Right To Know - June 2024, Vol. 18
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
State Actions:
- BIPA Amendment Passes Illinois House – Sent to Governor: Last month’s Right to Know mentioned Illinois Senate Bill 2979, which is designed to limit the damages available under Illinois’ Biometric Information Privacy Act. On May 16, 2024, the Illinois House also passed the same bill. Governor Pritzker is expected to sign the bill into law. Upon signing, the amendments become effective immediately.
- Colorado’s AI Act Signed into Law: On May 17, 2024, Colorado’s governor signed an AI act into law. The law aims to regulate the private-sector use of AI systems and address discrimination arising from the use of the technology. The law defines a covered high-risk AI system as one that “when deployed, makes, or is a substantial factor in making a consequential decision,” and requires developers of such systems to take steps to avoid algorithmic discrimination and to document those efforts. The law also requires disclosures when any AI interacts with consumers. The law will be enforced by the Colorado Attorney General and does not provide for a private right of action. The law will go into effect on February 1, 2026.
Regulatory:
- HHS OCR Updates Guidance on Change Healthcare Notifications: HHS OCR previously stated that every individual organization that was affected by the Change Healthcare incident would have to notify HHS OCR individually. HHS OCR has since updated its guidance so that “All of the required HIPAA breach notifications may be performed by Change Healthcare.”
- US Sanctions 911 S5 Botnet: On May 28, 2024, the US Department of the Treasury’s Office of Foreign Assets Control designated three individuals associated with the malicious botnet tied to 911 S5, and also sanctioned three entities owned by one of the individuals. The 911 S5 botnet was a service that compromised computers and allowed threat actors to proxy their internet connections through the compromised computers to hide the threat actors’ actual locations. The 911 S5 botnet compromised 19 million IP addresses and facilitated fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act, costing the US government billions of dollars.
- SEC Charges Intercontinental Exchange and Affiliates with Failing to Report a Cyber Intrusion – $10 Million Penalty: On May 22, 2024, the Securities and Exchange Commission announced that The Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million penalty to settle charges that it caused nine wholly-owned subsidiaries, including the New York Stock Exchange, to fail to timely report a cyber intrusion to the SEC. The SEC alleged that ICE determined that a threat actor had compromised remote access to ICE’s network, but ICE did not notify its subsidiaries for several days. Because of this delayed notice, those subsidiaries did not properly assess the intrusion and did not comply with their independent regulatory obligations to immediately contact SEC staff about the intrusion, as required by Regulation Systems Compliance and Integrity (Regulation SCI).
- White House Publishes Principles to Protect Workers from Risks of Artificial Intelligence: On May 16, 2024, the White House published principles intended to protect workers in every industry when AI is used in the workplace. These principles are a guiding framework that should be considered at all stages of AI development, and they apply to both the development and deployment of AI systems. The principles provide best practices for employers’ use of AI: informing workers about the use of AI in the workplace and encouraging their input in its ethical use, using employee data collected by AI responsibly, and protecting workers’ rights. The White House also announced that Microsoft and Indeed committed to adopting these principles.
- SEC Adopts Rules for Reporting Data Breaches: The SEC announced the adoption of amendments to Regulation S-P that were proposed last year. The Amended Rules impose additional requirements on registered investment advisers, investment companies, broker dealers and transfer agents with respect to the handling of non-public consumer information. The Amended Rules address incident response plans, customer notifications, service provider oversight, and expand the scope of safeguards and other items.
Litigation & Enforcement:
- TikTok Divestment Case On Expedited Schedule: On May 28, the United States Court of Appeals for the District of Columbia Circuit set an expedited schedule for TikTok’s and ByteDance’s challenge to the recent law ordering ByteDance to divest itself of TikTok or have it banned. Under the order, the case will be argued in September.
International Updates:
- New UK Law Requires Stricter Security Standards for IoT Devices: The UK is the first country to start requiring stricter security standards for IoT devices. The landmark law, enacted as part of the Product Security and Telecommunications Infrastructure (“PSTI”) regime, requires manufacturers of IoT devices to implement changes such as stronger default passwords, required default password changes during setup, and the provision of clear information regarding security updates. The UK is aiming to help avoid the compromise of IoT devices and their use in large botnets for cyber-attacks.
- The Netherlands Data Protection Authority Releases Report on Use of Facial Recognition Programs: On May 2, the Netherlands’ data protection authority, Autoriteit Persoonsgegevens (“the AP”), released a report answering frequently asked questions on the use of facial recognition programs. Facial recognition is prohibited in most cases, but there are exceptions. One such exception is that the technology can be used if it is necessary for authentication or security purposes.
- France’s Data Protection Authority Published Guidance on Nursing Home Surveillance: On May 2, France’s data protection authority, the Commission nationale de l’informatique et des libertés (“the CNIL”), published guidance on the installation of surveillance devices in nursing home residents’ rooms. The guidance was published due to concerns of elder abuse following media coverage of cases of mistreatment within nursing home establishments. The CNIL specified that the surveillance devices should only be installed in exceptional circumstances to ensure the safety of a resident of an establishment as part of an investigation into mistreatment. The devices are only permitted in the event of a substantial suspicion of mistreatment of a resident and after the failure of the nursing home’s own investigation procedures. The CNIL has included a number of conditions and guidelines in its recommendation that must be considered prior to installation of a surveillance device. The establishment will also be required to undertake a data protection impact assessment.
- MasterCard Opens European Cyber Resilience Centre: Following a trend of other large multinationals in the payment processing space, MasterCard has opened a European hub for cybersecurity resilience. Located in Belgium, the centre will “sharpen defenses against cyber threats, speed up response times and serve as a hub for thought leadership.” The centre will work with private and public sector bodies.
- Disruptive Attacks Have Doubled in 2024: In an interview with the Associated Press, Juhan Lepassaar, chief of ENISA (the EU cybersecurity agency), stated that disruptive cyberattacks in the EU have doubled in recent months. He noted that geopolitically motivated attacks have increased since the Russian invasion of Ukraine over two years ago. This is a relevant development because many of these attacks target democratic functions, and 2024 is a year in which a significant portion of the world’s population will go to the polls.
- Quebec Publishes the Final Version of its Regulation Concerning the Anonymization of Personal Information: On May 15, 2024, the government of Quebec published the final version of the regulation regarding the anonymization of personal information. The regulation establishes the compliance requirements for public bodies and the private sector when anonymizing personal information. The regulation sets out a process requiring organizations to take several steps before, during and after anonymizing personal information. Most of the regulation became effective on May 30, 2024, apart from the requirement to record certain prescribed information in a register, which will be effective beginning on January 1, 2025.
Industry Updates:
- The Department of Health and Human Services Provides $50 Million to Enhance Hospital Cybersecurity: The Department of Health and Human Services’ research funding agency (the Advanced Research Projects Agency for Health or ARPA-H) is providing $50 million to developers who can assist in building automated tools that develop and deploy software patches more quickly than is currently available. Addressing vulnerabilities in health care and data security is a challenge that ARPA-H is uniquely positioned to address.
- Cyber Attack Affects More Than a Dozen Large Pharmaceutical Companies: Pharmaceutical industry support company, Cencora Inc., and its affiliate Lash Group, suffered a cyber attack in February 2024. Last week, large pharmaceutical clients of Cencora started filing breach notices to state attorneys general regarding the data breach. So far, there are 15 known companies that have been affected along with hundreds of thousands of individuals for whom data was exfiltrated.
- Backdoor Found in Courtroom Recording Software: Recently, a backdoor was found installed in a version of JAVS Viewer, recording software used in courtrooms. Users have been urged to re-image impacted endpoints, reset credentials, and update to the latest version of the software. The backdoor allows threat actors to gain full control of the affected system. This includes giving threat actors unauthorized remote access and the ability to download payloads with capabilities to scrape browser credentials.
- Center for Internet Security Releases “A Guide to Defining Reasonable Cybersecurity”: On May 9, 2024, the Center for Internet Security (CIS) released “A Guide to Reasonable Cybersecurity” “to provide practical and specific guidance to organizations seeking to develop a cybersecurity program that satisfies the general standard of reasonable cybersecurity.” The Guide suggests a risk-based analysis for identifying minimally adequate information security protections that can be used for implementing a cybersecurity program and for assessing security protections after compromise of protected information. It also explores how the CIS Critical Security Controls® can be used prescriptively and to assess whether reasonable cybersecurity measures were taken. The Guide provides one organization’s analysis of “reasonable security,” using a widely accepted set of controls. In practice, whether security was reasonable is likely to be analyzed, with hindsight, by regulators, judges, and juries.
- United Health Group Confirms $22 million Ransom Payment: United Health Group confirmed during U.S. Senate Finance Committee testimony that it paid $22 million to cybercriminals who attacked its subsidiary Change Healthcare. The Change Healthcare attack left many doctors unable to fill prescriptions or get paid for services. In response, Senator Ron Wyden of Oregon remarked that this incident served as a “dire warning about the consequences of too-big-to-fail mega-corporations” and the obligations such corporations have to protect their customers.
- Kaiser Permanente Patient Information Exposed to Third Parties: On April 12, Kaiser Permanente disclosed to the U.S. Department of Health and Human Services that information belonging to 13 million patients, including IP addresses, names, interactions with Kaiser websites, and search terms used on Kaiser websites, was disclosed to third parties (including Google, Microsoft Bing, and X), likely through the use of tracking software on Kaiser’s website. Kaiser has stated that the software in question has been removed. But the incident again raises the issue of companies monitoring the tracking software used on their websites and the potential repercussions of such use. Studies have found that 98.6% of non-federal acute care hospitals in the U.S. use third-party tracking tools on their websites.
- First Director for the EU AI Office Named: The European Commission has named Lucilla Sioli as the Director of the EU AI Office. This appointment comes after a restructuring of an existing unit dealing with AI within the commission. The department will focus on regulation and compliance, safety, excellence and robotics, AI for societal good, as well as innovation. The appointment is effective as of June 16.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.