Selected Developments in U.S. Law
Department of Defense Suspends the CMMC Pilot Program and CMMC Requirements in DoD Solicitations Pending Major Changes for CMMC 2.0
On November 5, 2021, the Department of Defense (DoD) announced it will be revamping the nascent Cybersecurity Maturity Model Certification (CMMC) program pending two separate rulemaking processes. The DoD will be updating “the program structure and the requirements to streamline and improve implementation of the CMMC program.” The primary short-term takeaway is that until the rulemaking process is complete, the DoD is suspending the CMMC Pilot Program and will not include CMMC requirements in any DoD solicitations.
FTC Revises the Safeguards Rule and Proposes Mandatory Reporting of Cybersecurity Events
On October 27, 2021, the FTC released its much-anticipated final revisions to the Gramm–Leach–Bliley Safeguards Rule, following a 3–2 vote along party lines, and also released a notice of proposed rulemaking that would require reporting to the FTC of certain cybersecurity events.
Treasury FinCEN Releases Financial Trend Analysis of Ransomware Trends in 2021
On October 15, 2021, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department issued a financial trend analysis on ransomware relating to Bank Secrecy Act reporting filed in the first half of this year. FinCEN examined ransomware-related Suspicious Activity Reports (SARs) filed between January 1 and June 30, 2021, which included a total of 635 reports and 458 confirmed transactions that total over $590 million in suspected ransom payments. This number reflects a 42% increase from the total ransomware payments identified by FinCEN in all of 2020. If this trend continues, FinCEN estimates a higher ransomware-related transaction value in the SARs filed in 2021 than the last 10 years combined.
Department of Justice Announces New Cryptocurrency Enforcement Team
On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the creation of the National Cryptocurrency Enforcement Team (NCET). This team was created to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual exchanges and money laundering infrastructure actors. Because of the vast potential for criminal use of cryptocurrency, the Department of Justice intends to have NCET involved in cryptocurrency and blockchain technologies across all aspects of the department’s work. This initiative will build upon the work of the Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section.
Department of Justice Announces New Civil Fraud Cybersecurity Enforcement Team
On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of the Department of Justice’s Civil Cyber-Fraud Initiative. The department plans to use civil enforcement tools to “pursue … those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.” This initiative will combine the department’s roles in civil fraud enforcement, government procurement, and cybersecurity to combat new and emerging cyber-threats to the security of sensitive information and critical systems.
California Federal Court Dismisses Data-Security-Related Securities Fraud Class Action
On September 22, 2021, a California federal court dismissed a putative securities fraud class action alleging that a large title insurer that disclosed a data security incident in May 2019 made false and misleading statements related to its data security practices and the incident. The dismissal follows the June 2021 settlement of a related U.S. Securities & Exchange Commission (SEC) enforcement action. An enforcement action brought by the New York State Department of Financial Services, the first set of charges brought under that office’s cybersecurity regulations, remains pending.
California Privacy Protection Agency Issues Notice of Invitation for Preliminary Comments on Proposed Rulemaking
On September 23, 2021, the California Privacy Protection Agency (CPPA) issued to the public an invitation to submit preliminary comments on proposed rulemaking under the California Privacy Rights Act (CPRA). The CPPA is accepting comments on any area where it has the authority to adopt rules, and specifically on those areas flagged in the invitation. The CPPA is “particularly interested in comments on new and undecided issues not already covered by the existing CCPA regulations.”
Key Takeaways from OFAC’s Updated Ransomware Advisory
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” While this advisory explicitly supersedes OFAC’s previous ransomware advisory from October 2020, it does not fundamentally alter OFAC’s approach toward ransom payments. Like the prior guidance, OFAC’s recent advisory reiterates the U.S. policy of “strongly discouraging” ransom payments, warns that such payments carry sanctions risk, and lists a number of “significant mitigating factors” that OFAC will consider when deciding whether to bring an enforcement response. Still, there are several significant takeaways from the updated guidance.
California Privacy Protection Agency Board Meets to Review the CPRA Rulemaking Process
On September 7 and 8, 2021, the CPPA board held a public virtual meeting on the rulemaking process under the CPRA. The CPPA board indicated that it expects to initiate preliminary rulemaking activities this fall, including soliciting public comments and holding informational hearings, and to publish a Notice of Proposed Rulemaking this winter, with public hearings to take place winter 2021 / spring 2022. The CPRA requires the CPPA to adopt final regulations by July 1, 2022.
Belgian Supreme Court Rules That Data Protection Authority May Impose Administrative Fines Even When a Data Subject’s Personal Data Were Not Processed
The Belgian Supreme Court ruled in a judgment on October 7, 2021 that a data subject has the right to lodge a complaint with the data protection authority (DPA) against a processing practice that violates the General Data Protection Regulation (GDPR) (in this case, the data minimization principle in Article 6 of the GDPR), even when the data subject’s personal data were not processed.
China’s First Comprehensive Personal Information Protection Law – Key Takeaways
On August 20, 2021, China’s first comprehensive Personal Information Protection Law (PIPL) was passed. The Cybersecurity Law, the Data Security Law, and the PIPL are the three pillars of China’s data protection framework, which govern cybersecurity, data security, and personal information protection, respectively. The Cybersecurity Law largely governs cybersecurity requirements for critical information infrastructure operators and network operators, and the Data Security Law regulates the security of data processing activities, specifically “important data” and “national core data.” PIPL, on the other hand, focuses on “personal information,” serving as China’s first comprehensive personal data privacy law, similar to the EU’s GDPR. Understanding and complying with all three laws are vital for organizations to process data of individuals in China.
September 27 Deadline Looming for EU Standard Contractual Clauses
On June 4, 2021, the European Commission issued modernized standard contractual clauses (SCCs) for the purposes of legitimizing international transfers of personal data under the GDPR. The modernized SCCs replace the three sets of SCCs that were adopted under the predecessor of the GDPR – the Data Protection Directive 95/46/EC – with effect from September 27, 2021. Contracts concluded before September 27, 2021 on the basis of the European Commission’s old SCCs will still be deemed to provide appropriate safeguards within the meaning of the GDPR until December 27, 2022.
UK Unveils Post-Brexit Data Plans with an Emphasis on International Transfers of Personal Data
On August 26, 2021, the UK Department of Digital, Culture, Media, and Sport made a series of announcements shedding light on the UK’s post-Brexit data strategy. The announcements emphasized the importance of international transfers of personal data to global trade.
EDPB Reports on EU Data Protection Authorities’ Resources and Enforcement Actions
On August 23, 2021, the European Data Protection Board (EDPB) published a report on the resources that the EU Member States make available to their DPAs and on the enforcement actions initiated by those DPAs.
Swiss Data Protection Regulator Is Latest to Outline Framework for Transferring Data to the SEC
On June 25, 2021, the Swiss Federal Data Protection and Information Commissioner released its framework for U.S. SEC registrants to be able to provide personal data in response to SEC examination and inspection requests, while maintaining compliance with Swiss data protection laws. Entities registered with the SEC must maintain certain books and records and can be subject to the SEC’s examination, inspection, and enforcement authority. Responding to SEC requests can require cross-border transfers of personal data, and this has historically risked noncompliance under foreign data protection law.
- December 16, 2021 – Amy Mushahwar will be a roundtable speaker at The Cyber Security ConfEx.
- December 8, 2021 – Kim Peretti will speak on the panel “Ransomware – Lessons Learned from the Trenches” during a conference presented by the Georgia Bar Corporate Counsel.
- November 18, 2021 – Peter Swire will speak on the panel “Privacy Protections for Government Requests Across Borders: EU and Globally” during the IAPP Europe Data Protection Congress 2021.
- November 15, 2021 – Amy Mushahwar presented “The Current State of Phishing Attacks and How to Prevent Them” during a Lorman live webinar.
- November 9, 2021 – Amy Mushahwar presented “Alston & Bird 2021 Cyber Insurance Updates Webinar – Coverage Shock: Is It Me or Is It the Market?”
- November 9, 2021 – Kellen Dwyer spoke at the American Petroleum Institute’s Annual Cybersecurity Conference on the Biden Administration’s Cybersecurity Regulations.
- November 8, 2021 – Kim Peretti participated on a ransomware panel at the National Association of Attorneys General Consumer Protection Fall Conference.
- October 12, 2021 – Amy Mushahwar and Kim Peretti presented “EWF and A&B Women in Cyber™ Present: Promotion in the Workplace and Strategies for Advancement.”
- October 6, 2021 – David Keating, Wim Nauwelaerts, Paul Greaves, and Yung Shin Van Der Sype presented “Data Strategy Webinar Series - Data Transfers Out of Europe – Recent Regulatory Developments.”
- October 4, 2021 – Kim Peretti spoke on the panel “Combating and Outpacing Ransomware: Yes, It’s Possible” at the United Women in Cyber Conference 2021.
- September 29, 2021 – Daniel Felz, Jon Knight, and Gavin Reinke spoke at The 2021 Privacy + Security Forum, Fall Academy.
- September 28, 2021 – Maki DePalo, Kellen Dwyer, Donald Houser, Rachel Lowe, Amy Mushahwar, Wim Nauwelaerts, Kim Peretti, Gavin Reinke, and Peter Swire presented the Third Annual Cyber, Privacy, and Litigation Summit – Back to Basics and New Trends.
- September 27, 2021 – Kim Peretti spoke on the panel “That’s Secret – Can a Forensic Report Be Protected as a Privileged Work Product?” during the 2021 National Cyber Summit.
- September 23, 2021 – Wim Nauwelaerts spoke on the panel “Cyberattacks on the Supply Chain: Incident Response Strategies” during the Incident Response Forum Europe 2021.
- September 15, 2021 – Amy Mushahwar spoke about “Global Cybersecurity Compliance Integrity – USA Perspective” at a cybersecurity roundtable.
- September 14, 2021 – Amy Mushahwar spoke on “From a ‘Nice-To-Have’ to a ‘Must-Have’: How Is Your Organization Prepared for Data Retention Requirements in the New & Upcoming Privacy Laws,” hosted by GRC World Forums.
- August 31, 2021 – Kim Peretti presented “Cyber Threats and Cyber Crime, What Every In-House Counsel Needs to Know.”
In the News
- November 3, 2021 – Wim Nauwelaerts’s article “10 Key Takeaways from the European Commission’s New SCCs” was published in The Computer & Internet Lawyer.
- October 15, 2021 – Kellen Dwyer is quoted in The Washington Post on the Department of Justice’s (DOJ) ransomware and cryptocurrency enforcement strategies.
- October 15, 2021 – Kellen Dwyer is quoted in SC Magazine on plans by the DOJ to use the False Claims Act to regulate the cybersecurity standards of federal contractors.
- October 7, 2021 – Kellen Dwyer is quoted in The Wall Street Journal on the DOJ’s use of the False Claims Act to pursue federal contractors that do not adhere to cybersecurity standards.
- October 1, 2021 – Kim Peretti and Kate Hanniford’s article “Top 7 Issues All General Counsel Need to Know About Ransomware” was published in The Computer & Internet Lawyer.
- September 24, 2021 – Cara Peterman and Sierra Shear’s article “Key Trends in Recent Cyber-Related Securities Class Actions” was published in Law360.
- September 7, 2021 – Kellen Dwyer’s article “The Best Way to Stop Ransomware Attacks: Be Proactive, Not Reactive” was published in The Wall Street Journal.
- August 26, 2021 – Sean Sullivan contributed to the American Health Law Association survey “Survey of Applicability of State General Privacy and Breach Notification Laws to Health Information.”