
Today, encountering a cookie banner is a common experience for most individuals who peruse the internet. These banners inform website users of the presence of cookies or other tracking technologies through language such as, “This website uses cookies. By clicking ‘accept,’ you consent to the use of all cookies.” Many states require companies to provide consumers with certain disclosures regarding tracking technologies, and some require that users are provided an opportunity to opt out of tracking. However, even in states without specific disclosure or opt-out requirements, businesses may still be at risk. In July 2024, the Office of the New York State Attorney General (OAG) published guidance that provides some clear examples of what is acceptable and what is considered misleading in the flow, language, and design of cookie banners.

New York’s OAG Investigation

New York does not yet have a comprehensive set of privacy regulations, so there is no requirement that websites give users the opportunity to opt out of tracking. However, the NY OAG guidance states that if a business makes inaccurate or misleading representations about tracking on its website, it is at risk of violating New York’s consumer protection laws. Thus, if a website displays a cookie banner that is faulty, that business can be prosecuted under New York law despite the lack of a specific privacy regulation. Even more concerning is that New York’s Unfair, Deceptive, or Abusive Acts or Practices (UDAP) statute provides for a private right of action with an attorney’s fees provision, increasing the likelihood of and incentive for future litigation (N.Y. Gen. Bus. Law § 349(h)).

The New York OAG analyzed several popular websites and found that many continued to track users after they had opted out of tracking. The investigation identified several causes of this defect. For example, many websites separate tags or cookies based on categories (such as marketing or fraud detection). Websites often give users the option to disable tracking for certain categories. However, if tags are miscategorized or uncategorized, tracking can remain active after a user attempted to disable a specific category.

Additionally, the investigation found that some websites may be mistakenly relying on “limited data use” features offered by third-party cookie providers. While certain companies provide businesses with the option to have more control over data use, many such features are only available in states with comprehensive privacy laws. In states without such regulations, providers may continue to collect and use consumer data.

Further examples of potential pitfalls identified by the OAG investigation include misconfigured cookie consent tools that fail to adhere to consumers’ chosen privacy settings; tags and cookies that are not configured to a website’s specific privacy controls; and websites only applying privacy choices to third-party cookies while continuing to use other tracking technologies.

The New York OAG guidance provides very clear examples of what is not allowed in cookie banners, such as hidden “save” features, accept-only options, or confusing accept buttons. The guidance also provides some recommendations for businesses to prevent potential legal violations. These recommended processes include designating a specific individual to manage tracking technology, investigating new technology before it is used, and conducting appropriate testing and review of tracking tools.

Key Takeaway

Companies should regularly audit and assess their use of tracking technologies and the disclosure and opt-out functionality in their cookie banners, and they should refer to the “dos and don’ts” published by the New York OAG, in conjunction with the regulatory, legislative, and litigation developments in this area.

For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point or reach out to one of our authors.


Bradley’s Government Enforcement and Investigations team keeps a close eye on the different ways the government is using the False Claims Act (FCA) to seek redress for cybersecurity deficiencies and force companies into a new technological era. Check out this blog post by Brad Robertson and Cara Rice, two members of Bradley’s Government Enforcement and Investigations Practice Group, about the U.S. Department of Justice’s first major complaint-in-intervention accusing a government contractor of violating the FCA through cybersecurity deficiencies.


The Intelligence Authorization Act for Fiscal Year 2025 (S.4443) is a bold legislative step in addressing ransomware as a critical threat. The act’s provisions, from elevating ransomware to a national intelligence priority to establishing an AI Security Center, illustrate the U.S.’s comprehensive approach to tackling this complex issue. The act sets the stage for a resilient defense against ransomware by fostering public-private partnerships and maintaining accountability. In this post, we explore the act’s critical cybersecurity and ransomware-related provisions and their implications for enhancing the nation’s security posture.

Deeming Ransomware Threats to Critical Infrastructure a National Intelligence Priority

The act elevates ransomware to a national intelligence priority, underscoring its grave potential to disrupt critical infrastructure and destabilize the economy. By prioritizing ransomware, the act allocates substantial intelligence resources toward understanding, mitigating, and preventing these attacks. The act empowers the Director of National Intelligence to proactively identify and track the perpetrators behind these attacks and develop effective countermeasures based on the attackers’ tactics, techniques, and infrastructure.

Mandating a Report on Ransomware Threats

The act requires the Director of National Intelligence to submit a comprehensive report to Congress detailing the national security implications of ransomware threats. This report equips policymakers with critical insights to develop more informed and effective legislative and policy responses. Undoubtedly, by requiring regular assessments, the act ensures that the intelligence community remains agile and adaptive in safeguarding national interests.

Establishing a Process for Designating State Sponsors of Ransomware

The act introduces a novel process for designating nations that support ransomware activities as “state sponsors of ransomware.” This provision mirrors the established framework for designating state sponsors of terrorism, enabling the application of similar diplomatic and economic pressures to countries. This designation aims to hold accountable those nations that actively support or provide safe havens for cybercriminals engaged in ransomware activities.

By labeling certain countries as state sponsors of ransomware, the U.S. acquires the authority to impose sanctions and penalties, thus creating a strong disincentive for nations to harbor or support ransomware groups.

Sense of Congress on Hostile Foreign Cyber Actors

The act further solidifies Congress’ stance against ransomware actors by expressing its view that foreign ransomware organizations and their affiliates should be considered hostile foreign cyber actors. This designation can pave the way for more aggressive legal and policy actions against these groups.

Moreover, the act takes a proactive approach by explicitly naming specific ransomware groups, such as DarkSide and Black Basta, and categorizing them as “hostile foreign cyber actors.” This label sends a clear message that their activities will not be tolerated and that the U.S. intelligence community is committed to countering their operations. However, the fluid nature of the cybercriminal underground poses a challenge. Ransomware groups often rebrand and reorganize to evade law enforcement. While naming specific groups highlights immediate threats, the legislation’s adaptability is crucial to address the ever-evolving cyber threat landscape.

Enhancing Public-Private Partnerships

The act recognizes a simple truth: We can’t fight cybercrime alone. It calls for a united front, bringing together the public and private sectors to combat the ever-evolving ransomware threat. By encouraging collaboration, the act aims to facilitate sharing critical information – threat intelligence, best practices, and technological breakthroughs. The private sector, particularly those companies operating within critical infrastructure and the cybersecurity industry, plays an indispensable role in this collective defense effort.

Establishing the Artificial Intelligence Security Center

The act acknowledges the double-edged sword of emerging technologies. While new technologies may present new vulnerabilities, they also can be powerful tools in the fight against ransomware. That’s where the new Artificial Intelligence (AI) Security Center comes in. Its mission is to strengthen our ability to detect and counteract AI-related threats, including those posed by ransomware.

The AI Security Center will focus on developing and deploying AI-powered tools to identify patterns in ransomware attacks, predict potential targets, and even automate responses. By harnessing AI’s power, the center aims to stay one step ahead of cybercriminals who are increasingly using sophisticated technology in their attacks.

Reporting and Accountability

The act strongly emphasizes transparency and accountability in the fight against ransomware. It mandates regular reporting to Congress on the progress and efficacy of measures implemented to combat this threat. These reports will offer valuable insights into the evolving ransomware landscape, the successes and challenges of current strategies, and areas requiring further attention.

Furthermore, the act mandates the prompt reporting of ransomware attacks, particularly those impacting critical infrastructure, aiming to get the intelligence community and other relevant agencies to respond swiftly and effectively.

Conclusion

The Intelligence Authorization Act for Fiscal Year 2025 marks a watershed moment in the U.S. government’s battle against ransomware. It’s not just another piece of legislation; it’s a clear statement that we’re taking this threat seriously. In essence, this act represents a bold step forward, highlighting a comprehensive and multi-faceted approach to tackling the complex ransomware issue.


Privacy issues are inherent in almost all facets of a business — from operations, employment, and technology to customer service, contracts, legal and compliance — all with varying degrees of risk. Most companies mitigate risk by standardizing processes and procedures to handle certain common or low-risk situations. This is helpful in streamlining repetitive inquiries that typically have the same or similar answers or action items.

One such area is a company’s response to validly issued subpoenas and warrants. When a U.S. company receives a court-issued subpoena or valid warrant, the process for responding is relatively clear and the risk of disclosing personal information is mitigated by the legal process involved (and further bolstered by the fact that most privacy laws provide exceptions to disclosure of personal information to law enforcement).

However, this process assumes that the law enforcement agency, and its subpoena or warrant, has valid authority. A new lawsuit against Verizon Communications, Inc. alleges in a North Carolina federal court complaint that the company violated federal privacy law by giving the plaintiff’s personal information to an individual she met online and who later stalked and threatened to kill her, arriving at her house with a knife. The complaint alleges that the perpetrator pretended to be a police detective and provided Verizon with a fake search warrant. Although damages, cognizable injury, and even legal standing to bring a claim can be difficult to prove in privacy cases, this case presents unique facts where the victim was at risk of physical harm, and accordingly, could be awarded significant, tangible damages. M.D., the victim, has brought claims alleging violations of the federal Stored Communications Act, as well as state tort causes of action for intentional and negligent infliction of emotional distress.

The Stored Communications Act prohibits Verizon from “knowingly divulg[ing]” the contents of communications to any person, or “a record or other information pertaining to a subscriber to or customer … to any governmental entity,” subject to certain exceptions, which include validly issued criminal subpoenas (18 U.S.C. § 2702). The harm that allegedly befell M.D. was purportedly caused by the disclosure of her personal information, not necessarily the “contents” of her communications, which might provide Verizon with a defense to the federal charge. It’s not clear on the face of the complaint that the “contents” of any communications were provided, and Verizon did not, in fact, disclose subscriber/customer information to a governmental entity — it disclosed M.D.’s information to her civilian stalker.

M.D.’s negligence claim, on the other hand, might cause Verizon more trouble. Similar to other types of fraud or online scams, the perpetrator’s email address did not match any official government email, the “search warrant” was full of misspellings, typos, or other errors, and the judge that presumably signed the warrant was not even a judge in the county in which the “search warrant” was issued — according to the complaint. Damages may be different in this case, but the legal analysis could be analogous to email spoofing/phishing cases: Was Verizon negligent in failing to notice these common hallmarks of a fraud?

Few cases reach the point where courts or fact finders weigh in on the reasonableness of how a business handled spoofed/phishing communications because in the banking context, where these claims most commonly arise, state versions of the Uniform Commercial Code often displace traditional negligence principles. Given the facts and potential damages at issue here, Verizon may settle before the issue is resolved, but the mere filing of the complaint serves to put businesses on notice of yet another avenue by which they might be subject to attack — the phishing subpoena. Businesses should confirm that their policies and procedures are up to date to handle everything criminals throw at them. An ounce of prevention and training, in this case recognition of common fraud signs and verification with law enforcement regarding the subpoena’s validity, might save a business hundreds of thousands of dollars in litigation costs.


In Part I, we discussed the European Commission’s (“Commission”) disapproval of Meta’s “pay or consent” subscription model. In Part II, we delve into the European Commission’s findings, prior findings by the European Data Protection Board (EDPB), and how those findings may affect future models where privacy is considered “for sale.”

The European Commission’s Findings Against Meta

The Commission’s preliminary view is that Meta’s model does not comply with Article 5(2) of the Digital Markets Act (DMA), which requires that users who do not consent to data combination must still have access to an equivalent service that uses less of their personal data. The investigation, which began in March 2024, highlighted that Meta’s model does not provide an equivalent service that uses less personal data for users who refuse consent. In other words, the model coerces users into consenting to personalized ads to avoid paying a fee, undermining their rights to freely consent to the use and processing of their personal data.

The Commission emphasized that compliance with the DMA means offering users an equivalent alternative that respects their data privacy choices without forcing them into consent through financial penalties.

Non-compliance with the DMA can lead to fines of up to 10% of a gatekeeper’s total worldwide turnover, increasing to 20% for repeated infringements. Additionally, the Commission can impose operational remedies, such as compelling Meta to divest parts of its business or restricting future acquisitions. Meta now has the opportunity to respond to these preliminary findings by examining the investigation documents and submitting a written defense. The investigation will conclude within 12 months from the opening of proceedings on March 25, 2024.

The EDPB’s Opinion on “Consent or Pay” Models

Earlier this year, the EDPB adopted Opinion 08/2024 in response to a request from the Dutch, Norwegian, and Hamburg data protection authorities. The opinion addresses the validity of consent to process personal data for behavioral advertising in “consent or pay” models implemented by large online platforms.

The EDPB defines “consent or pay” models as scenarios where users must either consent to the processing of their personal data (typically for behavioral advertising) or pay a fee to access the service without such data processing. The EDPB’s opinion specifically targets large online platforms, which, due to their significant user base and influence, require a consistent regulatory approach across the European Economic Area (EEA). This uniformity is crucial given the widespread impact on data subjects.

EDPB Chair Anu Talus highlighted the need for online platforms to provide users with a real choice, noting that current models often force users to either give away all their data or pay a fee. The EDPB considers that in most cases, such models do not comply with the GDPR’s requirements for valid consent, which must be freely given, informed, specific, and unambiguous.

The EDPB’s opinion stressed that consent must be given without any form of coercion or significant negative consequences for the user. A “pay or consent” model can only satisfy this requirement if the fee is not prohibitively high, ensuring that users have a genuine choice. The fee should not exclude users from essential services, especially those crucial for social or professional engagement. Users must fully understand what they are consenting to, including clear information on the nature and purpose of data processing and the consequences of giving or withholding consent. The EDPB stresses the importance of transparency and cautions against complex or deceptive designs that could mislead users, similar to the prohibition on “dark patterns” under U.S. state privacy laws.

Consent must be specific to distinct processing activities. Users should have the option to consent to various data processing purposes separately. The practice of bundling multiple purposes into a single consent request undermines the specificity required by the GDPR. The process for obtaining consent must be straightforward and clearly indicate the user’s intentions without any ambiguity. Users should be able to give their consent through clear, affirmative actions.

The Commission’s preliminary findings against Meta align closely with the EDPB’s Opinion 08/2024. Both regulatory bodies emphasize that Meta’s “pay or consent” model fails to provide users with a genuinely equivalent alternative to consent for data processing. The EDPB’s opinion highlights that such models often do not meet GDPR standards for valid consent, while the Commission’s findings indicate that Meta’s model violates the DMA by coercing users into consenting to certain data processing.

The EDPB recommends that platforms should provide an equivalent alternative that does not involve behavioral advertising and does not require a fee. This alternative should ensure that all users can access the service without being forced into a binary choice. If behavioral advertising is necessary, platforms should consider using less intrusive forms of advertising that do not rely on extensive data processing. This approach aligns with the GDPR’s data minimization principle, which mandates that only data necessary for the intended purpose should be processed. This is also in alignment with U.S. state privacy law requirements to only process “relevant and reasonably necessary” data.

Platforms must provide clear and comprehensive information about data processing activities, including detailed explanations of what data will be collected, how it will be used, and the potential impacts on users’ privacy. Transparency is crucial to ensure that users can make informed decisions.

The EDPB highlights challenges in balancing business models that rely heavily on advertising revenue with compliance requirements. Platforms must implement mechanisms that genuinely offer users a choice without coercion or undue influence. This includes setting appropriate fee levels and providing clear, understandable information about data processing practices. Platforms must continuously adapt their practices to meet evolving regulatory expectations, ensuring that user rights are consistently upheld.

Conclusion

The EDPB’s opinion underscores the importance of adhering to fundamental GDPR principles in the context of “consent or pay” models. It calls for large online platforms to ensure that their consent mechanisms are designed to offer real, uncoerced choices to users, maintaining the integrity of data protection rights. Compliance with these guidelines is crucial not only for legal adherence but also for fostering trust and transparency with users. Further, these concepts are present under U.S. law and there is a growing cooperation between U.S. privacy regulators and EU data protection authorities to address issues such as consent, targeting advertising, data minimization, and transparency.

The outcome of this investigation will have far-reaching implications for many businesses, setting a precedent for the enforcement of gatekeeper practices and the promotion of a fair and competitive digital market. This case exemplifies the EU’s commitment to regulating the power of large digital companies and fostering an open digital landscape. This case also provides insight into U.S. regulatory priorities and previews how privacy issues could be addressed under U.S. state privacy laws. Our team at Bradley will continue to monitor these developments.



In November of 2023, Meta launched a service in the European Union that allowed users to utilize the Facebook and Instagram platforms “ad free” for a monthly fee. The subscription service was meant to address regulatory concerns about Meta’s vast data collection and surveillance-based advertising system that tracks consumers across websites. The concept introduced a binary choice: Either subscribe to an ad-free version of these social networks for a monthly fee or use a free version that includes personalized ads.

On July 1, 2024, the European Commission announced its disapproval of this model and preliminary findings against Meta’s “pay or consent” process, stating that it violates the Digital Markets Act (DMA). In fact, the European Commission posted the following on its own Facebook account:

The “Pay or Consent” advertising model of Meta fails to comply with the Digital Markets Act. Our preliminary findings show that this choice forces users to consent to the combination of their personal data and fails to provide them a less personalized but equivalent version of Meta’s social networks.

The DMA is the EU’s legislation aimed at ensuring fairer and more contestable markets in the digital sector. It establishes clear criteria to identify “gatekeepers” — large digital platforms providing core platform services like online search engines, app stores, and messenger services. These gatekeepers must comply with a set of obligations and prohibitions to ensure an open and competitive digital market. The DMA complements existing EU competition rules without altering them.

Gatekeepers under the DMA must allow third parties to interoperate with their services, grant business users access to data generated on their platform, and provide transparency in advertising. They are prohibited from favoring their own services over those of competitors, preventing users from uninstalling pre-installed software, and tracking users for targeted advertising without effective consent.

The Commission’s findings under the DMA focused on two issues. First, that the service effectively required an individual to relinquish all rights to their personal data unless they were willing to pay for an equivalent service. Second, the binary options provided were an illusion of choice and failed to meet the requirements for freely given consent.

These are also issues that reverberate outside of the EU. U.S. state regulators, as well as the Federal Trade Commission (FTC), have been focused on similar concerns – namely, whether companies can require personal information as part of a financial incentive without a discriminatory effect and what constitutes freely given, informed consent to process personal information.

In Part II of this discussion, we will take a deeper dive into the European Commission’s findings against Meta and how those findings may influence privacy law and enforcement more broadly, including here in the United States.

Our team at Bradley will continue to monitor these developments.


As discussed in our previous blog post, the Cybersecurity and Infrastructure Security Agency (CISA) is proposing a significant new rule to bolster the nation’s cyber defenses through mandatory incident reporting. While designed to enhance CISA’s ability to monitor and respond to cyber threats, the rule has ignited a contentious debate. The concerns raised highlight the delicate balance between strengthening national security and avoiding undue burdens on businesses.

Broad Concerns and Overreporting Fears

A key concern across various industries is that the rule’s broad scope could capture over 300,000 entities, many not traditionally considered critical infrastructure. This could lead to overreporting, overwhelming CISA with low-value data, and potentially diverting resources from addressing significant threats. Critics, including Sen. Gary Peters, advocate for a more targeted approach, focusing on incidents with genuine national security implications.

Furthermore, the existing patchwork of over 50 federal breach reporting rules across various agencies raises concerns about redundancy and increased compliance burdens for businesses. The proposed rule could add another layer of complexity without necessarily enhancing cybersecurity outcomes.

Manufacturing Sector’s Alarm Bells

The National Association of Manufacturers (NAM) is particularly worried about the rule’s potential impact on its members. The NAM argues that the broad definition of “covered entities” could ensnare numerous manufacturers operating outside traditional critical infrastructure, burdening them with complex and costly reporting requirements they may not be equipped to handle. The NAM also criticizes the expansive definition of reportable incidents, advocating for a more targeted approach focused on incidents that genuinely impact critical infrastructure and national security.

Healthcare’s Unique Challenges

Healthcare and hospital groups raise unique concerns due to their sector’s interconnected nature. They argue for the inclusion of insurers and third-party vendors under the rule, as the exclusion of key entities like health IT providers and labs could lead to significant disruptions if they are targeted by cyberattacks. The strict 24- and 72-hour reporting deadlines are also a concern, as they could divert resources from patient care during a crisis and impose financial burdens on under-resourced hospitals and providers. These groups have requested financial support and technical assistance to help comply with new requirements without compromising patient care.

Finding a Middle Ground

To address these concerns, several recommendations have been proposed:

  1. Reconsider the Scope – Focus on those entities and reportable incidents with significant impact on critical infrastructure and national security.
  2. Streamline Reporting – Develop a unified reporting mechanism that harmonizes with existing regulations.
  3. Provide Support – Offer technical and financial assistance to smaller entities.
  4. Clarify Definitions – Clearly define key terms to prevent overreporting and ensure consistent interpretation.
  5. Flexibility – Tailor reporting requirements to specific industry needs, such as healthcare’s need for immediate incident response.

Balancing Security and Practicality

The debate surrounding CISA’s proposed rule underscores the challenge of balancing robust cybersecurity measures with practical, feasible compliance for businesses. Open dialogue and collaboration between CISA and industry stakeholders are crucial to finding a middle ground that strengthens national security without imposing undue burdens. By addressing industry concerns and refining the rule, CISA can create a framework that effectively protects critical infrastructure while fostering a collaborative approach to cybersecurity.



A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. This notice aims to enforce the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comments until July 3, 2024. After this period, CISA has 18 months to finalize the rule, with an expected implementation date around October 4, 2025. The rule should be effective in early 2026. This document provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD 21). These sectors are: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within critical infrastructure sectors, except small businesses
  2. Entities in critical infrastructure sectors that meet sector-based criteria, even if they are small businesses

Size-Based Criteria

The size-based criteria use Small Business Administration (SBA) standards, which vary by industry and are based on annual revenue and number of employees. Entities in critical infrastructure sectors exceeding these thresholds are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, such as third-party compromises, denial-of-service attacks, and vulnerabilities in open-source code. However, threats or activities carried out at the request of the system’s owner or operator are not included. Substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports within 72 hours of identifying an incident
  • Ransom Payment Reports due to a ransomware attack within 24 hours of payment
  • Joint Covered Cyber Incident and Ransom Payment Reports within 72 hours for ransom payment incidents
  • Supplemental Reports within 24 hours if new information or additional payments arise

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director can issue a request for information (RFI) if an entity fails to submit a required report. Non-compliance can lead to civil action or court orders, including penalties such as debarment and restrictions on future government contracts. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the rule will not be effective until late 2025, companies should begin preparing now. Entities should review the proposed rule to determine if they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart can help track various incident reporting obligations. Proactive measures and potential formal comments on the proposed rule can aid in compliance once the rules are finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.


In the middle of the 20th century, there was a massive expansion of the retail credit market. Everything from boats to sewing machines to kitchen appliances was bought and sold through increasingly complex credit arrangements. These credit arrangements would extinguish a consumer’s right to dispute any terms of the contract once a loan was assigned, legally binding the consumer to pay the holder of the contract, even if the sale was fraudulent. These “cut off” clauses were considered standard, and consumers had no choice, as the contract was presented as a “take it or leave it” agreement.

In a recent lecture, the director of the Federal Trade Commission’s Bureau of Consumer Protection compared these credit contracts to the concept of notice and choice in today’s digital world of data collection and privacy concerns. The director characterized notice and choice as “weaponizing fine-print contractual provisions to shift risk and responsibility away from themselves and onto consumers.”

The director’s remarks focused on the commission’s response to these mid-century credit contract provisions by implementing the Holder Rule. This rule reallocated the risk of misconduct by sellers, allowing consumers to assert claims and defenses against any holder of the loan. The rule created incentives for creditors to self-police the retail market, as any subsequent creditor could now be held responsible for the originator’s bad acts.

The director went on to dispel the notion that this type of model, if applied to privacy concerns, would disrupt business and the digital marketplace by saying:

[D]espite dire warnings from industry, these changes did not make the sky fall or cause the credit market to dry up. Consumer credit continues to be very competitive, and the Holder Rule continues to provide fundamental protections that promote confidence in the lending system.

. . .

As the Holder Rule shows, well-designed government action does not distort the free market – it makes it work better. By properly aligning incentives and allocating legal responsibility, trust grows and firms can compete on value. To be clear, humility is an important virtue for regulators; unintended consequences, regulatory burden, and imperfect information are all ever-present concerns. But there are also risks to inaction, and the consequences of failing to act can leave the public worse off, especially when it allows businesses to shift the cost of misconduct onto consumers. We saw that in credit markets half a century ago, and we see it in our digital economy today.

See Toward a Safer, Freer, and Fairer Digital Economy, How Proactive Consumer Protection Can Make the Internet Less Terrible, Remarks of Samuel Levine, Fourth Annual Reidenberg Lecture, Fordham Law School, April 17, 2024.

The director concluded his remarks by emphasizing that the FTC is currently taking, and intends to continue to take, bold action and use every tool in its arsenal to protect privacy, combat online dark patterns and manipulation, and safeguard the public from other harms. The closing remarks signaled that the FTC intends to take further action to protect consumers’ privacy rights by moving away from notice and consent and placing the onus on businesses through legal remedies similar to those present in the Holder Rule.

Finally, the director did not say what an application of a Holder Rule analogue in the privacy space would look like in practice. However, this is certainly an area to stay abreast of, as the FTC becomes more active in this space and continues to look for ways to address these issues through its rulemaking authority.


The healthcare sector is increasingly facing cyber-threats, with ransomware and hacking at the forefront. In the last five years, there has been a staggering 256% rise in significant hacking-related breaches and a 264% surge in ransomware incidents reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Hacking alone was responsible for 79% of the major breaches reported to OCR in 2023. These breaches have had a profound impact, affecting over 134 million individuals in 2023 alone, marking a 141% increase from the previous year. In response to the rise in cyber-threats within the healthcare industry, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) should be proactive in aiming to mitigate or prevent the growing menace of cyber-attacks. This article will delve into OCR’s guidance, exploring the practical steps and measures that organizations can implement to bolster their cybersecurity defenses.

Cybersecurity Readiness

Cyberattacks dominated the news in 2023, with hacking and IT breaches impacting government bodies, leading corporations, and critical supply chains, including those for vital resources like gasoline. The healthcare sector faced an especially challenging year, as cybercriminals targeted hospitals and healthcare systems. On February 14, 2024, OCR released two Congressional Reports concerning compliance and enforcement under HIPAA. These documents offer crucial insights for entities regulated by HIPAA aiming to bolster their compliance strategies.

OCR Director Melanie Fontes Rainer stated: “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.” Notably, as in previous years, hacking/IT incidents remain the largest category of breaches and affected the most individuals. Network servers continued as the largest category by location for breaches involving 500 or more individuals.

The breach reports that OCR received revealed common vulnerabilities and deficiencies. OCR was able to identify several areas of improvement for the sector tied to specific HIPAA Security Rule standards. OCR suggested that covered entities and business associates focus on improving compliance with the security management process standard, the audit controls standard, and response and reporting requirements.

Of note, while certain cyber-attacks leverage sophisticated techniques to exploit undiscovered vulnerabilities (known as zero-day attacks), according to OCR the majority of cyber incidents could be either prevented or significantly lessened if covered entities and business associates adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods such as phishing emails, the exploitation of known, unpatched vulnerabilities, and the use of weak authentication measures. In the event of a successful breach, attackers frequently encrypt electronic Protected Health Information (ePHI) for ransom purposes or steal the data for future malicious activities, including identity theft or extortion.

OCR recommends that covered entities and business associates adopt the following best practices to mitigate or prevent cyber-threats:

  • Ensuring all partnerships with vendors and contractors are secured by appropriate business associate agreements that clearly outline responsibilities in case of a breach or security incident.
  • Embedding risk analysis and management into the core business practices, with regular assessments, particularly when adopting new technologies or altering business operations.
  • Establishing robust audit controls to document and scrutinize activity within information systems.
  • Conducting periodic reviews of information system activities to identify and mitigate potential risks.
  • Adopting multi-factor authentication measures to verify that only authorized individuals access protected health information.
  • Securing protected health information through encryption to prevent unauthorized access.
  • Learning from past security incidents to improve the overall security management strategy.
  • Offering targeted training that aligns with organizational and specific job requirements, emphasizing the essential role of all staff in upholding privacy and security standards, and ensuring such training is refreshed regularly.

Cybersecurity in 2024 And Beyond

Also this month, U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, released a report outlining ways to improve privacy protections for Americans’ crucial health data. This follows Senator Cassidy’s call last year for input from stakeholders on ways to strengthen the privacy protections of health data within the HIPAA framework, as well as to explore privacy measures for emerging health data sources. In the report, Senator Cassidy presents various recommendations to update the HIPAA framework, protect health data not currently covered by HIPAA, and address data that blurs the lines between health and non-health categories. The report details that while HIPAA has played a crucial role in safeguarding patient information for more than two decades, it has struggled to stay up-to-date with the rapid advancements in technology and the introduction of innovative tools that have become integral to modern healthcare. Stakeholders highlighted a pressing need for HIPAA to evolve. They argue that updates are essential for ensuring that patient information remains secure in an increasingly digitized healthcare ecosystem. This call for modernization reflects a broader recognition of the challenges and opportunities that lie ahead in protecting patient privacy in the digital age.

In his report, Senator Cassidy notes that the United States does not have a comprehensive data privacy law and calls on Congress to fill the gap. Unlike 2022, which saw the American Data Privacy and Protection Act (ADPPA) make notable progress in the House of Representatives, 2023 witnessed a lull in the push for a sweeping federal privacy statute. Nevertheless, 2024 holds the potential for renewed momentum in advancing the ADPPA (or a comparable proposal). President Joe Biden has notably urged Congress to enact bipartisan data privacy laws, reinforcing this call through a recent executive order on sensitive personal data. Meanwhile, in the absence of any action on a federal privacy law, we anticipate additional states passing comprehensive privacy laws of their own in 2024.

Indeed, comprehensive privacy bills have been passed or nearly passed by legislatures in New Jersey and New Hampshire thus far in 2024. Additionally, as of March 31, 2024, Washington’s My Health My Data Act (MHMDA) will go into effect. MHMDA is a pivotal piece of health privacy legislation that establishes substantial compliance requirements for businesses handling health data not covered by HIPAA or the federal Part 2 rules. The significance of this legislation is heightened by its provision for a private right of action, under which uncertainties within the law are more likely to be leveraged by plaintiffs’ attorneys.

Conclusion

The OCR reports are a clear reminder of the need for healthcare organizations to enhance cybersecurity preparedness. As healthcare organizations navigate the complexities of the digital age, the importance of cybersecurity cannot be overstated. By prioritizing preparedness, resilience, and a culture of cybersecurity awareness, healthcare organizations can not only protect themselves against the financial and reputational damage of cyber attacks but also, and most importantly, safeguard the well-being and privacy of the patients they serve. The journey towards comprehensive cybersecurity preparedness is ongoing, requiring vigilance, adaptability, and a unified effort to ensure the health and trust of the global community.