December tends to be a busy time for everyone, so you may have missed a privacy update or two.  We have set out some updates in the form of questions, with links in the answers where you can find more information.  (For those making this quiz a competitive event, we have included a tie-breaker/bonus question.)  Answers are below.

1.         As of December 18, 2023, unless the U.S. Attorney General determines that public disclosure would pose a substantial threat to national security or public safety, the Securities and Exchange Commission (SEC) requires that public companies report a cyber incident, typically by filing a publicly available Form 8-K, within:

a.         24 hours of discovery of the incident

b.         24 hours of a determination that the incident is material

c.         4 business days after discovery of the incident

d.         4 business days after determining that the incident is material

2.         If a public company seeks to delay the public report because the company believes a substantial threat to national security or public safety may exist, the company must notify the FBI, which will gather evidence for the U.S. Attorney General’s review and determination.  Upon receipt of the public company’s request, how long does the FBI’s December 6, 2023 memo state that the FBI will take to verify the request and assign an agent in the company’s local FBI office:

a.         “Without unreasonable delay”

b.         Within 2 hours

c.         Within 12 hours

d.         Within 2 business days

3.         On December 9, 2023, the California Privacy Protection Agency (CPPA) met to discuss, among many other topics, three proposed draft regulations that were required by the California Privacy Rights Act (CPRA) amendment to the California Consumer Privacy Act (CCPA):  Automated Decision-Making Technology, Cybersecurity Audits, and Risk Assessments.  One of the three regulations advanced, and the other two were sent back for additional work.  Which one advanced so that it can be proposed at the next CPPA board meeting for a vote to proceed to formal rulemaking?

a.         Automated Decision-Making Technology

b.         Cybersecurity Audits

c.         Risk Assessments

4.         The Illinois Biometric Information Privacy Act (BIPA) also generated headlines in early December with an Illinois Supreme Court ruling on whether BIPA’s HIPAA exception for “information collected, used, or stored for health care treatment, payment or operations under HIPAA” applied to biometric information of health care workers (not patients) whose fingerprints were scanned in order for the workers to access materials and medications for patient health care treatment and operations.  How did Illinois’ highest court rule:

a.         The exception applied to the workers’ data because the exception applies to all health care workers’ biometric data.

b.         The exception applied to the workers’ data because the biometric data was “collected, used or stored for health care treatment, payment or operations under HIPAA” only, and the source of the data was not relevant.

c.         The exception did not apply because, if the Illinois legislature had intended to exempt all health care workers from BIPA, it could have done so [affirming the appellate court].

d.         The exception did not apply because BIPA’s goal of protecting the secrecy interest of an individual in his/her biometric data is furthered by a narrow reading of the exception.

5.         Headlines in 2023 also had many references to artificial intelligence.  Does the national defense bill (National Defense Authorization Act for Fiscal Year 2024, signed on December 22, 2023) require the Department of Defense to develop a “bug bounty” program for certain large artificial intelligence models being integrated into the missions and operations of the Department of Defense?

a.         Yes

b.         No

6.         The national defense bill’s “Generative AI Detection and Watermark Competition” permits the Secretary of Defense to open the competition to which of the following six types of entities:

1.         Federally funded research and development centers

2.         Entities within the private sector

3.         Entities within the defense industrial base

4.         Institutions of higher education

5.         Federal departments and agencies

6.         Any other categories of participants as the Secretary of Defense considers appropriate

a.         1, 3, and 6 only

b.         1, 5, and 6 only

c.         1, 3, 5, and 6 only

d.         All six types

7.         The Federal Trade Commission (FTC) also addressed artificial intelligence and machine learning.  In its December 20, 2023 Notice of Proposed Rulemaking relating to amendments to the Children’s Online Privacy Protection Act (COPPA) regulations, the FTC has proposed which of the following:

a.         Prohibiting any artificial intelligence algorithm from interacting with a child

b.         Prohibiting website/app/online service operators from using COPPA’s “internal operations” exception to disclose or use personal information in connection with machine learning processes that encourage or prompt use of the website or online service

c.         Permitting website/app/online service operators to use artificial intelligence and machine learning to determine whether the consent was likely provided by a child or an adult

d.         Permitting website/app/online service operators to use COPPA’s “internal operations” exception to disclose or use personal information in connection with machine learning processes

8.         The FTC also proposed amending the COPPA regulations to require that website/app/online service operators establish and maintain a data retention policy that:

a.         Is written

b.         Specifies the business need for retaining a child’s personal information

c.         Specifies the timeframe for deleting the personal information

d.         Precludes indefinite retention

e.         a through c only

f.          All of the above

g.         None of the above—the FTC did not address retention

9.         With respect to comprehensive state privacy laws, on December 31, 2023, the number of U.S. states with such laws increased to five (adding to California, Colorado, Connecticut, and Virginia) with which state’s law going into effect?

a.         Illinois

b.         Massachusetts

c.         New York

d.         Utah

e.         Washington

10.       Three more states are scheduled to have comprehensive privacy laws take effect in 2024:  Montana, Oregon, and Texas.

a.         Which one does NOT require a minimum number of residents’ personal data for the “controller” to be in-scope for the law?

b.         Which one makes most non-profits subject to its provisions?

c.         Which one does NOT take effect on July 1, 2024?

Tie-breaker/Bonus question:

Which two states have comprehensive privacy laws scheduled to go into effect on January 1, 2025?

a.         Delaware and Iowa

b.         Indiana and Michigan

c.         New Mexico and South Carolina

d.         Tennessee and Wisconsin

Answers:

1. d. (4 business days after determining that the incident is material). See SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896 (Aug. 4, 2023), available at https://www.sec.gov/files/rules/final/2023/33-11216.pdf

2. b. (within 2 hours). FBI Policy Notice 1297N, Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure (Dec. 6, 2023), available at https://www.fbi.gov/file-repository/fbi-policy-notice-120623.pdf/view?mod=djemCybersecruityPro&tpl=cy

3. b. (Cybersecurity Audits). The draft regulation and webcast of the meeting are available at the CPPA’s website: https://cppa.ca.gov/meetings/materials/20231208.html

4. b. (The exception applied to the workers’ data because the biometric data was “collected, used or stored for health care treatment, payment or operations under HIPAA” and the source of the data was not relevant.) The court was careful to note that it was “not construing the language at issue as a broad, categorical exclusion of biometric identifiers taken from health care workers.” ¶ 57 of Mosby v. The Ingalls Mem. Hosp., 2023 IL 129081 (Nov. 30, 2023), available at https://ilcourtsaudio.blob.core.windows.net/antilles-resources/resources/aa521aa9-5cf0-417c-a388-85bfec69625d/Mosby%20v.%20Ingalls%20Memorial%20Hospital,%202023%20IL%20129081.pdf

5. a. (yes). Under Section 1542 of HR 2670 (National Defense Authorization Act for Fiscal Year 2024) (https://www.govtrack.us/congress/bills/118/hr2670/text), the DoD has 180 days from enactment, subject to the availability of appropriations.

6. d. (all six types). Section 1543(b) of HR 2670.

7. b. (Prohibiting website/app/online service operators from using the “internal operations” exception to disclose or use personal information in connection with machine learning processes that encourage or prompt use of the website or online service). Federal Trade Commission, Notice of Proposed Rulemaking, Children’s Online Privacy Protection Rule, at 44, available at https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf

8. f. (all of the above). Proposed § 312.10; see NPRM at 160.

9. d. (Utah). The Utah Consumer Privacy Act, available at https://le.utah.gov/~2022/bills/static/SB0227.html

10. a. Texas. The Texas Data Privacy and Security Act (HB4) can be found here: https://capitol.texas.gov/tlodocs/88R/billtext/pdf/HB00004F.pdf#navpanes=0 See our summary here: https://www.dataprotectionreport.com/2023/06/texas-enacts-comprehensive-privacy-law/

10. b. Oregon. The Oregon Consumer Privacy Act (SB 619) can be found here: https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/SB619/Enrolled Section 2(2)(r) exempts “A nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance,” and subsection (2)(s)(C) exempts the non-commercial activities of “A nonprofit organization that provides programming to radio or television networks.”

10. c. Montana. The Consumer Data Privacy Act (SB 384), which goes into effect on October 1, 2024 (see § 14), can be found here: https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf

Tie-breaker/bonus question: a. Delaware and Iowa