
Published on January 26th, 2023


Cybersecurity, Privacy And Data Protection 2022 Year In Review – Privacy Protection


The year 2022 saw a groundswell of interest in privacy rights
and related legislation. Five states enacted new laws or
regulations aimed at protecting a general right to privacy, while
the U.S. government came closer than ever before to enacting a
comprehensive federal law called the American Data Privacy and
Protection Act. Both the Federal Trade Commission (FTC) and the
Securities and Exchange Commission (SEC) moved to strengthen existing
cybersecurity and reporting requirements. The White House issued
executive orders to bolster cybersecurity for critical
infrastructure. And the California Attorney General's (AG)
Office announced its first public fine for privacy violations,
stating the "kid gloves" are coming off for enforcement
in 2023.

We see no indication that the global privacy movement will slow
down in 2023. Broad privacy bills have already been introduced this
year by lawmakers in Indiana, Iowa, Kentucky, Mississippi, New
York, Oklahoma, Oregon and Tennessee. New Jersey lawmakers are
reviewing a comprehensive privacy bill that was carried over from
2022. Several states have also introduced narrower bills aimed at
protecting specific privacy rights. These include a reproductive
rights privacy bill in Washington and an age-appropriate design
code bill in Oregon, which is similar to the law of the same name
enacted in California in 2022. Biometric privacy legislation has
also been introduced in New York, Maryland and Mississippi, which
would join existing biometric privacy laws in Illinois, Texas and
at least five other states. We will continue to monitor these and
other developments.

Kramer Levin also issued numerous alerts throughout 2022 on
major developments in privacy and data security. We briefly
summarize those alerts below.

New York State Department of Financial Services To
Amend Cybersecurity Regulations for Financial Services

On Nov. 9, 2022, the New York State Department of Financial
Services (NYDFS) published proposed amendments to its Cybersecurity
Requirements for Financial Services Companies. The amendments to
the agency's cybersecurity regulations, 23 NYCRR Section 500
(Part 500), would subject all covered entities - including banks,
insurance companies and other financial institutions regulated by
NYDFS - to a number of new cybersecurity requirements, including a
24-hour notification requirement for ransomware payments, annual
penetration testing and risk assessments, enhanced cybersecurity
policies and security measures, and new governance and board
oversight requirements. They would impose additional requirements
on a new category of Class A companies - the largest financial
services companies - including requirements that they conduct
independent audits of their cybersecurity programs at least
annually, monitor privileged access activity and use external
experts to conduct a risk assessment at least once every three

NYDFS published the amendments to the State Register on Nov. 9,
commencing a 60-day comment period that ended on Jan. 9, 2023. The
amendments may increase costs for some financial services companies
that need to adopt additional cybersecurity measures. At the same
time, there will be more NYDFS-regulated entities that qualify for
a limited exemption based on their relatively smaller size.
Companies that determine they qualify for a limited exemption would
still need to file a Notice of Exemption form on the NYDFS website
within 30 days of that determination.

Proposed FTC Order Targets Drizly and Its CEO for
Allegedly Lax Information Security Standards Following Data

On Oct. 24, 2022, the FTC issued a proposed decision and order
against Drizly LLC and its CEO regarding allegations that the
company's security failures led to a data breach exposing the
personal information of about 2.5 million consumers in 2020. The
order mandates that Drizly implement a wide range of data security
and privacy protocols and requires Drizly's CEO, James Cory
Rellas, to personally ensure that any company he joins in an
ownership or managerial capacity maintains an adequate information
security program as stipulated by the terms of the order.

The action stresses the responsibility of businesses that
collect consumer data to manage and protect that information from
both internal and external threats. It is another example of the
FTC's use of its unfair trade practice authority to police
privacy and data minimization in the absence of a uniform federal
privacy law. Importantly, instituting requirements to report to the
boards of directors or equivalent managing bodies, coupled with
direct penalties levied against Drizly's CEO, underscores the
FTC's view that the privacy and protection of consumer personal
information should involve top-level employees. Senior executives
and managers should take note that lax handling of consumer
personal information could have both companywide and individual

CA Attorney General Announces First Public CCPA

On Aug. 24, 2022, California AG Rob Bonta announced the first
public fine for failure to comply with the California Consumer
Privacy Act (CCPA). Beauty products retailer Sephora Inc. agreed in
a settlement to pay $1.2 million into California's Consumer
Privacy Fund, to make substantial changes to Sephora's privacy
programs and policies, and to submit annual reports regarding these
changes to the AG for the next two years.

Like many retailers, Sephora installed (or allowed third parties
to install) software on its website that monitored the actions of
its online shoppers. Although these third parties did not pay
Sephora for its shoppers' data, Sephora received in return
analytics regarding these shoppers and the option to purchase
advertisements targeting them. The AG alleged that this use of
Adtech constituted a sale of personal information under the CCPA,
which the AG stated "broadly defines sales as the exchange of
personal information for anything of value."

The AG's complaint against Sephora alleged three CCPA
violations: (1) Sephora's online privacy policy falsely stated
"we do not sell personal information" despite the value
it received for using Adtech software; (2) Sephora failed to
include the required "Do Not Sell My Personal
Information" link on its homepage; and (3) Sephora failed to
respond to consumer requests to opt out of such sales made via the
Global Privacy Control (GPC), a browser signal that users can set
once to inform every website they visit that they do not want
their information sold. The AG also alleged that these actions separately violated
California's Unfair Competition Law. Companies that deploy
Adtech software on their websites should revisit their privacy
programs and policies to ensure compliance with any applicable laws
and regulations.
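One way to act on the GPC signal in a site's request path, added here as an illustration rather than anything from the article or from Sephora's own systems (the function names, the opt-out registry stand-in and the sample request headers are assumptions constructed for the example):

```python
"""Honouring the Global Privacy Control (GPC) signal server-side.

Added illustration, not code from the article. The GPC signal is sent
by the browser as the request header ``Sec-GPC: 1`` (and exposed to page
scripts as ``navigator.globalPrivacyControl``). A site that "sells"
personal information in the CCPA sense has to treat that header as an
opt-out request, so the check belongs in the request path, before any
third-party analytics or advertising tag is loaded. Function names,
the registry stand-in and the sample requests are constructed here.
"""
from dataclasses import dataclass, field


def gpc_opt_out(headers):
    """True if the request carries a valid GPC opt-out signal.

    Header names are case-insensitive; only the value "1" is defined to
    mean "do not sell or share". Any other value is not an opt-out
    signal. Accepts any mapping of header name -> value.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutRegistry:
    """Per-user opt-out state persisted by the site (constructed stand-in
    for a real datastore)."""
    opted_out: set = field(default_factory=set)

    def record(self, user_id):
        self.opted_out.add(user_id)

    def is_opted_out(self, user_id):
        return user_id in self.opted_out


def may_share_with_adtech(headers, user_id, registry):
    """Decide whether third-party analytics/advertising tags may be
    loaded for this request.

    A GPC signal on the request is treated as an opt-out and, when the
    visitor is identifiable, is recorded so the choice persists on later
    requests that lack the header (a different browser, for instance).
    A previously recorded opt-out is honoured regardless of the header.
    """
    if gpc_opt_out(headers):
        if user_id is not None:
            registry.record(user_id)
        return False
    if user_id is not None and registry.is_opted_out(user_id):
        return False
    return True


def demo():
    """Run the decision over a few constructed requests and return the
    outcomes keyed by scenario."""
    registry = OptOutRegistry()
    # Constructed sample requests: one without the signal, one with it.
    plain = {"Host": "shop.example", "User-Agent": "Mozilla/5.0"}
    gpc = {"Host": "shop.example", "Sec-GPC": "1"}
    return {
        "anonymous, no signal": may_share_with_adtech(plain, None, registry),
        "anonymous, GPC": may_share_with_adtech(gpc, None, registry),
        "user-42, GPC": may_share_with_adtech(gpc, "user-42", registry),
        # Same user later, header absent: the stored opt-out still applies.
        "user-42, no signal": may_share_with_adtech(plain, "user-42", registry),
        "lowercase header": gpc_opt_out({"sec-gpc": "1"}),
        "value 0": gpc_opt_out({"Sec-GPC": "0"}),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {allowed}")
```

The check has to run on every request, not once at login, because the signal travels with the request and a visitor may turn it on at any time; the registry only adds persistence for identified users so the opt-out survives a change of browser.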

Federal Privacy Bill Shows Emerging Patterns in US
Privacy Law

On July 20, 2022, the House Committee on Energy and Commerce
advanced a new federal privacy bill titled the American Data
Privacy and Protection Act (ADPPA) to the House floor. Although it
is not yet law, many commentators were optimistic that it may move
forward in view of the ADPPA's bipartisan support and the
compromises it reaches on the issues of preemption and private
rights of action, both of which have stalled prior federal privacy
bills. The ADPPA reflects trends in U.S. privacy law that are
emerging from state-level laws passed in California, Virginia,
Colorado, Utah and Connecticut (the State Privacy Laws). It also
departs from all five State Privacy Laws in a few novel ways. This
alert discusses key provisions of the ADPPA, as currently drafted,
and how they compare to the State Privacy Laws.

Updates From ACI's Advanced Forum on False
Claims and Qui Tam Enforcement, June 22-23 in New York

On June 22-23, 2022, government, industry and outside counsel
convened in New York at the American Conference Institute's
(ACI) Advanced Forum on False Claims and Qui Tam Enforcement to
discuss recent trends in False Claims Act (FCA) case law and
enforcement priorities. The panels addressed several developments
of potential interest to health care providers, contractors that
certify compliance with government cybersecurity requirements, and
private equity firms that invest in and manage government
contractors. First, health care providers will not be surprised to
learn that the government obtained its highest-ever total annual
recovery from the industry in FY2021 - approximately $5 billion.
Second, both relator- and defense-side counsel agree that
cybersecurity failures present a new and emerging FCA enforcement
risk. Third, another emerging area for FCA enforcement relates to
private equity (PE). PE firms that purchase government contractors
are increasingly finding themselves the target of government
enforcement efforts, along with the contractors they manage.
Finally, government panelists confirmed that the Department of
Justice's latest policy on cooperation credit, announced by
Deputy AG Lisa Monaco in October 2021, restored prior department
guidance that sought to incentivize disclosure and cooperation by
potential FCA defendants.

Comparing the 5 Comprehensive Privacy Laws Passed
by US States

On May 10, 2022, Connecticut became the fifth state to enact a
comprehensive privacy law to protect personal data, joining
California, Virginia, Colorado and Utah. Although privacy and data
security laws have existed in the U.S. for decades, until recently,
they were limited to certain industries, jurisdictions or data
types. These five new laws reflect a growing movement to protect an
individual's general right to privacy rather than regulate only
particular types of data processing. See our analyses of the
California, Virginia and Colorado laws for how to comply with
privacy requirements in those states.

2022 Omnibus Spending Package Includes New
Cybersecurity Incident Reporting Requirements for Critical
Infrastructure Companies: How the Law May Affect Your

On March 15, 2022, President Biden signed the Cyber Incident
Reporting for Critical Infrastructure Act (the Act) into law as
part of the $1.5 trillion fiscal 2022 omnibus spending package. The
Act will create a mandatory cyber incident reporting regime under
the Cybersecurity and Infrastructure Security Agency (CISA). It
will require covered critical infrastructure entities to report
substantial cyber incidents they have experienced to CISA within
72 hours and ransomware payments they have made within 24 hours.
The reporting obligations do not take effect until CISA completes
the rulemaking the Act directs it to carry out, which is where the
scope of "covered entity" and "substantial cyber incident" will be
fixed.

SEC Proposes Comprehensive Cybersecurity Reporting
Rules for Public Companies

On March 9, 2022, the SEC proposed new rules as part of its most
far-reaching effort to enhance and standardize
cybersecurity-related disclosures and incident reporting by public
companies. The proposed rules include mandatory cyber incident
reporting and periodic disclosure regarding risk management,
strategy and governance.

These proposed rules, coupled with recent comprehensive guidance
and enforcement actions, demonstrate the SEC's heightened focus
on cybersecurity issues. As set out in our alert, we expect this
trend to continue - underscoring the importance for companies to
maintain adequate cybersecurity disclosure and risk management
policies and procedures.

President Biden Issues Executive Order Framing His
Administration's Approach to Regulating Digital Assets

On March 9, 2022, President Biden issued a long-anticipated
executive order called Ensuring Responsible Development of Digital
Assets that outlined a whole-of-government approach to regulating
digital assets. The order implements no new policies or regulations
but instead sets out the administration's priorities for
digital asset regulation and establishes a process through which
the White House will gather reports on the digital asset ecosystem
from more than 20 executive agencies named in the order.

The order acknowledges the exponential growth of the digital
asset market over the past five years and recognizes the
government's interest in enabling "responsible financial
innovation" while protecting against perceived risks. The
administration's approach to digital asset regulation is aimed
at six objectives: protecting consumers, investors and businesses;
ensuring financial stability and mitigating systemic risk;
combating illicit finance and national security risks; promoting
U.S. leadership and economic competitiveness; encouraging equitable
access to the financial system; and supporting the development of
digital technologies in a safe, responsible manner.

FinCEN Warns of Russian Sanctions Evasion Attempts
and Provides Guidance for Increased Vigilance

On March 7, 2022, the Financial Crimes Enforcement Network
(FinCEN) of the Treasury Department published guidance on increased
vigilance for potential Russian sanctions evasion attempts. The
FinCEN alert follows the imposition of mounting sanctions levied by
the U.S. government against Russian interests in connection with
the invasion of Ukraine. Among these recent efforts, the Office of
Foreign Assets Control and the U.S. Department of State sanctioned
numerous Russian elites by identifying certain of their property as
blocked. This initiative aims to prevent elites from providing
support to the Russian government through their wealth and other
resources. The Treasury Department and State Department have also
sanctioned Russian intelligence-directed disinformation outlets and
defense-related firms.

SEC Proposes Cybersecurity Risk Management
Requirements for Investment Advisers and Registered Funds

On Feb. 9, 2022, the SEC proposed a suite of new rules and
amendments concerning cybersecurity risk management for registered
investment advisers (advisers) and registered investment companies,
including business development companies (funds). Proposed under
the authority of the Investment Advisers Act of 1940 and the
Investment Company Act of 1940, the proposed rules and amendments
would require investment advisers and funds to adopt and implement
extensive "cybersecurity risk management policies and
procedures." In addition, the proposals would modify
recordkeeping, disclosure and reporting requirements, obligating
investment advisers and funds to maintain records of significant
cybersecurity incidents, to disclose such incidents to their
clients, and - for investment advisers only - to promptly report
significant cybersecurity incidents to the SEC.

As we head into 2023, we will continue to monitor these and
other developments related to privacy and data security.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
