Regulatory Update: FL and TX Pass Comprehensive Consumer Data Privacy Bills, WA Signs ‘My Health My Data Act’ — May 2023 Newsletter
DeleteMe
Florida, Texas and Washington All Pass Consumer Privacy Bills
In the first two weeks of May:
- Florida passed Senate Bill 262, the Florida Digital Bill of Rights.
- The Texas Senate approved HB 4, the Texas Data Privacy and Security Act.
- Washington State Governor Inslee signed the My Health, My Data Act into law.
The Washington law is particularly notable. It includes broad definitions of covered entities and sensitive data types, as well as a strong private right of action. The combination of these features may make it the most significant new privacy law in the country.
Washington State now joins Iowa, Indiana, and Tennessee, which have all signed new privacy legislation into law this year. California, Colorado, Connecticut, Utah, and Virginia have passed similar laws in the past few years. The Montana legislature also passed a comprehensive privacy law in April.
Our Take:
Washington’s My Health, My Data Act is likely to be a significant source of concern for many companies. The Act is similar to Illinois’ Biometric Information Privacy Act (BIPA), which has led to billions of dollars lost in class action settlements over the last few years, but imposes more operationally challenging obligations and has fewer limitations on applicability.
Cybersecurity Update: Municipal Agencies, Healthcare Networks Under Fire
Cybersecurity researchers are pointing to a growing trend of ransomware attackers targeting municipalities. Since the beginning of 2023, there have been major disruptions in Oakland, CA, Dallas, TX, and Washington, DC, as well as smaller cities like Lowell, MA, and the suburbs of Detroit, MI. This month also saw attacks on the Federal Department of Transportation and the DC Metro system, highlighting growing cyber risks to public infrastructure.
The healthcare sector has also become the exclusive target of some well-resourced ransomware groups like CLOP and LockBit. Attacks in this sector peaked at a record high in April. A recent breach of PharMerica, a pharmacy services provider, is one of the largest this year so far, exposing the data of over six million patients.
Our Take:
With large ransomware payouts in decline, Russian cyber gangs appear to be dividing efforts between “disruption for disruption’s sake” and exfiltrating the most lucrative, sellable data. The public sector is ideal for the former and the healthcare industry for the latter.
Workforce Surveillance Receiving Greater Federal Scrutiny
The White House Office of Science and Technology Policy released a public request for information on employer use of workforce monitoring technologies. This is usually an early indication of forthcoming policy proposals.
Recent research indicates that even though pandemic-driven remote work opportunities have decreased, the use of employee surveillance tools has grown since 2021. The types of technologies used have also become more invasive.
Our Take:
Few new state privacy laws (other than the CCPA) have included employee data protections so far. Still, it’s possible that workforce surveillance – like Children’s Data, Health Data, and Location Data – may become an area where the FTC applies broader interpretations of its own regulatory mandate in the near future.