2024 was a year chock-full of data breaches and privacy violations. Many new data privacy and cybersecurity regulations were introduced (and became effective), and regulators sent a strong message to businesses that privacy must be at the forefront of their strategy and goals and that robust security controls are required to protect employee and consumer personal information. Plaintiffs also sent a strong message to businesses that breaches will likely result in class action lawsuits.

This year, financial settlements with regulators and data breach victims were particularly prominent. Here are the top data protection fines and settlements in the U.S. last year, according to Infosecurity’s 2024 report:

  • Meta’s $1.4 billion settlement with the Texas Attorney General for unlawful collection of biometric data in violation of the Texas Capture or Use of Biometric Identifier Act and The Deceptive Trade Practices Act (largest ever privacy settlement in the U.S.).
  • Lehigh Valley Health Network’s $65 million class action settlement after a data breach involving 600 patients and employees (the accessed data included addresses, email addresses, dates of birth, Social Security numbers, and passport information, as well as various medical data and some nude photos) (the largest settlement on a per-patient basis for a healthcare ransomware breach case).
  • Marriott’s $52 million settlement with 50 U.S. states related to a multi-year data breach that affected over 131 million users of the Starwood guest reservation database (allegations were related to failure to comply with consumer protection laws, privacy laws, and data security standards).
  • 23andMe’s $30 million settlement agreement resulting from a class action against it for a data breach affecting ancestry data (these accounts were not protected by multi-factor authentication; 23andMe denied any wrongdoing in the settlement agreement and contends that the breach was a result of users’ reusing credentials across multiple websites).
  • T-Mobile’s $15.75 million settlement with the Federal Communications Commission (FCC) for several security incidents (2021, 2022, and 2023) that resulted in millions of consumers’ personal data being accessed by cyber criminals (T-Mobile also has to invest the same amount, $15.75 million, to update its cybersecurity practices and safeguards).
  • AT&T’s $13 million FCC settlement over its supply chain breach which led to cyber criminals’ exfiltration of customer personal information (AT&T agreed to update its data governance and supply chain integrity practices).

As we head into the new year, the landscape of data privacy laws in the U.S. will continue to change. Eight new consumer privacy laws will become effective throughout the year, and companies should be prepared for more rulemaking that could expand compliance obligations and enforcement.

American Addiction Centers Inc. faces a class action in the Middle District of Tennessee for allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect patient data from cyber criminals.

In September 2024, American Addiction Centers suffered a cyber-attack that led to unauthorized access to sensitive personal information and protected health information of over 420,000 individuals. The information included names, Social Security numbers, addresses, telephone numbers, dates of birth, medical information, and health insurance information. The regulatory and individual notifications were provided on or about December 23, 2024; the class action was filed only a few days later.

The class members allege that they face the threat of identity theft and misuse of their data by cyber criminals. The lawsuit includes claims of negligence, unjust enrichment, and breach of implied contract, as well as monetary and injunctive relief.

CyberArk, an identity security provider, has issued a new report on employee risk that is a must-read for IT professionals and executives. The report highlights several findings that are directly related to the risks employees pose to an organization. These risks include:

  • A majority of employees have access to sensitive information;
  • Employees commonly reuse passwords;
  • A majority of employees bypass cybersecurity policies;
  • AI adoption is creating more security challenges.

The statistics in the report are rather staggering:

  • 60% of employees admitted to using a personal device to access work-related information.
  • 45% of employees admitted that they “had” to share a work password with a colleague for legitimate reasons.
  • 43% logged into public Wi-Fi on a work device.
  • 42% admitted to being bombarded with so many authentication requests that they just click “accept.”
  • 40% used a colleague’s work device for their own work.
  • 35% received and clicked on links in a phishing email.
  • 34% lost a personal device.
  • 25% lost a work device.

One conclusion of the report is that “busy employees often prioritize productivity over security.” As employees, we are all responsible for protecting the data we access for work purposes. One click could compromise our company’s data. We are all inundated with numerous tasks while simultaneously flooded with vast amounts of data. It is essential to understand that our companies have implemented cybersecurity measures to protect our data, and to protect us from compromising it. Respect the measures your employer has implemented, don’t try to get around them, and embrace solid cybersecurity hygiene in the new year.

According to Cyberscoop, the cyber gang Cl0p “has claimed responsibility for attacks tied to vulnerabilities in software made by Cleo, an Illinois-based IT company that sells various types of enterprise software.” The gang claimed responsibility for the attacks on its website. The vulnerabilities affect Cleo’s products LexiCom, VLTrader, and Harmony. Cleo reportedly services approximately 4,200 organizations. You may remember that Cl0p claimed responsibility for the MOVEit incident in 2023 and, before that, the Accellion incident. Both of these previous incidents affected numerous companies.

The exploitation was identified by Huntress Labs. The flaw, CVE-2024-50623, “is an unrestricted file upload and download vulnerability that could lead to remote code execution.”

Cleo has released multiple patches for the CVE, including one last week to fix the issue.

Rapid7 has noted an uptick in compromised endpoints in the consumer products, food, and shipping industries. Rapid7 has provided mitigation guidance, including “updating to the latest version of affected products immediately.” Sound guidance.

If your company uses Cleo’s LexiCom, VLTrader, or Harmony products, follow the guidance and apply the patches Cleo has provided.

The United States Supreme Court announced on December 18, 2024, that it will hear the TikTok ban case and has scheduled oral arguments for January 10, 2025, before the ban’s January 19, 2025 effective date.

The case stems from a bipartisan law signed by President Biden that required ByteDance, the China-based parent of the app TikTok, to divest from the app or face a ban in the U.S. because it poses a threat to national security. Beyond the national security concerns, numerous states have filed suit against TikTok alleging that the app has caused a mental health crisis for youth in the U.S. Forbes has reported on “numerous concerns involving the company, including TikTok spying on journalists, promoting Chinese propaganda criticizing U.S. politicians, mishandling user data, and tracking ‘sensitive words.’”

ByteDance sought emergency relief from the U.S. Supreme Court following a lower federal court’s decision that the ban does not violate TikTok’s First Amendment rights. The district court judge held that if Chinese-owned ByteDance divests from TikTok, the app will be available to users in the U.S. ByteDance sought emergency relief from the federal circuit court but was denied on December 13, 2024.

The Supreme Court will consider whether the law banning TikTok from the U.S. violates the First Amendment. It is mind-boggling that the Chinese government (which backs ByteDance and is one of the U.S.’s primary cyber adversaries actively engaged in cyber warfare against us) can actually allege it has First Amendment rights in the U.S. Since when can a cyber enemy use our court system to advocate for using spyware against our children? We will be watching the case carefully.

After the conclusion of the public comment period earlier this month, the Colorado Department of Law adopted amendments to the Colorado Privacy Act (CPA). The Act grants rights to Colorado consumers concerning their personal information, including the right to access, delete, and correct their personal data as well as the right to opt out of the sale of their personal data or its use for targeted advertising or certain kinds of profiling.

The amendments include:

  • Requirements for data controllers (which includes employers) that collect biometrics to provide pre-collection notice to individuals;
  • Specific guidelines on employers’ collection of biometric data, including retention requirements and deletion requirements;
  • Requirement that data controllers obtain consent from any consumer under the age of 18 before the data controller can process personal information; and,
  • New methods for businesses to contact the Colorado Attorney General for guidance on regulatory compliance.

The amendments also include some implementation-friendly clarifications, such as:

  • The required biometric data collection notice can be included in a business’ general privacy notice;
  • Consent for processing the personal information of a minor is only required if the data controller “actually knows or willfully disregards” facts indicating that the consumer is under 18 years of age;
  • Allowing employers to “refresh” consent to collect biometric data (in certain limited circumstances);
  • Attorney-client privilege is not waived when seeking an opinion letter from the Colorado Attorney General after submitting a data protection assessment; and,
  • Data protection assessments submitted to the Colorado Attorney General are exempt from public inspection under the Colorado Open Records Act.

The amendments will become effective 30 days after they are published in the state register. Given this short period, businesses subject to the CPA should start preparing for compliance now.

This week, Director Shira Perlmutter indicated that the publication of part two of the U.S. Copyright Office’s three-part report on copyright issues raised by artificial intelligence (AI) would be further delayed. In her letter to the ranking members of the Senate Subcommittee on Intellectual Property and the House Subcommittee on Courts, Intellectual Property, and the Internet, Director Perlmutter indicated that although substantial progress had been made, the Office will not publish part two by the end of 2024 and now expects publication to occur in early 2025.

Part two of the report will describe the copyrightability of generative AI outputs and will build on part one of the report on digital replicas. Following the publication of part two, Director Perlmutter indicated that the third and final part would be published in the first quarter of 2025. Part three will relate to “analyzing the legal issues related to the ingestion of copyrighted works to train AI models, including licensing considerations and the allocation of potential liability.”

Scammers prey on us at our most vulnerable. Although some of us are early holiday shoppers, others wait until the last minute. Scammers know this and are lurking to find late shoppers scrambling for gifts. Many late shoppers feel a bit desperate, so they are at risk of falling for scams that divert them to fake websites.

These fake websites offer last-minute deals that are too good to be true—even better than Cyber Monday deals.

Don’t be fooled. According to the FTC, there are numerous fake shopping websites. It provides helpful tips on identifying and avoiding getting scammed by them. For instance, “Unusually low prices are a sign of a scam. Don’t click on ads that advertise a product at a very low price when you know it’s usually a very expensive item. Clicking the link in the ad could take you to a scammy site that takes your money and sends you something that looks totally different from what was advertised…or send you nothing at all.” In addition, the FTC recommends:

To protect yourself while shopping online:

  • Do some research. Especially before you buy from an unfamiliar seller, search online for the name of the seller plus words like “review,” “complaint,” or “scam.” See what others say about their experience with the seller.
  • Check the terms of the sale. Look at the price, other charges, their refund policy, who pays for return shipping, and if there’s a restocking fee.
  • Pay by credit card whenever possible. Credit cards offer more protection and allow you to dispute charges if what you get isn’t what you ordered or if you get nothing at all.
  • Never buy from online sellers who demand you pay with gift cards, wire transfers, payment apps, or cryptocurrency. Only scammers tell you to pay that way.

Safe shopping and happy holidays to everyone!

In a highly anticipated decision on an issue facing courts across the country, the Massachusetts Supreme Judicial Court held in late October that Massachusetts hospitals’ use of online tracking technologies that collect and transmit browsing activities of website visitors does not violate the Massachusetts Wiretap Law.

The Court determined that online interactions between visitors and the hospitals’ websites did not unambiguously qualify as a “wire communication” subject to the wiretap law, and therefore, the hospitals merited the benefit of the doubt under the “rule of lenity.” The Court accordingly reversed the trial court’s denial of the hospital-defendants’ motions to dismiss the complaints.

The case was brought as a class action alleging that two Massachusetts hospitals violated the Massachusetts Wiretap Law by “aiding… third-party software providers” in unlawfully intercepting communications involving the individuals. The communications in the complaint were the browsing activities of each individual on the hospitals’ websites, including obtaining information about specific doctors and conditions, as well as accessing medical records through a patient portal. The plaintiffs alleged that the hospitals’ collection of information on website users (such as URLs, IP addresses, and device characteristics) and third-party tracking software to monitor user activities on the websites constituted impermissible interceptions under the Massachusetts Wiretap Law. The plaintiffs sought civil remedies under that law. Notably, the allegations mirrored similar actions brought against other hospitals in Massachusetts (under the same state law) and hospitals in different states (often under those states’ analogous wiretap laws).

The Court undertook a statutory construction analysis of the specific terms in the Massachusetts Wiretap Law. It concluded that the interactions between a user and the website were not unambiguously “communications” as contemplated by the wiretap law (e.g., person-to-person communications). The Court observed that when visiting a website, the “user is not communicating with another person but instead interfacing with pre-generated information on a website” and that a website visitor is not “engaging in a conversation but accessing published information and databases.” The Court noted that although the Wiretap Law dates to 1968, long before the internet age, it contains a “forward-looking mandate” concerning its applicability to new technologies, citing a 2013 decision affirming the applicability to cell phone calls and text messages. However, the Court was unwilling to expose the hospitals to potential civil and criminal penalties for “activities that do not capture such person-to-person communications or messaging” because “the text of the wiretap act is inconclusive at best as to whether website browsing is a ‘communication’ protected by the act.”

The decision has been welcomed by hospitals and health care organizations in Massachusetts, many of which have litigated similar allegations under the same state law – while also seeking to align with changing federal guidance on tracking technologies – for several years. Nonetheless, health care organizations should strongly consider the use and disclosures associated with website tracking technologies, since the Court acknowledged the alleged conduct “raises serious concerns” and could potentially “violate various other statutes and give rise to common-law causes of action” involving the protection of confidential medical information. Moreover, the decision included a lengthy dissent from one judge, who strongly disputed the majority holding and criticized the hospitals’ activities.

This post is also being shared on our Health Law Diagnosis blog. If you’re interested in getting updates on developments affecting health information privacy and HIPAA-related topics, we invite you to subscribe to the blog.

My home state of Rhode Island may be the smallest in the union, but it has taken on a significant initiative implementing the Protective Domain Name Service (PDNS) in all 64 public school districts. PDNS, an initiative launched by the White House Office of the National Cyber Director, assists K-12 schools with preventing “ransomware and other cyber attacks by preventing computer systems from connecting to harmful websites and other dangerous areas of the internet without the user having to take any action.” Rhode Island is the first state to agree to implement PDNS statewide. Rhode Island public schools serve approximately 136,000 students.
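To make concrete what a protective resolver actually does when a school device looks up a name, here is an added illustration of the PDNS policy step (it is not code from the Rhode Island program, CIS/MS-ISAC, or any PDNS vendor; the blocklist, sinkhole address, upstream answers and queries are constructed sample data):

```python
"""Minimal Protective DNS (PDNS) policy engine, written as an illustration of how a
protective resolver keeps devices from reaching known-harmful domains without any
action by the user. Not code from any real PDNS provider; all data is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample blocklist. A real PDNS feed is far larger and refreshed continuously.
BLOCKLIST = {
    "malware-download.example",   # assumed malware distribution domain
    "ransom-c2.example",          # assumed ransomware command-and-control domain
    "phish.example",              # assumed credential-phishing domain
}

# Address returned instead of the real answer (RFC 5737 documentation range).
SINKHOLE = "192.0.2.1"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """Check the query and each parent domain on label boundaries, so that
    'cdn.phish.example' is caught by a 'phish.example' entry while
    'notphish.example' is not. A bare top-level label is never matched."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


@dataclass
class Resolution:
    qname: str
    action: str   # "allow" or "block"
    answer: str   # real address, sinkhole address, or NXDOMAIN


def resolve(qname: str, upstream: dict, blocklist=BLOCKLIST) -> Resolution:
    """Policy decision made before the recursive lookup; `upstream` is a constructed
    stand-in for the real recursive resolver's answers."""
    name = normalize(qname)
    if is_blocked(name, blocklist):
        return Resolution(name, "block", SINKHOLE)
    return Resolution(name, "allow", upstream.get(name, "NXDOMAIN"))


def log_line(client_ip: str, r: Resolution) -> str:
    """Structured log entry; blocked lookups are the signal a district's IT staff
    or the MS-ISAC would review for signs of infected devices."""
    ipaddress.ip_address(client_ip)  # reject malformed client addresses early
    return f"client={client_ip} qname={r.qname} action={r.action} answer={r.answer}"


# Constructed upstream answers (RFC 5737 documentation addresses).
UPSTREAM = {"school-portal.example": "198.51.100.10", "ransom-c2.example": "203.0.113.7"}

if __name__ == "__main__":
    for client, q in [("10.0.5.23", "school-portal.example."),
                      ("10.0.5.23", "Update.Ransom-C2.EXAMPLE"),
                      ("10.0.7.4", "notphish.example")]:
        print(log_line(client, resolve(q, UPSTREAM)))
```

The second query shows the point of the service: an infected laptop trying to reach a command-and-control host gets the sinkhole address instead of the real one, and the block is logged for follow-up.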

White House National Cyber Director Harry Coker, Jr. announced in Rhode Island on Monday, December 9, 2024, that all 64 school districts across the state pledged to implement PDNS. According to Coker, “Today, Rhode Island is stepping up to lead the way taking advantage of these free federal resources on behalf of every public school district in the state. The partnership at the federal, state and local level exemplify a collaboration committed to keeping students, teachers, administrators and their data safe from evolving cyber threats.”

Rhode Island public schools will use PDNS “with support from the Multi-State Information Sharing and Analysis Center, operated by the Upstate New York nonprofit Center for Internet Security.”

If interested, schools can sign up for PDNS through service providers, including the Federal government-funded Multi-State Information Sharing and Analysis Center, some state governments, and regional Educational Service Agencies.

Rhode Island has taken the initiative to assist all public school districts throughout the state at a time when school districts are getting hammered by cyber attacks. Other states should look at what mighty Little Rhody is doing to assist its schools and use it as an example to start their own statewide program.—Linn Foster Freedman