Selected Developments in U.S. Law
Recent Exploits of Blockchain Bridges Highlight Need for Cybersecurity in Crypto and Risk of Liability
According to recent media reports, there have been several instances of blockchain bridges being hacked this year, including reports on August 2 that a bridge lost close to $200 million to upwards of 40 hackers who exploited a bug in its protocol. There were also reports in June that another bridge lost $100 million from hackers allegedly exploiting a weakness in the bridge to seize a number of different tokens, including Ethereum, Binance Coin, Tether, and Dai.
CPPA Board Opposes American Data Privacy and Protection Act
On July 28, 2022, the California Privacy Protection Agency (CPPA) board held a special public meeting to discuss state-law preemption in the American Data Privacy and Protection Act (ADPPA). The ADPPA, as currently drafted, preempts much of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The board moved to approve the CPPA’s recommendation to oppose the ADPPA and any other federal law that would preempt the CCPA and other state-law initiatives.
SEC Settles Enforcement Actions with Broker-Dealers and Investment Advisers for Identity Protection Deficiencies
On July 27, 2022, the Securities and Exchange Commission (SEC) separately settled three enforcement actions with broker-dealers and investment advisers for alleged deficiencies in preventing customer identity theft in violation of the SEC’s identity theft red flags rule, or Regulation S-ID. Regulation S-ID requires registered financial institutions, broker-dealers, and investment advisers that offer or maintain one or more covered accounts to maintain a written identity theft prevention program designed to detect, prevent, and mitigate identity theft of covered accounts.
CPPA Formal Rulemaking Began on July 8, 2022
On July 8, 2022, the CPPA began the formal rulemaking process to adopt regulations implementing the amendments to the CCPA introduced by the CPRA. The proposed CCPA regulations were originally released by the CPPA on May 27, 2022, and no substantive changes have been made.
California Privacy Protection Agency Initiates Notice and Comment Period for CCPA Regulations
The CPPA issued a notice of proposed rulemaking, as anticipated, for amendments to regulations the California attorney general promulgated in 2020 and to propose new regulations under the CPPA’s mandate provided in the CPRA.
Maryland Amends Data Breach and Reasonable Security Requirements
Maryland passed House Bill 962, amending Maryland’s Personal Information Protection Act (PIPA). House Bill 962 amends certain aspects of PIPA relating to breach notification and maintaining reasonable security measures to protect personal information. The bill becomes effective October 1, 2022.
DOJ Issues New Policy on CFAA Prosecutions
On May 19, 2022, the Department of Justice (DOJ) updated its policy for charging violations under the Computer Fraud and Abuse Act (CFAA). This is the first update to the DOJ’s policy since 2014, and it is effective immediately. The policy states that all federal prosecutors who wish to charge cases under the CFAA must follow the new policy and consult with the Criminal Division’s Computer Crime and Intellectual Property Section before bringing any charges. Importantly, the policy delineates what activities should not be criminal violations of the CFAA and emphasizes that the DOJ’s “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”
The California Privacy Protection Agency Solicits Public Input on Forthcoming Privacy Regulations
The CPPA board began its preliminary rulemaking activities to solicit input on forthcoming regulations under the CPRA in September 2021 when it met to review the CPRA rulemaking process. On September 22, 2021, the CPPA began soliciting preliminary written public comments. The CPPA board then held informational sessions on March 29 and 30, 2022 and stakeholder sessions between May 4 – 6, 2022. These pre-rulemaking sessions yielded some helpful information on the views of the CPPA board and the potential direction of the new regulations.
Germany’s Cyber Threat Landscape – Top 3 Lessons from the BKA Situation Report
Germany boasts one of the world’s largest, most sophisticated, and international economies. Companies doing business in Germany are an increasingly relevant target for cyber-attacks. Germany’s Federal Criminal Police Office (BKA) is the federal law enforcement agency charged with investigating cyber-crime and coordinating federal-state cooperation in cyber-crime matters. The BKA recently published an annual “Situation Report” summarizing the primary cyber-threats Germany faced in 2021. The BKA report provides a unique look into the Germany-specific threat landscape. This post summarizes three salient insights from the BKA report – the preferred targets, attack types, and attack vectors – that affected the German market in 2021.
UK Information Commissioner’s Office Issues Warning on Ransomware Payments
On July 8, 2022, the UK Information Commissioner’s Office, together with the UK National Cyber Security Centre, published a joint letter asking the Law Society of England & Wales to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.
New Cybersecurity Rules in India Impose Strict Reporting Requirements and Steep Penalties
The Indian Computer Emergency Response Team (CERT-In) issued directions on April 28, 2022 to “strengthen the cybersecurity in the country.” The directions have significant implications for the cybersecurity landscape. Effective June 27, 2022, the directions, among other requirements, impose a strict six-hour timeline for notice of a cybersecurity incident and expand the types of cybersecurity incidents that must be reported. These directions effectively amend the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) issued under Section 70B(5) of the IT Act.
Belgian Supervisory Authority Sanctions News Media Company for Violating Cookie Rules
On May 25, 2022, the Belgian Supervisory Authority (GBA) announced that it had imposed a fine of €50,000 on a Belgium-based news media company for using cookies on its websites without complying with applicable cookie law requirements. The GBA decided to sanction the company mainly because, although the company had obtained consent from website visitors to place cookies on their devices, the consent did not meet all the requirements of the EU General Data Protection Regulation (GDPR). This is the GBA’s first enforcement action on cookie use following a thematic investigation by the GBA into the management of cookies on the most popular news media sites in Belgium.
EDPB Issues Draft Guidelines on the Calculation of Administrative Fines
On May 16, 2022, the European Data Protection Board (EDPB) published draft regulatory guidelines on the calculation of administrative fines for infringements of the EU GDPR. In the draft guidance, the EDPB sets out its methodology, consisting of five steps, for calculating administrative fines.