Digital Download November 2021

The Digital Download – Alston & Bird’s Privacy, Cyber & Data Strategy Newsletter – November 2021

Selected Developments in U.S. Law

Department of Defense Suspends the CMMC Pilot Program and CMMC Requirements in DoD Solicitations Pending Major Changes for CMMC 2.0. On November 5, 2021, the Department of Defense (DoD) announced it will be revamping the nascent Cybersecurity Maturity Model Certification (CMMC) program pending two separate rulemaking processes. The DoD will be updating “the program structure and the requirements to streamline and improve implementation of the CMMC program.” The primary short-term takeaway is that until the rulemaking process is complete, the DoD is suspending the CMMC Pilot Program and will not include CMMC requirements in any DoD solicitations.  

FTC Revises the Safeguards Rule and Proposes Mandatory Reporting of Cybersecurity Events On October 27, 2021, the FTC released its much-anticipated final revisions to the Gramm–Leach–Bliley Safeguards Rule, following a 3–2 vote along party lines, and also released a notice of proposed rulemaking that would require reporting to the FTC of certain cybersecurity events.  

Treasury FinCEN Releases Financial Trend Analysis of Ransomware Trends in 2021 On October 15, 2021, the Financial Crimes Enforcement Network (FinCEN) of the Treasury Department issued a financial trend analysis on ransomware relating to Bank Secrecy Act reporting filed in the first half of this year. FinCEN examined ransomware-related Suspicious Activity Reports (SARs) filed between January 1 and June 30, 2021, which included a total of 635 reports and 458 confirmed transactions that total over $590 million in suspected ransom payments. This number reflects a 42% increase from the total ransomware payments identified by FinCEN in all of 2020. If this trend continues, FinCEN estimates a higher ransomware-related transaction value in the SARs filed in 2021 than the last 10 years combined.  

Department of Justice Announces New Cryptocurrency Enforcement Team On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the creation of the National Cryptocurrency Enforcement Team (NCET). This team was created to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual exchanges and money laundering infrastructure actors. Because of the vast potential for criminal use of cryptocurrency, the Department of Justice intends to have NCET involved in cryptocurrency and blockchain technologies across all aspects of the department’s work. This initiative will build upon the work of the Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section.

Department of Justice Announces New Civil Fraud Cybersecurity Enforcement Team On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced the launch of the Department of Justice’s Civil Cyber-Fraud Initiative. The department plans to use civil enforcement tools to “pursue … those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards.” This initiative will combine the department’s roles in civil fraud enforcement, government procurement, and cybersecurity to combat new and emerging cyber-threats to the security of sensitive information and critical systems.  

California Federal Court Dismisses Data-Security-Related Securities Fraud Class Action On September 22, 2021, a California federal court dismissed a putative securities fraud class action alleging that a large title insurer that disclosed a data security incident in May 2019 made false and misleading statements related to its data security practices and the incident. The dismissal follows the June 2021 settlement of a related U.S. Securities & Exchange Commission (SEC) enforcement action. An enforcement action brought by the New York State Department of Financial Services, the first set of charges brought under that office’s cybersecurity regulations, remains pending.

California Privacy Protection Agency Issues Notice of Invitation for Preliminary Comments on Proposed Rulemaking On September 23, 2021, the California Privacy Protection Agency (CPPA) issued to the public an invitation to submit preliminary comments on proposed rulemaking under the California Privacy Rights Act (CPRA). The CPPA is accepting comments on any area where it has the authority to adopt rules, and specifically on those areas flagged in the invitation. The CPPA is “particularly interested in comments on new and undecided issues not already covered by the existing CCPA regulations.”

Key Takeaways from OFAC’s Updated Ransomware Advisory On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” While this advisory explicitly supersedes OFAC’s previous ransomware advisory from October 2020, it does not fundamentally alter OFAC’s approach toward ransom payments. Like the prior guidance, OFAC’s recent advisory reiterates the U.S. policy of “strongly discouraging” ransom payments, warns that such payments carry sanctions risk, and lists a number of “significant mitigating factors” that OFAC will consider when deciding whether to bring an enforcement response. Still, there are several significant takeaways from the updated guidance.

California Privacy Protection Agency Board Meets to Review the CPRA Rulemaking Process On September 7 and 8, 2021, the CPPA board held a public virtual meeting on the rulemaking process under the CPRA. The CPPA board indicated that it expects to initiate preliminary rulemaking activities this fall, including soliciting public comments and holding informational hearings, and to publish a Notice of Proposed Rulemaking this winter, with public hearings to take place winter 2021 / spring 2022. The CPRA requires the CPPA to adopt final regulations by July 1, 2022.

Global Updates

Belgian Supreme Court Rules That Data Protection Authority May Impose Administrative Fines Even When a Data Subject’s Personal Data Were Not Processed The Belgian Supreme Court ruled in a judgment on October 7, 2021 that a data subject has the right to lodge a complaint with the data protection authority (DPA) against a processing practice that violates the General Data Protection Regulation (GDPR) (in this case, the data minimization principle in Article 6 of the GDPR), even when the data subject’s personal data were not processed.  

China’s First Comprehensive Personal Information Protection Law – Key Takeaways On August 20, 2021, China’s first comprehensive Personal Information Protection Law (PIPL) was passed. The Cybersecurity Law, the Data Security Law, and the PIPL are the three pillars of China’s data protection framework, which govern cybersecurity, data security, and personal information protection, respectively. The Cybersecurity Law largely governs cybersecurity requirements for critical information infrastructure operators and network operators, and the Data Security Law regulates the security of data processing activities, specifically “important data” and “national core data.” PIPL, on the other hand, focuses on “personal information,” serving as China’s first comprehensive personal data privacy law, similar to the EU’s GDPR. Understanding and complying with all three laws are vital for organizations to process data of individuals in China.  

September 27 Deadline Looming for EU Standard Contractual Clauses On June 4, 2021, the European Commission issued modernized standard contractual clauses (SCCs) for the purposes of legitimizing international transfers of personal data under the GDPR. The modernized SCCs replace the three sets of SCCs that were adopted under the predecessor of the GDPR – the Data Protection Directive 95/46/EC – with effect from September 27, 2021. Contracts concluded before September 27, 2021 on the basis of the European Commission’s old SCCs will still be deemed to provide appropriate safeguards within the meaning of the GDPR until December 27, 2022.

UK Unveils Post-Brexit Data Plans with an Emphasis on International Transfers of Personal Data On August 26, 2021, the UK Department of Digital, Culture, Media, and Sport made a series of announcements shedding light on the UK’s post-Brexit data strategy. The announcements emphasized the importance of international transfers of personal data to global trade.

EDPB Reports on EU Data Protection Authorities’ Resources and Enforcement Actions On August 23, 2021, the European Data Protection Board (EDPB) published a report on the resources that the EU Member States make available to their DPAs and on the enforcement actions initiated by those DPAs.

Swiss Data Protection Regulator Is Latest to Outline Framework for Transferring Data to the SEC On June 25, 2021, the Swiss Federal Data Protection and Information Commissioner released its framework for U.S. SEC registrants to be able to provide personal data in response to SEC examination and inspection requests, while maintaining compliance with Swiss data protection laws. Entities registered with the SEC must maintain certain books and records and can be subject to the SEC’s examination, inspection, and enforcement authority. Responding to SEC requests can require cross-border transfers of personal data, and this has historically risked noncompliance under foreign data protection law.   


In the News

  • November 3, 2021 – Wim Nauwelaerts’s article “10 Key Takeaways from the European Commission’s New SCCs” was published in The Computer & Internet Lawyer.
  • October 15, 2021 – Kellen Dwyer is quoted in The Washington Post on the Department of Justice’s (DOJ) ransomware and cryptocurrency enforcement strategies.
  • October 15, 2021 – Kellen Dwyer is quoted in SC Magazine on plans by the DOJ to use the False Claims Act to regulate the cybersecurity standards of federal contractors.
  • October 7, 2021 – Kellen Dwyer is quoted in The Wall Street Journal on the DOJ’s use of the False Claims Act to pursue federal contractors that do not adhere to cybersecurity standards.
  • October 1, 2021 – Kim Peretti and Kate Hanniford’s article “Top 7 Issues All General Counsel Need to Know About Ransomware” was published in The Computer & Internet Lawyer.
  • September 24, 2021 – Cara Peterman and Sierra Shear’s article “Key Trends in Recent Cyber-Related Securities Class Actions” was published in Law360.
  • September 7, 2021 – Kellen Dwyer’s article “The Best Way to Stop Ransomware Attacks: Be Proactive, Not Reactive” was published in The Wall Street Journal.
  • August 26, 2021 – Sean Sullivan contributed to the American Health Law Association survey “Survey of Applicability of State General Privacy and Breach Notification Laws to Health Information.”

Publications and Advisories

Press Releases 

Alston & Bird Earns 117 Tier-1 Rankings in 2022 “Best Law Firms” Alston & Bird has been honored as one of the nation’s top law firms in the 2022 edition of U.S. News-Best Lawyers® “Best Law Firms.” The firm earned 117 national and metropolitan tier-one practice rankings.  

Jordan Myers and Cara Peterman Named to Daily Report’s “On the Rise” Class of 2021 Jordan Myers, partner in Alston & Bird’s Finance Group, and Cara Peterman, partner in the firm’s Securities Litigation Group, have been named to the Daily Report’s “On the Rise” class of 2021, representing Georgia’s most promising lawyers under the age of 40.

Alston & Bird Earns Broad Recognition in 2022 Best Lawyers and Ones to Watch Two hundred and thirteen Alston & Bird attorneys have been selected by their peers for inclusion in the 2022 edition of The Best Lawyers in America©, and 78 firm attorneys have been selected for the second edition of Best Lawyers: Ones to Watch.    

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Jim Harvey, David Keating, and Kim Peretti. It is edited by Paul Greaves and Dorian Simmons. For additional updates, please be sure to visit our blog at The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.