US Department of Homeland Security Publishes Strategic Plan on Artificial Intelligence
Headlines that Matter for Privacy and Data Security
US News
US Department of Homeland Security Publishes Strategic Plan on Artificial Intelligence
The Department of Homeland Security (DHS) Science and Technology Directorate recently published its Artificial Intelligence & Machine Learning Strategic Plan. The Plan, which outlines AI/ML research, development, testing, and evaluation plans, lays out five goals: (i) assess the potential of AI for the homeland security enterprise; (ii) invest in DHS AI capabilities; (iii) mitigate AI risks to DHS and to the U.S. broadly; (iv) develop a DHS AI workforce; and (v) improve public trust and engagement. It also sets three further objectives: (i) drive next-generation AI/ML technologies for cross-cutting homeland security capabilities; (ii) facilitate the use of proven AI/ML capabilities in DHS missions; and (iii) build an interdisciplinary AI/ML-trained workforce.
Whirlpool Defeats Federal Wiretapping Class Action, For Now
A federal judge in Florida dismissed two putative class actions accusing Whirlpool Corp. of unlawfully intercepting website visitors’ information, finding that the state’s wiretapping law does not apply to the company’s use of marketing analytics software to capture browsing histories, personal interests, and similar data. The complaints alleged that Whirlpool violated Florida’s Security of Communications Act by using “session replay” technology to intercept electronic communications from visitors to its Whirlpool and KitchenAid websites without their knowledge or permission. The judge dismissed the cases, holding that the complaints failed to plead a claim under the statute, and gave the plaintiffs two weeks to amend their filings.
Senators Wicker, Blackburn Introduce Federal Data Privacy Legislation
U.S. Senators Wicker and Blackburn introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. The Act would impose requirements on businesses’ data collection, processing, and retention, impose disclosure and security requirements, and give consumers the ability to access, correct, delete, and port their data, among other things. Notably, the bill would also enhance the Federal Trade Commission’s (FTC) authority and provide additional resources to enforce the Act.
Changes in Connecticut Cybersecurity Legislation
The Connecticut governor recently signed into law a pair of bills that together address privacy and cybersecurity in the state. Public Act 21-59, “An Act Concerning Data Privacy Breaches” (PA 21-59), modifies Connecticut’s data breach law to broaden the types of information protected in the event of a breach, to shorten the timeframe for reporting a breach from 90 days to 60 days, to clarify that the law applies to anyone who owns, licenses, or maintains computerized data that includes the redefined “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119), establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach, under specified circumstances. Both laws take effect on October 1, 2021.
New York City Biometric Privacy Law Enacted
New York City enacted a new biometric ordinance governing how businesses handle biometric data, including retina scans, finger or voice prints, and scans of face or hand geometry. The ordinance requires commercial establishments, including entertainment facilities (e.g., stadiums), retail stores, and food and drink establishments, that use biometrics to identify their customers to post clear and conspicuous signs putting customers on notice of the business’s collection, retention, sharing, and use of biometric data. The ordinance also prohibits the sale of biometric information, creates a private right of action, and contemplates statutory damages for violations.
Don’t Be Insecure: DOL Guidance Addresses Cybersecurity for ERISA Plans
The Department of Labor (DOL) recently issued new guidance on best practices for maintaining cybersecurity in connection with ERISA plans (the Guidance). The Guidance, which is intended for sponsors, fiduciaries, record keepers, and participants of plans governed by the Employee Retirement Income Security Act of 1974 (“ERISA”), is composed of three documents: 1) Tips for Hiring a Service Provider; 2) Cybersecurity Program Best Practices; and 3) Online Security Tips. Read together, the three components of the Guidance teach that ERISA plan sponsors, fiduciaries, and service providers must act both proactively and reactively to mitigate cybersecurity risks.
Pennsylvania District Court Finds Investigative Report Created in Response to Data Breach Neither Protected Work Product nor Attorney-Client Privileged
The Middle District of Pennsylvania recently granted a motion to compel production of a report created in response to a data breach by a third-party cybersecurity consultant, together with related communications. After being notified of “suspicious scripts and indications of the use of potentially compromised credentials,” the defendant hired an outside third-party cybersecurity consultant to conduct “forensic analyses on [defendant’s] card environment and determine the character and scope of the incident.” Plaintiff sought production of this investigative report and related communications between defendant and the third-party consultant. In response, defendant asserted that these documents were protected under the work-product doctrine and/or attorney-client privilege. The court rejected defendant’s arguments, finding that the report was not prepared in anticipation of litigation and that the consultant was neither acting as an attorney nor providing legal input.
Global News
Singapore Launches Stricter Data Privacy Laws
Singapore’s Personal Data Protection Act, administered by the Personal Data Protection Commission (PDPC), was recently amended to widen enforcement powers, institute mandatory notification of data breaches, make certain mishandling of personal data a criminal offense, and impose additional requirements on the collection, use, and storage of personal data.
Austria Announces First GDPR Fine
Austria’s data protection authority issued its first GDPR fine against a retail establishment for its use of a surveillance camera that recorded a large portion of a public sidewalk. The Austrian authority found this to be a violation of the GDPR, as large-scale monitoring of public spaces is not permitted under the regulation. The camera was also not sufficiently marked as conducting video surveillance, in breach of the applicable transparency obligations. The fine amounted to EUR 4,800.