Bipartisan Federal Privacy Bill Set for Committee Markup Faces Uncertain Future & Potentially Complicates CPRA, State Privacy Law Compliance
On June 21, 2022, the American Data Privacy and Protection Act (“ADPPA”) was introduced. The bipartisan measure is currently scheduled for markup by the House Energy and Commerce Committee on June 23, 2022. While initially modeled on the CCPA and similar state privacy laws, the version that was introduced more closely resembles the GDPR framework.
As currently drafted, the ADPPA would establish a national framework for protecting consumer privacy by restricting processing activities through transparency and consumer choice requirements and by imposing other obligations on “covered entities.” Covered entities include any entity or person, other than an individual acting in a “non-commercial context,” that “alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data” and is either subject to the Federal Trade Commission Act, a non-profit organization, or a common carrier. Organizations that qualify as “large data holders,” defined as covered entities that exceed certain revenue and data-processing volume thresholds, would be subject to additional obligations, while smaller organizations, defined as covered entities that fall below certain revenue and data-processing volume thresholds, would be exempted. The ADPPA explicitly states that organizations in compliance with the data privacy requirements of enumerated federal regulations, including the Health Insurance Portability and Accountability Act (“HIPAA”) and the Gramm-Leach-Bliley Act, “shall be deemed to be in compliance with the related requirements of [the ADPPA] . . . with respect to the data subject to such regulations.”
Two significant issues addressed by the bill that have stymied previous efforts are preemption and a private right of action. The ADPPA appears to offer a compromise by preempting many (but not all) state privacy laws and allowing a limited private right of action. The ADPPA would not preempt enumerated state laws, including those that govern employee privacy rights and data breach notification, and explicitly does not preempt the Illinois Biometric Information Privacy Act. The private right of action would kick in four years after the ADPPA becomes effective. To exercise the private right of action, individuals would be required to first notify the FTC and their state attorney general and could not file a lawsuit if either of those agencies decided to initiate an action.
Primary enforcement under the ADPPA would fall to a newly created FTC bureau. The ADPPA would also allow state attorneys general and chief consumer protection enforcement officers to bring civil actions in federal court on behalf of their respective states to enjoin violations of the ADPPA, enforce compliance, or obtain damages and civil penalties on behalf of state residents.
Takeaway: As goes California so goes the rest of the country. A confluence of events, including a growing number of CCPA and CCPA-influenced state privacy laws, has accelerated the push from multiple sectors for a single, federal law. The prospect of a comprehensive federal law is complicating companies’ ongoing efforts to comply with the CPRA and recently enacted state privacy laws. However, those laws and the ADPPA share core themes based on universally accepted Fair Information Privacy Principles (“FIPPS”). Accordingly, focusing on shared FIPPS-based themes should facilitate compliance strategies. Further, the ADPPA’s alignment with the GDPR could lay the foundation for more fruitful discussions with the EU on an “adequacy” finding for EU-U.S. data transfers aimed at loosening broad restrictions on those transfers. While the ADPPA appears to have garnered broader support than previous bills, notable holdouts remain and Congressional leaders may be unlikely to move the measure for a vote without unanimous party support. Congressional gridlock, the summer recess, and upcoming midterm elections also pose obstacles to passage. Nonetheless, the ADPPA has momentum and developments should be closely monitored.
SEC’s Proposed Four-day Data Breach Reporting Requirement Draws Critical Comments
Back in March, Dechert reviewed the SEC’s proposed four-business-day reporting requirement for data breaches. As proposed, public companies would need to disclose information about a cybersecurity incident within four business days after a company determines that it has experienced a “material cybersecurity incident.” Specifically, new Item 1.05 of Form 8-K would require companies to disclose: when the incident was discovered and whether it is ongoing; a brief description of the nature and scope of the incident; whether any data was stolen, altered, accessed, or used for any other unauthorized purpose; the effect of the incident on the company’s operations; and whether the incident has been remediated or the company is currently remediating the incident.
Analyzing the proposed rules, we previously noted that: (1) the four-day deadline would impose an increased burden on companies in the midst of what is likely a crisis situation; and (2) the breadth of the SEC’s proposed rules would result in a particularly active comment period.
The SEC has subsequently received more than 130 comments on the proposed rules from various industries, lobbyists, law firms, and individuals. While comments generally supported the Commission’s efforts to improve transparency regarding cybersecurity incidents, many criticized the four-day requirement as missing the mark. Some comments highlighted how the proposed rules would distract cyber first responders from focusing their full attention and resources on addressing and remediating incidents. Others noted that companies that report pursuant to the four-day deadline could alert threat actors that they have been detected, potentially hampering efforts to blunt the impacts of intrusions and causing malicious actors to expedite their activities.
Comments were also critical of the vague materiality standard, as it would place significant pressure on companies to make complex determinations on materiality during the initial stages of an incident. Companies would therefore be making reporting decisions based on limited, and potentially inaccurate, information. Relatedly, some comments noted that since SEC reports are public, companies may be overly cautious about what they disclose—particularly since statements made in public filings regarding cybersecurity are commonly cited in lawsuits filed after a data breach, either by consumers or by investors alleging that the company misled the market.
Takeaway: Time will tell whether the proposal will remain fully intact following what has been an especially active comment period. But if the rules are adopted as proposed, companies will need to ensure that their disclosure controls and procedures associated with the reporting of cyber incidents conform with the four-business-day reporting requirement. Advanced preparation and established procedures will be vital for counsel to receive adequate information to assess and comply with disclosure obligations within the required timeframe.
European Commission Issues Additional Guidance on Standard Contractual Clauses
On May 25, 2022, the European Commission (“EC”) published practical guidance on the use of Standard Contractual Clauses (“SCCs”), which follows the adoption of new SCCs last June. Companies can rely on the pre-approved SCCs for data transfers between the EU and non-EU countries that the EC considers as not offering an adequate level of data protection.
The new guidance, which the EC will update regularly, is meant to assist companies to comply with the GDPR and is based on feedback the EC received from stakeholders. The guidance includes 44 questions and answers centered around three topics:
- General questions about what SCCs are and administrative requirements. The guidance explains, for example, that SCCs can be incorporated into a commercial contract in accordance with the civil law requirements from a chosen jurisdiction, and that they must be signed by all parties to be valid. It also clarifies how additional parties may join a contract which incorporates SCCs.
- Questions about SCCs between controllers and processors. This part includes only six questions, which suggests that companies have fewer questions about how to use these SCCs. The issues addressed relate, for example, to requirements for processors to notify controllers of a data breach, and authorizations of sub-processors.
- Questions about SCCs for data transfers to non-EU countries. Of the three categories, this subject area raises the most questions. The guidance addresses a number of issues, including the changes from the SCCs that applied prior to those currently in place, and how organizations can transition to the new regime. The guidance also makes clear that SCCs may not include a general exclusion of liability, and confirms that, to avoid duplication and deviation from GDPR obligations, data importers who are themselves subject to the GDPR should not use SCCs. The guidance also provides a detailed overview of the circumstances to be taken into account when carrying out the required “transfer impact assessment,” such as the categories and format of the data or the economic sector in which the data transfer occurs.
The current SCCs were adopted in June 2021 and apply to data transfer agreements concluded after September 27, 2021. The transition period for agreements concluded before September 2021 will terminate on December 27, 2022.
Takeaway: The guidance is helpful in clarifying issues of interpretation and uncertainties related to SCCs. More questions may arise, however, especially for companies transitioning from the old to the new SCCs, and the EC may need to update its guidance soon (e.g., when the transition period ends this December).
CISA Issues Warning on Karakurt Ransomware Group
The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), FBI, Department of Treasury, and Financial Crimes Enforcement Network (“FinCEN”), recently issued a Joint Cybersecurity Advisory concerning the Karakurt data extortion group. The Karakurt Group—a branch of the prolific Conti ransomware syndicate—steals data and threatens to sell the data unless a ransom is paid in Bitcoin, usually by a one-week deadline. As is typical, the group also threatens to issue press releases naming victims who did not cooperate. Ransom demands from the group have been known to be as high as $13 million.
While stealing data, the group opts for a “living off the land” approach that makes use of tools already on the target’s system, such as a victim’s valid credentials and previously installed applications. Karakurt also makes its demands via ransom notes, which include instructions on how victims can negotiate directly via chat applications. The attacks generally do not involve encrypting the victim’s systems, but instead focus on exfiltrating data and then extorting the victim.
Upon payment, Karakurt provides some proof of file deletion and occasionally issues a brief statement explaining how the intrusion occurred. Unsurprisingly, the U.S. Government strongly discourages the payment of any ransom to Karakurt.
Takeaway: Karakurt’s attempts to compromise security tools rely on existing users’ credentials. Businesses can mitigate the threat by adhering to the National Institute of Standards and Technology password guidelines (which now recommend against requiring frequent password changes). Other mitigation suggestions include auditing user accounts and administrative privileges, consistently enforcing multi-factor authentication, and monitoring the dark web for company-related passwords.
UK Court Dismisses Claim that a Data Breach Amounts to Misuse of Private Information but Allows Data Claims from Unconfirmed Breaches to Proceed
On May 27, 2022, the UK High Court rejected a tort claim for damages brought by customers of the TV and internet provider TalkTalk for misuse of private information (“MPI”) in the case Smith vs TalkTalk Telecom Group plc. The case arises from data breaches that occurred in 2014 and 2015 for which TalkTalk had been fined by the UK data protection authority. The plaintiffs, actual and potential customers of TalkTalk, alleged that TalkTalk had taken insufficient security measures to protect their personal data, enabling unknown criminal third parties to access and use their personal data for fraudulent purposes.
The court struck out the MPI claim on the ground that failure to take data protection measures, even if it creates a situation of vulnerability (and thus enables fraud), does not amount to the tort of MPI. Referring to the precedent of Warren vs DSG Retail, the court found that the misuse of information occurred not while the data was in TalkTalk’s possession but after the criminal actors stole it and began to use it for their own purposes. Data protection breaches, the court ruled, must be decided under data protection law or as a claim for another tort such as negligence.
On the other hand, the court ruled in the plaintiffs’ favor on the issue of “unconfirmed” breaches, involving plaintiffs who suffered cyberattacks that used the personal data they had shared with TalkTalk but who could not ascertain whether that data was stolen as part of the 2014 or 2015 breaches. The court accepted the plaintiffs’ proposed inference that, because their personal data would not have been available to third-party threat actors absent a system failure at TalkTalk, if their data was not taken in the known breaches it must have been stolen as part of another, unconfirmed breach. On that basis the court allowed discovery to go forward.
Takeaway: The judgment confirms the limitations for claimants in bringing MPI tort claims in cases of third-party misuse and is in line with earlier rulings that, even if a company’s data breach facilitates fraud committed by third parties, the company itself cannot be held liable for those fraudulent acts. The case also demonstrates that discovery can be broad, burdensome, and expensive in the case of data breaches, particularly in cases where discovery in relation to unidentified breaches is allowed to proceed.
FTC Staff Weighs in on Breach Disclosure Requirements
On May 20, 2022, the Federal Trade Commission (“FTC”) staff published a blog post on cybersecurity incident breach disclosures in which the FTC staff takes the position that, in certain instances, there may be a de facto data breach notification requirement under the FTC Act, because failure to disclose a data breach may constitute an “unfair or deceptive” practice in violation of Section 5 of the FTC Act. The blog post explains that this is so because “in some instances … failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.”
Referring to past cases in which the FTC previously took this approach, the FTC staff observed that “these cases stand for the proposition that companies have legal obligations with respect to disclosing breaches, and that these disclosures should be accurate and timely.”
The blog post was authored by the FTC’s Team Chief Technology Officer and the Division of Privacy and Identity Protection. The blog post is non-binding and only represents the views of the FTC staff, not of the FTC or any specific FTC commissioner.
Takeaway: The FTC blog post is yet another step in the dangerous “piling on” trend by regulators towards “regulation by enforcement action” we have seen in the cybersecurity space. Worse, here it would be “regulation by blog post.” Each of the 50 states, as well as European regulators, among others, have clear, specific, and consumer-oriented laws as to when businesses are required to notify in the event of a data breach. The FTC’s blog post suggests that, even if the business concludes that notification is not required under state law, the FTC’s interpretation of the FTC Act may still require breach notification. While not a specific legal requirement, companies should review with their counsel whether a particular incident may fall into the category of requiring “timely, accurate, and actionable security disclosures” so as not to run afoul of Section 5 of the FTC Act, regardless of whether state data breach laws apply.