By: Nicholas Jajko
2023 has been a busy year for data privacy regulation, with the passage of privacy laws in six new states (Indiana, Iowa, Montana, Oregon, Tennessee, and Texas). Other developments are also worth spotlighting for current and prospective Freeman Mathis & Gary, LLP (“FMG”) clients:
Privacy Shield Certification Revived by the Trans-Atlantic Data Privacy Framework
The EU-U.S. Privacy Shield was administered by the International Trade Administration (ITA) from 2016 until it was declared invalid by the European Court of Justice’s 2020 decision in Schrems II. Since that time, the ITA has worked to refine the legal framework governing transatlantic transfers of personal data for commercial purposes between the European Union and the United States, consistent with that decision. Its solution: the “DPF”. Specifically, on July 17, 2023, the ITA launched the Data Privacy Framework (DPF) program website (www.dataprivacyframework.gov). The DPF site enables U.S.-based organizations to make initial self-certification submissions to participate in the EU-U.S. DPF and, as applicable and necessary, the UK Extension to the EU-U.S. DPF and/or the Swiss-U.S. DPF, and allows participating organizations to make their annual re-certification submissions. The DPF is also available to organizations that previously self-certified in compliance with the Privacy Shield principles.
FMG’s Data Security, Privacy & Technology practice group attorneys are available to assist in complying with the updated EU-U.S. Data Privacy Framework (DPF) principles by the October 10, 2023, deadline for revising organizational privacy policies.
SEC Reporting Requirements
On July 26, 2023, the Securities and Exchange Commission (SEC) adopted final rules requiring disclosure of material cybersecurity incidents and annual reporting on cybersecurity risk management, strategy, and governance. Notably, a new Form 8-K Item 1.05 will require registrants to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the filing entity. Generally, the disclosure must be made within four days of the materiality determination.
The new rules also add Regulation S-K Item 106(b), which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106(c) will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.
The Form 8-K disclosures will be due beginning on the later of 90 days after the date of publication in the Federal Register or December 18, 2023. The S-K 106(a & b) disclosures will be required in a registrant’s annual report on Form 10-K, beginning with annual reports for fiscal years ending on or after December 15, 2023.
Publicly traded FMG clients who are also victims of one or more recent data security incidents should be aware of the new SEC requirements.
Compliance for Cloud Computing Service Providers Seeking Government Contracts
At the end of 2022, Congress approved, and the FedRAMP Authorization Act was signed into law, as part of the 2023 National Defense Authorization Act. FedRAMP thereby became the authoritative, standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information and are sold to the U.S. Government. The FedRAMP program is managed by the FedRAMP management offices and leverages NIST standards and guidelines to provide a reusable approach to security assessment and authorization.
FMG attorneys are available to assist Cloud Service Provider (CSP) clients with Joint Authorization Board authorization, including advising on the readiness assessment and authorization process.
ABA Adopts Cybersecurity Resolutions for Attorneys
On August 8, 2023, the American Bar Association’s House of Delegates approved Resolutions 608, 609, and 610 to stimulate improvement in the cybersecurity defenses of law firms and attorneys from both a technical and an administrative standpoint. Resolution 608 urges Congress to enact legislation establishing an attorney’s duty to implement reasonable security for organizational data, products, and systems, consistent with existing cybersecurity frameworks. The Resolution also calls for incentives for developers of existing and emerging digital technologies, and all entities, to monitor and enhance cybersecurity protections and increase resilience against cybersecurity threats, and for resources for users of digital technologies, products, services, and capabilities so that they can enhance their cybersecurity protections and resiliency.
Resolution 609 urges lawyers to improve their awareness of threats to data and of new privacy developments by keeping informed about new and emerging technologies and about ways to protect digital products, systems, and data from unauthorized access, use, and modification. This is in response to a 2021 ABA study that estimated 25% of responding law firms had experienced a data breach. The data protection focus is not only on emerging technologies like artificial intelligence and ChatGPT, but also on general technology developments such as widespread vulnerabilities in hardware and software, as seen with SolarWinds, the Hafnium Exchange exploit, and most recently, MOVEit.
Finally, Resolution 610 addresses awareness and specialization at the education level. Specifically, the Resolution encourages U.S. law schools to protect student and client information from cyberattacks by understanding cybersecurity and emerging technologies, in much the same way it encourages law firms and lawyers. Beyond that, the ABA also suggests including courses in cybersecurity law, emerging technology, and data protection to stimulate awareness earlier in a lawyer’s development.
Washington “My Health My Data Act” Private Right of Action
Signed into law on April 27th, the Washington “My Health My Data Act” imposes new requirements on the processing and sale of consumer health data by organizations with a nexus to Washington state. In response to the Dobbs decision, the Washington legislature sought to keep entities not regulated by HIPAA from sharing information (“consumer health data”) even remotely related to bodily functions and health care services that could be used against any consumer whose health data is “collected in Washington” (not limited to Washington residents). Notably, Section 11 of the MHMD Act establishes any violation of the Act as an unfair or deceptive act under the Washington Consumer Protection Act, with no opportunity to cure and no prerequisites to bringing the private right of action. Statutory and liquidated damages, however, are not available; rather, the Act provides for actual damages proven to have been sustained, treble damages (up to $25,000), attorney’s fees and costs, and possible injunctive relief. Compliance deadlines begin on March 31, 2024.
Delay of CCPA Enforcement Until March 29, 2024
The Superior Court of California for the County of Sacramento granted a petition to stay enforcement of the California Consumer Privacy Act of 2018 (CCPA), as amended by its progeny, the California Privacy Rights Act of 2020 (CPRA), for one year from its original intended July 1, 2023, enforcement date. The initial publication deadline contemplated by the CCPA was July 1, 2022, with enforcement beginning one year later. However, approval of the first set of regulations under the CPRA, covering 12 of the 15 areas contemplated in Section 1798.185 of the Act, did not occur until March 29, 2023. Therefore, the Superior Court granted the petition, delaying enforcement of the final regulations 12 months from the date of finalization, consistent with the original intent, until March 29, 2024.