Selected Developments in U.S. Law
NYDFS Issues Report on the SolarWinds Attack and Covered Entities’ Responses
Following the SolarWinds cyber espionage attack and the resulting focus on supply chain risk, the New York Department of Financial Services (NYDFS) issued a report detailing the attack’s impact on covered entities and responses by covered entities to the attack. Although there have been no reported instances of active exploitation of NYDFS-regulated companies as a result of the attack, the networks of approximately 100 NYDFS-regulated companies were compromised.
FBI Releases IC3 2020 Internet Crime Report Showing Record Increase in Cybercrime
The FBI’s Internet Crime Complaint Center (IC3) recently released its annual report, the 2020 Internet Crime Report, which gathers statistics from nearly 800,000 complaints of suspected cybercrimes that the FBI received in 2020. This is a record number of complaints—a 69% increase from 2019—with reported losses exceeding $4.2 billion. According to the FBI, the three most reported crimes in 2020 were phishing scams, nonpayment/nondelivery scams, and extortion/ransomware.
Department of Labor Issues Cybersecurity Guidelines
On April 14, 2021, the U.S. Department of Labor announced new cybersecurity guidance for plan sponsors, plan fiduciaries, record-keepers, and plan participants. The guidance is specifically “directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act, and plan participants and beneficiaries” and is intended to mitigate cybersecurity risks to pension plans and contribution plans.
2021 Developments in State Cybersecurity Safe Harbor Laws
Only four months in and 2021 has already been a big year for state cybersecurity safe harbor legislation. Two states, Utah and Connecticut, have recently enacted or introduced a breach litigation safe harbor to incentivize businesses to protect personal information by adopting industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework and the Center for Internet Security’s Critical Security Controls.
Russia Sanctioned for Role in SolarWinds Supply Chain Attack
On April 15, 2021, the Biden Administration took a significant step in announcing sanctions against the Russian government and private Russian entities for multiple internationally destabilizing activities, including the Russian Foreign Intelligence Service’s (SVR) supply chain attack on the SolarWinds Orion platform and other technology infrastructures.
U.S. Takes Unprecedented Action to Disrupt State-Sponsored Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
On April 13, 2021, a federal district court granted a motion to partially unseal an FBI application and search warrant following the successful conclusion of an FBI operation to eradicate malicious web shells placed on U.S.-based computers by Chinese state-sponsored actors. The FBI’s use of credentialed, remote-access techniques to access, copy, and remove malware without the knowledge of the computer’s owner appears to be a novel approach by the FBI in counteracting state-sponsored cyber-attacks.
NYDFS Announces Cybersecurity Settlement, Addresses Multi-Factor Authentication Rules
On April 14, 2021, the NYDFS announced a settlement with National Securities Corporation, a licensed insurer, in connection with claims under the NYDFS Cybersecurity Regulation. The consent order requires payment of a $3 million penalty and mandatory remediation in response to alleged failures to properly implement multi-factor authentication and to notify the NYDFS of two cybersecurity events that had been reported to other regulators in 2018 and 2019, as well as for falsely certifying compliance for calendar year 2018.
Another Court Dismisses Data Breach Class Action for Lack of Standing
In what appears to be a growing trend, another federal district court has dismissed a data breach case for lack of standing. In Springmeyer v. Marriott International Inc., the plaintiffs, former guests of Marriott hotels, sued Marriott in connection with a data breach affecting over 5 million guests. Marriott moved to dismiss the plaintiffs’ complaint for lack of standing and failure to state a claim. The court dismissed the plaintiffs’ claims for lack of standing, holding that they failed to plausibly allege that their alleged injuries were fairly traceable to Marriott’s conduct—an essential element of standing.
NYDFS Reports Major Cybersecurity Settlement
In early March, the NYDFS announced a settlement involving a $1.5 million penalty and mandatory remediation in response to a mortgage lender’s alleged failure to report a cyber-breach and other alleged cybersecurity failures. This enforcement action marks the second public enforcement action under the Cybersecurity Regulation.
Virginia Becomes First State with Comprehensive Privacy Law After CCPA
On March 2, 2021, Virginia became the second state after California to pass a comprehensive privacy law when Governor Ralph Northam signed the Consumer Data Protection Act (CDPA). The CDPA contains many elements found in the California Consumer Privacy Act and other proposed privacy frameworks, as well as a number of new requirements for businesses.
President Biden Issues Executive Order on America’s Supply Chains
On February 24, 2021, President Biden announced a new Executive Order on America’s supply chains. The Order provides for two key initiatives: a 100-day review of the supply chains for certain vital products and a long-term review of supply chains in six different sectors of the U.S. economy, including the information and communications technology industrial base.
Eleventh Circuit Holds Risk of Future Harm Does Not Establish Article III Standing
As part of a growing trend, the Eleventh Circuit recently held that an alleged risk of future identity theft does not establish standing if the plaintiff does not allege any information has actually been misused. The decision, Tsao v. Captiva MVP Restaurant Partners LLC, is a blow to the data breach plaintiffs’ bar, which routinely attempts to rely on third-party reports and other generic allegations concerning a risk of future harm to attempt to establish Article III standing.
NYDFS Issues Best Practices for Cyber Insurance Risk Management
Against the backdrop of the disruptions associated with the COVID-19 pandemic and SolarWinds cyber-espionage campaign, the NYDFS has released guidance for insurers that underwrite cyber-insurance policies that contains a number of provisions expected to impact companies applying for or renewing cyber-insurance coverage, not the least of which is a specific recommendation that insurers require insureds to report cybersecurity incidents to law enforcement. Although not technically a part of the seven-pronged Cyber Insurance Risk Framework, the NYDFS guidance includes a specific recommendation against making ransom payments in response to ransomware cybersecurity incidents.
Swire Report Addresses EU Data Localization Comments, Portuguese Order Restricting U.S. Data Flow
In November, the European Data Protection Board issued draft guidance on transfers of personal data from the European Union. That guidance has prompted nearly 200 comments from companies, trade groups, and interested observers. Senior Counsel Peter Swire, along with co-author DeBrae Kennedy-Mayo, has now published a report reviewing these comments through the Cross-Border Data Protection Forum.
The GDPR Reaches the U.S. Supreme Court in Cert Petition
The EU’s General Data Protection Regulation (GDPR) has been raised in a petition for certiorari before the U.S. Supreme Court, apparently for the first time since the GDPR went into effect in 2018. A party in Vesuvius USA Corp. v. Phillips has filed a petition for certiorari in a GDPR-related discovery dispute. Of course, since this is a petition for certiorari, the Court has not decided if it will hear this GDPR issue. Even so, this case marks what appears to be the first time the GDPR has been raised in a certiorari petition to the Court as an outcome-determinative issue.
European Commission Adopts Draft UK Adequacy Decision
On February 19, 2021, the European Commission adopted a draft “adequacy decision” in favor of the UK. The adoption of the draft adequacy decision marks the first step in ensuring the continued free flow of personal data from EEA countries to the UK under the GDPR. Once (and if) the final adequacy decision is adopted, companies in the EEA can (continue to) transfer personal data to data recipients in the UK without putting in place additional compliance measures—such as standard contractual clauses or binding corporate rules.
- May 4, 2021 – Kim Peretti, Wim Nauwelaerts, and Larry Sommerfeld spoke at Alston & Bird’s 2nd Annual Cyber Seminar “Handling Personal Data Breaches Under the GDPR.”
- April 22, 2021 – Kim Peretti moderated the Alston & Bird Women in Cyber™ network panel discussion “Post SolarWinds: The Role of Government in Cybersecurity.”
- April 19, 2021 – Kim Peretti spoke at the session “The Public & Private Sector’s Role in Cybersecurity” hosted by Cardozo’s Women in Tech Law (WiTL).
- March 24, 2021 – Peter Swire spoke at the session “Europe and Schrems II: What’s Next?” at the ABA’s 69th Antitrust Law Spring Meeting, discussing how companies can manage this shifting terrain, including using standard contractual clauses and binding corporate rules, to facilitate business between EU and non-EU countries.
- March 11, 2021 – Kim Peretti spoke at the session “Practice Areas, Demystified: Real Talk About Careers in 8 Fields: Cyber Security Law” during Meeting the Moment, Ms. JD’s 12th Annual Conference on Women in the Law.
- March 8, 2021 – Amy Mushahwar spoke at the “Current Issues in Cloud Computing” webinar hosted by Lorman, discussing the various challenges associated with transitioning more information systems, applications, and data to a cloud environment.
- March 3, 2021 – Kim Peretti spoke at the “Cybersecurity: The Latest and Best Practical Information” seminar, sponsored by the New England Corporate Counsel Association (NECCA).
In the News
- March 25, 2021 – Peter Swire commented for Bloomberg Law on the negotiations between the United States and European Union over the privacy shield framework for transatlantic data flows in the article “EU-U.S. Data Privacy Talks Pick Up as Companies Sit in ‘Limbo.’”
Publications and Advisories
- April 21, 2021 – Alysa Austin’s article “2021 Developments in State Cybersecurity Safe Harbor Laws” was highlighted by JD Supra in its “Morning Brief” newsletter.
- April 1, 2021 – Kim Peretti, Jon Knight, and Emily Poole’s article “Maintaining Attorney-Client Privilege and Work Product Protections over Forensic Reports in Light of ‘Wengui v. Clark Hill’” was published by Law Journal Newsletters.
- March 4, 2021 – Kim Peretti and Kate Hanniford’s article “Managing a Cyber Crisis: 7 Practical Tips to Recover with Strength” was published by Law Journal Newsletters.
Alston & Bird Recognized by Chambers Global 2021
Alston & Bird has been recognized in the 2021 edition of Chambers Global, with eight practices and 11 lawyers cited for excellence. Chambers Global also recognized Kim Peretti as a leading lawyer in the area of Privacy & Data Security.
Kim Peretti Named to Cybersecurity Docket’s 2021 “Incident Response 40”
Kim Peretti was named to Cybersecurity Docket’s 2021 “Incident Response 40,” marking the fifth time she has been recognized among this select group of leaders in security incident management and data breach response.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Jim Harvey, David Keating, and Kim Peretti. It is edited by Alysa Austin, Paul Greaves, and Dorian Simmons.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.