You may have recently seen press reports about lawyers who filed and submitted papers to the federal district court for the Southern District of New York that included citations to cases and decisions that, as it turned out, were wholly made up; they did not exist.  The lawyers in that case used the generative artificial intelligence (AI) program ChatGPT to perform their legal research for the court submission, but did not realize that ChatGPT had fabricated the citations and decisions.  This case should serve as a cautionary tale for individuals seeking to use AI in connection with legal research, legal questions, or other legal issues, even outside of the litigation context.

In Mata v. Avianca, Inc.,[1] the plaintiff brought tort claims against an airline for injuries allegedly sustained when one of its employees hit him with a metal serving cart.  The airline filed a motion to dismiss the case. The plaintiff’s lawyer filed an opposition to that motion that included citations to several purported court decisions in its argument. On reply, the airline asserted that a number of the court decisions cited by the plaintiff’s attorney could not be found, and appeared not to exist, while two others were cited incorrectly and, more importantly, did not say what plaintiff’s counsel claimed. The Court directed plaintiff’s counsel to submit an affidavit attaching the problematic decisions identified by the airline.

Plaintiff’s lawyer filed the directed affidavit, and it stated that he could not locate one of the decisions, but claimed to attach the others, with the caveat that certain of the decisions “may not be inclusive of the entire opinions but only what is made available by online database [sic].”[2]  Many of the decisions annexed to this affidavit, however, were not in the format of decisions that are published by courts on their dockets or by legal research databases such as Westlaw and LexisNexis.[3]

In response, the Court stated that “[s]ix of the submitted cases appear to be bogus judicial decisions with bogus quotes and bogus internal citations”[4], using a non-existent decision purportedly from the Eleventh Circuit Court of Appeals as a demonstrative example.  The Court stated that it contacted the Clerk of the Eleventh Circuit and was told that “there has been no such case before the Eleventh Circuit” and that the docket number shown in the plaintiff’s submission was for a different case.[5] The Court noted that “five [other] decisions submitted by plaintiff’s counsel . . . appear to be fake as well.” The Court scheduled a hearing for June 8, 2023, and demanded that plaintiff’s counsel show cause as to why he should not be sanctioned for citing “fake” cases.[6]

At that point, plaintiff’s counsel revealed what happened.[7] The lawyer who had originally submitted the papers citing the non-existent cases filed an affidavit stating that another lawyer at his firm was the one who handled the research, which the first lawyer “had no reason to doubt.” The second lawyer, who conducted the research, also submitted an affidavit in which he explained that he performed legal research using ChatGPT. The second lawyer explained that ChatGPT “provided its legal source and assured the reliability of its content.” He explained that he had never used ChatGPT for legal research before and “was unaware of the possibility that its content could be false.” The second lawyer noted that the fault was his, rather than that of the first lawyer, and that he “had no intent to deceive this Court or the defendant.” The second lawyer annexed screenshots of his chats with ChatGPT, in which the second lawyer asked whether the cases cited were real. ChatGPT responded “[y]es,” one of the cases “is a real case,” and provided the case citation. ChatGPT even reported in the screenshots that the cases could be found on Westlaw and LexisNexis.[8]

This incident provides a number of important lessons. Some are age-old lessons about double-checking your work and the work of others, and owning up to mistakes immediately. There are also a number of lessons specific to AI, however, that are applicable to lawyers and non-lawyers alike.

This case demonstrates that although ChatGPT and similar programs can provide fluent responses that appear legitimate, the information they provide can be inaccurate or wholly fabricated. In this case, the AI software made up non-existent court decisions, even using the correct case citation format and stating that the cases could be found in commercial legal research databases. Similar issues can arise in non-litigation contexts as well.  For example, a transactional lawyer drafting a contract, or a trusts and estates lawyer drafting a will, could ask AI software for common, court-approved contract or will language that, in fact, has never been used and has never been upheld by any court. A real estate lawyer could attempt to use AI software to identify the appropriate title insurance endorsements available in a particular state, only to receive a list of inapplicable or non-existent endorsements. Non-lawyers hoping to set up a limited liability company or similar business structure without hiring a lawyer could find themselves led astray by AI software as to the steps involved or the forms needed to be completed and/or filed. The list goes on and on.

The case also underscores the need to take care in how questions to AI software are phrased. Here, one of the questions asked by the lawyer was simply “Are the other cases you provided fake”?[9] Asking questions with greater specificity could provide users with the tools needed to double-check the information from other sources, but even the most artful prompt cannot change the fact that the AI’s response may be inaccurate. That said, there are also many potential benefits to using AI in connection with legal work, if used correctly and cautiously. Among other things, AI can assist in sifting through voluminous data and drafting portions of legal documents.  But human supervision and review remain critical.

ChatGPT frequently warns users who ask legal questions that they should consult a lawyer, and it does so for good reason. AI software is a powerful and potentially revolutionary tool, but it has not yet reached the point where it can be relied upon for legal questions, whether in litigation, transactional work, or other legal contexts. Individuals who use AI software, whether lawyers or non-lawyers, should use the software understanding its limitations and realizing that they cannot rely solely on the AI software’s output.  Any output generated by AI software should be double-checked and verified through independent sources. When used correctly, however, it has the potential to assist lawyers and non-lawyers alike.

[1] Case No. 22-cv-1461 (S.D.N.Y.).

[2] Id. at Dkt. No. 29. 

[3] Id.

[4] Id. at Dkt. No. 31. 

[5] Id.

[6] Id.

[7] Id. at Dkt. No. 32.

[8] Id.

[9] Id.

michal-jakubowski-oQD9uq4Rd4I-unsplash-275x183

Tennessee and Montana are now set to be the next two states with “omnibus” privacy legislation. “Omnibus” privacy legislation regulates personal information as a broad category, as opposed to data collected by a particular regulated business or collected for a specific purpose, like health information, financial or payment card information. As far as omnibus laws go, Tennessee and Montana are two additional data points informing the trend we are seeing at the state level regarding privacy and data protection. Fortunately (or unfortunately depending on your point of view) these two states have taken the model which was initiated by Virginia and Colorado instead of following the California model.

Is There Really Anything New?

While these two new laws may seem to be “more of the same”, the Tennessee law contains some new interesting approaches to the regulation of privacy and data protection. While we see the usual set of privacy obligations (notice requirements, rights of access and deletion, restrictions around targeted advertising and online behavioral advertising, et cetera) in both the Tennessee and Montana laws, Tennessee has taken the unusual step of building into its law specific guidance on how to actually develop and deploy a privacy program in the Tennessee Information Protection Act (“TIPA”).

Previously, privacy compliance programs have been structured in a wide variety of ways, mostly as a result of the operational necessities of various businesses. With Tennessee’s new law, we now see a state attempting to standardize how businesses develop and implement privacy programs with more clearly defined NIST standards, as opposed to the traditional, but nebulous  concepts of “reasonableness” and “adequacy”.

NIST Privacy Framework

Tennessee’s law incorporates standardized compliance concepts by requiring the use of the National Institute of Standards and Technology (“NIST”) privacy framework entitled “a tool for improving privacy through enterprise risk management version 1.0”. More specifically, the TIPA states that “…a controller or processor shall create…” it’s privacy program using this framework. Unfortunately, it is unclear for now whether or not failure to use the NIST framework would actually constitute a violation of the law. One could potentially argue that if a program fulfills all of the obligations of the TIPA it should not matter what framework is used.

Part of the concern around a “mandatory” use of the NIST framework is that the framework is somewhat complicated to implement; and does not factor the size, capabilities, and processing risk activity of a particular organization. Since NIST intended the framework to cover a wide range of use cases and operational complexities, the framework is inherently complex. As a consequence, smaller and less mature organizations will likely struggle in implementing a privacy program under the NIST framework. This is particularly true since while NIST framework has various levels of maturity for a privacy program, the TIPA doesn’t articulate what “tier” of program maturity a controller needs to fulfill within the NIST framework to be compliant.

The whole issue of “mandatory v. permissive” use of the NIST framework is further muddied as a result of the TIPA giving an affirmative defense to controllers who use the NIST framework. If the NIST framework is oriented as an affirmative obligation, it would not be necessary to articulate the use of the NIST framework as an affirmative defense. In our opinion, Tennessee may have been better served by providing a safe harbor for privacy programs built under the NIST framework, as opposed to mandating that all programs must use the NIST framework. In any event, further clarity as to what constitutes “compliant” use of the NIST framework would be helpful.

Privacy Certification

Another useful concept which the TIPA introduced is the participation in a certification program  acting as evidence of compliance with the law. While not truly being a “safe harbor”, controllers that participate in the Asia Pacific Economic Cooperation Forum (“APEC”) Cross-Border Privacy Rules (“CBPR”) system may have their certification under these rules operate as evidence of compliance with the TIPA. Outside of one specific federal privacy law (i.e. COPPA), neither the federal nor state privacy laws have officially recognized certification schemes as providing evidence of compliance with the relevant law.

In the end, while there may be confusion in some of the components of the TIPA, Tennessee can be commended for attempting to provide more commercially viable guidance on how to comply with the TIPA, at least from the perspective of building out a privacy program. Additionally, this is the first time in the United states we have seen the use of privacy certification schemas as legally relevant evidence of compliance. Privacy certification systems have been around for some time, but they have almost never been capable of demonstrating legal compliance.

On March 15, 2023 the Securities and Exchange Commission (“SEC”) proposed three new sets of rules (the “Proposed Rules”) which, if adopted, would require a variety of companies to beef up their cybersecurity policies and data breach notification procedures. As characterized by SEC Chair Gary Gensler, the Proposed Rules aim to promote “cyber resiliency” in furtherance of the SEC’s “responsibility to help protect for financial stability.”[1]

In particular, the SEC has proposed:

  • Amendments to Regulation S-P which would, among other things, require broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for response to data breaches, and to provide notice to individuals “reasonably likely” to be impacted within thirty days after becoming aware that an incident was “reasonably likely” to have occurred (“Proposed Reg S-P Amendments”).[2]
  • New requirements for a number of “Market Entities” (including broker-dealers, clearing agencies, and national securities exchanges) to, among other things: (i) implement cybersecurity risk policies and procedures; (ii) annually assess the design and effectiveness of these policies and procedures; and (iii) notify the SEC and the public of any “significant cybersecurity incident” (“Proposed Cybersecurity Risk Management Rule”).[3]
  • Amendments to Regulation Systems Compliance and Integrity (“Reg SCI”) in order to expand the entities covered by Reg SCI (“SCI Entities”) and add additional data security and notification requirements to SCI Entities (“Proposed Reg SCI Amendments”).[4]

As Commissioner Hester Peirce observed, each Proposed Rule “overlaps and intersects with each of the others, as well as other existing and proposed regulations.” [5] Therefore, while each of the Proposed Rules relates to similar cybersecurity goals, each must be considered in turn to determine whether a particular company is covered and what steps the company would need to undertake should the Proposed Rules become final.

Below we discuss each set of Proposed Rules in more detail and provide some takeaways and tips for cybersecurity preparedness regardless of industry.

Proposed Reg S-P Amendments

Reg S-P, adopted in 2000, requires that brokers, dealers, investment companies, and registered investment advisers adopt written policies and procedures regarding the protection and disposal of customer records and information.[6] But, as Chair Gensler explained in a statement in support of the Proposed Reg S-P Amendments, “[t]hough the current rule requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches,” and the Proposed Reg S-P Amendments look to “close this gap.”[7]

In particular, “[w]hile all 50 states have enacted laws in recent years requiring firms to notify individuals of data breaches, standards differ by state, with some states imposing heightened notification requirements relative to other states,” and the SEC seeks, through the Proposed Reg S-P Amendments, to provide “a Federal minimum standard for customer notification” for covered entities.[8] This includes a definition of “sensitive customer information” which is broader than that used in at least 12 states; a 30-day notification deadline, which is shorter than timing currently mandated by 15 states (plus 32 states which do not include a notification deadline or permit delayed notifications for law enforcement purposes); and required notification unless the covered institution finds no risk of harm, unlike 21 states which only require notice if, after investigation, the covered institution does find risk of harm.[9]

Furthermore, while Reg S-P currently applies to broker-dealers, investment companies, and registered investment advisors, the Proposed Reg S-P Amendments would expand the scope to transfer agents.[10] It also would apply customer information safeguarding and disposal rules to customer information that a covered institution receives from other financial institutions and to a broader set of information by newly defining the term “customer information” which, for non-transfer agents, would “encompass any record containing ‘nonpublic personal information’ (as defined in Regulation S-P) about ‘a customer of a financial institution,’ whether in paper, electronic or other form that is handled or maintained by the covered institution or on its behalf,” and for transfer agents, which “typically do not have consumers or customers” for purposes of Reg S-P, would have a similar definition with respect to “any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is handled or maintained by the transfer agent or on its behalf.”[11]

Proposed Cybersecurity Risk Management Rule

The Proposed Cybersecurity Risk Management Rule will impact a variety of “different types of entities performing various functions” in the financial markets defined as “Market Entities,” including “broker-dealers, broker-dealers that operate an alternative trading system, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents.”[12]

As Chair Gensler explained, the Proposed Cybersecurity Risk Management Rule is designed to “address financial sector market entities’ cybersecurity,” by, among other things, requiring Market Entities to adopt written policies and procedures to address their cybersecurity risks, to notify the SEC of significant cyber incidents, and, with the exception of smaller broker-dealers, to disclose to the public a summary description of cybersecurity risks that could materially affect the entity and significant cybersecurity incidents in the current or previous calendar year.[13]

According to the SEC, these policies and procedures are “not intended to impose a one-size-fits-all approach to addressing cybersecurity risks,” and are designed to provide Market Entities “with the flexibility to update and modify their policies and procedures as needed[.]”[14] However, there are certain minimum policies and procedures that would be required, such as periodic assessments of cybersecurity risks,[15] controls designed to minimize user-related risks and prevent unauthorized system access,[16] periodic assessment of information systems,[17] oversight of service providers that receive, maintain, or process the entity’s information (including  written contracts between the entity and its service providers),[18] measures designed to detect, mitigate, and remediate cybersecurity threats and vulnerabilities,[19] measures designed to detect, respond to, and recover from cybersecurity incidents,[20] and an annual review of the design and effectiveness of cybersecurity policies and procedures (with a written report).[21] For most regulated entities, such measures are already in place.

Proposed Reg SCI Amendments

Finally, the SEC has proposed amendments to Reg SCI, a 2014 rule adopted to “strengthen the technology infrastructure of the U.S. securities markets, reduce the occurrence of systems issues in those markets, improve their resiliency when technological issues arise, and establish an updated and formalized regulatory framework” for the SEC’s oversight of these systems.[22]  Reg SCI applies to “SCI Entities,” which include self-regulatory organizations, certain large Alternative Trading Systems, and certain other market participants deemed to have “potential to impact investors, the overall market, or the trading of individual securities in the event of certain types of systems problems.”[23]

The Proposed Reg SCI Amendments would expand the definition of SCI Entity to include registered Security-Based Swap Data Repositories, registered broker-dealers exceeding a size threshold, and additional clearing agencies exempt from registration.[24] They also would broaden requirements to which SCI Entities are subject, including  required notice to the SEC and affected persons of any “systems intrusions,” which would include a “range of cybersecurity events.”[25]

Takeaways

While the Proposed Rules are not adopted as-of-yet, companies which could be covered should take the opportunity to reevaluate their cybersecurity practices and policies, both to mitigate as much as possible the risk of a cyber-attack and to be prepared to address an attack, including meeting all notification requirements, should one occur.

Among other things, best practices include:

  • A written cyber risk assessment which categorizes and prioritizes cyber risk based on an inventory of the information systems’ components, including the type of information residing on the network and the potential impact of a cybersecurity incident;
  • A cybersecurity vulnerability assessment to assess threats and vulnerabilities; determine deviations from acceptable configurations, enterprise or local policy; assess the level of risk; and develop and/or recommend appropriate mitigation countermeasures in both operational and nonoperational situations;
  • A written incident response plan that defines how the company will respond to and recover from a cybersecurity incident, including timing and method of reporting such incident to regulators, persons or other entities;
  • A business continuity plan designed to reasonably ensure continued operations when confronted with a cybersecurity incident and maintain access to information;
  • Tabletop exercises to review and test incident response and business continuity plans;
  • Annual review of policies and procedures.

As a next step, each of the Proposed Rules will be published on the Federal Register and open for comment for sixty days following this publication. Regardless of whether the Proposed Rules are adopted, they represent the SEC’s increasing awareness of, and desire to mitigate, cybersecurity incidents, and companies should be prepared accordingly.

[1] Gensler, Gary, Opening Statement before the March 15 Commission Meeting (SEC, March 15, 2023).

[2] See Press Release, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information (SEC, March 15, 2023). The full text of the Proposed Reg S-P Amendments can be found here.

[3] See Press Release, SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets (SEC March 15, 2023). The full text of the Proposed Cybersecurity Risk Management Rule can be found here.

[4] See Press Release, SEC Proposes to Expand and Update Regulation SCI (SEC, March 15, 2023). The full text of the Proposed Reg SCI Amendments can be found here.
In addition, on March 15, 2023 the SEC re-opened comments on proposed cybersecurity risk management rules for investment advisors until May 22, 2023. For our analysis of these proposed rules, see How Fund Industry Can Prepare For SEC’s Cyber Proposal (Law360, March 4, 2022). The SEC is also presently considering comments on a different proposed rule mandating certain cybersecurity disclosures by public companies. See Carlson, Scott and Riley, Danny, SEC Proposes Mandatory Cybersecurity Disclosures by Public Companies (Carpe Datum Blog, April 14, 2022).

[5] Peirce, Hester, Statement on Regulation SP: Privacy of Consumer Financial Information and Safeguarding Customer Information (SEC, March 15, 2023).

[6] Proposed Reg S-P Amendments, supra n.2 at 1.

[7] Gensler, Gary, Statement on Amendments to Regulation S-P (SEC, March 15, 2023).

[8] Proposed Reg S-P Amendments, supra n.2 at 4.

[9] Id. at 4-6.

[10] Proposed Reg S-P Amendments, supra n.2, at 6-7.

[11] Id. at 74-75, 82.

[12] Proposed Cybersecurity Risk Management Rule, supra n. 3 at 9-10 (internal definitions of terms omitted).

[13] Gensler, Gary, Statement on Enhanced Cybersecurity for Market Entities (SEC, March 15, 2023).

[14] Proposed Cybersecurity Risk Management Rule, supra n. 3 at 103.

[15] Id. at 103-108.

[16] Id. at 109-112.

[17] Id. at 113-115.

[18] Id. at 115-116.

[19] Id. at 116-118.

[20] Id. at 118-124.

[21] Id. at 124-126.

[22] Proposed Reg SCI Amendments, supra n.4 at 10.

[23] Id. at 13-14.

[24] Id. at 24.

[25] Id. at 24-25.

Introduction

Employers need to be aware of the significant changes that are on the horizon when the California Privacy Rights Act (CPRA) becomes operative on January 1, 2023.

By way of background, in November of 2021, California residents voted to pass the CPRA, which affords California consumers heightened rights and control over their personal information.  California residents already have a number of rights under the California Consumer Privacy Act (CCPA), and the CPRA will provide even more rights to individuals — including employees — in California.

Currently, the only obligations that covered employers have under the CCPA is to provide a notice of collection and to reasonably safeguard personal information due to a partial exemption under CCPA for information collected in the context of employment.  However, this will change on January 1, 2023, when the partial exemption for employers under the CCPA will expire.  Although bills were proposed to extend the exemption for employers until at least January 1, 2026, the last day on which the California legislature could have passed those bills into law was August 31, 2022.

What’s New For Covered Employers In 2023 Under CPRA?

California employees of covered employers will have increased rights as of January 1, 2023, and accordingly, their employers will have increased compliance obligations.  The new rights for California employees will include, among others:

  1. the right to know: the employee’s right to notice regarding the type(s) of personal information that their employer collects, sells, shares, or discloses, as well as the right to make a request that the employer to disclose personal information it has collected about the employee;
  2. the right to rectification: the employee’s right to correct or rectify the personal information that their employer maintains;
  3. the right to deletion: the employee’s right to request that the employer delete the personal information that the employer has collected about them;
  4. the right to data portability: the employee’s right to request that their employer provide them with, or transmit to another entity, a copy of their personal information in a reasonable format;
  5. the right to limit use and disclosure of sensitive personal information: the employee’s right to request that their employer limit the use and disclosure of “sensitive personal information” to certain defined activities.

Employers will need to evaluate employee requests to exercise their rights to determine their obligations under the CPRA, as employers may have certain bases to deny employee rights requests.  For example, should an employee attempt to exercise their right to deletion, the employer could rightfully deny that request to the extent that certain personal information is required to carry out the employment relationship (to process payroll, provide benefits, etc), or because of statutory requirements that dictate the retention of certain employment related information.  Further, the right to rectification can also be significantly limited to certain personal information that can be verified.  However, in the wake of employee requests, covered employers must keep in mind that the CPRA prohibits discrimination against employees for exercising their rights under CPRA.

What Organizations Can Do to Prepare

In the coming months, there are a number of steps that employers can and should take to prepare for their new obligations under the CPRA.  Organizations should consider the following when determining whether their processes and procedures are CPRA ready:

Data Inventory: Employers need to assess the locations of personal information, including employee personal information, and create a data inventory.  Data inventories are helpful when an employer needs to identify the location(s) of employee data in response to an employee request under CPRA.  For example, an employer cannot delete data if it does not know where it is.  Employers should inventory not just their own data, but also data being held by third party service providers and contractors as these are also components of information required to be communicated when responding to access requests.

Records Retention: Employers might also assess their current records retention policies and schedules to ensure that they reflect retention periods appropriate for the states and/or jurisdictions in which they operate.  With privacy principles like data minimization and storage retention continuing to be adapted and grow, the importance of appropriate records retention is growing in parallel.

Review of Existing Practices: Employers should also review their current CCPA notices of collection, as well as current policies and procedures related to privacy and cybersecurity, to determine any changes that should be made under CPRA to address the processing of new or sensitive personal information, the processing of information for new purposes, the length of time the personal information will be maintained, and the categories of third parties that will have employee personal information.

Vendor Assessment: Employers should review any contracts they maintain with any vendor that processes personal information about their employees and ensure that the contracts meet CPRA requirements.

Conclusion

This is a significant change for employers with employees in California; for some it will require a re-assessment of how personal data is handled and maintained, along with changes to current policies and procedures, but for others it will require a complete overhaul of current privacy and cybersecurity activities.  These compliance initiatives cannot be put into place overnight; employers should expect it to take anywhere from three to six months to stand up a compliant privacy and cybersecurity program.  That said, while compliance will not be enforced until July 1, 2023, employers can and should help themselves by beginning to make these changes now.

At the end of May, 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft proposal only covers a few topics the Agency is seeking to cover. The issues covered in this draft of the regulations include data collection and processing restrictions, and some detailed requirements on the sale and sharing of personal information. Several notable topics were left out of the proposed regulations and still remain unresolved. Those unresolved items include specifics about soon-to-be required Privacy Risk and Impact Assessments, Automated Decision Making, Personal Data Retention, Cybersecurity Audits and Examinations, and the closely watched fate of the employee carve-out.

On June 8, 2022, after the draft release, the Agency conducted a board meeting where board members and authoring members of the California Attorney General’s Office discussed the proposed regulations as well as the upcoming formal rulemaking process. Deputy Attorney General Lisa Kim and Supervising Deputy Attorney General Stacey Schesser described at a high level what changes the proposed regulations brought to the CPRA. The Board also authorized the Agency’s Executive Director, Ashkan Soltani, to commence the formal rulemaking process.

As things look today, the Regulations are unlikely to be finished by the CPRA’s effective date of January 1, 2023, which will lead to other challenges. There are also a large number of question marks still in place on a lot of very important issues. Nonetheless, businesses and organizations operating in California should start to take notice that the train is beginning to leave the station to operationalize the CPRA.

Generally, the proposed Regulations act as a roadmap for businesses ahead of the 2023 enforcement date. Deputy AG Kim highlighted the main purpose behind the draft, and directed businesses to read the CCPA’s Initial Statement of Reasons, or ISOR, for an in-depth look at the “why” behind the proposed Regulations. Kim and Supervising Deputy AG Schesser pointed out the primary goals of the regulations:

  1. To update existing CPRA amendments to the CCPA, provide harmonization and clarity to minimize any confusion;
  2. To operationalize the existing CPRA amendments, so businesses will have a better idea on how to implement policies and procedures to comply with the law; and
  3. To reorganize and consolidate certain aspects of the law, making it more digestible.

While the formal rulemaking process has not yet commenced, a few comments were taken into consideration at the Board meeting regarding the draft regulations. Many of the concerns came from small businesses, and the Board was asked to extend the CPRA’s January 1, 2023, effective date anywhere between 6 and 12 months to allow businesses to prepare for the law. CPPA Board members urged the public, businesses and individual consumers alike, to participate in the formal comment period by sharing personal experiences and perceived challenges for rule makers to take into account. Below is a more detailed walkthrough of the proposed Regulations, and some of the key takeaways we flagged in our review:

Article 1: General Provisions

Under Article 1, the proposed regulations purport to rework some of the existing regulations to focus on being understandable to both consumers and businesses. For example, the concept of data minimization as restated through section 7002, requires a business’s “collection, use, retention, and sharing of a consumer’s personal information” be done so in a manner that is “reasonably necessary and proportionate” in order to achieve the businesses purpose in collecting the data in the first place. Section 7003 sets forth all of the requirements for businesses regarding consumer disclosures and communications being plain and understandable. The main idea of these sections was already present under the CCPA, but the intention of the newly released drafts is to restate the regulation’s language in order to help businesses better understand their responsibilities.

Another notable section is 7004, which addresses the idea that consent through so called “dark patterns” is not considered consent. “Dark patterns” are defined as a user “interface [that] has the effect of substantially subverting or impairing user autonomy, decision-making, or choice, regardless of a business’s intent.” Dark patterns may appear as manipulative language, consumer shaming, or even bundling consent options. The draft regulations include examples of what is not acceptable, such as pairing “Yes” to accept and “No, I like paying the full price” as options for an offer. Once again, Section 7004 follows the ongoing theme of transparency for the consumer, requiring businesses to provide easy-to-understand methods of obtaining consent. Note that this is also consistent with the FTC’s treatment of on-line disclosures and the doctrine of “deception”.

Section 7001 defines the terms used throughout the proposed regulations, and according to the ISOR, “assists businesses in implementing the law” while helping consumers to “enjoy the benefits of the rights provided [to] them by the CCPA.” Some of the noteworthy additions include definitions for concepts such as “disproportionate effort”, “frictionless manner”, and “unstructured data.” These definitions may, in theory, help businesses with the burden of compliance under the CCPA, but they lack an objective standard for what falls into these categories. For example, “frictionless manner” is defined as “a business’s processing of an opt-out preference signal that complies with the requirements set forth in section 7025, subsection (f).” 11 CCR § 7001(m). While these definitions technically explain “how” a business should be compliant under the law, the draft’s somewhat circular language could be problematic when it comes to actual business operations.

Article 2: Required Disclosures to Consumers

Article 2 lays out a proposal of how businesses make disclosures to consumers. When describing the proposals, Deputy AG Kim pointed out the new concept of an alternative opt-out link from Section 7015, which businesses could provide to consumers who want to opt out of the sale or sharing of their personal information or limit the businesses use of their sensitive personal information. The link would be imbedded in a business’ website, and it would direct consumers to a page where they will be further informed of these rights, as well as given the opportunity to exercise the rights. The alternative opt-out link is an example of how the proposed regulations operationalize some of the CCPA’s legal requirements. Other notable Article 2 highlights from the proposed regulations include an updated notice for consumers’ opt-out rights, allowing them to opt out of the sharing of personal data, as well as the sale of that information. Businesses could also use the alternative opt-out link to comply with this requirement. Businesses will also need to update their privacy policies. Under Section 7011 of the draft regulations, businesses have additional requirements, such as:

  • Stating whether or not the business discloses sensitive personal information for purposes other than those authorized by the CPRA. If that is the case, the business must provide notice information within their privacy policy. 11 CCR § 7011(e)(1)(K).
  • Providing an explanation of the new consumers’ rights added by the CPRA’s amendments to the CCPA, including the right to correct, right to limit, and the right to opt-out of sale and sharing of personal information. 11 CCR § 7011(e)(2). It should be noted that the practical effect of adding “share” (at least the way “share” is defined in the law) to the opt-out obligation is quite limited. The CCPA’s “sale” definition has the same practical effect as the CPRA’s “share” definition.
  • Providing information about how the business responds to and processes opt-out preference signals. 11 CCR § 7011(e)(3)(F). This is a very new concept and has some interesting side effects from a practical implementation perspective, as noted below.
Article 3: Business Practices for Handling Consumer Requests

According to Deputy AG Kim, Article 3 updates how consumers may submit requests to exercise their rights. The Article clarifies that the right to know and right to delete no longer relate to household information, and it provides businesses some timelines and ways to respond to consumer requests and it consolidates the already established exceptions to the consumer right to limit.

One of the most notable updates under Article 3 relates to opt-out preference signals (Section 7025), which is likely to be subject to heavy debate once the formal rulemaking process commences. Opt-out preference signals are defined as a “signal that is sent by a platform, technology, or mechanism, on behalf of a consumer, that clearly communicates the consumer choice to opt-out of the sale and sharing of personal information.” 11 CCR § 7001(r). This clearly includes the browser configuration options around “Do Not Track” (“DNT”) signals.

The CPRA had previously given businesses the option to recognize opt-out preference signals as a method for consumer privacy requests, but the proposed regulations, as written, would require businesses to recognize them. At this point, the proposed regulations are missing technical specifications for opt-out preference signals.

Ironically, the side effect of the DNT recognition requirement is that if a business is only engaging in cross-contextual behavioral advertising via cookies or similar technology on their website (and there isn’t any other “sharing” going on) then the recognition of DNT signals removes the need to post “Do Not Sell or Share my Information” links on the website. For businesses that only “sell” or “share” data by participating in an affiliate advertising network, this is a significant operational benefit. The draft regulations, as written, would effectively remove the requirement for “Do Not Sell” links on those businesses’ websites because the DNT signal is supposed to moot the need for such a link.

On top of the requirement to adhere to requests to delete, section 7022 of the draft regulations creates the obligation for businesses to notify third parties, service providers, and contractors of the consumer’s request to delete. If a business relies on a CCPA exception to refuse a consumer’s request to delete, they will still have to notify the applicable service providers, contractors, and third parties of the consumer’s request to delete any information not subject to a CCPA exception.

Section 1798.106 of the California Consumer Protection Act (CCPA) provides consumers with the right to correct inaccurate information. Section 7023 of the proposed regulations operationalizes the right to correct by setting forth the procedures for businesses to follow for consumer submissions and the handling of requests to correct. Other state laws also provide consumers the right to requests to correct, so the operationalized methods of the draft regulations will assist compliance efforts of businesses operating in other states. Regarding requests to opt-out of sale or sharing, section 7026 of the proposed regulations states that a notification or pop-up for cookies is not by itself an acceptable method for submitting requests to opt out of sale/sharing. According to the ISOR, this section of the regulation has been restructured to be “easier to read and understandable for businesses and consumers.”

Section 1798.121 of the CCPA provides consumers the right to request a business to limit its use and/or disclosure of their sensitive personal information. The draft regulations add a new section 7027 aimed at giving consumers with the ability to limit the use of sensitive personal to instances where that information is necessary for the business to provide goods and services and only for purposes that are reasonably expected by a consumer requesting those goods and services. According to the proposed regulations, businesses using or disclosing personal information must provide two or more designated methods for submitting requests to limit. At least one of the methods should reflect the manner in which the business primarily interacts with the consumer (Online, Brick and Mortar Store, etc.).

Article 4: Service Providers, Contractors, and Third Parties

Article 4 of the Draft Regulations highlights responsibilities for businesses regarding their relationship with third parties, service providers, and contractors. Section 7050 clarifies that a person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider or contractor. 11 CCR § 7050(c). As a result, that transfer of personal information is subject to the right to opt-out of sharing.

Both sections 7051 and 7053 lay out the requirements that apply to vendor contracts. Notably, the draft proposals would create a new due diligence duty for businesses when working with contractors, service providers, and third parties. The regulation states that “[w]hether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations.” 11 CCR § 7051. Furthermore, Section 7052 sets forth the duties of third parties such as recognizing opt-out preference signals and complying with consumer requests. The ISOR states that the listed responsibilities for a third party “benefits businesses by sharing the burden of communicating online requests to opt-out of sale/sharing”

According to Deputy AG Kim, Article 5 through Article 8 are all relatively unchanged. The differences come in where the statutory language lies, and the draft regulations work to align the language of the CCPA and the CPRA amendments.

Article 9: Investigations and Enforcement

Supervising Deputy AG Schesser discussed the additions made to Article 9, stating that the proposed provisions outline requirements for complaints made to the Agency. The proposed regulations also provide what the Agency needs to start its own investigations. Schesser briefly covered probable cause hearings, stating that the Agency may conduct probable cause hearings if there is evidence to support a reasonable belief that the CPRA was violated. (11 CCR §7303(a)). Other sections of the proposed regulations cover requirements for Sworn Complaints (Section 7300), CCPA Investigations (Section 7301), Stipulated Orders (Section 7303), and Agency Audits (Section 7304).

What’s Next?

The Agency said during its February 17, 2022 board meeting that the regulations are unlikely to be finalized on time. Many of the public comments at the June 8 board meeting echoed concern to the Agency to push the enforcement date back at least 6 months. This additional time would allow businesses, small and large, to adjust their privacy practices to be compliant ahead of the enforcement date. With that said, the Executive Director Soltani, was just recently authorized to commence the final rulemaking proceedings. The proceedings will commence when the Agency publishes a notice of proposed action in the California Regulatory Notice Register. After providing the notice, the public will be welcomed to comment on the proposed regulation for 45 days, which could even be extended should the Agency seek to make substantial changes. With penalties that can get up $7,500 per violations, and both the California Attorney General’s Office and the California Privacy Protection Agency having enforcement powers, businesses should be keeping a close eye on the Agency for further updates.

We do not recommend that organizations in California make any drastic compliance plans right now based on the current state of things. We do recommend that organizations subject to the CCPA/CPRA start looking at their vendor and service provider agreements. The draft regulations give pretty clear direction as to the kinds of things that will need to be included in these agreements, even if the actual text of the regulation isn’t final.

On compliance with the rest of the CPRA, there are simply too many unknowns at this point. However, this recent publication and initial public comment activity signals that the 2023 CPRA train is at least rumbling in the distance.

Introduction

On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed mandates for cybersecurity disclosures by public companies. If adopted, these mandates seek to provide investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. SEC chair Gary Gensler noted in a statement regarding the proposed mandates that cybersecurity incidents continue to become a growing risk with “significant financial, operational, legal, and reputational impacts.”

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” – Gary Gensler, SEC Chairperson

Continue Reading SEC Proposes Mandatory Cybersecurity Disclosures by Public Companies

Introduction

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Act will require critical infrastructure organizations (defined below) to report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The Act also creates an obligation to report ransomware payments within 24 hours.

According to the Federal Bureau of Investigation’s 2021 Internet Crime Report, released on March 23, 2022, cyber incidents rose 7% from 2020, with potential losses topping $6.9 billion. Many of the most threatened organizations fall into the critical infrastructure sector, and in 2021 alone, cyber incidents caused oil and food shortages, as well as supply chain threats. With cyber incidents reaching all-time highs in 2021, the legislation purports to protect U.S. critical infrastructure entities and investigate cyber crimes moving forward. The Act suggests that reporting obligations are being implemented to ensure that the government can support in the response, mitigation, and protection of both private and public companies that are covered under the Act. Within 24 months, CISA’s director is required to issue a proposed rule, and must issue a final rule 18 months after making the proposal. The legislation also authorizes the Director of CISA to issue future regulations to amend or revise that rule. Continue Reading President Biden Signs Bill Mandating Cyber Reporting for Critical Infrastructure Entities

Introduction 

The Utah legislature has passed Senate Bill 227, otherwise known as the Utah Consumer Privacy Act (UCPA). Barring a veto from Utah Governor Spencer J. Cox, who, as of March 15, 2022, officially has the bill on his desk for action, Utah will become the fourth state to pass a comprehensive privacy bill, following the likes of California, Virginia, and Colorado. If enacted, the UCPA would take effect on December 31, 2023. Continue Reading Utah To Become The Fourth State to Pass Privacy Legislation

Introduction

While previous cybersecurity legislation has largely been unable to pass through Congress, the Strengthening American Cybersecurity Act of 2022 was introduced by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), and has been viewed as a priority as threats of cyber incidents continue to rise. The Senate unanimously passed the Act, which, in its current form, would require federal agencies and critical infrastructure operators to report cyberattacks within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Should the legislative package make it through the House unchanged, it would also require critical infrastructure companies to report ransomware payments within 24 hours. The Act combines language from the three bills Senators Portman and Peters have authored in the past – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. Continue Reading U.S. Senate Unanimously Passes Cybersecurity Bill on March 2, 2022

Recently, a federal Special Master in the District of New Jersey addressed whether a requesting party waives its right to relevant and discoverable documents when it fails to timely follow up on the responding party’s objections. In In re Valeant Pharmaceuticals International, Inc. Securities Litigation,[1] the Special Master refused to entertain the plaintiffs’ waiver argument, finding that the relevant and discoverable documents should be produced regardless.

In that case, defendant served its first request for the production of documents from plaintiffs on October 22, 2018.[2]  On July 29, 2019, plaintiffs served objections and responses to those requests.[3] Certain responses included general objections.[4] The response to one request, Request No. 7, included a statement that plaintiffs were “willing to meet and confer” with defendant regarding the “appropriate scope of responsive documents.”[5] The response to another request, Request No. 11, included a statement that plaintiffs would conduct a “reasonable search for and produce responsive, non-privileged, or otherwise unprotected communications in their possession, custody, or control.”[6] Continue Reading Recent Decision Holds That Failure to Timely Follow Up On Objections to Discovery Requests Does Not Waive Discovery