Privacy & Information Security Law Blog

On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an Industry Letter warning companies to update their AI security procedures around multifactor authentication, which are potentially vulnerable to deepfakes and AI-supplemented social engineering attacks.

On October 16, 2024, the European Data Protection Board announced it had adopted Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive following a public consultation.

On October 10, 2024, the Council of the European Union adopted the EU’s new regulation on horizontal cybersecurity requirements for products with digital elements.

October 17, 2024, is the final day for EU Member States to implement the necessary measures for transposing the NIS2 Directive into their national laws.

On October 4, 2024, the Court of Justice of the European Union issued its judgment in case C‑446/21 to assess whether the GDPR imposes limits to Meta Platforms Ireland’s use of personal data collected outside of the Facebook social network for advertising purposes.

On September 30, 2024, the State Council of China published the Regulations on Administration of Network Data Security (the “Regulations”), which will take effect on January 1, 2025. The Regulations cover multiple dimensions of network data security, including personal information protection, security of important data, cross-border transfers, network platform service providers’ obligations, and regulatory supervision and administration. Certain of the key provisions are summarized below. In general, most of the provisions under the Regulations can be found in other existing laws and regulations of China.

On October 3, 2024, Texas Attorney General Ken Paxton announced a lawsuit against TikTok for operating its platform in violation of the Texas Secure Children Online through Parental Empowerment Act.

On October 9, 2024, the European Data Protection Board adopted an Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s), and Guidelines on the processing of personal data based on legitimate interest.

On September 26, 2024, the U.S. Department of Health and Human Services Office for Civil Rights entered into a resolution agreement and corrective action plan with Cascade Eye and Skin Centers, P.C. following a ransomware attack that impacted approximately 291,000 files containing electronic PHI.

On October 9, 2024, both the Federal Trade Commission and a coalition of 50 state attorneys general issued announcements that they had reached settlement agreements with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC over a multi-year series of data breaches impacting hundreds of millions of individuals.