InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Office of Science and Technology issues RFI on biometric technology
Earlier this month, the Office of Science and Technology (OSTP) issued a request for information (RFI) on the use of biometric technology. Specifically, the RFI seeks to assist OSTP in understanding “the extent and variety of biometric technologies in past, current, or planned use; the domains in which these technologies are being used; the entities making use of them; current principles, practices, or policies governing their use; and the stakeholders that are, or may be, impacted by their use or regulation.” Citing the evolution and use of biometric data, OSTP requests information from stakeholders on data collection and applications using biometric technologies to verify and identify individuals or draw inferences from an individual’s cognitive and/or emotional state. Comments are due January 15, 2022.
NIST issues draft cybersecurity framework to mitigate ransomware events
Recently, the National Institute of Standards and Technology (NIST) issued a draft version of its Cybersecurity Framework Profile for Ransomware Risk Management, which proposes recommended steps for organizations to follow to prevent and mitigate ransomware events. The profile identifies Cybersecurity Framework Version 1.1 security objectives and can be used as a risk-management guide to help gauge an organization’s readiness level. Steps include “identifying and protecting critical data, systems, and devices; detecting ransomware events as early as possible (preferably before the ransomware is deployed); and preparing for responses to and recovery from any ransomware events that do occur.” The profile also outlines basic preventative measures organizations should take, including: (i) using antivirus software at all times to automatically scan emails and flash drives; (ii) ensuring computers are fully patched and running scheduled checks to identify and install new patches; (iii) segmenting internal networks as a precaution against malware; (iv) continuously monitoring directory services (and other primary user stores) to identify indicators of compromise or active attack; (v) blocking access to potentially malicious web resource and allowing only authorized applications; (vi) using standard user accounts; (vii) restricting personally owned devices and the use of personal applications on work computers; (viii) educating employees about social engineering; and (ix) assigning and managing credential authorization and running periodic reviews to ensure each account has the appropriate access only. Among other things, NIST further outlines five cybersecurity framework functions (identify, protect, detect, respond and recover), and advises organizations to develop an incident recovery plan; develop, implement, and test data backups and restoration strategies; and maintain updated contacts for ransomware attacks. According to NIST, taking these proactive measures will help organizations recover from future ransomware events.
Financial Stability Board calls for uniformity in cyber-breach reporting
On October 19, the Financial Stability Board (FSB) released a report calling for a convergence in the reporting of cyber incidents given the digitalization of financial services and the growing use of third-party service providers. According to FSB’s report, Cyber Incident Reporting: Existing Approaches and Next Steps for Broader Convergence, financial institutions operating across borders or sectors are subjected to multiple reporting requirements for one cyber incident. Pointing out that “fragmentation exists across sectors and jurisdictions in the scope of what should be reported for a cyber incident; methodologies to measure severity and impact of an incident; timeframes for reporting cyber incidents; and how cyber incident information is used,” FSB cautioned that the lack of a common method for reporting cyber incidents “could undermine a financial institution's response and recovery actions.” FSB also warned that the dissemination of “heterogeneous information” concerning a cyber incident “underscores a need to address constraints in information-sharing among financial authorities and financial institutions.” Harmonizing regulatory reporting would promote financial stability by ensuring there is a common method for monitoring cyberattacks in the sector, supporting effective supervision of cyber-risks at financial institutions, and helping authorities share information between jurisdictions. FSB stated it plans to create a detailed plan by the end of the year to (i) develop best practices for authorities to consider when developing their cyber incident reporting regime; (ii) identify key types of information that should be shared across the financial sector; and (iii) create a common terminology for cyber-incident reporting.
California clarifies CPRA rulemaking authority timing
On October 5, the California governor signed AB 694. The bill clarifies that the California Privacy Protection Agency (which was given “full administrative power, authority, and jurisdiction to implement and enforce the [California Consumer Privacy Act]”) would assume responsibility for rulemaking “on or after the later of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking.” A previously covered by InfoBytes, last month the CPPA formally called on stakeholders to provide preliminary comments on proposed Consumer Privacy Rights Act rulemaking. However, the CPPA noted that the invitation for comments is not a proposed rulemaking action and stated that the public will have additional opportunities to provide comments on proposed regulations or modifications when it proceeds with a notice of proposed rulemaking action.
California expands consumer privacy rights to include genetic data
On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to honor a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days after the consent has been revoked. Companies must also obtain a consumer’s express consent for collection, use, or disclosure of an individual’s genetic data. GIPA also requires companies to comply with all applicable federal and state laws for disclosing genetic data without a consumer’s express consent, and companies must “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.” Violations of the law may result in civil penalties ranging from $1,000 to $10,000. Exempt from GIPA’s provisions is medical information governed by the Confidentiality of Medical Information Act, or medical information collected and used by business associates of a covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services.
Earlier on October 5, the governor also signed AB 825, which expands the definition of “personal information” to include genetic data, regardless of its format. Under existing law, any agency that owns or licenses computerized data that includes personal information is required to immediately disclose a security breach upon discovery to California residents who may have been impacted. Agencies are also required to implement and maintain reasonable security procedures and practices.
Both bills take effect January 1, 2022.
Soltani to head the California Privacy Protection Agency
According to sources, Ashkan Soltani, a former chief technologist at the FTC, has been named Executive Director of the California Privacy Protection Agency (CPPA). Among other things, Soltani was an architect of the California Consumer Privacy Act (CCPA). According to CPPA Chair Jennifer Urban, Soltani’s “background in technology and privacy, and his work on both the CCPA and the [California Privacy Rights Act (CPRA)] give him a thorough understanding of California privacy law and will stand him in good stead as he leads Agency staff and helps the Agency fulfill its privacy protection mandate.” As previously covered by InfoBytes, earlier this year, California’s governor announced appointments to the five-member inaugural board for the CPPA, consisting of experts in privacy, technology, and consumer rights. The CPPA is tasked with protecting the privacy rights of consumers over their personal information, and “will have full administrative power, authority, and jurisdiction to implement and enforce” the CCPA and the CPRA, including bringing enforcement actions before an administrative law judge.
California Privacy Protection Agency seeks preliminary comments on CPRA proposed rulemaking
On September 22, the California Privacy Protection Agency (CPPA) formally called on stakeholders to provide preliminary comments on proposed rulemaking under the California Privacy Rights Act (CPRA). The CPRA, which established the CPPA to administer, implement, and enforce the act, was approved by ballot measure in November 2020 (covered by InfoBytes here) and updated the existing California Consumer Privacy Act. The invitation for comments highlights several areas of interest for the CPPA as it begins the rulemaking process, including topics related to: (i) cybersecurity audits and risk assessments to be performed by businesses processing personal information that presents a significant risk to consumers’ privacy or security; (ii) matters concerning automated decision-making; (iii) audits performed by the CPPA; (iv) issues related to consumer rights, including consumers’ right to delete, right to correct, and right to know what personal data has been collected or shared, as well as consumers’ rights to opt-out of the selling or sharing of their personal information and to limit the use and disclosure of their sensitive personal information; (v) information to be provided when responding to a consumer’s request to know; and (vi) definitions and categories of information and activities, including what updates or additions should be added to “personal information,” “sensitive personal information,” “precise geolocation,” and “dark patterns,” among other terms. Comments must be submitted by November 8.
The CPRA will become effective January 1, 2023, with enforcement delayed until July 1, 2023. However, the CPRA will apply to personal information collected by a business on or after January 1, 2022. The CPPA notes that this invitation for comments is not a proposed rulemaking action and states that the public will have additional opportunities to provide comments on proposed regulations or modifications when it proceeds with a notice of proposed rulemaking action.
Illinois state appellate court applies different limitation periods under BIPA
On September 17, the First District Appellate Court of Illinois held that different limitation periods should be applied to the Biometric Information Privacy Act (BIPA), concluding that while Section 15 imposes various duties that all concern privacy, “each duty is separate and distinct.” Specifically, the panel stated that claims related to “[a]ctions for slander, libel or for publication of matter violating the right of privacy” have a one-year limitation period, while “all civil actions not otherwise provided for” carry a five-year limit. Plaintiffs filed a class action complaint alleging violations of BIPA Sections 15(a), 15(b), and 15(d), claiming the defendant collected, stored, used, and disseminated individuals’ biometric data obtained through fingerprint scans without, among other things, (i) informing plaintiffs of the purpose and length of the storage and use of their data; (ii) receiving written release from plaintiffs; (iii) providing a retention schedule and guidelines for destroying the data; or (iv) obtaining consent from plaintiffs and other employees to disseminate their data to third parties. The defendant moved to dismiss, arguing that the claims were filed outside the limitation period, noting that while BIPA itself has no limitation provision, “the one-year limitation period for privacy actions under Code section 13-201 applies to causes of action under [BIPA] because [BIPA’s] purpose is privacy protection.” A state trial court denied the defendant’s motion to dismiss, ruling that the plaintiffs’ claims were subject to Illinois’ “catchall” five-year limitation provision rather than the state’s one-year privacy claim limitation period, since the plaintiffs were alleging specific BIPA violations rather than a general privacy invasion.
On appeal, the appellate court considered the limitations question and determined, among other things, that since Illinois’ one-year statute of limitations applies only to published privacy violations, it can only govern BIPA claims filed under section 15(c)’s profit restrictions and section 15(d)’s disclosure/dissemination prohibitions. As such, plaintiffs suing under BIPA’s section 15(a)’s retention requirements, section 15(b) informed consent, and section 15(e) data safeguarding requirements have five years to bring such claims since these duties “have absolutely no element of publication or dissemination.”
FTC says health apps must comply with Health Breach Notification Rule
On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPAA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
Ireland fines U.S. messaging service €225 million for GDPR violations
On September 2, the Irish Data Protection Commission (Commission) announced that a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based messaging service’s handling of individuals’ personal information. The final Article 65 decision, published by the European Data Protection Board (EDPB), imposes a €225 million on the company, and resolves an investigation into whether the company met its transparency obligations with respect to its data processing activities. The Commission alleged that the company violated provisions of the GDPR through the way it processed users’ and non-users’ data, as well as in the way it processed and shared data with other companies’ owned by the parent global social media company.
According to the final decision, “a number of concerned supervisory authorities” raised objections to aspects of the draft decision, taking issue, among other things, with the size of the proposed fine, which was originally set between €30 and €50 million. Because the Commission was unable to reach a consensus with the objecting concerned supervisory authorities, a dispute resolution process was triggered. The EDPB ultimately ordered the Commission to reassess and increase its proposed fine. In addition to imposing the administrative fine, the Commission also ordered the company “to bring its processing into compliance by taking a range of specified remedial actions.”