The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – November 2023

Publications and Advisories

• November 13, 2023 – Kathleen Benway, Kate Hanniford, Amy Mushahwar, Kim Peretti, and Lance Taubin published “Privacy, Cyber & Data Strategy Advisory: FTC Approved New Data Breach Notification Requirement for Nonbanking Financial Institutions.”
• November 10, 2023 – David Brown, Cara Peterman, Kate Hanniford, Kim Peretti, Madeleine Juszynski, and Sierra Shear published “Securities Litigation / Securities Law / Privacy, Cyber & Data Strategy Advisory: The SEC Sues SolarWinds and Its CISO for Alleged Fraud and Disclosure Controls Failures.”
• November 9, 2023 – Kristy Brown, Kim Peretti, Kate Hanniford, Ashley Miller, and Lance Taubin published “Privacy, Cyber & Data Strategy / Privacy & Cybersecurity Litigation Advisory: NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation.”
• October 25, 2023 – Kim Peretti, Dan Felz, Andy Tuck, and Kai Knight published “Privacy, Cyber & Data Strategy Advisory: New Final AI Regulation from Colorado Department of Insurance—Others Likely to Follow Suit.”
• October 13, 2023 – Wim Nauwelaerts and Alice Portnoy published “Privacy, Cyber & Data Strategy Advisory: What You Should Know About the EU Data Governance Act.”
• October 12, 2023 – Kate Hanniford, Paul Monnin, and BJ Stieglitz published “White Collar, Government & Internal Investigations / Privacy, Cyber & Data Strategy Advisory: The Latest in the SEC’s Off-Network Communications Enforcement Sweep.”
• September 13, 2023 – Wim Nauwelaerts published “EU Privacy Framework Bodes Well for U.S. Life Sciences Companies” in Law360.
• September 7, 2023 – Wim Nauwelaerts and Paul Greaves published “Privacy, Cyber & Data Strategy Advisory: EU-U.S. Data Privacy Framework vs. EU Standard Contractual Clauses for Transatlantic Transfers of Personal Data.”
• September 1, 2023 – Wim Nauwelaerts published “The EU-U.S. Data Privacy Framework: Did Transferring Personal Data from the EU to the U.S. Just Get Easier?” in ALM.
• July 31, 2023 – Dave Brown, Kate Hanniford, Kim Peretti, Julia Mediamolle, Cara Peterman, Sierra Shear, Kristen Bartolotta, and Kezia Osunsade published “Securities Law / Securities Litigation / and Privacy, Cyber & Data Strategy Advisory: SEC Adopts New Cybersecurity Disclosure Rules for Public Companies.”

Selected U.S. Privacy and Cyber Updates

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the Federal Trade Commission (FTC) approved an amendment to the Safeguards Rule requiring nonbanking financial institutions to notify the FTC of any notification event where customer information of 500 or more individuals was subject to unauthorized acquisition. The amendment becomes effective 180 days after publication in the Federal Register. Importantly, the amendment requires notifying only the FTC—which will post the information publicly—and not the potentially impacted individuals.

FBI Cautions Organizations on Dual Ransomware Attacks

On September 27, 2023, the Federal Bureau of Investigation (FBI) issued a Private Industry Notification highlighting two concerning ransomware trends and providing companies with guidance on mitigating potential threat actor activity.

CISA and NSA Highlight Technology Gaps in New Guidance on Identity and Access Management

On October 4, 2023, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) published “Identity and Access Management: Developer and Vendor Challenges,” an advisory document developed by the Enduring Security Framework (ESF). The ESF is a CISA- and NSA-led cross-sector, public-private working group that works to address risks to U.S. national security systems and threats to critical infrastructure. This latest publication follows the ESF’s “Identity and Access Management: Recommended Best Practices for Administrators” advisory released earlier this year.

CISA Releases Advisory Concerning Chinese-Backed Threat Actor

On September 27, 2023, the NSA, FBI, CISA, Japanese National Police Agency, and Japanese National Center of Incident Readiness and Strategy for Cybersecurity released a joint cybersecurity advisory concerning the recent activity of a threat actor, known as BlackTech, that has been linked to the People’s Republic of China (PRC). The advisory states BlackTech is manipulating router firmware without detection to target a wide variety of entities in the government, industrial, technology, media, and telecommunications sectors. This includes multiple entities that support the Japanese and U.S. militaries.

New York Continues to Focus on Companies’ Data Security Practices

On October 5, 2023, the Office of the New York State Attorney General announced a $49.5 million multistate settlement with a donor management software company related to a 2020 data breach. Attorney General Letitia James also announced two settlements related to data breaches with entities that operate in the education industry. In both instances, the entities paid the ransom and received evidence of deletion of the stolen data.

California Privacy Protection Agency Releases Draft Regulations on Risk Assessments

On August 28, 2023, the California Privacy Protection Agency (CPPA) released two sets of draft regulations under the California Consumer Privacy Act (CCPA), one for risk assessments and another for cybersecurity audits, as part of the CPPA’s informal rulemaking process.

Penn State University Hit with False Claims Act Suit for Alleged Cybersecurity Deficiencies

On September 1, 2023, the Eastern District of Pennsylvania unsealed a qui tam False Claims Act lawsuit (originally filed on October 5, 2022) alleging Penn State University failed to provide adequate security for covered defense information as contractually required by the Defense Federal Acquisition Regulation Supplement in Section 252.204-7012.

California Proposes Annual Audits to Assess Sufficiency and Compliance of Company Cybersecurity

In August 2023, the CPPA released a discussion draft of proposed regulations under the CCPA. Importantly, the proposed regulations set forth more detailed obligations for companies’ cybersecurity programs, including routinely assessing and filing audits with the CPPA. Though these draft regulations are not yet part of an official rulemaking, the CPPA met to discuss the proposed regulations on September 8, 2023, providing additional insight into the CPPA’s priorities and what may ultimately be enacted.

Oregon Enacts Comprehensive State Privacy Law

On July 18, 2023, Oregon Governor Tina Kotek signed the Oregon Consumer Privacy Act (OCPA) into law, making Oregon the eleventh state to enact a comprehensive state privacy law. The OCPA will take effect on July 1, 2024; however, the effective date for covered nonprofits is delayed until July 1, 2025. While the OCPA aligns with some existing comprehensive state privacy laws, the various distinctions serve to highlight the fracturing data privacy and protection regulatory landscape that is emerging in the United States.

NIST Cybersecurity Framework 2.0 Released for Public Comment

On August 8, 2023, the National Institute of Standards and Technology (NIST) released the initial drafts of “Cybersecurity Framework 2.0” and “Cybersecurity Framework 2.0 Core with Implementation Examples” for public comment. This marks the first significant update to the NIST Cybersecurity Framework since its initial release in 2014. The update is intended to address current and future cybersecurity threats of all organizations and to make it easier for organizations to use the Framework. An updated Framework is important because the FTC has routinely relied on the existing Framework to determine whether a company’s data security practices are reasonable and not unfair or deceptive in violation of Section 5 of the FTC Act.

Oregon Becomes the Fourth State to Enact a Data Broker Law

On July 27, 2023, Oregon Governor Tina Kotek signed into law a bill relating to the registration of business entities that qualify as data brokers. Effective January 1, 2024, the law will require data brokers to annually register with the Oregon Department of Consumer and Business Services. The law makes Oregon the fourth state to enact a data broker law, following Vermont, California, and Texas.

Selected Global Privacy and Cybersecurity Updates

China Releases Major Changes in Its Draft Regulations on Cross-Border Data Flows

In September 2023, the Cyberspace Administration of China (CAC) released draft regulations regulating the cross-border flow of personal information and important data out of the PRC. The comment period for these regulations concluded on October 15, 2023, and the regulations may change if the CAC incorporates responses to any comments; however, the current draft regulations provide valuable insight into how the CAC intends to regulate cross-border data flows. Overall, the regulations represent a loosening of the CAC’s requirements for data transfers and an easing of the compliance burden—a welcome sign for multinational businesses with a presence in the PRC.

UK Government Makes a Bridge to the EU-U.S. Data Privacy Framework

On September 21, 2023, the UK adopted the Data Protection (Adequacy) (United States of America) Regulations 2023, also referred to as the “UK-U.S. Data Bridge.” The UK-U.S. Data Bridge will allow companies to legitimately transfer personal data from the UK to the United States on the basis of the recently enacted EU-U.S. Data Privacy Framework.

Why the New EU-U.S. Data Privacy Framework May Be Good News for Life Sciences Companies in the U.S.

U.S.-based life sciences companies can be subject to the EU General Data Protection Regulation (GDPR), even if they do not have any subsidiary, affiliate, or other physical presence in the EU. This can be the case if, for example, a pharmaceutical or medical device company in the United States acts as a sponsor of a clinical study that is conducted in one or more EU Member States with the help of local investigators or hospitals. The GDPR imposes restrictions on international data transfers and provides only limited options for justifying transfers of personal data to recipients in countries outside the EU. Sponsors in the United States may want to consider joining the EU-U.S. Data Privacy Framework—the successor to the EU-U.S. Privacy Shield—which has applied since July 10, 2023 to provide coverage for the transfer of study-related data from Europe to the United States.

Events

• November 15–16, 2023 – Alston & Bird is a sponsor of this year’s IAPP Europe Data Protection Congress in Brussels, Belgium, where the firm will be represented by Dan Felz, Kate Hanniford, David Keating, Wim Nauwelaerts, Peter Swire, Karen Sanzaro, Alysa Austin, Paul Greaves, Dorian Simmons, Lance Taubin, and Alice Portnoy. Paul Greaves will lead the roundtable “The Proposed Cyber Resilience Act: New Cybersecurity Rules for Connected Devices.”
• November 14, 2023 – Alston & Bird hosted a reception and dinner during the IAPP Europe Data Protection Congress with a panel of notable experts discussing key issues in cross-border and intra-EU data flows.
• November 8–11, 2023 – Kate Hanniford spoke on the panel “SEC Rules for Public Companies, Investment Advisers and Others,” Wim Nauwelaerts spoke on the panel “How to Prepare for the Upcoming AI Regulation in Europe,” and Peter Swire spoke on the panel “Key Issues in Legal Challenge to the EU/U.S. Data Privacy Framework” during the Privacy + Security Forum 2023, Fall Academy.
• November 7, 2023 – Dan Felz presented “The EU-U.S. Data Privacy Framework: An Update 3 Months After the Adequacy Decision” at a webinar hosted by the Austrian Association of Corporate Counsel (Vereinigung Österreichischer Unternehmensjuristen).
• October 18–19, 2023 – Kellen Dwyer spoke on the panel “Risk/Policy Track – Legal Updates” at the 24th Annual UNC Charlotte Cybersecurity Symposium.
• October 4, 2023 – Peter Swire presented “Rationalizing U.S. Cross-Border Data Policy Across the EU, China, and Global CBPRs,” hosted by Alston & Bird and the Cross-Border Data Forum.
• October 2, 2023 – David Keating moderated the panel “California Privacy Law Update & Panel Discussion: How Retailers Should Plan for 2024 and Beyond” during the California Retail Law Summit.
• September 19, 2023 – Angie Burnette presented “HIPPA: A Refresher, Trends, and What’s New” at a webinar hosted by the Ambulatory Surgery Center Association.

• November 9, 2023 – Amy Mushahwar is quoted on new measures by the New York Department of Financial Services and the FTC to beef up rules governing data breach disclosures and the protection of financial data in Law360.
• November 1, 2023 – Dan Felz is quoted on recommendations for federal agencies from the White House’s new Executive Order on artificial intelligence in LegalTech News.
• November 1, 2023 – Peter Swire is quoted on SEC cybersecurity litigation against SolarWinds in CFO Dive.
• October 31, 2023 – Dan Felz is quoted on considerations for financial services companies in the wake of the new White House Executive Order on artificial intelligence in American Banker.
• October 30, 2023 – Dan Felz is quoted on the industries impacted by the White House’s recent Executive Order on artificial intelligence in Law360 Employment Authority.
• October 19, 2023 – Amy Mushahwar is quoted on the Consumer Financial Protection Bureau’s discouragement of data scraping in American Banker.
• September 7, 2023 – Kate Hanniford is interviewed on the SEC’s new cyber-disclosure rule on The Lawfare Podcast.
• August 28, 2023 – Dan Felz is quoted on generative AI and concerns about its ripple effects in the business community in Bloomberg Law.
• August 23, 2023 – Dan Felz is quoted on new cyber-compliance reporting requirements for publicly traded companies in IT Brew.
• August 8, 2023 – Kate Hanniford and Dave Brown are quoted on how the SEC may be enforcing new rules on cyber-breach disclosures in Law360.

Press Releases

Alston & Bird Achieves 128 Tier-1 Rankings in 2024 Best Law Firms

Alston & Bird has been honored as one of the nation’s top law firms in the 2024 edition of Best Law Firms®, ranked by Best Lawyers. In addition, the firm received 27 national tier-one practice rankings and 101 metropolitan tier-one practice rankings, including Privacy and Data Security Law (Atlanta, Washington, D.C.) and Technology Law (Atlanta).

Alston & Bird Represents TRG Screen in Strategic Growth Investment

Alston & Bird advised TRG Screen, a portfolio company of Pamlico Capital and provider of enterprise subscription management solutions, in its sale to Vista Equity Partners, an enterprise software private equity firm. Amy Mushahwar, Dorian Simmons, and Kristen Bartolotta are noted from the Privacy, Cyber & Data Strategy Team.

Alston & Bird Earns Broad Recognition in 2024 Best Lawyers and Ones to Watch

The 2024 edition of The Best Lawyers in America® recognizes Kim Peretti, David Keating, Kristy Brown, Maki DePalo, and Jim Harvey, selected by their peers in the category Privacy and Data Security Law; and David Keating, Kristy Brown, Scott Kitchens, David Teske, and George Taulbee, selected by their peers in the category Technology Law.

In addition, Dan Felz and Kate Hanniford have been selected for the fourth edition of Best Lawyers: Ones to Watch® in America in the categories Privacy and Data Security Law and Technology Law.

Jim Harvey is named “Lawyer of the Year” in Privacy and Data Security Law for Atlanta.  

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves and Dorian Simmons. For additional updates, please be sure to visit our blog at www.alstonprivacy.com.

The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.