As we previewed in our prior Legal Update, the Federal Trade Commission (“FTC”) warned businesses of its stance on the use and collection of biometric information in a May 2023 policy statement. Now, an enforcement action filed earlier this week offers insight into the potential consequences for businesses that do not comply with the FTC’s policy statement guidelines.

On December 19, 2023, the FTC sued Rite-Aid Corporation and its parent company Rite-Aid Headquarters Corporation (together, “Rite-Aid”) in the United States District Court for the Eastern District of Pennsylvania for (1) an unfair Facial Recognition Technology (“FRT”) practice, improperly using FRT that falsely flagged Rite-Aid customers for shoplifting, and (2) failing to implement a comprehensive security program to protect customers’ personal information. The complaint alleges that Rite-Aid’s failure to take reasonable measures that would prevent harm to consumers violated a 2010 consent order (“2010 order”) with the FTC and Section 5 of the FTC Act, 15 U.S.C. §§ 45(a), (n).

The FTC attached a stipulated order to its complaint that, if approved, would not only ban Rite-Aid from using FRT for five years but also require significant modification to Rite-Aid’s existing information security policies.

On December 20, 2023, the Federal Trade Commission (“FTC”) issued a Notice of Proposed Rulemaking (“NPRM”) that would make significant changes to the Children’s Online Privacy Protection Rule (“COPPA Rule”), which implements the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The proposed rule would make a number of changes intended to expand the COPPA Rule, in order to address perceived shortcomings in how information about children under the age of 13 is collected, used, and shared by websites and online service operators. The FTC’s last major change to the COPPA Rule occurred in 2013.

On December 12, 2023, the Department of Justice (DOJ) issued guidelines for companies to follow in requesting that the Attorney General authorize delays of cyber incident disclosures required by the U.S. Securities and Exchange Commission (“SEC”) pursuant to Form 8-K Item 1.05.

In July, the SEC finalized a rule (the “Final Rule”), which comes into effect on December 18, 2023, requiring companies subject to the reporting requirements in Section 13 or 15(d) of the Securities Exchange Act of 1934 (“registrants”) to determine without “unreasonable delay” whether a cybersecurity incident is “material,” and to report material incidents on SEC Form 8-K within four business days of that determination. In announcing the Final Rule, the SEC restated the standard for materiality from caselaw: information about a cybersecurity incident is “material” if there is “a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”

On October 25, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Department of Health and Human Services (“HHS”) released a cybersecurity toolkit containing resources and information that organizations in the healthcare and public health (HPH) sector can utilize to reduce their cyber risk.

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) finalized the amendment to its cybersecurity regulation (the “Amendment”). The Amendment expands cybersecurity requirements across many areas—from governance to incident response to access controls.

The Amendment follows the three published drafts: two proposals published for formal notice and comment in November 2022 and June 2023, and a pre-proposal draft published in July 2022. The final version resembles the June 2023 proposal, but includes a handful of key changes and clarifications. In this Legal Update, we analyze the new requirements introduced in the Amendment.

On October 30, 2023, President Joe Biden issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the “AI EO”). Directing numerous actions by federal agencies, the AI EO reflects the Biden Administration’s intent to employ a range of legal and policy tools to promote US leadership on artificial intelligence (“AI”) while reducing the associated risks.

The AI EO directs the creation, over the next year, of best practices and regulations to promote safety, cybersecurity, privacy, fairness, and competition. Government action will also include studies on uses of AI across government agencies and industries, and measures to support development of the technology.

The Second Amendment to the New York Department of Financial Services’ (“NYDFS”) Cybersecurity Requirements for Financial Services Companies (the “NYDFS Requirements”) is expected to be published in final form in the next two weeks. The Second Amendment will follow updated proposed amendments to the NYDFS Requirements published on June 28, 2023 (the “2023 Proposal”), which were revised after the proposed amendments were first formally published on November 9, 2022. The comment period for the 2023 Proposal ended on August 14, 2023.

On 13 September 2023, negotiations began between European institutions to adopt the text of the EU Cyber Resilience Act (the “CRA”). If adopted, the CRA will impose a set of software security, cybersecurity, and vulnerability management requirements on products with digital elements (i.e., software or hardware products and their remote data processing solutions) placed on the EU market.

On September 25, 2023, the Consumer Financial Protection Bureau (“CFPB”) began its most substantial Fair Credit Reporting Act (“FCRA”) rulemaking yet with an outline of proposed changes to Regulation V, which implements FCRA, ahead of the Bureau’s Small Business Advisory Review Panel. The proposals under consideration could have a substantial impact on the data brokerage industry, if implemented. In this Legal Update, we look at the key components of the CFPB’s initial proposals for revising Regulation V.