The year 2023 saw continued expansion of public interest in privacy rights, data security and related legislation. Comprehensive privacy laws took effect in five states, while 12 more states enacted similar laws that will take effect in 2024 or 2025. Florida and Washington also passed privacy laws in 2023, although Florida’s law applies only to companies with more than $1 billion in annual revenue and Washington’s law focuses on health-related data. Washington’s My Health My Data Act, however, defines “consumer health data” so broadly that it will likely affect companies’ overall data practices. Connecticut and Nevada enacted copycat health-data legislation soon after the Washington law passed.
The Securities and Exchange Commission (SEC) finalized new cybersecurity reporting and disclosure requirements, which took effect in December 2023. The New York Department of Financial Services (NY-DFS) adopted major changes to its cybersecurity rules with stringent security requirements. This year also saw an increased focus on children’s data, with seven states passing laws to protect children’s privacy and at least 12 more considering similar legislation in 2023.
We see no indication that the global privacy and data security movement will slow down in 2024. While there was no significant advancement on a federal privacy bill in 2023, at least nine more states are currently considering comprehensive privacy laws as of December 2023.
Kramer Levin issued numerous alerts in 2023 on major developments in this burgeoning area of law. We briefly summarize those alerts below.
The NY-DFS adopted comprehensive amendments to its cybersecurity regulations (known as Part 500). The amendments took effect on Dec. 1, 2023, with “transitional periods” of up to 24 months for covered entities to comply with certain provisions. Major changes include heightened requirements for “Class A Companies” (those with more than $20 million in annual revenue from New York operations that also exceed an employee-count or total-revenue threshold), such as annual independent cybersecurity audits, privileged access management, enhanced password governance, and endpoint detection and response.
The amendments to Part 500 also require all covered entities to: provide notice of cybersecurity events (within 72 hours) and of ransom payments (within 24 hours); annually review a specified set of internal policies; perform annual risk assessments, penetration testing and automated vulnerability scanning; establish cybersecurity oversight by a senior governing body; maintain asset inventories; implement business continuity and disaster recovery plans; conduct annual cybersecurity awareness training; and submit annual certifications of compliance.
Gov. Gavin Newsom signed the Delete Act on Oct. 11, 2023, making it easier for California consumers to instruct data brokers to delete their personal information or refrain from selling or sharing it. Consumers already have the right to make such requests under the California Consumer Privacy Act (CCPA), but they must do so individually for each of the state’s 500 registered data brokers. The Delete Act consolidates this right into a single request that consumers may submit online, effective for all data brokers registered in California.
By a 3-2 vote on July 26, 2023, the SEC adopted final rules enhancing disclosure requirements regarding public companies’ cybersecurity risk management, strategy, governance and incident reporting. Beginning Dec. 18, 2023, the new rules require disclosure of “material cybersecurity incidents” in a Form 8-K that must be filed within four business days of determining that the incident is “material.” Companies must determine without “unreasonable delay” following discovery whether an incident is material; the four-day clock runs from that materiality determination, not from the date of discovery. Under the final rules, companies are required to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
The new rules also amended Regulation S-K to require annual disclosures describing a company’s cybersecurity risk management and strategy in Forms 10-K and 20-F, including “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” The SEC lists certain elements that should be included in these disclosures, including whether and how the company has integrated cybersecurity processes into its overall risk management system, whether it engages third parties such as consultants or auditors in connection with such processes, and whether it has processes in place to oversee material risks associated with any third-party service providers. Companies must also disclose which persons and committees hold cybersecurity responsibilities, explain the relevant expertise of such persons or committee members, and describe how they monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. The final rules also require disclosure of whether and how such persons or committees report information about cybersecurity risks to the board of directors.
On July 10, 2023, the European Union and the United States finalized the EU-U.S. Data Privacy Framework (DPF), an agreement that allows the personal data of EU residents to be transferred to certified companies in the United States without the need for additional agreements such as standard contractual clauses. The DPF is effective immediately and replaces the prior transfer agreements (Safe Harbor and Privacy Shield) that were invalidated by the EU Court of Justice.
On July 17, 2023, the U.S. Department of Commerce launched a new website through which companies can join the DPF. To comply, companies must self-certify and publicly agree to abide by the DPF Principles. Those principles largely follow the individual rights and company duties established by existing EU privacy laws and the 12 state privacy laws passed in the United States so far. Companies currently certified under the Privacy Shield have access to a simplified self-certification process. Companies that are not certified can create an account and upload documents for certification but may not publicly claim to adhere to the DPF Principles until their materials are verified by the Department of Commerce and they are listed as DPF certified on the website.
Two bills were introduced at the New York City (NYC) council meeting on April 27, 2023, that would amend NYC’s administrative code to more heavily regulate the collection and storage of biometric data by businesses and owners of residential buildings. The Tenant Data Privacy Act (TDPA) currently restricts the use of biometric data by residential building owners in NYC. TDPA requires owners of “smart access buildings” (i.e., buildings that use keyless entry systems, including those that use facial recognition and fingerprint scans for building access) to obtain consent before using biometric data and provide tenants with a retention and privacy policy. The TDPA also limits the biometric data that owners may collect to the minimum amount necessary to enable use of the smart access system.
One of NYC’s proposed bills would expand the scope of NYC’s existing local law to apply to all “places or providers of public accommodation” (i.e., restaurants, hotels, retail stores, museums, stadiums, etc.) and would require written consent before using biometric recognition technology to identify a customer. The second proposed bill would amend the TDPA to make it illegal for an owner of a “multiple dwelling” (i.e., residential buildings that are occupied, or will be occupied, by three or more families living independently of each other) to install, activate or employ any biometric recognition technology that identifies tenants or their guests without first obtaining their written consent or their consent through a mobile application.
In March 2023, Iowa became the sixth state to enact a comprehensive privacy law to protect personal data, joining California, Virginia, Colorado, Utah and Connecticut. Although privacy laws have existed in the United States for decades, until recently they were limited to certain industries, jurisdictions or data types. The Iowa law continues the growing movement worldwide to protect an individual’s general right to privacy.
While the patchwork of privacy laws in the United States may seem overwhelming, clear patterns have emerged regarding how companies can comply. For example, Colorado revised the final regulations implementing its privacy law to bring them in line with California’s privacy regulations, in response to public comments that an earlier version would prove unnecessarily burdensome for businesses that operate in both states. Iowa’s privacy law contains few surprises for privacy professionals. California still offers the most consumer protection, and a business that complies with the California Consumer Privacy Act should not need much additional effort to comply with the other five state privacy laws. Companies should also note that California’s privacy law applies to its roughly 40 million residents, while Virginia, Utah, Connecticut and Iowa have just over 3 million residents each.
On March 9, 2023, software company Blackbaud agreed to pay $3 million to the SEC to settle charges that it made misleading disclosures about a 2020 data breach involving customer bank account information and Social Security numbers. The order underscores again the importance of effective internal communication between data security and privacy personnel and the senior management responsible for a company’s public disclosures.
On May 14, 2020, Blackbaud detected that it had suffered a data breach that resulted in unauthorized access to more than 13,000 customers’ information. At that time, company personnel did not know whether bank account information or Social Security numbers had been accessed. Approximately two months later, on July 16, 2020, Blackbaud notified customers individually and via its website, stating that no bank account information or Social Security numbers had been accessed. Blackbaud personnel learned soon afterward that bank account information and Social Security numbers had, in fact, been accessed in unencrypted form. On Aug. 4, 2020, Blackbaud filed a Form 10-Q that did not disclose the unauthorized access to bank account information and Social Security numbers. Blackbaud eventually disclosed on Sept. 29, 2020, that the data breach had exposed customer bank account information and Social Security numbers.
In an era of increasing cyberattacks by varied threat actors, the board’s oversight of cybersecurity risk remains a key responsibility. In two recent cases, the Delaware Court of Chancery dismissed Caremark claims against directors following major cybersecurity incidents, concluding that the plaintiffs had failed to plead specific facts from which bad-faith liability on the part of the directors could plausibly be inferred. However, the growing threat of such incidents and the enactment of new, expansive privacy laws together underscore the need for boards to exercise appropriate care in overseeing these risks. Boards should ensure that they receive the information they need from management or outside experts to exercise such oversight, and should document their consideration of these risks.
As we head into 2024, we will continue to monitor these and other developments related to privacy and data security.