Things You Should Know Leading Up to World Data Privacy Day 2021
January 20 - January 28, 2021
HIPAA and Sharing of Medical Information During COVID-19
January 27, 2021
By: Craig W. Anderson
In Bond’s Jan. 26 webinar about the evolving legal implications of COVID-19 for businesses, healthcare and data privacy attorney Craig W. Anderson recorded a short video discussing the application of the Health Insurance Portability and Accountability Act (HIPAA) to medical information being exchanged in order to comply with mandates pertaining to vaccinations and reporting.
Although the Office for Civil Rights (OCR) is exercising “enforcement discretion” during the public health emergency for certain uses and disclosures of protected health information, as a general rule, HIPAA’s privacy and security rules are still in force. HIPAA still applies to covered entities and business associates who are exchanging protected health information. Generally speaking, entities that are not covered entities or business associates (as defined by HIPAA) need not comply with HIPAA’s regulations; however, other privacy or confidentiality laws – for example those under the ADA, FMLA or FERPA – may still apply.
What’s On the Horizon: 2021 State and Federal Data Privacy Legislation
January 26, 2021
By: Elizabeth L. Lehmann, Fred J. M. Price, and Shannon A. Knapp
The United States is continuing to see a flurry of state legislation concerning consumer data privacy. In 2020, at least 30 states and Puerto Rico considered some type of legislation related to consumer privacy. Most of these laws failed or were indefinitely tabled, likely due to the coronavirus. Most notably, the end of 2020 saw the passage of Proposition 24, also known as the California Privacy Rights Act (CPRA) (see our article available here for more information on CPRA).
The beginning of 2021 has followed 2020’s trajectory. Numerous state legislatures have already introduced comprehensive consumer privacy laws. These states include Connecticut, Minnesota, New York, Virginia and Washington. Washington state has been considering the Washington Privacy Act for two years, but it has failed each time in the Assembly. However, Washington has a good chance of passing a GDPR-like bill this year. The bill has overwhelming support in the Washington state Senate, and the primary stalling point in the state Assembly has been whether there should be a private right of action. Once this issue is resolved, the bill will have the support needed to pass. Unlike previous bills, this bill is divided into four parts. Part one concerns the processing of personal data by the private sector. In response to the COVID-19 pandemic, parts two and three concern the processing of personal data for public health emergencies. Part four includes miscellaneous provisions. If passed, the provisions would become effective July 31, 2022. Similarly, New York and Minnesota both reintroduced bills concerning comprehensive data privacy protections.
On the federal side, it is reported that President Biden has data privacy and cybersecurity on his executive agenda. With Democratic control of Congress, there is high potential for viable federal data privacy legislation in 2021 or in the years to come. The tech field anticipates that the Biden administration may focus on passage of a comprehensive federal data privacy law along with other measures related to data privacy and cybersecurity, such as reintroducing a cybersecurity coordinator to the White House and increasing Federal Trade Commission (FTC) enforcement activity. There is also bipartisan support for data privacy legislation, as both Republican and Democratic representatives have proposed bills in prior Congressional terms that contain many similar provisions. The federal government is also working to address the invalidation of the EU-U.S. Privacy Shield after the CJEU’s Schrems II decision.
2021 will likely see increased data privacy legislation enacted here in the U.S. and abroad. The COVID-19 pandemic increased business and non-business online activity, pushing many legislatures to consider the need for increased data privacy regulation.
For more information regarding these new laws and how to prepare your business for compliance, contact Fred Price, Elizabeth Lehmann, Shannon Knapp or any one of our attorneys in the Cybersecurity and Data Privacy practice.
In the Wake of the SolarWinds Breach: President Biden Pivots U.S. Towards Prioritizing Cybersecurity
January 25, 2021
By: Jessica L. Copeland and Kathleen H. McGraw
In December 2020, the United States discovered that it had fallen victim to a major cyberattack believed to be backed by a Russian intelligence agency. The sophisticated attack was perpetrated through Orion, an IT management software platform developed and provided by SolarWinds to its tens of thousands of customers. The hackers inserted malware into the Orion software, so that when SolarWinds pushed an update out to its customers (as is common practice), the malware made its way onto the customers’ servers. From there, the hackers gained unfettered access to the infected servers.
The attack went undetected for months and infected both private and public sector companies and agencies. The breach came to light only when a private cybersecurity company, FireEye, discovered it and reported it to law enforcement. Until then, the U.S. was unaware that it had fallen victim to this cyberattack.
While the attack is thought to be an act of espionage by the Russian government and not an act of war, some commentators have compared the breach to a “cyber 9/11”¹ or a “cyber Pearl Harbor.”²
The extent of the attack on the U.S. government, including exactly what data has been compromised and which agencies were targeted, is still unknown, and is unlikely to be fully known any time soon. Among the agencies known to have been victimized are the Department of the Treasury, the Commerce Department, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Justice, the State Department and the National Institutes of Health. This list is expected to grow as the investigation and cleanup continue. What remains clear, however, is that the U.S. was and still is vulnerable to this sort of cybersecurity breach.
One immediate consequence of the SolarWinds breach is that it has exposed just how vulnerable the country is to large-scale cyberattack. It doesn’t take a cybersecurity or intelligence expert to understand, even from the short list of federal agencies known to have been targeted, that the type of data potentially compromised can have crippling national security effects. And it’s not just the Russians that are targeting U.S. cyberspace.
On Jan. 3, 2021, New York air traffic controllers received a cryptic message on their radio frequency that threatened to fly a plane into the Capitol to avenge the death of Iranian general Qassem Soleimani. While it is not clear at this point that the threat in fact came from Iran, the message itself evidences a breach of the U.S. air traffic control radio frequencies. Although the threat was not determined to be credible, the FAA and the FBI are still investigating how the frequency breach occurred. Breaching government telecommunications platforms, including radio frequencies, has been a threat since Britain’s interception and decryption of the infamous Zimmermann Telegram encouraged the U.S. entry into World War I in 1917, but this sort of breach of U.S. air traffic control is still unnerving more than a hundred years later.
Looking forward, the U.S. is likely to pivot towards making cybersecurity and cyber-defense a national priority. In response to the SolarWinds breach, the Biden administration has promised to “make cybersecurity a top priority at every level of government.”³ Furthermore, President Biden has committed to roll out a $9 billion plan to enhance U.S. cybersecurity by partnering with private sector companies. This could mean a serious overhaul of U.S. cybersecurity and data storage practices, which hopefully will result in the U.S. taking a proactive and aggressive stance on national cybersecurity.
If you have any questions about the content discussed here, or privacy laws or rules in general, please contact Jessica Copeland, Kathleen H. McGraw, any of the attorneys in the Cybersecurity and Data Privacy practice or the Bond attorney with whom you routinely communicate.
1 See "SolarWinds Orion Breach – What It Means for the Industry Writ Large,” Recorded Future; Gilman Louie, “SolarWinds hack: What we must do to avoid the next attack,” The Hill.
2 See Steve Grobman, “Why SolarWinds-SUNBURST is our Cyber Pearl Harbor,” McAfee; according to CBS News, Colorado Democratic Rep. Jason Crow referred to it as “our modern-day ‘Cyber Pearl Harbor’”; Lindsay McKenzie, “What SolarWinds Hack Means for Campuses,” Inside Higher Ed.
3 See "Biden Calls Cybersecurity a ‘Top Priority’ After Russian Hack," Bloomberg; "Cybersecurity to Get $9 Billion Boost in Biden Plan After Hack," Bloomberg.
Restricted Data Flow: What US Businesses Need to Know about International Data Transfers in the Wake of Schrems II and the GDPR
January 22, 2021
By: Amber L. Lawyer, John D. Clopper and Shannon A. Knapp
International corporations, technology companies, businesses selling goods and services, and various other entities must comply with strict regulations when transferring personal data from the European Economic Area (EEA) to the U.S. The European Union’s (EU) General Data Protection Regulation (GDPR), which became effective in 2018, mandates that companies comply with certain data protection obligations in order to transfer personal data from the EEA to the U.S. A transfer of personal data out of the EEA may only take place if (1) the European Commission (EC) determines that a country, through its own data protection laws, provides an adequate level of data protection, or (2) private entities put into place appropriate safeguards to adequately protect the personal data and privacy rights of EU residents. Because the U.S. does not have a federal data privacy law comparable to the GDPR, the EC has not certified that the U.S. provides an adequate level of protection for the personal data of EU residents. As such, organizations in the U.S. must work individually to put into place appropriate safeguards to transfer data outside of the EU.
As of its effective date, the GDPR set forth four ways in which an organization could implement adequate safeguards to permit data transfer from the EEA: (1) certification under the EU-U.S. Privacy Shield; (2) use of EU Standard Contract Clauses (SCCs); (3) adoption of Binding Corporate Rules (BCRs); or (4) through certain derogations enumerated in the GDPR (collectively known as “Data Transfer Mechanisms”).
In July 2020, the Court of Justice of the European Union (CJEU) issued its decision in Data Protection Commission v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (Schrems II), which invalidated the EU-U.S. Privacy Shield Framework, the principal mechanism relied on by thousands of U.S. companies to conduct trans-Atlantic data transfers. In Schrems II, the CJEU invalidated the European Commission’s previous determination that the EU-U.S. Privacy Shield offered an adequate level of protection. The CJEU found that the U.S. does not adequately limit government access to or surveillance of personal information. The CJEU also found that U.S. law failed to provide adequate mechanisms for judicial redress for persons whose data had been collected by means of certain U.S. surveillance laws. As a result, the CJEU held that the Privacy Shield did not offer a level of protection essentially equivalent to that offered by EU law.
While the CJEU’s decision only invalidated the Privacy Shield, and expressly allowed the continued use of SCCs to comply with the GDPR, the decision requires businesses to verify, on a case-by-case basis, that individuals will be granted a level of protection in the receiving country essentially equivalent to that guaranteed within the EU. If a company determines that the law of the receiving country does not ensure an adequate level of protection, it must provide additional safeguards in order to transfer personal data to the receiving country.
On Nov. 10, 2020, the European Data Protection Board (EDPB) released its recommendations on supplementary measures. The recommendations outlined a six-step plan to ensure compliance with the Schrems II decision. This plan included recommendations for additional safeguards, such as technical safeguards (e.g., encryption and pseudonymization), contractual mechanisms (e.g., technical and transparency obligations), and organizational mechanisms (e.g., internal guidelines). On Nov. 12, 2020, the European Commission proposed a draft decision updating the available SCCs in light of Schrems II. Most recently, on January 15, 2020, the EDPB and the European Data Protection Supervisor (EDPS) adopted a joint opinion welcoming many of the provisions contained in the EC’s draft SCC updates, but noting that several provisions could be improved, such as those relating to the SCCs’ scope, obligations regarding onward transfers, certain aspects of the assessment of third-country laws regarding data access by public authorities, and notification to supervisory authorities.
It is more important than ever that U.S. businesses review their data transfer agreements and vendor contracts. After the invalidation of the EU-U.S. Privacy Shield, compliance with the GDPR has become even more complicated. Revisions to existing contracts incorporating SCCs may be necessary, and implementation of additional safeguards may also be necessary.
If you have any questions regarding this memo, GDPR, or any other related matter, please contact Amber Lawyer, John Clopper, Shannon Knapp or any one of our attorneys in the Cybersecurity and Data Privacy practice.
The Aftermath of the FireEye Hack Makes Clear the Importance of a Quick Response to any Breach
January 21, 2021
By: Kristin Warner
Last month, cybersecurity firm FireEye, Inc. discovered it had been hacked. This was no ordinary hack conducted merely to gain access to customer data; the target here was much more focused. The hackers, widely believed to be affiliated with Russian intelligence agencies, stole FireEye’s own tool kit, consisting of roughly 300 proprietary software tools. You see, a very important part of FireEye’s business has been helping identify the perpetrators of some of the largest data breaches in history. Notably, FireEye was involved in the aftermath of the infamous Sony and Equifax breaches, and assisted the State Department and other American government agencies in dealing with the breach by Russian hackers in 2015.
This is not the first time a hack of this nature has occurred. In 2016, a still-anonymous group called the ShadowBrokers made off with the National Security Agency’s hacking tools and then released them publicly over the course of several months. This hack proved devastating, as it is believed that both North Korea and Russia have utilized these stolen tools. The damages caused by them number in the billions of dollars.
While investigating its own hack, FireEye came across a vulnerability in a product made by one of its software providers, SolarWinds Corp. The same hackers are believed to have planted malware using this backdoor, which was then transferred to the systems of SolarWinds customers during a routine software update. At least 25 entities have been identified as victims of the attack, though SolarWinds acknowledges that the number could actually be in the tens of thousands.
Using the SolarWinds backdoor, these hackers have now infiltrated the U.S. Departments of Treasury, State and Commerce, the National Institutes of Health and the Department of Homeland Security. Homeland Security’s Cybersecurity and Infrastructure Security Agency went so far as to issue an emergency directive ordering all federal agencies to disconnect the potentially infected products from their networks.
Because this is an ongoing investigation, the full extent of the damages is not yet clear. The personal information of millions of Americans is stored within the federal government’s network, and it is not yet known whether that data has been compromised. It is also estimated that most Fortune 500 companies used the very popular server software offered by SolarWinds, so the effects of this breach could be the widest reaching in history. We will continue to provide updates as they are made known.
If you have any questions about the FireEye or SolarWinds breach, or about cybersecurity or breach response in general, please contact any attorney in the Cybersecurity and Data Privacy practice.
New Year, New Rules: California Passes the California Privacy Rights Act
January 20, 2021
By: Amber L. Lawyer, Hannah K. Redmond and Shannon A. Knapp
On Election Day, Nov. 3, 2020, California voters were tasked with more than casting their votes in the presidential election. Californians also voted on California Proposition 24, which is the California Privacy Rights Act (CPRA). Proposition 24 passed, receiving about 56% of the vote. Proposition 24 both supplements and revises certain aspects of the California Consumer Privacy Act (CCPA), the first domestic data privacy statute of its kind, which was signed into law in 2018.
To date, California is the only state that has a comprehensive consumer data privacy law in place. The CCPA’s main provisions took effect on Jan. 1, 2020, and regulations implementing the CCPA became effective on Aug. 14, 2020. Since its inception, the CCPA has been periodically edited, clarified and changed by the legislature. Of note, on Sept. 25, 2020, the California governor, Gavin Newsom, signed a bill establishing new exemptions under the CCPA for certain types of medical and health information. Other nonsubstantive changes were implemented on Sept. 30, 2020.
However, the biggest change to California’s privacy law came with the passing of the CPRA. Although the law does not become effective until January 2023, enforcement agencies may review a business’s compliance with the CPRA as of January 2022 when assessing penalties for violations of the law. Just as businesses started to become compliant with the CCPA, new regulations under the CPRA will require additional measures to be taken by businesses to protect consumers’ information. Some of the many changes under the CPRA are detailed below.
Business Specific Changes
The CPRA changes the definition of covered “businesses” in several respects. On the one hand, it expanded the definition of “business” to include certain types of joint ventures and partnerships that were not included under the CCPA. The CPRA also includes businesses that voluntarily agree to be subject to it. On the other hand, the CPRA narrowed the definition of covered businesses by increasing the threshold for coverage based on the collection of consumer information. Under CCPA, a business that collected the personal information of 50,000 or more California consumers, households, or devices was subject to the CCPA. Under the CPRA, that number is now 100,000.
Much like the EU’s notorious General Data Protection Regulation (GDPR), the CPRA requires data minimization. This means that businesses must minimize the use, retention and sharing of personal information to “what is reasonably necessary and proportionate to achieve the purposes” for which the information was collected. In other words, covered businesses must take inventory of their data collection and retention practices and determine whether the information collected is necessary for the operation of their business. If it is not, it should not be collected.
The CPRA also extended the CCPA’s limited employee and business-to-business exemptions until Jan. 1, 2023. These exemptions limit data subject rights for employees, job applicants and independent contractors.
Consumer Rights Changes
In terms of consumers’ rights, the CPRA made changes to the right to know, the right to correct and the right to delete provisions. It removed the CCPA’s 12-month lookback period, drastically expanding the right to know. This change gives consumers the right to request information that predates the previous 12 months. The right to correct was created under CPRA. This right allows a consumer to request that a business correct any inaccurate personal information it maintains about them. Lastly, the CPRA creates the right to delete, allowing consumers to request that a business delete their data. However, businesses can deny a person’s request to delete such data when maintaining the information is “reasonably necessary and proportionate” to security and integrity purposes.
Further, the CPRA allows consumers to stop a business from sharing their personal information with third parties for the purpose of engaging in “cross-context behavioral advertising,” which is essentially targeted advertising. Businesses can comply by either displaying an opt-out link that states “do not sell or share my personal information,” or by following the consumer’s preferences communicated through a cross-platform global privacy control.
In addition, the CPRA created a new category of information called “sensitive personal information” that is entitled to additional protections. Broadly defined, sensitive personal information includes government-issued identifiers, account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages, genetic data, biometric information and more.
Lastly, the CPRA expanded breach liability for the unauthorized access or disclosure of email addresses and passwords, or security questions, that would permit access to accounts if businesses fail to maintain adequate security.
Enforcement Agency
One of the most significant changes introduced by the CPRA is the establishment of the California Privacy Protection Agency, which is tasked with implementing and enforcing California privacy laws. The agency will be governed by a five-member board. The chair and one member will be appointed by the governor. The attorney general, the speaker of the assembly, and the Senate Rules Committee each select one of the additional seats. It is expected that the members of the board will be announced at the end of January 2021. Although the new agency has enforcement power, the California attorney general still retains the power to enforce the CPRA through civil penalties. The agency, once assembled, will be tasked with clarifying and making new rules concerning the CCPA and CPRA.
For more information regarding California consumer privacy laws and compliance efforts businesses should be taking, contact Amber Lawyer, Hannah Redmond, Shannon Knapp or any attorney in the Cybersecurity and Data Privacy practice.
Things You Should Know Leading Up to World Data Privacy Day 2021
January 20 - January 28, 2021
HIPAA and Sharing of Medical Information During COVID-19
January 27, 2021
By: Craig W. Anderson
In Bond’s Jan. 26 webinar about the evolving legal implications of COVID-19 for businesses, healthcare and data privacy attorney Craig W. Anderson recorded a short video discussing application of the Health Insurance Portability and Accountability Act (HIPAA) to medical information being exchanged for to comply with mandates pertaining to vaccinations and reporting.
Although the Office for Civil Rights (OCR) is exercising “enforcement discretion” during the public health emergency for certain uses and disclosures of protected health information, as a general rule, HIPAA’s privacy and security rules are still in force. HIPAA still applies to covered entities and business associates who are exchanging protected health information. Generally speaking, entities that are not covered entities or business associates (as defined by HIPAA) need not comply with HIPAA’s regulations; however, other privacy or confidentiality laws – for example those under the ADA, FMLA or FERPA – may still apply.
What’s On the Horizon: 2021 State and Federal Data Privacy Legislation
January 26, 2021
By: Elizabeth L. Lehmann, Fred J. M. Price, and Shannon A. Knapp
The United States is continuing to see a flurry of state legislation concerning consumer data privacy. In 2020, at least 30 states and Puerto Rico considered some type of legislation related to consumer privacy. Most of these laws failed or were indefinitely tabled, likely due to the coronavirus. Most notably, the end of 2020 saw the passage of Proposition 24, also known as the California Privacy Rights Act (CPRA) (see our article available here for more information on CPRA).
The beginning of 2021 has followed 2020’s trajectory. Numerous state legislatures have already introduced comprehensive consumer privacy laws. These states include Connecticut, Minnesota, New York, Virginia and Washington. Washington state has been considering the Washington Privacy Act for two years, but it has failed each time in the Assembly. However, Washington has a good chance of passing a GDPR-like bill this year. The bill has overwhelming support in the Washington state Senate, and the primary stalling point in the state Assembly has been whether there should be a private right of action. Once this issue is resolved, the bill will have the support needed to pass. Unlike previous bills, this bill is divided into four parts. Part one concerns the processing of personal data by the private sector. In response to the COVID-19 pandemic, parts two and three concern the processing of personal data for public health emergencies. Part four includes miscellaneous provisions. If passed, the provisions would become effective July 31, 2022. Similarly, New York and Minnesota both reintroduced bills concerning comprehensive data privacy protections.
On the federal side, it is reported that President Biden has data privacy and cybersecurity on his executive agenda. With Democratic control of Congress, there is high potential for viable federal data privacy legislation in 2021 or in the years to come. The tech field anticipates that the Biden administration may focus on passage of a comprehensive federal data privacy law along with other acts related to data privacy and cybersecurity, such as reintroducing a cybersecurity coordinator to the White House and increasing Federal Trade Commission (FTC) enforcement activity. There is also bipartisan support for data privacy legislation as both Republican and Democrat representatives have proposed bills in prior Congressional terms that contain many similar provisions. The federal government is also working to address the invalidation of the EU-U.S. data privacy shield after the CJEU Schrems II decision.
2021 will likely see increased data privacy legislation enacted here in the U.S. and abroad. The COVID-19 pandemic increased business and non-business online activity pushing many legislatures to consider the need for increased data privacy regulations.
For more information regarding these new laws and how to prepare your business for compliance, contact Fred Price, Elizabeth Lehmann, Shannon Knapp or any one of our attorneys in the Cybersecurity and Data Privacy practice.
In the Wake of the SolarWinds Breach: President Biden Pivots U.S. Towards Prioritizing Cybersecurity
January 25, 2021
By: Jessica L. Copeland and Kathleen H. McGraw
In December 2020, the United States discovered that it had fallen victim to a major cyberattack believed to be backed by a Russian intelligence agency. The sophisticated attack was perpetrated through Orion, an IT management software platform developed and provided by SolarWinds to its tens of thousands of customers. The hackers implemented malware into the Orion software so when SolarWinds pushed an update out to its customers (as is common practice), the malware made its way onto the customers’ servers. From there, the hackers gained unfettered access to the infected servers.
The attack went undetected for months and infected both private and public sector companies and agencies. It wasn’t until a private cybersecurity company, FireEye, discovered and revealed the SolarWinds breach to law enforcement. Until then, the U.S. was unaware that it had fallen victim to this cyberattack.
While the attack is thought to be an act of espionage by the Russian government and not an act of war, some commentators have compared the breach to a “cyber 9/111” or a “cyber Pearl Harbor.2”
The extent of the attack on the U.S. government, including exactly what data has been compromised and which agencies were targeted, is still unknown—and is unlikely to be fully known any time soon. Among the agencies known to have been victimized are the Department of the Treasury, the Commerce Department, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Justice, the State Department and the National Institute of Health. This list is expected to grow as the investigation and cleanup continues. What remains clear, however, is that the U.S. was and still is vulnerable to this sort of cybersecurity breach.
One immediate fallout from the SolarWinds breach is that it has exposed truly how vulnerable the country is to large-scale cyberattack. It doesn’t take a cybersecurity or intelligence expert to understand—even from the short list of federal agencies known to have been targeted—that the type of potentially compromised data can have crippling national security effects. And it’s not just the Russians that are targeting U.S. cyberspace.
On Jan. 3, 2021, New York air traffic controllers received a cryptic message on their radio frequency that threatened to fly a plane into the Capitol to avenge the death of Iranian general Qassem Soleimani. While it is not clear at this point that the threat in fact came from Iran, the message itself evidences a breach of the U.S. air traffic control radio frequencies. Although the threat was not determined to be credible, the FAA and the FBI are still investigating how the frequency breach occurred. Breaching government telecommunications platforms, including radio frequencies, has been a threat since the British’s interception and decryption of the infamous Zimmermann Telegram encouraged the US’ entry into World War I in 1917, but this sort of breach into U.S. air traffic control is still unnerving more than a hundred years later.
Looking forward, the U.S. is likely to pivot towards making cybersecurity and cyber-defense a national priority. In response to the SolarWinds breach, the Biden administration has promised to “make cybersecurity a top priority at every level of government.3” Furthermore, President Biden has committed to roll out a $9 billion plan to enhance U.S. cybersecurity by partnering with private sector companies. This could mean a serious overhaul in U.S. cybersecurity and data storing practices which hopefully will result in the U.S. taking a proactive and aggressive stance on national cybersecurity.
If you have any questions about the content discussed here, or privacy laws or rules in general, please contact Jessica Copeland, Kathleen H. McGraw, any of the attorneys in the Cybersecurity and Data Privacy practice or the Bond attorney with whom you routinely communicate.
1 See "SolarWinds Orion Breach – What It Means for the Industry Writ Large,” Recorded Future; Gilman Louie, “SolarWinds hack: What we must do to avoid the next attack,” The Hill.
2 See Steve Grobman, “Why SolarWinds-SUNBURST is our Cyber Pearl Harbor,” McAfee; According to CBS News, Colorado Democratic Rep. Jason Crow called referred to it as "our modern-day 'Cyber Pearl Harbor'"; Lindsay McKenzie, “What SolarWinds Hack Means for Campuses,” Inside Higher Ed.
3 See "Biden Calls Cybersecurity a ‘Top Priority’ After Russian Hack," Bloomberg; "Cybersecurity to Get $9 Billion Boost in Biden Plan After Hack," Bloomberg.
Restricted Data Flow: What US Businesses Need to Know about International Data Transfers in the Wake of Schrems II and the GDPR
January 22, 2021
By: Amber L. Lawyer, John D. Clopper and Shannon A. Knapp
International corporations, technology companies, businesses selling goods and services, and various other entities must comply with strict regulations when transferring personal data from the European Economic Area (EEA) to the U.S. The European Union’s (EU) General Data Protection Regulation (GDPR), which became effective in 2018, mandates that companies comply with certain data protection obligations in order to transfer personal data from the EEA to the U.S. A transfer of personal data out of the EEA may only take place if (1) the European Commission (EC) determines that a country, through its own data protection laws, provides an adequate level of data protection, or (2) private entities put into place appropriate safeguards to adequately protect the personal data and privacy rights of EU residents. Because the U.S. does not have a federal data privacy law comparable to the GDPR, the EC has not certified that the U.S. as a whole provides an adequate level of protection for the personal data of EU residents. As such, organizations in the U.S. must work individually to put into place appropriate safeguards to receive data transferred out of the EEA.
As of its effective date, the GDPR left U.S. organizations four ways to satisfy this requirement: (1) certification under the EU-U.S. Privacy Shield; (2) use of EU Standard Contractual Clauses (SCCs); (3) adoption of Binding Corporate Rules (BCRs); or (4) reliance on certain derogations enumerated in the GDPR (collectively known as “Data Transfer Mechanisms”).
In July 2020, the Court of Justice of the European Union (CJEU) issued its decision in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (Schrems II), which invalidated the EU-U.S. Privacy Shield Framework, the principal mechanism relied on by thousands of U.S. companies to conduct trans-Atlantic data transfers. In Schrems II, the CJEU invalidated the European Commission’s previous determination that the EU-U.S. Privacy Shield offered an adequate level of protection. The CJEU found that U.S. law does not adequately limit government access to or surveillance of personal information. The CJEU also found that U.S. law fails to provide adequate mechanisms for judicial redress for persons whose data had been collected under certain U.S. surveillance laws. As a result, the CJEU held that the Privacy Shield did not offer a level of protection essentially equivalent to that guaranteed by EU law.
While the CJEU’s decision only invalidated the Privacy Shield, and expressly allowed the continued use of SCCs to comply with the GDPR, the CJEU decision required businesses to verify, on a case by case basis, that individuals would be granted a level of protection in the receiving country essentially equivalent to that guaranteed within the EU. If the company determines that the law of the receiving country does not ensure an adequate level of protection, then companies must provide additional contractual safeguards in order to transfer personal data to the receiving country.
On Nov. 10, 2020, the European Data Protection Board (EDPB) released its recommendations on supplementary measures. The recommendations outline a six-step plan to ensure compliance with the Schrems II decision. This plan includes recommendations for additional safeguards, such as technical measures (e.g., encryption and pseudonymization, with keys and re-identification data held by the exporter in the EEA), contractual mechanisms (e.g., technical and transparency obligations), and organizational measures (e.g., internal guidelines). On Nov. 12, 2020, the European Commission published a draft decision updating the available SCCs in light of Schrems II. Most recently, on January 15, 2021, the EDPB and the European Data Protection Supervisor (EDPS) adopted a joint opinion welcoming many of the provisions contained in the EC’s draft SCC updates, but noting that several provisions could be improved, such as those relating to the SCCs’ scope, obligations regarding onward transfers, certain aspects of the assessment of third-country laws regarding data access by public authorities, and notification to supervisory authorities.
It is more important than ever that U.S. businesses review their data transfer agreements and vendor contracts. After the invalidation of the EU-U.S. Privacy Shield, compliance with the GDPR has become more complicated. Existing contracts may need to be revised to incorporate SCCs, and additional technical and organizational safeguards may also need to be implemented.
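The "pseudonymization" the EDPB lists as a technical supplementary measure is only effective if the importer cannot undo it. The example below is added here for illustration and is not code from the original article or from the EDPB. It assumes an exporter that keeps a secret key and the token-to-identifier lookup inside the EEA and ships only the pseudonymized records abroad; the records themselves are constructed sample data. It also shows why an unkeyed hash of an email address is not a pseudonym: anyone holding a list of plausible addresses can recover it by enumeration, whereas a keyed HMAC cannot be reversed or guessed without the key.

```python
"""Keyed pseudonymization of records before export outside the EEA.

Added example; not code from the original article or from the EDPB.
Assumes the exporter keeps the key and the token->identifier lookup in
the EEA and ships only the pseudonymized export set to the importer.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; not real people.
RECORDS = [
    {"email": "anna@example.eu", "name": "Anna Example", "country": "DE", "plan": "pro"},
    {"email": "Bert@Example.EU", "name": "Bert Example", "country": "FR", "plan": "free"},
    {"email": "anna@example.eu", "name": "Anna Example", "country": "DE", "plan": "pro"},
]
DIRECT_IDENTIFIERS = ("email", "name")


def normalise(identifier: str) -> bytes:
    # Same person, same token: case and surrounding whitespace must not
    # change the output, or the importer cannot join records.
    return identifier.strip().lower().encode("utf-8")


def keyed_token(identifier: str, key: bytes) -> str:
    # HMAC-SHA256 under a secret key: deterministic for joins, but neither
    # reversible nor guessable by someone who does not hold the key.
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def unkeyed_token(identifier: str) -> str:
    # What NOT to do: a plain hash only looks like a pseudonym until
    # someone enumerates likely inputs (see guess_by_enumeration).
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonymise(records, key):
    """Return (export_set, lookup). Only export_set leaves the EEA."""
    export_set, lookup = [], {}
    for rec in records:
        token = keyed_token(rec["email"], key)
        lookup[token] = rec["email"]
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = token
        export_set.append(out)
    return export_set, lookup


def reidentify(export_set, lookup):
    """Exporter-side reversal, using the lookup that never left the EEA."""
    return [{**rec, "email": lookup[rec["subject_id"]]} for rec in export_set]


def guess_by_enumeration(token, candidates, tokenizer):
    """An importer's dictionary attack: recompute tokens for each candidate
    identifier and report the one that matches, or None."""
    for cand in candidates:
        if tokenizer(cand) == token:
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stays with the exporter
    exported, lookup = pseudonymise(RECORDS, key)
    print("exported record:", exported[0])
    print("re-identified by exporter:", reidentify(exported, lookup)[0]["email"])
    guesses = ["anna@example.eu", "bert@example.eu", "carl@example.eu"]
    print("importer guess vs unkeyed hash:",
          guess_by_enumeration(unkeyed_token("anna@example.eu"), guesses, unkeyed_token))
    print("importer guess vs keyed token:",
          guess_by_enumeration(exported[0]["subject_id"], guesses, unkeyed_token))
```

The key, the lookup table and the `reidentify` step are the parts that must stay with the exporter; if they are sent along with the data, or the key is derivable from the data, the measure adds nothing. Rotating the key breaks joins across exports, so key rotation needs to be planned with the importer's use of the data in mind.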
If you have any questions regarding this memo, GDPR, or any other related matter, please contact Amber Lawyer, John Clopper, Shannon Knapp or any one of our attorneys in the Cybersecurity and Data Privacy practice.
The Aftermath of the FireEye Hack Makes Clear the Importance of a Quick Response to any Breach
January 21, 2021
By: Kristin Warner
Last month, cybersecurity firm FireEye, Inc. discovered it had been hacked. This was no ordinary hack conducted merely to gain access to customer data; the target here was much more focused. The hackers, widely believed to be affiliated with Russian intelligence agencies, stole FireEye’s own red team tool kit, consisting of roughly 300 proprietary software tools. A very important part of FireEye’s business has been helping identify the perpetrators of some of the largest data breaches in history. Notably, FireEye was involved in the aftermath of the infamous Sony and Equifax breaches, and assisted the State Department and other American government agencies in dealing with the breach by Russian hackers in 2015.
This is not the first time a hack of this nature has occurred. In 2016, a still anonymous group calling itself the Shadow Brokers made off with National Security Agency hacking tools and then released them publicly over the course of several months. This proved devastating, as both North Korea and Russia are believed to have used the stolen tools in their own attacks. The damage caused by those attacks runs into the billions of dollars.
While investigating its own hack, FireEye traced the intrusion to a product made by one of its software providers, SolarWinds Corp. The same hackers are believed to have compromised SolarWinds’ software build process and inserted a backdoor into legitimate, digitally signed updates of SolarWinds’ Orion platform, so that the malware was delivered to SolarWinds customers during a routine software update. At least 25 entities have been identified as having been actively targeted through the backdoor, though SolarWinds acknowledges that the number of customers who installed the trojanized update could be in the tens of thousands.
Using the SolarWinds backdoor, these hackers have now infiltrated the U.S. Departments of Treasury, State and Commerce, the National Institutes of Health and the Department of Homeland Security. Homeland Security’s Cybersecurity and Infrastructure Security Agency went so far as to issue an emergency directive (Emergency Directive 21-01) ordering all federal civilian agencies to disconnect or power down the affected Orion products on their networks.
Because this is an ongoing investigation, the full extent of the damage is not yet clear. The personal information of millions of Americans is stored within the federal government’s networks, and it is not yet known whether that data has been compromised. It is also estimated that most Fortune 500 companies use SolarWinds’ very popular Orion network-management software, so the effects of this breach could be the widest reaching in history. We will continue to provide updates as they are made known.
If you have any questions about the FireEye or SolarWinds breach, or about cybersecurity or breach response in general, please contact any attorney in the Cybersecurity and Data Privacy practice.
New Year, New Rules: California Passes the California Privacy Rights Act
January 20, 2021
By: Amber L. Lawyer, Hannah K. Redmond and Shannon A. Knapp
On Election Day, Nov. 3, 2020, California voters were tasked with more than casting their votes in the presidential election. Californians also voted on California Proposition 24, which is the California Privacy Rights Act (CPRA). Proposition 24 passed, receiving about 56% of the vote. Proposition 24 both supplements and revises certain aspects of the California Consumer Privacy Act (CCPA), the first domestic data privacy statute of its kind, which was signed into law in 2018.
To date, California is the only state that has a comprehensive consumer data privacy law in place. The CCPA’s main provisions took effect on Jan. 1, 2020, and regulations implementing the CCPA became effective on Aug. 14, 2020. Since its inception, the CCPA has been periodically edited, clarified and changed by the legislature. Of note, on Sept. 25, 2020, the California governor, Gavin Newsom, signed a bill establishing new exemptions under the CCPA for certain types of medical and health information. Other nonsubstantive changes were implemented on Sept. 30, 2020.
However, the biggest change to California’s privacy law came with the passing of the CPRA. Although the law does not become operative until Jan. 1, 2023, it applies to personal information collected on or after Jan. 1, 2022, so regulators assessing compliance once the CPRA is in force will be able to look back at how businesses handled information collected during 2022. Just as businesses started to become compliant with the CCPA, new requirements under the CPRA will require additional measures to be taken by businesses to protect consumers’ information. Some of the many changes under the CPRA are detailed below.
Business Specific Changes
The CPRA changes the definition of covered “businesses” in several respects. On the one hand, it expands the definition of “business” to include certain types of joint ventures and partnerships that were not included under the CCPA. The CPRA also covers businesses that voluntarily agree to be subject to it. On the other hand, the CPRA narrows the definition of covered businesses by raising the threshold for coverage based on the volume of consumer information handled. Under the CCPA, a business that annually bought, sold or shared the personal information of 50,000 or more California consumers, households or devices was subject to the CCPA. Under the CPRA, that number is now 100,000 consumers or households, and devices no longer count toward the threshold.
Much like the EU’s General Data Protection Regulation (GDPR), the CPRA requires data minimization. This means that businesses must limit the collection, use, retention and sharing of personal information to “what is reasonably necessary and proportionate to achieve the purposes” for which the information was collected. In other words, covered businesses must take inventory of their data collection and retention practices and determine whether the information collected is necessary for the operation of their business. If it is not, it should not be collected, and what is already held should not be retained longer than those purposes require.
The CPRA also extended the CCPA’s limited employee and business-to-business exemptions until Jan. 1, 2023. These exemptions limit data subject rights for employees, job applicants and independent contractors.
Consumer Rights Changes
In terms of consumers’ rights, the CPRA made changes to the right to know, the right to correct and the right to delete provisions. It removed the CCPA’s 12-month lookback period, drastically expanding the right to know. This change gives consumers the right to request information that predates the previous 12 months, so long as it was collected on or after Jan. 1, 2022. The right to correct is new under the CPRA. This right allows a consumer to request that a business correct any inaccurate personal information it maintains about them. Lastly, the CPRA expands the CCPA’s existing right to delete: a business that receives a deletion request must now also notify its service providers, contractors and any third parties to whom it sold or shared the information so that they delete it too. However, businesses can deny a request to delete such data when maintaining the information is “reasonably necessary and proportionate” to security and integrity purposes.
Further, the CPRA allows consumers to stop a business from sharing their personal information with third parties for the purpose of engaging in “cross-context behavioral advertising,” which is essentially targeted advertising. Businesses can comply either by displaying an opt-out link that states “Do Not Sell or Share My Personal Information,” or by honoring an opt-out preference signal sent by the consumer’s browser or device, such as the Global Privacy Control, which applies across every site the consumer visits.
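Honoring an opt-out preference signal is a technical obligation, not just a contractual one, so it helps to see what the server actually has to check. The example below is added here for illustration and is not code from the original article or from any regulator. It assumes the Global Privacy Control convention of a request header `Sec-GPC` whose value is exactly `1` (the draft GPC specification also exposes `navigator.globalPrivacyControl` in the browser for client-side scripts); the cookie name, the ad-sharing recipients and the service providers are constructed placeholders.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal server-side.

Added example; not code from the original article. Assumes the GPC
convention of a request header "Sec-GPC: 1". The recipient lists and the
cookie name are constructed placeholders, not a real site's integrations.
"""
from typing import Mapping

# Constructed: downstream recipients that would receive personal
# information for cross-context behavioral advertising ("sharing").
AD_SHARING_RECIPIENTS = ("ad-exchange.example", "retargeting.example")
# Constructed: recipients acting as service providers for the site's own
# operations, which an opt-out does not cover.
SERVICE_PROVIDERS = ("analytics-sp.example",)
# Hypothetical cookie set when the consumer clicks the opt-out link.
OPT_OUT_COOKIE = "do_not_sell_or_share"


def gpc_opt_out(headers: Mapping[str, str]) -> bool:
    """True only for an exact 'Sec-GPC: 1'. Header names are matched
    case-insensitively; any other value ("0", "true", "") is not an opt-out."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def cookie_opt_out(cookies: Mapping[str, str]) -> bool:
    """Opt-out previously recorded via the on-page link (hypothetical cookie)."""
    return cookies.get(OPT_OUT_COOKIE) == "1"


def sharing_decision(headers: Mapping[str, str], cookies: Mapping[str, str]) -> dict:
    """Decide which downstream recipients may receive this request's data.

    Returns an auditable record: whether the consumer is opted out, which
    signal caused it, and the resulting recipient list. Either signal alone
    is sufficient; the GPC header is checked first so a fresh signal wins
    even if no cookie has been set yet.
    """
    if gpc_opt_out(headers):
        source = "gpc"
    elif cookie_opt_out(cookies):
        source = "cookie"
    else:
        source = None
    recipients = list(SERVICE_PROVIDERS)
    if source is None:
        recipients.extend(AD_SHARING_RECIPIENTS)
    return {"opted_out": source is not None, "source": source, "recipients": recipients}


if __name__ == "__main__":
    # Constructed requests: one with the browser signal, one with only the
    # cookie, one with neither.
    print(sharing_decision({"Sec-GPC": "1", "User-Agent": "x"}, {}))
    print(sharing_decision({}, {OPT_OUT_COOKIE: "1"}))
    print(sharing_decision({"Sec-GPC": "0"}, {}))
```

Two practical points follow from the code: the check must run before any third-party ad tag or server-side pixel fires, not after the page has already shared the data, and a request carrying the signal should also be persisted (here, by setting the same cookie the link would set) so the opt-out survives on requests where the header is absent.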
In addition, the CPRA created a new category of information called “sensitive personal information” that is entitled to additional protections. Broadly defined, sensitive personal information includes government-issued identifiers, account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages, genetic data, biometric information and more.
Lastly, the CPRA expanded the private right of action for data breaches to cover the unauthorized access or disclosure of an email address together with a password or security question and answer that would permit access to the account, where the business failed to maintain reasonable security.
Enforcement Agency
One of the most significant changes introduced by the CPRA is the establishment of the California Privacy Protection Agency, which is tasked with implementing and enforcing California privacy laws. The agency will be governed by a five-member board. The chair and one member will be appointed by the governor. The attorney general, the speaker of the assembly, and the Senate Rules Committee each get to select one of the additional seats. It is expected that the members of the board will be announced at the end of Jan. 2021. Although the new agency has enforcement power, the California attorney general still retains the power to enforce the CPRA through civil penalties. The agency, once assembled, will be tasked with clarifying and making new rules concerning the CCPA and CPRA.
For more information regarding California consumer privacy laws and compliance efforts businesses should be taking, contact Amber Lawyer, Hannah Redmond, Shannon Knapp or any attorney in the Cybersecurity and Data Privacy practice.