Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated Proposed Second Amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (Proposed Second Amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed changes from NYDFS.  Comments are due by 5:00 p.m. ET on August 14.

As background, the NYDFS Cybersecurity Regulation took effect in March 2017, including a robust set of cybersecurity requirements as well as a 72-hour incident notification requirement for NYDFS licensees.  After releasing an initial draft of a proposed amendment on July 29, 2022, NYDFS released the first version of a Proposed Second Amendment to the regulation in November 2022 with a public comment period that closed on January 9, 2023.  The changes proposed in November 2022 included several significant updates to the regulation with respect to:

  • Increased cybersecurity governance and board oversight requirements;
  • The creation of “classes” of companies subject to different requirements;
  • The introduction of new reporting requirements for privileged account compromise, ransomware deployment, and “extortion” payments; and
  • The enumeration of factors to be considered in enforcement decisions, among others. 

After reviewing the comments received on these proposed changes, NYDFS released an updated version of the Proposed Second Amendment on June 28, 2023 with adjustments made in response to those comments.  The revisions refine rather than substantially change the prior version, and include, among other things:

  • Clarifying that a CISO must be a “qualified individual” responsible for an entity’s cybersecurity program and policy (Section 500.1(c));
  • Narrowing the definition of “privileged accounts” that will be subject to some of the new programmatic and reporting requirements (Section 500.1(m));
  • Specifying that newly required annual independent audits of cybersecurity programs for “Class A” companies can be conducted by internal or external auditors that meet certain requirements (Section 500.1(g));
  • Clarifying that the board must exercise effective oversight over an entity’s cybersecurity risk management but eliminating the requirement that the board have “sufficient expertise and knowledge” (Section 500.4); and
  • Requiring companies to conduct a “root cause analysis” as part of incident response (Section 500.16).

As noted above, the updated version is subject to an additional comment period, and stakeholders may submit comments before 5:00 p.m. ET on August 14, 2023.  Comments should be sent by email to cyberamendment@dfs.ny.gov or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, 1 State Street Plaza, Floor 19, New York, NY, 10004.

According to a recently-released meeting agenda, the Securities and Exchange Commission’s (“SEC”) upcoming July 26, 2023 meeting will include consideration of adopting rules to enhance disclosures regarding cybersecurity risk management, governance, and incidents by publicly traded companies. 

The SEC initially proposed these rules in March 2022.  If adopted as proposed, the new rules would require publicly traded companies to publicly disclose a cybersecurity incident within four business days of determining that the incident is material, and to provide disclosure in periodic reports about certain cybersecurity governance practices.  The proposed rule has been subject to two comment periods; after the original comment period ended in May 2022, the SEC re-opened the comment period from October to November 2022.  The SEC is also considering additional rules that implicate cybersecurity considerations and are in various phases of comment and revision for investment advisors, broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.

On July 13, 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (“NCSIP”).  The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year.  This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually.  Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):

  • Defending critical infrastructure;
  • Disrupting and dismantling threat actors;
  • Shaping market forces to drive security and resilience;
  • Investing in a resilient future; and
  • Forging international partnerships to pursue shared goals.

Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.


On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.


On July 13, 2023, the Cybersecurity Administration of China (“CAC”), in conjunction with six other agencies, jointly issued the Interim Administrative Measures for Generative Artificial Intelligence Services (《生成式人工智能管理暂行办法》) (“Generative AI Measures” or “Measures”) (official Chinese version here).  The Generative AI Measures are set to take effect on August 15, 2023. 

As the first comprehensive AI regulation in China, the Measures cover a wide range of topics touching upon how Generative AI Services are developed and how such services can be offered.  These topics range from AI governance, training data, tagging and labeling to data protection and user rights.  In this blog post, we spotlight a few of the most important points that could potentially impact a company’s decision to develop and deploy its Generative AI Services in China.

This final version follows a first draft which was released for public consultation in April 2023 (see our previous post here).  Several requirements were removed from the April 2023 draft, including, for example, the prohibition of user profiling, user real-name verification, and the requirement to take measures within three months through model optimization training to prevent illegal content from being generated again.  However, several provisions in the final version remain vague (potentially by design) and leave room for future regulatory guidance as the generative AI landscape continues to evolve.


This quarterly update summarizes key legislative and regulatory developments in the second quarter of 2023 related to key technologies and related topics, including Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), data privacy and cybersecurity, and online teen safety.


In the past year, plaintiffs have filed a wave of lawsuits asserting claims under the Video Privacy Protection Act (“VPPA”) in connection with the alleged use of third-party pixels on websites that offer video content.  A recent decision establishes the limits of the VPPA’s reach and provides a well-reasoned ground for future motions to dismiss.

In Carroll v. General Mills, Inc., 2:23-cv-01746 (C.D. Cal. June 26, 2023), plaintiffs alleged that their video-viewing activity had been shared with third parties, in purported violation of the VPPA, via pixel code allegedly installed on defendant’s website.  The federal court dismissed the lawsuit in an opinion that will have broad impact for other companies. 

In Carroll, the VPPA’s “video tape service provider” element was at issue.  The VPPA applies only to “video tape service provider[s]” (a/k/a VTSPs), defined as “any person engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  Plaintiffs claimed that General Mills was “in the business” of video delivery through its creation and distribution of online videos to “increase[] its brand presence.”  The court found this allegation insufficient to satisfy the VTSP requirement and held that the VPPA “does not cover every company that merely delivers audio visual materials ancillary to its business.”  The court stated that a plaintiff seeking to bring a claim under the VPPA must plead facts demonstrating that a defendant’s “particular field of endeavor” is the delivery of audiovisual materials, rather than merely a “peripheral” part of its marketing strategy.

In making clear that posting online videos that are only incidental to a company’s core business is not subject to the VPPA, Carroll supports a strong threshold defense to future VPPA claims.

On June 30, 2023, a Superior Court of California (County of Sacramento, case number 34-2023-80004106-CU-WM-GDS) held that enforcement of the California Privacy Protection Agency’s (“CPPA”) regulations cannot commence until one year after the finalized date of the regulations.  However, the court declined to delay the CPPA’s ability to enforce violations of the underlying ballot initiative.

As background, the California Privacy Rights Act (“CPRA”) amended the California Consumer Privacy Act (“CCPA”) and, among other things, established the CPPA and mandated that the CPPA issue regulations.  The CPPA finalized its first rulemaking package on March 29, 2023 and has ongoing rulemaking activities focused on cybersecurity audits, risk assessments, and automated decisionmaking.  Because of the order, the CPPA cannot enforce the regulations it finalized on March 29, 2023 until March 29, 2024, although it appears to be able to enforce the underlying provisions of the CCPA, as amended by the CPRA.

Any future regulations must be final for one year before enforcement (e.g., if the CPPA finalizes regulations relating to cybersecurity audits on October 1, 2023, the CPPA cannot enforce these regulations until October 1, 2024).  As of this blog post, we are not aware of the CPPA appealing the court’s order, although the CPPA is scheduled to discuss enforcement priorities at a Board meeting scheduled for July 14, 2023.

On June 30, 2023, the Delaware General Assembly passed the Delaware Personal Data Privacy Act (“DPDPA”), H.B. 154.  This bill resembles the comprehensive privacy statutes in Connecticut, Montana, and the recently passed bill in Oregon, though there are some notable distinctions.  If signed into law, the DPDPA would make Delaware the latest state to implement a comprehensive privacy statute, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Florida, and, if signed into law by the governor, Oregon.

  • Scope and Exemptions:  The DPDPA would apply to any person that conducts business or provides products or services to Delaware residents and during a calendar year, controls or processes (1) personal data of 35,000 or more consumers (except for personal data controlled or processed solely for the purpose of completing a payment transaction) or (2) personal data of 10,000 or more consumers if the person derives more than 20% of their annual revenue from the sale of data.  The DPDPA exempts employee information, among other exceptions.
  • Sensitive Data:  DPDPA requires consent prior to the processing of sensitive data.  The definition of sensitive data includes data revealing race or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, status as transgender or nonbinary, citizenship status, precise geolocation, and a number of other categories that are consistent with many other comprehensive state privacy statutes.  However, the DPDPA contains a definition for “genetic data,” which includes “any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material.”
  • Consumer Rights:  Consumers have rights to: (1) confirm whether a controller is processing their personal data and access such personal data; (2) correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by or obtained about the consumer; (4) obtain a portable copy of the consumer’s personal data; (5) obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data; and (6) opt out of processing for purposes of (a) targeted advertising (defined as displaying advertisements that are selected based on the consumer’s activities over time and across nonaffiliated websites), (b) the sale of personal data, or (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.  The DPDPA also requires controllers to honor opt-out preference signals.
  • Opt-In Consent:  Unless the controller obtains a consumer’s consent, the DPDPA would prohibit a controller from processing personal data for targeted advertising, or selling personal data, if the controller has “actual knowledge that, or willfully disregards whether, the consumer is at least thirteen years of age but younger than 18 years of age.”
  • Enforcement:  The Attorney General has exclusive authority to enforce the DPDPA, and there is no private right of action.  The DPDPA will enter into effect January 1, 2025 if the bill is enacted by January 1, 2024.  The DPDPA has a 60-day right to cure that sunsets on December 31, 2025.  If the bill is enacted after January 1, 2024, the Act will take effect on January 1, 2026.

In late June, the Oregon Legislature passed HB 2759, which would amend the state’s existing “do not call” law.  The bill currently is awaiting action by the governor. 

If enacted, the bill would make a person “liable for any loss and subject to any penalty” to the same extent as the violator if the person “knows or consciously avoids knowing that another person is engaging in an act or practice that violates” the prohibition on engaging in telephone solicitations to a party at a telephone number on the National Do Not Call Registry and “the person nonetheless provides substantial assistance or support for the violation, including permitting, carrying or facilitating calls that violate” the prohibition.

The bill would exempt “a telecommunications utility or cooperative corporation when engaged in providing a telecommunications service and operating as a common carrier” and “a person that enables another person to complete a voice communication by means of a network that the person operates and on which the voice communication terminates.”  A violation of this new restriction would constitute an unlawful practice under the state’s Unlawful Trade Practices Act.