Technology Law Roundup with Brandon Graves
by Brandon Graves, Partner
August was a busy month for proposed cybersecurity and privacy rules. Not all of these new rules will come into force, but the sheer number of proposals means that at least some will. Many of these proposals apply broadly, so even companies that aren’t currently complying with a cybersecurity or privacy regime will need to plan for a more regulated future.
Federal Privacy Bill
The American Data Privacy and Protection Act has made it to the House floor, although no further movement occurred because of the August recess. If passed, the bill would impose significant data privacy obligations on companies, including non-profits, while pre-empting many state data privacy laws. Domestic companies that have watched others work through GDPR should expect a similar exercise: extensive data mapping and a compliance program should the bill become law. The bill has bi-partisan support, but it also has powerful opponents.
FTC Rulemaking
The FTC has enforced cybersecurity and data privacy requirements under Section 5 of the FTC Act for over 20 years. Generally speaking, the FTC has pointed to its authority to police deceptive statements or protect consumers from unfair practices, and courts have upheld this authority. But Section 5 offers limited penalties. In particular, the FTC generally cannot obtain civil monetary penalties for a first-time Section 5 violation; penalties become available only once a company violates an existing order or a formal rule. In addition, regulated companies have complained about a lack of specific guidance.
On August 11, 2022, the FTC issued an advance notice of proposed rulemaking addressing both commercial surveillance and data security. The notice announced a public forum on September 8 with speakers from both industry and government, as well as an opportunity for the public to submit comments. Because this is only an advance notice, it is too early to know the exact structure of any proposed rules, but they will likely include a series of required disclosures concerning data gathering and security, as well as specific conduct that is either prohibited (e.g., certain types of data collection) or required (e.g., certain security controls).
CFPB Circular
Also on August 11, the Consumer Financial Protection Bureau issued a circular stating that “entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security.” The circular further stated that this requirement is in addition to the Safeguards Rule, which already imposes cybersecurity requirements on regulated entities. The circular’s language parallels the language the FTC uses under Section 5 of the FTC Act.
The CFPB points to three specific security controls in its circular: multi-factor authentication, password management, and timely software updates. However, it says these are only examples and indicates that any breach could lead to an investigation and potentially a finding of non-compliance, even where the failing control is not one of the three named.
NYDFS Amendments
The New York Department of Financial Services released draft amendments to its current cybersecurity regulation (23 NYCRR Part 500). NYDFS’s influence reaches beyond New York’s borders and beyond its formal remit: many other state regulators adopt NYDFS audit findings, and NYDFS uses its authority over insurers to “suggest” cybersecurity requirements for organizations it does not directly regulate.
Other Developments
A host of other actions took place in August (or late July). A draft CMMC Assessment Process document was released. The New York State Bar added a cybersecurity requirement for lawyers’ continuing legal education (CLE). California announced its first settlement under its privacy law. The draft NDAA adds certification requirements for software sold to the DoD. Further news emerged within specific industries, especially critical infrastructure.
The general perception is that US cybersecurity and privacy protections are insufficient, and more rule makers are stepping in to increase compliance obligations. This trend will continue for the foreseeable future.