Digital Download February 2022

The Digital Download – Alston & Bird’s Privacy, Cyber & Data Strategy Newsletter – February 2022

 Selected Developments in U.S. Law

SEC Proposed Rule Will Require Private Funds to Report Certain Cyber Events
On January 26, 2022, the U.S. Securities and Exchange Commission (SEC) proposed new rules to enhance hedge fund and private fund disclosure requirements and increase regulators’ visibility into the private funds industry. The proposed rules would amend the SEC’s Form PF, the confidential reporting form by which private funds disclose regulatory assets to the SEC, in an effort to provide regulators with information to better monitor systemic risks to the private markets as a result of the significant growth and complexity of the private fund industry, according to the SEC.

FTC Releases Warning to Companies That Fail to Mitigate Log4j Vulnerability
In December 2021, a critical vulnerability was identified in the ubiquitous, open source Log4j tool, prompting swift guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and other security practitioners. Now, the Federal Trade Commission (FTC) has warned companies that it “intends to use its full legal authority” against any company that fails to take “reasonable steps” to protect consumers from the Log4j vulnerability.

Time to Restore Trust in Data Flows Between Countries? Peter Swire Discusses Recent OECD Efforts in Developing Principles for Government Access to Data
Alston & Bird Senior Counsel Peter Swire published “Towards OECD Principles for Government Access to Data” in Lawfare. Peter and his co-authors discuss recent efforts of the Organisation for Economic Co-operation and Development (OECD) to formulate common principles regulating governmental access to personal data held by the private sector for national security and law enforcement purposes. The OECD’s efforts, if successful, will help restore trust in how governments access personal data in a world where transnational data flows have become indispensable.

Update: FTC Amendments to the Safeguards Rule and Request for Comment on Proposed Reporting Requirement Published in the Federal Register
As an update to prior coverage of the FTC’s final revisions to the Gramm–Leach–Bliley Safeguards Rule, following its publication in the Federal Register on December 9, 2021, the final rule now will take effect on January 8, 2022, 30 days after publication.

NYDFS Issues Guidance on Multi-Factor Authentication
The New York State Department of Financial Services (NYDFS) continues to refine its position on the importance of and requirements for Multi-Factor Authentication (MFA), as evidenced most recently with the release of new guidance on December 7, 2021. This new guidance is consistent with its June guidance, in which the NYDFS clarified its expectation that NYDFS-regulated entities, subject to Section 500.12 of the NYDFS Cybersecurity Regulations, implement MFA for any individual accessing the covered entity’s internal networks, externally exposed enterprise applications, and third-party applications from an external network.

CISA Issues Statement on Log4j Critical Vulnerability
Log4j is a java-based tool from Apache’s open source library used for parsing logs and never seems to have made headlines before early December. Now, following the December 9, 2021 public announcement of a vulnerability in the tool, public and private sector security partners are issuing warnings about this “critical vulnerability.” While the full scope and exploitability of this vulnerability remains to be seen, CISA has issued a statement that it is taking “urgent action.”

The Cybersecurity Incident Reporting Requirements Fail in the Latest Version of the National Defense Authorization Act
On December 7, 2021, the U.S. House of Representatives passed the National Defense Authorization Act for Fiscal Year 2022, which notably excluded any cybersecurity incident reporting requirements. In September, the House approved a previous version of the bill that included a mandatory breach notification provision that would have required CISA to develop and establish standards, procedures, and timelines for critical infrastructure owners and operators to report cybersecurity incidents, including a requirement to report incidents as early as 72 hours after confirming the incidents occurred. Such a requirement would have been a broad expansion of the government’s involvement in cybersecurity for the private sector.

Federal Bank Regulatory Agencies Release Final Rule to Require Notification of Cyber-Incidents
On November 18, 2021, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation jointly announced the approval of a final rule to improve the sharing of information about cyber-incidents that may affect the U.S. banking system. The rule applies to banking organizations, including national banks, U.S. bank holding companies, and insured state savings associations, as well as bank service providers.

Global Updates

Belgian Data Protection Authority Fines Bank for DPO’s Conflicting Roles
In a decision on December 16, 2021, the Belgian Data Protection Authority imposed a €75,000 administrative fine on a bank in Belgium for failure to comply with the requirements of Article 38.6 of the EU General Data Protection Regulation (GDPR), which says that the tasks and duties of the data protection officer must not result in a conflict of interest.

EDPB Issues Draft Guidelines on Data Subject Access Rights
On January 28, 2022, the European Data Protection Board (EDPB) published draft regulatory guidelines on the right of data subjects to have access to their personal data under the GDPR. In the draft guidance, the EDPB explains the aim and components of the right. This analysis is followed by general considerations on the assessment of access requests and the scope of the right. The EDPB also provides guidance on the practicalities of providing access and the limitations and restrictions that the GDPR imposes on the right of access.

Major Overhaul of EU Clinical Trial Rules Kicks In on 31 January 2022
On January 31, 2022, the EU Clinical Trial Regulation (CTR) came into application, almost eight years after its adoption by the European Parliament and the Council of the EU. The CTR radically changes the regulatory framework for conducting clinical trials in EU Member States and the European Economic Area countries Iceland, Liechtenstein, and Norway.

Russia Arrests Suspected Members of REvil Ransomware Gang
On January 14, 2022, Russia’s Federal Security Service issued a press release claiming that it dismantled the REvil ransomware gang by arresting 14 suspected members and seizing computer equipment, luxury vehicles, bitcoin, and fiat currency valued over $1 million. REvil is a notorious cybercriminal organization that claimed responsibility for a ransomware attack last year that temporarily crippled the world’s largest meat company by sales, and according to public reports may be closely related to the DarkSide cybercriminal organization that claimed responsibility for the ransomware attack on a critical infrastructure pipeline distribution company.

CISA Releases Warning of Destructive Malware Targeting Ukrainian Organizations
On January 16, 2022, CISA released a warning regarding destructive malware targeting Ukrainian organizations, including Ukrainian government agencies. The malware was found in multiple government, nonprofit, and information technology organizations, all based in Ukraine. CISA’s warning comes on the heels of a separate targeted attack against Ukraine on January 14, 2022, where the threat actors left a troubling message – “Be afraid and expect the worst” – on the Ministry of Foreign Affairs of Ukraine’s website.

EDPB Issues New Guidance for Assessing Personal Data Breaches Under the EU GDPR
On Monday, January 3, 2022, the EDPB published the finalized version of its regulatory guidance “Examples Regarding Personal Data Breach Notification” following a public consultation on a draft set of guidelines in 2021. The finalized guidelines are a practice-oriented and case-based set of examples that leverage the experiences gained by EU supervisory authorities since the GDPR became applicable.

China’s Initial Draft Regulations on the Management of Online Data Security: Important Takeaways
On November 14, 2021, the Cyberspace Administration of China released draft regulations on the Management of Online Data Security for China’s data privacy and security laws, including the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. Consistent with such laws, the regulations broadly apply to processing activities of individuals and organizations within and outside China. The regulations contain many similar principles to those set forth in other comprehensive data privacy and security laws, such as the GDPR and California Consumer Privacy Act. However, there are material differences that, if published, would reshape privacy and security compliance for many businesses.

EDPB Issues Draft Guidelines on the Interplay Between the GDPR’s Provisions on Territorial Scope and International Data Transfers
On November 18, 2021, the EDPB released draft guidelines on the interplay between Article 3 of the GDPR – which sets out the GDPR’s territorial scope – and the provisions in Chapter V of the GDPR, which impose restrictions on international data transfers. In this draft guidance, the EDPB clarifies which (cumulative) criteria must be fulfilled to have a transfer of personal data to a third country or to an international organization under the GDPR. The EDPB also discusses some of the consequences of international data transfers, in terms of making sure that appropriate safeguards are provided when transferring personal data outside the EU.


In the News

  • January 20, 2022 – Peter Swire is quoted by the IAPP on the Austrian DPA’s Google Analytics decision.
  • January 13, 2022 – Amy Mushahwar is quoted in CyberLaw Reporter on cybersecurity in product design.
  • January 3, 2022 – Kellen Dwyer is quoted on CNN on the scheduled arraignment of a Russian businessman extradited to the U.S. on charges of cyber¬-hacking and securities fraud.
  • December 16, 2021 – Donald Houser and Kristy Brown are noted in Law360 for representing T-Mobile in a proposed multidistrict data breach class action.
  • December 15, 2021 – Kellen Dwyer is quoted in Law360 on where prosecutors may have misstepped in the trial of ex-Theranos CEO Elizabeth Holmes.
  • December 15, 2021 – Peter Swire and Dan Felz’s article “New EU Data Blockages as German Court Would Ban Many Cookie Management Providers” is published by the IAPP.
  • December 1, 2021 – Kathleen Benway is quoted in Cybersecurity Law Report on a proposal by the FTC that would restrict the collection and use of sensitive consumer data.
  • November 15, 2021 – Kathleen Benway, Kate Hanniford, and Kim Peretti’ s article “FTC Revises the Safeguards Rule and Proposes Mandatory Reporting of Cybersecurity Events” is published by Westlaw Today.

Publications and Advisories

Press Releases

Alston & Bird Recognized Again as a World Leader in Data Law by Global Data Review
For the second year in a row, Global Data Review (GDR) has recognized Alston & Bird as one of the world’s leading data law firms. In the “GDR 100 2022,” Alston & Bird ranks among the top 25 “Elite” firms that GDR identifies as having “consistently delivered top advice to multinational clients around the world.”

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy team, led by Jim Harvey, David Keating, and Kim Peretti. It is edited by Paul Greaves and Dorian Simmons.

For additional updates, please be sure to visit our blog at

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.