Dechert Cyber Bits - Issue 45

Dechert LLP

Articles in this issue

  • The Biden Administration Issues Executive Order on Artificial Intelligence
  • FTC Approves Amendment to the Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches
  • SolarWinds CISO Named Alongside Company in SEC Complaint for Data Breach Response
  • Counter Ransomware Initiative Members Agree to Policy Statement that Governments Should not Pay Ransoms to Cybercriminals, Other Initiatives
  • NY DFS Issues Amended Cybersecurity Regulations
  • Dechert Tidbits

The Biden Administration Issues Executive Order on Artificial Intelligence

On October 30, 2023, President Biden signed an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (the “Order”) establishing standards for artificial intelligence (“AI”) safety and security. The Order is the latest initiative by the Biden administration to establish parameters in the AI space. The Order’s requirements fall under eight principles: (1) new standards for AI safety and security; (2) protecting Americans’ privacy; (3) advancing equity and civil rights; (4) standing up for consumers, patients and students; (5) supporting workers; (6) promoting innovation and competition; (7) advancing American leadership abroad; and (8) ensuring responsible and effective government use of AI.

The Order calls on Congress to pass bipartisan data privacy legislation to protect all Americans’ privacy, particularly children’s. It also directs multiple government agencies to produce guidelines regarding the development and use of AI. For example, the Order instructs:

  • the National Institute of Standards and Technology (NIST) to establish guidelines and best practices that promote consensus industry standards for the development and deployment of safe, secure, and trustworthy AI systems;
  • the Secretary of Commerce to require companies “developing or demonstrating an intent to develop potential ‘dual-use foundation models’” (as defined in section 3 of the Order) to provide the U.S. government with detailed information regarding such models on an ongoing basis, including the results of any relevant AI red-team testing;
  • the Secretary of Homeland Security to establish an Artificial Intelligence Safety and Security Board, including AI experts from the private sector, academia, and government, to provide advice and recommendations for improving security, resilience, and incident response related to AI usage in critical infrastructure; and
  • agencies that fund life-science projects to establish, as a condition of federal funding, strong new standards to protect against the risks of using AI to engineer dangerous biological materials.

The Order also contemplates the risks of harm to consumers posed by AI. It directs the Department of Health and Human Services to establish a program to receive reports of, and act to remedy, harms or unsafe healthcare practices involving AI. It also directs the Secretary of Labor to provide clear guidance to federal contractors, among others, to keep AI algorithms from being used to exacerbate discrimination. Of particular note, the Order encourages the Federal Trade Commission to consider whether to exercise its existing authorities, including its rulemaking authority, to “ensure fair competition in the AI marketplace and to ensure that consumers and workers are protected from harms that may be enabled by the use of AI.”

Deadlines for implementing the Order’s requirements range from 30 days to 365 days from the date of the Order.

Takeaway: The Order telegraphs the Biden Administration’s concerns regarding how companies are using AI and the potential for harm to consumers. Credit should be given for taking a proactive step, though the Order does little in the way of requirements for most companies in the short term. We have been waiting for a federal privacy law for close to two decades, so we don’t expect anything soon to be passed on AI. That said, this is just the start and companies should expect continued scrutiny regarding the use of AI in all aspects of their business, including hiring, marketing, and customer service.

FTC Approves Amendment to the Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches

On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment to its Safeguards Rule under the Gramm-Leach-Bliley Act that adds a requirement to notify the FTC of certain data breaches (the “Amendment”). The Amendment applies to non-banking financial institutions within the FTC’s jurisdiction, including mortgage lenders, payday lenders, car dealerships, and collection agencies. These institutions must report any breach that constitutes a “Notification Event”: the unauthorized acquisition of unencrypted customer information, acquired without the authorization of the individual to whom the information pertains, that involves at least 500 customers. The notice must be sent to the FTC electronically through a form that will be available on the FTC’s website. The Amendment does not itself add a requirement to notify affected individuals; that obligation continues to be governed by applicable state breach-notification laws.

The notice to the FTC must include:

  1. the name and contact information of the reporting financial institution;
  2. a description of the types of information that were involved in the notification event;
  3. if it is possible to determine, the date or date range of the notification event;
  4. the number of consumers affected;
  5. a general description of the notification event; and,
  6. if applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.

Notice must be made “as soon as possible” but not later than 30 days after “discovery” of the notification event.

The FTC will make the information reported through its website available to the public. The Amendment becomes effective on May 11, 2024, which is 180 days following its publication in the Federal Register.

Takeaway: Publishing the detailed breach information that reporting companies submit to the FTC is unprecedented from a US standpoint. Some agencies, such as the U.S. Department of Health and Human Services Office for Civil Rights, and certain states, such as California, publish some of the information that companies report regarding data breaches, but that information is generally summary in nature and does not contain the detailed description the Amendment requires. In addition, the Amendment adds another layer of legal complexity for US non-banking financial institutions that experience data breaches, which already must notify various governmental entities and applicable states, each with slightly different notification triggers. Overall, the Amendment underscores the FTC’s continued interest in regulating cybersecurity, while, yet again, giving little thought to further complicating the notification landscape for companies that in most cases are victims of a crime.

SolarWinds CISO Named Alongside Company in SEC Complaint for Data Breach Response

On October 30, 2023, the Securities and Exchange Commission (“SEC”) announced charges against SolarWinds Corporation (“SolarWinds”), a software development company, and its chief information security officer (“CISO”), alleging fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities (“Complaint”). The Complaint alleges that from at least October 2018, when SolarWinds made its initial public offering, through at least December 2020, when SolarWinds announced that it was the target of a cyberattack, SolarWinds and its CISO defrauded investors by overstating the firm’s cybersecurity practices and understating or failing to disclose known risks. The Complaint also alleges that SolarWinds misled investors in SEC filings by disclosing only generic and hypothetical risks when the firm and the CISO were actually aware of specific cybersecurity practice deficiencies and the increasingly elevated risks the firm faced at the time.

The SEC alleges that SolarWinds’ public statements regarding its cybersecurity practices and risks conflicted with its internal assessments and that multiple communications among SolarWinds employees, including the CISO, questioned the firm’s ability to protect its critical assets from cyberattacks. The Complaint also claims that the CISO was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the problems or to sufficiently raise the issues within the company. Due to these failures, the SEC asserts that SolarWinds could not provide reasonable assurances that its critical assets were adequately protected.

The Complaint alleges that SolarWinds and the CISO violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 (“Exchange Act”); SolarWinds violated reporting and internal controls provisions of the Exchange Act; and the CISO aided and abetted SolarWinds’ violations. The Complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against the CISO.

Takeaway: Charges in relation to information security violations and breaches against directors and officers, including CISOs, are likely to continue. Companies will need to assess and provide appropriate support to their CISOs so they have the resources necessary to do their jobs. Companies also will want to retain counsel at the first sign of a data security incident for advice on responding to the operational and legal issues such incidents inevitably raise and to maintain attorney-client privilege. Implicating executives personally is the latest tool to be used by both the SEC and FTC in connection with cybersecurity. Unless there is specific malfeasance, this likely will serve to deter individuals from taking these jobs, out of fear that they may be a target for regulators to take a shot at with 20/20 hindsight after a major data breach. Accordingly, this may backfire and ultimately only create more risk.

Counter Ransomware Initiative Members Agree to Policy Statement that Governments Should not Pay Ransoms to Cybercriminals, Other Initiatives

The International Counter Ransomware Initiative (“CRI”) held its third annual summit in Washington, D.C. earlier this month, attended by its 50 members, including representatives from the United States, the United Kingdom, the European Union and INTERPOL.

According to a Joint Statement issued through the White House, CRI members developed “the first-ever joint CRI policy statement declaring that member governments should not pay ransoms.” In addition to the pledge not to pay ransoms:

  • a new information sharing platform will be established for the CRI’s members with the aim that as soon as a country is attacked by ransomware, it will share information so that other countries can defend themselves;
  • member governments will declare that they will help any other member government hit by a ransomware attack with incident response; and
  • the CRI will share a “blacklist of wallets” through the U.S. Department of the Treasury to track where payments are flowing, with a view to blocking or freezing those transactions.

Takeaway: The global cost of ransomware attacks was $20 billion in 2021 and it is estimated that will be around $71.5 billion by 2026. International cooperation is an important step in combatting such attacks. Government victims of ransomware attacks face a real dilemma – on the one hand, a refusal to pay a ransom puts a country at serious risk that essential service providers such as schools, hospitals and energy suppliers will be unable to function during the attack. On the other hand, as long as countries remain willing to pay ransoms, attacks will continue and perhaps become more prevalent. Of course, this does not affect the decision of private companies to pay ransom which, after weighing a number of factors, many companies choose to do.

NY DFS Issues Amended Cybersecurity Regulations

On November 1, 2023, the New York State Department of Financial Services (the “DFS”) released finalized strengthened cybersecurity regulations which amend its 2017 cybersecurity regulations (the “Amended Regulations”). The Amended Regulations apply to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York (“Covered Entity”). Covered Entities will be required to comply with the updated regulations within 180 days of the date of their adoption (i.e., by April 29, 2024) although certain requirements will take effect sooner.

The objective of the Amended Regulations is to create new rules and strengthen existing rules to protect businesses and consumers from online threats and to maintain the integrity of financial systems in the State of New York. Larger companies (“Class A companies”) are subject to enhanced requirements, while smaller companies are subject to more limited ones.

Key changes introduced by the Amended Regulations include:

  • enhanced governance requirements, such as the appointment of a chief information security officer with prescribed duties and a requirement that Class A companies audit their cybersecurity programs annually;
  • requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;
  • updated notification requirements including a new requirement to report ransomware payments within 24 hours of a ransom being paid; and
  • an updated direction to invest in at least annual training and cybersecurity awareness programs relevant to an entity’s business model and personnel.

Takeaway: The Amended Regulations continue the trend of regulators increasing compliance burdens, particularly through the new 24-hour notification requirement for extortion payments and the requirement that certain Covered Entities design and engage in independent audits of their cybersecurity programs. This is the first law to require notification of a ransom payment, turning what previously was a private decision into a public event. That element will have to be factored into a company’s decision whether or not to pay. While not all companies are subject to the Amended Regulations (and certain additions apply only to Class A companies), those that are should prepare now to comply with the new requirements and the rolling effective dates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
