Selected Developments in U.S. Law
Fifth Circuit Decision Raises Cyber Enforcement Complications for the U.S. Department of Health and Human Services
As the Biden Administration begins detailing its regulatory and enforcement priorities, it faces a new challenge on the health data privacy and security front. In University of Texas M.D. Anderson Cancer Center v. United States Department of Health and Human Services, the Fifth Circuit vacated a $4.3 million penalty against a covered entity, limited the U.S. Department of Health and Human Services’ (HHS) interpretation of two key data privacy and security regulations, and required the agency to consider penalties assessed against other similarly situated covered entities when issuing new penalties for regulatory violations. As the summary of key points from the decision makes clear, the opinion is a “win” for the concept of reasonable security, rather than perfect security, and new or revised Health Insurance Portability and Accountability Act (HIPAA) regulations might be forthcoming from the new Administration in response.
Managing a Cyber Crisis: 7 Practical Tips to Recover with Strength
Cybersecurity incidents – including second wave attacks – are on the rise. Our Privacy, Cyber & Data Strategy Team outlines seven tips for managing a cybersecurity incident – and recovering with strength.
Virginia Ready to Pass First State Privacy Statute after CCPA
Both houses of Virginia’s legislature passed the Virginia Consumer Data Protection Act (VCDPA). If approved by the governor, the VCDPA would become the United States’ second comprehensive state privacy law after the California Consumer Privacy Act (CCPA).
U.S. Takes Part in Multinational Efforts to Disrupt Netwalker Ransomware and Emotet Malware
On January 27 and 28, 2021, the U.S. Department of Justice (DOJ) announced two successful operations to disrupt two different strains of malware, Netwalker ransomware and a banking Trojan known as Emotet, which have affected victims around the globe and caused millions of dollars in damage in recent years.
New Law Requires HHS to Consider Recognized Security Practices as Mitigating Factor When Determining Penalties
On January 5, 2021, the President signed into law H.R. 7898, an Act that amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Secretary of HHS to consider specific recognized security practices of covered entities and business associates when making certain determinations regarding fines, penalties, and other remedies related to HIPAA violations, as well as determinations relating to the length and extent of HITECH audits.
Federal Court Rules Cyber Forensic Report Is Not Protected Under Attorney-Client Privilege or Work Product Doctrine
On January 12, 2021, Judge James E. Boasberg (D.D.C.) ruled that a forensic report prepared for outside counsel following a cyber incident investigation was not protected under either attorney-client privilege or the work product doctrine. The investigation in question was run by outside counsel, and the security firm had been retained by the same. This decision is the latest in a line of cases suggesting that cybersecurity forensic reports may not receive work product protection, but it goes further than the other cases by finding that the forensics report was not protected as a matter of law by the attorney-client privilege.
Financial Regulatory Agencies Announce Proposed Rule Requiring Notice of Computer Security Incidents
On December 18, 2020, federal financial regulatory agencies jointly announced a proposed rule that would impose new and expanded reporting requirements on supervised banking organizations that experience a “computer-security incident,” requiring notice within 36 hours of any computer-security incident that rises to the level of a “notification incident.” In a significant departure from current reporting requirements for financial institutions that experience a security incident, the proposed rule would broadly require notification of any incident that could impair an organization’s ability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector, regardless of the type or quantity of information affected.
SolarWinds Hack: Unparalleled Supply Chain Attack Results in Potential Compromise of Private and Public Sector Organizations
On December 13, 2020, SolarWinds announced that it had learned of a “highly sophisticated, manual supply chain attack” by a nation-state affecting its Orion Platform, which is used by a wide variety of public and private sector organizations for IT infrastructure monitoring and management. In this attack, adversaries were able to compromise the Orion software build system for certain versions of the software, and trojanized software updates were distributed to customers between March and June 2020. According to SolarWinds, this attack may have affected as many as 18,000 customers.
Peter Swire Testifies on Future of Transatlantic Data Flows
Senior counsel Peter Swire, Elizabeth and Tommy Holder Chair of Law and Ethics at the Georgia Tech Scheller College of Business and research director of the Cross-Border Data Forum, recently testified before the U.S. Senate Committee on Commerce, Science, & Transportation on the invalidation of the EU-U.S. Privacy Shield and the future of transatlantic data flows. His written statement and a recording of the webcast (including his testimony as well as the testimony of other witnesses) are available via this blog post.
California Attorney General Proposes Regulatory Changes to the California Consumer Privacy Act
On December 10, 2020, the California attorney general’s office provided “Notice of Fourth Set of Modifications” to regulations under the CCPA. The new proposed regulatory text would modify the current regulations that took effect in August. The latest proposal responds to comments on a prior draft and primarily addresses the presentation of the right to opt out of sales of personal data. The California attorney general has provided a webpage with full details on this latest rulemaking effort.
Alston & Bird Attorneys Propose Assessing Data Portability in Antitrust Context
In the November 2020 edition of the Competition Policy International Antitrust Chronicle, Peter Swire and partner John Snyder discussed ways to utilize the Portability and Other Required Transfers Impact Assessment (PORT-IA) in the context of antitrust law. The PORT-IA is a structured set of questions based on case studies of historical mandates in a range of industries that Swire proposed to assist in the evaluation of data portability and interoperability proposals and, ultimately, in making informed policy and enforcement decisions. Swire was recently a key speaker on this topic at the FTC Workshop on Data Portability.
The EDPB-EDPS Joint Opinion on Data Processing Standard Contractual Clauses: Key Takeaways
When a controller engages a processor, the European Union’s (EU) General Data Protection Regulation (GDPR) requires that the parties enter into a specific contract that contains certain mandatory provisions. This contract is often referred to as a “data processing agreement” (DPA). To facilitate compliance with this requirement, the GDPR has provided the European Commission with the power to issue standard contractual clauses (SCCs), which essentially constitute a template DPA, the idea being that if controllers and processors implement SCCs, they have entered into a DPA that complies with the EU’s GDPR. The data processing SCCs should not be confused with the European Commission’s standard contractual clauses for data transfers outside the European Economic Area (EEA), which serve a different purpose.
Brexit Trade Agreement Provides a Temporary Solution for Companies Transferring Personal Data from the EEA to the UK
On December 24, 2020, the EU and the United Kingdom reached an agreement on the terms of their future cooperation following the end of the Brexit Transition Period (i.e., following December 31, 2020). The EU-UK Trade and Cooperation Agreement contains a temporary solution for companies transferring personal data from the EEA to the UK, in the form of an extended period when personal data may freely flow from the EEA to the UK. During this extended free-flow period, companies will not need to put in place data transfer mechanisms – such as SCCs – or rely on the derogations in Article 49 of the EU’s GDPR to legitimize such data flows. In principle, the extended free-flow period will last no longer than six months.
UK ICO Publishes New Data Sharing Code
On December 17, 2020, the UK’s Information Commissioner’s Office (ICO) published its Data Sharing Code of Practice following a public consultation that commenced in 2019. The Code mainly focuses on data sharing among data controllers that are subject to the EU’s GDPR and the UK Data Protection Act of 2018. Data controllers falling within the scope of the ICO’s enforcement powers should take the Code into account when sharing personal data because it will help them comply with their data protection obligations.
French Data Protection Regulator Fines Google and Amazon for Noncompliance with EU Cookie Rules
On December 7, 2020, the French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL) imposed substantive fines on Amazon and Google for allegedly placing advertising cookies on the computers of users in France without prior consent or providing adequate information. Amazon Europe Core was fined €35 million, and Google LLC and Google Ireland Limited received a total fine of €100 million. In determining the level of these fines, the CNIL took account of the seriousness of the alleged violations, the number of users affected, and the companies’ advertising revenues indirectly generated from the data collected via advertising cookies.
Brexit and Data Protection: What You Need to Know
With the end of the Brexit transition period around the corner, companies doing business in the EU and UK must prepare for data protection change – and not only international data transfers. Our Privacy & Data Security Team offers key action points for companies to take to ensure compliance.
Breach Notification in the EU and U.S.: Practical Implications of 5 Key Distinctions
When it comes to data breach notification laws, differences between the patchwork of U.S. state laws and the EU’s GDPR can impact the focus of and approach to an investigation. Our Privacy & Data Protection Team highlights five particular distinctions and provides practical takeaways for calibrating a global incident response process.
European Commission Publishes Draft “Article 28” Standard Contractual Clauses
On November 12, 2020, in addition to issuing new (draft) SCCs for transferring personal data outside the EEA, the European Commission published a draft decision on SCCs between controllers and processors for the matters referred to in Article 28(3) and (4) of the GDPR.