Cybersecurity and Privacy Law Developments in the First Quarter of 2021
Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as social-distancing measures in response to the COVID-19 public health emergency drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter. Click here to subscribe to our Cybersecurity and Privacy list and receive future updates via email, and click here to view all of our quarterly updates.
The first quarter of 2021 began with the U.S. Senate’s enactment of the National Defense Authorization Act for Fiscal Year 2021 to boost the nation’s cyber defense and how the government and private sector handle cyberthreats. With the new administration, Congress continues its efforts to create privacy and cybersecurity legislation, such as the re-introduction of the Information Transparency and Personal Data Control Act, the year’s first proposed comprehensive federal privacy law. Meanwhile, the European Data Protection Board and the European Data Protection Supervisor issued joint opinions on the draft Standard Contractual Clauses under the General Data Protection Regulation. This guidance, provided in response to the Schrems II decision by the EU Court of Justice, highlights the remaining challenges this decision has caused throughout Europe. Back in the United States, states continue to shape the privacy and cybersecurity legal landscape. For example, Virginia joined California as the second state to enact a comprehensive privacy law, and Utah amended its data breach notification law to add an affirmative defense for claims stemming from a data breach.
If you have questions about any of the legal developments highlighted in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.
State Law Developments
- Virginia; Consumer Data Protection Act. On March 2, Virginia Gov. Ralph Northam signed into law the Consumer Data Protection Act (CDPA).[1] Following the landmark California Consumer Privacy Act (CCPA) enacted last year, this makes Virginia the second state or commonwealth in the United States to have enacted comprehensive privacy legislation of general applicability. Modeled on the CCPA, the new privacy law from Virginia will affect businesses across the country when it goes into effect on Jan. 1, 2023. Please see our CDPA analysis for guidance to help businesses comply with the CDPA.
- Utah; Cybersecurity Affirmative Defense Act. On March 11, Utah enacted the Cybersecurity Affirmative Defense Act (CADA), which amends its data breach notification law.[2] CADA provides an affirmative defense in certain causes of action related to data breaches if the entity has created, maintained and reasonably complied with a written cybersecurity program at the time of the breach. Utah, following Ohio, is the second state to create an affirmative defense to claims in connection with a data breach.
- California; CCPA. On March 15, California’s attorney general rolled out amendments to the regulations implementing the California Consumer Privacy Act effective immediately.[3] The new regulations clarified requirements related to the notice of right to opt-out, submission of opt-out requests, and submission of proof by authorized agents and consumers, as well as a technical correction to notice requirements for businesses processing personal information of consumers under 16 years of age. Notably, the revised regulations prohibit “dark patterns” that hinder a consumer’s ability to opt out and provide an optional opt-out icon designed to be used alongside a posted notice of the right to opt-out.
- California; CPRA. On March 17, California Gov. Gavin Newsom, then-Attorney General Xavier Becerra and other California officials named the five board members of the California Privacy Protection Agency (CPPA) for the first time. The CPPA is a new agency created by the California Privacy Rights Act (CPRA). The agency’s purpose is to enforce, implement and educate the public about the CPRA.[4]
[1] The text of Virginia’s Consumer Data Protection Act can be found here: https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf.
[2] The text of Utah’s Cybersecurity Affirmative Defense Act can be found here: https://le.utah.gov/~2021/bills/hbillenr/HB0080.pdf.
[3] The text of the finalized amendments to the CCPA regulations can be found here: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-add-adm.pdf.
[4] The California Privacy Protection Agency announcement can be found here: https://oag.ca.gov/news/press-releases/california-officials-announce-california-privacy-protection-agency-board.
Federal Law Developments
- National Cyber Defense. On Jan. 1, the U.S. Senate voted to override former President Donald Trump’s veto and enact the National Defense Authorization Act for Fiscal Year 2021 (NDAA). Implementing recommendations from the Cyberspace Solarium Commission report last year, the newly enacted NDAA contains various provisions to enhance the nation’s cyber defense and address how the government and private sector combat cyberthreats. Among other developments, Section 1752 of the NDAA creates a Senate-confirmed national cyber director position within the Executive Office of the President to oversee cyber policy; Section 1716 authorizes the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue administrative subpoenas to internet service providers and other companies in order to gather evidence of cyberthreats and vulnerabilities that may impact critical infrastructure; and Section 1705 authorizes CISA to carry out threat-hunting and vulnerability assessment across federal government networks. The NDAA also calls upon the Government Accountability Office to issue a report studying how to improve the cybersecurity insurance market, and requires the Department of Defense to conduct an assessment regarding the creation of a uniformed, civilian or mixed cyber reserve force to remedy shortfalls in expertise and capacity in the event of a major national cyber emergency.
- HHS; HIPAA. On March 9, the Department of Health and Human Services extended the deadline to submit comments to the proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 regulations to May 6, 2021. The proposed regulations would strengthen patient access to information and relax certain privacy standards to eliminate any barriers to coordinated care.
- Federal Privacy Bill. On March 10, Rep. Susan DelBene (D-Wash.) put forth the first proposal of 2021 for a comprehensive federal privacy law by re-introducing the Information Transparency and Personal Data Control Act. The proposed legislation seeks to create a national consumer data privacy standard: (i) by providing enhanced protections to “sensitive” personal information, including children’s data and information covering a person’s finances, health, genetics, biometrics, geolocation, content of oral or electronic communications, personal call detail records, sexual orientation, gender identity, citizenship and immigration status, Social Security numbers, religious beliefs, and web browsing history or application history usage; (ii) by requiring controllers, processors and third parties to obtain specific opt-in consent from consumers before they collect, use or share sensitive personal information; to not use or disclose sensitive personal information in any way that exceeds the limits of consent; to publicly post a “transparent privacy, security and data use policy” that satisfies specific statutory requirements; and to submit an independent privacy audit every two years to the Federal Trade Commission, unless an entity collects, stores, processes, sells, shares or uses personal information of 250,000 or fewer persons in a year; and (iii) by preempting conflicting state laws. The bill does not contain provisions providing consumers with rights of access, correction or deletion. The bill does not provide a private right of action; rather, it provides rulemaking and enforcement authority to the FTC and allows state attorneys general to bring actions on behalf of consumers.[5]
[5] The text of the proposed legislation can be found here: https://www.congress.gov/116/bills/hr2013/BILLS-116hr2013ih.pdf.
Foreign Law Developments
- Joint Opinions on Standard Contractual Clauses. On Jan. 15, the EU’s two General Data Protection Regulation (GDPR) supervisory bodies, the European Data Protection Board and the European Data Protection Supervisor, issued joint opinions on the draft Standard Contractual Clauses that the EU Commission promulgated on Nov. 12, 2020. The SCCs enable lawful data transfers to countries (like the United States) whose data protection does not meet EU standards. The revised SCCs are being issued in response to the European Court of Justice’s Schrems II decision, which found the current version inadequate. The joint opinions generally endorse the draft but suggest several amendments “to bring more clarity to the text and to ensure its practical usefulness in day-to-day operations of the controllers and processors.” Although several steps remain before approval, final implementation is still expected in the first half of this year.[7]
- Territorial Scope of GDPR. On Jan. 15, in a rare case testing the territorial scope of the GDPR, the United Kingdom’s High Court of Justice held that a U.K. citizen could not get GDPR jurisdiction over a U.S.-based investigative journalism website. (The GDPR continues to apply in the United Kingdom during a post-Brexit transition period that extends to June 30, 2021.) The plaintiff alleged libel as well as violation of his rights as a GDPR data subject. Applying the various territorial scope provisions of the GDPR, the court found that the defendant website did not have an establishment in the EU, nor did it offer goods or services to EU residents despite its availability and solicitation of contributions in the EU. The decision is further evidence that GDPR jurisdiction is evolving in a way that is consistent with the U.S. principle of minimum contacts.[8]
- Draft Decision on U.K.’s Personal Data Protection. On Feb. 18, the EU Commission issued a draft decision on the adequacy of the United Kingdom’s protection of personal data. If ultimately adopted, the decision would permit the continued transfer of personal data from the EU to the United Kingdom without violation of the GDPR. Since Brexit, data flows have continued under a temporary “bridging mechanism” that expires on June 30. Several steps remain before the draft decision can become final, including a favorable opinion from the European Data Protection Board and approval by the member states. There has been extensive criticism of the draft, so its future is uncertain, but most observers still expect the June 30 deadline to be met.[9]
[7] The announcement of the joint opinions can be found here: https://edps.europa.eu/sites/edp/files/edpsweb_press_releases/edpb-edps_pressrelease_onsccs_en.pdf.
[8] The decision can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2021/56.html.
[9] At the time of publishing, the draft decision could be found here: https://ec.europa.eu/info/sites/default/files/draft_decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_19_feb_2020.pdf.
Litigation and Enforcement
- FTC; Data Privacy. In January, the Federal Trade Commission announced two proposed settlements with app developers who had allegedly misrepresented to users how their data was being used. The FTC and Everalbum, Inc., a developer of a photo storage app, settled allegations that Everalbum (i) enabled certain facial recognition technology by default despite representations that it would not apply the technology to content without a user’s affirmative choice to do so, (ii) used the facial recognition technology on users’ photos in ways that were not disclosed to users and (iii) failed to delete photos and videos of users who deactivated their accounts as it had promised users it would do. In addition to prohibiting Everalbum from making misrepresentations about its privacy practices and requiring it to obtain express consent from users for the use of any collected biometric information, under the proposed settlement, Everalbum must delete all content of users who deactivated their accounts, all face-related data the company derived from photos of users who did not give express consent to their use, and any facial recognition models or algorithms developed with users’ photos or videos.[10] The FTC and Flo Health, Inc., a developer of a popular period and fertility-tracking app, settled allegations that the company shared millions of women’s health information with third parties that provided marketing and data analytics services to the app, despite promising that such information would be kept private. The FTC alleged that Flo disclosed sensitive health information, such as the fact of a user’s pregnancy, to third parties, including Facebook’s analytics division and Google’s analytics division, and did not limit how third parties could use the sensitive information. As part of the settlement, Flo is prohibited from making misrepresentations about its privacy practices, must notify affected users about the disclosure of their information, and must instruct any third parties that received health information to destroy that data.[11]
- HIPAA Violations; Fifth Circuit. On Jan. 15, the Fifth Circuit vacated a $4.3 million penalty that the Office for Civil Rights had issued against the University of Texas M.D. Anderson Cancer Center. The penalty was levied against M.D. Anderson by OCR after the hospital disclosed three separate security breaches where unencrypted devices were lost or stolen. On appeal from an administrative law judge (who had upheld OCR’s ruling), the Fifth Circuit disagreed with OCR and the administrative law judge’s findings that M.D. Anderson failed to properly comply with the Security Rule and that the loss of an unencrypted device constituted a “disclosure” as defined under the Privacy Rule. With respect to the Security Rule, the court found that even though the particular devices at issue had not yet been encrypted, the fact that M.D. Anderson had policies in place requiring encryption was a sufficient mechanism to satisfy the Security Rule standards. The court also determined that a “disclosure” under the Privacy Rule requires the Covered Entity to be an active participant in the release of protected health information – stolen information did not constitute a disclosure. The Fifth Circuit also focused on M.D. Anderson’s assertion that it had been treated disparately compared to other similar OCR investigations and agreed that while each OCR investigation was a fact-specific inquiry, the agency could not hide behind this fact to “ignore irrational distinctions between cases.”[12]
- Article III Standing; Eleventh Circuit. On Feb. 4, the Eleventh Circuit Court of Appeals, in Tsao v. Captiva MVP Restaurant Partners, LLC, held that data breach victims must show more than a heightened risk of future harm, or costs incurred to mitigate potential harm, in order to establish Article III standing. The plaintiff had alleged that a data breach targeted at a restaurant’s point-of-sale system revealed class members’ credit and debit card information, exposing class members to possible future identity theft and fraud. The court held that a plaintiff alleging threat of future harm does not have Article III standing “unless the hypothetical harm alleged is either ‘certainly impending’ or there is ‘substantial risk’ of such a harm.” The court also held a plaintiff cannot “conjure standing” by incurring costs to mitigate a “non-imminent harm.” With this ruling, the Eleventh Circuit joins the Second, Third and Eighth Circuits, which have declined to find standing based on increased risk of identity theft, and deepened the circuit split with the Sixth, Seventh, Ninth and D.C. Circuits over this issue.[13]
- Warrantless Searches; First Circuit. On Feb. 9, in Alasaad v. Mayorkas, the First Circuit held that searches of cellphones and other electronic devices at the U.S. border do not require a warrant or probable cause. The plaintiffs, 10 U.S. citizens and a lawful permanent resident, challenged Customs and Border Protection and ICE policies that permit border agents to perform “basic” searches of electronic devices without reasonable suspicion and “advanced” searches only with reasonable suspicion. The plaintiffs contended these policies violate the Fourth and First Amendments because they allow agents to conduct searches of electronic devices without a warrant or reasonable suspicion. All of the plaintiffs had undergone warrantless searches of their phones while traveling across the U.S. border. The court, however, held that the searches were constitutional because, under well-established precedent, the plaintiffs had a diminished expectation of privacy at the border and that a warrant was unnecessary under the border search exception to the warrant requirement. The court noted that “given the volume of travelers passing through our nation’s borders, warrantless electronic searches are essential to ... adequately protect the border.” The court also held that “routine” searches at the border do not involve an intrusive search of a “person” and, thus, need not be supported by reasonable suspicion. Further, the court ruled that such searches are not restricted to searches for contraband, as the plaintiffs contended, but may also be conducted to search for evidence of contraband or of a border-related crime.[14] Finally, the court rejected the plaintiffs’ First Amendment challenges, noting that the policies at issue were content-neutral and that a “higher level of suspicion is not generally required to search potentially expressive materials.”[15]
- DOJ; Cybercrime. On Feb. 17, the Department of Justice announced a federal grand jury indictment against three North Korean computer programmers known to the cybersecurity community as the “Lazarus Group” or “Advanced Persistent Threat 38.” The defendants Jon Chang Hyok, 31, Kim Il, 27, and Park Jin Hyok, 36, face multiple charges for a series of cyberattacks allegedly orchestrated by the North Korean military, including the 2014 hack into Sony Pictures, the 2016 theft of $81 million from a bank in Bangladesh, and the 2017 “WannaCry” ransomware attack impacting hundreds of thousands of computers across the globe. In addition to these well-known cyberattacks, the defendants are also allegedly responsible for cyberattacks on banks worldwide targeting about $1.2 billion in funds and cryptocurrency; for schemes that enabled unlimited cash-outs at ATMs; and for cyber-extortion campaigns against Central American online casinos. According to the indictment, Jon, Kim and Park are members of the Reconnaissance General Bureau of the North Korean military, which authorities in the United States and elsewhere have long accused of launching cyberattacks to raise funds for the government, including to enable North Korea’s nuclear program.
- NYDFS; Cybersecurity. On March 3, the New York Department of Financial Services settled with Residential Mortgage Services, Inc. for alleged violations of NYDFS’s Cybersecurity Regulation, 23 NYCRR Part 500. The Consent Order included a $1.5 million fine and required the adoption of multiple security processes. This is NYDFS’s second enforcement action for a violation of the Cybersecurity Regulation, which was effective in March 2017 and implemented by March 2019. The Cybersecurity Regulation requires covered entities to follow certain cybersecurity protocols, standards and procedures.[16]
- Warrantless Searches; First Circuit. On March 23, a First Circuit panel held oral argument in United States v. Moore-Bush, to address police use of pole-mounted cameras to monitor homes without warrants or reasonable suspicion. In this drug-trafficking case, the court considered whether the appeals court had correctly ruled last June that footage obtained from pole-mounted cameras during an eight-month video stakeout of the defendants’ home was admissible. Prosecutors argued that because the defendants’ home was in public view, a camera recording the comings and goings from the property did not qualify as a search triggering the Fourth Amendment. However, the panel was skeptical of this claim. One judge commented that the prolonged observation would “make me feel a little insecure,” while another noted that “there has to be some kind of suspicion of criminal activity” to justify the prolonged use of pole-mounted cameras. The panel also pressed the parties on whether the use of pole-mounted cameras would always constitute a search or whether it becomes a search after a certain amount of time. The defense argued that the surveillance becomes a search “when it goes beyond what a person would expect a reasonably nosey neighbor or passerby to see.” The prosecution, on the other hand, conceded that the duration of the surveillance at issue in the case may present concern. The First Circuit has yet to rule in the case.[17]
- FCRA Article III Standing; U.S. Supreme Court. On March 30, the U.S. Supreme Court heard oral arguments in the class action case TransUnion LLC v. Ramirez, brought by plaintiffs alleging that the credit reporting agency’s inaccurate designation of them as terrorists in violation of the Fair Credit Reporting Act caused reputational harm sufficient for Article III standing and to satisfy Rule 23’s typicality requirement for class certification.[18] In the underlying case, plaintiff Ramirez alleged that TransUnion willfully violated the FCRA by producing erroneous consumer reports without a reasonable procedure to ensure accuracy of the designation of class members as included on the Treasury Department’s Office of Foreign Assets Control list. The district court certified the class of individuals who had received a letter from TransUnion indicating their name was a “potential match” for the OFAC list, although only a limited group of the class had their credit reports shared with any third party. The jury awarded damages to all class members. On appeal, TransUnion asserted that only the representative plaintiff suffered a sufficient “injury in fact” for Article III standing because he was prevented from buying a car as a result of the erroneous credit report. The Ninth Circuit concluded every member of the class demonstrated Article III standing because TransUnion’s actions “exposed every class member to real risk of harm to their concrete privacy, reputational, and informational interests protected by the FCRA.” Oral arguments focused on whether all members of the class met the Article III standing requirements as most recently described in Spokeo v. Robins and whether Rule 23 permits a damages class action when not all members of the class suffered an injury similar to that of the class representative. On the standing issue, a number of the justices focused on whether or not class members had their erroneous credit reports disclosed to third parties. The outcome of this case could impact data security and privacy class action litigation by providing further guidance on the Article III standing requirement for statutory privacy violations.
[10] A copy of the consent order can be found here: https://www.ftc.gov/system/files/documents/cases/everalbum_order.pdf.
[11] A copy of the consent order can be found here: https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf.
[12] The Fifth Circuit’s court decision may be found here: https://www.robinsonbradshaw.com/assets/htmldocuments/MDAnderson.pdf.
[13] The Eleventh Circuit’s court decision can be found here: https://www.robinsonbradshaw.com/assets/htmldocuments/Tsao.pdf.
[14] This aspect of the court’s ruling is counter to the Ninth Circuit’s holding in United States v. Cano, 934 F.3d 1002, 1018 (9th Cir. 2019) (holding that the border search exception “is restricted in scope to searches for contraband”).
[15] The First Circuit court’s decision may be found at Alasaad v. Mayorkas, 988 F.3d 8 (1st Cir. 2021): https://www.robinsonbradshaw.com/assets/htmldocuments/Alasaad.pdf.
[16] The Consent Order can be found here: https://www.dfs.ny.gov/system/files/documents/2021/03/ea20210303_residential_mortgage_0.pdf.
[17] The First Circuit oral arguments for United States v. Moore-Bush are available here: http://media.ca1.uscourts.gov/files/audio/19-1582.mp3.
[18] More information about the U.S. Supreme Court oral arguments for TransUnion LLC v. Ramirez is available here: https://www.supremecourt.gov/search.aspx?filename=/docket/docketfiles/html/public/20-297.html.
Additional Developments
- Public Utility Cyberattack. On Feb. 5, an attacker gained unauthorized access to a computer system at the water treatment facility in Oldsmar, Florida, and attempted to increase levels of sodium hydroxide or “lye” by more than a hundredfold – a hazardous level that could have corroded pipes and poisoned the approximately 15,000 city residents. The cyberattack was discovered fortuitously when a plant operator noticed his mouse cursor move around on his screen, apparently of its own accord, to change the levels. The operator was then able to quickly restore the sodium hydroxide levels after the cyber incident. The attack has drawn increased attention to the vulnerability of our nation’s water supply and other public utilities to cyberthreats. On Feb. 17, Senate Intelligence Committee Chairman Mark Warner sent a letter to the Federal Bureau of Investigation and the Environmental Protection Agency demanding answers around the investigation of the cyberattack and efforts to prevent similar attacks in the future.[19]
- Microsoft Email Breach. On March 2, Microsoft acknowledged via a blog post that a Chinese state-sponsored hacking group had successfully exploited previously unknown “zero day” vulnerabilities in its Microsoft Exchange on-premises products.[20] According to security firm Volexity, which first discovered the vulnerabilities, hackers had been using the zero-day exploits to access victims’ email environments since as far back as Jan. 6. The cyberattack impacted an estimated 30,000 U.S. organizations, including many small and medium-sized companies, universities and government agencies. On March 3, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive to organizations running Microsoft Exchange on-premises products. According to the directive, affected organizations should check for the indicators of compromise and anomalous behavior, deploy the security updates provided by Microsoft and take appropriate steps in the event of compromise.[21]
[19] The letter can be found here: https://www.warner.senate.gov/public/_cache/files/5/5/55e585a3-f6a7-45d2-a056-84033d0ce500/96C55D97D21BC0E6DD745FC8AC0A4A6A.epa-fbi-letter-fl-water-cyber-incident-02172021-final.pdf.
[20] Microsoft’s blog post can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.
[21] The directive is available here: https://cyber.dhs.gov/ed/21-02/.