Jones Day Global Privacy & Cybersecurity Update | Vol. 23

Jones Day Cybersecurity, Privacy & Data Protection Attorney Spotlight: Aaron Charfoos

Cybersecurity and privacy risks are on the rise, the regulatory landscape changes daily, and data protection authorities are closely examining data collection, use, and protection practices across the globe. It has never been more important to have trustworthy and knowledgeable counsel guiding companies through this challenging environment to both comply with legal requirements and unlock the value of the data they hold.

Aaron Charfoos is an accomplished privacy and data protection trial lawyer. He regularly guides clients with responding to high-profile incidents, privacy litigation, regulatory enforcement actions, and coordinated vulnerability disclosures. In 2012, he won his first cybersecurity trial, successfully defending a Fortune 100 technology client accused of violating Indiana's data breach notification statute. Since then, Aaron has guided well over 100 companies through similar cybersecurity incidents, and companies now regularly seek his advice in developing multinational privacy and data security compliance programs and in reducing data-related risk in corporate transactions.

UNITED STATES

Regulatory—Policy, Best Practices, and Standards

NIST Produces Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1

On April 25, the National Institute of Standards and Technology produced a roadmap for improving critical infrastructure cybersecurity version 1.1. The roadmap outlined several areas of focus for future development of the framework, including authentication methods, automated indicator sharing, conformity assessments, data analytics, and supply chain risk management.

Regulatory—Consumer and Retail

FTC Takes Action Against Companies Falsely Claiming to Comply with Privacy Shield

On June 14, the Federal Trade Commission ("FTC") announced that it had reached a settlement with a company that provides employment background checks for falsely claiming participation in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks. The FTC also sent warning letters to 13 companies that claimed to participate in the expired U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks. The FTC instructed the companies to remove any "public documents or statements that might be construed as claiming participation or involvement" in the privacy frameworks.

Regulatory—Financial

NYDFS Creates New Fintech Division

Consistent with New York's status as a financial services and technology hub, the New York State Department of Financial Services ("NYDFS") announced on July 23 a new Research and Innovation Division focusing on fintech innovation and consumer protection. The Division will also assume responsibility for licensing and supervising entities engaged in virtual currency business activity under the NYDFS's BitLicense Regulation. As the NYDFS explained, the Division is intended to make the NYDFS "the regulator of the future" by reviewing the use of technology in financial services, safeguarding consumer data rights, and fostering fintech innovation.

Regulatory—Communications

FCC Complaint Alleges Wireless Carriers Violated Privacy Laws

On June 14, several public interest groups filed an informal complaint with the Federal Communications Commission ("FCC") against prominent wireless carriers, alleging that the carriers sold customers' real-time location data to third parties without informed consent. The complaint highlighted the public safety risk associated with the sale of such data. The groups urged the FCC to investigate these practices and enforce Sections 201(b) and 222 of the Communications Act against the carriers.

Regulatory—Energy/Utilities

FERC Strengthens Electric Grid Cybersecurity Standards

On June 20, the Federal Energy Regulatory Commission ("FERC") signed an order that expands the reporting requirements for incidents involving attempts to compromise operation of the electric grid. The new standards require that entities report cybersecurity incidents that compromise electronic security perimeters, electronic access control or monitoring systems, and physical security perimeters associated with cyber systems. Furthermore, the standards require that entities develop criteria for identifying an attempt to compromise a cyber asset and then apply the criteria during their cybersecurity incident identification process.

Regulatory—Transportation

California Proposes Limiting Access of Local Authorities to Scooter Data

On May 22, the California State Assembly passed legislation that would allow providers of shared mobility devices, such as bicycles and motorized scooters, to withhold individual trip data from local governments. Local authorities could still require providers to share de-identified and aggregated trip data as a condition for operating a shared mobility device program. The proposed legislation comes as some cities have begun implementing regulations requiring shared mobility providers to share individual trip data with local authorities.

House Representatives Raise Privacy Concerns over Use of Facial Recognition at Airports

On June 13, 23 members of the House of Representatives sent a letter to the Department of Homeland Security to raise privacy and security concerns over reports that U.S. Customs and Border Protection ("CBP") is using facial recognition technology at airports to scan U.S. citizens. According to the reports, CBP has partnered with the Transportation Security Administration and commercial airlines to use facial recognition technology on U.S. citizens, potentially in violation of the Biometric Exit Program, which permits CBP to collect biometric data on foreign nationals entering and exiting the United States.

Regulatory—Health Care/HIPAA

Medical Records Service Settles HIPAA Breach

On May 23, the U.S. Department of Health and Human Services ("HHS") announced that a medical records service paid the Office for Civil Rights $100,000 to settle a breach that exposed the electronic protected health information ("ePHI") of approximately 3.5 million people in violation of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy and Security Rules. The breach occurred when hackers used a compromised user ID and password to access the ePHI. The investigation found that the record service did not conduct a comprehensive risk analysis prior to the breach.

Breach of Third-Party Collections Vendor Affects Millions of Patients

On June 3-4, two health care diagnostics companies each filed a report with the SEC reporting unauthorized activity on the webpage of their third-party collections service provider between August 1, 2018, and March 30, 2019, which affected up to 11.9 and 7.7 million patients, respectively.

FDA Warns of Dangerous Cybersecurity Hacking Risk with Connected Medical Devices

On June 27, the Food and Drug Administration ("FDA") warned that a company's internet-connected insulin pumps have potential cybersecurity risks and suggested that patients switch to a different model. The devices are vulnerable to malicious use of radiofrequencies to change device settings impacting insulin delivery. The FDA was not aware of any reports of harm caused by the cybersecurity risk.

Regulatory—Defense and National Security

Executive Order Declares Network Security National Emergency

On May 15, President Trump issued an executive order that declares a national emergency with respect to foreign threats against information and communications technology and services in the United States. The executive order delegates authority to the U.S. Secretary of Commerce to establish, within 150 days, a regulatory regime to mitigate or prohibit transactions with a "foreign adversary" if the agency determines those transactions pose risk of sabotage to U.S. networks, critical infrastructure, the digital economy, or other national security risks.

Litigation, Judicial Rulings, and Agency Enforcement Actions

FTC Settles Data Breach Allegations with Website Operators

On April 24, the FTC announced settlements with website operators for failure to take reasonable steps to protect consumer data in light of a breach of each website. The FTC alleged that one company failed to implement readily available security measures, despite falsely claiming to use the latest security and encryption measures. This enabled a hacker to download a document with clear text information about 6.6 million consumers, including 500,000 in the United States. The FTC alleged that the second company failed to implement reasonable security measures to protect the personal information of children under the age of 13 and collected personal information from children without parental consent, in violation of the Children's Online Privacy Protection Act ("COPPA").

FTC Warns Dating App Operator about Potential COPPA, FTC Act Violations

On May 1, the FTC sent a letter to a Ukraine-based operator of an online dating application warning it about potential violations of COPPA by failing to block users who indicated they were under 13 years old from using the apps.

Indiana Attorney General Brings Data Breach Claim Against Credit Reporting Agency

On May 6, Indiana's attorney general sued a consumer credit reporting agency over claims that it violated the state's Disclosure of Security Breach Act and Deceptive Consumer Sales Act by failing to protect consumers' personal information. The complaint alleged that the agency failed to implement adequate security measures or disclose security deficiencies, resulting in a data breach in 2017. The attorney general is seeking penalties, injunctive relief, restitution, costs, and attorneys' fees.

Vermont Attorney General Settles Failure to Secure Information Charge Against Software Supplier

On May 23, Vermont's attorney general settled against a third-party provider of municipal management software to municipalities in Vermont for failing to secure municipal...
