Federal Agencies Announce a New 36-Hour Cybersecurity Incident Rule Reporting Requirement

Posted on January 5, 2022 by Robert W. Rubenstein

On November 18, 2021, the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, the “Agencies”) issued a new rule (the “Rule”) that requires banking organizations and their bank service providers to report any “significant” cybersecurity incident within 36 hours of discovery, as set forth in the Federal Register (see 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC). Due to the frequency and severity of cyberattacks on the financial services industry, the Rule is intended to promote the timely notification of “computer-security incidents” (as defined below) that may materially and adversely affect entities regulated by the Agencies. The Rule takes effect on April 1, 2022, with full compliance required by May 1, 2022.

FTC’s Amended Safeguards Rule Imposes Significant Requirements on Covered Entities

Posted on December 17, 2021 by Robert W. Rubenstein

On October 27, 2021, the Federal Trade Commission (“FTC”) announced new updates to the Gramm-Leach-Bliley Act (“GLBA”) by amending the Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” and issuing a final rule (the “Final Rule”). The Safeguards Rule is designed to protect the security and integrity of consumer personal information that is collected by financial institutions by ensuring that financial institutions put in place administrative, technical, and physical safeguards to protect personal information. The Safeguards Rule requires financial institutions under the FTC’s jurisdiction to implement measures to keep customer information secure and to ensure that their affiliates and service providers also safeguard customer information in their care.

Tagged with: data security, financial institutions, privacy, safeguards, Safeguards Rule, security practices
Posted in FTC, GLBA, Regulations

Statement of Work Can Make or Break Discoverability of Data Breach Report

Posted on September 2, 2021 by Matthew Siegel

A recent decision from a federal court in Pennsylvania highlights the importance of a carefully crafted statement of work (“SOW”) when commissioning an investigative report in response to a data security breach. A convenience store chain recently learned this lesson the hard way when it was ordered to produce to plaintiffs’ counsel a report it commissioned from a cybersecurity consultant to determine the scope of a data breach. The store — which is the defendant in a class action stemming from a 2019 malware attack that compromised customer information — argued that the report was protected from discovery under the attorney-client privilege and/or work product doctrine because the consultant was hired by counsel. The defendant had engaged that counsel for advice on any notification obligations flowing from the attack.

Posted in Data Breach, Discovery, Litigation

State Privacy Law Update – Colorado and Nevada

Posted on July 7, 2021 by Benjamin Mishkin

While a uniform federal privacy law in the United States continues to be an uncertain prospect overshadowed by other national priorities such as infrastructure and COVID relief, state legislatures have pushed forward with their own privacy regimes, resulting in an increasing patchwork of laws which businesses must parse in order to remain compliant. State legislatures across the country continue to develop and expand privacy protections for their citizens, as Colorado recently became the third state in the USA to create a privacy regime with echoes of the European Union’s General Data Protection Regulation (“GDPR”), and Nevada adjusted its existing data broker law in a manner that will require companies doing business in that state to reassess their exposure and compliance needs.

Posted in Data Security, Legislation, Privacy, Regulations

Introduction to the Virginia Consumer Data Protection Act – Part II

Posted on May 25, 2021 by Christopher Dodson

This is the second installment of our summary of the Virginia Consumer Data Protection Act (“VCDPA”). In our first post, we covered the goals of the law as well as its applicability and thresholds, what qualifies as personal data, the consumer rights created by the VCDPA, and introduced the concepts of controllers and processors. In this post, we address some of the specific requirements for controllers and processors, as well as de-identification and pseudonymization of personal data, and enforcement of the VCDPA.

Getting Tough with Zero Trust – Biden Bolsters Cybersecurity via Executive Order

Posted on May 17, 2021 by Benjamin Mishkin

On May 12, 2021, President Biden issued Executive Order No. 14028, entitled “Improving the Nation’s Cybersecurity”, setting out new and enhanced cybersecurity standards for federal government agencies and the commercial software products utilized by them. The Biden administration’s order comes in the wake of increasingly damaging and sophisticated cyber-attacks on American companies and infrastructure, most notably the recent Colonial Pipeline ransomware attack, which temporarily shuttered the nation’s largest fuel pipeline, creating gasoline shortages and inducing panic-buying at gas stations throughout the southeastern United States. Recognizing the gravity of the cybersecurity threat, President Biden’s order calls for “bold changes and significant investments in [cybersecurity in] order to defend the vital institutions that underpin the American way of life[,]” and identifies “the prevention, detection, assessment, and remediation of cyber incidents [a]s a top priority and essential to national and economic security[.]” The executive order has two main areas of focus: bolstering and harmonizing cybersecurity standards across the federal government, and calling for the creation of new, stricter cybersecurity requirements for commercial software products utilized by federal government agencies.

Introduction to the Virginia Consumer Data Protection Act – Part I

Posted on May 10, 2021 by Christopher Dodson

Virginia recently joined California in enacting a comprehensive data protection law intended to protect the privacy of its residents. The Virginia Consumer Data Protection Act (the “VCDPA”) is scheduled to take effect on January 1, 2023, so impacted businesses have significant lead time to prepare. This is the first of two posts covering the VCDPA.

The VCDPA has two main goals: (1) providing Virginia residents with expanded rights in connection with their personal data, and (2) imposing obligations on businesses, such as securing personal data, limiting use of personal data to disclosed purposes, and flowing down requirements to processors receiving personal data. While many of the details differ, the overall approach of the VCDPA is very reminiscent of the European Union’s General Data Protection Regulation (“GDPR”) but without some of the more prescriptive elements. Businesses with existing GDPR or California Consumer Privacy Act (“CCPA”) compliance programs will be well positioned for VCDPA compliance.

Tagged with: CCPA, consumer, controllers, GDPR, legislation, personal data, privacy, sensitive data, VCDPA
Posted in Data Security, Legislation, Privacy, Regulations, VCDPA

European Data Protection Board Releases Guidance on Cross-Border Data Flows in the Wake of Schrems II

Posted on December 14, 2020 by Andrew Baer

On November 10, the European Data Protection Board (EDPB), the European Union’s top data privacy regulator, issued long-awaited guidance setting out a framework for navigating transfers of data out of the European Economic Area (EEA) in light of this July’s landmark ruling from the Court of Justice of the European Union (CJEU) inData Protection Commissioner v. Facebook Ireland and Maximilian Schrems (otherwise known as Schrems II). The EDPB also issued a document describing the “essential guarantees” that must be respected in order to ensure that interference with data subjects’ privacy and data protection rights through surveillance of transferred data does not “go beyond what is necessary and proportionate in a democratic society.” These two documents outline the risk assessment that companies must make on a case-by-case basis (as required by Schrems II) in order to allow transfers of data out of the EEA, while the first also discusses examples of the supplementary measures that companies can employ, together with standard contractual clauses, binding corporate rules or other legal transfer tools recognized by the EU General Data Protection Regulation (GDPR), to ensure that European data subjects receive an essentially equivalent level of privacy and data protection when their data is transferred out of the EEA.

Tagged with: cross-border, data flow, data mapping, EDPD, GDPR, guidance, privacy shield, SCCs, Schrems, standard contractual clauses
Posted in GDPR, Regulations, Standards

California Privacy Rights Act Will Revamp CCPA to Include GDPR-Type Requirements

Posted on July 8, 2020 by Andrew Baer

On June 24, the eve of the July 1 enforcement date for the California Consumer Privacy Act (CCPA), the California Secretary of State certified the California Privacy Rights Act (CPRA), the latest brainchild of privacy activist (and CCPA spiritual father) Alastair Mactaggart, to appear on the November 2020 ballot after it gained the requisite number of signatures. Mactaggart’s organization Californians for Consumer Privacy, along with other prominent consumer privacy advocates, had repeatedly expressed frustration with the California legislature’s efforts to amend the CCPA in 2019 at the behest of the business community, and they responded with an even more robust comprehensive privacy law that will align California closely with the European Union’s General Data Protection Regulation (GDPR). Pre-pandemic polling has shown the CPRA to be overwhelmingly popular (with support ranging as high as 90 percent), and it is heavily favored to be approved by the voters this fall.

Posted in Uncategorized

Bipartisan Bill Would Regulate Automated COVID-19 Contact Tracing Technology

Posted on June 19, 2020 by Benjamin Mishkin

A new federal COVID-19 data privacy bill with bipartisan support, the Exposure Notification Privacy Act, would have a substantially narrower scope of application than two previous partisan draft COVID-19 privacy laws. The bipartisan bill specifically regulates “automated exposure notification services,” defined as any website or other online or mobile system “specifically to be used for . . . the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease[.]” This definition of an “automated exposure notification service” is clearly meant to encompass the rapidly proliferating universe of COVID-19 contact tracing and notification systems which are increasingly being used to send alerts to individuals who have come into close physical proximity with someone later confirmed as COVID-19 positive (although it bears noting that the bill would regulate any contact tracing system for any infectious disease, not just COVID-19). Accordingly, this new bipartisan bill markedly diverges from the approaches of two previous “dueling” partisan COVID-19 data privacy bills, both of which would have protected individuals’ COVID-19-related health information in a variety of circumstances, not only in the context of automated contact tracing. For our comparison of the previously introduced Democrat- and Republican-sponsored bills, please click here.

Tagged with: coronavirus, COVID-19, Federal Privacy Legislation, legislation, technology
Posted in Legislation, Privacy, Regulations