Some of the latest information on privacy and cyber in the US
NYDFS issues circular on use of AI in underwriting and pricing
On January 17, 2024, the New York State Department of Financial Services (NYDFS) published a draft circular letter for comment regarding the use of artificial intelligence systems and external consumer data and information sources in insurance underwriting and pricing. The letter, addressed to “all insurance companies authorized to write insurance in the State of New York, licensed fraternal benefit organizations, and the State Insurance Fund,” details NYDFS’ expectations and guidelines for the use of Artificial Intelligence Systems (AIS) and External Consumer Data and Information Sources (ECDIS). While NYDFS notes that AIS and ECDIS can provide certain benefits to consumers and insurers, it warns that “the self-learning behavior of AIS may result in inaccurate, arbitrary, capricious, or unjustifiably discriminatory outcomes.” It singles out the unique risk of AIS “increasing the risk” that such outcomes disproportionately impact marginalized or vulnerable communities and individuals.
Washington AG Office Update My Health My Data Act FAQ
The Washington State Attorney General’s Office has updated its Frequently Asked Questions on the Washington My Health My Data Act to provide guidance on the AG’s position on whether companies are required to publish a separate consumer health data privacy policy under the law. The update to the FAQ, first posted on January 11, 2023, states that (1) businesses must maintain a “separate and distinct link” to their consumer health data privacy policy; and (2) a consumer health data privacy policy may not contain information that is not required by the law.
NYDFS releases industry letter regarding use of self-service password reset functionality
On January 12, 2024, NYDFS released a new industry letter regarding the use of self-service password reset (SSPR) services. SSPR services allow users to reset their passwords without help desk or IT staff assistance. The letter describes the risks associated with the use of SSPR services; specifically, it explains the weaknesses of reset flows that rely solely on an email address (personal or business), SMS, or voice message to verify the user.
Making (brain)waves happen: Colorado’s new law to protect neural data privacy
On January 10, 2024, the Colorado General Assembly introduced House Bill 124-1058. This bill would amend the Colorado Privacy Act (CPA) to extend the protections currently provided to “sensitive data” to neural, genetic, and other biological data.
NY AG’s Office Announces Significant Cybersecurity Settlement with Healthcare Company
On January 5, 2024, the New York State Attorney General’s Office announced a settlement with Lehua Health Centers Inc. for allegedly failing to adequately protect patient information, including failing to encrypt patient information or use multi-factor authentication. A ransomware attack in May 2021 affected approximately 300,000 patients. As part of the settlement, the company will pay a penalty of $450,000, with a further $100,000 suspended on the condition that it spends $1.2 million between fiscal years 2024 and 2028 to develop and maintain its information security program.
Colorado recognizes Global Privacy Control as first effective universal opt-out mechanism
On December 29, 2023, the Colorado Attorney General announced that the Global Privacy Control (GPC) will be the first universal opt-out mechanism that the AG recognizes as valid under the CPA. Effective July 1, 2024, controllers subject to the CPA must treat a GPC-compliant browser signal sent by a Colorado consumer as that consumer’s request to opt out of data sales or targeted advertising.
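As an added illustration (not code from the newsletter or the Colorado AG), a minimal request handler showing what honoring the GPC signal looks like on the controller’s side: the spec’s `Sec-GPC: 1` header is treated as an opt-out request and the site declares its support via `/.well-known/gpc.json`. The function names, the stored-preference object shape and the sample requests are assumptions of this example.

```javascript
// Added example, not code from the newsletter or the Colorado AG: a minimal
// request handler that honors the Global Privacy Control (GPC) signal.
// Per the GPC spec, a conforming browser sends the header "Sec-GPC: 1";
// under the CPA recognition described above that signal must be treated as
// the consumer's request to opt out of data sales and targeted advertising.
// The handler also serves /.well-known/gpc.json, the spec's resource for
// declaring that a site honors GPC. Function names, the stored-preference
// object shape and the sample requests below are assumptions of this example.

// Header names are case-insensitive; the only conforming value is "1".
function hasGpcSignal(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Merge the browser signal with any preference the consumer recorded earlier.
// A GPC signal can only add opt-outs; it never clears a stored opt-out.
function resolveOptOut(headers, stored) {
  const gpc = hasGpcSignal(headers);
  const storedOptOut = Boolean(stored.optedOutOfSale || stored.optedOutOfAds);
  return {
    sellData: !(gpc || stored.optedOutOfSale),
    targetedAds: !(gpc || stored.optedOutOfAds),
    source: gpc ? "gpc-signal" : storedOptOut ? "stored-preference" : "none",
  };
}

// Tiny router: the well-known resource, or a page whose targeted-ad
// behaviour is gated on the resolved opt-out state (body kept symbolic).
function handleRequest(path, headers, stored, lastUpdate = "2024-07-01") {
  if (path === "/.well-known/gpc.json") {
    return { status: 200, body: JSON.stringify({ gpc: true, lastUpdate }) };
  }
  const optOut = resolveOptOut(headers, stored);
  return {
    status: 200,
    optOut,
    body: optOut.targetedAds ? "page+ads" : "page-only",
  };
}

// Constructed sample requests: a GPC-enabled browser and one without the signal.
const gpcRequest = { "Sec-GPC": "1", "User-Agent": "constructed/1.0" };
const plainRequest = { "user-agent": "constructed/1.0" };
```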
FBI develops decryption tool to combat BlackCat ransomware
On December 19, 2023, the Department of Justice announced a disruption campaign against the BlackCat ransomware group. The same press release states that the Federal Bureau of Investigation has developed a decryption tool to counter the ALPHV/BlackCat ransomware variant. Over the past few years, BlackCat ransomware has grown in popularity and has become one of the most prevalent ransomware families in the world. Since its emergence, the group has targeted more than 1,000 networks in a wide range of industries, including networks supporting critical infrastructure.
NYDFS issues consent order in first enforcement action under cybersecurity regulations
After a three-year investigation and enforcement action, NYDFS has entered into a consent order with a major insurance company for the insurer’s violations of NYDFS’ Cybersecurity Regulation (23 NYCRR Part 500), particularly its failure to protect non-public information. NYDFS originally filed the enforcement action in July 2020 (the SEC conducted its own investigation and enforcement action, which concluded in 2021).
FCC plans to update data breach notification rules
After a decade and a half under the current data breach notification rules for telecommunications carriers and telecommunications relay service (TRS) providers, the Federal Communications Commission (FCC) has announced plans to update and expand the rules. On November 22, 2023, the FCC issued a report and order adopting updates to its current data breach notification rules. While the new rules ease the burden on carriers and TRS providers by relaxing the requirement to notify customers of breaches in some circumstances, they also expand the scope of the rules in important respects.
CPPA issues revised cybersecurity audit rules ahead of board meeting
On December 8, 2023, the California Privacy Protection Agency (CPPA) will hold a board meeting to seek public comment on various privacy regulations. The meeting, held on Zoom, will cover several topics listed on the published agenda. The New CPRA Rules Subcommittee will provide an update and presentation on the draft rules regarding automated decision-making technologies, risk assessments, and cybersecurity audits. Other topics of discussion include proposed insurance regulations under the California Consumer Privacy Act, proposed regulations regarding the CPPA’s data broker registration fees under the DELETE Act, and updates on the CPPA’s intergovernmental engagement, legislation, agency proposals, and priorities.
Colorado releases list of candidates for universal opt-out mechanism
On November 21, 2023, the Colorado Attorney General announced a short list of potential universal opt-out mechanisms (UOOMs) that the AG is considering recognizing as binding under the CPA. Beginning July 1, 2024, the CPA will require covered controllers to honor Colorado consumer requests to opt out of data sales and targeted advertising that are sent through a UOOM meeting the technical specifications set forth in the CPA Regulations.
Ransomware group files regulatory notice with SEC amid extortion attempt
Just a month before the Securities and Exchange Commission’s Material Cybersecurity Incident Rule went into effect, a ransomware group appears to have taken compliance with the reporting requirements into its own hands. On November 15, 2023, the ransomware group known as BlackCat (also known as ALPHV) posted a notice on its leak site claiming that on November 7, 2023 it had compromised the network of a software company that provides digital lending solutions to financial institutions, and that it had stolen “customer data and business information” from the company’s servers. What makes this latest extortion attempt unique is that, in addition to publishing the software company’s name on the leak site, BlackCat also claims to have filed a complaint with the SEC alleging that the company failed to file the Form 8-K required under the SEC’s new Material Cybersecurity Incident Rule.
Selected global privacy and cybersecurity updates
National Cyber Security Center predicts future cyber threats using AI in attacks
On 24 January 2024, the UK’s National Cyber Security Centre published a new report, “The near-term impact of AI on the cyber threat”, detailing how artificial intelligence will affect the effectiveness of cyber operations in 2025 and beyond. The report says threat actors are already using AI in cyberattacks, and that malicious use of AI will “almost certainly” increase the volume and impact of cyberattacks, particularly ransomware, over the next two years.
Do you use EU Standard Contractual Clauses for data transfers? Be aware of these breach notification requirements
It is no secret that the General Data Protection Regulation (2016/679) (GDPR) severely restricts the transfer of personal data outside the European Union (EU). In the absence of an adequacy decision by the European Commission, the GDPR permits controllers and processors to transfer personal data to third countries outside the EU only under an approved transfer mechanism, the EU Standard Contractual Clauses being the most common. Businesses that use the EU Standard Contractual Clauses to “import” personal data originating from the EU should be aware of the breach notification requirements those clauses impose.
EU Supreme Court issues major judgment on AI with far-reaching implications
On December 7, 2023, the Court of Justice of the European Union issued an important decision on how the GDPR governs AI-assisted decisions. The case arose in the financial services context, and the court held that the GDPR’s AI rules apply when banks use credit scores to make credit decisions about consumers. But the decision is likely to affect more than just financial services. Regulators have already indicated that it could be applied to other industries and business processes where AI is increasingly playing a role, such as employment, healthcare and housing.
EU lawmakers agree to EU artificial intelligence law, businesses brace for change
On 8 December 2023, after long negotiations, EU legislators reached a political agreement on the long-awaited EU Artificial Intelligence Act. The AI Act is billed as the world’s first comprehensive legal framework for AI systems, imposing obligations on both private and public sector actors who develop, import, distribute, or use covered AI systems.