The Digital Download – Alston & Bird’s Privacy, Cyber & Data Strategy Newsletter – February 2022

 Selected Developments in U.S. Law

SEC Proposed Rule Will Require Private Funds to Report Certain Cyber Events
On January 26, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules to enhance hedge fund and private fund disclosure requirements and increase regulators’ visibility into the private funds industry. The proposed rules would amend the SEC’s Form PF, the confidential reporting form by which private funds disclose regulatory assets to the SEC, in an effort to provide regulators with information to better monitor systemic risks to the private markets as a result of the significant growth and complexity of the private fund industry, according to the SEC.

FTC Releases Warning to Companies That Fail to Mitigate Log4j Vulnerability
In December 2021, a critical vulnerability was identified in the ubiquitous, open source Log4j tool, prompting swift guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and other security practitioners. Now, the Federal Trade Commission (FTC) has warned companies that it “intends to use its full legal authority” against any company that fails to take “reasonable steps” to protect consumers from the Log4j vulnerability.

Time to Restore Trust in Data Flows Between Countries? Peter Swire Discusses Recent OECD Efforts in Developing Principles for Government Access to Data
Alston & Bird Senior Counsel Peter Swire published “Towards OECD Principles for Government Access to Data” in Lawfare. Peter and his co-authors discuss recent efforts of the Organisation for Economic Co-operation and Development (OECD) to formulate common principles regulating governmental access to personal data held by the private sector for national security and law enforcement purposes. The OECD’s efforts, if successful, will help restore trust in how governments access personal data in a world where transnational data flows have become indispensable.

Update: FTC Amendments to the Safeguards Rule and Request for Comment on Proposed Reporting Requirement Published in the Federal Register
As an update to prior coverage of the FTC’s final revisions to the Gramm–Leach–Bliley Safeguards Rule, following its publication in the Federal Register on December 9, 2021, the final rule now will take effect on January 8, 2022, 30 days after publication.

NYDFS Issues Guidance on Multi-Factor Authentication
The New York State Department of Financial Services (NYDFS) continues to refine its position on the importance of and requirements for Multi-Factor Authentication (MFA), as evidenced most recently with the release of new guidance on December 7, 2021. This new guidance is consistent with its June guidance, in which the NYDFS clarified its expectation that NYDFS-regulated entities, subject to Section 500.12 of the NYDFS Cybersecurity Regulations, implement MFA for any individual accessing the covered entity’s internal networks, externally exposed enterprise applications, and third-party applications from an external network.

CISA Issues Statement on Log4j Critical Vulnerability
Log4j is a java-based tool from Apache’s open source library used for parsing logs and never seems to have made headlines before early December. Now, following the December 9, 2021 public announcement of a vulnerability in the tool, public and private sector security partners are issuing warnings about this “critical vulnerability.” While the full scope and exploitability of this vulnerability remains to be seen, CISA has issued a statement that it is taking “urgent action.”

The Cybersecurity Incident Reporting Requirements Fail in the Latest Version of the National Defense Authorization Act
On December 7, 2021, the U.S. House of Representatives passed the National Defense Authorization Act for Fiscal Year 2022, which notably excluded any cybersecurity incident reporting requirements. In September, the House approved a previous version of the bill that included a mandatory breach notification provision that would have required CISA to develop and establish standards, procedures, and timelines for critical infrastructure owners and operators to report cybersecurity incidents, including a requirement to report incidents as early as 72 hours after confirming the incidents occurred. Such a requirement would have been a broad expansion of the government’s involvement in cybersecurity for the private sector.

Federal Bank Regulatory Agencies Release Final Rule to Require Notification of Cyber-Incidents
On November 18, 2021, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation jointly announced the approval of a final rule to improve the sharing of information about cyber-incidents that may affect the U.S. banking system. The rule applies to banking organizations, including national banks, U.S. bank holding companies, and insured state savings associations, as well as bank service providers.

Global Updates

Belgian Data Protection Authority Fines Bank for DPO’s Conflicting Roles
In a decision on December 16, 2021, the Belgian Data Protection Authority imposed a €75,000 administrative fine on a bank in Belgium for failure to comply with the requirements of Article 38.6 of the EU General Data Protection Regulation (GDPR), which says that the tasks and duties of the data protection officer must not result in a conflict of interest.

EDPB Issues Draft Guidelines on Data Subject Access Rights
On January 28, 2022, the European Data Protection Board (EDPB) published draft regulatory guidelines on the right of data subjects to have access to their personal data under the GDPR. In the draft guidance, the EDPB explains the aim and components of the right. This analysis is followed by general considerations on the assessment of access requests and the scope of the right. The EDPB also provides guidance on the practicalities of providing access and the limitations and restrictions that the GDPR imposes on the right of access.

Major Overhaul of EU Clinical Trial Rules Kicks In on 31 January 2022
On January 31, 2022, the EU Clinical Trial Regulation (CTR) came into application, almost eight years after its adoption by the European Parliament and the Council of the EU. The CTR radically changes the regulatory framework for conducting clinical trials in EU Member States and the European Economic Area countries Iceland, Liechtenstein, and Norway.

Russia Arrests Suspected Members of REvil Ransomware Gang
On January 14, 2022, Russia’s Federal Security Service issued a press release claiming that it dismantled the REvil ransomware gang by arresting 14 suspected members and seizing computer equipment, luxury vehicles, bitcoin, and fiat currency valued over $1 million. REvil is a notorious cybercriminal organization that claimed responsibility for a ransomware attack last year that temporarily crippled the world’s largest meat company by sales, and according to public reports may be closely related to the DarkSide cybercriminal organization that claimed responsibility for the ransomware attack on a critical infrastructure pipeline distribution company.

CISA Releases Warning of Destructive Malware Targeting Ukrainian Organizations
On January 16, 2022, CISA released a warning regarding destructive malware targeting Ukrainian organizations, including Ukrainian government agencies. The malware was found in multiple government, nonprofit, and information technology organizations, all based in Ukraine. CISA’s warning comes on the heels of a separate targeted attack against Ukraine on January 14, 2022, where the threat actors left a troubling message – “Be afraid and expect the worst” – on the Ministry of Foreign Affairs of Ukraine’s website.

EDPB Issues New Guidance for Assessing Personal Data Breaches Under the EU GDPR
On Monday, January 3, 2022, the EDPB published the finalized version of its regulatory guidance “Examples Regarding Personal Data Breach Notification” following a public consultation on a draft set of guidelines in 2021. The finalized guidelines are a practice-oriented and case-based set of examples that leverage the experiences gained by EU supervisory authorities since the GDPR became applicable.

China’s Initial Draft Regulations on the Management of Online Data Security: Important Takeaways
On November 14, 2021, the Cyberspace Administration of China released draft regulations on the Management of Online Data Security for China’s data privacy and security laws, including the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. Consistent with such laws, the regulations broadly apply to processing activities of individuals and organizations within and outside China. The regulations contain many similar principles to those set forth in other comprehensive data privacy and security laws, such as the GDPR and California Consumer Privacy Act. However, there are material differences that, if published, would reshape privacy and security compliance for many businesses.

EDPB Issues Draft Guidelines on the Interplay Between the GDPR’s Provisions on Territorial Scope and International Data Transfers
On November 18, 2021, the EDPB released draft guidelines on the interplay between Article 3 of the GDPR – which sets out the GDPR’s territorial scope – and the provisions in Chapter V of the GDPR, which impose restrictions on international data transfers. In this draft guidance, the EDPB clarifies which (cumulative) criteria must be fulfilled to have a transfer of personal data to a third country or to an international organization under the GDPR. The EDPB also discusses some of the consequences of international data transfers, in terms of making sure that appropriate safeguards are provided when transferring personal data outside the EU.

Event

• March 30–31, 2022 – Kellen Dwyer will speak on the panel “Cyber Security, Privacy and Ransomware: Critical Steps to Take in the 24 Hours Following a Data Breach” during the 13th Annual Managed Care Disputes and Litigation Conference, sponsored by the American Conference Institute, in Chicago.
• March 23–25, 2022 – Kim Peretti will speak on the panel “Cybersecurity: A Fundamental Pillar of Privacy” during the 2022 Privacy + Security Forum, Spring Academy.
• March 21–23, 2022 – Amy Mushahwar will speak on “Practical Tips to an Effective Cybersecurity Compliance” during the 2022 DRI Super Conference – Intellectual Property Litigation Seminar.
• March 15, 2022 – Amy Mushahwar will speak on security during operational digital transformation at the CISO Washington DC Summit hosted by CDM Media.
• March 10, 2022 – Jim Harvey will present “Cyber Threat Intelligence in the Real World: Using TI Solutions to Respond to, Defend Against, and Mitigate Enterprise Cybersecurity Threats.”
• March 8, 2022 – Kim Peretti and Amy Mushahwar will partner with CyberVista to host “Cyber Training for the Board and C-Suite.”
• March 3, 2022 – Amy Mushahwar will speak on the panel “Privacy from the Corporate Perspective” at the Data and Cyber Governance Conference.
• February 23, 2022 – Kim Peretti will present “Women in Cyber™ – Debunking Ransomware Myths & Misconceptions: Lessons from an Expert in the Trenches.”
• February 16, 2022 – David Keating, Amy Mushahwar, Wim Nauwelaerts, Dorian Simmons and Peter Swire will present “Alston & Bird Data Strategy Webinar Series: A Look Ahead: Privacy in 2022.”
• January 27, 2022 – Dan Felz hosted “Alston & Bird: Update on U.S. and International Privacy Laws.”
• January 13, 2022 – Kellen Dwyer spoke on the panel “Policy Discussion: How to Stop the Ransomware Pandemic” during the Incident Response Forum Ransomware 2022, sponsored by Cybersecurity Docket.
• January 10, 2022 – Amy Mushahwar was a panelist on “Data Security Law Firms – Managing & Preventing Complex Incidents” hosted by SentinelOne.
• December 16, 2021 – Amy Mushahwar was a roundtable speaker on the panel “Addressing USA Cyber Security and Trust Challenges: The Past, Present and Future” during The Cyber Security ConfEx.
• December 8, 2021 – Kellen Dwyer, Jody Hunt, and Ted Kang partnered with The Association of Corporate Counsel – CT Chapter to present “Discussing the DOJ’s Civil Cyber-Fraud Initiative.”
• December 7–10, 2021 – Kim Peretti spoke on the panel “Ransomware – Lessons Learned from the Trenches” during a conference presented by the Georgia Bar Corporate Counsel.
• December 2, 2021 – Peter Swire spoke about “Cross-Border Transfers: A Conversation” during a webinar hosted by WireWheel and TechPrivacy.
• November 17–18, 2021 – Peter Swire and Wim Nauwelaerts spoke on panels during the IAPP Europe Data Protection Congress 2021.

In the News

• January 20, 2022 – Peter Swire is quoted by the IAPP on the Austrian DPA’s Google Analytics decision.
• January 13, 2022 – Amy Mushahwar is quoted in CyberLaw Reporter on cybersecurity in product design.
• January 3, 2022 – Kellen Dwyer is quoted on CNN on the scheduled arraignment of a Russian businessman extradited to the U.S. on charges of cyber¬-hacking and securities fraud.
• December 16, 2021 – Donald Houser and Kristy Brown are noted in Law360 for representing T-Mobile in a proposed multidistrict data breach class action.
• December 15, 2021 – Kellen Dwyer is quoted in Law360 on where prosecutors may have misstepped in the trial of ex-Theranos CEO Elizabeth Holmes.
• December 15, 2021 – Peter Swire and Dan Felz’s article “New EU Data Blockages as German Court Would Ban Many Cookie Management Providers” is published by the IAPP.
• December 1, 2021 – Kathleen Benway is quoted in Cybersecurity Law Report on a proposal by the FTC that would restrict the collection and use of sensitive consumer data.
• November 15, 2021 – Kathleen Benway, Kate Hanniford, and Kim Peretti’ s article “FTC Revises the Safeguards Rule and Proposes Mandatory Reporting of Cybersecurity Events” is published by Westlaw Today.

Publications and Advisories

• February 3, 2022 – Our Securities Group publishes “SEC Proposes Amendments to Enhance Private Fund Reporting,” a deeper dive into the changes to Form PF.
• January 13, 2022 – Our Privacy, Cyber & Data Strategy Team publishes “The Log4j Vulnerability: What This Critical Vulnerability Means for Your Enterprise,” authored by Kim Peretti and Jon Knight.

Press Releases

Alston & Bird Recognized Again as a World Leader in Data Law by Global Data Review
For the second year in a row, Global Data Review (GDR) has recognized Alston & Bird as one of the world’s leading data law firms. In the “GDR 100 2022,” Alston & Bird ranks among the top 25 “Elite” firms that GDR identifies as having “consistently delivered top advice to multinational clients around the world.”

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy team, led by Jim Harvey, David Keating, and Kim Peretti. It is edited by Paul Greaves and Dorian Simmons.

For additional updates, please be sure to visit our blog at www.alstonprivacy.com.