Kara Thompson

An all-time high of 11.6 million notices of data breaches were sent to citizens of Washington state from July 24, 2023, to July 23, 2024, beating the previous record of 6.5 million in 2021, according to an annual report from Attorney General Bob Ferguson (D) Tuesday. Businesses reported 112 of the year’s 279 breaches in the state, with communications firms sending the most notices to consumers: 3.4 million. A mega breach of Comcast was responsible for 3.1 million of them. This is the first time that the number of individual notices of breaches has exceeded the state’s population and is the highest number of citizen breaches affected. “The more people know about data breaches, the more they can protect themselves,” Ferguson said in a news release. Retail had the most data breach incidents, at 20, sending 88,000 consumers notices. A cyberattack was the most common way data breaches occurred, with 217 instances, said the report. Ten were the result of either theft or a mistake, and 52 happened when an unauthorized person accessed secure data through something like an unsecured network or left sensitive documents out on a desk. Ransom was behind 113 of the cyberattacks; malware, 31; phishing, nine; skimming -- using a malicious card reader on a payment terminal, two. “These statistics further underscore our state’s critical need for comprehensive data privacy regulation,” Ferguson said in the report. “Data breaches are symptomatic of gaps in data privacy policies and the standards and practices of every entity that collects or controls this information.”

Snap accused the New Mexico attorney general of making false allegations against the social media platform and misrepresenting its undercover investigation into the Snapchat app in a case about children’s safety and privacy. The platform said Thursday that it filed a motion to dismiss the AG’s lawsuit on Nov. 18. “Instead of working with Snap and New Mexico’s law enforcement officials on these efforts to combat bad actors,” AG Raul Torrez (D) "has chosen to work against them,” the motion said. “The result is a highly charged, headline-grabbing lawsuit founded upon gross misrepresentations of the State’s ‘investigation,’ dubious ‘evidence’ mined from the dark web, screenshots from platforms other than Snapchat, and cherry-picked references to old features that no longer exist.” Torrez filed a suit against Snap on Sept. 4 alleging that the social media app’s design features foster sextortion, sharing of child sexual abuse materials and child sexual exploitation. The New Mexico Department of Justice conducted an undercover investigation into the social media platform, including creating a decoy account of a 14-year-old. The decoy exchanged messages with dangerous accounts, several of which attempted to coerce it into sharing child sexual abuse materials. The investigation found the app’s recommendation algorithm connected Snapchat accounts that capture, circulate and sell child sexual abuse materials, as well as a network of dark websites dedicated to sharing these materials, among other allegations. In the motion to dismiss, Snap asserts that the decoy account searched for and instigated connections with the dangerous accounts, contrary to claims that they came up as algorithmic recommendations. On these and other grounds, including violations of the First Amendment and the legal liability shield Section 230 of the Communications Decency Act, Snap seeks to dismiss the lawsuit.

Congress should approve the Kids Online Safety Act, attorneys general from 31 states and the District of Columbia wrote congressional leaders Monday (see 2411180046). “While an increasingly online world has improved many aspects of our material well-being, prolific internet usage negatively impacts our children—with some studies suggesting minors spend over 5 hours daily on the internet,” the letter reads. “KOSA will establish better safeguards for minors online.” This effort comes as many AG offices have launched investigations and lawsuits against social media platforms, such as Meta and TikTok, for targeting minors. The letter lists the many ways KOSA addresses threats to children online, including having the strongest safety settings on by default, the option to disable addictive product features and algorithmic recommendations and giving parents more ways of identifying harmful behaviors and report them. “The states have been consistently acting to vigorously protect kids from online dangers using their existing consumer protection authority, and we look forward to further collaboration,” the letter said. “These changes will help create a safer online environment that reduces harm to kids.” Tennessee Attorney General Jonathan Skrmetti (R) was the letter's lead. AGs from Alabama, Colorado, Georgia, Illinois, Kentucky, Maryland, Minnesota, New York and South Carolina signed it.

Academics raised concerns Friday about who makes decisions about the accessibility for the disabled of broadband, media and websites. During a Silicon Flatirons symposium at the University of Colorado Boulder, Blake Reid, a University of Colorado Law School professor, said that while the idea of designing technology to work well for everyone by having accessibility features is good in theory, in practice it can prompt “universal designs” that don't benefit the disabled community. A disconnect exists between those making the product and users, he said. “The technologists in the room need to be the people that are using the technology,” said Reid. “We need better technologists. And we need technologists that have alignment with communities.” Said Meg Leta Jones, a Georgetown University professor, “Giving people seats at the accessibility table that aren't disabled is such an important point about why exclusions matter to power shifts in decision-making structures”: “Sometimes for people to matter, you have to exclude other people.”

Some industry groups raised concerns about proposed amendments to Colorado privacy rules concerning children and biometric data. The Colorado attorney general’s office held a rulemaking hearing Thursday to gather public comments on proposed draft amendments to the Colorado Privacy Act Rules (see 2409160036). The draft amendments, published Sept. 13, provide updated language to align with children’s and biometric privacy bills the Colorado legislature approved this year and create a process for issuing opinion letters and interpretive guidance. The proposed rules include definitions of “child” versus “minor,” as well as requirements for notifying consumers before collecting or processing biometric identifiers. Employers must also gain consent from employees before collecting and processing biometric identifiers. State Privacy and Security Coalition lobbyist Andrew Kingman said separate obligations for biometric data and biometric identifiers could be confusing. “Our comments really focus on how to simplify this so that consumers have a single notice or are directed to a single notice where all of that information can be easily comprehended,” he said during the hearing. Additionally, Kingman suggested deleting the reference to “minors” as a part of the children’s privacy policy, saying it is “impractical” to distinguish between a 22-year-old and a 17-year-old. Kingman also asked for modifications to the consent requirement in the employment context, noting that the interaction between an employer and employee differs from the interaction between consumers and controllers. Phoebe Blessing, manager of public policy with the Colorado Hospital Association, also recommended an exception to the new biometric collection amendments on employees, such as when employers use employees' biometric information for authentication purposes. “For example, many of our hospitals require the use of fingerprints to access medication cabinets and dispense drugs,” Blessing said. She also recommended an exception for when healthcare providers use a patient’s biometric information in relation to the treatment process. Several other citizens spoke at the hearing about concerns for privacy but lacked specific input regarding the proposed amendments. The AG office also posted written comments that were due later Thursday night.