
Right To Know - October 2024, Vol. 22

October 21, 2024

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here. 


State Action:  

  • California Governor Signs Bill Addressing Training Data Transparency in Generative Artificial Intelligence: On Sep. 28, California Governor Gavin Newsom signed Assembly Bill (AB) 2013, which will require developers of generative artificial intelligence systems or services to post documentation on their websites about the data used to train the system or service. Developers will need to disclose, among other things, whether the training data is copyrighted, in the public domain, or includes personal data. There are exceptions if the generative artificial intelligence system or service (1) has the sole purpose of ensuring security and integrity, (2) has the sole purpose of operating aircraft in the national airspace, or (3) is developed for national security, military, or defense purposes and is made available only to a federal entity.
  • Kansas Town’s Water Facility Moves to Manual Operation Because of Cyberattack: Arkansas City, Kansas was forced to move to manual operations at its water treatment facility as part of its response to a cyberattack that occurred on Sep. 22. The attack, suspected of being ransomware, did not affect the water supply. Attacks on water treatment facilities are common and highlight, once again, the importance of cybersecurity protections for critical infrastructure.

Regulatory:  

  • OCR Announces $250,000 Settlement Involving Ransomware: The Office for Civil Rights (OCR) has settled with Cascade Eye & Skin Centers, P.C. following a ransomware attack that compromised the electronic protected health information (ePHI) of its patients. As part of the settlement, Cascade agreed to pay a $250,000 penalty and adopt a corrective action plan to address vulnerabilities in its data security practices. The OCR’s investigation revealed that Cascade had failed to conduct a comprehensive risk analysis and did not adequately implement safeguards to protect against such attacks, in violation of HIPAA’s privacy and security rules. This is the fourth settlement involving ransomware, and the third announced this year, highlighting the OCR’s renewed focus on these types of incidents.
  • PA Attorney General Opens New Online Data Breach Reporting Portal: On Sep. 16, the Pennsylvania Attorney General’s Office announced the opening of a new online portal for reporting data breaches as required under Pennsylvania’s amended Breach of Personal Information Notification Act. The amendments became effective on September 26, 2024. For breaches involving more than 500 affected Pennsylvania residents, the amendments require (1) notice to the Pennsylvania Attorney General at the same time that notice is sent to affected residents (excluding entities covered by the Pennsylvania insurance data security law), (2) notice to consumer reporting agencies (reduced from more than 1,000 residents), and (3) for defined kinds of personal information, assumption of all costs and fees of providing a credit report and credit monitoring for 12 months. The time for reporting remains “without unreasonable delay,” with a law enforcement exception. The amendments also require reporting breaches of “medical information in the possession of a state agency or state agency contractor.” In addition, the definition of “breach” is expanded to include data that is only “accessed” (rather than “accessed and acquired”).
  • Irish Data Protection Commission Fines Meta €91m: The Irish Data Protection Commission (DPC) fined Meta, the owner of Facebook, €91m and issued a reprimand arising from the DPC’s investigation into the storage of users’ passwords in plaintext (unencrypted and unhashed) on Meta’s servers. Meta initially notified the DPC of the issue in 2019, and a DPC inquiry followed. The decision finds several breaches of the GDPR, including Article 5(1)(f), for not using appropriate technical or organisational measures to ensure appropriate security against unauthorized processing, and Article 33, for failure to notify the DPC of the personal data breach and failure to document it.
  • FTC Announces Crackdown on Deceptive Artificial Intelligence Claims and Schemes: As part of Operation AI Comply, the Federal Trade Commission announced enforcement actions against five companies that it said used artificial intelligence in deceptive and unfair ways. In response to the complaint against it, DoNotPay (a company claiming to offer AI legal services) agreed to pay $193,000 and provide a notice to consumers who subscribed to the service. The FTC also took action against Ascend Ecom, Ecommerce Empire Builders, and FBA Machine for false claims that their AI-powered tools would help consumers build ecommerce businesses generating significant income. The FTC also settled with a company called Rytr for engaging in unfair business practices by offering an AI writing tool with a feature that allowed users to generate fake product reviews, which could flood the marketplace and harm both consumers and honest competitors.
  • FTC Report Finds Vast Social Media Surveillance and Inadequate Safeguards: The FTC, in a new staff report, discussed findings from its examination of data collection and use by major social media and streaming services. The report was based on information requests sent to nine of the largest social media and streaming services, including Amazon, Facebook, YouTube, TikTok, and Reddit. The report found that the companies in question gathered enormous amounts of information about users of their sites, including through surveillance of their activity, and then monetized that personal data for their own benefit. The report further found that protections for that data were often woefully inadequate. The report also noted that the largest collectors were positioned to “achieve market dominance,” which could lead to harmful practices.
  • LinkedIn Halts AI Data Processing in UK Amid Privacy Concerns Raised By ICO: The Microsoft-owned company LinkedIn has halted the use of UK users’ data for training AI models after concerns were raised by the UK’s Information Commissioner’s Office (ICO). The ICO welcomed the move, which follows LinkedIn’s initial practice of automatically opting all users in to the use of their data for AI training. LinkedIn says that user control over personal data is a top priority for the company and has now provided UK users the option to opt out. The platform, like other tech companies, uses user-generated content to enhance AI tools, such as resume drafting. This pause mirrors actions by other firms such as Meta, which faced similar regulatory challenges in the UK and EU.

Litigation & Enforcement:  

  • GIPA Cases Continue to Proceed: Following up on our recent alert on two key decisions under Illinois’ Genetic Information Privacy Act, another similar claim has been allowed to move beyond a motion to dismiss. In Ginski v. Ethos Seafood Group, LLC, the Northern District of Illinois, after finding the parties did not agree to arbitrate the claim, allowed the plaintiff to continue her putative class action case. The court noted that GIPA did not require that the genetic information that was requested was used for discriminatory purposes — the information merely being requested in a pre-employment physical examination was sufficient. The court also rejected the defendants’ argument that the request for the genetic information was “inadvertent,” noting that the defendants required physical examinations as part of the hiring process, and that the fact that the information was requested by a third-party, rather than the defendants, did not change that result.  The court also rejected the defendants’ other arguments, including that the information requested was not “genetic information” under the statute, and that the plaintiff’s claims were time barred.
  • First Circuit Enforces Arbitration Clause in Clickwrap: The plaintiff brought a putative class action against Everly Health, Inc. and Everly Well, Inc. for “deceptively market[ing] its tests and mislead[ing] consumers into providing their personal medical information for [defendants’] commercial use.” The defendants claimed the plaintiff was bound by an arbitration clause and a class action waiver and requested that the court compel arbitration or, alternatively, dismiss the complaint. The district court granted the motion to compel arbitration, and the plaintiff appealed. The First Circuit affirmed the order compelling arbitration.  The court noted that when the plaintiff signed up for an account, she was required to click a box indicating she “read and accept[ed] the Terms and Conditions,” which contained a mandatory arbitration clause. The court also pointed out that the link to the relevant terms was next to the checkbox, was on the sign-up page, and was bolded in green. Further, the court noted that requiring the plaintiff to click a box (as opposed to a browsewrap license that requires no action other than continuing to use a site) provided an indication of acceptance. After finding that the plaintiff agreed to the arbitration clause, the court then found that the clause was valid and enforceable.
  • HHS Withdraws Appeal of North Texas District Court’s Ruling on Tracking Technologies: The US Department of Health and Human Services has withdrawn its appeal of the June 20 decision by the United States District Court for the Northern District of Texas. The district court previously found that the HHS OCR bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” was promulgated in excess of HHS’ authority under HIPAA.
  • FCC Reaches Settlement with T-Mobile Requiring Multi-Million Dollar Investment in Cybersecurity: The Federal Communications Commission (“FCC”) has reached a multi-million dollar settlement with T-Mobile following the FCC’s investigation of multiple cybersecurity incidents suffered by T-Mobile in 2021, 2022, and 2023. The settlement requires T-Mobile to invest $15.75 million in its cybersecurity program and pay a civil penalty of $15.75 million. FCC Chairwoman Jessica Rosenworcel stated, “Today’s mobile networks are top targets for cyber criminals. Consumers’ data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences.” This appears to be a significant warning to all major wireless carriers regarding what is now expected of them.
  • FBI Disrupts a China State-Sponsored Hacker Group: On Sep. 18, the Justice Department announced a court-authorized law enforcement operation that disrupted a botnet consisting of more than 200,000 consumer devices in the US. The botnet devices were infected by China state-sponsored hackers known to the private sector as “Flax Typhoon.” The botnet malware infected consumer devices such as routers, internet protocol cameras, digital video recorders, and network-attached storage devices. The group then used the botnet to conduct malicious cyber activity disguised as routine internet traffic. The FBI was able to take control of the hackers’ command infrastructure and send commands that disabled the malware on the infected devices.
  • CrowdStrike Executive Apologizes for Global Outage: A senior executive at CrowdStrike, a cybersecurity company, appeared before Congress on Sep. 24 to apologize for the outage that grounded thousands of flights in late July. CrowdStrike described the event as a “perfect storm” and answered questions from Congress specifically related to the role of AI in CrowdStrike’s platforms. Lawmakers raised concerns about the incident’s impact on national security and the role of AI and cybersecurity controls moving forward. Despite facing lawsuits related to the incident, CrowdStrike emphasized that it would collaborate with the government and share lessons learned.
  • 17-Year-Old-Boy Arrested over London Transport Cyber Hack: A 17-year-old boy has been arrested in connection with a cyberattack affecting Transport for London (TfL), which may have exposed the bank details of around 5,000 customers. The attack led to the breach of sensitive data, including names, emails, and addresses. The teenager was arrested on Sep. 5 in Walsall on suspicion of Computer Misuse Act offenses. TfL and the National Crime Agency (NCA) are working with the National Cyber Security Centre (NCSC) to mitigate risks, and affected customers are being contacted directly.
  • Treasury Targets Russian Virtual Currency Exchanges and Cybercrime Facilitator: The U.S. Department of the Treasury, in coordination with international partners, is taking action against Russian cybercrime services by designating virtual currency exchangers PM2BTC and Cryptex, along with Russian national Sergey Sergeevich Ivanov, as facilitators of money laundering and cybercrime. PM2BTC is labeled as a “primary money laundering concern” due to its involvement in laundering virtual currency for ransomware and other illicit activities. Concurrently, Cryptex, operating in Russia, is linked to millions in ransomware proceeds. U.S. agencies, alongside Dutch authorities, have seized related infrastructure, and the Treasury’s actions aim to safeguard U.S. financial security by cutting off these entities from the market. The U.S. is also offering a reward for information leading to Ivanov’s arrest, as part of a broader effort to dismantle cybercrime networks operating within Russia’s jurisdiction.
  • Man Pleads Guilty to Cryptocurrency Theft Impacting 571 Victims: Evan Frederick Light, an Indiana resident, has pleaded guilty to stealing over $37 million in cryptocurrency from clients of an unnamed investment holdings company. In 2022, Light and his co-conspirators impersonated a current client of the investment company and gained unauthorized access to its systems. Once inside, the thieves exploited vulnerabilities in the network to steal clients’ personally identifiable information as well as cryptocurrency assets. Light and his co-conspirators sent the currency through a variety of coin mixing services in an attempt to protect their identities and hide the trail of the cryptocurrency. The FBI was nonetheless able to identify and arrest Light. Light now faces up to 20 years of imprisonment per count.
  • Government Required to Pay for Additional Security of Protected Health Information Produced to It in Civil Discovery: In S. v. Anthem, Inc., No. 20-CV-2593 (S.D.N.Y., June 12, 2024), the court established a new test for which party bears the cost of security of data produced in discovery in civil cases. The case is a Medicare whistleblower case in which the defendant produced to the government data that included Protected Health Information under the Health Insurance Portability and Accountability Act. The government proposed to provide a HITRUST-certified level of security, while the defendant proposed a higher level of security. The court found that the higher level of security was warranted and that the government, the party receiving the discovery, was required to bear the cost of providing it. The court adapted an established general test for cost sharing in e-discovery to costs for providing security. The test weighs the following nonexclusive factors: “1) the nature of the information to be protected and risks and costs associated with unauthorized disclosure of such information; 2) the reasonableness of the security measures requested by the producing party (which can include an evaluation of the degree of risk mitigated by the security requested relative to less costly security measures); 3) the cost of the data security requested relative to the overall costs of discovery and amount in controversy; and 4) relative ability of the parties to pay the costs of the security requested by the producing party.” Required security of confidential data in discovery and allocation of the cost of providing it are likely to have increasing importance in today’s cyber threat environment and, where appropriate, should be addressed early in the meet and confer process.

International Updates:  

  • French Data Protection Authority Fines CEGEDIM SANTÉ €800,000: The Commission Nationale de l’Informatique et des Libertés (“CNIL”), the French Data Protection Authority, has imposed a fine of €800,000 on CEGEDIM SANTÉ for processing health data without authorization. CEGEDIM SANTÉ is a corporate entity that publishes and sells practice management software for general practitioners working in surgeries and health centers. The software developed by CEGEDIM SANTÉ enables doctors to manage their diaries, patient files, and prescriptions. The CNIL carried out inspections in 2021 which revealed that CEGEDIM SANTÉ had processed non-anonymized health data without authorization and transmitted it to its customers in order to carry out studies and produce statistics in the health sector.
  • Transatlantic Data Transfer News: Standard Contractual Clauses to be Updated, with Public Input: Adoption of the EU Commission-approved model data protection clauses (standard contractual clauses or SCCs) can be a valid method to lawfully transfer personal data from the EEA to a third country in the absence of an adequacy decision. The clauses were last updated in June 2021 and the target date for issuance of the revised clauses is Q2 2025. The aim is to address gaps in the existing SCCs that the European Data Protection Board has identified based on various scenarios.

Industry Updates:   

  • Kaspersky Pulls a Switcheroo on Its Way Out of the United States Market: Recently, Kaspersky has begun deleting itself from customers’ systems and, apparently without informing customers or getting their approval, installing a different anti-virus product, UltraAV, in its place. Earlier this year, the US Government banned Kaspersky from “directly or indirectly providing anti-virus software and cybersecurity products or services” in the United States, citing the risk that its access to customers’ systems might be co-opted by the Russian government. Following the ban, Kaspersky planned to shut down its operations in the United States, resulting in the self-deletion. The installation of UltraAV caught Kaspersky’s former customers by surprise.
  • NIST Updates Password Guidelines: The National Institute of Standards and Technology (NIST) released the second public draft of its Digital Identity Guidelines (SP 800-63-4). Under the draft guidelines, NIST plans to eliminate outdated practices such as mandatory password composition rules (e.g., requiring a mix of cases, digits, and symbols) and periodic forced password resets; a change would instead be required only when there is evidence the password has been compromised. In their place, the draft prioritizes length: verifiers must accept passwords of at least 8 characters, should require at least 15, and must allow passwords of at least 64 characters, with the use of password managers encouraged. These changes aim to balance security with usability, reducing the predictable patterns (such as “Password1!”) that composition rules push users toward.
    Additionally, NIST is discouraging reliance on outdated practices such as password hints and knowledge-based questions, and requires verifiers to accept all printing ASCII characters, the space character, and Unicode characters, while screening submitted passwords against a blocklist of commonly used or compromised values. These updates are designed to reduce password-related breaches and simplify compliance with security requirements.
    The NIST guidelines, though primarily designed for federal agencies, are widely used by non-government organizations to meet security compliance requirements. Many industries rely on NIST’s framework to help safeguard sensitive information. With the 2024 updates, organizations will need to reassess their password management strategies to align with these new recommendations.
  • Word for Microsoft 365 Deletes Files: Microsoft has reported a fix for a bug in the software that deleted user files. The bug, which was present in Version 2409, reportedly deleted user files on save and close where the filename included a capitalized file extension (e.g., .DOCX) or the # symbol. The fix was rolled out on Oct. 8.
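To make the NIST password item above concrete, the following is an added example (it is not code from NIST or from this newsletter) that places a legacy composition-rule check beside a verifier written to the SP 800-63B-4 draft rules: length counted in Unicode code points after NFKC normalization, no composition rules, a blocklist check instead, and rotation driven only by evidence of compromise. The blocklist contents, the function names, and the choice to cap length at exactly 64 (the minimum the draft requires verifiers to accept) are assumptions made for the example.

```python
import unicodedata

# Constructed sample blocklist for the example. A real deployment would check
# against a large list of breached and commonly used passwords.
BLOCKLIST = {"password", "password1!", "letmein", "qwertyuiop", "iloveyou"}

MIN_LEN = 8          # draft SP 800-63B-4: verifiers SHALL require at least 8
RECOMMENDED_LEN = 15 # and SHOULD require at least 15
MAX_LEN = 64         # verifiers SHALL permit at least 64 (assumed cap here)


def legacy_complexity_check(pw: str) -> bool:
    """The pattern NIST now discourages: composition rules that reject long
    lowercase passphrases yet accept predictable strings like 'Password1!'."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def normalize(pw: str) -> str:
    """NFKC so that visually identical Unicode input compares equal (the draft
    says verifiers SHOULD apply NFKC or NFC). Nothing is stripped: leading or
    trailing spaces are legitimate password characters."""
    return unicodedata.normalize("NFKC", pw)


def nist_check(pw: str, min_len: int = MIN_LEN, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """Accept or reject a password under the draft rules. Returns (ok, reason)."""
    pw = normalize(pw)
    n = len(pw)  # len() on a str counts code points, so non-Latin text and
                 # emoji are not over- or under-counted as bytes
    if n < min_len:
        return False, f"shorter than {min_len} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # No composition rule here on purpose. The blocklist is what catches
    # predictable choices; casefold so 'Password1!' matches 'password1!'.
    if pw.casefold() in blocklist:
        return False, "appears on the blocklist of common or compromised passwords"
    return True, "accepted"


def rotation_required(last_changed_days: int, evidence_of_compromise: bool) -> bool:
    """Periodic expiry is gone: age alone never forces a change, only evidence
    that the password has been compromised does."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple", "пароль-длинный", "1234567"]:
        print(f"{candidate!r}: legacy={legacy_complexity_check(candidate)} nist={nist_check(candidate)}")
```

Running the block shows the two regimes disagreeing in both directions: the legacy check passes “Password1!” and fails the long lowercase passphrase, while the draft-style verifier rejects the former on the blocklist and accepts the latter on length alone. Passing `min_len=RECOMMENDED_LEN` enforces the 15-character floor the draft recommends.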

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
