On April 8, 2022, the U.S. Food and Drug Administration (“FDA”) released a draft guidance document titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” The draft guidance, if finalized, would replace FDA’s 2014 final guidance document titled, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” adding significant details to FDA’s existing guidance. Manufacturers should pay close attention to developments in this area, expand their internal expertise, and otherwise invest in establishing robust cybersecurity risk assessment, design control, and risk management practices and procedures relating to their devices.

Click here to read Ropes & Gray’s Client Alert on the draft FDA guidance.

On April 28, 2022, the Connecticut General Assembly passed SB 6, the Act Concerning Personal Data Privacy And Online Monitoring (the “Connecticut Privacy Act”) by a vote of 144-5, which puts Connecticut on course to become the fifth state to enact a comprehensive data privacy law, following California, Virginia, Colorado, and Utah. The bill, which passed the state senate 35-0, now awaits the signature of Governor Ned Lamont. If it becomes law, the bulk of the statute is set to take effect July 1, 2023.

The bill passed by Connecticut legislature closely follows the structure of similar laws enacted in other states, giving support to the Colorado legislature’s claim, that “states across the United States are looking to [the Colorado Privacy Act, enacted in 2021] and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level.” One of the Connecticut bill’s sponsors and its key proponent in the state senate, Sen. James Maroney, compared the legislation to Colorado’s statute, saying that both SB 6 and the Colorado law are less aggressive than the California Consumer Privacy Act (“CCPA”) but provide more privacy protections that similar bills passed by other states.

Continue Reading Connecticut Becomes the Fifth State to Pass a Comprehensive Data Privacy Law

On April 18, a Ninth Circuit panel reaffirmed its holding that LinkedIn cannot stop hiQ Labs (“hiQ”) from scraping publicly accessible data from its website at this stage of the litigation. In its latest opinion in HiQ Labs, Inc. v. LinkedIn Corporation, the Ninth Circuit ruled that hiQ raised serious questions about whether their scraping of public LinkedIn profile information should be permissible under the Computer Fraud and Abuse Act (“CFAA”). While the court’s opinion was limited to hiQ’s motion for a preliminary injunction prohibiting LinkedIn from preventing hiQ’s scraping, the reasoning and discussion in the court’s opinion suggests that the panel’s position is that scraping publicly accessible data likely does not violate the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is the most prominent federal anti-hacking statute, and it prohibits, among other things, obtaining information through access to a protected computer system “without authorization” or in a way that “exceeds authorized access.” The bounds of what constitutes a violation of authorization under the CFAA has been a topic of debate in recent cases. Last year, in Van Buren v. United States (previously discussed here and here), the Supreme Court ruled that using information from a computer system for unpermitted purposes would not “exceed authorized access” under the CFAA if the user was otherwise authorized to access that information using the computer.

Less than two weeks after issuing its decision in Van Buren, the Court issued a summary disposition in LinkedIn v. hiQ Labs, LinkedIn’s petition to the Supreme Court to allow it to prevent hiQ from continuing its scraping practices. The Court vacated the Ninth Circuit’s earlier opinion affirming the trial court’s decision to allow the scraping to continue and remanded the case to the Night Circuit for further consideration in light of the Van Buren decision. In the opinion issued on April 18, the Ninth Circuit reasoned that the Supreme Court’s reasoning in Van Buren supported the conclusion that the CFAA does not prohibit access to publicly accessible data.

Continue Reading Ninth Circuit Affirms Preliminary Injunction in HiQ Labs, Inc. v. LinkedIn Corporation, Reasoning that CFAA Is Unlikely to Bar Access to Public LinkedIn Data

Data, privacy & cybersecurity partners Ed McNicholas and Fran Faircloth and counsel Kevin Angle authored a chapter in Chambers Global Practice Guide Cybersecurity 2022 on “USA Law & Practice and Trends & Developments.” The chapter provides an overview of cybersecurity regulation in the United States and provides insights on the multitude of cybersecurity threats facing companies and the response by state and federal lawmakers.

Topics covered in the chapter include the general and sector specific laws comprising the foundation of United States cybersecurity law, data breach reporting and notification, including developing requirements for critical infrastructure providers and financial institutions, cyberthreat information sharing, regulatory enforcement and litigation, transactional diligence and insurance. The chapter also describes key developments at the federal level in setting standards that may establish baseline best practices for many industries going forward.

Click here for more details and a link to the full chapter.

On Friday 25 March President Biden and the President of the European Commission jointly announced that they had reached an agreement in principle on a revised trans-Atlantic data flow mechanism.  The timing could not have been better, as I was moderating a panel on “International Data Transfers in 2022 and Beyond” at the Privacy + Security Forum Spring Forum on the same day.

The panel was made up of William Malcolm, Director of Privacy at Google, Vivienne Artz, OBE Chair of the International Regulatory Strategy Group Data Committee, and Joe Jones, Deputy Director International Data Transfers Data Policy Directorate at the UK’s Department for Culture, Media & Sport.  Our plan was to facilitate a discussion focused on recent enforcement actions and statements by data protection authorities in the EU and UK that had highlighted the increasingly complex challenges organizations face in complying with GDPR when transferring personal data out of Europe.  Instead we had a very engaging hour discussing how important data transfers are in a digital economy, noting that at the EU-US summit the discussion of data was second only to discussions of the situation in Ukraine; and that although the EU-US announcement had set Twitter feeds alight, it provided no information as to what the actual agreement was or how it would avoid falling foul of being challenged as Schrems III, IV or V. Finally, we brainstormed some ideas as to the direction or detail that could be contained in the new EU-US agreement and which could really drive change in the regulation of international data flows.

It was clear to all that following the CJEU’s ruling in Schrems II, which invalidated the EU-US Privacy Shield and made use of Standard Contractual Clauses more challenging for business, commercial organizations find themselves in the situation in which data transfers are becoming an impediment to business when really they should be the soil of the digital society in which services and societal benefits can grow globally.

Continue Reading International Data Transfers in 2022 and Beyond

The California Attorney General’s office (OAG) recently released its first formal written opinion on the scope of the rights granted to consumers under the California Consumer Privacy Act (CCPA), specifically, the right for a consumer to know about the personal information that a business collects from them. The opinion comes in response to a question submitted by California Assembly member Kevin Kiley as to whether a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences the business holds about them. The OAG asserted that the right to know does apply to such inferences, albeit with certain key exceptions.

Continue Reading California Attorney General’s Office Releases First Formal CCPA Opinion

On March 24, 2022, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (“UCPA”), which was unanimously passed by the state legislature earlier this month. Utah is the fourth U.S. state to pass a comprehensive privacy law, following California, Virginia, and Colorado. The UCPA will go into effect on December 31, 2023.

The Utah law generally resembles the three existing state privacy models, but closely tracks with the Virginia Consumer Data Protection Act (CDPA) and Colorado Privacy Act (CPA), suggesting that states are shifting away from California’s more stringent strand of privacy regulation toward a version that balances the spirit of the EU’s General Data Protection Regulation (GDPR), in terms of purpose limitation and consumer protection, against the need to avoid overly burdening companies. In fact, the UCPA is seen by some as more business-friendly than legislation passed in Virginia and Colorado: Utah’s law does not require businesses to conduct data protection assessments and does not compel companies to provide a mechanism for consumers to appeal denials of requests to exercise personal data rights.

Continue Reading Utah Passes Comprehensive Privacy Law

Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation.

Some days it all comes together.  The sun’s shining in London for what feels like the first time in months.  One of the kids is going on a week-long school trip.  And just when you think it can’t get any better, you remember that the UK Information Commissioner’s international data transfer agreement and its supporting documentation have come into effect, following a period of Parliamentary approval.

As of Monday, 21 March, organisations transferring personal data from the UK have a range of options for papering those transfers.  As you’ll see, it’s going to feel much like the pick ‘n’ mix you get at the cinema, only without the intense initial rush followed by a crippling sense of doom when you realise what’s ahead.  Or maybe it’s exactly like that.

Continue Reading The IDTAs of March

On March 15, 2022, President Biden signed into law significant new federal data breach reporting legislation that could vastly expand data breach notice requirements far beyond regulated entities or entities processing personal data. Unceremoniously tucked as Division Y into the H.R. 2471 Consolidated Appropriations Act, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require “covered entities” —organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber-incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack.

For more details, click here to read Ropes & Gray’s client alert on the expansive new federal breach reporting requirement.

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed updates to its disclosure rules intended to “enhance and standardize” public company disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting (the “Proposed Rules”). The Proposed Rules may require issuers to update their disclosure controls and procedures, in particular with respect to determining the materiality of cybersecurity events and providing prompt disclosure.

The Proposed Rules build on a body of pre-existing SEC guidance regarding cybersecurity disclosures. In 2011, the Division of Corporation Finance issued interpretive guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The SEC followed up that guidance with a 2018 statement on cybersecurity disclosure addressing, among other things, the materiality of incidents, updates to risk factors, and board risk oversight. If adopted, the proposed rules make many of these recommendations express requirements, while adding additional clarity and detail regarding cybersecurity risks and practices that must be reported. While the proposed rules are focused on disclosure, if adopted, they may lead issuers to enhance cybersecurity risk management and oversight, as well as to add directors with expertise in cybersecurity.

For more details, click here to read Ropes & Gray’s client alert on the Proposed Rules.