On December 15, 2020, the U.S. Federal Deposit Insurance Corporation (FDIC) approved and the federal banking agencies jointly announced on December 18 a notice of proposed rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (NPR).1 The NPR is a joint proposal by the Office of the Comptroller (OCC), the Board of Governors of the Federal Reserve System (Board), and the FDIC.
The thesis articulated in the article linked here is that (1) nearly all companies relying on standard contractual clauses for data transfers to the US under the EU General Data Protection Regulation are not electronic communications service providers for purposes of FISA 702 (i.e., only companies in the business of providing communications services would be covered) and (2) data transfers from Europe to the US under SCCs may not be targeted under FISA 702 and EO 12333 because they are (i) quintessential “US person communications” because either the data exporter is a U.S. person or the data importer is a U.S. person, or more likely, both are US persons and (ii) received by a person located in the U.S. Accordingly, the concerns expressed by the EU Court of Justice in Schrems II should not be problematic for nearly all U.S. companies relying on SCCs.
On December 10, 2020, the California Attorney General (“AG”) proposed additional edits to the CCPA Regulations. These changes both build upon the updates that were proposed on October 12, 2020, and add some new content. All of the newly proposed changes relate to the right to opt-out of the sale of personal information. For a summary of all changes proposed on October 12, 2020, please see our post here.
On October 1, 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory that highlights the risk of potential U.S. sanctions law violations if U.S. individuals and businesses comply with ransomware payment demands.1
Ransomware attacks use malware, often injected through phishing schemes, to encrypt a victim’s data files or programs, followed by a ransom demand by the threat actor that offers the decryption key in exchange for payment. Payment is often demanded in bitcoin, and thus third-party services are often used to make such payments. Increasingly, ransomware attacks not only lock data up but steal data from the victim and threaten to publish sensitive files belonging to victims. According to OFAC, ransomware attacks have been increasing over the last two years and are a special risk during the COVID-19 pandemic, with cybercriminals targeting not only large corporations but also small to medium enterprises, hospitals, schools, and local government agencies.2
On September 28, the U.S. government released a “White Paper” addressing how U.S. companies might justify their continued transfer to the U.S. of personal data of EU residents, following the decision of the Court of Justice of the European Union (“CJEU,” or “ECJ”) in Schrems II – more formally known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (July 16, 2020). The Schrems II decision struck down the EU-U.S. Privacy Shield as a basis for transferring EU personal data to the United States because of the Court’s view that U.S. national security law did not provide equivalent privacy protections to those available in the EU. While the CJEU upheld Commission-approved Standard Contractual Clauses (“SCCs”) as a basis for transfers of EU personal data to the U.S., the Court imposed significant new hurdles for the use of SCCs.
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
On August 14, 2020, California’s Office of Administrative Law approved and filed with the California Secretary of State final regulations implementing the California Consumer Privacy Act. The regulations, drafted by California’s Office of the Attorney General (OAG), went through three rounds of changes during the rulemaking process and were finally enacted more than two years after the CCPA was signed into law. The CCPA is a landmark state privacy law that grants consumers new privacy rights, and requires businesses to enhance disclosures about their data practices and facilitate consumer privacy rights. (more…)
On July 21, 2020, the New York State Department of Financial Services (NYDFS or the Department) issued a statement of charges and notice of hearing (the Statement) against First American Title Insurance Company (First American) for violations of the Department’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (Cybersecurity Regulation or Regulation). The First American Statement of charges alleges six violations of the Cybersecurity Regulation and marks the Department’s first action pursuant to the Regulation, which is enforced by the recently created NYDFS Cybersecurity Division.1
NYDFS’s Statement seeks relief against First American, including civil monetary penalties and an order requiring First American to remediate any defined violations. Although the Statement does not include a calculation of the total penalty, the NYDFS explains that the civil monetary fines against First American are to be assessed pursuant to the Financial Services Law, which provides for a maximum civil monetary penalty of $1,000 per violation of the Regulation.2 Because First American’s violations included the exposure of millions of documents containing nonpublic information (NPI), the total penalty potentially could be substantial. The First American hearing is scheduled to occur on October 26, 2020, at the NYDFS.
Posting revised August 13, 2020
On July 2, 2020, Sidley partner Alan Raul, founder and co-head of Sidley’s Privacy and Cybersecurity practice, hosted Adam Klein, Chairman of the Privacy and Civil Liberties Oversight Board (“PCLOB” or “the Board”), for a Monitor-Side Chat.
The discussion focused largely on the Commission’s work since Mr. Klein became Chairman in October, 2018. Key topics of the chat included:
- Mission, Operation and Access of PCLOB
- Balancing Counter-Terrorism and Privacy
- Comparison of U.S. and Foreign Checks and Balances
- FISA Reform
- Emerging Technologies
In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court – the Court of Justice of the European Union (“CJEU”) ruled on 16 July 2020 that a key legal mechanism (called the EU-US Privacy Shield program) used to enable transfers of personal data from the European Union (“EU”) was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism (called Standard Contractual Clauses) is used. The case – Data Protection Commissioner v. Facebook Ireland, Max Schrems (“Schrems II”) – considered the validity of the EU-US Privacy Shield (“Privacy Shield”) program (a privacy certification made available for US organizations through an agreement between the European Commission and the US government) and Standard Contractual Clauses (“SCC”) (a form of international data transfer agreement made available for use by the European Commission).