Right To Know - January 2025, Vol. 25
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
View previous issues and sign up to receive future newsletters by email here.
State Action:
- Comprehensive privacy laws in four U.S. states take effect January 1, 2025: Comprehensive privacy laws in Delaware, Iowa, Nebraska, and New Hampshire are enforceable as of January 1, 2025. In addition, New Jersey’s statute is enforceable as of January 15, 2025. Notably, none of these statutes provides a private cause of action.
Regulatory:
- OCR Proposes Amendments to HIPAA Security Rule: The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued a proposed rule amending the HIPAA Security Rule to address modern cybersecurity threats and strengthen protections for electronic protected health information. Key changes include mandatory implementation of all security specifications, maintaining comprehensive documentation, conducting detailed risk analyses, and requiring annual compliance audits. Covered entities would also need to develop technology asset inventories and network maps, and implement enhanced incident response plans to restore lost systems or data within 72 hours. The proposed rule will be open for public comment shortly after publication in the Federal Register.
- HHS Cannot Enforce the Privacy Rule Against Doctor in Abortion Privacy Case: A federal judge has temporarily blocked HHS from enforcing a rule that protects the privacy of patients seeking abortion services. The rule, adopted in response to the Supreme Court’s overturning of Roe v. Wade in Dobbs v. Jackson Women’s Health Org., is designed to prevent states from penalizing doctors who refuse to share patient information related to abortion with state authorities. The ruling comes in a lawsuit filed in a district court in Texas, which argued that the rule exceeded HHS’ statutory authority and violated states’ rights. The decision prevents HHS from enforcing the privacy rule against the plaintiffs while the case proceeds.
- FBI Issues Alert on Criminals’ Use of Generative Artificial Intelligence to Facilitate Financial Fraud: On December 3, 2024, the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) issued an alert, “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud.” The FBI warns that generative AI enables criminals to create believable content more easily and at larger scale for fraud and extortion. The alert notes the use of AI-generated text, AI-generated images, AI-generated audio (also known as vocal cloning), and AI-generated videos. It includes tips for protecting against this kind of content, such as creating a secret word or phrase to verify identity, looking for subtle imperfections in images and videos, listening closely to tone and word choice, limiting online content of your image or voice, making social media accounts private, verifying the identity of the person calling, independently looking up the contact details of the bank or organization purporting to call you, never sharing sensitive information with people you have met only online or over the phone, and not sending money, gift cards, cryptocurrency, or other assets to people you do not know or have met only online or over the phone. The alert suggests that victims file a report with IC3 at www.ic3.gov. While some of the tips are aimed at individuals, they can be adapted for businesses and organizations.
- CISA Releases Best Practice Guidance for Mobile Communications: On December 18, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued “Mobile Communications Best Practice Guidance” for “highly targeted” individuals in response to cyber espionage by China targeting commercial telecommunications carriers. It includes General Recommendations as well as iPhone and Android Specific Recommendations. The General Recommendations include (1) use only end-to-end encrypted communications, (2) enable Fast Identity Online (FIDO) phishing-resistant authentication, (3) migrate away from Short Message Service (SMS)-based Multifactor Authentication (use stronger MFA), (4) use a password manager to store all passwords, (5) set a Telco PIN for telecommunications providers, (6) regularly update software, (7) opt for the latest hardware version from your cell phone manufacturer, and (8) do not use a personal virtual private network (VPN). While this guidance was prompted by espionage focused on highly targeted individuals, it can also be applied to others.
- EU Cybersecurity Certification Program update: From January 31, 2025, ICT businesses will be able to have their products certified under the EU Cybersecurity Act’s certification regime. The European Cybersecurity Certification Scheme on Common Criteria (EUCC) was adopted in January 2024, and certification applications are intended to open from 31 January. The scheme runs under the umbrella of ENISA (the European Union Agency for Cybersecurity), and national certification authorities will be tasked with implementing the certification regime. So far, just six such authorities have been established (Cyprus, Czechia, Finland, Germany, the Netherlands and Sweden).
- Privacy Complaint Filed Against BeReal in EU Over Pop-up Consent Banner Activity: Social media platform operator BeReal had a privacy complaint filed against it in the EU over its online consent banner. The banner, which pops up when visitors come to the BeReal social media platform, asks users whether they consent to having their personal data collected for advertising purposes. According to the complaint, if users consented, the banner would disappear. However, the complaint alleges, if they refused to consent, the pop-up would reappear on every subsequent visit to the site and each time they tried to publish a post. The complaint, filed in France, characterizes this activity as a “dark pattern” designed to manipulate users’ decisions and annoy them into consenting.
Litigation & Enforcement:
- Supreme Court to Hear TikTok Ban: The United States Supreme Court agreed to hear argument over Congress’ ban of TikTok in the Protecting Americans from Foreign Adversary Controlled Applications Act. Congressional concern grew over, among other things, the data collected by TikTok, and its ability to share that data with others including the Chinese government. The argument will be held on January 10, 2025.
- FTC Orders Marriott to Improve Security: Based on a complaint filed in October alleging that Marriott deceived consumers and failed to have reasonable data security in place, the FTC entered an order on December 20 against Marriott International, Inc., and its subsidiary Starwood Hotels & Resorts Worldwide LLC. The order requires Marriott and Starwood to, among other things, maintain a comprehensive Information Security Program, make annual certifications of compliance with the order, notify the FTC whenever Marriott or Starwood notifies any governmental agency of a data security incident impacting PII, and implement other protections, monitoring, and disclosures.
- U.S. Army Soldier Arrested on Suspicion of Involvement in Hack of Snowflake Customers: A U.S. Army soldier based at Fort Hood, Texas was arrested in December on suspicion of participating in the theft of data from several Snowflake customers. This followed the arrest of a Canadian citizen earlier this year for involvement in the same incident. As you’ll recall, several companies had uploaded large amounts of data to the data platform Snowflake but did not protect their logins with multifactor authentication. In late 2023, threat actors began using credentials obtained via the dark web to log in to these accounts and exfiltrate large amounts of data.
- US District Court Finds NSO Group Liable for Planting Spyware on WhatsApp Users’ Phones: On December 20, 2024, in WhatsApp Inc. v. NSO Group Technologies Ltd., the District Court for the Northern District of California found that NSO Group was liable for planting spyware on plaintiffs’ customers’ mobile phones and devices. NSO Group is an Israeli counterintelligence firm. The plaintiffs claimed that defendants used WhatsApp’s system to send Pegasus malware to approximately 1,400 mobile phones and devices in order to infect them and conduct surveillance on users. The court granted summary judgment against the defendants on liability for violation of the federal Computer Fraud and Abuse Act, violation of the California Comprehensive Computer Data Access and Fraud Act, and breach of contract (the prohibition on reverse engineering), leaving only damages for trial. The court also sanctioned the defendants for discovery violations.
- HHS OCR Imposes a $1.19 Million Penalty Against Gulf Coast Pain Consultants for HIPAA Security Rule Violations: The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on December 3, 2024, the imposition of a $1.19 million penalty on Gulf Coast Pain Consultants following a data breach affecting over 34,000 individuals. The breach occurred when a former contractor accessed the practice’s electronic health records (EHR) system without authorization, intending to use protected health information (PHI) for fraudulent Medicare claims. The exposed data included patients’ names, contact details, dates of birth, Social Security numbers, and insurance information. OCR’s investigation revealed Gulf Coast’s failure to comply with HIPAA Security Rule requirements, such as conducting risk assessments, monitoring system activity, terminating access for former workforce members, and managing access levels. These deficiencies contributed to the breach. OCR emphasized the need for healthcare providers to proactively secure patient data, highlighting that workforce members can pose significant privacy risks.
- FTC Bans Mobilewalla from Collecting/Selling Sensitive Location Data: The FTC alleged that Mobilewalla collected data from real-time bidding sites and third-party aggregators, including sensitive consumer data such as visits to health clinics, places of worship, and military installations, and sold this data. Mobilewalla allegedly did this through bid requests on a real-time advertising bidding exchange, collecting and retaining the information in the bid requests whether or not it won the bid. The raw location data was not anonymized and could be used to identify individual consumers’ mobile devices and the sensitive locations they visited. The settlement with the FTC prohibits Mobilewalla from using, transferring, selling, and disclosing sensitive location data relating to health clinics, religious organizations, correctional facilities, labor union offices, LGBTQ+-related locations, political gatherings, and military installations.
International Updates:
- Italian Garante Fines OpenAI €15 Million and Issues Corrective Action: The Italian privacy supervisory authority, Garante Per La Protezione Dei Dati Personali, has closed its investigation into the collection of personal data through OpenAI’s ChatGPT. Garante found that OpenAI failed to provide notice of a 2023 data breach and violated transparency and legal basis requirements for its data collection and associated AI training practices. In addition to the €15 million fine, OpenAI will be required to carry out a 6-month communication campaign on radio, television, newspapers, and the internet to promote public understanding of ChatGPT, its collection practices, and how such data is used by the technology.
- EU’s Data Protection Board issues guidance on third-country authority requests for data transfers: The European Data Protection Board (EDPB) has issued guidance on how to handle requests from state authorities in third countries for personal data. Examples of such requests include requests for evidence in a criminal or civil case, or for financial transaction information. The guidance reinforces GDPR’s role in such scenarios. Under Article 48 of GDPR, which governs such data transfers, the lawful basis for the transfer must be assessed on a case-by-case basis; a third-country request is not automatically recognized or enforceable and must be carefully assessed by the data controller.
- Dutch Data Protection Authority Fines Netflix For Not Properly Informing Customers About Data Usage: Netflix has been fined €4.75 million by the Dutch Data Protection Authority (DPA) for failing to adequately inform customers about its handling of personal data between 2018 and 2020, violating GDPR requirements. The investigation, prompted by complaints from the Austrian NGO None of your business (noyb), revealed that Netflix’s privacy statement lacked clarity on critical points, including the purposes and legal basis for data collection, data sharing practices, retention periods, and measures for securing data transmitted outside Europe. The Dutch DPA emphasized the need for transparency, especially for a company of Netflix’s scale, and coordinated its findings and fine with other EU data protection authorities. Netflix has since updated its privacy practices but objected to the imposed fine.
- European Data Protection Board Releases Opinion on Personal Data Use in AI Model Development and Deployment: On December 17, 2024, the European Data Protection Board (“EDPB”) adopted Opinion 28/2024 regarding certain data protection aspects related to the processing of personal data in the context of AI models. Key points include whether an AI model which has been trained with personal data can be considered anonymous, considerations when relying on the legitimate interest basis for processing in an AI context, and the impact of unlawful processing on subsequent processing or operations of an AI Model.
Industry Updates:
- Guess Who’s Back, Back Again: Clop: The ransomware group Clop has again exploited a security vulnerability in a file transfer software product to exfiltrate a large amount of data from potentially thousands of organizations. The Clop group, best known for its attacks that leveraged zero-day vulnerabilities in file transfer applications such as MOVEit, GoAnywhere and Accellion to abscond with the data of thousands of victims at the same time, has this time exploited a zero-day vulnerability in the file transfer software Cleo Harmony, VLTrader, and LexiCom. The exploited vulnerability is tracked as CVE-2024-50623. Clop has begun to list victims on its leak site.
- Rhode Island Ransomware Attack May Affect Half of State Residents: Hackers infiltrated Rhode Island’s RIBridges system, which manages health and human services benefits, potentially exposing personal information of hundreds of thousands of residents, including Social Security numbers and banking details. The Brain Cipher ransomware group has claimed responsibility for the attack and is threatening to publish the stolen data if the ransom demand is not paid. Governor McKee stated in a press conference that approximately 650,000 people are believed to be impacted, with notification letters expected to be mailed in January.
International Data Protection Week – Webinar Series
Join Clark Hill’s Cybersecurity, Data Privacy and Technology team for three webinars in recognition of International Data Protection Week. It is a week to raise awareness of the importance of data privacy and to promote data protection practices. Topics include:
- A review of the evolving AI landscape, including key enacted laws, emerging legal challenges, and actionable strategies for businesses deploying AI technologies.
- An in-depth discussion on how the Digital Operational Resilience Act (DORA) will transform digital and operational resilience requirements in the financial sector and the obligations related to incident response and the adjustments businesses need to make to their existing programs to achieve compliance.
- The latest privacy and data breach litigation trends and challenges, including developments in Pixel litigation, BIPA, GIPA, CIPA, VPPA, standing issues, and defense strategies.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.