2024 saw continued expansion of laws, regulations and enforcement actions concerning privacy and data security. With no overarching federal privacy law, states continue to expand their enforcement. Four new comprehensive state privacy laws took effect this year. By January 2025, comprehensive privacy laws will be in effect in 16 states.

Texas and California have increased enforcement of their privacy laws. The Texas attorney general (AG) launched a Data Privacy and Security initiative in its Consumer Protection Division, reached a $1.4 billion settlement with Meta regarding facial recognition, announced a new enforcement action against General Motors for sharing personal information with insurers and announced a new action against TikTok for sharing minors’ information. California’s AG announced the settlement of a privacy-related action against DoorDash, its second public settlement under the California Consumer Privacy Act (CCPA), while the California Privacy Protection Agency (CPPA) settled allegations against two data brokers for failing to register and pay the annual fee.

The Securities and Exchange Commission (SEC) adopted new cybersecurity regulations and provided clarity on disclosure obligations regarding material cybersecurity incidents. The SEC also penalized several companies for downplaying the impact of the SolarWinds breach on their operations. The New York Department of Financial Services (DFS) issued guidance addressing the rising use of artificial intelligence (AI) in cybersecurity attacks and how to consider those risks under its cybersecurity regulations.

Kramer Levin issued numerous alerts in 2024 on developments in this burgeoning area of law. We briefly summarize those alerts below.

DoorDash Settles California Consumer Privacy Act Enforcement Action

California’s AG announced the second public settlement of an enforcement action under the CCPA. This settlement requires DoorDash to pay a $375,000 civil penalty and comply with injunctive terms, which include submitting annual reports for the next three years regarding DoorDash’s compliance with the CCPA and the California Online Privacy Protection Act (COPPA) and reviewing DoorDash’s contracts with marketing and analytics vendors to evaluate whether it is selling or sharing personal information.

The complaint against DoorDash alleged that it participated in a marketing cooperative owned by KBM Group LLC (KBMG). DoorDash allegedly disclosed the names, addresses and transaction histories of its customers to KBMG in exchange for the opportunity to advertise its services, through KBMG, to the customers of other companies in the cooperative. The complaint also alleged that DoorDash did so without disclosing in its online privacy policy that it sold personal information, violating both the CCPA and COPPA, and without posting the “Do Not Sell My Personal Information” link on its website and mobile app as required by the CCPA. The settlement serves as a reminder of the broad definition of “sale” under the CCPA and the AG’s interpretation of the term, which according to the complaint includes any sharing or disclosure of personal information to a third party “in exchange for a benefit.”

SEC Adopts Significant Cybersecurity Amendments to Regulation S-P

The SEC adopted final amendments to Regulation S-P, which is a set of privacy rules that govern how certain financial institutions handle nonpublic personal information. These amendments seek to modernize requirements for broker-dealers (including funding portals); investment companies such as mutual funds, closed-end funds and business development companies (BDCs); SEC-registered investment advisers (RIAs); and transfer agents (collectively, Covered Institutions) to address the expanded use of technology and the corresponding risks that have developed since the rules were first adopted in 2000.

The adopted rules broaden the scope of information covered by Regulation S-P. They contain new requirements under the Safeguards and Disposal rules regarding a Covered Institution’s incident response plan, service provider oversight, recordkeeping and notices to individuals following a security incident. These adopted rules are distinct from additional cybersecurity requirements that the SEC proposed for RIAs, registered funds and BDCs in February 2022, as they are broader, with a greater focus on notice to individuals affected by breaches.

SEC Division of Corporation Finance Clarifies Form 8-K Disclosures of Material Cybersecurity Incidents

The director of the SEC’s Division of Corporation Finance, Erik Gerding, issued a statement regarding the new requirement to disclose material cybersecurity incidents on Form 8-K. The SEC’s cybersecurity disclosure rules took effect for most companies on Dec. 18, 2023, and require public companies to disclose incidents that are “determined by the registrant to be material” under Item 1.05 of Form 8-K. Item 1.05, “Material Cybersecurity Incidents,” and the adopting release state that Item 1.05 “is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident.” Under Item 1.05, a materiality determination must be made by the company “without undue delay” and must be based on whether there is a substantial likelihood that a reasonable investor would consider the information important or whether it would have significantly altered the total mix of information available. Once a public company deems an incident “material,” it must report the incident within four business days.

Since the new rules took effect, many companies have chosen to voluntarily report cybersecurity incidents under Item 1.05 out of an abundance of caution, even where the company had not yet made a materiality determination. Given the prevalence of both material and immaterial cybersecurity threats, Gerding encouraged companies to use Item 8.01, “Other Events,” to voluntarily report cybersecurity incidents that have not been deemed material to “allow investors to more easily distinguish between the two and make better investment and voting decisions with respect to material cybersecurity incidents.” Companies should carefully consider which item of Form 8-K to use when disclosing cybersecurity incidents.

Southern District of New York Dismisses Most Claims in SEC Cybersecurity-Related Enforcement Action Against SolarWinds

U.S. District Judge Paul A. Engelmayer dismissed most of the charges brought by the SEC against SolarWinds and its chief information security officer (CISO) related to its cybersecurity practices and disclosures. The SEC’s complaint, filed in the wake of the Russian SUNBURST cyberattack on SolarWinds, alleged that the company failed to maintain internal accounting controls to safeguard its software and failed to ensure that disclosure systems were in place so that upper management was informed of known security risks.

The court dismissed all but the SEC’s material misrepresentation claims related to the company’s website security statements, concluding that (i) Section 13(b)(2)(B) of the Exchange Act, which covers internal accounting controls, does not cover cybersecurity controls; (ii) the company’s erroneous internal rating of the severity of SUNBURST in the days after the attack, which resulted in a failure to elevate the incidents to top executives for disclosure evaluation, did not evidence inadequate disclosure controls; and (iii) the cybersecurity risk disclosures in the company’s S-1 and periodic disclosures were adequate and not misleading.

NY Department of Financial Services Releases AI Cybersecurity Guidance

DFS issued guidance recently concerning cybersecurity risks associated with AI and measures that covered entities (generally, banks, insurers and other classes of financial firms) may take to mitigate those risks. The guidance highlights four AI risks, with a particular emphasis on the use of deepfake technology to impersonate individuals and trick employees into divulging sensitive information. The guidance notes that AI may also enhance the speed and scale of cyberattacks, may enlarge the quantity of nonpublic information that covered entities store and may create supply chain vulnerabilities since the use of AI often involves third-party vendors.

The rest of the guidance discusses how AI risks may affect the existing requirements under DFS’s cybersecurity regulations, known as Part 500. Covered entities should consider AI threats as part of their periodic risk assessments and adjust their cybersecurity policies and procedures as needed as well as adjust their data management, monitoring and access controls for new AI risks.

SEC Announces Penalties Against Four Companies for Downplaying Severity of SolarWinds Cybersecurity Breach in Disclosures

The SEC announced it charged four technology companies with making materially misleading disclosures about the effect the SolarWinds cyberattack had on these issuers. To settle the claims, the companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Ltd., agreed to pay a total of nearly $7 million in civil penalties.

The SEC’s charges arose from an investigation of public companies that were potentially impacted by the SolarWinds cyberattack. The SEC claimed that the companies’ public disclosures, issued after they discovered they had been affected, “negligently minimized” the severity of the breaches and the new cybersecurity risks that arose from the attack. All four companies settled the charges without admitting or denying the allegations. These charges are a continuation of the SEC’s increasing focus on regulating company conduct related to cybersecurity risk management and breach disclosures.

Texas Attorney General Positions Itself as a Leader in Privacy Enforcement

Since the Texas Data Privacy and Security Act took effect in July, Texas has emerged as a leader in privacy enforcement. The Texas AG recently announced, “Any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law.” He has taken several major steps this year toward protecting consumer personal data, including launching a Data Privacy and Security Initiative dedicated to enforcing state and federal privacy laws, reaching a $1.4 billion settlement with Meta for its unauthorized use of biometric data, filing a lawsuit against General Motors alleging that the carmaker unlawfully collected and sold driving data from more than 1.5 million Texans without their knowledge or consent, and filing a lawsuit against TikTok for operating its social media platform in a manner that puts Texas children at risk.

As we head into 2025, we will continue to monitor these and other developments related to privacy and data security. Please reach out to Kramer Levin’s Privacy, Cybersecurity and Data Innovation group for more information.