Cyber Security, Data Governance, & Privacy

How Compliance Officers Can Avoid Personal Liability
Haley Metteauer

Just weeks before the end of 2022, data stolen from Uber Technologies Inc. was leaked online. The data came from multiple breaches of the embattled rideshare company, including from 2014, 2016, and September 2022.

The news of this latest data leak comes two months after the conviction of Joseph Sullivan, Uber’s former Chief Security Officer (CSO). United States Attorney Stephanie M. Hinds and FBI San Francisco Special Agent in Charge Robert K. Tripp announced on October 5, 2022 that Sullivan had been convicted by a federal grand jury for his attempts to cover up the details of two separate breach incidents of Uber’s database in 2014 and 2016—breaches that affected tens of millions of Uber account holders.

Uber CSO Convicted - How to Prepare For The CPRA’s Enforcement
Haley Metteauer

The California Privacy Protection Agency (CPPA) is still taking public comments on the modified text of the CPRA—an outline of which can be found here. Because of the potential for further changes, Reuters notes that businesses likely won’t receive their full marching orders until the end of January or February 2023, “given the Office of Administrative Law's (OAL) 30-day review period.”

Regardless of the enforcement date, we will provide you with tips on how your organization can begin preparing for the release of the CPRA now.

NYDFS Proposes Amendments That Expand Board and Management Responsibility For Cyber Breaches
Haley Metteauer

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) Cybersecurity Resource Center announced that it was proposing a second amendment to 23 NYCRR Part 500, the NYDFS Cybersecurity Requirements for Financial Services Companies (the “Act”) that would expand the responsibilities and corresponding liabilities for officers and directors of a financial services company with regard to the organization’s cyber security.

Explainer: Can A Clean Room Help Keep Data Private?
Haley Metteauer

In recent years, organizations have utilized “clean rooms” as part of their data governance practices. According to this Wall Street Journal article, the term “clean room” is derived from the manufacturing industry where a clean room is a “controlled environment that is free of contamination.” In the data governance industry, a clean room is a software process that enables organizations to exchange secure data with outside contributors or users without allowing those parties to view the actual consumer information.

Congressional Report Released on EU-U.S. Data Privacy Framework
Haley Metteauer

On October 24, 2022, the Congressional Research Service (CRS) released a report titled “The EU-U.S. Data Privacy Framework: Background, Implementation, and Next Steps” (the “Report”). The Report “explains the circumstances leading to the development of the Data Privacy Framework, U.S. steps to implement the framework, and issues of possible interest to Congress.”

FTC Holds CEO Individually Responsible for Organization’s Data Breach
Haley Metteauer

On October 24, 2022, the Federal Trade Commission (FTC) issued a press release indicating it was initiating action against Drizly, LLC (“Drizly”), an online alcohol marketplace, and its chief executive officer (CEO), James Cory Rellas, for a data breach that resulted in approximately 2.5 million consumers’ personal data being exposed.

Colorado Releases Draft Proposal of State Privacy Act
Haley Metteauer

Previously, we reported that the Colorado Attorney General (“AG”) issued pre-rulemaking considerations to assist regulated entities in understanding the requirements and application of the Colorado Privacy Act (“CPA” or “Act”), which will go into effect on July 1, 2023.

On September 30, 2022, the Colorado AG issued a proposed draft[1] of the CPA. The Colorado AG will be holding three virtual stakeholder meetings on November 10, 15, and 17, 2022 to gather feedback that will form the basis of the final rule.

White House Releases AI Bill of Rights Blueprint
Haley Metteauer

On September 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) released its Blueprint for an AI Bill of Rights (“Blueprint”) to make “automated systems work for the American people.”

Democratic Senators Sent FTC Chair Request Updates to COPPA
Haley Metteauer

On September 29, 2022, Senator Edward J. Markey (D-MA), Senator Richard Blumenthal (D-CT), Senator Kathy Castor (D-FL), and Senator Lori Trahan (D-MA) (collectively, the “Senators”) sent Federal Trade Commission (“FTC” or “Commission”) Chair Lina Khan a letter requesting that the Commission update its regulations under the Children’s Online Privacy Protection Act (“COPPA”).

U.S. and UK Enter Into Landmark Data Access Agreement
Haley Metteauer

On October 3, 2022, the Department of Justice (“DOJ”) announced that the agreement between the United States of America (US) and the United Kingdom of Great Britain and Northern Ireland (UK) governing the Access to Electronic Data for the Purpose of Countering Serious Crime (“Data Access Agreement” or “Agreement”) was in effect.

FTC Brings Dark Patterns to Light
Haley Metteauer

On September 15, 2022, the Federal Trade Commission (FTC) released a report titled ‘Bringing Dark Patterns to Light’ (the “Report”) detailing the use of dark patterns across a variety of industries and the years of effort that these companies committed to establishing dark patterns.

California Passes Age-Appropriate Privacy Act
Haley Metteauer

On September 15, 2022, California Governor Gavin Newsom signed the California Age-Appropriate Design Code Act (the “Act”), which is directed at businesses providing online services, products, or features likely to be accessed by persons under the age of 18.

Practical Guidance: Why Privacy Settings Can’t be Set to “Consent” by Default
Haley Metteauer

On September 14, South Korea’s Personal Information and Protection Commission (the “Commission”) announced it will levy more than $70 million in fines against Alphabet Inc.’s Google (“Google”) and Facebook’s parent Meta Platforms Inc. (“Meta”) over alleged privacy violations. According to the Commission, these companies collected and utilized personal information for targeted advertising without obtaining user consent.

CISA Issued RFI on Cybersecurity Reporting Requirements
Haley Metteauer

On September 9, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) from critical infrastructure owners and operators on “approaches to implementing the cyber incident reporting requirements, pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which President Biden signed into law in March 2022.”

California Legislature Adjourns Without Extending CCPA Temporary Exemptions
Haley Metteauer

On August 31, 2022, the California legislature adjourned without issuing an extension of the temporary exemptions from the reporting and compliance requirements under the California Consumer Privacy Act (“CCPA”) for the collection of personal information derived from job applicants, employees, and contractors (collectively, the “workforce”) in employment contexts.

ICO Releases Draft Guidance on Privacy Enhancing Technologies
Haley Metteauer

In September 2022, the Information Commissioner’s Office (“ICO”) published draft guidance to assist organizations with implementing a ‘data protection by design and by default’ approach via techniques like data anonymization and pseudonymization, as well as through the use of privacy enhancing technologies (“PETs”).

FTC Hosts Forum on ANPR to Govern Commercial Surveillance
Haley Metteauer

On August 11, 2022, the Federal Trade Commission (“FTC”) released an advance notice of proposed rulemaking (“ANPR”) to govern “commercial surveillance,” which is broadly defined by the ANPR as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information,” or the security organizations apply to that data.

How to Guide: SOC2 compliance
Haley Metteauer

As many organizations engage in audits to ensure that their operations are sufficiently safeguarded against data loss or breach, we have compiled the following information on the industry’s leading data assessment standard — Service Organization Control ("SOC 2").
