The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – August 2022

Selected Developments in U.S. Law

Recent Exploits of Blockchain Bridges Highlight Need for Cybersecurity in Crypto and Risk of Liability
According to recent media reports, there have been several instances of blockchain bridges being hacked this year, including reports on August 2 that a bridge lost close to $200 million to upwards of 40 hackers who exploited a bug in its protocol. There were also reports in June that another bridge lost $100 million from hackers allegedly exploiting a weakness in the bridge to seize a number of different tokens, including Ethereum, Binance Coin, Tether, and Dai.

CPPA Board Opposes American Data Privacy and Protection Act
On July 28, 2022, the California Privacy Protection Agency (CPPA) board held a special public meeting to discuss state-law preemption in the American Data Privacy and Protection Act (ADPPA). The ADPPA, as currently drafted, preempts much of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). The board moved to approve the CPPA’s recommendation to oppose the ADPPA and any other federal law that would preempt the CCPA and other state-law initiatives.  

SEC Settles Enforcement Actions with Broker-Dealers and Investment Advisers for Identity Protection Deficiencies
On July 27, 2022, the Securities and Exchange Commission (SEC) separately settled three enforcement actions with broker-dealers and investment advisers for alleged deficiencies in preventing customer identity theft in violation of the SEC’s identity theft red flags rule, or Regulation S-ID. Regulation S-ID requires registered financial institutions, broker-dealers, and investment advisers that offer or maintain one or more covered accounts to maintain a written identify theft prevention program designed to detect, prevent, and mitigate identity theft of covered accounts.  

CPPA Formal Rulemaking Began on July 8, 2022
On July 8, 2022, the CPPA began the formal rulemaking process to adopt regulations implementing the amendments to the CCPA introduced by the CPRA. The proposed CCPA regulations were originally released by the CPPA on May 27, 2022, and no substantive changes have been made.

California Privacy Protection Agency Initiates Notice and Comment Period for CCPA Regulations
The CPPA issued a notice of proposed rulemaking, as anticipated, for amendments to regulations the California attorney general promulgated in 2020 and to propose new regulations under the CPPA’s mandate provided in the CPRA.

Maryland Amends Data Breach and Reasonable Security Requirements
Maryland passed House Bill 962, amending Maryland’s Personal Information Protection Act (PIPA). House Bill 962 amends certain aspects of PIPA relating to breach notification and maintaining reasonable security measures to protect personal information. The bill becomes effective October 1, 2022.  

DOJ Issues New Policy on CFAA Prosecutions
On May 19, 2022, the Department of Justice (DOJ) updated its policy for charging violations under the Computer Fraud and Abuse Act (CFAA). This is the first update to the DOJ’s policy since 2014, and it is effective immediately. The policy states that all federal prosecutors who wish to charge cases under the CFAA must follow the new policy and consult with the Criminal Division’s Computer Crime and Intellectual Property Section before bringing any charges. Importantly, the policy delineates what activities should not be criminal violations of the CFAA and emphasizes that the DOJ’s “goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.”

The California Privacy Protection Agency Solicits Public Input on Forthcoming Privacy Regulations
The CPPA board began its preliminary rulemaking activities to solicit input on forthcoming regulations under the CPRA in September 2021 when it met to review the CPRA rulemaking process. On September 22, 2021, the CPPA began soliciting preliminary written public comments. The CPPA board then held informational sessions on March 29 and 30, 2022 and stakeholder sessions between May 4 – 6, 2022. These pre-rulemaking sessions yielded some helpful information on the views of the CPPA board and the potential direction of the new regulations.  

Global Updates

Germany’s Cyber Threat Landscape – Top 3 Lessons from the BKA Situation Report
Germany boasts one of the world’s largest, most sophisticated, and international economies. Companies doing business in Germany are an increasingly relevant target for cyber-attacks. Germany’s Federal Criminal Police Office (BKA) is the federal law enforcement agency charged with investigating cyber-crime and for coordinating federal-state cooperation in cyber-crime matters. The BKA recently published an annual “Situation Report” summarizing the primary cyber-threats Germany faced in 2021. The BKA report provides a unique look into the Germany-specific threat landscape. This post summarizes three salient insights from the BKA report – the preferred targets, attack types, and attack vectors – that affected the German market in 2021.  

UK Information Commissioner’s Office Issues Warning on Ransomware Payments
On July 8, 2022, the UK Information Commissioner’s Office, together with the UK National Cyber Security Centre, published a joint letter asking the Law Society of England & Wales to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.

New Cybersecurity Rules in India Impose Strict Reporting Requirements and Steep Penalties
The Indian Computer Emergency Response Team (CERT-In) issued directions on April 28, 2022 to “strengthen the cybersecurity in the country.” The directions have significant implications for the cybersecurity landscape. Effective June 27, 2022, the directions, among other requirements, impose a strict six-hour timeline for notice of a cybersecurity incident and expand the types of cybersecurity incidents that must be reported. These directions effectively amend the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules) issued under Section 70B(5) of the IT Act.  

Belgian Supervisory Authority Sanctions News Media Company for Violating Cookie Rules
On May 25, 2022, the Belgian Supervisory Authority (GBA) announced that it had imposed a fine of €50,000 on a Belgium-based news media company for using cookies on its websites without complying with applicable cookie law requirements. The GBA decided to sanction the company mainly because although the company had obtained consent from website visitors to place cookies on their devices, the consent did not meet all the requirements of the EU General Data Protection Regulation (GDPR). This is the GBA’s first enforcement action on cookie use following a thematic investigation by the GBA into the management of cookies on the most popular news media sites in Belgium.  

EDPB Issues Draft Guidelines on the Calculation of Administrative Fines
On May 16, 2022, the European Data Protection Board (EDPB) published draft regulatory guidelines on the calculation of administrative fines for infringements of the EU GDPR. In the draft guidance, the EDPB sets out its methodology, consisting of five steps, for calculating administrative fines.  

Events

• August 30, 2022 – Kim Peretti and Cara Peterman will present “Women in Cyber – SEC Cyber Risk and Incident Disclosures: Current Trends and Looking Ahead.”
• July 20, 2022 – Dan Felz presented “The Future of the Ad-Supported Internet.”
• July 14, 2022 – Amy Mushahwar, Kim Peretti, Kate Hanniford, Alex Brown, Cliff Stanford, Jessica Keenum, Mitchell Griffith, Lee Rimler, and Todd Benoff presented during the Fourth Annual Alston & Bird Cyber, Privacy, and Litigation Virtual Summit.
• June 9, 2022 – David Keating participated in the Teach Privacy webinar “Privacy and Innovation: Strategies for Privacy Analyses of New Technologies.”
• June 9, 2022 – Yung Shin Van Der Sype chaired the 2nd Brussels Esports Seminar: “The Impact of Esports & VR in Education.”
• June 6–9, 2022 – Peter Swire spoke on the panel “Are Data Localization Policies a Looming Disaster for Cybersecurity” during RSA Conference 2022.
• June 6–7, 2022 – Kim Peretti co-chaired the PLI Institute and spoke on the panel “Keeping Up with the Latest Cybersecurity Challenges,” and Paul Greaves spoke on the panel “EU and UK Privacy Developments: New SCCs, New Guidance, and New Directions in the UK” at PLI’s 23rd Annual Institute on Privacy and Cybersecurity Law.
• May 24, 2022 – Amy Mushahwar presented “2022 PCI Security Compliance Refresh: New 4.0 Standard, Tokenization, PP2E, and the SSF.”
• May 23, 2022 – Peter Swire spoke on the panel “Government Access to Data Held by the Private Sector: How Can Democracies Show the Way” at the Computers, Privacy, and Data Protection 15th International Conference.
• May 5, 2022 – Dan Felz presented “Alston & Bird IP2022 Webinar Series: Artificial Intelligence – Legal Issues and Regulation.”

In the News

• July 7, 2022 – Kellen Dwyer is quoted on the NDO Fairness Act and the impact it will have on how judges review government requests for nondisclosure orders in Bloomberg Law.
• June 14, 2022 – Alex Brown is quoted on the significance of the proposed American Data Privacy and Protection Act in The Hill.
• June 1, 2022 – Wim Nauwelaerts is quoted on the EU’s Digital Services Act and what it means for data privacy and EU-wide obligations for digital services in Data Guidance.
• May 24, 2022 – Alston & Bird is noted for successfully representing Americold Logistics in the dismissal of a data breach lawsuit in Bloomberg Law.

Publications and Advisories

• June 1, 2022 – Alex Brown, Kathleen Benway, and Dan Felz published “FTC Blog Seems to Widen Scope of Breach Reporting Law” in Law360.
• May 24, 2022 – Our Blockchain & Digital Assets Team published “U.S. Government Steps Up Its Enforcement in the Digital Assets Space.”
• May 24, 2022 – Alysa Austin and Lance Taubin discuss OCR expectations for recognized security practices, penalties, and HIPAA settlement sharing in an Alston & Bird Healthy Byte.
• May 13, 2022 – Kellen Dwyer and Kim Peretti published “How to Fight Foreign Hackers with Civil Litigation” in Lawfare.

Press Releases

Alston & Bird Attorneys Recognized in 2023 Best Lawyers UK and Belgium
Wim Nauwelaerts has been selected by his peers for inclusion in the 2023 edition of The Best Lawyers in Belgium™ for Privacy and Data Security Law.  

Alston & Bird Widely Recognized in Chambers USA 2022
Alston & Bird has earned wide recognition in the 2022 edition of Chambers USA: America’s Leading Lawyers for Business, with 63 practice rankings and 128 leading lawyer listings, including Privacy & Data Security: The Elite and Kim Peretti (Privacy & Data Security: Band 2).  

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti, David Keating, and Jim Harvey. It is edited by Paul Greaves and Dorian Simmons.

For additional updates, please be sure to visit our blog at www.alstonprivacy.com.

The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.