CYBER CORNER

BUSINESSES ARE SUBJECT TO CPRA COMPLIANCE EFFECTIVE IMMEDIATELY 

California Privacy Protection Agency et al. v. The Superior Court of Sacramento County, No. C099130 (Cal. Ct. App. Feb. 9, 2024).

A California appellate court recently ruled in favor of the state’s privacy protection agency (“the Agency”), holding that the California Privacy Rights Act of 2020 (“the Act”) is currently enforceable. The court rejected the argument of the state’s Chamber of Commerce (“the Chamber”) that, based upon the plain wording of the Act, the Agency was required to develop regulations for the state to administer the Act and then wait a year from the regulations being finalized to begin enforcement. The court instead agreed with the Agency, which asserted that it currently possesses the authority to enforce the Act, and has had such authority since July of 2023, the date originally specified by the Act.


The Act was designed to expand the regulatory reach of the state into various new areas of privacy, such as the right of the state’s consumers to request that businesses correct any inaccurate information in their records. The court turned to the voters’ intent when they passed the Act by referendum and reasoned that if a mandatory year-long delay from the Act’s approval to its enforcement was intended, the drafters of the Act would have made such a requirement clear. The Agency’s failure to timely approve final regulations did not alter the July 2023 enforcement date initially set forth in the Act. 


As a result, businesses that fall under the regulatory authority of the Agency are subject to enforcement of the Act effective immediately. These businesses should ensure that all data practices comply with the Act to avoid any potential violations. 

CHANGE HEALTHCARE CYBERATTACK DISRUPTS HEALTH SERVICES

On February 21, 2024, UnitedHealth Group (the “Company”) experienced a cyberattack (the “attack”) that allowed threat actors to gain access to the information technology systems of the Company’s technology unit, Change Healthcare (“Change Healthcare”). The attack led to service interruptions across the nation, impacting networks and systems used between healthcare providers and insurance companies. According to a filing with the SEC, the Company immediately isolated the impacted systems to address the attack and protect its partners and patients.


The attack has impacted more than one hundred Change Healthcare-operated services, including but not limited to benefit verification, claim processing, and claim submissions. The attack sheds light on the importance of cyber insurance policies and third-party risk management. In cyberattacks such as this, where multiple parties are connected, it is crucial for businesses to explore potential coverage for contingent business interruptions. Such interruptions are currently being incurred by clients of the services Change Healthcare operates, who are still working to bring their systems back to normal. Despite the gravity of the attack, there has been limited media coverage regarding the incident. Additionally, the Company appears to be gearing up to argue that its own liability in this attack should be limited, implying that its partners also failed to implement workarounds and to build resilience into their own incident response planning.