Privacy & Information Security Law Blog

On October 18, 2022, the Transportation Security Administration (“TSA”) issued a new cybersecurity directive requiring passenger and freight railroad carriers to create plans for responding to cybersecurity incidents. The new directive is one of many actions taken by the Biden Administration to strengthen the cybersecurity posture of the U.S.’s critical infrastructure following a significant ransomware attack on a major U.S. pipeline in 2021.

On September 23, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the UK Department for Digital, Culture, Media & Sport (“DCMS”) on its Consultation on establishing a pro-innovation approach to regulating AI (the “Response”).

On September 23, 2022, New York State Senator Andrew Gounardes introduced S9563, also known as the “New York Child Data Privacy and Protection Act.” The bill, which resembles the recently passed California Age-Appropriate Design Code Act, bans certain data collection and targeted advertising and requires data controllers to, among other obligations, assess the impact of their products on children.

On October 20, 2022, Texas Attorney General Ken Paxton brought suit against Google alleging various violations of Texas’s biometric privacy law, including that the company unlawfully collected and used the biometric data of millions of Texans without obtaining proper consent. The lawsuit alleges that, since 2015, Google has collected millions of biometric identifiers of Texas consumers, such as voiceprints and records of face geometry, through Google’s various products, including Google Photos, Google Assistant and Nest Hub Max, in violation of Texas’s biometric privacy law. Texas’s biometric privacy law prohibits the collection of biometric identifiers for a commercial purpose unless the individual whose biometric identifiers are collected is informed of the collection and provides consent. The law also requires companies to destroy biometric identifiers within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the biometric identifier expires (except in limited circumstances).

On October 24, 2022, the UK Information Commissioner’s Office (“ICO”) issued a £4.4 million fine to Interserve Group Limited for failing to keep employee personal data secure, which violates Article 5(1)(f) and Article 32 of the EU General Data Protection Regulation (“GDPR”), during the period of March 2019 to December 2020. The ICO determined that such violations rendered Interserve vulnerable to the cyber attack which took place between March 2020 and May 2020, affecting the personal data of up to 113,000 Interserve employees. The compromised data included contact details, national insurance numbers and bank account details, as well as special category data, including ethnic origin, religion, details of any disabilities, sexual orientation and health information.

On October 17, 2022, the French Data Protection Authority (the “CNIL”) imposed a €20 million fine on Clearview AI for unlawful use of facial recognition technology. The fine was imposed after the CNIL’s prior formal notice remained unaddressed by Clearview AI.

On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.

On October 19, 2022, Bloomberg Law reported that the White House is planning to introduce a system to label Internet of Things (“IoT”) devices with information related to the devices’ cybersecurity risk.

On October 12, 2022, a federal jury found BNSF Railway, operator of one of the largest freight railroad networks in North America, violated the Illinois Biometric Information Privacy Act (“BIPA”) in the first ever BIPA case to go to trial. In Richard Rogers v. BNSF Railway Company (Case No. 19-C-3083, N.D. Ill.), truck drivers’ fingerprints were scanned for identity verification purposes when visiting BNSF rail yards to pick up and drop off loads. The jury found that BNSF recklessly or intentionally violated the law 45,600 times when it collected such fingerprint scans without written, informed permission or notice.

On October 12, 2022, New York Attorney General Letitia James announced that her office had secured a $1.9 million penalty from e-commerce retailer Zoetop, owner of SHEIN and ROMWE, following an improperly handled data breach. The Office of the Attorney General of the State of New York (“NYAG”) alleged in its Assurance of Discontinuance that Zoetop failed to properly handle the breach and lied about its scope to consumers.