In this initial episode of Ballard Spahr’s new privacy and data security webcast series, Phil Yannella and Greg Szewczyk – co-chairs of the Privacy & Data Security Group – discuss regulatory scrutiny concerning the use of “dark patterns” to steer website visitors into purchasing products or making online choices they otherwise would not make. This is an area of increased risk for online retailers, digital platforms and tech companies, among others. Make sure to regularly check the CyberAdviser blog for more 15-20 minute webcasts on emerging trends in the privacy and data security world.
Connecticut is the next in a growing list of states to pass comprehensive data privacy legislation. Last Friday, the Connecticut legislature passed, by large margins, Senate Bill 6 — which we are referring to as the Connecticut Data Privacy Act (CTDPA). The law now awaits the Governor’s signature.
The CTDPA follows the form and content of other privacy laws passed in the prior year, including the Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Privacy Act (UPA). California, of course, passed the California Consumer Privacy Rights Act (CPRA) via ballot initiative in 2020. All of these laws will become effective in 2023.
Businesses with automatic renewal contracts—including subscriptions—should take note of Colorado’s new law that went into effect earlier this year on January 1, 2022. While companies subject to other states’ auto-renewal laws and the Restore Online Shoppers’ Confidence Act (“ROSCA”) will be familiar with the three-prong approach of upfront clear disclosure, simple cancellation, and ongoing reminders, the Colorado law goes a step further by imposing notice obligations on month-to-month renewals.
Under the Colorado law, any automatic renewal contract must make the renewal terms and cancellation policy “clear and conspicuous” before the contract is accepted. Clear and conspicuous is defined to mean in larger type than the surrounding text; in contrasting type, font, or color to the surrounding text of the same size; or set off from the surrounding text of the same size by symbols or other marks in a manner that clearly calls attention to the language. The Colorado law also prohibits use of a link to present the offer unless it clearly discloses that it is a renewal contract.
The Colorado law also requires companies to provide a simple, cost-effective, easy-to-use mechanism for cancelling an automatic renewal contract or trial period offer. Companies can comply with this requirement through a one-step online cancellation link that is located on the website and available immediately or after the consumer completes a reasonable authentication protocol.
However, perhaps the most notable aspects of the Colorado law are the provisions relating to ongoing reminders. Similar to previously existing laws in other states, contracts of one year or more require a renewal notice to be sent between twenty-five and forty days prior to each renewal. But the Colorado law also requires such notices for shorter contracts—e.g., month-to-month contracts—with such notice being given twenty-five to forty days before the anniversary of the initial enrollment. This structure is similar to the new Delaware law, but that law applies only to merchandise and is therefore significantly narrower than the Colorado law.
The Colorado law contains various exemptions, including services regulated by the Federal Communications Commission, entities regulated by the Division of Insurance, bank or bank holding companies, financial institutions licensed under state or federal law, and air carriers.
The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyberattacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting regulatory patchwork of varying disclosure and timing obligations. These tightened reporting obligations raise new challenges for financial institutions, which must not only ensure that their own programs are aligned with the new requirements, but also be certain to pass along reporting obligations to service providers.
The abrupt shift in reporting obligations comes after an extended period of time when most financial institutions faced consistent reporting obligations. In 2005, the federal prudential regulators—including the Board of Governors of the Federal Reserve System (Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. Rather than specifying the number of hours or days within which a financial institution must report, the guidance allowed covered financial institutions to notify their primary federal regulator and affected customers “as soon as possible” after the discovery of incidents involving unauthorized access to or use of sensitive customer information.
Contrast this with the final rule issued by the Federal Reserve, FDIC, and OCC last November, which requires covered banking organizations to report within 36 hours after determining the occurrence of certain significant computer-security incidents. The final rule also requires bank service providers to notify their banking organization customers as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is likely to materially disrupt or degrade covered services for four or more hours.
Additionally, on March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, previously covered here, which requires entities in a critical infrastructure sector (which can include financial institutions) to report to the Cybersecurity and Infrastructure Security Agency (CISA) certain cyber incidents within 72 hours and ransomware payments within 24 hours of the payment. The Securities and Exchange Commission (SEC) recently published several proposed rules that would require various regulated entities to disclose certain cybersecurity-related incidents. The Federal Trade Commission (FTC) also tossed its hat into the ring and issued a proposal last December to require covered financial institutions to notify the FTC within 30 days after discovering a data breach affecting or reasonably likely to affect at least 1,000 consumers.
Below is a summary of the new reporting obligations proposed or soon to be effective for financial institutions:
(Each entry lists: Law/Proposal; Who Reports; To Whom; Reporting Timeline; Status/Effective Date.)

Law/Proposal: Final Rule, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

(a) Who reports: Banking organizations regulated by the Federal Reserve, FDIC, or OCC.
To whom: Federal Reserve, FDIC, or OCC, depending on which agency is the banking organization’s primary federal regulator.
Reporting timeline: Report as soon as possible, but no later than 36 hours after determining a “notification incident” has occurred. A “notification incident” is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

(b) Who reports: Bank service providers.
To whom: The affected banking organization.
Reporting timeline: Bank service providers must notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is reasonably likely to materially disrupt or degrade covered services for four or more hours. If a banking organization customer has not previously provided a bank-designated point of contact, the bank service provider must notify the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.

Status/Effective date: Effective date: April 1, 2022. Compliance date: May 1, 2022.

Law/Proposal: Cyber Incident Reporting for Critical Infrastructure Act of 2022
Who reports: Entities in a critical infrastructure sector (including those in the financial services sector, such as certain depository institutions, insurance companies, and financial services companies). The types of entities that constitute covered entities are to be further described in the forthcoming rulemaking process.
To whom: CISA.
Reporting timeline: Report a “covered cyber incident” not later than 72 hours after the covered entity reasonably believes that such an incident has occurred. A “covered cyber incident” means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria to be set by the CISA Director in the forthcoming rulemaking process. Report a ransomware payment not later than 24 hours after the payment.
Status/Effective date: Enacted March 15, 2022. The new reporting obligations will not take effect until the CISA Director promulgates implementing regulations.

Law/Proposal: Proposed Rule, Standards for Safeguarding Customer Information
Who reports: Financial institutions subject to the FTC’s jurisdiction. This includes mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the SEC, and entities acting as finders.
To whom: FTC.
Reporting timeline: Notify as soon as possible and no later than 30 days after the discovery of any security event where the financial institution has determined misuse of customer information has occurred or is reasonably likely and at least 1,000 consumers have been affected or reasonably may be affected.
Status/Effective date: Comment period closed February 7, 2022.

Law/Proposal: Proposed Rule, Amendments to Form PF To Require Current Reporting and Amend Reporting Requirements for Large Private Equity Advisers and Large Liquidity Fund Advisers
Who reports: Large hedge fund advisers.
To whom: SEC.
Reporting timeline: File a current report via Form PF when a hedge fund that the adviser advises, with a net asset value of at least $500 million, experiences certain stress events. Such reporting events include when the adviser or reporting fund experiences a “significant disruption or degradation” of the reporting fund’s “key operations,” which could include cybersecurity events. File such current report within one (1) business day of the occurrence of such an event.
Status/Effective date: Comment period closed March 21, 2022.

Law/Proposal: Proposed Rule, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
Who reports: Investment advisers registered or required to be registered under 15 U.S.C. § 80b-3.
To whom: SEC.
Reporting timeline: Report the significant cybersecurity incident affecting the adviser or its fund or private fund clients promptly, but in no event more than 48 hours after having a reasonable basis to conclude that any such incident has occurred or is occurring, by filing Form ADV-C electronically on the Investment Adviser Registration Depository. Amend any previously filed Form ADV-C promptly, but in no event more than 48 hours after: (i) previously reported information pertaining to a significant cybersecurity incident becomes materially inaccurate; (ii) new material information pertaining to a previously reported significant cybersecurity incident is discovered; or (iii) the incident is resolved or the related internal investigation is closed. Publicly disclose in their brochures and registration statements cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years. See further discussion of the proposal here.
Status/Effective date: Comment period closed April 11, 2022.

Law/Proposal: Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Who reports: Public companies subject to the reporting requirements of the Securities Exchange Act of 1934 (which include public financial institutions).
To whom: SEC.
Reporting timeline: Report via Form 8-K material cybersecurity incidents within four (4) business days after the registrant determines that it has experienced a material cybersecurity incident. Provide updated disclosures via the registrant’s quarterly report (Form 10-Q) or annual report (Form 10-K) relating to previously disclosed cybersecurity incidents. Disclose when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate. For foreign private issuers, disclose material cybersecurity incidents via Form 6-K and Form 20-F. See further discussion of the proposal here.
Status/Effective date: Comment period closes May 9, 2022.
Managing and meeting these new deadlines—and keeping track of the different content and submission requirements associated with each disclosure—can be challenging. Additionally, these requirements may trickle down even to companies not directly regulated by the above agencies, as many financial institutions may consider new default rules, such as requiring 24-36 hour reporting across the board for their service providers. As the cybersecurity regulatory landscape continues to evolve, companies should review their third-party service provider arrangements and incident response plans and stay on top of legislative and regulatory developments to ensure they are in a good position to meet increased expectations and accelerated reporting timelines.
In a series of recent statements and releases, Lina Khan, the Chair of the FTC, made clear the Commission’s intention to revamp its oversight of consumer data privacy and establish more substantive limits on commercial data collection and processing activities. This plan is motivated in part by the increased adoption of workplace surveillance technologies as well as the “growing recognition that the ‘notice-and-consent’ framework” traditionally used by U.S. businesses may not be sufficient to protect consumer and employee rights. Chairperson Khan hopes to obtain additional funding to help recruit the talent required to develop this new framework, which is designed to bring the FTC “in line with similar agencies internationally.” However, the FTC plans to update its approach to “keep pace with new learning and technological shifts” regardless of whether funding is ultimately obtained.
The California AG recently released its first Opinion interpreting the California Consumer Privacy Act (CCPA), highlighting a brewing conflict over the inferences that businesses generate about their consumers. This Opinion addresses the question of whether Right to Know requests extend to these inferences. It states that businesses are obligated to disclose inferences (1) derived from either public or private personal information (2) that are used by the business for the purpose of creating a profile about the consumer. While the Office of the Attorney General acknowledged that the CCPA does not require businesses to reveal trade secrets, the Opinion raised serious questions as to whether inferences may qualify as trade secrets and, if so, the scope of a business’s compliance obligations.
At the IAPP Global Privacy Summit, Colorado Attorney General Phil Weiser announced the principles that would guide the CPA rulemaking process, after which his office published a white paper entitled Pre-Rulemaking Considerations for the CPA. In the white paper, the Colorado Department of Law (which is headed by the Attorney General) welcomes informal input from all members of the public about any aspect of the upcoming rulemaking process.
To enhance the public’s understanding of how the Office of the Attorney General will be approaching rulemaking, the white paper offers five principles to help implement the CPA: (1) promoting consumer rights; (2) clarifying ambiguities; (3) facilitating efficient and expeditious compliance; (4) harmonizing protections with other laws; and (5) allowing for innovation. The white paper explains that as the Department considers public input, it will examine how any recommendations and concerns address and advance these key principles. The white paper also provides topics and questions on which it specifically welcomes input, ranging from the universal opt out to dark patterns to data protection assessments.
The white paper is consistent with the Attorney General’s approach to date—i.e., seeking to elicit input from a diverse group of stakeholders to guide the drafting of balanced and impactful regulations. However, it should serve as a reminder to any companies or organizations that are considering providing input that they should do so soon.
Since the beginning of the year, the SEC has issued several sets of proposed rules governing cybersecurity. In an upcoming webinar, Ballard Privacy & Data Security partner Phil Yannella will join a panel discussion hosted by SEI Investments concerning the impact of these new rules on registered investment advisors and funds. You can register for the event here.
On March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which increased funding for the federal Cybersecurity and Infrastructure Security Agency (CISA) and outlined new rules and requirements for companies and organizations to follow.
Notably, CIRCIA requires owners and operators of critical infrastructure to report cyber incidents to CISA within 72 hours and ransom payments within 24 hours. “Covered entity” means an entity in a Designated Critical Infrastructure Sector as defined by Presidential Directive 21, and CISA has also provided some general guidance on its website. CISA is required to implement regulations that define the types of events that constitute a “covered cyber incident” for reporting purposes, which must, at a minimum, include cyberattacks that: lead to a substantial loss to the confidentiality, integrity, or availability of an information system; seriously impact the safety or resiliency of operational systems; disrupt business or industrial operations due to certain types of attacks; or result in unauthorized access to an information system or otherwise impact business or industrial operations due to a compromise of the supply chain. The term “ransom payment” is defined to mean the “transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.”
Pursuant to CIRCIA, CISA has two years to issue proposed rules and definitions in this realm. However, in light of substantially increased Russian cyberattacks and the war in Ukraine, lawmakers may issue these rules earlier. Jen Easterly, director of CISA, was quoted as stating that “our critical infrastructure, our way of life is really under cyber assault all the time. And our current geopolitical crisis is only exacerbating this threat.”
The passage of CIRCIA continues a growing trend towards faster reporting obligations to federal regulators. As these reporting obligations are often measured in hours rather than days, companies in regulated fields such as critical infrastructure and financial services should be proactively ensuring that they are not only prepared to report, but that their cybersecurity programs are properly documented and will hold up to the higher levels of scrutiny we are likely to see in coming months and years.
On the latest episode of our podcast, Business Better, our Ballard lawyers discuss emerging trends in privacy litigation. Issues we discuss include companies sharing and selling consumer data, plaintiffs’ liability theories, including the right of publicity, and best business practices to consider in anticipation of privacy claims.
Leading this discussion is Aliza Karetnick, a Partner in our Philadelphia office. Aliza is joined by Philip Yannella, a Partner in our Philadelphia office, and Gregory Szewczyk, a Partner in our Denver office.