Modeling the Privacy Catwalk: Practical Steps Forward


What’s Trending? (Privacy a la Mode)

Notable fashion brands have been engaging in a “trial period” of new technologies as privacy laws and privacy enforcement are trending – for example, exploring integrating branding into digital assets in video games, virtual reality (VR) and augmented reality (AR) technology, metaverses, and non-fungible tokens (NFTs). Fashion naturally pushes the envelope, taking on risks in the interest of not being left behind and losing relevancy and notoriety. This brings about several legal issues, such as those arising from trademark infringement by NFT creators, as well as marketing collaborations as influencers are becoming an essential component of a brand’s commercial success.


AI Regulation and Soft Law Considerations Across the Uncanny Valley


Artificial intelligence (AI) refers to the recognition or creation of patterns that simulate human actions or thought. Since the late 1970s, when people began regularly interacting with computers, AI has become increasingly prevalent, and uses of AI technology continue to create greater opportunities for interaction with human norms — those rules that define acceptable behavior. The intersection of those norms and AI processes that seek to replace human actions where efficiency calls for it is also an intersection of expectations and the law — one that is changing and adapting quickly.

The recent article “AI–human interaction: Soft law considerations and application,” published in the Journal of AI, Robotics & Workplace Automation, discusses these issues. In particular, the article considers several primary concepts:

  • The history of AI and how its purpose, usability and interaction with humans have evolved in the past 50 years.
  • One potential challenge to AI is the Uncanny Valley: those instances where a robot creates a digital presence nearly indistinguishable from a real human, which can induce mental uneasiness when the humanlike appearance creates expectations the robot cannot meet.
  • The Turing test, a concept anticipated by AI pioneers, as a method of inquiry for determining whether a computer is actually capable of thinking like a human being.
  • How chatbots launched by technology corporations have recently demonstrated the risks and ethical challenges that advancement to AI presents.
  • The necessity of soft law to address the risks presented by increased use of AI as the industry progresses, and how legislative bodies have already begun addressing those risks.

Examining these issues, the article begins by tracing the history of AI from personal computing in the 1970s, when software and computer platforms were being developed with the goal of making everyone a computer user. As computers became a part of daily life, the field of cognitive engineering, a scientific field merging how people think and the engineering of products to address human needs, developed with the goal of increased efficiency worldwide. Human interaction with computers then progressed actively for decades, conforming to usability and aiming to reflect changes in society. And today, everyone is “plugged in” in some way in nearly every part of their existence, especially given the virtual and remote world designed in response to the COVID-19 pandemic. AI has not only adapted to these changes but continues to evolve, and the use of AI is shaping up to create a new normal.

The rapid maturation of the industry has set off related calls for action in the legal and regulatory communities. The article considers these movements and posits that soft law is the ideal step to address AI innovations, especially when considering how certain legislative bodies (including the California Legislature) have frameworks addressing how AI communicates with the public. As noted in the article, because “this is unlikely to be a situation where AI developers police themselves without any outside demands or influence,” there is a need to continue expanding efforts like this into a soft law approach that works.

The FTC’s Latest Staff Report on Dark Patterns: A Warning for Marketing Teams and UX Designers


The Federal Trade Commission issued a detailed [staff report] on September 15 addressing Dark Patterns (or what some more descriptively call “manipulative design,” but Dark Patterns seems to be sticking). Regulators are focusing increased attention on these manipulative designs and it’s critical for marketing, user experience and design teams to understand this topic.


What’s Old Is New Again: OCR Announces $300,000 Settlement Related to Improper Disposal of Physical PHI

After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case is unusual for its quick resolution, but that is likely a byproduct of the fact that it would be hard to defend, given OCR’s well-settled advice on this issue. This case serves as a reminder to covered entities that, while electronic medical records and security rule violations are more the norm, they must still recognize paper records as a possible source of a breach.


California’s Landmark Age-Appropriate Design Code Act: What You Need to Know

On Aug. 29, California’s Senate unanimously passed Assembly Bill 2273, known as the Age-Appropriate Design Code Act (the CA AADC or the Bill). The Bill, which is anticipated to be signed into law by Gov. Gavin Newsom, is aimed at promoting online safety and privacy for children under 18. The Bill was inspired by the UK’s Age-Appropriate Design Code (the UK AADC or the Children’s Code) and includes many similar requirements. If it is signed into law, covered businesses would need to come into compliance with the Bill’s core provisions by July 1, 2024. This blog explains who is covered, key provisions and how the CA AADC compares to its UK counterpart.


CCPA Employee and B2B Exemptions Set to Expire on Jan. 1, 2023


The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business Personal Information (PI) likely will not be extended. Aug. 31, 2022 was the last day for each house to pass bills, per the California Constitution (Art. IV, Sec 10(c) and the Joint Rules (J.R. 61(b)(18))), and no legislative proposals or amended bills made it to the floor. This means that on Jan. 1, 2023, full consumer rights will apply to the PI of workforce members[1] as well as to their PI collected on behalf of their employer in the context of “providing or receiving a product or service to or from” a business (B2B).


2022 DSIR Report Deeper Dive: The Expanding Landscape of State Data Privacy Law

BakerHostetler’s Data Security Incident Response Report is a one-of-a-kind resource that leverages aggregated data from security incidents. Our Digital Risk Advisory and Cybersecurity team has shared insights from attorneys across the firm’s Digital Assets and Data Management Practice Group who work with clients on complex privacy and data protection matters. This article takes a closer look at recent updates to the privacy law compliance landscape in the United States.


NYDFS Proposed Amendments to Its Cybersecurity Rules


On July 29, the New York Department of Financial Services (NYDFS) released Draft Amendments to its Part 500 Cybersecurity Rules that include a number of significant amendments to the rules, including notification requirements such as a mandatory 24-hour notification for cyber ransom payments, specific requirements for newly defined larger entities, increased expectations for oversight of cybersecurity risk, additional requirements for incident response plans (IRPs), business continuity and training, risk assessments, and new technical requirements. The Draft Amendments can be found here. The 10-day pre-proposal comment period would have ended today, Aug. 8, 2022, but NYDFS has extended the comment period for an additional 10 days, with a new deadline of Aug. 18, 2022. The official proposed amendments will be published following the comment period.


‘Unboxing’ the New NIST Guidance: NIST Publishes Significant Update to Healthcare Cybersecurity Guide


Without question, healthcare providers and the companies that support them operate in an elevated cybersecurity risk environment. And when a cybersecurity incident occurs, the ensuing regulatory inquiries and/or litigation often focus on whether the entity followed recognized security practices. The National Institute of Standards and Technology (NIST) Cybersecurity Framework has long been one of the most widely recognized sources of recommended security practices, even as some of its guidance has become outdated. This is especially true for its HIPAA security guidance, as the NIST publication “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” was published in 2008. Office for Civil Rights investigations now routinely ask for evidence that an organization has implemented “recognized security practices,” typically in alignment with the NIST Cybersecurity Framework. The challenges presented by aging NIST guidance cause frustration for many of our clients.

But in a move that feels long overdue, NIST has finally published a draft update to its healthcare cybersecurity guide, Special Publication 800-66r1. We’re excited to share our “unboxing” of the updated compilation of guidance and references, useful to anyone interested in healthcare cybersecurity. The draft of 800-66r2, titled “Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide,” is open for public comment until Sept. 21, 2022. 

While remaining essentially true to the structure of the original 800-66 publication, the draft revision adds substantial details. The main body of the document contains significantly expanded guidance on risk assessments and risk management. The appendices have been largely reworked and feature extensive resources to aid in performing risk assessments, especially with regard to threat modeling. The update to the original “Security Rule Standards and Implementation Specifications Crosswalk” appendix combines the many NIST publications issued in the intervening years between the release of 800-66r1 and the draft of 800-66r2. 

Perhaps the most useful new feature in the revised draft, Appendix F – HIPAA Security Rule Resources (Informative), contains more than 10 pages of categorized and summarized links to other resources in 17 different categories. While these categories include several timeless and broad topics (Risk Assessment/Risk Management, Documentation Templates, Small Regulated Entities, Education, Training & Awareness, Protection of Organizational Resources and Data, Equipment and Data Loss, Contingency Planning, Supply Chain, Information Sharing, Access Control/Secure Remote Access, Cybersecurity Workforce), they also include more specific topics of particular relevance to the current security environment (Telehealth/Telemedicine Guidance, Mobile Device Security, Cloud Services, Ransomware & Phishing, Medical Device and Medical IoT Security, Telework). The revamped Appendix F essentially offers a guided tour to an extensive library of healthcare cybersecurity resources. It’s worth noting, however, that digesting the content of these resources may prove to be a heavy lift for already overburdened healthcare information security teams.

As in 800-66r1, the largest section of the revised draft is “Considerations When Implementing the HIPAA Security Rule,” which sets forth “Key Activities” with corresponding “Description” and “Sample Questions” in a tabular format. In several places, the draft adds updated material and references consistent with the way the cybersecurity landscape continues to develop. For example, in addressing authentication, the draft revision includes considerations regarding multifactor authentication and application programming interfaces (both absent from r1). 

Although this draft is intended to incorporate suggestions from the hundreds of pre-draft comments NIST received, healthcare entities have until Sept. 21, 2022 to provide additional feedback. Still, the draft of 800-66r2 offers a wealth of content and concrete guidance that anyone addressing healthcare cybersecurity should be able to use immediately—a welcome tool considering the security challenges the sector faces right now.

Florida Follows North Carolina in Prohibiting State Agencies from Paying Ransoms


We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even communicating with a threat actor following a ransomware incident. On June 24, Florida followed suit when its governor signed HB 7055 into law, amending portions of the State Cybersecurity Act (the Act), which became effective on July 1.
