Digital Download May 2022

The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – May 2022

Selected Developments in U.S. Law

U.S. Department of Commerce Announces the Establishment of a Global CBPR Forum
On April 21, 2022, Canada, Japan, South Korea, the Philippines, Singapore, Taiwan, and the United States issued a Global Cross-Border Privacy Rules Declaration announcing the establishment of the Global Cross-Border Privacy Rules Forum. U.S. Secretary of Commerce Gina M. Raimondo described the establishment of the Global CBPR Forum as “the beginning of a new era of multilateral cooperation in promoting trusted global data flows” and highlighted its intent to create “first-of-their-kind data privacy certifications that help companies demonstrate compliance with internationally recognized data privacy standards.”  

Colorado Issues Pre-rulemaking Considerations for the Colorado Privacy Act
On April 12, 2022, the Colorado Department of Law released its Pre-rulemaking Considerations for the Colorado Privacy Act (CPA), following state attorney general Phil Weiser’s remarks at the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C. The department seeks informal input on several topics in addition to general comments on the CPA. Comments may be provided until the end of August 2022 by using the CPA Comment Form and attending to-be-scheduled informal listening sessions.  

Recent Updates in Two Closely Watched Cybersecurity and Privacy-Related Securities Fraud Class Actions
Observers have been awaiting decisions on a number of cybersecurity and privacy securities fraud class actions with potentially important implications for corporate liability. Over the last several months, critical developments emerged in two cases: the defendants’ motion to dismiss was granted in part and denied in part in In re Zoom Securities Litigation, and the Supreme Court denied cert of the Ninth Circuit’s decision reviving the claims in Alphabet Inc. v. Rhode Island.  

White House Releases Recommendations to Protect Against Potential Cyber-Attacks
The potential for malicious cyber activity has been a concern for the Biden Administration throughout the evolving crisis in Ukraine (including the imposition of sanctions against Russia). In response to the concern, the Administration, which faced “evolving intelligence that Russia may be exploring options for potential cyberattacks,” released recommendations on March 21, 2022 for companies to protect against cyber-attacks.  

President Biden Issues Executive Order Directing Coordinated Federal Approach to Digital Assets
As a result of the rise in digital assets, President Biden signed an Executive Order on March 9, 2022 ordering a review of the nation’s approach to cryptocurrency. The Executive Order on Ensuring Responsible Development of Digital Assets contains broad policy objectives and specific analysis to be conducted by the federal government. The Order identifies several key national priorities related to digital assets and directs the executive branch to follow the interagency process that President Biden previously implemented for the National Security Council to implement the Order. The Order directs a broad swath of U.S. federal agencies to analyze and issue assessments related to digital assets, including the viability of a U.S. central bank digital currency, a digital form of U.S. sovereign currency.  

Colorado Attorney General’s Office Issues Notice of Invitation for Informal Input on CPA Rulemaking
On March 7, 2022, the Colorado Attorney General’s Office issued to the public an invitation to submit initial input on the CPA and future rulemaking. The Attorney General’s Office is accepting informal comments on any area on which it has the authority to adopt rules and provides examples of input in the invitation. The public has until August 31, 2022 to submit comments.  

Senate Passes Significant Cyber Bill Requiring Cyber-Incident Reporting
The Strengthening American Cybersecurity Act of 2022, a bill that narrowly failed to become law last year, was passed in the Senate on Tuesday, March 1, 2022 as a package of cybersecurity measures that would require operators of critical infrastructure and federal civilian agencies to report cyber-incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency. With bipartisan support, the bill was backed by Senators Gary Peters (D-MI) and Rob Portman (R-OH). This marks the most significant cyber bill to make it through the Senate in the chamber’s history, and if passed would be the first significant cyber legislation to pass since the 2015 Cybersecurity Information Sharing Act, which gave companies legal cover to voluntarily share cyber-threat information with the government.  

CPPA Expected Not to Meet CPRA Rulemaking Deadline
At a board meeting held by the California Privacy Protection Agency (CPPA) on February 17, 2022, Executive Director Ashkan Soltani announced that the CPPA does not expect to meet the July 1, 2022, statutory deadline for adopting final regulations under the California Privacy Rights Act. The CPPA plans to schedule meetings in March and April to solicit comments from experts and the public.  

Georgia Introduces Privacy Bill Stricter Than CCPA – The Top 10 Issues
On January 26, 2022, the Georgia General Assembly introduced the Georgia Computer Data Privacy Act (GCDPA). Despite its title, the GCDPA is not a “computer”-focused bill. It is instead an omnibus privacy statute modeled after California’s Consumer Privacy Act (CCPA).  

Incomplete Cybersecurity Compliance Disclosures May Support Fraud Claim Under the False Claims Act, Federal Court Holds
On the heels of a recent Civil Cyber-Fraud Initiative related to cybersecurity practices and the False Claims Act (FCA), a cybersecurity-related FCA case has survived a motion for summary judgment, teeing up a trial to determine if the defendants’ cybersecurity compliance disclosures were materially incomplete and if any misstatements were knowingly made.    

Global Updates

EU and U.S. Reach Agreement in Principle on a Replacement for the EU-U.S. Privacy Shield
On March 25, 2022, the European Commission and the United States announced that they have reached an “agreement in principle” on a replacement for the EU-U.S. Privacy Shield, which was invalidated by the Court of Justice of the European Union in 2020. The new framework will be designed to allow personal data to flow freely between the EU and participating U.S. companies and will likely be seen as the main alternative to the standard contractual clauses released by the European Commission last year.  

Italian Supervisory Authority Imposes €20 Million Fine on Controller Outside of Europe
The Italian Garante per la Protezione dei Dati Personali published a decision on February 10, 2022 in which it imposes a €20 million fine on a company outside of Europe for violations of the EU General Data Protection Regulation.  

U.S., UK, and Australia Issue Joint Cybersecurity Advisory on Ransomware Threat to Critical Infrastructure
On February 9, 2022, the United States, United Kingdom, and Australia issued a Joint Cybersecurity Advisory on the “Increased Globalized Threat of Ransomware” against critical infrastructure sectors. The advisory lists trends in cyber-criminal activity from the last year and also provides mitigation strategies and recommendations to reduce the risk of compromise and the impact of ransomware incidents.  


In the News

  • March 16, 2022 – Kim Peretti is quoted on the significance of new federal cybersecurity incident reporting regulations in Law360.
  • March 15, 2022 – Maki DePalo is noted for representing Corient Capital Partners in its planned acquisition by CI Financial Corp in Global Legal Chronicle.
  • March 11, 2022 – Peter Swire is quoted on the implications of the proposed Foreign Intelligence Redress Authority in Bloomberg Law.
  • February 28, 2022 – Kellen Dwyer shared his concerns about misfires, misattribution, and miscalculations resulting from non-state actors joining the cyber warfare between Ukraine and Russia in the Wall Street Journal.
  • February 11, 2022 – Kellen Dwyer commented on how companies suffering a data breach could be grilled by regulators over their handling of the Log4j cybersecurity risk in Law360.
  • February 10, 2022 – Kellen Dwyer commented on a potential timeline for determining restitution following the Bitfinex bitcoin money-laundering arrests in Bloomberg Law, the Los Angeles Times, and MSN.

Publications and Advisories

Press Releases

Kim Peretti Named to Cybersecurity Docket’s 2022 “Incident Response 40”
Kim Peretti has been named to Cybersecurity Docket’s 2022 “Incident Response 40,” marking the sixth time she has been recognized among this select group of leaders in security incident management and data breach response. As described by the publication, the Incident Response 40 celebrates the “40 best data breach response lawyers in the business.”  

Amy Mushahwar Recognized as a Leading Woman in Data by Global Data Review
Amy Mushahwar has been named to Global Data Review’s (GDR) “Women in Data 2022” list, recognizing women at the cutting edge of legislation, regulation, and technology around the world. GDR analyzes the law and regulation of the use and trade of data globally.  

Alston & Bird Recognized by Chambers Global 2022
Alston & Bird has been recognized in the 2022 edition of Chambers Global, with 10 practices and 16 lawyers cited for excellence, including Privacy & Data Security (Band 4) and Kim Peretti for Privacy & Data Security and Privacy & Data Security: Incident Response (Band 3, Spotlight Table).  

Eight Alston & Bird Attorneys Named 2021 BTI “Client Service All-Stars”
Eight Alston & Bird attorneys have been named 2021 “Client Service All-Stars” in BTI Consulting Group’s annual survey of corporate counsel. Described by BTI as the “gold standard” for measuring the “absolute best levels of client service,” the report singles out Privacy, Cyber & Data Strategy attorneys Jim Harvey, Wim Nauwelaerts, and Kim Peretti.  

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti, David Keating, and Jim Harvey. It is edited by Paul Greaves and Dorian Simmons.

For additional updates, please be sure to visit our blog at

Media Contact
Alex Wolfe
Communications Director

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.