Introduction

On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed mandates for cybersecurity disclosures by public companies. If adopted, these mandates seek to provide investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. SEC chair Gary Gensler noted in a statement regarding the proposed mandates that cybersecurity incidents continue to become a growing risk with “significant financial, operational, legal, and reputational impacts.”

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” – Gary Gensler, SEC Chairperson

Continue Reading SEC Proposes Mandatory Cybersecurity Disclosures by Public Companies

Introduction

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Act will require critical infrastructure organizations (defined below) to report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The Act also creates an obligation to report ransomware payments within 24 hours.

According to the Federal Bureau of Investigation’s 2021 Internet Crime Report, released on March 23, 2022, cyber incidents rose 7% from 2020, with potential losses topping $6.9 billion. Many of the most threatened organizations fall into the critical infrastructure sector, and in 2021 alone, cyber incidents caused oil and food shortages, as well as supply chain threats. With cyber incidents reaching all-time highs in 2021, the legislation purports to protect U.S. critical infrastructure entities and investigate cyber crimes moving forward. The Act suggests that reporting obligations are being implemented to ensure that the government can support in the response, mitigation, and protection of both private and public companies that are covered under the Act. Within 24 months, CISA’s director is required to issue a proposed rule, and must issue a final rule 18 months after making the proposal. The legislation also authorizes the Director of CISA to issue future regulations to amend or revise that rule. Continue Reading President Biden Signs Bill Mandating Cyber Reporting for Critical Infrastructure Entities

Introduction 

The Utah legislature has passed Senate Bill 227, otherwise known as the Utah Consumer Privacy Act (UCPA). Barring a veto from Utah Governor Spencer J. Cox, who, as of March 15, 2022, officially has the bill on his desk for action, Utah will become the fourth state to pass a comprehensive privacy bill, following the likes of California, Virginia, and Colorado. If enacted, the UCPA would take effect on December 31, 2023. Continue Reading Utah To Become The Fourth State to Pass Privacy Legislation

Introduction

While previous cybersecurity legislation has largely been unable to pass through Congress, the Strengthening American Cybersecurity Act of 2022 was introduced by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), and has been viewed as a priority as threats of cyber incidents continue to rise. The Senate unanimously passed the Act, which, in its current form, would require federal agencies and critical infrastructure operators to report cyberattacks within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Should the legislative package make it through the House unchanged, it would also require critical infrastructure companies to report ransomware payments within 24 hours. The Act combines language from the three bills Senators Portman and Peters have authored in the past – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. Continue Reading U.S. Senate Unanimously Passes Cybersecurity Bill on March 2, 2022

Recently, a federal Special Master in the District of New Jersey addressed whether a requesting party waives its right to relevant and discoverable documents when it fails to timely follow up on the responding party’s objections. In In re Valeant Pharmaceuticals International, Inc. Securities Litigation,[1] the Special Master refused to entertain the plaintiffs’ waiver argument, finding that the relevant and discoverable documents should be produced regardless.

In that case, defendant served its first request for the production of documents from plaintiffs on October 22, 2018.[2]  On July 29, 2019, plaintiffs served objections and responses to those requests.[3] Certain responses included general objections.[4] The response to one request, Request No. 7, included a statement that plaintiffs were “willing to meet and confer” with defendant regarding the “appropriate scope of responsive documents.”[5] The response to another request, Request No. 11, included a statement that plaintiffs would conduct a “reasonable search for and produce responsive, non-privileged, or otherwise unprotected communications in their possession, custody, or control.”[6] Continue Reading Recent Decision Holds That Failure to Timely Follow Up On Objections to Discovery Requests Does Not Waive Discovery

On September 21, 2021 the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issue an updated memo on the potential sanctions risk associated with facilitating ransomware payments and to once again note “proactive steps” companies can take to mitigate such risks. See “The OFAC memo”, available here.  The memo comes on the heels of increased  regulatory activity and public statements regarding ransomware by the Biden Administration, and further, on the heels of the OFAC’ s designation and sanction of SUEX OTC, S.R.O for its part in facilitating financial transactions for ransomware actors involving illicit proceeds from at least eight ransomware variants.

The revised memo stresses OFAC’s concern with many different types of companies that have a role in ransomware cases and subsequent payment.  The memo notes:

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.(emphasis supplied).

The OFAC memo next notes that the growth and facilitation of ransomware payments threatens the national security and foreign policy of the country:

Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands. [emphasis supplied]. Continue Reading OFAC Issues a New Advisory Memo on Potential Sanctions Risk for Facilitating Ransomware Payments

This post has been cross-posted from Seyfarth’s Consumer Class Defense Blog.

Now more than ever, it is important for organizations to review and update their basic information security protocols (their incident response, business continuity and crisis communications plans), and to ensure they’re keeping apprised of potential and developing security threats that may imperil their organizations (like a catastrophic ransomware attack). Nation state attacks and cyber criminal gangs efforts seem to be aimed daily at US businesses. And the ransomware plague that continues unabated, affects nearly all industry verticals.¹

Unfortunately, sometimes even when threats are known and being addressed, when employees are trained frequently regarding information security, and when the highest security precautions are taken, a threat-actor can quickly capitalize on miniscule vulnerabilities, and an organization is faced with the grueling task of picking up the pieces. This usually includes conducting a forensic investigation, updating written information security protocols, deploying patches and password resets, replacing hardware, conducting additional employee training, as well as analyzing differing state breach legislation and notifying consumers, attorneys general, and credit bureaus in accordance with those laws.

Even after these efforts, an organization is still at risk of privacy class action litigation. This might arise through a state attorney general, federal regulator, or a consumer whose data was wrongly accessed or in fact stolen during the cyber-attack.

But in order for a consumer to sue, the threshold, and hot-button, question is whether the consumer has standing under Article III of the US Constitution. [T]he “irreducible constitutional minimum” of standing consists of three elements. The plaintiff must have (1) suffered an “injury in fact” (2) that is “fairly traceable” to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.²

This article discusses the first prong of the standing elements: injury in fact. Because it is generally difficult for plaintiffs in these actions to show financial harm, or other actual damages, arguments have been raised by the plaintiffs’ bar that the future risk of harm should suffice to meet the first prong of the standing elements. The Supreme Court stated in Spokeo, Inc. v. Robins that even when a statute has been violated, plaintiffs must show that an “injury-in-fact” has occurred that is both concrete and particularized. While this did provide some additional information, the question of how the future risk of harm fits in was left outstanding. Fortunately, on June 25, 2021 the Supreme Court revisited this issue in TransUnion LLC v. Ramirez, 20-297, 2021 WL 2599472, at *1 (U.S. June 25, 2021), when a credit reporting agency flagged certain consumers as potential matches to names on the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, or other serious criminals. The Court found that those “flagged” consumers whose information was divulged to third party businesses as being included in this list suffered a concrete injury in fact.. With regards to those consumers who were flagged as potential matches, but the information was never disseminated, the Court was unconvinced that a concrete injury occurred. Id. The Court further examined the risk of future harm for these individuals, but declined to find injury in fact, stating that risk of harm cannot be speculative, it must materialize, or have a sufficient likelihood of materializing. Id. It will be interesting to see how this ruling plays out in the circuits in the context of a data breach. The Court included in its opinion some interesting information regarding certain circumstances that may give rise to a concrete harm. Id. Aside from physical or financial harm, the Court also stated that reputational harm, the disclosure of private information, or intrusion upon seclusion may rise to the level of concrete harm. Id. This then begs the question of whether a risk of harm analysis might be necessary in the context of a breach, where private information is indeed accessed and disclosed (i.e., disseminated) to an unauthorized 3rd party. Continue Reading First There Was Litigation; And Then There Was Standing

Introduction

On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment for its second draft released on April 29, 2021, data compliance is becoming increasingly important and complicated for companies operating business in China or with data originating from China.

Background

Before the enactment of the Cybersecurity Law in 2016, China didn’t have any dedicated national legislation on data security, and the duty of protecting data was mainly left to companies that collect and/or use data to implement voluntary protection schemes. The 2016 Cybersecurity Law encompassed the issue of cyber data management and security, but other types of data remain unregulated. The Data Security Law filled up the gap by addressing all types of data (including both electronic and non-electronic data) and covering the full cycle of data activities.

Scope of governance

Under the 2016 Cybersecurity Law, all the network owners, managers, and service providers (the “Network Operators”) are required to implement measures to safeguard network security and integrity, and ensure contents published on the network are legal and appropriate. Although technically speaking every enterprise providing services or operating business through a computer network would fall within the definition of Network Operator, based on the reported enforcement cases since 2017, website and mobile application operators were the primary targets of the crackdowns.

By contrast, the Data Security Law has a much wider jurisdiction. Firstly, unlike the 2016 Cybersecurity Law, which only governs cyber data, the scope of Data Security Law also covers non-electronic data. Secondly, although both laws imposed long-arm jurisdiction over illegal overseas activities, the sanctions under the 2016 Cybersecurity Law are limited to exportation of personal and core data originated from China, importation of illegal data from overseas, and activities severely undermining China’s core information infrastructure facilities, whereas any overseas data processing activity that jeopardizes China’s national security, public interest, or lawful rights of any person or entities are considered illegal under the Data Security Law. Obviously, the Data Security Law is taking a catch-all approach to provide a very broad grounds for future legal enforcement.

Points to note

Data classification system

From the fact that the term “national security” is mentioned 14 times in a law comprised of only 55 provisions, it is quite clear that enhancement of national security is a very big driver behind the promulgation of the Data Security Law, if not the most important one. Pursuant to the Data Security Law, the Chinese government will for the first time establish a centralized classification system by the level of importance of the data. Data that are pertinent to national security, national economy, social welfare, and important public interests will be regarded as core data, and will be subject to stricter scrutiny. In the near future, the Chinese government will publish national, regional, and departmental catalogues with classification guidance for the ease of reinforcing supervision on core data processing activities.

Data security monitoring system

As required by the Data Security Law, all data processors will be required to establish a data security policy and risk monitoring system. Processors of core data are required to report their data protection practice to the government on periodic basis, and processors of non-core data are required to report to the government in event of security failure. Companies who fail to protect their data and cause large scale data leakage may face a fine of up to RMB2 million and risk suspension or closure of business. If the violation concerns core data in jeopardy of China’s national interests, the fine may be up to RMB10 million.

Data exportation

The exportation of core cyber data will continue to be governed by the 2016 Cybersecurity Law, whereas China will introduce the new regime regarding exportation of other data. One of the most notable implications on such data exportation restriction is its counteracting effect against the Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) promulgated by former US President Donald Trump in 2018. The CLOUD Act enables US law enforcement agencies to demand access to electronic data no matter which country the data is stored in. However, under the 2016 Cybersecurity Law, exportation of personal data and important data stored in core information infrastructure facilities in China are subject to safety review. This measure has been endorsed by the Data Security Law, which further provides that companies who failed to comply with this requirement may be fined up to RMB10 million and risk suspension or closure of business. The Data Security Law also allows countermeasures to be taken in response to any discriminatory measures against China’s data or data development related investment or trade adopted by foreign countries or regions.

Observation

So far, the Data Security Law has only set out a skeleton for the governance of data. The meaning of some important concepts remain unclear. For instance, the concept of “public interests” in the Data Security Law is widely used across various Chinese legislations, but there is neither specific definition for it within the Data Security Law itself, nor has the legislator published any guidance providing clarification. Further, it is unclear which governmental authority should be responsible for enforcement. Based on the latest enforcement case report, a large-scale violation of citizens’ information privacy by certain Chinese local companies operating mobile phone apps was sanctioned by a joint group consisting of The Public Security Bureau,  Cyberspace Administration  Office, and Communication Administration Bureau for “jeopardizing public interests.”  However, it is worth noting that the concept of “public interest” is going to be a bit different in the US than in China. Generally speaking, public interest in the US is limited to activities like public health (think pandemic response) or rule of law (think law enforcement). This is a much narrower concept than in other places in the world. As such, it will be prudent to see what the Chinese officials do with their approach to defining “public interest.”

While waiting for further implementation rules, enterprises with data originated from China should start assessing their exposure to risk of data leaks, unauthorized data exportation, and other violations in this new compliance environment, and seek professional advice.

This post was originally posted on The Global Privacy Watch blog.

In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.

It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor,” the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.

The two sets of SCCs are (i) for use between controllers and processers inside the EU/EEA, and (ii) for cross border transfers between controllers and processers. Both can be used as of 27 June 2021. Note that the effect of Brexit has added

What are the key takeaways?

  • There are now approved SCCs for intra-EU agreements under Article 28. As a consequence, there is now a “safe harbor” to ensure all of an entity’s processor (Article 28) agreements are compliant. This did not exist previously.
  • The SCCs have a ‘modular approach’, enabling multiple parties to join and use them. Additionally, now there will now only be a need for one agreement addressing both Article 28 and Article 46 requirements. Until the new SCCs came out, there was a need for a different agreement for each of the two Articles.
  • The SCCs account for the Schrems II decision, which in 2020 considered the validity of the previous SCCs in relation to international transfers. The SCCs outline the steps that data controllers/processors must follow to comply with the decision and provide possible supplementary measures that can be taken, if necessary (e.g. encryption, pseudonyms).
  • As part of the Schrems II consideration, both data exporters and importers must warrant that they have carried out a local law assessment (i.e. relating to the jurisdiction that will receive the data) and that they have no reason to believe that local laws/practices would prevent the importer from complying with its obligations under the SCCs.
  • There is an 18 month transition period for controllers and processors to update the current SCCs in their contracts, intra-group transfer agreements etc. This is a welcome improvement on the 12 month period suggested in the November drafts. The previous SCCs can still be included in new contracts until 27 September 2021, but these contracts will then need to be updated within the transition period.

Practical Implications

The new SCCs have made some significant changes in how to implement, and how hard it is to implement, the clauses. The previous SCCs were fairly simple to implement – you just filled out the blanks in the appropriate form (i.e. controller-to-controller, or controller-to-processor) and you were done. The new SCCs are not as easy an exercise. While the original data flows under the original SCCs are still present, the new SCCs recognize that services businesses in the EU shouldn’t be left out of the thinking of the SCCs. And considering the processor in the EU working with foreign (e.g. US) data shouldn’t impose the GDPR on exclusively non-EU data, we now have “processor to sub-processor” and “processor to controller” modules.

In addition to the various modules, there are embedded “options” in the various modules as well (e.g. Clause 13). This is a significantly new format, and one which will require legal counsel to determine which module to use.

Along with the counsel needed to figure out just which modules and options to use in the SCCs, the Schrems II considerations also now demand a much higher level of legal work as part of the execution of the SCCs. Now, parties have to undertake a legal evaluation of whether or not there are local law issues which might make the enforcement of the SCCs provisions (including enforcement by 3d party beneficiaries) problematic. This evaluation has to be documented, and this documentation has to be in a form that is available to a supervisory authority should they request it. This means the documentation can’t be hidden away under attorney-client confidentiality rules. It will need to be available to a public authority.

There are a number of other tactical changes, some of which are welcome (e.g. how to deal with general authorizations of sub-processors) and some of which are less so (e.g. having to identify a specific supervisory authority where the importer doesn’t have an EU Representative). However, these will have significantly less of a “cost to implement” than the new structural and analytical requirements.

How does this affect transfers with the UK?

The SCCs are not applicable to the UK GDPR. However, the UK’s Information Commissioner’s Office (“ICO”) has said it will consider recognizing the SCCs as a valid transfer mechanism under the UK GDPR. In any event, the ICO is planning to propose, and consult on, bespoke UK SCCs for international transfers later this year. That being said, it is possible that the recognition of EU SCCs will be a contingency on the UK retaining its adequacy decision, which is currently under scrutiny. Also, the ICO has already adopted the use of the prior SCCs as part of the Brexit package. It would follow that the UK would have some sort of recognition of the EU SCCs, even in light of the UK’s promulgating their own. This is similar to the way the Swiss and the EU have managed interoperability between each of their own SCCs.

Seyfarth Synopsis:  On May 12, 2021, President Joe Biden issued a very broad, 34 page “Executive Order on Improving the Nation’s Cybersecurity.” The Executive Order, or “EO”, can be found here. This order comes six months after the notorious SolarWinds attack, and mere weeks after other high-profile attacks have invaded our networks, and shut down pieces of the nation’s critical infrastructure causing gasoline shortages in certain parts of the country.

By “force of law” the EO applies only to the federal government and federal government systems. By extension, the EO applies, or will apply, to thousands of government contractors and subcontractors that provide IT goods and services (e.g., software) to the US government. Notably, many of the cybersecurity provisions have yet to be written and many will have to go through a drafting and comment period. Other of the provisions may look “new” but have actually been around for a while (like multi-factor authentication and end-point solutions).

The order does not touch on every aspect of US business, like critical infrastructure, but it is a wonderfully good start as it sets forth certain policies and procedures that every business must (if you are a government contractor) or at least should consider enacting. The clear implication of the EO is that the government, IT contractors and providers, and the private sector can no longer wait around for the next shoe to drop. The time for action is now.

So despite being aspirational (at least for today and for some time in the future), the EO makes probably its most important point in its opening statement (Section 1. “Policy”): “We are all in this together.” Indeed the EO opens by noting:

“(C)ybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

Let’s examine below certain pieces of the EO as it applies both to the federal government and government IT contractors and providers. The private sector should note that, similar to other “standards” like the NIST Cybersecurity Framework (issued under the Obama Administration in February 2014), to the extent it doesn’t follow the guidance and the policies in the EO, they might fall squarely in the headlights of plaintiffs’ class action counsel who may say, if it was in the EO, why didn’t you follow the same guidance.

Removing Barriers to Sharing Threat Information

Given their position in providing IT goods and services to the government, the EO notes that the IT providers are in a very good position to know better than the government the threat landscape and incident information that affect the federal systems they serve. But by contract, the IT provider might be precluded from sharing that information with the government.

In response, the EO pledges that within 120 days, amendments to the contractual language already in use by the federal government is to be recommended to ensure that information pertaining to cyber threat intelligence as well as cyber incident response information can be shared promptly, ideally within three days (a three-day period is already in place under certain federal, state and EU guidelines). The EO is clear on this point: information sharing is one of its highest priorities.

Modernizing Federal Government Cybersecurity

Another high priority of the Biden Administration is the modernization of the federal government cybersecurity architecture (see Section Three of the EO):

“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”

What does this mean at the end of the day?

  • Recognizing that the Cloud is likely the future of data storage for the majority of the US Government, yet the cloud has its own set of unique risks and thus needs its own security and incident response strategy;
  • That the government will move towards a recognized system of identity and access management, including mandatory multi-factor authentication; and that
  • The government will adopt encryption of data at rest and in transit.

Enhancing Software Supply Chain Security

This section clearly relates to the government’s previous responses to the SolarWinds cybersecurity attack in December 2020. Here, the EO calls upon the National Institute of Standards and Technology to produce guidelines for enhancing the software supply chain security. This guidance shall include standards, procedures or criteria regarding:

  • secure software development environments, including such actions as:
    • using administratively separate build environments;
    • auditing trust relationships;
    • establishing multi-factor, risk-based authentication and conditional access across the enterprise;
    • documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
    • employing encryption for data; and
    • monitoring operations and alerts and responding to attempted and actual cyber incidents;
  • generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i);
  • employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
  • employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release.

Improving Detection of Cybersecurity Vulnerabilities and Incidents

Finally, like is more common already in the private sector, the EO urges the adoption of endpoint detection and response initiatives to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response. The hope is that such initiatives will support a “playbook” that would better demonstrate the EO’s mandate to provide a better level of incident response and remediation capabilities throughout all levels and departments of the levels of government.

The above is just a partial list of initiatives that the Biden Administration has put forth in the EO. There are indeed other initiatives that bear close examination like the NIST Cybersecurity Framework, and there are other technologies, like machine learning anomaly detection devices that also can potentially make the federal government more “cyber safe.” But, the most important part of the EO is that now “there is a plan.” A plan that will be reviewed by experts like the NIST, and thereafter refined and put into place. And with all good fortune that plan will spread like wildfire across the whole private sector as well. Then all parts of government and industry will likely be more cyber safe.