California continues to be at vanguard of data privacy rights. The latest effort by California legislators to protect consumer privacy rights focuses on data brokers, who under the proposed California Senate Bill 362, aka the “Delete Act,” would be required to recognize and honor opt-out signals from Californians. The law seeks to expand on the deletion and opt-out rights provided under the CCPA, which currently requires a Californians to submit their deletion and opt-out requests on a company-by-company basis.… Continue Reading
CPPA publishes new draft regulations addressing AI, risk assessments, cyber audits
The California Privacy Protection Agency (CPPA) recently published two new sets of draft regulations addressing a range of cutting-edge data protection issues. Although the CPPA has not officially started the formal rulemaking process, the Draft Cybersecurity Audit Regulations and the Draft Risk Assessment Regulations will serve as the foundation for the process moving forward. … Continue Reading
OpenAI class action likely to increase scrutiny of webscraping and data collection practices
On June 28, a group of plaintiffs filed a class action lawsuit against OpenAI—creator and publisher of the generative artificial intelligence (AI) tool ChatGPT—as well as OpenAI’s primary investor, Microsoft. The 151-page complaint is the first significant U.S. class action to assert that generative AI tools violate consumer privacy rights.
The Complaint, filed in the Northern District of California, challenges the core of the generative AI models. … Continue Reading
Senator Bennet Proposes Federal Commission to Regulate Artificial Intelligence
Following recent Senate testimony in which OpenAI CEO Sam Altman proposed additional Congressional oversight for the development of artificial intelligence (AI), Colorado Senator Michael Bennet has re-introduced the Digital Platform Commission Act, a bill that would enable the creation of a federal agency to oversee the use of AI by digital platforms. … Continue Reading
Pennsylvania amends data breach notification law
In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information. The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements. Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with HIPAA’s privacy and security standards. … Continue Reading
CFPB issues Section 1033 SBREFA outline
The CFPB has taken a significant step towards issuing regulations to implement Section 1033 of the Dodd-Frank Act by releasing an outline of the proposals it is considering in preparation for convening a small business review panel (Panel). Section 1033 authorizes the CFPB to issue rules requiring “a covered person [to] make available to a consumer, upon request, information in the control or possession of such person concerning the consumer financial product or service that the consumer obtained from such covered person, including information related to any transaction, or series of transactions, to the account including costs, charges, and usage data.”… Continue Reading
NYDFS Announces Draft Amendments to Cybersecurity Regulation
On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Cyber Security Regulations. The Amendments, if adopted, would further regulatory trends and impose important new requirements on covered entities.
The Amendments contain three significant changes relating to ransomware. First, the Amendment specifically adds “the deployment of ransomware within a material part of the covered entity’s information system” as a cybersecurity event requiring notice to the superintendent within 72 hours. … Continue Reading
GAO report recommends DHS and Treasury assess federal response to cyber attacks
In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant a federal insurance response, and to inform Congress of the results of their assessment. … Continue Reading
Unpacking the FTC’s Recent Blog Post Regarding Breach Notification
The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act. The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. … Continue Reading
Initial thoughts about the proposed CPRA regulations
In a surprising development, the California Privacy Protection Agency (CPPA) published proposed amendments to the CCPA regulations recently. The proposed amendments were initially made public in a package of materials to be considered by the CPPA at its upcoming June 8 meeting. The proposed amendments—which in effect are the draft CPRA regulations—were issued without advance notice, ahead of the schedule previously announced by the CPPA. … Continue Reading