Introduction

On Thursday, March 20, a federal judge in the Northern District of Illinois granted final approval to a settlement agreement under which Clearview AI (Clearview) agreed to pay an estimated $51.75 million to a nationwide class if one of several contingencies takes place. This approved settlement agreement resolves In Re: Clearview AI, Inc. Consumer Privacy Litigation, No. 1:21-cv-00135 (N.D. Ill.), a multidistrict suit alleging that the company’s automatic collection, storage, and use of biometric data violated various privacy laws, including Illinois’ Biometric Information Privacy Act (BIPA). The unorthodox settlement not only preserves Clearview’s business model, but may also insulate Clearview from subsequent or parallel regulatory investigations without requiring the company to jeopardize the liquidity necessary for continued growth. Ultimately, this settlement seems to represent a good outcome for the company, especially in light of the fact that it was achieved over the objections of 23 state attorneys general (AG). U.S. District Judge Sharon Johnson Coleman stated that the settlement is fair, reasonable, and adequate.

What’s Happening?

Under the Department of Justice’s (DOJ) “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” rules (the Rules), allowing access outside the United States to certain types of sensitive personal data involving “countries of concern” may be restricted or prohibited beginning on April 8. See our previous advisory for more detail.

Dear Mary,

Our company experienced a cybersecurity incident. It seemed pretty minor — just a few suspicious emails and an employee’s account being locked. To my dismay, we’re now hearing from our IT team that the issue is more serious. We have cyber insurance, but we didn’t notify our carrier right away. Did we make a mistake? When should I reach out to our insurance provider?

– Unsure Insured of San Francisco

State attorneys general (AGs) continue to play a pivotal role as innovators, shaping the regulatory environment by leveraging their expertise and resources to influence policy and practice. The public-facing nature of AG offices across the U.S. compels them to respond to constituent concerns on abbreviated timetables. This political sensitivity, combined with the AGs’ authority to address both local and national issues, underscores their significant influence in the current regulatory environment.

Published in Law360 on January 22, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.

In the first installment of this two-part article, state attorneys general across the U.S. took bold action in 2024 to address what they perceived as unlawful activities by corporations in several areas, including privacy and data security, financial transparency, children’s internet safety, and other overall consumer protection claims.

On January 6, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published significant proposed amendments (proposed rule) to the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Key drivers for the proposed rule include the dramatic increase in cyberattacks, including ransomware, the rapid adoption of cloud computing, mobile devices, and other technologies, and inconsistent compliance with the existing Security Rule identified by the OCR’s investigations.

On November 21, the Supreme Court of Virginia entered a published order reversing a 14-3 en banc decision of the Court of Appeals of Virginia addressing the applicability of Virginia’s criminal laws regulating cybercrime. The decision in Commonwealth v. Wallace is the latest example of courts testing regulatory reach in the cybercrime arena.

New York Attorney General (AG) Letitia James and global movie theater operator National Amusements, Inc. (National) settled a lawsuit stemming from a 2022 data breach reported by National, which affected 82,128 National employees. As part of its settlement, National agreed to pay $250,000 in penalties to the state and to “improve existing cybersecurity infrastructure to prevent future data breaches.”