Dechert Cyber Bits - Issue 9

Dechert LLP
CISA/FBI Urge U.S. Companies to Take Steps to Reduce Security Risks Due to Heightened Risk of Russian Retaliation for Ukraine-Related Sanctions

The U.S. and many other nations recently imposed unprecedented sanctions on Russia in response to Russia’s military action in Ukraine. More details about some of these sanctions can be found in Dechert’s related OnPoint available here. To prepare for the risk of Russian retaliation, the U.S. Cybersecurity & Infrastructure Security Agency (“CISA”) and the Federal Bureau of Investigation (“FBI”) are now urging companies to take steps to reduce cybersecurity risks.

Jen Easterly, the Director of CISA, has warned that threats can “manifest quickly” from both state and non-state actors. As part of their mission to mitigate and respond to cyber threats, CISA and the FBI are emphasizing their “Shields Up” campaign to encourage businesses to “adopt a heightened posture” regarding cybersecurity, including by:

  • Reducing the likelihood the business will suffer a damaging cyber intrusion (e.g., validating remote access to a business’ networks, updating systems/software, disabling non-essential ports and protocols, and ensuring any cloud storage is properly secured and monitored)
  • Taking steps to quickly detect a potential intrusion into the business (e.g., ensuring that IT personnel monitor and evaluate any unusual network behavior)
  • Ensuring that the business is prepared to respond if an intrusion occurs (e.g., designating a crisis-response team, ensuring that key personnel are aware of their roles in the event of an incident)
  • Maximizing the business’s resilience to a destructive cyber incident (e.g., testing and isolating backup systems)

In addition to the preventative measures listed above, CISA and the FBI are also encouraging businesses to report any known incidents or anomalous activity.

Takeaway:

  • Heightened diligence and compliance with industry-standard practices are the most effective means of preventing and mitigating cyber threats. Implementing best practices such as multi-factor authentication, timely patching, segregating data, limiting administrative domain access and ongoing education of employees about phishing and physical security risks is imperative in these times.
  • Businesses need to continue to have robust systems in place to both proactively assess risks and to be able to react to incidents quickly and efficiently. Businesses must also carefully assess internal and external risks—many external threats still rely on the accidental (or purposeful) assistance of “insiders” (internal personnel).
  • In light of the ongoing sanctions against Russia, cybersecurity incidents are likely to increase. In addition to the national security risks posed by these attacks, businesses also still face litigation and reputational risks.

_____________________________________________________

EDPB Letter to the European Commissioner for Justice on Adapting Liability Rules to the Digital Age and Artificial Intelligence (AI)

On February 22, 2022, Andrea Jelinek, the Chair of the European Data Protection Board (“EDPB”), sent a letter to the European Commissioner for Justice on adapting the Product Liability Directive (85/374/EEC) (“the Directive”) to the challenges posed by the digital age and AI systems. The Proposed EU Regulation on Artificial Intelligence calls for aligning the Directive with the conformity assessment provisions for high-risk artificial intelligence (AI) (for more information please see our previous OnPoint). Publication of the draft revised Directive is anticipated in the third quarter of 2022.

The letter was prepared in response to the European Commission’s (“the Commission”) initiative “Adapting liability rules to the digital age and circular economy,” which included a public consultation that concluded in January 2022. The Commission’s initiative has two objectives: (1) to modernize liability rules to take account of the characteristics and risks associated with recent technology and new digital and circular business models; and (2) to reduce obstacles to being awarded compensation.

The EDPB letter makes the following key points (some of which reiterate recommendations made in the EDPB-EDPS (European Data Protection Supervisor) Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (Artificial Intelligence Act), June 18, 2021):

  • the revised Directive should be consistent with and complement EU data protection laws;
  • the liability regime should be strengthened for providers of AI systems designed to secure the processing of personal data, so that the systems can be relied upon;
  • there should be transparency for the end user with regard to the use and operation of AI;
  • providers of AI systems should be responsible for providing users with tools to mitigate against known and new types of attack and for security by design throughout the entire lifecycle of the AI (particularly where the AI system is used as a security measure for personal data processing);
  • the AI system should be accompanied by sufficient information to enable the data controller to understand the cause of a system failure and prevent it in a timely manner (particularly in the event of a data breach);
  • those affected by a system failure should be afforded an effective legal remedy; and
  • since inaccurate data and unfair algorithmic decisions can have a negative impact on individuals’ rights and freedoms, and cause damage and economic loss, it is essential that an assessment as to the fairness and impact of algorithmic decisions plays a key part in the new Directive.

Takeaway: It remains to be seen whether there is a consensus among members of the Commission to adopt the industry views on the Directive submitted during the recent consultation and, if not, whether there is an appetite to hammer out a compromise between conflicting industry and consumer advocates’ positions while still achieving the Commission’s objectives and those of the EDPB and European Parliament.

_____________________________________________________

California Lawmaker Introduces BIPA-Style Biometric Privacy Law

On February 17, 2022, California State Senator Bob Wieckowski introduced bill SB1189, which would require businesses to provide notice and obtain consent to process a California resident’s biometric information and would subject violators to a private right of action. SB1189 largely mirrors Illinois’ Biometric Information Privacy Act (“BIPA”) and is intended to expand upon the protections already afforded by the California Consumer Privacy Act (“CCPA”) enacted in 2020 and the California Privacy Rights Act (“CPRA”), which becomes effective in 2023.

SB1189 would broadly prohibit any “private entity” from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s biometric information unless the biometric information is required (i) to provide a service requested or authorized by the individual to whom the information relates or (ii) for a valid “business purpose” (as defined by the CCPA). The entity would need to provide notice to, and obtain consent from, the individual (or their representative) to process the biometric information. Companies would also generally need to obtain a written release to disclose biometric information (subject to certain exceptions) and make available a written policy outlining a retention schedule and guidelines for “permanently destroying” biometric information.

SB1189 provides a private right of action and entitles plaintiffs to pursue statutory damages between $100 and $1,000 per violation per day, actual damages, punitive damages, attorneys’ fees and costs, and “any other relief” such as injunctive or equitable remedies. A notable difference between SB1189 and BIPA is that SB1189’s penalties accrue on a per-violation and per-day basis. BIPA, by contrast, only provides penalties “for each violation.”

SB1189 expressly notes that it “does not . . . [c]onflict with the Gramm-Leach-Bliley Act” (“GLBA”). Regardless, the GLBA’s preemption provisions would apply to the extent SB1189 is inconsistent with the GLBA.

The text of SB1189 can be found here.

Takeaway: SB1189’s provisions closely mirror BIPA. Therefore, if enacted, SB1189 is likely to result in an uptick in California class actions, especially in light of its extended scope to a broader range of “private entities.” It remains to be seen if those actions will be primarily dominated by employees claiming violations of the law or if there will be broader consumer litigation. As SB1189 moves through the legislative process, businesses should closely track developments. In particular, financial institutions subject to the GLBA - which are exempt from BIPA - will want to monitor SB1189 and assess its applicability to their information collection practices.

_____________________________________________________

The Data Act: Commission Proposes Measures for a Fair and Innovative Data Economy

The Commission published its draft Data Act on February 23, 2022. It aims to give consumers and companies more control over what can be done with their data (including non-personal data) and to provide clarification on who can access data and on what terms. The Data Act is the second legislative initiative resulting from the European Strategy for Data and is designed to complement the Data Governance Regulation proposed in November 2020.

The Data Act is broad in scope and some of its key objectives are as follows:

  • to put safeguards in place against the unlawful international transfer of and government access to non-personal data;
  • to allow customers to switch between different cloud data-processing service providers more easily;
  • to provide protection to SMEs (which are exempt from certain of the obligations in the Data Act) by preventing abuse of contractual imbalances in data sharing contracts; and
  • to give public sector bodies the means to access and use data held by the private sector where necessary in exceptional circumstances, particularly in the case of a public emergency.

The European Commission’s aim is that the Data Act should unlock the economic and social potential of data and technologies in line with EU rules and values, creating a single market that allows data to flow freely within the EU for the benefit of businesses and wider society. The volume of data is constantly growing and represents untapped potential: it is estimated that 80 percent of industrial data is never used. It is hoped that if consumers and businesses are able to access and have more information about their data, they will be able to make better decisions, for example buying higher quality or more sustainable products and services. Furthermore, businesses will have more data available to them and will benefit from a competitive data market; for example, aftermarket service providers will be able to offer more personalized services, and data can be combined to develop completely new digital services.

The Data Act is likely to undergo amendments before entering into force, which is expected to be during 2022, and it will need to be implemented by member states within 12 months from that date.

Takeaway: If enacted, the Data Act will inevitably lead to additional challenges and burdens in some areas, particularly with regard to international data transfers, which will require conditions to be put in place similar to those for transfers of personal data under the General Data Protection Regulation (e.g., binding corporate rules or Standard Contractual Clauses). However, for forward-thinking organizations, it could also bring significant benefits and opportunities, giving them more control over their data and enabling them to maximize its potential benefits. Companies should continue to monitor developments so as to have maximum time to prepare.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
