The New Standard Contractual Clauses Deadline is Approaching

Posted on August 15, 2022 by Andrew Baer, Robert W. Rubenstein

On June 4, 2021, the European Commission introduced the new set of Standard Contractual Clauses (“SCCs”), a primary mechanism for lawfully transferring personal data from Europe to the United States under the European Union’s General Data Protection Regulation. These new SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. For those entities that entered into a transfer agreement based on the previous SCCs before September 27, 2021, a transition period has been granted until December 27, 2022 to switch to the new SCCs, provided that the processing operations that are the subject matter of the contract remain unchanged. Thus, all new and existing contracts must be transitioned to the new SCCs by December 27, 2022. Below is an overview of key updates in the new SCCs, and recommendations for ensuring compliance prior to the December 27, 2022 deadline.

Important Updates for the New SCCS

Modular Approach

The new SCCs are divided into four modules to address four different cross-border transfer scenarios: (i) Module One: controller to controller; (ii) Module Two: controller to processor; (iii) Module Three: processor to processor; and (iv) Module Four: processor to controller. This is different from the previous SCCs, which only contemplated cross-border transfer scenarios involving two controllers, and a controller to a processor. Under the new SCCs, the parties can tailor the clauses for their specific transfer scenario, reflecting the complexity of modern processing chains.

Transfer Impact Assessment

The new SCCs impose an obligation on the parties in all modules to conduct and record a transfer impact assessment. At the time of entering into the new SCCs, the parties must warrant that they have no reason to believe that the laws and practices applicable to the data importer are not in line with the requirements under the new SCCs. In conducting the transfer impact assessment, the parties must also account for the circumstances of the intended transfer, define the parameters of the transfer (i.e. length of processing chain), define the safeguards that are implemented, and assess the risk posed by the laws and practices of the third country of destination.

Docking Clause

While the previous SCCs did not permit additional parties to join directly, the new SCCs contain a clause that allow additional data exporters or importers to accede to the new SCCs throughout the lifecycle of the contract. The acceding party will have the rights and obligations arising under the new SCCs from the point of entering into the new SCCs.

Recommendations

In addition to using the new SCCs in any future contracts that involve data transfers from the European Union, entities should develop strategies to prioritize and update existing contracts that involve personal data transfers from Europe to the U.S. Entities need to determine if the new SCCs are needed for cross-border transfer scenarios involving a processor to a controller or a processor to a processor, as the previous SCCs were not required for these scenarios. It is critical that entities identify all existing contracts that will need to be amended to include the new SCCs before the deadline of December 27, 2022.

Tagged with: cross-border transfers, data transfer, GDPR, impact assessment, SCCs, standard contractual clauses
Posted in GDPR, Regulations, Standards

AI and Cybersecurity Issues Look Set to Dominate the Privacy Landscape in 2022

Posted on April 15, 2022 by Andrew Baer, Meghan Stoppel

Meghan Stoppel, who spent over a decade serving as an Assistant Attorney General, and later a Consumer Protection Chief, to both Democratic and Republican state attorneys generals, talks to Andy Baer, Chair of Cozen O’Connor’s Technology, Privacy and Data Security practice, about how state AGs are weighing in on both policy and enforcement with respect to privacy.

Andy: Meghan, the state privacy legislation landscape is evolving rapidly, as you discussed in your recent article in WestLaw. What other “hot” topics in privacy drew the state AGs’ attention in 2021? How might that affect their priorities in 2022? Are there any takeaways for the business community?

Meghan: No doubt, 2021 was a revealing year. We saw state AGs publicly express concern, in multiple forums, about algorithms and the potential for bias-based discrimination in automated decision-making. A number of AGs called for both cooperation and increased transparency from the business community, while the D.C. Attorney General introduced his own legislation in late 2021 to ban “algorithmic discrimination.” And although the AGs did not announce any formal enforcement actions in this area in 2021, I would not be surprised if investigations are already underway. Businesses that rely on algorithms to make automated decisions should be aware of increased AG attention in this area, especially with respect to essential products and services such as housing and financial products (e.g. credit).

Posted in Legislation, Policies and Procedures, Regulations

SEC Proposes New Cybersecurity Disclosure Rules for Public Companies

Posted on March 24, 2022 by Robert W. Rubenstein

On March 9, 2022, the SEC proposed new rules (“Proposed Rules”) that would expand cybersecurity disclosures applicable to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 (“Exchange Act”). Existing SEC rules do not explicitly require cybersecurity disclosures, and instead provide management with the discretion to reveal information based on materiality assessments. If the Proposed Rules are adopted, these rules would impose new reporting obligations with respect to cybersecurity matters, such as specifically mandating current and periodic reporting of material cybersecurity incidents, and also requiring periodic disclosure of a company’s policies and procedures to identify and manage cybersecurity risks, management’s role and expertise in implementing cybersecurity policies, procedures, and strategies, and the board of directors’ oversight role and cybersecurity expertise, if any.

Tagged with: breach, cyber security, cybersecurity, data breach, data security, public companies, rules
Posted in Regulations

Federal Agencies Announce a New 36-Hour Cybersecurity Incident Rule Reporting Requirement

Posted on January 5, 2022 by Robert W. Rubenstein

On November 18, 2021, the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, the “Agencies”) issued a new rule (the “Rule”) that requires banking organizations and their bank service providers to report any “significant” cybersecurity incident within 36 hours of discovery, as set forth in the Federal Register (see 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC). Due to the frequency and severity of cyberattacks on the financial services industry, the Rule is intended to promote the timely notification of “computer-security incidents” (as defined below) that may materially and adversely affect entities regulated by the Agencies. The Rule takes effect on April 1, 2022, with full compliance required by May 1, 2022.

FTC’s Amended Safeguards Rule Imposes Significant Requirements on Covered Entities

Posted on December 17, 2021 by Robert W. Rubenstein

On October 27, 2021, the Federal Trade Commission (“FTC”) announced new updates to the Gramm-Leach-Bliley Act (“GLBA”) by amending the Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” and issuing a final rule (the “Final Rule”). The Safeguards Rule is designed to protect the security and integrity of consumer personal information that is collected by financial institutions by ensuring that financial institutions put in place administrative, technical, and physical safeguards to protect personal information. The Safeguards Rule requires financial institutions under the FTC’s jurisdiction to implement measures to keep customer information secure and to ensure that their affiliates and service providers also safeguard customer information in their care.

Tagged with: data security, financial institutions, privacy, safeguards, Safeguards Rule, security practices
Posted in FTC, GLBA, Regulations

Statement of Work Can Make or Break Discoverability of Data Breach Report

Posted on September 2, 2021 by Matthew Siegel

A recent decision from a federal court in Pennsylvania highlights the importance of a carefully crafted statement of work (“SOW”) when commissioning an investigative report in response to a data security breach. A convenience store chain recently learned this lesson the hard way when it was ordered to produce to plaintiffs’ counsel a report it commissioned from a cybersecurity consultant to determine the scope of a data breach. The store — which is the defendant in a class action stemming from a 2019 malware attack that compromised customer information — argued that the report was protected from discovery under the attorney-client privilege and/or work product doctrine because the consultant was hired by counsel. The defendant had engaged that counsel for advice on any notification obligations flowing from the attack.

Posted in Data Breach, Discovery, Litigation

State Privacy Law Update – Colorado and Nevada

Posted on July 7, 2021 by Benjamin Mishkin

While a uniform federal privacy law in the United States continues to be an uncertain prospect overshadowed by other national priorities such as infrastructure and COVID relief, state legislatures have pushed forward with their own privacy regimes, resulting in an increasing patchwork of laws which businesses must parse in order to remain compliant. State legislatures across the country continue to develop and expand privacy protections for their citizens, as Colorado recently became the third state in the USA to create a privacy regime with echoes of the European Union’s General Data Protection Regulation (“GDPR”), and Nevada adjusted its existing data broker law in a manner that will require companies doing business in that state to reassess their exposure and compliance needs.

Posted in Data Security, Legislation, Privacy, Regulations

Introduction to the Virginia Consumer Data Protection Act – Part II

Posted on May 25, 2021 by Christopher Dodson

This is the second installment of our summary of the Virginia Consumer Data Protection Act (“VCDPA”). In our first post, we covered the goals of the law as well as its applicability and thresholds, what qualifies as personal data, the consumer rights created by the VCDPA, and introduced the concepts of controllers and processors. In this post, we address some of the specific requirements for controllers and processors, as well as de-identification and pseudonymization of personal data, and enforcement of the VCDPA.

Getting Tough with Zero Trust – Biden Bolsters Cybersecurity via Executive Order

Posted on May 17, 2021 by Benjamin Mishkin

On May 12, 2021, President Biden issued Executive Order No. 14028, entitled “Improving the Nation’s Cybersecurity”, setting out new and enhanced cybersecurity standards for federal government agencies and the commercial software products utilized by them. The Biden administration’s order comes in the wake of increasingly damaging and sophisticated cyber-attacks on American companies and infrastructure, most notably the recent Colonial Pipeline ransomware attack, which temporarily shuttered the nation’s largest fuel pipeline, creating gasoline shortages and inducing panic-buying at gas stations throughout the southeastern United States. Recognizing the gravity of the cybersecurity threat, President Biden’s order calls for “bold changes and significant investments in [cybersecurity in] order to defend the vital institutions that underpin the American way of life[,]” and identifies “the prevention, detection, assessment, and remediation of cyber incidents [a]s a top priority and essential to national and economic security[.]” The executive order has two main areas of focus: bolstering and harmonizing cybersecurity standards across the federal government, and calling for the creation of new, stricter cybersecurity requirements for commercial software products utilized by federal government agencies.

Introduction to the Virginia Consumer Data Protection Act – Part I

Posted on May 10, 2021 by Christopher Dodson

Virginia recently joined California in enacting a comprehensive data protection law intended to protect the privacy of its residents. The Virginia Consumer Data Protection Act (the “VCDPA”) is scheduled to take effect on January 1, 2023, so impacted businesses have significant lead time to prepare. This is the first of two posts covering the VCDPA.

The VCDPA has two main goals: (1) providing Virginia residents with expanded rights in connection with their personal data, and (2) imposing obligations on businesses, such as securing personal data, limiting use of personal data to disclosed purposes, and flowing down requirements to processors receiving personal data. While many of the details differ, the overall approach of the VCDPA is very reminiscent of the European Union’s General Data Protection Regulation (“GDPR”) but without some of the more prescriptive elements. Businesses with existing GDPR or California Consumer Privacy Act (“CCPA”) compliance programs will be well positioned for VCDPA compliance.

Tagged with: CCPA, consumer, controllers, GDPR, legislation, personal data, privacy, sensitive data, VCDPA
Posted in Data Security, Legislation, Privacy, Regulations, VCDPA