Greg Szewczyk and Phil Yannella sat down with Kimberly Klayman to give a privacy update for startups in Technical.ly. Read the full interview here.
In the latest episode in our monthly webcast series, Privacy and Data Security practice co-leaders Phil Yannella and Greg Szewczyk discuss the past, present, and future of VPPA litigation and proactive steps to mitigate the risk of VPPA litigation.
The California Privacy Protection Agency announced today that it began the formal rulemaking process to adopt the proposed regulations implementing the California Privacy Rights Act of 2020 (“CPRA”). As part of this announcement, the Agency released the Proposed Regulations and supporting documents.
The Agency will hold a public hearing for comments at 9:00am Pacific Time on August 24 and 25. Those wishing to submit written comments on the proposed regulations must submit them by August 23 at 5:00pm Pacific Time. Those wishing to attend should RSVP through the Agency's registration link.
Ballard Spahr will continue to provide updates as more information becomes available.
On June 23, 2022, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective (SRP) for spring 2022. In the SRP, the OCC opines on its current safety and soundness concerns for banks under its regulatory umbrella, focusing on Russia sanctions, climate-related risk, and rising inflation. Despite these challenges, the OCC believes that “[b]anks’ financial condition remains strong and positioned to deal with the economic headwinds.”
Of special note, the OCC also believes compliance risk is “heightened” for Bank Secrecy Act/Anti-Money Laundering (BSA/AML) and Office of Foreign Assets Control (OFAC) compliance because of world events and compliance staffing concerns. In addition, the OCC warns that banks face an “elevated” risk of cyber attacks and fraud or cybersecurity risks related to digital assets.
BSA/AML Compliance Risks
The OCC devotes a paragraph to discussion of BSA/AML and OFAC concerns related to “environmental crimes.” The OCC decries the climate risk and pollution caused by such crimes. And, echoing the Financial Crimes Enforcement Network's (FinCEN) recent notice on the same topic, the OCC cautions that environmental crimes “have a strong association with corruption and transnational criminal organizations.” We have blogged about this topic several times in several facets, noting how these crimes are estimated to create hundreds of billions in illicit funds each year. Like FinCEN, the OCC appears to have this near the top of its priority list.
The OCC then zeroes in on another perennial concern: fraud in government relief programs. Citing the Covid-19 pandemic and “recent natural disasters,” the OCC characterizes fraud stemming from government relief programs as a “significant risk.” Predicting that natural disasters will become more, rather than less, common, the OCC forecasts long-term increased risk of fraud and urges banks to incorporate both environmental crimes and government relief fraud into long-term planning and risk assessments. The OCC clearly thinks that BSA/AML and OFAC concerns will continue to haunt government relief programs.
In the first SRP since the Russian invasion of Ukraine, the OCC reminds banks that they must “assess the applicability” of the “complex and evolving” Russia sanctions “on their institutions and customers.” The OCC urges banks to consider both the impact on branches here and abroad as well as overseas offices and subsidiaries. Hearkening back to two March FinCEN alerts (here and here) on which we blogged (here and here), the OCC warns banks to “be vigilant against potential efforts to evade” sanctions and reminds banks that suspicious transactions may involve “real estate, luxury goods, and other high-value assets of sanctioned Russian elites and their family members and associates.” The OCC urges banks to use this as a springboard to increase efforts to detect foreign public corruption and kleptocracy.
The SRP notes that these compliance risks are currently more difficult to respond to because “[b]ank compliance functions also are experiencing challenges retaining and replacing staff.” It is no surprise that banks, like many other employers, are finding it difficult to hire and retain talent. The SRP warns that “lack of access to subject matter expertise,” funding cutbacks, over-reliance on third parties to assist in these critical functions, and telework are exacerbating compliance risk.
The OCC has long been concerned with operational risks posed to banks from cyber attacks. The SRP now assesses that operational risks to banks remain “elevated” because cyber attacks continue to “evolve” and “become more sophisticated.” Specifically, the OCC notes an increase in distributed denial of service (DDoS) attacks and ransomware campaigns directed at the financial services sector, including banks. We noted the increase in ransomware attacks and ransomware-related SARs discussed in FinCEN’s October 15, 2021 financial trend analysis on ransomware.
The OCC suggests “heightened threat monitoring” and “greater public-private sector information sharing” as two methods to combat DDoS and ransomware attacks. The OCC states, as a practical matter, that banks should implement and regularly test backup systems to ensure operational resilience, and should require multifactor authentication and “timely patch management” to make it harder for cyber attackers to gain access. These echo the suggestions of the Cybersecurity and Infrastructure Security Agency, a government agency within the Department of Homeland Security, in its recently announced Shields Up initiative.
Risks of Engaging with New Technologies, Including Distributed Ledger Technologies and Digital Assets
Finally, the OCC devotes significant time to cybersecurity and fraud risks related to digital assets. While the OCC recognizes that new technologies, including distributed ledger technologies and digital assets, “can offer many benefits to both banks and their customers” the OCC believes new technologies are a common target for fraudsters. Citing this risk of fraud and the possibility of cyber attacks, the OCC provides a number of suggestions for banks considering engaging with digital assets:
- Banks should ensure that they have sufficient knowledge and expertise in the digital assets and the technology before engaging in new activity with digital assets;
- Banks should pay special attention to distributed ledger or digital assets companies “delivering banking and bank-like products and services”;
- Banks should consider their size, complexity, and risk profile before engaging in new activity with digital assets;
- Banks should engage in “appropriate due diligence, change management, and risk management processes” prior to engaging in new activity with digital assets;
- Banks may need to consider whether “additional or different controls [are needed] to safeguard against fraud, financial crimes, violations of sanctions requirements and consumer protection and fair lending laws, and operational errors”; and
- Finally, before engaging in certain activities with digital assets, banks supervised by the OCC should first obtain a written supervisory non-objection from the OCC.
The SRP’s bottom line: banks should be deliberate and do their due diligence when engaging with new technologies, including distributed ledger technologies and digital assets.
The OCC also promises greater clarity on regulation of digital assets to come in the future, likely a reference to the Sprint Initiative the OCC is engaged in with the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation, on which we previously blogged. The OCC is currently working to “develop a common vocabulary of terms” and “use cases and risks” to create “policy and supervision considerations” for digital assets for banks. With only another vague reference to coming regulations, it remains to be seen what shape they will take and when they will be unveiled.
In a report released June 21, 2022, the U.S. Government Accountability Office (GAO) urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to jointly assess whether the risk to critical infrastructure and potential financial exposures from catastrophic cyber incidents warrant a federal insurance response, and to inform Congress of the results of their assessment. CISA is the primary risk advisor on critical infrastructure, and FIO is the federal monitor of the insurance sector.
The GAO prepared this report pursuant to the Terrorism Risk Insurance Program Reauthorization Act of 2019, which, among other things, directed the GAO to conduct a study on: (1) the risks and potential costs of cyberattacks to U.S. public and private infrastructure; (2) whether states’ definition of cyber liability under a property and casualty line of insurance is adequate coverage for an act of cyber terrorism; (3) whether such risks can be adequately priced by the private market; and (4) whether the risk-share system established under the Terrorism Risk Insurance Act of 2002, which created the Terrorism Risk Insurance Program (TRIP), is appropriate for covering cyber terrorism events.
In the report, the GAO highlighted the significant and growing cybersecurity risks facing U.S. critical infrastructure and examined how the cyber insurance market is evolving, often in a way that means less coverage against potentially catastrophic financial losses. The report noted that although cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware, private insurers have been taking steps to limit their potential losses from cyberattacks with systemic effects. Coverage under TRIP, which requires the federal government to share certain insured losses with private insurers in the event of an act of terrorism, is limited to attacks that meet certification criteria specified by the program, among other requirements. As the GAO notes, even very large cyberattacks on critical infrastructure resulting in catastrophic losses and risk to national security might not be covered if they do not meet all the certification criteria. For example, one criterion is that the event must be a “violent act or an act that is dangerous” to human life, property, or infrastructure. Even though a data breach or denial of service attack may result in stolen data or IT system disruption, it is not necessarily a violent act or dangerous to human life, property, or infrastructure. To date, the federal government has not certified any cyberattack as an act of terrorism under the program.
The report also noted that while CISA and FIO have taken some steps to understand the financial implications of cyber risk, neither agency has fully assessed the extent to which the risks to the nation’s critical infrastructure from catastrophic cyber incidents, and the potential financial exposures from these risks, warrant a federal insurance response. In their comments to the report, both DHS and Treasury agreed with the GAO’s recommendation to work together to produce such an assessment for Congress. DHS stated that it would review the aggregate data generated by incident disclosures under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (previously discussed here), once available, and work with Treasury in the interim to determine other data needed. Treasury confirmed that it had reached out to DHS to begin collaboration on this effort.
The Third Circuit recently issued an opinion upholding the federal cyber-stalking statute against a constitutional challenge in United States v. Ho Ka Yung. Yung was convicted of cyber-stalking after he instituted a campaign of harassment against a Georgetown Law alumnus interviewer and his family. Though he pled guilty, Yung preserved the right to appeal his conviction on the grounds that 18 U.S.C. § 2261A(2), the federal statute criminalizing cyber-stalking, is unconstitutional because it criminalizes speech protected by the First Amendment. The Third Circuit upheld Yung’s conviction, finding that a narrower reading of the statute prevented the majority of protected speech from being swept into its purview.
The facts of this case serve as a stark example of the real harm that can be inflicted through online behavior.
A year after being denied admission at Georgetown Law, Yung began a campaign of harassment online against the Georgetown alumnus who had interviewed him as part of the application process. Yung published false obituaries for the interviewer’s wife and son, created false social media profiles associating the interviewer with the Ku Klux Klan, and published blog posts in the interviewer’s name that bragged of raping women, a boy, and an eight-year-old girl. Yung posed as a female Georgetown applicant, accusing the interviewer of sexual assault. Yung’s harassment also targeted the interviewer’s family. Impersonating the interviewer’s wife, Yung published online ads, in one instance seeking a sex slave and instructing a man who responded to spy on the family, and in another instance claiming that she wanted men to use weapons to physically threaten her before initiating forcible sex. As a result of some of these ads, unknown men came to the interviewer’s home in the middle of the night on three consecutive nights. The online harassment caused real-life threats to the family’s safety.
In his First Amendment challenge, Yung did not argue that the conduct he was convicted for was protected by the First Amendment. Instead, Yung argued that the statute as a whole should be struck down for overbreadth because a significant portion of what it criminalizes is protected conduct. Statutes will only be found facially invalid when they prohibit a substantial amount of constitutionally protected activity in relation to their legitimate sweep. Courts are reluctant to invalidate entire statutes, and as the Third Circuit demonstrated this week, the principle of constitutional avoidance dictates that when several interpretations are available, courts should choose the one that permits a statute to withstand a constitutional challenge.
The challenged federal cyber-stalking statute contains three elements. A person can be convicted if they (1) “use the mail, any interactive computer service or … system …, or any other facility of interstate or foreign commerce” at least twice, (2) do so “with the intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person,” and (3) put the victim “in reasonable fear of … death … or serious bodily injury,” or “cause, attempt to cause, or … be reasonably expected to cause substantial emotional distress.” § 2261A(2). Yung argued that this statute was unconstitutionally overbroad because it would criminalize mere online “trolling,” including large amounts of constitutionally protected speech like harsh political criticism or negative reviews of literary or artistic endeavors.
In its decision this week, the Third Circuit acknowledged that this broad reading is a plausible, if not the most natural, interpretation of the statute. Both “harass” and “intimidate” can be defined to cover a range of conduct that would clearly be protected by the First Amendment. Nonetheless, applying the doctrine of constitutional avoidance, the court interpreted both terms narrowly. The court held that to “intimidate” for the purposes of § 2261A(2), a defendant must have put the victim in fear of bodily injury; to “harass,” the defendant must “distress the victim by threatening, intimidating, or the like.” Under these definitions, which the court referred to as “criminal” definitions of harassment or intimidation, the statute is not unconstitutionally overbroad.
While the facts of Yung exemplify the need for regulation of online behavior, the questions raised by the appeal demonstrate the challenges of drawing appropriate contours for that regulation.
The intent, action, and result elements of the cyber-stalking statute were all clearly met in Yung. Yung created countless pieces of threatening and abusive content targeting his victim, and he intentionally sent people to harass and threaten his victim’s family. In many cases, however, real harm will be inflicted online where one or more of the statute’s elements are murkier. The Third Circuit’s refined definitions of criminal harassment and intimidation may govern those cases, but the questions about how and where to draw the line when regulating online speech will continue to challenge courts. This week’s decision affirms that the Constitution permits the government to use intent to intimidate or harass as a tool for drawing that line.
The FTC recently reported that over $650 million worth of cryptocurrency was stolen by hackers last year. Thus far, over $320 million in cryptocurrency has been stolen by hackers this year. Not surprisingly, this surge in crypto breaches has led to litigation. In our monthly webcast series, Ballard partners Phil Yannella, Greg Szewczyk and Margie Peerce discuss the emergence of “crypto breach” litigation.
They discuss the causes of action, defenses, and pro-active steps that companies can take to prepare for litigation in the wake of a crypto breach, including how to recover stolen crypto funds.
The Federal Trade Commission (FTC) recently issued a blog post stating that a failure to disclose a data breach may be a violation of Section 5 of the FTC Act. The May 20 blog post, titled Security Beyond Prevention: The Importance of Effective Breach Disclosures, explained that in some instances, the FTC Act may create a de facto breach disclosure requirement because the failure to disclose will increase the likelihood that affected parties will suffer harm. According to the FTC, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act—“[r]egardless of whether a breach notification law applies.”
If read as a requirement to report breaches that otherwise don’t meet state reporting obligations, the FTC’s position would constitute a significant expansion of breach notification obligations in the United States. This has raised eyebrows in privacy circles, as a blog post is not a typical mechanism for announcing new guidance. It could also further complicate the analysis of whether notification is necessary by introducing a subjective element on top of the 50-state statutory framework.
But there is reason not to read the blog post quite so broadly. Indeed, the blog post cites to four recent enforcement actions—all of which involved situations where notification was required by state breach notification statutes. Two of those cases (CafePress and Uber) included allegations that the businesses had failed to notify consumers for several months, and even more than a year, after the breach. The other two cases (SpyFone and SkyMed) included allegations that the businesses misled consumers through their public statements about their respective security breaches.
In other words, the cited enforcement actions are fundamentally delayed-reporting or deceptive-practice cases that gave rise to consumer injury. None of the cases cited by the FTC appear to involve breaches in which the defendant company did not have any state or federal reporting obligations. Viewed in this light, the FTC blog post may not be articulating a new standard requiring companies to publicly report breaches that don’t otherwise require reporting, but rather highlighting that companies that delay reporting without a legal basis, or mislead consumers about the status of a breach investigation, increase the potential for consumer harm, and that this can constitute a violation of Section 5 of the FTC Act.
In any event, while the FTC’s blog post may not signal a drastic new breach reporting obligation, it does likely signal that the FTC intends to be a prominent player in the breach response, data security, and privacy fields. Businesses would therefore be wise to ensure that their practices are compliant and properly documented before crises strike.
In a surprising development, the California Privacy Protection Agency (CPPA) published proposed amendments to the CCPA regulations recently. The proposed amendments were initially made public on May 27 in a package of materials to be considered by the CPPA at its upcoming June 8 meeting. The proposed amendments—which in effect are the draft CPRA regulations—were issued without advance notice, ahead of the schedule previously announced by the CPPA.
The proposed regulations are broken into nine (9) substantive areas: General Provisions, Required Disclosures to Consumers, Business Practices for Handling Consumer Requests, Service Providers, Contractors and Third Parties, Verification of Requests, Special Rules Regarding Consumers Under 16 Years of Age, Non-discrimination, Training and Record Keeping, Investigations and Enforcement. Notably absent are regulations relating to automated profiling, cybersecurity audits, and privacy risk assessments—all areas where guidance was largely expected.
In general, the draft regulations are dense and highly technical, nearly doubling in length the current CCPA regulations. And, the regulations may actually grow if subsequent drafts incorporate new sections that are not in the first draft. In any event, if implemented in their proposed form, the CPRA regulations will require a substantial expansion of privacy compliance operations for many businesses subject to the law. The details, potential compliance problems, technical requirements, and unanswered questions are far too numerous to address in a single blog post. Over the next few weeks, we intend to analyze the proposed regulations in more detail, focusing on specific subject matter areas.
At this stage, here are our initial take-aways.
The Proposed Regulations Are Highly Pro-Consumer
Even for a privacy law as expansive as the CPRA, the proposed regulations are strikingly pro-consumer, capturing an array of concerns and proposals that privacy advocates have been articulating for several years. The proposed regulations, for example, have detailed data minimization requirements that not only require businesses to collect, use, retain and share personal data in a manner consistent with the expectations of the average consumer, but would require businesses to obtain new consumer consent if they process personal data in a manner that isn’t consistent with these consumer expectations. This form of the consumer right is not explicitly provided by the CPRA, and it could create significant operational costs for businesses.
New Consumer Rights Will Require Big Compliance Changes
Not surprisingly, some of the most significant proposed regulations focus on the technical details surrounding the new rights the CPRA extends to consumers; specifically, the right to opt out of the sharing of personal information, the right to limit the processing of sensitive personal information, and the right of correction. The regulations contain many pages of details explaining businesses’ options for enabling consumers to exercise these rights, details that are likely to trigger compliance headaches.
The new right of correction, for example, will require many U.S. based companies to build new intake and processing mechanisms. Whether a business must honor a correction request, the records that it may need to provide consumers to justify a decision not to honor a correction request, and the documentation to support a business’s decision not to correct may require an adjudication process not dissimilar to FCRA correction mechanisms. For companies that rely on personal data provided by third parties, as opposed to their own records, the correction process is even more complex.
In one of the few pro-business amendments, the proposed regulations do introduce a “disproportionate effort” defense for companies facing overly burdensome consumer requests. But in keeping with the general pro-consumer tilt of the CPRA, the standard for using this defense against a consumer request is high and requires that companies demonstrate that the cost of compliance “significantly outweighs” the benefit to the consumer of honoring the request. Businesses that fail to establish adequate procedures for honoring consumer requests cannot claim disproportionate effort.
Regarding the new opt out rights, the regulations contemplate that businesses can enable these rights via “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links, via a “My Privacy Rights” link that combines these different opt out rights, or by recognizing browser opt out signals. In fact, the proposed regulations make it mandatory for businesses to honor opt out signals once those signals become commonly used by businesses. The latter requirement appears to go beyond the text of the CPRA, which makes recognition of opt out signals optional. Notably, the proposed regulations explicitly reject the use of cookie banners as a mechanism for enabling opt outs of the sale or sharing of personal information, on the grounds that a cookie banner only addresses collection of personal data, not sale or sharing.
One thorny operational issue involves the processing of browser opt out signals that conflict with specific privacy settings chosen by consumers, for example with loyalty programs where consumers consent to providing certain personal information. In many cases, these conflicts must be resolved in favor of maximizing opt out rights unless the business obtains additional consumer consent. The operational complexity of enabling opt out rights may trigger deeper consideration about what ad tech models businesses may want to utilize once the CPRA becomes effective.
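The conflict rule in the preceding paragraph is easiest to reason about as a decision function. The following is an added illustration, not code from the proposed regulations or from any vendor tool, and it makes two assumptions: that the browser opt out signal arrives as the Global Privacy Control request header `Sec-GPC: 1`, and that the business's own consent store records, per consumer, any site-level opt out and any program-specific consents (such as a loyalty program) with the time they were given. A consent obtained after the signal was first seen is treated as the "additional consumer consent" that the passage says can override the signal, and only for the program it was given for.

```javascript
// Added example: resolving a browser opt-out signal against stored consumer choices.
// Assumptions (not from the page): the signal is the GPC header "Sec-GPC: 1", and
// `consent` is a plain object from the business's own consent store with the shape
//   { optedOutSaleOrShare?: boolean,
//     programConsents?: [{ program: string, at: ISO-8601 string }] }

const SIGNAL_HEADER = 'sec-gpc';

// Case-insensitive header lookup; the signal counts only when the value is exactly "1".
function hasOptOutSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === SIGNAL_HEADER) {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Decide how a request must be treated for sale/sharing purposes.
//   headers            - request headers for the current request
//   consent            - stored choices for this consumer (see shape above)
//   signalFirstSeenAt  - ISO timestamp of when the business first saw the signal
//                        for this consumer; defaults to `now` (so every stored
//                        consent is treated as pre-dating the signal)
//   now                - ISO timestamp of the current request (injectable for tests)
// Returns { optedOut, allowedPrograms, basis }: when optedOut is true, sale or
// sharing is limited to the programs listed in allowedPrograms.
function resolveSaleOrShareOptOut({ headers, consent = {}, signalFirstSeenAt, now }) {
  const programConsents = Array.isArray(consent.programConsents) ? consent.programConsents : [];

  if (!hasOptOutSignal(headers)) {
    // No signal: the consumer's own site-level choice stands, and any program
    // consent remains usable for its program.
    const optedOut = consent.optedOutSaleOrShare === true;
    return {
      optedOut,
      allowedPrograms: programConsents.map((c) => c.program),
      basis: optedOut ? 'site opt-out on record' : 'no opt-out on record',
    };
  }

  // Signal present: resolve in favor of the opt-out. Only consents obtained
  // after the signal was first seen count as "additional consent"; a consent
  // with an unparseable timestamp is conservatively treated as pre-signal.
  const seenAt = Date.parse(signalFirstSeenAt || now || new Date().toISOString());
  const allowedPrograms = programConsents
    .filter((c) => {
      const at = Date.parse(c.at);
      return Number.isFinite(at) && Number.isFinite(seenAt) && at > seenAt;
    })
    .map((c) => c.program);

  return {
    optedOut: true,
    allowedPrograms,
    basis: 'browser opt-out signal',
  };
}

module.exports = { hasOptOutSignal, resolveSaleOrShareOptOut };
```

The design point is that the signal is never silently "lost" to an earlier preference: a loyalty consent given before the signal does not unlock sharing, while one given afterwards unlocks sharing for that program alone. Whatever the final regulations say about the exact override conditions, keeping this decision in one auditable function, with the timestamps it relied on, is what lets a business later show why a given request was or was not treated as opted out.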
First Party Obligations Are Now Third Party Obligations
One of the more notable ways in which the CPRA broadens consumer privacy rights is through the expansion of obligations on third parties. Whereas the CCPA required that businesses push certain privacy obligations onto service providers through required contractual language, the CPRA goes even further by introducing “contractors” as a new category of service provider and expanding the provisions that must be included in a contract with a service provider or contractor to avoid vicarious liability. The proposed regulations do allow a service provider or contractor to use consumers' personal data to improve its own applications.
The proposed regulations also modify the safe harbor afforded to businesses that meet the contractual requirements for service provider and contractor agreements by noting that businesses that don’t conduct any due diligence or auditing of their service providers or contractors may not be able to argue that they were unaware of a contractual violation.
The proposed regulations also impose new obligations on third parties in a number of different ways. Third parties that collect personal data on first party platforms are required under the proposed regulations to provide a notice at collection to these consumers, which is a wholly new obligation. Businesses must also forward opt out requests, as well as consumer deletion requests, to third parties processing that consumer’s personal data. Third parties, in turn, must honor opt out requests (unless they become a service provider or contractor) and must honor deletion requests. Third parties that recognize browser opt out signals on first party sites must also honor those opt outs. In addition, the proposed regulations impose new contractual requirements for third parties subject to the CPRA.
The combined effect of these expanded obligations on service providers, contractors and third parties is to broadly share compliance obligations across the entire ecosystem in which a consumer’s data flows. Businesses thus must analyze their own obligations as first parties as well as obligations they may face as third parties receiving consumer data through sharing arrangements. Among other things, these expanded obligations will require improved data tracking and communication with third parties.
Use of Third-Party Tools May Be Unavoidable For Some Companies
There are numerous provisions in the proposed regulations that incentivize, make easier or essentially require the use of third party tools. For example, the regulations remove a requirement that authorized agents be registered in the state of California, opening the door for more third party services to serve as agents to help Californians exercise their consumer rights. This change, coupled with the expansion of consumer rights under the CPRA – as well as four other state privacy laws – makes it quite likely that businesses will experience a significant surge in consumer requests once the CPRA becomes effective.
Perhaps the most impactful proposed regulation, as noted, is the requirement that businesses honor opt out signals when they become commonly used. When the technology evolves to that point, it is likely businesses will need to utilize new tools to process browser opt out signals. The proposed regulations appear to incentivize businesses to recognize these signals by allowing businesses who do so in a “frictionless” manner (a newly defined term) to avoid the need to separately provide Do Not Sell or Share and similar links on the website, provided that personal data is not sold or shared off-line.
The new requirements imposed on third parties will require enhanced data tracking, documentation, and communication with first parties. For many businesses, it may not be possible to meet these enhanced technical requirements without the use of third-party privacy compliance tools.
CPRA Regulations May Complicate Plans for a Singular Approach to Privacy Compliance
Even before the release of the proposed regulations, California’s was arguably the most pro-consumer privacy law in the U.S. The proposed regulations, as noted, move the law in a decidedly more pro-consumer direction. Other states’ laws, particularly Utah’s and Virginia’s, are more business friendly and will not be subject to the same kind of detailed rule-making as California’s. It is therefore a distinct possibility that when the CPRA regulations are finalized, they will impose significantly more onerous requirements than other states.
The complexity of the proposed CPRA regulations may cause companies to think twice about plans to adopt a singular “most restrictive law” approach to complying with the five new U.S. state privacy laws that become effective in 2023. Much will depend on what shape the final CPRA regulations take and how closely other states hew to the CPRA model. Colorado is also going through a rule-making process for the Colorado Privacy Act (CPA) and if the state lands somewhere close to California in its rule making, the calculus may again shift toward a singular model for businesses that are subject to multiple state privacy laws. If other states pass Utah-style privacy laws in 2022 or 2023, businesses may begin to balkanize their privacy compliance programs. The potential for this schism may push Congress to pass a federal privacy law.
Needless to say, there is more to come. As businesses fully digest the proposed CPRA regulations, we are likely to see a significant push by the business community for relaxation of the proposed regulations. We will provide more analysis about particular proposed regulations in the near future.
The California Privacy Protection Agency (“CPPA”) scheduled a Board Meeting for June 8th, at which it will discuss and possibly take action with regard to the much anticipated CPRA implementing regulations. To facilitate this discussion, the CPPA included a draft of the proposed regulations as part of the meeting materials. This draft comes in the form of a 66 page redline of the current CCPA regulations.
At this time, it is unclear how final these draft regulations are or what additional changes will be made prior to them being officially released for public comment. However, this initial draft may provide useful insight into their current status and possible trajectory.
As discussions surrounding these regulations develop, we will be releasing a series of posts addressing the specific elements we expect to have the biggest impact on businesses operating in California.