Selected Developments in U.S. Law
NIST Publishes Privacy Framework Version 1.0
On January 16, 2020, the National Institute of Standards and Technology (NIST) published Version 1.0 of its Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. A draft version was initially published for public comment on September 6, 2019. The new Privacy Framework is designed to support organizations in building customers’ trust by fostering ethical, privacy-focused decision-making, fulfilling compliance obligations, and facilitating communication about privacy practice with individuals, business partners, assessors, and regulators.
FTC Blog Post Highlights Efforts to Strengthen Data Security Orders
On January 6, 2020, the Federal Trade Commission’s (FTC) Bureau of Consumer Protection Director Andrew Smith published a blog post summarizing the agency’s “new and improved FTC data security orders,” as part of its efforts to provide “better guidance for companies” and “better protection for consumers.” Smith noted that strengthening the FTC’s orders in data security cases was one of his and Chairman Joe Simons’s first priorities. Smith highlights three primary areas where the agency strengthened order provisions over the past year: increased specificity, increased accountability of third-party assessors, and improved corporate governance on data security issues.
Warning: Iranian Cyber Response Possible Against Private Industry
After the announcement of the killing of Major General Qassem Soleimani, a leader of Iran’s Quds Force, on January 3, 2020, several regulators put industry on high alert of the increased potential for cyber attacks. Iran has a known history of launching cyber attacks against U.S. industry, and regulators warned industry to prepare for a possible rise in cyber attacks.
“Calif. Privacy Law Compliance Strategy for In-House Counsel,” Law360, December 19, 2019
A company’s information security program may satisfy baseline notions of reasonable security (and may even be technically innovative), but how does it demonstrate reasonable technology deployment, staffing, and processes when faced with scrutiny from regulators, allegations by plaintiffs, or inquiries from business partners? Now that the California Consumer Privacy Act Jan. 1 compliance deadline has passed and regulatory scrutiny continues to intensify, the need to demonstrate successful implementation of reasonable security requirements has never been more critical.
Treasury Announces Sanctions Against Cybercriminal Group Behind “Dridex” Malware, Offering Mitigation Strategies for Businesses
On December 5, 2019, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued sanctions against Evil Corp, a Russian cybercriminal organization that is known for distributing the Dridex malware. Dridex is a banking trojan that has been used to target financial institutions across the globe and has resulted in more than $100 million in theft.
Critical Audit Matters Disclosure Implicates Information Technology and Security
As independent auditors to public companies and business development companies began to make required disclosures of critical audit matters to the audit committee in early November 2019, such reports included discussion of information security programs and information technology controls. Independent auditors have treated material weaknesses in certain information technology controls as material weaknesses in internal controls over financial reporting due to the potential to impact financial reporting.
SHIELD Act Overhauls New York’s Data Breach Notification Framework
New York’s new breach notification provisions came into effect, a result of New York’s passage of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July. The SHIELD Act’s breach notification provisions went into effect on October 23, 2019, while the new data security requirement goes into effect on March 21, 2020.
Alston & Bird Details 21 Potentially Significant Impacts from Draft CCPA Regulations
On October 10, 2019, the California attorney general published much-anticipated proposed regulations under the California Consumer Privacy Act (CCPA). The regulations are extensive and contain a number of potentially material business impacts. To help companies work through the regulations, Alston & Bird’s Privacy & Data Security Team published a client advisory outlining “21 Potentially Significant Business Impacts” from the proposed CCPA regulations.
Nevada’s Online Privacy Law Takes Effect
Nevada’s online privacy law, SB 220, which was signed into law in May 2019, went into effect on October 1, 2019. Nevada’s law gives consumers greater control over the sale of personal information collected about them online. The Nevada law requires certain businesses, on receipt of a request from a Nevada consumer, to stop selling personal information and, within 60 days of a request, to respond to and honor requests not to sell going forward.
White Paper on Privacy Issues in Proposed New National Medical Claims Database
Prof. Peter Swire, Elizabeth and Thomas Holder Chair at the Georgia Tech Scheller College of Business and senior counsel at Alston & Bird, published a new white paper, “Possible Privacy, Cybersecurity, and Data Breach Issues in the Proposed National Medical Claims Database Under Section 303 of S. 1895.” This white paper solely discussed Section 303. The white paper discussed the four key stages of how data would flow in the proposed system.
California Passes Several Amendments to the California Consumer Privacy Act
The California legislature passed several amendments to the California Consumer Privacy Act of 2018 on September 13, 2019. (See our previous blog posts: “Which CCPA Amendments Made the Cut?” and “Potential Changes to the CCPA; California Senate Considers Amendments”).
New Hampshire Passes Insurance Data Security Law
New Hampshire passed its Insurance Data Security Law based on the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. The law establishes standards for insurance department licensees to develop risk-based information security programs and provide notification obligations in response to cybersecurity events.
EU Updates
French CNIL Launches Public Consultation on Cookie Consent Recommendations
On January 14, 2020, the French data protection authority (CNIL) launched a public consultation on its draft recommendations for the collection of consent in the context of cookies and other tracking technologies. Under EU ePrivacy rules, such technologies generally may not be placed on – or accessed from – users’ devices without informed consent.
Wim Nauwelaerts Authors Summary of EDPB’s Guidelines of the GDPR
Wim Nauwelaerts, Brussels partner and leader of the firm’s EU Privacy & Data Protection practice, authored a summary of the European Data Protection Board’s (EDPB) guidelines on the territorial scope of the GDPR. On November 12, 2019, the EDPB adopted the final version of its guidelines – almost one year after they had been published in draft form.
Schrems 2.0: Standard Contractual Clauses Declared Valid by EU Advocate General
The advocate general’s opinion of December 19, 2019 deemed valid the standard contractual clauses (SCCs) adopted by the European Commission for the transfer of personal data from controllers to processors. Many companies rely on SCCs as a mechanism for transferring personal data from the EU to non-EU countries in compliance with the GDPR. The opinion therefore confirmed that companies relying on SCCs do not need to consider changing their practices.
FashionID: Another Significant ECJ Case with Potential Impacts Across the AdTech Ecosystem
On July 29, 2019, the European Court of Justice (ECJ) issued its decision in the case of FashionID GmbH & Co. KG v. Verbraucherzentrale NRW. The ECJ found that websites that integrate Facebook plugins are jointly responsible for the data collected by those plugins and sent to Facebook. Despite the somewhat innocuous-sounding holding, this decision is a major milestone in determining who is responsible (and liable) for the routine integrations that occur on practically every website. The court’s reasoning arguably applies beyond Facebook to the broader third-party advertising environment. It will potentially have implications for website publishers of all kinds and the online advertising ecosystem.
EU Ethics Guidelines for AI Are Just the Beginning
As previously discussed on the Alston & Bird Privacy Blog, the European Commission High-Level Expert Group on Artificial Intelligence released on April 8, 2019 the final version of its Ethics Guidelines for Trustworthy AI. The guidelines, although not legally binding, are important because they represent the first significant government-initiated effort to influence the use of AI systems.
New Additions
Alston & Bird Expands Privacy and Cybersecurity Capabilities with FTC Veteran
Alston & Bird expanded its privacy and cybersecurity litigation practice in Washington, D.C. with partner Kathleen Benway. Benway, a former U.S. Federal Trade Commission (FTC) chief of staff, brings exceptional experience at the FTC, FCC, and Senate with consumer protection law and policy, especially in privacy and data security.
Senior Privacy, Cybersecurity Partner Wim Nauwelaerts Joins Alston & Bird
Alston & Bird has strengthened its global platform for advising on EU and international data protection with the addition of senior privacy and cybersecurity attorney Wim Nauwelaerts as partner in the firm’s Brussels office. Arriving from Sidley Austin LLP, Nauwelaerts is a veteran privacy and cybersecurity attorney with more than 20 years’ experience.
Upcoming Events
- Women in Cybersecurity (WiCyS) 2020 Conference – March 12–14, 2020. Kim Peretti and Amy Mushahwar will present on the panel “Best Practices for Companies to Engage with Law Enforcement and Counsel in Response to a Cybersecurity Incident.”
- 2020 IAA Investment Adviser Compliance Conference – March 5–6, 2020. Kim Peretti will present on the breakout session panel “Cybersecurity as a Second Language: Increasing Cybersecurity Fluency.”
- Webinar: Preparing, Responding, and Recovering from a Cyber Incident: Tools and Techniques – March 3, 2020. Kate Hanniford will present.
Additional Resources
- Webinar: Preparing for the CCPA – Reasonable Security: Can You Produce It? – January 16, 2020. Presented by Kim Peretti, Amy Mushahwar, and Kate Hanniford.
In the News
- January 27, 2020 – David Keating is quoted in AdExchanger on the regulatory variations companies face complying with the GDPR, CCPA, and COPPA.
- January 14, 2020 – David Keating is quoted in AdExchanger on trends in state-based privacy bills.
- January 10, 2020 – Maki DePalo is noted in Politico and The Daily Report for her promotion to partner in the firm’s Privacy & Data Security Group in Atlanta.
- December 18, 2019 – Kathleen Benway is quoted in Cybersecurity Law Report on the U.S. Federal Trade Commission’s strengthened data security orders and the implications for businesses. (Subscription required)
- December 2019 – Kathleen Benway is noted in Cybersecurity Law Report, The Hill, The Washington Post, Bloomberg Law, and The Deal as a new litigation partner in the firm’s Washington, D.C. office.
- October 2019 – Wim Nauwelaerts is noted in The Privacy Advisor, Legal Week, Legal Business, and Global Data Review for joining as a privacy and cybersecurity partner in the firm’s Brussels office.
- October 4, 2019 – Peter Swire comments in Bloomberg Law on how the U.S. and UK’s Bilateral Data Access Agreement will impact tech companies and cloud providers. (Subscription required)