Editor’s Note: In recent regulatory and enforcement developments, the White House announced a new executive order aimed at strengthening cybersecurity at U.S. ports, and another executive order was issued to protect sensitive personal information. Additionally, the FCC prohibits using AI to clone voices. Data breach litigation continues to surge with one company striking a class action settlement agreement with payments of up to $75,000 per class member. In an interesting twist, the beauty company L’Occitane is suing a law firm seeking declaratory judgment that California’s wiretapping law is unconstitutional. Internationally, the Canadian government investigates a breach of its own agency, and ASEAN and the EU published a joint guide on cross-border contractual clauses.


U.S. Laws and Regulation

White House Announces EO to Protect Sensitive Personal Data. On February 28, the White House announced an executive order (EO) authorizing the attorney general (AG) to prevent large-scale transfer of Americans’ personal data to countries of concern and provide safeguards around other activities that give those countries access to Americans’ sensitive data. The EO identifies genomic data, biometric data, personal health data, geolocation data, and financial data as examples of personal and sensitive information and directs the Departments of Justice, Homeland Security, Health and Human Services, Defense, and Veteran Affairs to take action to safeguard this data. The EO is meant to address the president’s worry that commercial data brokers and companies will sell this data to countries of concern, which will end up in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments.

FCC Prohibits AI Voice Cloning Technology. On February 8, the Federal Communications Commission (FCC) announced the unanimous adoption of a Declaratory Ruling confirming that calls made with artificial intelligence (AI)-generated voices are “artificial” under the Telephone Consumer Protection Act (TCPA). The TCPA restricts telemarketing calls and the use of automatic telephone dialing systems and artificial or prerecorded voice messages. This ruling now makes it illegal to use AI-generated voice messages in robocalls without complying with the TCPA requirements, such as obtaining prior express consent. According to the FCC, this action is “expanding the legal avenues through which state law enforcement agencies can hold these perpetrators accountable under the law.” The ruling takes effect immediately.

White House Announces EO on Cybersecurity at US Ports. On February 21, the Biden-Harris administration unveiled an EO detailing a $20 billion investment to enhance the security of U.S. port infrastructure. This order empowers the U.S. Coast Guard with express authority to counteract malicious cyber activities within the nation’s Marine Transportation System (MTS). It also mandates the reporting of cyber incidents or imminent cyber threats that pose a risk to any vessel, harbor, port, or waterfront facility. The U.S. Coast Guard has subsequently released a Notice of Proposed Rulemaking concerning cybersecurity in the MTS. The Proposed Rule is designed to strengthen the security of the interconnected network of ports, terminals, vessels, waterways, and land-side connections that make up the MTS. It does this by setting forth minimum cybersecurity standards that align with international and industry-recognized standards.

GAO Says Homeland Security Failed to Disclose AI Use in Cybersecurity Programs. On February 7, the Government Accountability Office (GAO) reported that the U.S. Department of Homeland Security (DHS) has not complied with a presidential EO to maintain an inventory of all AI use cases. The GAO found that DHS had inaccurately labeled at least one program as using AI, when in fact it did not. As a result, the GAO concluded that the DHS was not in full compliance with the GAO’s 2021 AI Framework for federal agencies to responsibly design, develop, deploy, and monitor AI systems.

FTC Publishes Blog Post on Potential UDAAP Violations for Policy Updates. On February 13, the Federal Trade Commission (FTC) published a blog post warning that if a company adopts more permissive data practices — for example, it starts using personal data for AI training — that are not identified in its privacy policies, making retroactive amendments to its terms of service or privacy policy may not be enough. It could be deemed an unfair or deceptive practice if the company does not specifically notify customers. For more information, visit our summary, here.

New York AG Enters Consent Order with College Board. On February 13, New York State Education Department (NYSED) Commissioner Betty A. Rosa and New York AG Letitia James announced a $750,000 settlement with College Board for alleged violations of the privacy of students and unlawfully licensing their data to colleges, scholarship programs, and other customers who used it to solicit students. In addition to this settlement, College Board is prohibited from monetizing New York student data that it acquires from New York schools and school districts.


U.S. Litigation and Enforcement

Government Agencies Are Not Immune from FCRA Liability. On February 8, the U.S. Supreme Court unanimously ruled that government agencies can be sued for violations of the Fair Credit Reporting Act (FCRA). A borrower secured a loan from a division of the U.S. Department of Agriculture (USDA) and later sued the agency for damages under the FCRA. The borrower alleged that the USDA inaccurately reported his loan as “past due,” damaging his credit score and ability to secure loans at affordable rates. The USDA argued it was immune from such suits and the district court agreed. However, the Supreme Court affirmed the Third Circuit’s reversal of the district court’s ruling, holding that the FCRA allows for suits against “any person,” including government agencies. The reasons: the FCRA’s statutory text captures government agencies as potential defendants. For more information, click here.

HHS Resolves Insider Cybersecurity Investigation for $4.75M. On February 6, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), announced a $4.75 million resolution with a nonprofit hospital system related to potential data security failures that allowed an employee to steal and sell patients’ protected health information (PHI) over a six-month period. In May 2015, the New York Police Department informed the medical center that there was evidence of theft of a certain patient’s medical information. The incident prompted the medical center to conduct an internal investigation, revealing that an employee stole the electronic PHI of 12,517 patients and sold the information to an identity theft ring. The medical center filed a breach report with OCR and the OCR investigated. The investigation revealed multiple potential violations of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule, including failures by the medical center to analyze and identify potential risks and vulnerabilities to PHI, monitor and safeguard its health information systems’ activity, and implement policies and procedures that record and examine activity in information systems containing or using PHI. In addition to paying $4.75 million, the medical center must implement a corrective action plan that identifies certain steps toward protecting and securing the security of PHI.

Dad Sues Hacked Chicago Children’s Hospital Again. On February 9, a plaintiff already suing Ann Lurie Children’s Hospital in Chicago, IL over alleged negligence in the hospital’s management of medical records, filed an additional class action complaint against the hospital. The new complaint alleges that the hospital failed to secure and safeguard the plaintiff’s and class members’ private information, including names, birth dates, addresses, and medical and treatment information. According to the complaint, current and former patients’ private information was exposed following a cybersecurity attack in January. The complaint alleges that the hospital confirmed that its network had been accessed by a “known criminal actor.” The plaintiff alleges that the hospital failed to properly audit and monitor its IT systems and vendors, causing its system to be vulnerable to this cyberattack. In addition to monetary damages, the suit seeks injunctive relief to “prevent [the hospital] from experiencing another [] cybersecurity breach by adopting and implementing best data security practices to safeguard Private Information and to provide or extend credit monitoring services and similar services to protect against all types of identity theft and medical identity theft.”

Missouri Hospital Faces Action Over Breach Of 500K Patients’ Data. On February 13, a Missouri resident filed a class action complaint against North Kansas City Hospital alleging that the hospital took five months to notify more than 500,000 patients that their sensitive information was compromised in a hacking event that occurred between March and May of 2023. The complaint states that Perry Johnson & Associates, a Nevada-based medical transcription service used by North Kansas City Hospital, notified the hospital that the data breach had exposed the personal information of 502,430 patients on July 21, 2023. The hospital did not notify these patients of the breach until January 3, 2024. The complaint alleges that by waiting until January to notify the affected patients, the hospital violated its own privacy policies. In addition, the complaint states that “defendants knew, or should have known, that the information they collected was a target for malicious actors,” but “despite such knowledge, defendants failed to implement and maintain reasonable and appropriate data privacy and security measures to protect plaintiff’s and class members’ PII/PHI from cyber-attacks that defendants should have anticipated and guarded against.” The medical transcription service is also the subject of several other proposed class actions in various states following large-scale data breaches in 2023 that impacted more than 3.9 million patients.

ParkMobile Users Request Class Certification in Data Breach Litigation. Parking app company, ParkMobile, is being sued by consumers alleging that inadequate cybersecurity measures by the company led to their data being stolen, sold, and given away for free on the dark web after a 2021 data breach. On February 13, the plaintiffs sought certification of the class. The plaintiffs allege that more than 20 million users’ full names, birthdates, passwords, cellphone numbers, and vehicle information are among the stolen information. The consumers have requested that a Georgia federal judge certify their class.

Connexin Software Strikes Deal Over Breached Info. On February 14, plaintiffs and Connexin Software announced a $4 million settlement over allegations of failing to properly safeguard the personal identifiable information of more than 200,000 patients, including children, after a data breach. The settlement also includes a commitment from Connexin to strengthen their data and information security measures, and an agreement that Connexin will pay each plaintiff (i) up to $75,000 for any out-of-pocket losses incurred from the breach, (ii) identity theft protection for up to three years, or (iii) a flat fee.

L’Occitane Files Suit Against Law Firm for CIPA Allegations. On February 9, L’Occitane, Inc., filed a complaint in the Central District of California, seeking declaratory judgment and injunctive relief against the law firm Zimmerman Reed LLP and 3,144 of Zimmerman’s clients, asserting that the law firm and its clients impermissibly manufactured thousands of claims against L’Occitane under the California Invasion of Privacy Act § 630 et seq. (CIPA). L’Occitane is challenging the constitutionality of CIPA, alleging it violates the First Amendment of the U.S. Constitution as an unlawful content restriction on speech and as being void for vagueness, and argues in the alternative that CIPA is preempted by the Communications Decency Act, 47 U.S.C. § 230. In support of its argument that CIPA is unconstitutional, L’Occitane cites the Ninth Circuit’s recent finding that Oregon’s wiretapping law was unconstitutional. Project Veritas v. Schmidt, 72 F.4th 1043 (9th Cir. 2023). L’Occitane also seeks declaratory relief that L’Occitane’s terms and conditions do not apply to the defendants, as more than 90% of Zimmerman’s purported clients allegedly have never placed an order on L’Occitane’s website, a minimum requirement for the terms and conditions to apply to create a binding contract between L’Occitane and its customers.


International Regulation and Enforcement

OPC Announces Data Breach Investigation. On February 26, the Canadian Office of the Privacy Commissioner of Canada (OPC) announced an investigation into a data breach at the government agency, Global Affairs Canada. The investigation comes after the OPC received several complaints about the matter and will examine the adequacy of safeguards in place to protect personal information and compliance with the Privacy Act.

Flows of Data to Shanghai to Be Relaxed. On February 7, Reuters reported that the Shanghai government will accelerate approval for foreign firms wanting to send their local data offshore. This acceleration would happen under a fast-track approval initiative. To accomplish this, Shanghai will likely leverage its free trade zone, which allows local governments to offer tax and other incentives to global companies. These rules would be separate from the Cybersecurity Administration of China’s rules on cross-border transfer of data.

Publication of Joint Guide on ASEAN Model Clauses and EU Standard Contractual Clauses. On January 31, the Association of Southeast Asian Nations (ASEAN) and the EU released a joint guide detailing how to navigate the model contractual clauses and the standard contractual clauses. These are optional clauses that can be incorporated into contracts as a basis to allow the transfer of personal data across borders. The guide provides a comparison of both sets of clauses as well as implementation guides for companies to consider best practices when operationalizing the contractual clauses.


Troutman Pepper Team Spotlight: Molly DiRago

Photo of Molly DiRago

Molly S. DiRago
Partner
Chicago
D 312.759.1926
molly.dirago@troutman.com

Molly DiRago, a partner at Troutman Pepper specializing in Business Litigation and Privacy + Cyber practices, has been honored as one of the Notable Women in Law for 2024 by Crain’s Chicago Business. Molly focuses her practice on complex business disputes and privacy litigation and compliance. As a member of the Northern District of Illinois’ trial bar, she represents and advises her clients in every phase of litigation with an eye toward trial. She has a nationwide practice, having represented clients in state and federal courts across the U.S. Her clients range from large, multinational companies to small, closely held corporations and individuals, spanning a variety of industries, including technology, agriculture, health care, solar, transportation, and energy.


Past Webinars, Podcasts, and Events

Recent Troutman Pepper Publications


Interested in comprehensive legislative and regulatory tracking services focused on consumer financial services? Troutman Pepper offers weekly reports on developments in consumer collection, consumer reporting/FCRA case law, and privacy and data security. Contact Stefanie Jackman (stefanie.jackman@troutman.com), Kim Phan (kim.phan@troutman.com), or Michael Bevel (michael.bevel@troutman.com) for more information and to request a free trial.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Molly DiRago Molly DiRago

Molly litigates complex commercial matters, focusing on biometrics and privacy, class actions, partnership and shareholder disputes, and consumer fraud. Molly takes a results-oriented approach and finds creative solutions for her clients, whether through litigation or extrajudicial procedures.

Photo of Robyn Lin Robyn Lin

Robyn is a privacy and data security attorney who focuses on helping clients understand and maintain data compliance.

Photo of Natasha Halloran Natasha Halloran

Natasha is an associate in the firm’s Privacy + Cyber practice, where she assists clients with privacy-related issues such as reviewing privacy policies, regulatory compliance, and commercial litigation including under the Fair Credit Reporting Act (FCRA) and Video Privacy Protection Act (VPPA).

Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of James Koenig James Koenig

Jim co-chairs the firm’s Privacy + Cyber Practice Group. For the past ten years, he has represented global clients in the financial services, energy, retail, pharmaceutical/health care, cable, telecommunications, car rental, airline, social media, technology, and manufacturing industries, including 35% of Fortune 100-listed companies.

Photo of Kim Phan Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Photo of Linnea Kelly Linnea Kelly

Linnea is an associate in the firm’s Health Sciences Department, resident in the Philadelphia office. They graduated from Temple University Beasley School of Law where they completed their J.D. and served as an articles editor for the Temple Law Review. While in…

Linnea is an associate in the firm’s Health Sciences Department, resident in the Philadelphia office. They graduated from Temple University Beasley School of Law where they completed their J.D. and served as an articles editor for the Temple Law Review. While in law school, Linnea served as a certified legal intern at the Defender Association of Philadelphia.

Photo of Karla Ballesteros Karla Ballesteros

Karla is an associate in the firm’s Privacy + Cyber practice. Her daily work includes counseling insureds on the initial incident response, potential ransom payment, restoration, data mining, and notification segments of the incident response practice. She also leads efforts to identifying and…

Karla is an associate in the firm’s Privacy + Cyber practice. Her daily work includes counseling insureds on the initial incident response, potential ransom payment, restoration, data mining, and notification segments of the incident response practice. She also leads efforts to identifying and remediating shortcomings in cybersecurity and privacy practices of firm clients.

Photo of Susie Lloyd Susie Lloyd

Susie is a litigation associate in the firm’s Privacy + Cyber practice. Her primary focus is assisting clients in the consumer finance industry, including data breach class actions and related regulatory actions in federal and state courts with respect to numerous privacy laws…

Susie is a litigation associate in the firm’s Privacy + Cyber practice. Her primary focus is assisting clients in the consumer finance industry, including data breach class actions and related regulatory actions in federal and state courts with respect to numerous privacy laws and regulations, including but not limited to VPPA.

Photo of Edgar Vargas Edgar Vargas

Edgar is a Certified Information Privacy Professional (CIPP/US). He assists clients on compliance and litigation issues, including issues regarding privacy and cybersecurity laws. He is fluent in Spanish, allowing him to effectively communicate with and serve Spanish speaking clients.

Safvet Theodore Mews Besen

Safvet is an associate in the firm’s Corporate practice.