a penetration testing program, updating its data collection and retention practices, and permanently deleting data “when there is no reasonable business or legal purpose to retain it.”

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Data Breach New York

  • Utah amends disclosure requirements for data breaches

    Privacy, Cyber Risk & Data Security

    On March 23, the Utah governor signed SB 127, which, among other things, imposes additional disclosure requirements for system security breaches and creates the Utah Cyber Center. For example, it mandates additional notice requirements to the office of the Utah attorney general (AG) and the Utah Cyber Center where an investigation “reveals that the misuse of personal information relating to 500 or more Utah residents, for identity theft or fraud purposes, has occurred or is reasonably likely to occur.” If the investigation reveals the misuse of personal information relating to 1,000 or more Utah residents, the notification must also be sent “to each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis.”

    The Utah Cyber Center will be responsible for, among other things, developing a statewide strategic cybersecurity plan for executive branches and other governmental agencies; identifying, analyzing, and mitigating cyber threats and vulnerabilities; coordinating cybersecurity resilience planning; providing cybersecurity incident response capabilities; developing incident response plans to coordinate federal, state, local, and private sector activities; and developing and promoting cybersecurity best practices.

    The amendments are effective 60 days following adjournment of the legislature.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Utah Data Breach Consumer Protection

  • FTC finalizes gaming company order on dark patterns

    Federal Issues

    On March 14, the FTC finalized an administrative order requiring a video game developer to pay $245 million in refunds to consumers allegedly tricked into making unwanted in-game purchases. As previously covered by InfoBytes, the FTC filed an administrative complaint claiming players were able to accumulate unauthorized charges without parental or card holder action or consent. The FTC alleged that the company used a variety of dark patterns, such as “counterintuitive, inconsistent, and confusing button configuration[s],” designed to get players of all ages to make unintended in-game purchases. These tactics caused players to pay hundreds of millions of dollars in unauthorized charges, the FTC said, adding that the company also charged account holders for purchases without authorization. Under the terms of the final decision and order, the company is required to pay $245 million in refunds to affected card holders. The company is also prohibited from charging players using dark patterns or without obtaining their affirmative consent. Additionally, the company is barred from blocking players from accessing their accounts should they dispute unauthorized charges.

    Separately, last month the U.S. District Court for the Eastern District of North Carolina entered a stipulated order against the company related to alleged violations of the Children’s Online Privacy Protection Act (COPPA). The FTC claimed the company failed to protect underage players’ privacy and collected personal information without first notifying parents or obtaining parents’ verifiable consent. Under the terms of the order, the company is required to ensure parents receive direct notice of its practices with regard to the collection, use or disclosure of players’ personal information, and must delete information previously collected in violation of COPPA’s parental notice and consent requirements unless it obtains parental consent to retain such data or the player claims to be 13 or older through a neutral age gate. Additionally, the company is required to implement a comprehensive privacy program to address the identified violations, maintain default privacy settings, obtain regular, independent audits, and pay a $275 million civil penalty (the largest amount ever imposed for a COPPA violation).

    Federal Issues FTC Enforcement Dark Patterns COPPA Privacy, Cyber Risk & Data Security FTC Act Unfair UDAP Consumer Finance

  • FTC asks how cloud computing affects competition and data security

    Federal Issues

    On March 22, the FTC announced it is seeking information on cloud computing providers’ business practices with respect to the potential impact on competition and data security. FTC staff noted that the agency is also interested in how cloud computing is impacting specific industries, including healthcare, finance, transportation, e-commerce, and defense. The request for information (RFI) solicits feedback on a range of issues, including (i) market power and competition (e.g. do particular segments of the economy have to rely on a small handful of cloud service providers); (ii) contract negotiation flexibility; (iii) incentives given to customers to ensure they obtain more of their cloud services from a single provider; (iv) security risks (e.g. what are the data security implications if particular segments of the economy rely on a small number of cloud service providers, and are these providers competing on their ability to provide secure storage for customer data); (v) products or services tied to artificial intelligence; and (vi) how cloud providers identify and notify customers of security risks related to security design, implementation, or configuration. Comments on the RFI are due May 22.

    Federal Issues FTC Cloud Computing Privacy, Cyber Risk & Data Security Competition

  • Colorado finalizes privacy rules

    Privacy, Cyber Risk & Data Security

    On March 15, the Colorado attorney general’s office finalized rules to implement and enforce the Colorado Privacy Act (CPA). The final rules, which went through three draft versions (covered by InfoBytes here), were filed with the Colorado Secretary of State following completion of a review by the attorney general’s office. (See redline version of the final rules showing changes made to address concerns raised through public comments here.) As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023 with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. In addition to promulgating rules to carry out the requirements of the CPA, the attorney general has authority to issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. Colorado is one of several states that have enacted comprehensive privacy laws that take effect in 2023, joining California, Connecticut, Utah, and Virginia. (Covered by InfoBytes here, here, here, and here.) The final rules will be published in the Colorado Register in March and will go into effect July 1.

    Privacy, Cyber Risk & Data Security State Issues Colorado State Regulators Colorado Privacy Act State Attorney General Agency Rule-Making & Guidance

  • SEC proposes new cybersecurity requirements

    Agency Rule-Making & Guidance

    On March 15, a divided SEC issued several proposed amendments to the agency’s cybersecurity-related rules.

    The first is a proposed rule that would implement cybersecurity requirements for participants in the securities market, including broker-dealers, clearing agencies, and major security-based swap participants, among others. (See also SEC press release and fact sheet.) Among other things, the proposed rule would require all market entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address cybersecurity risks. Market participants would also be required to review the design and effectiveness of their cybersecurity policies and procedures at least once a year, and immediately provide the SEC written electronic notice of a significant cybersecurity incident should the participant have a reasonable basis to conclude that the incident had occurred or is occurring. Certain market entities would also be required to make public disclosures addressing cybersecurity risks and significant cybersecurity incidents to improve transparency. The SEC explained that the “interconnectedness of [m]arket [e]ntities increases the risk that a significant cybersecurity incident can simultaneously impact multiple [m]arket [e]ntities causing systemic harm to the U.S. securities markets.”

    The second proposed rule would amend Regulation S-P to enhance the protection of customer information and provide a federal minimum standard for data breach notifications. Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to implement written policies and procedures for safeguarding customer records and information. The regulation also imposes requirements for proper disposal of consumer report information, implements privacy notice and opt-out provisions, and requires covered institutions to tell customers how their financial information is used. (See also SEC press release and fact sheet.) Under the proposed rule, covered institutions would be required to adopt an incident response program to address unauthorized access or use of customer information. Covered institutions would also be required to notify customers affected by certain types of data breaches that may expose them to identity theft or other harm by providing “notice as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” The proposed rule would also “extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions.” Modifications to provisions related to registered transfer agents are also proposed.

    Comments on both proposed rules are due 60 days after publication in the Federal Register.

    Additionally, the SEC announced it has reopened the comment period on proposed cybersecurity risk management rules and amendments for registered investment advisers and funds. Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. The proposed rules also laid out additional requirements relating to the disclosure of cybersecurity risks and significant cybersecurity incidents as well as filing and recordkeeping. (Covered by InfoBytes here.) The SEC reopened the comment period for an additional 60 days.

    In voting against the proposed rules, Commissioner Hester M. Peirce questioned, among other things, whether the amendments would create overlapping requirements for financial firms subject to state data breach laws that have customer notification provisions, some of which conflict with the SEC’s proposals. Commissioner Mark T. Uyeda also raised concerns as to how the three proposals interact with each other. He cautioned that the “lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance.”

    Agency Rule-Making & Guidance Securities Privacy, Cyber Risk & Data Security SEC Data Breach Consumer Protection

  • Software company to pay $3 million to SEC for misleading disclosures about ransomware attack

    Securities

    On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect donor bank account information or social security numbers. It was later revealed that the attacker had accessed and exfiltrated the unencrypted sensitive information. However, the SEC maintained that due to the company’s alleged failure to maintain disclosure controls and procedures, employees did not inform senior management responsible for public disclosures. As a result, the company’s quarterly report filed with the SEC allegedly omitted material information about the scope of the attack and “misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical,” the SEC said. The company did not admit or deny the SEC’s findings, but agreed to pay a $3 million civil penalty and said it would cease and desist from committing violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.

    Securities SEC Enforcement Privacy, Cyber Risk & Data Security Ransomware Securities Act Securities Exchange Act

  • Design firm to settle False Claims Act allegations related to cybersecurity failures

    Privacy, Cyber Risk & Data Security

    On March 14, the DOJ announced a $293,771 settlement with a design company to resolve alleged False Claims Act (FCA) violations related to failures in its cybersecurity practices. According to the DOJ, the company failed to secure personal information on a federally-funded Florida children’s health insurance website that was created, hosted, and maintained by the company. “Government contractors responsible for handling personal information must ensure that such information is appropriately protected,” Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division, said in the announcement. “We will use the [FCA] to hold accountable companies and their management when they knowingly fail to comply with their cybersecurity obligations and put sensitive information at risk.” In this case, the Florida entity (which receives federal Medicaid funds, as well as state funds to provide children’s health insurance programs) contracted with the design company for the provision of a hosting environment that complied with HIPAA’s personal information protection requirements. The company also agreed to adapt, modify, and create code on the webserver to support the secure communication of data. However, between January 1, 2014, and Dec. 14, 2020, the company allegedly failed to provide secure hosting of applicants’ personal information and failed to implement necessary updates. In December 2020, the website experienced a data breach that potentially exposed more than 500,000 applicants’ personal identifying information and other data. In response to the data breach and the company’s cybersecurity failure, the Florida entity shut down the website’s application portal.

    Privacy, Cyber Risk & Data Security Federal Issues DOJ False Claims Act / FIRREA Enforcement Data Breach
