Cybersecurity and Privacy Law Developments in the First Quarter of 2021

PDF

Professionals

Practice Areas

Attorneys of the Cybersecurity and Privacy Practice Group
Robinson Bradshaw Publication
April 28, 2021

Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as social-distancing measures in response to the COVID-19 public health emergency drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter. Click here to subscribe to our Cybersecurity and Privacy list and receive future updates via email, and click here to view all of our quarterly updates.

The first quarter of 2021 began with the U.S. Senate’s enactment of the National Defense Authorization Act for Fiscal Year 2021 to boost the nation’s cyber defense and how the government and private sector handle cyberthreats. With the new administration, Congress continues its efforts to create privacy and cybersecurity legislation, such as the re-introduction of the Information Transparency and Personal Data Control Act, the year’s first proposed comprehensive federal privacy law. Meanwhile, the European Data Protection Board and the European Data Protection Supervisor issued joint opinions on the draft Standard Contractual Clauses under the General Data Protection Regulation. This guidance, provided in response to the Schrems II decision by the EU Court of Justice, highlights the remaining challenges this decision has caused throughout Europe. Back in the United States, states continue to shape the privacy and cybersecurity legal landscape. For example, Virginia joined California as the second state to enact a comprehensive privacy law, and Utah amended its data breach notification law to add an affirmative defense for claims stemming from a data breach.

If you have questions about any of the legal developments highlighted in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.

State Law Developments


[1] The text of Virginia’s Consumer Data Protection Act can be found here: https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf.

[2] The text of Utah’s Cybersecurity Affirmative Defense Act can be found here: https://le.utah.gov/~2021/bills/hbillenr/HB0080.pdf.

[3] The text of the finalized amendments to the CCPA regulations can be found here: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-add-adm.pdf.

[4] The California Privacy Protection Agency announcement can be found here: https://oag.ca.gov/news/press-releases/california-officials-announce-california-privacy-protection-agency-board.

Federal Law Developments


[5] The announcement can be found here: https://www.hhs.gov/about/news/2021/03/09/extension-public-comment-period-proposed-modifications-hipaa-privacy-rule.html.

[6] The text of the proposed legislation can be found here: https://www.congress.gov/116/bills/hr2013/BILLS-116hr2013ih.pdf

Foreign Law Developments


[7] The announcement of the joint opinions can be found here: https://edps.europa.eu/sites/edp/files/edpsweb_press_releases/edpb-edps_pressrelease_onsccs_en.pdf

[8] The decision can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2021/56.html

[9] The draft decision can be found here: https://ec.europa.eu/info/sites/default/files/draft_decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_19_feb_2020.pdf

Litigation and Enforcement


[10] A copy of the consent order can be found here: https://www.ftc.gov/system/files/documents/cases/everalbum_order.pdf

[11] A copy of the consent order can be found here: https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf

[12] The Fifth Circuit’s court decision may be found here: https://www.robinsonbradshaw.com/assets/htmldocuments/MDAnderson.pdf.

[13] The Eleventh Circuit’s court decision can be found here: https://www.robinsonbradshaw.com/assets/htmldocuments/Tsao.pdf.

[14] This aspect of the court’s ruling is counter to the Ninth Circuit’s holding in United States v. Cano, 934 F.3d 1002, 1018 (9th Cir. 2019) (holding that the border search exception “is restricted in scope to searches for contraband”).

[15] The First Circuit court’s decision may be found at Alasaad v. Mayorkas, 988 F.3d 8 (1st Cir. 2021): https://www.robinsonbradshaw.com/assets/htmldocuments/Alasaad.pdf.

[16] The Consent Order can be found here: https://www.dfs.ny.gov/system/files/documents/2021/03/ea20210303_residential_mortgage_0.pdf.

[17] The First Circuit oral arguments for United States v. Moore-Bush are available here: http://media.ca1.uscourts.gov/files/audio/19-1582.mp3

[18] More information about the U.S. Supreme Court oral arguments for TransUnion LLC v. Ramirez is available here: https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/20-297.html.

Additional Developments


[19] The letter can be found here: https://www.warner.senate.gov/public/_cache/files/5/5/55e585a3-f6a7-45d2-a056-84033d0ce500/96C55D97D21BC0E6DD745FC8AC0A4A6A.epa-fbi-letter-fl-water-cyber-incident-02172021-final.pdf

[20] Microsoft’s blog post can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.

[21] The directive is available here: https://cyber.dhs.gov/ed/21-02/.


Main Menu