The Siskinds Privacy, Cyber and Data Governance team is focused on providing businesses and professionals with monthly updates on technology, privacy, and artificial intelligence (A.I.) laws in both the U.S. and Canada.
There have not been many updates in Canada; however, as usually, lots of updates south of the border in the United States.
But first, the Word of the Month: “Abstract Digital Formats” (more of a phrase than a “word”)
The California Consumer Privacy Act was recently amended to clarify the forms in which “Personal Information” (PI) may exist in. One such form is in an abstract digital format, which is defined as any “compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information.” This recognition is important because even if you cannot identify the PI in a record due to the format of the record, it does not mean that such a record does not contain PI.
General news: Addressing Google’s monopoly; A.I. vulnerabilities; ByteDance was told by Apple that TikTok should have a higher age rating; and more
October 9, 2024: The U.S. Department of Justice (DOJ) has filed with the District Court for the District of Columbia a proposed remedy framework that examines “structural remedies” to address Google’s monopoly, according to the Guardian. Find the filing here. Examples include the following:
- limiting or ending “Google’s use of contracts, monopoly profits, and other tools to control or influence . . . distribution channels and search-related products (e.g., browsers, search apps, artificial intelligence summaries and agents)” (for example, “Google’s longstanding control of the Chrome browser, which its preinstalled Google search default, ‘significantly narrows the available channels of distribution and thus disincentivizes the emergence of new competition)”;
- requiring Google “to make available, in whole or through an API, (1) the indexes, data, feeds, and models used for Google search, including those used in AI-assisted search features, and (2) Google search results, features, and ads, including the underlying ranking signals, especially on mobile”;
- prohibiting Google from “using contracts or other practices to undermine rivals’ access to web content and level the playing field by requiring Google to allow websites crawled for Google search to opt out of training or appearing in any Google-owned artificial-intelligence product or feature on Google search such as retrieval-augmented-generation-sourced summaries”;
- rejigging Google’s Ad business by “licensing or syndication of Google’s ad feed independent of its search results” or even allowing “Google search advertisers to receive transparent and detailed information (e.g., Search Query Reports and other information related to its search text ads auction and ad monetization) consistent with user privacy and to opt out of Google search features (e.g., keyword-expansion, broad match)”;
October 10, 2024: The Internet Archive (a U.S. non profit digital library that hosts the famous WayBack Machine) suffered a series of cyber-attacks that exposed the personal information of 31 million of its users, according to Infosecurity Magazine.
October 10, 2024: In Matter of Weber, a New York court found that, “due to the nature of the rapid evolution of artificial intelligence and its inherent reliability issues that prior to evidence being introduced which has been generated by an artificial intelligence product or system, counsel has an affirmative duty to disclose the use of artificial intelligence.” 2024 NY Slip Op 24258 (N.Y. Surrogacy Ct. Oct. 10, 2024).
October 14, 2024: Ars Technica discusses how some A.I. LLM chatbots may have a vulnerability caused by reading hidden text that is included with normal text, and how users of the A.I. may not notice that hidden text when inputting that text into the A.I.
October 31, 2024: The Washington Post found improperly redacted elements of South Carolina’s Complaint against TikTok (which are now properly redacted) that disclosed that, in 2022, “a team at Apple reviewing TikTok’s rating found that the app features ‘frequent or intense mature or suggestive content’ and pressed the platform to raise its recommended age to 17 and over.”
Canada: PIAs and news from Saskatchewan!
October 9, 2024: The Treasury Board of Canada Secretariat has revised its Directive on Privacy Practices, specifically its standards on Privacy Impact Assessments.
October 15, 2024: The Saskatchewan Information and Privacy Commissioner (SIPC) found that the Regina Police Service (RPS) could not withhold videos of an individual’s arrest from that individual. The RPS argued that disclosing the requested videos would, “reveal the security arrangements of particular vehicles, buildings or other structures or systems, including computer or communication systems, or methods employed to protect those vehicles, buildings, structures or systems.” The SIPC found that “[w]hile the disclosure of the eight videos to the Applicant would reveal the general area in which one camera is located, it does not reveal other areas in which cameras are located. Nor would it reveal how the cameras are organized, operated, or utilized.” Accordingly, the SIPC recommended that the “RPS release the eight videos . . .” Regina Police Service (Re), 2024 CanLII 100965 (SK IPC).
United States:
U.S. Federal Trade Commission (FTC) rules and enforcement.
October 9, 2024: The FTC has filed a proposed settlement order with Marriot International, Inc. and its subsidiary, Starwood Hotels & Resorts Worldwide LLC, to implement a “robust information security program to settle charges that the companies’ [failed] to implement reasonable data security [that] led to three data breaches.” Additionally, both companies agreed to “provide all its U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number.” See the Proposed Settlement Order here. As part of the Settlement Order, the companies must also implement a data minimization policy.
October 15, 2024: If your business is a telemarketing business, and you call in the US, note that the FTC has updated the Telemarketing Sales Rule’s record keeping requirements, which came into effect Oct. 15.
October 16, 2024: The FTC has published the “Negative Option Rule” in relation to negative option features, which are provisions “of a contract under which the consumer’s silence or failure to take affirmative action to reject a good or service or to cancel the agreement is interpreted by the . . . seller as acceptance or continuing acceptance of the offer, including, but not limited to: (1) an automatic renewal; . . . (3) a free-to-pay conversion or fee-to-pay conversion . . .”
Importantly, among other requirements, this Rule requires businesses to obtain “the consumer’s unambiguously affirmative consent to the Negative Option Feature offer separately from any other portion of the transaction”, to keep such evidence for at least three years, and to provide a “simple mechanism for a consumer to cancel the Negative Option Feature . . .” Such simple mechanism must be “at least as easy to use as the mechanism the consumer used to consent to the Negative Option Feature.” Take note that the FTC considers this rule to apply to both business-to-consumer and business-to-business transaction (especially when the business signing up is a smaller business).
U.S. Securities Exchange Commission (SEC) enforcement: Charges against four companies for making materially misleading disclosures regarding cybersecurity risks and intrusions
October 22, 2024: Four companies settled charges against them from the SEC that they made materially misleading disclosures to investors regarding cybersecurity risks and intrusions: Unisys will pay a $4 million civil penalty; Avaya. will pay a $1 million civil penalty; Check Point will pay a $995,000 civil penalty; and Mimecast will pay a $990,000 civil penalty. See the SEC press release here.
U.S. Consumer Financial Protection Bureau (CFPB): Guidance re. background dossiers and surveillance-based, “black box” AI scores about employees
October 24 , 2024: The CFPB published a guidance (a CFPB Circular) addressing employers’ use of background dossiers, algorithmic scores, and other third-party consumer reports about their workers, and noted that the employers must comply with FCRA obligations, “including the requirement to obtain a worker’s permission to procure a consumer report, the obligation to provide notices before and upon taking adverse actions, and a prohibition on using consumer reports for purposes other than the permissible purposes in the FCRA.”
U.S. Health and Human Services, Office for Civil Rights (OCR) enforcement
October 17, 2024: The OCR announced a $70,000 civil monetary penalty against Gums Dental Care, LLC (GDC), a solo dental practice in Maryland. OCR investigated GDC on a complaint that they failed to provide a patient with timely access to their medical records. HIPAA’s right to access provisions require that individuals have timely access to their PHI records within 30 days, with the possibility of one 30-day extension, and for a reasonable, cost based fee (45 C.F.R. § 164.524).
First, GDC alleged that the patient failed to pay a flat fee of $25 to have the PHI mailed certified to the patient; however, the patient requested the PHI sent over email. Accordingly, the $25 mailing charge was not necessary (fyi, the patients have the right to request their PHI in the format, time and manner, as long as the request is reasonable). Second, GDC alleged that the patient requested the PHI for the purpose of submitting a fraudulent claim to the insurer—however, “a covered entity may not require an individual to provide a reason for requesting access.”
October 31, 2024: After a ransomware attack, the Office of Civil Rights initiated an investigation into Plastic Surgery Associates of South Dakota in Sioux Falls and found multiple potential violations of the HIPAA Security Rule, “including failures to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; implement procedures to regularly review records of information system activity; and implement policies and procedures to address security incidents.
Under the terms of the settlement, Plastic Surgery Associates of South Dakota paid $500,000 to OCR and agreed to implement a corrective action plan that requires them to take steps to resolve potential violations of the HIPAA Security Rule and protect the security of electronic protected health information.” See the HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000 | HHS.gov.
New York: Cyber risks from A.I. guidance and enforcement
October 16, 2024: The NY Department of Financial Services published an industry letter providing guidance on cybersecurity risks arising from A.I. and providing strategies to combat such risks. See the letter here. A few recommended strategies include the following: (1) conducting risk assessments on A.I. systems; (2) implement controls to ensure the quality of data used to train the A.I.; (3) implement controls to protect the A.I from tampering; and (4) cybersecurity training for all personnel (including executives) to ensure all are aware of the risks posed by A.I.
November 1, 2024: After two security incidents, the Office of the NY State Attorney General (OAG) investigated the Albany ENT & Allergy Services, P.C. (AENT). The OAG found that AENT failed to: “a. adequately monitor vendors responsible for outsourced IT and InfoSec functions; b. adopt a data encryption policy and train employees regarding the importance of encrypting PI; c. identify and encrypt PI, including database backups; d. timely install critical software security updates; e. implement reasonable network security processes, including network logging, log monitoring, log analysis, log repositories, IP restrictions, and intrusion detection technology; f. adequately identify, inventory, and protect PI before the attacks; g. adequately identify, inventory, and remediate unencrypted copies of PI after the attacks; h. meet minimum requirements for password security; i. adopt a multifactor authentication policy (“MFA”) to access its local server environment and online services reached through its local server environment; j. adequately control administrator privileges; k. implement reasonable security testing, including penetration tests and vulnerability tests; l. accurately perform security risks analyses; and m. follow security risk analysis recommendations.”
In addition to requiring AENT to take other steps, including the maintenance of a comprehensive information security program, AENT was also fined $1,000,000 (of which $500,000 is suspended, provided that OAG spends less than $450,000 to enhance its information security program).
California: Definition of personal information includes PI held in “Abstract Digital Formats”, including A.I systems
September 28, 2024: Assembly Bill No. 1008 amended the California Consumer Privacy Act to specify that “personal information” can exist in various formats, including, but not limited to, all of the following: “(A) Physical formats, including paper documents, printed images, vinyl records, or video tapes”; “(B) Digital formats, including text, image, audio, or video files”; and, most importantly, “(C) Abstract digital formats, including compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information.”.
Putting privacy first: Your path to compliance starts here
It is crucial for businesses to establish a comprehensive privacy program. At Siskinds, our Privacy Concierge program offers custom subscription programs.
To discover how Siskinds can assist you in meeting your privacy compliance needs, or if you have any questions related to this blog post, contact myself, Savvas Daginis at [email protected], or a lawyer on our Siskinds’ Privacy, Cyber & Data Governance Team.