Selected Developments in U.S. Law
Colorado Privacy Act Becomes Third Comprehensive State Privacy Act in the United States
Our Privacy, Cyber & Data Strategy Team highlights some of the similarities and differences between Colorado’s new consumer privacy law and its older siblings in California and Virginia.
Biden Administration to Issue Cybersecurity “Performance Goals” for Critical Infrastructure
On July 18, 2021, the Biden Administration issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The primary takeaway is that the government will be establishing preliminary cybersecurity performance goals for certain industries no later than September 2021. While we do not yet know what these “performance goals” will be, there is a potential risk that failure to meet these goals, once they are published, could be seen by a regulator as negligence or lack of reasonable security. The memorandum states these goals “should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services.”
U.S. and Allies Formally Accuse China of Microsoft Hack and Cyber-Espionage
On July 19, 2021, the Biden Administration, along with a group of allies, publicly accused the Chinese government of malicious cyber-activities and irresponsible state behavior. The joint announcement states the U.S. uncovered a wide array of cyber-attacks by hackers with a history of working for China’s Ministry of State Security (MSS). Importantly, the announcement attributes an attack on Microsoft’s Exchange email software – an attack that infected tens of thousands of businesses, government offices, and schools in the U.S. alone – to the MSS.
Department of Defense’s CMMC: Where Is It Now?
Our Privacy, Cyber & Data Strategy Team updates the slow progress of the Cybersecurity Maturity Model Certification and the slower progress of clearing assessment organizations that can actually certify contractors.
U.S. Government Launches StopRansomware.gov
On July 15, 2021, the U.S. Department of Justice (DOJ) and the U.S. Department of Homeland Security (DHS), together with additional federal partners, launched StopRansomware.gov, a one-stop hub intended to help the private and public sectors mitigate the threat of ransomware. The website includes a range of resources geared toward private organizations, public and private critical infrastructure sectors, K-12 educational institutions, and state, local, tribal, and territorial governments.
Colorado Becomes the Third State to Adopt a General Privacy Law
On July 7, 2021, Colorado became the third state after California and Virginia to adopt a comprehensive privacy law when Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. The CPA contains many similarities to the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA). But there are several key differences, including the scope of certain consumer privacy rights and the contract terms required in agreements with processors. Like the CPRA, but unlike the VCDPA, the statute mandates a formal rulemaking process. Notably, the law does not contain a private right of action, but a violation of the CPA is considered a deceptive trade practice and may result in a fine of $20,000 per violation. The CPA takes effect July 1, 2023.
A Practical Guide to Challenging Gag Orders Under the Stored Communications Act
When is it a good idea to challenge a government request for information, especially gag orders? Our Privacy, Cyber & Data Strategy Team summarizes the statutory, constitutional, and policy rules governing gag orders and offers some practical tips for when and how they might be challenged.
NYDFS Issues Guidance on Cybersecurity Controls to Combat Ransomware and Clarifies Reporting Obligations
On June 30, 2021, the New York Department of Financial Services (NYDFS) issued new guidance intended to assist organizations in thwarting ransomware attacks. The guidance clarifies the NYDFS’s expectation that NYDFS-regulated companies should “implement these controls whenever possible” and report any successful deployment of ransomware or unauthorized access to privileged accounts to the NYDFS under its established cybersecurity event reporting regulations. This guidance comes at an inflection point for cybersecurity and ransomware – “the rate of ransomware attacks increased 300% in 2020,” as recently noted by DHS Secretary Alejandro Mayorkas, and the NYDFS continues to focus on the silent and systemic risks posed by ransomware to the financial services sector. In connection with releasing its guidance, the NYDFS warned that ransomware attacks “could cause the next great financial crisis” and “lead to a loss of confidence in the financial system.”
State Legislatures Consider Bans on Ransomware Payments
As ransomware attacks continue to dominate the news cycle, legislation has recently been introduced in several states that would place limits on certain entities’ ability to make a ransom payment after a ransomware attack. Although the proposed limits would generally apply to state agencies and other local governmental authorities, certain state proposals may also apply to state agencies’ IT service providers, entities that receive public funds, and business entities more broadly.
SEC Settles Enforcement Action for Disclosure Controls Violations Stemming from Data Security Incident
The U.S. Securities and Exchange Commission (SEC) has settled an enforcement action against a large title insurer in connection with public statements and disclosures made by the company in May 2019 relating to a data security incident. The underlying data security incident was the subject of the first set of charges brought by the NYDFS under its cybersecurity regulations in 2020 and involved an application vulnerability that allegedly exposed sensitive personal information dating back to 2003 and was first publicly reported in May 2019 by the media.
DOJ Seizure of Ransom Payment Signals More Aggressive Stance by U.S. Government
Following the creation of the DOJ’s Ransomware and Digital Extortion Task Force in April 2021 and on the heels of the Biden Administration’s characterization of ransomware as a national security threat, on June 7, 2021, the DOJ announced it seized $2.3 million (63.7 bitcoin) in proceeds from a recent ransom paid to DarkSide in connection with a ransomware attack on U.S. critical infrastructure.
The Supreme Court Narrows the Scope of the Computer Fraud and Abuse Act
The Supreme Court issued a long-awaited decision in Van Buren v. United States interpreting the meaning of “exceeds authorized access” under the Computer Fraud and Abuse Act. The 6–3 majority, led by Justice Barrett and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh, rejected the government’s broad definition of this phrase. While the Van Buren majority and dissent provide an excellent workshop on the canons of statutory interpretation, the key takeaway for cyber and privacy practitioners is that motive for access can no longer factor into the “exceeds authorized access” analysis.
New York and Illinois Regulators Recommend Third-Party Cybersecurity Review for Specific Vulnerabilities
The Illinois Department of Insurance issued guidance to insurers recommending assessments in response to a Microsoft Exchange vulnerability, detailed in the guidance. In the bulletin dated May 5, 2021, the department encourages regulated entities to “assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact.” The bulletin states that the assessment should identify “any use of these products by critical third parties.”
Top 7 Issues All General Counsel Need to Know About Ransomware
Companies face increasingly tough decision points in preparing for and responding to the proliferation of ransomware attacks. Our Privacy, Cyber & Data Strategy Group outlines seven issues for general counsel to consider as companies calibrate their cybersecurity preparedness to the current ransomware threat landscape.
Executive Order Details Cybersecurity Changes for Public and Private Sectors
In a lengthy Executive Order issued on May 12, 2021, the Biden Administration has taken steps “to make bold changes and significant investments” in both public and private sector cybersecurity “in order to defend the vital institutions that underpin the American way of life.” The full scope of the order remains to be seen. Much will depend on the recommendations and rules issued by various agencies over the coming months.
Securities Class Actions Filed Against Three Chinese Tech Titans After Announcement of Cyber-Related Investigations
In early July, investigations by a Chinese cybersecurity regulatory agency, the Cyberspace Administration of China, into at least three China-based technology companies – DiDi Global Inc., Full Truck Alliance Co. Ltd., and Kanzhun Ltd. – were purportedly revealed weeks after each conducted a substantial initial public offering on a U.S. stock exchange. These purported disclosures follow, and appear to align with, China’s recent promulgation of significant data privacy rules and increased interest in data sovereignty and reining in the power of homegrown technology companies.
EU Spotlight: Top 6 Issues All General Counsel Need to Know About Ransomware
Ransom demands from cyber-attacks show no signs of slowing down, and the costs – both from ransom payments and repairing the damage – are rising precipitously. Our Privacy, Cyber & Data Strategy Team outlines six ways companies can calibrate their cybersecurity preparedness to the current ransomware threat landscape.
EDPB Publishes Guidelines on the Concepts of Controller and Processor in the GDPR
On July 7, 2021, the European Data Protection Board (EDPB) adopted its finalized guidelines on the concepts of controller and processor in the General Data Protection Regulation (GDPR). While the EDPB’s predecessor – the Article 29 Working Party – had issued guidance on the concepts of controller/processor back in 2010, many practical concerns have been raised since the GDPR came into force. These concerns relate in particular to the concept of joint controllership and the specific obligations imposed on processors. To address these concerns, last year the EDPB published draft guidelines, which were open to public consultation. The newly released guidelines take into account the feedback from various stakeholders.
Partner and Former Deputy Assistant Attorney General Kellen Dwyer Discussed China Tech Crackdown on CNBC
Partner Kellen Dwyer joined CNBC’s Squawk on the Street to discuss what he sees in China’s tech crackdown.
People’s Republic of China Passes the Data Security Law: A Summary of What We Know
On June 10, 2021, almost exactly three years after the passing of its Cybersecurity Law (CSL), the National People’s Congress of China passed a new Data Security Law (DSL), which goes into effect September 1, 2021. Where the CSL is primarily focused on cybersecurity for critical information infrastructure operators and network operators, the DSL was promulgated to regulate data processing activities, promote data security, protect the lawful rights and interests of individuals and organizations, and safeguard national sovereignty, security, and development interests. The scope of the DSL is quite broad, and without clarifying regulations or guidance, the law lacks significant detail on how companies should comply, leaving many open questions ahead of the September 2021 effective date. While the relevant authorities in China are expected to issue guidance and formulate certain corresponding regulations, it is clear that given its sweeping scope and broad territorial reach, the DSL may have far-reaching implications for many companies.
FAQs – Standard Contractual Clauses for Controllers and Processors in the EU/EEA
Our Privacy, Cyber & Data Strategy Team answers five questions about the standard contractual clauses (SCCs) that aim to ensure compliance with Articles 28(3) and (4) of the General Data Protection Regulation.
10 Key Takeaways from the European Commission’s New SCCs
Our Privacy, Cyber & Data Strategy Team offers 10 observations companies can use to better understand the EU’s overhaul of the SCCs that allow compliance with the General Data Protection Regulation’s rules on international data transfers.
European Commission Publishes Long-Awaited New Standard Contractual Clauses
On June 4, 2021, the European Commission published finalized versions of new SCCs. The Commission has published two sets of clauses: (1) a set of SCCs to be used in controller-to-processor situations in conjunction with Art. 28 GDPR “data processor” terms applicable to such situations; and (2) a more general set of modular SCCs that can be used to support transfers of data to third countries in controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller situations.