Right To Know - July 2024, Vol. 19
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
View previous issues and sign up to receive future newsletters by email here.
State Actions:
- Texas Attorney General Ramps Up Data Broker Registration Enforcement: Companies whose principal source of revenue is derived from collecting, processing, or transferring personal information are required to register as a data broker in the State of Texas under Chapter 509 of the Texas Business and Commerce Code. In June, the Texas Attorney General issued a press release stating that it had notified over 100 companies of their apparent failure to comply with this law. This is another signal of Texas’ efforts to ramp up protection of consumer privacy, following on the heels of the Attorney General’s establishment of a specialized team dedicated to enforcing Texas privacy law.
Regulatory:
- FCC Proposes Rule Mandating Broadband Providers Create BGP Security Plans: Border Gateway Protocol (BGP) is the protocol by which networks exchange routing information; it determines the path that a user’s traffic takes across the internet to reach a particular website. In recent years, the US has found, among other things, that threat actors and adversaries have misused BGP to reroute American internet traffic by announcing routes for address space they do not control (BGP hijacking). In an attempt to secure this routing protocol, the FCC is proposing to require broadband providers to create security plans around their use of BGP.
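The standard control for catching the origin hijacks described above is RPKI route origin validation (ROV): each announcement is checked against Route Origin Authorizations (ROAs) that state which AS may originate a prefix. The following is an added example, not code from the page or from the FCC proposal; the ROA table, prefixes and AS numbers are constructed from documentation and private ranges, and the three outcomes follow RFC 6811.

```python
"""Route-origin validation (RPKI ROV) of BGP announcements against a ROA table.

Added example: this is not code from the page or from the FCC proposal. The
ROAs, prefixes and AS numbers are constructed (documentation and private
ranges). The three outcomes follow RFC 6811: valid, invalid, not-found.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_asn may announce prefix and any
    more-specific of it down to max_length."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_asn: int


def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_asn)


# Constructed ROA table (assumption: what a validating cache would serve).
ROAS = [
    roa("203.0.113.0/24", 24, 64500),
    roa("198.51.100.0/22", 24, 64501),
    roa("2001:db8::/32", 48, 64500),
]


def rov_state(announced_prefix: str, origin_asn: int, roas: list[ROA] = ROAS) -> str:
    """Classify one announcement.

    not-found: no ROA covers the announced prefix (unprotected address space).
    valid:     a covering ROA matches the origin ASN and the announced prefix
               is no longer than that ROA's max_length.
    invalid:   ROAs cover the prefix but none match; this is the signature of
               an origin hijack or of a too-specific announcement.
    """
    pfx = ipaddress.ip_network(announced_prefix, strict=False)
    covering = [r for r in roas
                if r.prefix.version == pfx.version and pfx.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    if any(r.origin_asn == origin_asn and pfx.prefixlen <= r.max_length
           for r in covering):
        return "valid"
    return "invalid"


def check_updates(updates: list[tuple[str, int]],
                  roas: list[ROA] = ROAS) -> list[tuple[str, int, str]]:
    """Run ROV over (prefix, origin_asn) pairs, e.g. parsed from a route collector feed."""
    return [(p, asn, rov_state(p, asn, roas)) for p, asn in updates]


if __name__ == "__main__":
    # Constructed announcements: one legitimate, one hijack (wrong origin AS),
    # one too-specific announcement, one prefix with no ROA at all.
    sample = [
        ("203.0.113.0/24", 64500),
        ("203.0.113.0/24", 64666),
        ("198.51.100.0/25", 64501),
        ("192.0.2.0/24", 64502),
    ]
    for prefix, asn, state in check_updates(sample):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

A router configured to drop "invalid" routes would refuse the hijacked 203.0.113.0/24 announcement from AS64666 while still accepting the legitimate one; "not-found" prefixes remain accepted, which is why ROA coverage of a provider's own address space is the first item in any BGP security plan.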
- FCC Launches $200 Million Program to Improve Cybersecurity for Schools and Libraries: The FCC has approved a $200 million three-year pilot program to improve cybersecurity in schools and libraries, titled “The Schools and Libraries Cybersecurity Pilot Program.” This program aims to enroll a variety of schools and districts. Eligible schools and districts will be funded by the FCC at a minimum of $15,000 to at most $1.5 million. These funds may be used to secure the network under four categories: advanced or next generation firewalls; endpoint protection; identity protection and authentication; and monitoring, detection, and response.
- CISA and Partners Release Guidance for Modern Approaches to Network Access Security: On June 18, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and Canadian and New Zealand partners released Modern Approaches to Network Access Security. The guidance explores weaknesses in traditional remote access and virtual private network (VPN) solutions and explains emerging, more robust approaches like Zero Trust, Secure Service Edge (SSE) and Secure Access Service Edge (SASE). Secure remote access is critical for both on-premises and cloud services. The guidance provides information and best practices for businesses and organizations of all sizes to transition to more secure remote access using these emerging approaches.
Litigation & Enforcement:
- Meta Securities Fraud Action Over Disclosure Of Cambridge Analytica Breach Headed To Supreme Court: The United States Supreme Court agreed to hear the appeal in the securities fraud case brought against Meta. The plaintiffs allege, among other things, that Meta’s (then Facebook’s) 2016 risk disclosure was insufficient because it described the potential business impact of a data breach only as a hypothetical, even though Meta already knew about the Cambridge Analytica breach at the time. Meta denies the allegation, defending its disclosure as truthful and noting that the Cambridge Analytica breach was already known. The Supreme Court will hear arguments next term, and its decision will likely shape public companies’ obligations to disclose previously identified risks, including data breach and related risks, that have since materialized.
- 5th Circuit Rejects AI Rule: Based on significant negative comment, the United States Court of Appeals for the Fifth Circuit decided not to adopt a proposed rule governing the use of AI in briefs filed with the court. Complaints about the proposed rule included that existing rules were sufficient and the proposed rule lacked clarity. The Fifth Circuit reminded parties that “‘I used AI’ will not be an excuse” for non-compliance with existing rules or lack of truthfulness or inaccuracy in filed briefs.
- Seventh Circuit Confirms Limits Of Privacy Of Electronic Devices At The Border: Agreeing with “the uniform view of [its] sister circuits,” the Seventh Circuit, on June 10, ruled that searching electronic devices at the border does not require a warrant or probable cause, and that a “routine, manual search” does not require “individualized reasonable suspicion.” Specifically, the Court held that a manual search (scrolling the photo gallery) of the defendant’s mobile phone by an airport Customs and Border Protection agent was a “routine search” and did not require any individualized suspicion of the defendant by the agent.
- Attorneys Appeal $78 million Fee Award for Class Lawyers: Attorneys representing objectors to the T-Mobile class action data breach settlement argued to the Eighth Circuit Court of Appeals that the $78 million attorney fee award approved by the District Court was improper and a “windfall.” The settlement resolved privacy claims involving an estimated 76 million T-Mobile customers whose personal information was compromised in a data breach in 2021. The breach did not affect financial information but did compromise sensitive personal identifiers such as names, addresses, dates of birth, ID information and even some Social Security numbers. Robert Clore, an attorney representing one of the appellants, argued “This is exactly the kind of case that causes the public to scoff at class actions…My client gets 25 bucks, and these attorneys are walking away with $7,000 to $10,000 per hour.”
Defending the settlement, one of the attorneys representing the class, Bradley Wilders, told the three-judge panel that the challengers were “serial” class action objectors who were motivated by financial self-interest. In one of the filed briefs, Wilders said class counsel so far had invested more than 9,100 hours in the litigation. “Of the more than 76 million Class members, only two appealed,” he wrote.
- Class Action Settlement Provides Profit Sharing with Class Members: Clearview AI, a facial recognition technology company, has reached a settlement in twelve class action cases consolidated in a multi-district litigation alleging that Clearview’s collection of faces from online sources, and its marketing and sale of access to that collection, violated individuals’ privacy rights. The settlement involves a unique structure in which, instead of paying specified amounts of monetary damages and attorneys’ fees out of a specified fund, the amount available for payment to class members and attorneys is based on either (at the Class’s option) an amount equal to (a) a “23% stake in Clearview as of September 6, 2023,” or (b) “17% of Clearview’s GAAP recognized revenue” between final approval of the settlement and election of the option. The plaintiffs’ attorneys noted in their filing seeking approval that the value could be over $50 million. This interesting structure, in a sense, gives ownership of the biometric data back to the affected class members. The assigned judge gave preliminary approval to the settlement on June 21, 2024.
- DOJ to Take Action Against TikTok: The FTC has referred its complaint against TikTok and its parent company ByteDance to the Department of Justice (“DOJ”). The DOJ will now continue the investigation and move forward with litigation of the allegations that the two companies violated the Children’s Online Privacy Protection Act by collecting information from children under 13 without parental consent and engaged in deceptive trade practices in violation of the FTC Act. This is a continuation of previous enforcement actions taken by the FTC against TikTok’s predecessor Musical.ly.
- California Attorney General Announces $500,000 Settlement With Online Gaming Company for Violations of the CCPA and COPPA: On June 18, 2024, the California Attorney General announced a third settlement under the California Consumer Privacy Act as well as the Children’s Online Privacy Protection Act. Tilting Point Media LLC, maker of the mobile app game “SpongeBob: Krusty Cook-Off”, is alleged to have used age screens that did not ask for the user’s age in a neutral manner, allowed children under 13 to consent to receiving personalized advertising without verifiable parental consent, and processed the personal information of children who self-identified as under 13 without verifiable parental consent and of children who self-identified as between 13 and 15 without the consumer’s consent. The California Attorney General also stated that Tilting Point Media’s advertising to children used deceptive tactics and that its privacy policy was ambiguous and incomplete regarding the use of personal information for targeted and behavioral advertising. As part of the settlement, Tilting Point must pay $500,000 in civil penalties and comply with injunctive terms ensuring lawful data collection and disclosure, including obtaining parental consent.
- United States District Court Judge Vacates HHS OCR’s Online Tracking Guidance: On June 20, 2024, a United States District Court Judge in Texas ruled that Department of Health and Human Services (HHS) Office for Civil Rights (OCR) guidance restricting hospitals and other medical providers from using online tracking technologies that capture IP addresses on portions of their public-facing webpages was unlawful. The guidance was issued in December 2022 after OCR began receiving an increasing number of complaints that healthcare entities were mishandling patients’ information as a result of using analytics technologies made available by third-party companies that gathered data about website visitors. The American Hospital Association, the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System sued the federal government and moved for summary judgment to enjoin HHS OCR’s enforcement of the guidance. In response, HHS OCR revised its guidance on using online tracking technologies in March 2024. The plaintiffs argued that the revised guidance was still unlawful. The judge agreed and vacated the guidance, stating that it improperly created substantive legal obligations for covered entities.
International Updates:
- Irish Websites Targeted During Elections: The Irish Times reported that, during the recent local council and European Parliament elections held in Ireland, several government websites were targeted by Russia-based hackers. These included voter registration portals, the Houses of the Oireachtas (the website of Ireland’s parliament) and Transport for Ireland. According to the National Cyber Security Centre, these were DDoS attacks. The attacks on Irish web infrastructure were not isolated; other countries suffered similar attacks the same week. Interestingly, given the nil or close-to-nil damage inflicted, the theory is that the attacks were a signal by the hacker groups (primarily HackNeT) of support for Moscow.
- UN Chief Weighs in on Rise in Cybersecurity Incidents: António Guterres, the United Nations Secretary General, has issued a stark warning about cyber threats increasing in volume. He referred to the weaponization of technology and how new technologies create new vulnerabilities. He also touched on the misuse of technology to spread misinformation and division. The warnings were issued alongside a call to action for the upcoming Summit of the Future in September.
Industry Updates:
- CISA Highlights Mitigation Guidance for Snowflake Users: On June 2, Snowflake, a cloud-based data platform offering data storage and analytics services, began reporting an increase in threat activity targeting its customers’ accounts. On June 3, CISA released guidance for users on steps to prevent access by unauthorized actors. Some Snowflake customers had large amounts of data, including sensitive customer information, exfiltrated from their Snowflake instances after a threat actor obtained stolen login credentials for those accounts. The affected accounts appear not to have had multi-factor authentication enabled for human users, nor key pair authentication or OAuth for service accounts. Snowflake released instructions for Detecting and Preventing Unauthorized User Access on June 11, 2024.
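The two gaps named above (password-only human logins and service accounts authenticating with passwords instead of key pairs or OAuth) are both visible in login telemetry. The following added example, not Snowflake’s or CISA’s published queries, runs that hunt over constructed records whose keys mirror the columns of Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY view; the “SVC_” naming convention for service accounts and the 10.20.0.0/16 egress range are assumptions for the example.

```python
"""Hunting single-factor credential use in Snowflake-style login history.

Added example: this is not Snowflake's or CISA's published detection query.
The records are constructed, but their keys mirror columns of Snowflake's
ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP,
FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS).
Assumptions: service accounts carry an 'SVC_' prefix, and 10.20.0.0/16 is
the organisation's expected egress range.
"""
import ipaddress
from collections import defaultdict

SERVICE_ACCOUNT_PREFIX = "SVC_"                        # assumed naming convention
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed trusted egress range
# Factors acceptable for non-interactive accounts (key pair or OAuth).
SERVICE_OK_FACTORS = {"RSA_KEYPAIR", "OAUTH_ACCESS_TOKEN"}

# Constructed sample rows, shaped like ACCOUNT_USAGE.LOGIN_HISTORY.
LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-06-01T08:02:11Z", "USER_NAME": "ALICE",
     "CLIENT_IP": "10.20.1.5", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-06-01T03:14:02Z", "USER_NAME": "BOB",
     "CLIENT_IP": "203.0.113.7", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-06-01T04:00:00Z", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "10.20.2.9", "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-06-01T04:05:30Z", "USER_NAME": "SVC_REPORT",
     "CLIENT_IP": "198.51.100.4", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-06-01T05:20:45Z", "USER_NAME": "CAROL",
     "CLIENT_IP": "203.0.113.9", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]


def is_service_account(user_name: str) -> bool:
    return user_name.upper().startswith(SERVICE_ACCOUNT_PREFIX)


def classify(rec: dict) -> list[str]:
    """Return the findings for one login record.

    human-no-mfa:             interactive user authenticated with a password only.
    service-account-password: non-interactive account not using key pair / OAuth.
    outside-allowed-network:  source IP outside the expected egress range, which
                              a Snowflake network policy would have blocked.
    Failed attempts are skipped; they belong in a separate brute-force check.
    """
    if rec["IS_SUCCESS"] != "YES":
        return []
    findings = []
    first = rec["FIRST_AUTHENTICATION_FACTOR"]
    second = rec["SECOND_AUTHENTICATION_FACTOR"]
    if is_service_account(rec["USER_NAME"]):
        if first not in SERVICE_OK_FACTORS:
            findings.append("service-account-password")
    elif first == "PASSWORD" and second is None:
        findings.append("human-no-mfa")
    ip = ipaddress.ip_address(rec["CLIENT_IP"])
    if not any(ip in net for net in ALLOWED_NETS):
        findings.append("outside-allowed-network")
    return findings


def hunt(records: list[dict]) -> dict[str, list[str]]:
    """Aggregate findings per user, de-duplicated and sorted for stable reporting."""
    per_user: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        for finding in classify(rec):
            per_user[rec["USER_NAME"]].add(finding)
    return {user: sorted(fs) for user, fs in per_user.items()}


if __name__ == "__main__":
    for user, findings in hunt(LOGIN_HISTORY).items():
        print(f"{user:<12} {', '.join(findings)}")
```

In production the same three predicates run as a query against the LOGIN_HISTORY view; the point of the example is that a successful password-only login from an unfamiliar network is exactly the pattern a stolen-credential intrusion leaves behind, and that it is detectable from the account’s own telemetry without any attacker tooling in view.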
- Biden Bans the Kaspersky Security Software Effective Immediately: The Department of Commerce reviewed whether transactions involving cybersecurity and anti-virus software supplied by Kaspersky Lab, Inc. pose an undue or unacceptable risk to US national security. Its final determination prohibits Kaspersky and its affiliates from engaging in such transactions in the US. The review concluded that Kaspersky’s products create vulnerabilities that the Russian Federation could exploit. Consumers are advised to seek alternative anti-virus products as a result of this ban.
- Center for Internet Security Releases Version 8.1 of the CIS Controls: On June 25, 2024, the Center for Internet Security, Inc. (CIS) released Version 8.1 of the CIS Critical Security Controls (CIS Controls). The CIS Controls are a prioritized set of Safeguards to mitigate the most prevalent cyberattacks against systems and networks, currently containing 18 controls. The revised version incorporates new asset classes and introduces an additional security function, governance. The addition of governance recognizes the importance of managing and minimizing data from creation or receipt through final disposition. It follows the recently released National Institute of Standards and Technology (NIST) Cybersecurity Framework, Version 2, which adds Govern as a core cybersecurity function. For businesses and organizations that use the CIS Controls, the updated version provides details for addressing governance in their cybersecurity programs. For those newly adopting the CIS Controls, it provides a more comprehensive approach, including governance.
- Microsoft Pumps the Brakes on Recall: Microsoft announced on its Windows Experience blog that, as a result of privacy and security concerns, it is delaying the release of Recall, its artificial intelligence-powered search software that takes periodic screenshots of users’ screens and makes this data searchable while storing it locally on the user’s device. The Windows Insider Community expressed concerns about how this data was going to be encrypted in conjunction with “just in time” decryption and whether Microsoft was doing enough to ensure that unauthorized persons were unable to access this sensitive information. In its blog post, Microsoft stated that Recall will be turned off by default on Copilot+ PCs. Windows Insider Program users must opt in to saving snapshots using Recall. Enrollment in Windows Hello, which allows users to access their Windows devices using facial recognition, fingerprint, or a PIN, is required to enable Recall.
- New MOVEit Vulnerability Being Exploited: Following on the heels of the massive 2023 data breach caused by a vulnerability in Progress Software’s MOVEit Transfer software, a new vulnerability has been reported. MOVEit Transfer is used to “securely” transfer data between parties. Because the software is intended for securely moving data, it often handles highly sensitive data or information, making vulnerabilities a serious concern. In 2023, vulnerabilities in that software allowed access to the personal information of an estimated 62 million individuals worldwide. Progress urged organizations to patch their MOVEit software immediately.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.