Selected Developments in U.S. Law
NYDFS Issues Report on the SolarWinds Attack and Covered Entities’ Responses
Following the SolarWinds cyber espionage attack and the resulting focus on supply chain risk, the New York Department of Financial Services (NYDFS) issued a report detailing the attack’s impact on covered entities and responses by covered entities to the attack. Although there have been no reported instances of active exploitation of NYDFS-regulated companies as a result of the attack, the networks of approximately 100 NYDFS-regulated companies were compromised.
FBI Releases IC3 2020 Internet Crime Report Showing Record Increase in Cybercrime
The FBI’s Internet Crime Complaint Center (IC3) recently released its annual report, the 2020 Internet Crime Report, which gathers statistics from nearly 800,000 complaints of suspected cybercrimes that the department received in 2020. This is a record number of complaints—a 69% increase from 2019—with reported losses exceeding $4.2 billion. According to the FBI, the three most reported crimes in 2020 were phishing scams, nonpayment/nondelivery scams, and extortion/ransomware.
Department of Labor Issues Cybersecurity Guidelines
On April 14, 2021, the U.S. Department of Labor announced new cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers, and plan participants. The guidance is specifically “directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act, and plan participants and beneficiaries” and is intended to mitigate cybersecurity risks to pension plans and contribution plans.
2021 Developments in State Cybersecurity Safe Harbor Laws
Only four months in and 2021 has already been a big year for state cybersecurity safe harbor legislation. Two states, Utah and Connecticut, have recently enacted or introduced a breach litigation safe harbor to incentivize businesses to protect personal information by adopting industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework and the Center for Internet Security’s Critical Security Controls.
Russia Sanctioned for Role in SolarWinds Supply Chain Attack
On April 15, 2021, the Biden Administration took a significant step in announcing sanctions against the Russian government and private Russian entities for multiple internationally destabilizing activities, including the Russian Foreign Intelligence Service’s (SVR) supply chain attack of the SolarWinds Orion platform and other technology infrastructures.
U.S. Takes Unprecedented Action to Disrupt State-Sponsored Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
On April 13, 2021, a federal district court granted a motion to partially unseal an FBI application and search warrant following the successful conclusion of an FBI operation to eradicate malicious web shells placed on U.S.-based computers by Chinese state-sponsored actors. The FBI’s use of credentialed, remote-access techniques to access, copy, and remove malware without the knowledge of the computer’s owner appears to be a novel approach by the FBI in counteracting state-sponsored cyber-attacks.
NYDFS Announces Cybersecurity Settlement, Addresses Multi-Factor Authentication Rules
On April 14, 2021, the NYDFS announced a settlement with National Securities Corporation, a licensed insurer, in connection with claims under the NYDFS Cybersecurity Regulation. The consent order requires payment of a $3 million penalty and mandatory remediation in response to alleged failures to properly implement multi-factor authentication and to provide notice to the NYDFS of two cybersecurity events reported to other regulators in 2018 and 2019, and for falsely certifying compliance for the calendar year 2018.
Another Court Dismisses Data Breach Class Action for Lack of Standing
In what appears to be a growing trend, another federal district court has dismissed a data breach case for lack of standing. In Springmeyer v. Marriott International Inc., the plaintiffs, former guests of Marriott hotels, sued Marriott in connection with a data breach affecting over 5 million guests. Marriott moved to dismiss the plaintiffs’ complaint for lack of standing and failure to state a claim. The court dismissed the plaintiffs’ claims for lack of standing, holding that they failed to plausibly allege that their alleged injuries were fairly traceable to Marriott’s conduct—an essential element of standing.
NYDFS Reports Major Cybersecurity Settlement
In early March, the NYDFS announced a settlement involving a $1.5 million penalty and mandatory remediation in response to a mortgage lender’s alleged failure to report a cyber-breach and other alleged cybersecurity failures. This enforcement action marks the second public enforcement action under the Cybersecurity Regulation.
Virginia Becomes First State with Comprehensive Privacy Law After CCPA
On March 2, 2021, Virginia became the second state after California to pass a comprehensive privacy law when Governor Ralph Northam signed the Consumer Data Protection Act (CDPA). The CDPA contains many elements found in the California Consumer Privacy Act and other proposed privacy frameworks, as well as a number of new requirements for businesses.
President Biden Issues Executive Order on America’s Supply Chains
On February 24, 2021, President Biden announced a new Executive Order on America’s supply chains. The Order provides for two key initiatives: a 100-day review of the supply chains for certain vital products and a long-term review of supply chains in six different sectors of the U.S. economy, including the information and communications technology industrial base.
Eleventh Circuit Holds Risk of Future Harm Does Not Establish Article III Standing
As part of a growing trend, the Eleventh Circuit recently held that an alleged risk of future identity theft does not establish standing if the plaintiff does not allege any information has actually been misused. The decision, Tsao v. Captiva MVP Restaurant Partners LLC, is a blow to the data breach plaintiffs’ bar, which routinely attempts to rely on third-party reports and other generic allegations concerning a risk of future harm to attempt to establish Article III standing.
NYDFS Issues Best Practices for Cyber Insurance Risk Management
Against the backdrop of the disruptions associated with the COVID-19 pandemic and SolarWinds cyber-espionage campaign, the NYDFS has released guidance for insurers that underwrite cyber-insurance policies that contains a number of provisions expected to impact companies applying for or renewing cyber-insurance coverage, not the least of which is a specific recommendation that insurers require insureds to report cybersecurity incidents to law enforcement. Although not technically a part of the seven-pronged Cyber Insurance Risk Framework, the NYDFS guidance includes a specific recommendation against making ransom payments in response to ransomware cybersecurity incidents.
Swire Report Addresses EU Data Localization Comments, Portuguese Order Restricting U.S. Data Flow
In November, the European Data Protection Board issued draft guidance on transfers of personal data from the European Union. That guidance has prompted nearly 200 comments from companies, trade groups, and interested observers. Senior Counsel Peter Swire, along with co-author DeBrae Kennedy-Mayo, has now published a report reviewing these comments through the Cross-Border Data Protection Forum.
The GDPR Reaches the U.S. Supreme Court in Cert Petition
The EU’s General Data Protection Regulation (GDPR) has been raised in a petition for certiorari before the U.S. Supreme Court, apparently for the first time since the GDPR went into effect in 2018. A party in Vesuvius USA Corp. v. Phillips has filed a petition for certiorari in a GDPR-related discovery dispute. Of course, since this is a petition for certiorari, the Court has not decided if it will hear this GDPR issue. Even so, this case marks what appears to be the first time the GDPR has been raised in a certiorari petition to the Court as an outcome-determinative issue.
European Commission Adopts Draft UK Adequacy Decision
On February 19, 2021, the European Commission adopted a draft “adequacy decision” in favor of the UK. The adoption of the draft adequacy decision marks the first step in ensuring the continued free flow of personal data from EEA countries to the UK under the GDPR. Once (and if) the final adequacy decision is adopted, companies in the EEA can (continue to) transfer personal data to data recipients in the UK without putting in place additional compliance measures—such as standard contractual clauses or binding corporate rules.