Congratulations to Katherine Lowry and the IncuBaker Team

BakerHostetler is proud to announce that Financial Times recently recognized the firm’s IncuBaker team, along with incoming CIO Katherine Lowry, in its annual Innovative Lawyers North America 2022 Awards. The IncuBaker team won in the Innovation in Client Delivery category, and Lowry was named Most Innovative Intrapreneur.

The awards, presented on Dec. 5 in New York, celebrate the best in innovation from law firms and in-house legal teams in the North America region.

“I am thrilled to see Financial Times recognize both IncuBaker and Katherine,” said Bob Craig, BakerHostetler’s current CIO and co-creator of IncuBaker. “BakerHostetler’s collaborative culture and focus on innovation are key components in not only firm achievements, including awards and recognitions like these, but also the overall success of our people and the excellent service we provide our clients.”

CCPA/CPRA Rulemaking Update: What to Expect

The California Privacy Protection Agency (“CPPA” or the “Agency”) published on November 3, 2022, a Public Notice of Proposed Modifications and Additional Materials Relied Upon, which starts what we hope is the last round of rulemaking to finalize the regulations for the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). The CPRA amendments to the CCPA go into effect on January 1, 2023. Those new provisions under the CPRA will become enforceable starting July 1, 2023, and the Agency will be able to bring enforcement actions for violations that occurred on or after July 1. This article summarizes the changes in the Proposed Regulations, what businesses can do now to comply with the January 1 deadline, and what to expect in terms of forthcoming regulations and enforcement of the new California requirements in 2023.

Key Takeaways

  • SPI and Opt-Out Preference Signal: There was significant discussion by the Agency on two topics, and therefore businesses should continue to monitor updated regulations in these areas: (1) the use and disclosure of sensitive personal information (“SPI”) and (2) opt-out preference signals.
  • DPA and Notice Requirements: No material changes were made in the November 3 modified draft of the regulations for requirements relating to data protection agreements (“DPA”), notice and privacy policies. The Agency did discuss creating in the future a DPA template that businesses could incorporate by reference, similar to a standard contractual clause that businesses can use to comply with the EU General Data Protection Regulation. For businesses that went forward with updating DPAs and prepared notices and privacy policies to go live on January 1 based on regulations that were proposed this past July, it is our assessment that there should be no material changes needed, at least for the January 1 deadline. For businesses that did not update the service provider and third-party contract terms or review the adequacy of the notices and privacy policies in the past year, they should now review them based on the November 3 draft regulations.

California’s AB 587: What You Need to Know About Social Media Content Moderation

On Sept. 13, California Gov. Gavin Newsom signed into law AB 587, which requires social media companies to publicly post their content moderation policies and semiannually report data on their enforcement of the policies to the attorney general. The first part of this article will discuss the requirements imposed by AB 587 on social media companies. The second part will discuss other state laws that similarly moderate social media content and how they compare to AB 587. The last part of this article will examine the litigation history of content moderation laws and the potential implications of possible Supreme Court intervention on these state laws.

New York Department of Financial Services Publishes Proposed Second Amendment to Its Cybersecurity Regulation

On Nov. 9, 2022, the New York State Department of Financial Services (NYDFS) published a proposed second amendment to its cybersecurity regulation. This follows its pre-proposed amendment that was published on July 29. Our prior analysis of those amendments is available here. NYDFS did consider comments received in response to the pre-proposed amendments, as they clarify and strengthen certain requirements. We highlight some of the key changes.

OCR Releases YouTube Video Addressing “Recognized Security Practices” in HIPAA Enforcement Context

As a Halloween treat for HIPAA-covered entities and business associates, on October 31, the Department of Health and Human Services Office for Civil Rights (OCR) released a new video on its YouTube channel, in which senior OCR cybersecurity advisor Nick Heesters addresses recognized security practices, or RSPs. In this video, Heesters answers a handful of questions directed to the OCR in response to OCR’s June 2022 call for input on the implementation of RSPs. While the video should be viewed in its entirety, we discuss here some of the more noteworthy aspects: (1) the OCR’s position on the “voluntary” nature of RSPs, (2) the goal posts around implementation, (3) the importance of robust asset inventory practices, and (4) supporting evidence of RSP implementation.

Could Careless Coders Face False Claims Liability?

New Software Development Security Attestation and Related False Claims Act Liability for Commercial and Noncommercial Software Developers and Suppliers

Key takeaway

Software producers at all levels in the federal supply chain should prepare to attest that their software development practices comply with National Institute of Standards and Technology (NIST) standards supported by artifacts that demonstrate secure software development and by the software bill of materials.

What happened

On Sept. 14, 2022, the Office of Management and Budget (OMB) issued guidance establishing time frames for requiring all federal agencies to only use software provided by developers (producers) who can attest in writing to complying with the NIST-specified secure software development framework (NIST SP 800-218) and NIST software supply chain security guidance. OMB’s actions implement President Joe Biden’s May 12, 2021 Executive Order requiring NIST to identify practices that enhance the security of the software supply chain.

Top NFT-Related Cybersecurity, Phishing, Hacking and Other Risks in 2022

The continued growth of the market for nonfungible tokens (NFTs) in 2022 has helped shape the zeitgeist of what has been referenced colloquially by some as the “fourth industrial revolution,”[1] defined largely by network effect (e.g., virality); rapid innovation; social, creative and civic engagement; and evolved perspectives with regard to how rights and obligations between and among parties to automated agreements are defined and enforced.

Commonly used to identify and affix identifiable rights to otherwise fungible digital media files, NFTs, along with other cryptographic assets and blockchain technology generally, compose the infrastructure required to facilitate transactions between and among anonymous or pseudonymous counterparties without involvement by third-party intermediaries, such as banks. As a result, the nonfungible (unique) nature of NFTs has revolutionized conceptions of digital property ownership by demonstrating that digital property is not only real but has intrinsic value, similar to real property.

White House Releases First-Ever Comprehensive Framework for Responsible Development of Digital Assets

On Sept. 16, 2022, the White House released a comprehensive framework for responsible digital asset development and, in particular, cryptocurrency. Agencies across the federal government have been working for the past six months to develop frameworks and policy recommendations to advance the six key priorities identified in President Biden’s March 9 executive order on Ensuring Responsible Development of Digital Assets: (1) consumer and investor protection, (2) financial inclusion, (3) promoting financial stability, (4) responsible innovation, (5) U.S. leadership in the global financial system and economic competitiveness, and (6) countering illicit finance. This framework comes weeks after the California Senate unanimously passed the Age-Appropriate Design Code Act on Aug. 29, 2022, reflecting an increased focus on platform accountability, transparency and consumer protection at both the state and federal levels.

2022 DSIR Report Deeper Dive: OCR’s Right of Access Initiative

In 2019, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR) announced its Right of Access Initiative, promising to prioritize patients’ rights to receive timely copies of their medical records without being overcharged. In the three years since, which saw the transition to a new administration in Washington, OCR has publicized resolutions related to 41 Right of Access claims, including two civil monetary penalties (CMP) and 39 settlements totaling $2,428,650. In BakerHostetler’s 2022 Data Security Incident Response (DSIR) Report, we highlighted OCR’s ongoing commitment to its Right of Access Initiative, fully expecting the trend would continue, and also provided a high-level list of red flags based on the resolution agreements published at the time. In this blog post, we take a deeper dive into OCR’s enforcement actions under this initiative to date, including major themes and shifts in approach.

Modeling the Privacy Catwalk: Practical Steps Forward

What’s Trending? (Privacy a la Mode)

Notable fashion brands have been engaging in a “trial period” of new technologies as privacy laws and privacy enforcement are trending – for example, exploring integrating branding into digital assets in video games, virtual reality (VR) and augmented reality (AR) technology, metaverses, and non-fungible tokens (NFTs). Fashion naturally pushes the envelope, taking on risks in the interest of not being left behind and losing relevancy and notoriety. This brings about several legal issues, such as those arising from trademark infringement by NFT creators, as well as marketing collaborations as influencers are becoming an essential component of a brand’s commercial success.
