Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. The rapid pace at which technology and data privacy and security regulation are evolving can make it a challenge to keep up with worldwide legal events affecting businesses’ use of personal data. The BR Privacy & Security Download keeps you up to date with the important data privacy and security-related news of the past month. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.
Privacy & Security Developments
STATE & LOCAL LAWS & REGULATION
- Virginia Consumer Data Protection Act Work Group Issues Final Report: On November 1, 2021, the Virginia Consumer Data Protection Act Work Group (“Work Group”) released its final report. The Virginia Consumer Data Protection Act (“VCDPA”) requires the Chairman of the Virginia Joint Commission on Technology and Science to set up the Work Group to review the provisions of the VCDPA and discuss issues relating to its implementation. Points of emphasis and recommendations cited by the Work Group in its final report include submitting a budget amendment to fund a small staff to lead VCDPA enforcement on day one of enactment, allowing the state Attorney General to pursue actual damages based on consumer harm, authorizing consumers to submit opt-out requests via a global opt-out setting, sunsetting the “right to cure” provisions, amending the right to delete under the VCDPA to be a right to opt out of sale to restrict further dissemination of personal data, and directing a Virginia state agency to promulgate VCDPA-related regulations. The Work Group’s recommendations will be presented to the Virginia legislature in its upcoming session and could influence potential amendments to the VCDPA ahead of its January 1, 2023, effective date.
- New York Requires Notification to Employees for Electronic Monitoring: On November 8, 2021, New York Governor Kathy Hochul signed S2628 into law, requiring employers with a place of business in New York who engage in electronic monitoring of telephone, e-mail, and internet access or usage to provide written notice upon hiring to employees subject to such electronic monitoring. The written notice must be conspicuously posted and readily available for viewing by employees and must be acknowledged by employees in writing or electronically. The New York Attorney General has enforcement authority, and violations of S2628 result in a maximum civil penalty of $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and each subsequent offense. S2628 does not apply to processes that are: (1) designed to manage the type or volume of incoming or outgoing e-mail or telephone voice mail or internet usage; (2) not targeted to monitor or intercept the e-mail or telephone voice mail or internet usage of a particular individual; and (3) performed solely for the purpose of computer system maintenance and/or protection.
FEDERAL LAWS & REGULATION
- Introduction of Protecting Sensitive Personal Data Act: On November 2, 2021, U.S. Senators Marco Rubio (R-FL) and Raphael Warnock (D-GA) introduced the Protecting Sensitive Personal Data Act, which expands the oversight authority of the U.S. Department of the Treasury’s Committee on Foreign Investment (“CFIUS”) over transactions involving sensitive personal data. Currently, there are limited circumstances in which CFIUS is able to require companies to make a mandatory declaration prior to completing a transaction. The bill would expand CFIUS’ authority to issue regulations requiring mandatory declarations for foreign investments in U.S. companies that handle sensitive personal data, which includes genetic test results, health conditions, insurance applications, financial hardship data, security clearance information, geolocation data, private e-mails, data for generating government identification, and credit report information.
- CISA Releases Operational Directive Order Requiring Federal Agencies to Remediate Cyber Vulnerabilities: On November 3, 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued Binding Operational Directive 22-01 (the “Directive”) requiring federal agencies to remediate vulnerabilities in accordance with the CISA-managed vulnerability catalog (the “Catalog”). The Catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise, and the Directive requires federal agencies to remediate listed vulnerabilities with a Common Vulnerabilities and Exposures (“CVE”) ID assigned prior to 2021 within six months and all other listed vulnerabilities within two weeks. The Directive also requires federal agencies to, by January 2, 2022, review and update agency internal vulnerability management procedures, including providing a copy of those procedures to CISA upon request. Additionally, federal agencies must report on the status of listed vulnerabilities through the Continuous Diagnostics and Mitigation (“CDM”) Federal Dashboard.
- Department of Defense Announces Cybersecurity Maturity Model Certification 2.0: The U.S. Department of Defense (“DoD”) announced the strategic direction of the Cybersecurity Maturity Model Certification (“CMMC”) program on November 4, 2021. The DoD stated that the “CMMC 2.0,” which won’t be effective until the DoD issues rules for the program, will maintain the program’s goal of safeguarding sensitive information while simplifying CMMC standards and providing clarity on requirements, focusing advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs, and increasing DoD oversight of professional and ethical standards for assessments. CMMC 2.0 seeks to reduce the compliance burden on contractors that may not hold particularly sensitive data or support high-priority programs by allowing them to conduct self-assessments and attest to their compliance with CMMC standards. While this may reduce certification burdens for contractors that are able to take advantage of self-attestation, it may not necessarily reduce compliance risk for such contractors in light of the U.S. Department of Justice’s recently announced Civil Cyber Fraud Initiative, emphasizing enforcement against contractors that “put U.S. information or systems at risk.” Accordingly, companies that may self-attest when CMMC 2.0 rules become effective should invest in appropriate processes designed to promote accurate internal cybersecurity assessments and reporting.
- Federal Banking Regulator Final Rule on Bank Incident Reporting: On November 18, 2021, the U.S. Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (“FDIC”) approved a final rule to improve the sharing of information about cyber incidents that may affect the U.S. banking system (the “Final Rule”). The Final Rule requires banks to notify their primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after they determine that a cyber incident has occurred. Notification is required for incidents that have materially affected or are reasonably likely to materially affect the viability of a bank’s operations, its ability to deliver banking products and services, or the stability of the financial sector. The Final Rule also requires a bank service provider to notify affected bank customers as soon as possible after determining it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect customers for four or more hours. Compliance with the Final Rule is required by May 1, 2022.
- Reintroduction of Online Privacy Act: On November 18, 2021, U.S. Representatives Anna Eshoo (D-CA) and Zoe Lofgren (D-CA) reintroduced the Online Privacy Act, which was previously introduced in 2019. The revised bill continues to provide individuals the rights to access, correct, and delete their personal information as well as the right to request human review of automated decisions. The revised bill additionally provides individuals the right to decide how long companies can retain their data. The revised bill also continues to provide for the creation of the Data Privacy Agency (“DPA”) to enforce the Online Privacy Act. However, the revised bill establishes an Office of Civil Rights within the DPA and authorizes state privacy regulators, such as the California Privacy Protection Agency, to enforce the Online Privacy Act alongside state attorneys general. The Online Privacy Act also sets forth obligations for companies, including but not limited to requiring companies to articulate the need for and minimize the data they collect, process, disclose, and maintain; not disclose or sell personal information without explicit consent; not use dark patterns to obtain consent; employ reasonable cybersecurity policies to protect data; and notify the DPA and affected individuals of breaches and data sharing abuses.
- Snapchat Investor Class Action Alleges Snapchat Misled on Effect of Apple Privacy Features: Investors filed a putative class action lawsuit against Snap Inc. (“Snap”) and company executives on November 11, 2021, alleging Snap “continuously downplayed and misled investors regarding the impact of Apple’s new data privacy features would have on its business.” Apple announced the features, which include providing users with the ability to opt out of certain data tracking, in June 2020 and released the features in April 2021. The suit alleges that Snap relies on user data for its advertising business and that, following the announcement of the new features, Snap made several statements in SEC filings and quarterly earnings calls that misrepresented or failed to disclose the risks and impact of the changes on Snap’s advertising business. According to the suit, it wasn’t until Snap’s third quarter 2021 10-Q filing that Snap disclosed the negative effect of the changes to investors. The lead plaintiff claims that investors were damaged by a 26 percent decrease in Snap’s share price following the disclosure.
- Robinhood Faces Class Action over Data Breach: On November 12, 2021, a class action was filed against Robinhood Markets Inc. (“Robinhood”) arising out of a data breach affecting millions of Robinhood users. The complaint alleges that the breach, which resulted from an attacker socially engineering a Robinhood customer support employee by telephone according to Robinhood regulatory filings, could have been avoided through basic security measures, authentications, and training. The suit asserts negligence, breach of contract, and misrepresentation claims, as well as claims of breach of fiduciary duty and violation of New York’s general business law.
- SolarWinds Shareholders File Derivative Suit against Company and Directors over Sunburst Attack: On November 5, 2021, a shareholder derivative suit was filed against current and former directors of SolarWinds Inc. (“SolarWinds”) claiming directors breached their fiduciary duties by failing to monitor or oversee “any aspect of the company’s known mission critical cybersecurity risks.” Specifically, the complaint alleges that directors ignored Securities and Exchange Commission and New York Stock Exchange guidelines on cybersecurity oversight and that serious cybersecurity deficiencies persisted at SolarWinds for years, including directing clients to disable firewall and other security protections on SolarWinds software, overseeing cybersecurity budget cuts, and publicly listing sensitive and high-value clients on its website. The derivative suit follows a class action filed against the company on behalf of shareholders in January 2021.
- Colorado Attorney General Settles Enforcement Action against Construction Company Relating to Data Breach: On November 8, 2021, the Colorado Attorney General’s office announced that it had settled an action against SEMA Construction (“SEMA”) alleging violation of Colorado law requiring companies to take reasonable steps to protect sensitive personal information, dispose of such information when it is no longer needed, and promptly notify Colorado residents in the event of a data breach. SEMA was the target of a phishing attack in 2018 that impacted employee e-mail accounts and the personal information of nearly 2,000 individuals stored in those accounts. The Colorado Attorney General alleged that SEMA did not have a data disposal policy in place at the time of the attack and failed to notify some individuals of the breach until nearly two years after it was discovered by SEMA. Under the settlement, SEMA will pay a $63,000 civil penalty and is required to update its security practices to maintain an incident response plan, an information security plan, and an information disposal policy, as well as regularly submit reports regarding its cybersecurity practices to the Colorado Department of Law.
INTERNATIONAL LAWS & REGULATION
- European Parliament Adopts Draft Cybersecurity Directive: On October 28, 2021, the European Parliament Committee on Industry, Research and Energy adopted a draft cybersecurity directive (“NIS 2 Directive”). The NIS 2 Directive is anticipated to replace the existing EU Directive on the Security of Network Information Systems enacted in 2017. The original directive was implemented in different ways by EU member states, fragmenting the EU’s approach to cybersecurity. The NIS 2 Directive seeks to harmonize approaches within the bloc. The NIS 2 Directive would also broaden the scope of the existing directive by expanding requirements to “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles, and digital providers in addition to “essential sectors” such as energy, transport, banking, and health. The NIS 2 Directive imposes stronger security requirements using a risk management approach, including mandating requirements for incident response, supply chain security, and encryption and vulnerability disclosure, among other things. It also establishes a framework intended to facilitate better information sharing between governmental authorities and member states to help coordinate management of large-scale cybersecurity incidents. The proposal will now be negotiated by European Parliament legislators to seek agreement on the final form of the NIS 2 Directive.
- UK Supreme Court Denies Class Action Lawsuit: On November 10, 2021, the UK Supreme Court issued a decision in Lloyd v. Google LLC denying a claim seeking billions of dollars in damages from Google through a class action alleging violations of the UK Data Protection Act of 1998 (“UK DPA”). Lead claimant Lloyd alleged on his own behalf and on behalf of a class of approximately four million iPhone users that Google’s use of browser information to track users between August 2011 and February 2012 violated the UK DPA. The Court determined that the DPA did not permit recovery of compensation for mere “loss of control” of personal data, but requires some form of material damage such as financial loss or distress. The Court further held that a representative claim should not be allowed to proceed because Lloyd was unable to demonstrate that each individual in the class had suffered a violation of their rights and material damages as a result of that violation. Rather, each class member would require an individualized assessment of the impact of the violation, the Court stated. The decision will limit such representative claims in the future and provide assurance to companies that technical breaches of UK data protection law that do not result in material damages will not support an award for damages in future claims.
- Draft Implementing Regulations for China’s Personal Information Protection Law and Data Security Law Released: On November 14, 2021, the Cyberspace Administration of China (“CAC”) released a draft of the Administrative Regulations on Network Data Security (the “Regulations”) for China’s Personal Information Protection Law and Data Security Law. Highlights of the Regulations include: (1) requiring organizations to notify affected individuals of data security incidents that cause harm within three working days and report incidents involving the personal data of more than 100,000 people to the provincial-level CAC branch within eight hours and submit a written incident report within five working days; (2) establishing a security gateway through which all data transferred out of China must pass; (3) requiring organizations to respond to data subject requests within 15 working days; (4) requiring organizations transferring personal data outside of China to submit an annual data exit assessment report to the provincial-level CAC by January 31 of each year; and (5) requiring a cybersecurity review and approval from the CAC for certain data processors, including those listed outside of Mainland China if they process personal information of more than 1,000,000 people and those listed in Hong Kong if their activities may affect national security. The Regulations are subject to comments until December 13, 2021.
- EDPB Issues Draft Guidelines on International Data Transfers: On November 18, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines on the interplay between Art. 3 and Chapter V GDPR (the “Guidelines”) to assist controllers and processors in the European Union in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers. The Guidelines specify three cumulative criteria that qualify a processing as a transfer: (1) the data exporter (a controller or processor) is subject to the GDPR for the given processing; (2) the data exporter transmits or makes available the personal data to the data importer (another controller, joint controller, or processor); and (3) the data importer is in a third country or is an international organization. The processing will be considered a transfer, regardless of whether the importer established in a third country is already subject to the GDPR under Art. 3 GDPR. However, the EDPB considers that collection of data directly from data subjects in the EU at their own initiative does not constitute a transfer. The Guidelines will be open to public comments until January 31, 2022.