On March 6, 2024, New Hampshire Governor Chris Sununu signed SB 255 into law, making the Granite State the latest to enact a comprehensive privacy law—the 15th state, if you count Florida’s privacy law of narrower applicability.

New Hampshire’s privacy law goes into effect January 1, 2025 and applies to persons that conduct business in New Hampshire, or persons that produce products or services that are targeted to New Hampshire residents, and who during a one-year period: (1) controlled or processed the personal data of not less than 35,000 unique New Hampshire residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) controlled or processed the personal data of not less than 10,000 unique New Hampshire residents, and who derived more than 25% of their gross revenue from the sale of personal data.

Continue reading.

On February 28, 2024, President Joe Biden issued Executive Order (“EO”) 14117, empowering the Department of Justice (DOJ) to regulate the export of certain consumer data, in order to prevent certain countries’ governments from obtaining bulk sets of especially sensitive personal data. The EO, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” addresses longstanding concerns from the Executive Branch that certain foreign governments are amassing sensitive genomic, biometric, health, geolocation, financial, and other personal data and using it to engage in activities that threaten national security, such as espionage (including through computer hacking), blackmail, transnational repression, and disinformation campaigns.

Continue reading.

As we previewed in our prior Legal Update, the Federal Trade Commission (“FTC”) warned businesses of its stance on the use and collection of biometric information in a May 2023 policy statement. Now, an enforcement action filed earlier this week offers insight into the potential consequences for businesses that do not comply with the FTC’s policy statement guidelines.

On December 19, 2023, the FTC sued Rite-Aid Corporation and its parent company Rite-Aid Headquarters Corporation (together, “Rite-Aid”) in the United States District Court for the Eastern District of Pennsylvania for (1) an unfair Facial Recognition Technology (“FRT”) practice, improperly using FRT that falsely flagged Rite-Aid customers for shoplifting, and (2) failing to implement a comprehensive security program to protect customers’ personal information. The complaint alleges that Rite-Aid’s failure to take reasonable measures that would prevent harm to consumers violated a 2010 consent order (“2010 order”) with the FTC and Section 5 of the FTC Act, 15 U.S.C. §§ 45(a), (n).

The FTC attached a stipulated order to its complaint that, if approved, would not only ban Rite-Aid from using FRT for five years but also require significant modification to Rite-Aid’s existing information security policies.

Continue reading.

On December 20, 2023, the Federal Trade Commission (“FTC”) issued a Notice of Proposed Rulemaking (“NPRM”) that would make significant changes to the Children’s Online Privacy Protection Rule (“COPPA Rule”), which implements the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The proposed rule would make a number of changes intended to expand the COPPA Rule, in order to address perceived shortcomings in how information about children under the age of 13 is collected, used, and shared by websites and online service operators. The FTC’s last major change to the COPPA Rule occurred in 2013.

Continue reading.

On December 12, 2023, the Department of Justice (DOJ) issued guidelines for companies to follow in requesting that the Attorney General authorize delays of cyber incident disclosures required by the U.S. Securities and Exchange Commission (“SEC”) pursuant to Form 8-K Item 1.05.

In July, the SEC finalized a rule (the “Final Rule”), which comes into effect on December 18, 2023, requiring companies subject to the reporting requirements in Section 13 or 15(d) of the Securities Exchange Act of 1934 (“registrants”) to determine without “unreasonable delay” whether a cybersecurity incident is “material,” and to report material incidents on SEC Form 8-K within four business days of that determination. In announcing the Final Rule, the SEC restated the standard for materiality from caselaw: information about a cybersecurity incident is “material” if there is “a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.

Continue reading.

On October 25, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Department of Health and Human Services (“HHS”) released a cybersecurity toolkit containing resources and information that organizations in the healthcare and public health (HPH) sector can utilize to reduce their cyber risk.

Continue reading.

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) finalized the amendment to its cybersecurity regulation (the “Amendment”). The Amendment expands cybersecurity requirements across many areas—from governance to incident response to access controls.

The Amendment follows the three published drafts: two proposals published for formal notice and comment in November 2022 and June 2023, and a pre-proposal draft published in July 2022. The final version resembles the June 2023 proposal, but includes a handful of key changes and clarifications. In this Legal Update, we analyze the new requirements introduced in the Amendment.

Continue reading.

On October 30, 2023, President Joe Biden issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intellence (the “AI EO”). Directing numerous actions by federal agencies, the AI EO reflects the Biden Administration’s intent to employ a range of legal and policy tools to promote US leadership on artificial intelligence (“AI”) while reducing the associated risks.1

The AI EO directs the creation, over the next year, of best practices and regulations to promote safety, cybersecurity, privacy, fairness, and competition. Government action will also include studies on uses of AI across government agencies and industries, and measures to support development of the technology.

Continue reading.

The Second Amendment to the New York Department of Financial Services’ (“NYDFS”) Cybersecurity Requirements for Financial Services Companies (the “NYDFS Requirements”) is expected to be published in final form in the next two weeks. The Second Amendment will follow updated proposed amendments to the NYDFS Requirements published on June 28, 2023 (the “2023 Proposal”),1 which were revised after the proposed amendments were first formally published on November 9, 2022.2 The comment period for the 2023 Proposal ended on August 14, 2023.

Continue reading.