This week on Cyber Matters, host Tanner Wilburn and guests Katherine Kennelly and Zach Smith cover a wide range of cybersecurity, privacy, and technology law topics. They begin with a discussion of AT&T's massive data breach disclosure, highlighting the company's use of SEC guidance on cybersecurity incident reporting and the involvement of the Department of Justice in delaying public disclosure.

The hosts then explore the ongoing fallout from the MOVEit breach one year later, using it as a case study to anticipate potential consequences for Snowflake's recent data breach. They discuss the legal and financial implications for Progress Software, the company behind MOVEit.

CISA Director Jen Easterly's recent comments on ransomware payments are examined, along with the broader debate on whether to ban such payments. The hosts also delve into CISA's proposed Cyber Incident Reporting for Critical Infrastructure Act regulations and industry reactions.

In regulatory news, they cover the 6th Circuit's stay on the FCC's net neutrality rules and provide historical context for the ongoing debate over internet regulation. The podcast touches on several Big Tech stories, including OpenAI's "Strawberry" project, Microsoft's board seat changes at OpenAI, and Apple's antitrust maneuvers in the EU.

The hosts discuss Meta's relaxation of restrictions on former President Trump's social media accounts and the potential implications of the Supreme Court's SEC v. Jarkesy decision on Meta's dispute with the FTC. They also cover the official publication of the EU AI Act and its significance for businesses operating in Europe.

National security topics include expanded U.S. Treasury reviews of foreign real estate purchases near military bases, Microsoft's potential investment in UAE's G42 AI firm, and updates on TikTok-related legislation. The hosts also discuss a new software supply chain security bill and Germany's decision to phase out Huawei and ZTE components in 5G infrastructure.

The episode concludes with updates on Pennsylvania's amended data breach notification law and a local ransomware attack affecting Monroe County, Indiana.

LinkedIn Page:

https://www.linkedin.com/company/cyber-matters-podcast

Ransomware Resources:

https://www.lawfaremedia.org/article/ofac-the-ransomware-gangs#:~:text=In%20a%20nutshell%2C%20OFAC%20can,in%20other%20words%2C%20ransomware%20gangs.

https://securityandtechnology.org/virtual-library/memo/roadmap-to-potential-prohibition-of-ransomware-payments/

This week on Cyber Matters, hosts Tanner and Katherine cover a wide range of topics in cybersecurity, privacy, and technology law. They begin by discussing the ELVIS Act, a new Tennessee law effective July 1, 2024. Katherine explains how this act expands protections for individuals' voices and likenesses, particularly regarding AI-generated deepfakes. While both hosts praise the act's intentions, they also point out several ambiguities in its language that could lead to implementation challenges.

Tanner then provides an update on the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program. He details the revised CMMC rules submitted to the Office of Information and Regulatory Affairs, incorporating changes based on public feedback. These revisions include a new 2.5-year rollout plan, allowances for self-attestation in some cases, and increased focus on third-party risk management.

In SEC news, Tanner discusses a recent 8-K filing by Affirm Holdings, noting how it aligns with new SEC guidance on cybersecurity incident disclosures. The hosts also delve into the Supreme Court's decision in Moody v. NetChoice, which vacates lower court rulings on social media platform regulation laws in Florida and Texas. They explore the nuances of the majority opinion, concurrences, and the implications for future as-applied challenges to these laws.

Katherine highlights international privacy enforcement actions, including the European Commission's preliminary findings that Meta's "pay or consent" model for Facebook and Instagram users in Europe may violate the Digital Markets Act. She also mentions an order for Meta to stop training its AI on Brazilian personal data.

In the healthcare sector, Tanner covers a $950,000 settlement between the Office for Civil Rights and Heritage Valley Health System for potential HIPAA violations. He emphasizes the importance of basic security measures like risk assessments and access policies, noting that this case took nearly seven years to resolve.

The hosts then turn their attention to emerging technologies and their privacy implications. They address concerns about OpenAI's ChatGPT application for Mac storing conversation history in plaintext, debating whether this constitutes a breach of trust. Tanner and Katherine also explore the potential risks and considerations surrounding Morgan Stanley's new AI-powered tool for recording and summarizing client calls.

This week on Cyber Matters, Tanner Wilburn and Katherine Kennelly cover a wide range of cybersecurity, privacy, and regulatory news. The episode begins with a discussion of the Department of Commerce's final determination prohibiting Kaspersky Lab from providing antivirus software and cybersecurity services in the United States.

Tanner then delves into the ongoing challenges with the SEC's cyber disclosure rules that went into effect in December 2023. Many companies have been using cautious language in their Form 8-K filings, often stating that they have not yet determined the materiality of cyber incidents. The SEC has issued further clarifications, including guidance on how companies should assess and disclose ransomware attacks.

Katherine discusses the American Privacy Rights Act, which was unexpectedly pulled from a congressional hearing. The pair then covers the Protecting Americans' Data from Foreign Adversaries Act (PADFA), which took effect on June 23. This act establishes new restrictions on data brokers transferring sensitive personal data to foreign adversary countries, enforced by the Federal Trade Commission (FTC).

Tanner and Katherine cover several significant court decisions. These include a ruling from the Northern District of Texas in American Hospital Association v. Becerra, which challenged the Department of Health and Human Services' definition of individually identifiable health information. The Supreme Court's decision in Murthy v. Missouri, addressing government involvement in social media content moderation, is also discussed. Additionally, they touch on the landmark Supreme Court decision overturning the Chevron deference doctrine and its potential effect on the administrative state. (More to come on future episodes).

State-level privacy legislation is a major focus of this episode, with Tanner highlighting three new state privacy laws taking effect on July 1: the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, and the Florida Digital Bill of Rights Act. He discusses unique aspects of each law and notes Texas's aggressive approach to enforcement. The podcast also covers other state-level developments, including Florida Governor Ron DeSantis's veto of a cybersecurity safe harbor bill, Vermont's failure to pass a privacy bill, and Rhode Island's enactment of comprehensive privacy legislation.

Katherine examines New York's newly enacted child and teen online safety bills, the New York Child Data Protection Act and the Stop Addictive Feeds Exploitation (SAFE) for Kids Act. Tanner then discusses California's third CCPA settlement, involving Tilting Point Media and its mobile gaming app.

International cooperation in privacy regulation is touched upon, with Tanner noting the California Privacy Protection Agency (CPPA) signing a partnership agreement with France's data protection authority (CNIL) for joint research and information sharing.

The episode concludes with discussions on several other topics, including a lawsuit by the Arkansas Attorney General against Temu, Project Veritas challenging an Oregon privacy law before the Ninth Circuit Court of Appeals, Microsoft's blog post on "skeleton key" AI jailbreak techniques, and a brief mention of a Neiman Marcus hack.

__________________________

Questions, comments, and feedback can go to cybermatterspodcast@gmail.com, and dont forget to subscribe to the podcast and share with your network.

Thanks for joining us, and we'll see you next week!

_______________________

Links Mentioned in the show:
https://www.bakerlaw.com/insights/northern-district-of-texas-flashes-the-blue-lights-on-ocrs-pixel-guidance/