Privacy & Information Security Law Blog

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of its voluntary Cybersecurity Framework (“CSF”).

The first iteration of the CSF was released in 2014 as a result of an Executive Order, to help organizations understand, manage, and reduce their cybersecurity risks. The original CSF was developed for organizations in the critical infrastructure sector, such as hospitals and power plants, but has since been voluntarily implemented across various sectors and industries, including throughout schools and local governments.

On February 28, 2024, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action on the right of access. Through the course of 2024, 31 data protection authorities across the European Economic Area, including seven German state-level authorities, will take part in this initiative on the implementation of the right of access. The EDPB selected the right access for its third coordinated enforcement action as it is “at the heart of data protection,” is a right that is very frequently exercised by individuals, and one that is often the basis of complaints to authorities.

On March 1, 2024, the UK Information Commissioner’s Office (“ICO”) announced that it had issued an enforcement notice and a warning to the UK Home Office for failing to sufficiently assess the privacy risks posed by the electronic monitoring of people arriving in the UK via unauthorized means. The Home Office is the ministerial department of the UK government responsible for immigration, security, and law and order.

On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited (“Avast”) requiring Avast to pay $16.5 million and prohibiting Avast from selling or licensing any web browsing data for advertising purposes. This ban is to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking.

On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC (“GRBH”) stemming from the organization’s failure to comply with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (“HIPAA”) and subsequent failure to protect against a 2019 ransomware attack that impacted the personal health information (“PHI”) of more than 14,000 patients. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.

As reported on the Hunton Employment & Labor Perspectives blog, on February 15, 2024, California lawmakers introduced the bill AB 2930. AB 2930 seeks to regulate use of artificial intelligence (“AI”) in various industries to combat “algorithmic discrimination.” The proposed bill defines “algorithmic discrimination” as a “condition in which an automated decision tool contributes to unjustified differential treatment or impacts disfavoring people” based on various protected characteristics including actual or perceived race, color, ethnicity, sex, national origin, disability and veteran status. 

On February 20, 2024, The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP  (“CIPL”) and Theodore Christakis, Professor of International, European and Digital Law at University Grenoble Alpes, released a comprehensive study titled The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach. In the study, Prof. Christakis makes the case that the EU General Data Protection Regulation (“GDPR”), the Charter of Fundamental Rights of the European Union and EU law, more generally, allow a more nuanced and risk-based approach to data transfers than the restrictive approach often applied. CIPL and Prof. Christakis provide an approach that outlines data protection measures that are proportionate to the risks at hand, and takes into account the nature of the data, the likelihood of access by foreign governments, and the severity of the potential harm.

On February 23, 2024, the UK Information Commissioner’s Office (the “ICO”) reported that it had ordered public service providers Serco Leisure, Serco Jersey and associated community leisure trusts (jointly, “the Companies”) to stop using facial recognition technology (“FRT”) and fingerprint scanning (“FS”) to monitor employee attendance.

On February 15, 2024, the Federal Trade Commission proposed a rule that would ban the use of AI to impersonate individuals, which would extend protections of a recently finalized FTC rule against government and business impersonation.  The FTC announced a public comment period for a supplemental Notice of Proposed Rulemaking (“NPR”) regarding the proposed rule that ends 60 days after being published in the Federal Register. The FTC’s swift action is in response to an AI-generated robocall mimicking President Biden that encouraged voters not to vote in the New Hampshire primary. FTC Chair Lina Khan described the FTC’s supplemental NPR as a key step in “strengthening the FTC’s toolkit to address AI-enabled scams impersonating individuals,” as malicious actors “us[e] AI tools to impersonate individuals with eerie precision and at a much wider scale.”

On February 12, 2024, California bill AB-1949 was referred to the Assembly Committee on Privacy and Consumer Protection. The bill would amend the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (the “CCPA”) to significantly expand businesses’ obligations with respect to the personal information of consumers under the age of 18.