The year 2022 saw a groundswell of interest in privacy rights and related legislation. Five states enacted new laws or regulations aimed at protecting a general right to privacy, while the U.S. government came closer than ever before to enacting a comprehensive federal law called the American Data Privacy and Protection Act. Both the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) moved to strengthen existing cybersecurity and reporting requirements. The White House issued executive orders to bolster cybersecurity for critical infrastructure. And the California Attorney General’s (AG) Office announced its first public fine for privacy violations, stating the “kid gloves” are coming off for enforcement in 2023.
We see no indication that the global privacy movement will slow down in 2023. Broad privacy bills have already been introduced this year by lawmakers in Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon and Tennessee. New Jersey lawmakers are reviewing a comprehensive privacy bill that was carried over from 2022. Several states have also introduced narrower bills aimed at protecting specific privacy rights. These include a reproductive rights privacy bill in Washington and an age-appropriate design code bill in Oregon, which is similar to the law of the same name enacted in California in 2022. Biometric privacy legislation has also been introduced in New York, Maryland and Mississippi, which would join existing biometric privacy laws in Illinois, Texas and at least five other states. We will continue to monitor these and other developments.
Kramer Levin also issued numerous alerts throughout 2022 on major developments in privacy and data security. We briefly summarize those alerts below.
On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published proposed amendments to its Cybersecurity Requirements for Financial Services Companies. The amendments to the agency’s cybersecurity regulations, 23 NYCRR Section 500 (Part 500), would subject all covered entities — including banks, insurance companies and other financial institutions regulated by NYDFS — to a number of new cybersecurity requirements, including a 24-hour notification requirement for ransomware payments, annual penetration testing and risk assessments, enhanced cybersecurity policies and security measures, and new governance and board oversight requirements. They would impose additional requirements on a new category of Class A companies — the largest financial services companies — including requirements that they conduct independent audits of their cybersecurity programs at least annually, monitor privileged access activity and use external experts to conduct a risk assessment at least once every three years.
NYDFS published the amendments to the State Register on Nov. 9, commencing a 60-day comment period that ended on Jan. 9, 2023. The amendments may increase costs for some financial services companies that need to adopt additional cybersecurity measures. At the same time, there will be more NYDFS-regulated entities that qualify for a limited exemption based on their relatively smaller size. Companies that determine they qualify for a limited exemption would still need to file a Notice of Exemption form on the NYDFS website within 30 days of that determination.
On Oct. 24, 2022, the FTC issued a proposed decision and order against Drizly LLC and its CEO regarding allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers in 2020. The order mandates that Drizly implement a wide range of data security and privacy protocols and requires Drizly’s CEO, James Cory Rellas, to personally ensure that any company he joins in an ownership or managerial capacity maintains an adequate information security program as stipulated by the terms of the order.
The action stresses the responsibility of businesses that collect consumer data to manage and protect that information from both internal and external threats. It is another example of the FTC’s use of its unfair trade practice authority to police privacy and data minimization in the absence of a uniform federal privacy law. Importantly, instituting requirements to report to the boards of directors or equivalent managing bodies, coupled with direct penalties levied against Drizly’s CEO, underscores the FTC’s view that the privacy and protection of consumer personal information should involve top-level employees. Senior executives and managers should take note that lax handling of consumer personal information could have both companywide and individual consequences.
On Aug. 24, 2022, California AG Rob Bonta announced the first public fine for failure to comply with the California Consumer Privacy Act (CCPA). Beauty products retailer Sephora Inc. agreed in a settlement to pay $1.2 million into California’s Consumer Privacy Fund, to make substantial changes to Sephora’s privacy programs and policies, and to submit annual reports regarding these changes to the AG for the next two years.
Like many retailers, Sephora installed (or allowed third parties to install) software on its website that monitored the actions of its online shoppers. Although these third parties did not pay Sephora for its shoppers’ data, Sephora received in return analytics regarding these shoppers and the option to purchase advertisements targeting them. The AG alleged that this use of adtech constituted a sale of personal information under the CCPA, which the AG stated “broadly defines sales as the exchange of personal information for anything of value.”
On July 20, 2022, the House Committee on Energy and Commerce advanced a new federal privacy bill titled the American Data Privacy and Protection Act (ADPPA) to the House floor. Although it is not yet law, many commentators were optimistic that it may move forward in view of the ADPPA’s bipartisan support and the compromises it reaches on the issues of preemption and private rights of action, both of which have stalled prior federal privacy bills. The ADPPA reflects trends in U.S. privacy law that are emerging from state-level laws passed in California, Virginia, Colorado, Utah and Connecticut (the State Privacy Laws). It also departs from all five State Privacy Laws in a few novel ways. This alert discusses key provisions of the ADPPA, as currently drafted, and how they compare to the State Privacy Laws.
On June 22-23, 2022, government, industry and outside counsel convened in New York at the American Conference Institute’s (ACI) Advanced Forum on False Claims and Qui Tam Enforcement to discuss recent trends in False Claims Act (FCA) case law and enforcement priorities. The panels addressed several developments of potential interest to health care providers, contractors that certify compliance with government cybersecurity requirements, and private equity firms that invest in and manage government contractors. First, health care providers will not be surprised to learn that the government obtained its highest-ever total annual recovery from the industry in FY2021 — approximately $5 billion. Second, both relator- and defense-side counsel agree that cybersecurity failures present a new and emerging FCA enforcement risk. Third, another emerging area for FCA enforcement relates to private equity (PE). PE firms that purchase government contractors are increasingly finding themselves the target of government enforcement efforts, along with the contractors they manage. Finally, government panelists confirmed that the Department of Justice’s latest policy on cooperation credit, announced by Deputy AG Lisa Monaco in October 2021, restored prior department guidance that sought to incentivize disclosure and cooperation by potential FCA defendants.
On May 10, 2022, Connecticut became the fifth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado and Utah. Although privacy and data security laws have existed in the U.S. for decades, until recently, they were limited to certain industries, jurisdictions or data types. These five new laws reflect a growing movement to protect an individual’s general right to privacy rather than regulate only particular types of data processing. See our analyses of the California, Virginia and Colorado laws for how to comply with privacy requirements in those states.
On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (the Act) into law as part of the $1.5 trillion fiscal 2022 omnibus spending package. The Act will create a mandatory cyber incident reporting regime under the Cybersecurity and Infrastructure Security Agency (CISA). It will require covered critical infrastructure entities to report information about substantial cyber incidents they’ve experienced to CISA within 72 hours and to report information about ransomware payments they’ve made within 24 hours.
On March 9, 2022, the SEC proposed new rules as part of its most far-reaching effort to enhance and standardize cybersecurity-related disclosures and incident reporting by public companies. The proposed rules include mandatory cyber incident reporting and periodic disclosure regarding risk management, strategy and governance.
These proposed rules, coupled with recent comprehensive guidance and enforcement actions, demonstrate the SEC’s heightened focus on cybersecurity issues. As set out in our alert, we expect this trend to continue — underscoring the importance for companies to maintain adequate cybersecurity disclosure and risk management policies and procedures.
On March 9, 2022, President Biden issued a long-anticipated executive order called Ensuring Responsible Development of Digital Assets that outlined a whole-of-government approach to regulating digital assets. The order implements no new policies or regulations but instead sets out the administration’s priorities for digital asset regulation and establishes a process through which the White House will gather reports on the digital asset ecosystem from more than 20 executive agencies named in the order.
The order acknowledges the exponential growth of the digital asset market over the past five years and recognizes the government’s interest in enabling “responsible financial innovation” while protecting against perceived risks. The administration’s approach to digital asset regulation is aimed at six objectives: protecting consumers, investors and businesses; ensuring financial stability and mitigating systemic risk; combating illicit finance and national security risks; promoting U.S. leadership and economic competitiveness; encouraging equitable access to the financial system; and supporting the development of digital technologies in a safe, responsible manner.
On March 7, 2022, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department published guidance on increased vigilance for potential Russian sanctions evasion attempts. The FinCEN alert follows the imposition of mounting sanctions levied by the U.S. government against Russian interests in connection with the invasion of Ukraine. Among these recent efforts, the Office of Foreign Assets Control and the U.S. Department of State sanctioned numerous Russian elites by identifying certain of their property as blocked. This initiative aims to prevent elites from providing support to the Russian government through their wealth and other resources. The Treasury Department and State Department have also sanctioned Russian intelligence-directed disinformation outlets and defense-related firms.
On Feb. 9, 2022, the SEC proposed a suite of new rules and amendments concerning cybersecurity risk management for registered investment advisers (advisers) and registered investment companies, including business development companies (funds). Proposed under the authority of the Investment Advisers Act of 1940 and the Investment Company Act of 1940, the proposed rules and amendments would require investment advisers and funds to adopt and implement extensive “cybersecurity risk management policies and procedures.” In addition, the proposals would modify recordkeeping, disclosure and reporting requirements, obligating investment advisers and funds to maintain records of significant cybersecurity incidents, to disclose such incidents to their clients, and — for investment advisers only — to promptly report significant cybersecurity incidents to the SEC.