Cybersecurity and Privacy Law Developments in Q4 of 2020PDF
Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as social-distancing measures in response to the COVID-19 public health emergency drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter. Click here to subscribe to our Cybersecurity and Privacy list and receive future updates via email, and click here to view all of our quarterly updates.
The fourth quarter of 2020 was marked by a heated U.S. presidential election and contentious transfer of power, the worst phase yet of the COVID-19 pandemic, the discovery of a massive cyberattack against the U.S. government and the addition of Justice Amy Coney Barrett to the U.S. Supreme Court. These events will no doubt influence how cybersecurity and privacy law will evolve in the future. In the meantime, there were plenty of legal developments in the fourth quarter of 2020 as described in our update summaries. For example, among other U.S. developments, California voters approved the California Privacy Rights Act to further strengthen and enforce that state’s consumer privacy protections; various federal regulators rolled out new requirements for cybersecurity and individual access to protected information; outgoing President Trump signed into law the Internet of Things Cybersecurity Improvement Act; and the U.S. Supreme Court heard oral argument in two cases expected to resolve circuit splits regarding the scope of the Computer Fraud and Abuse Act and the Telephone Consumer Protection Act. Meanwhile, the implications of the Schrems II decision by the EU Court of Justice continued to unfold in Europe, with new guidance on cross-border data transfers and new requirements for Standard Contractual Clauses under the General Data Protection Regulation. Finally, Canada has proposed legislation that would dramatically revise its national privacy laws to implement a more stringent framework similar to GDPR. If you have questions about any of the legal developments that are described below in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.
State Law Developments
- California; CCPA. On Oct. 12, California’s attorney general released a third round of proposed modifications to the regulations implementing the California Consumer Privacy Act (CCPA). The attorney general made revisions concerning the notice of right to opt-out, submission of opt-out requests and submission of proof by authorized agents and consumers, along with a technical correction to notice requirements for businesses processing personal information of consumers under 16 years of age. These modifications were subject to comment until Oct. 28.
- California; CPRA. On Nov. 3, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which amends the CCPA to expand privacy protections further and creates the California Privacy Protection Agency (CalPPA), a new privacy watchdog agency to implement and enforce the privacy law. Among other changes, the CPRA expands the definition of “sensitive personal information” and adds new consumer rights for limiting use of such data. California consumers also will have the right to request the correction of their personal information held by a business. The CPRA becomes operative Jan. 1, 2023, but some CPRA changes will take effect sooner. For example, the CPRS extended the CCPA’s exemptions for collected personal information related to HR records and B2B communications through Jan. 1, 2023. Additionally, the CalPPA will be created, funded and empowered to issue rulemakings, and must finalize these regulations by July 1, 2022. Although the CalPPA will not begin enforcing the CPRA until July 1, 2023, businesses should begin to comply with the CPRA provisions related to personal information collection sooner, because the CPRA enforcement provisions have a “look back” period to Jan. 1, 2022.
- California; CCPA. On Dec. 10, California’s attorney general published a fourth round of modifications to the CCPA’s implementing regulations. These modifications revise the third set of proposed modifications from Oct. 12 and contain minor changes related to the requirements for providing notice of right to opt out of the sale of personal information. These notice requirements now only apply to businesses that actually sell personal information of California consumers. The attorney general made these modifications in response to public comments received on the third set of proposed modifications, and they were open to public comment until Dec. 28.
 The third set of modifications to the CCPA regulations is available here: https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-notice-of-third-mod-101220.pdf.
 The full text of the CPRA may be found here: https://www.robinsonbradshaw.com/assets/htmldocuments/CPRA.pdf
 The fourth set of modifications to the CCPA regulations is available here: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-prop-mods-text-of-regs-4th.pdf.
Federal Law Developments
- OFAC; Ransomware. On Oct. 1, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory entitled “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” Ransomware is a type of malicious software designed to deny access to a computer system or data (often by encrypting data) until the victim pays a ransom to the attacker. As ransomware attacks become more widespread, the OFAC issued the advisory as a warning to companies that may be involved in facilitating ransom payments on behalf of victims such as financial institutions, cyber insurance carriers and data security firms handling incident response. The OFAC’s advisory explains that making or facilitating a ransomware payment to a cyberthreat actor could violate U.S. sanctions laws and OFAC regulations if the actor turns out to be subject to U.S. economic sanctions or linked with a sanctioned entity. For example, the WannaCry 2.0 ransomware that infected approximately 300,000 computers in over 150 countries during May 2017 has been linked to the Lazarus Group, a cybercriminal organization sponsored by North Korea and designated on the OFAC’s Specially Designated Nationals (SDN) and Blocked Persons List. Notably, the OFAC pointed out that civil penalties for sanctions violations may be imposed based on strict liability, meaning that a company could be liable even if it did not know or have reason to know that a ransom payment was made to a person prohibited under sanctions laws and OFAC regulations. The advisory encourages companies that may be involved in facilitating ransomware payments to review the OFAC’s Economic Sanctions Enforcement Guidelines (31 C.F.R. part 501, appx. A) and to implement a risk-based compliance program which specifically accounts for the risk that a ransomware payment may involve an SDN or blocked person or a comprehensively embargoed jurisdiction such as Iran, Syria, North Korea and the Crimea region of Ukraine.
- CFPB; Access to Financial Records. On Oct. 22, the Consumer Financial Protection Bureau (CFPB) issued an advance notice of proposed rulemaking (ANPR) requesting input on issues related to consumer access to financial records. This ANPR stems from the CFPB’s implementation of Section 1033 of the Dodd-Frank Act of 2010, which provides consumers with general data access rights. As technology innovation has grown in the financial services industry, this ANPR marks an attempt by the CFPB to regulate third parties with access to consumer data and not otherwise subject to existing federal privacy law applicable to the financial sector such as the Gramm-Leach Bliley Act of 1999. The ANPR was published in the Federal Register on Nov. 6, 2020, and the public may submit comments until Feb. 4, 2021.
- DOD; Cybersecurity. On Nov. 30, the Department of Defense’s new interim rule about contractor cybersecurity went into effect. Under this interim rule, Assessing Contractor Compliance with Cybersecurity Requirements (DFARS Case 2019-D041), almost all defense contractors and subcontractors will be required to implement cybersecurity programs that are certified under the Cybersecurity Maturity Model Certification (CMMC) framework. For this process, an accredited third-party assessor must certify a cybersecurity program at one of five cumulative levels (meaning a higher level includes the lower levels). Level 1 identifies 17 basic requirements for “basic cyber hygiene” that are equivalent to the general government contractor cybersecurity requirements spelled out in Federal Acquisition Regulation 48 CFR 52.204-21; Level 2 includes additional practices to support “intermediate cyber hygiene”; Level 3 aligns with full adherence to the familiar National Institute of Standards and Technology (NIST) SP 800-171 Rev 1 requirements; and Levels 4 and 5 require “proactive” and “progressive” cybersecurity programs, respectively, with additional practices derived from Draft NIST SP 800-171B and various other heightened cybersecurity standards. The DOD’s contract solicitations will specify the certification level required by each contractor and subcontractor. Such requirements are expected to be in almost all DOD contracts by 2025.
- Internet of Things; Cybersecurity. On Dec. 7, President Trump signed into law the Internet of Things (IoT) Cybersecurity Improvement Act of 2020. Although focused on IoT devices owned or controlled by the federal government, the law will impact government contractors who produce or supply IoT devices as well as other manufacturers in the supply chain, and it marks an important step toward greater regulation of IoT cybersecurity. This new federal law requires the NIST to develop and publish guidelines concerning government IoT devices within 90 days. The NIST’s guidelines must include minimum information security requirements for managing cybersecurity risks associated with IoT devices and must address secure development, identity management, patching, configuration management and security vulnerability management. The NIST must also, within 180 days, publish guidelines on processes for the disclosure and resolution of security vulnerabilities relating to federal information systems, including IoT devices. Once the NIST standards are implemented, federal agencies generally will be prohibited from procuring or using IoT devices if doing so would prevent compliance with the new NIST requirements.
- HHS; Access to Health Information. On Dec. 10, the Office of Civil Rights (OCR) for the U.S. Department of Health and Human Services issued a notice of proposed rulemaking as part of the HHS’s “Regulatory Sprint to Coordinated Care.” The Proposed Rule aims to strengthen individuals’ right to access to their medical records and improve information sharing for care coordination for individuals. In particular, the Proposed Rule would shorten the period of time covered entities have to respond to requests for information and allow individuals to take cell phone photos of their protected health information (PHI). Further, the Proposed Rule would make changes so that it is clear that providers may share PHI for individual-level care coordination and case management uses and disclosures. Finally, the Proposed Rule would give providers greater flexibility to disclose PHI in emergencies and life-threatening circumstances. Comments to the Proposed Rule are due 60 days after publication of the Proposed Rule in the Federal Register.
- Financial Regulators; Cyber Incident Notification. On Dec. 18, the Office of the Comptroller of the Currency, board of governors of the Federal Reserve System and Federal Deposit Insurance Corporation published a notice of proposed rulemaking related to cyber incident notification. Under the proposed rule, a banking organization would be required to notify its primary federal regulator as soon as possible (and no later than 36 hours) after the banking organization believes in good faith that a “computer-security incident” has occurred which, broadly speaking, could “materially disrupt, degrade or impair” its ability to serve customers, result in a "material loss of revenue, profit or franchise value” for any of its business lines, or jeopardize operations whose “failure or discontinuance … would pose a threat to the financial stability of the United States” (dubbed a “notification incident”). In addition, a service provider that provides services as described under the Bank Service Company Act (BSCA) would be required to notify at least two individuals at the affected banking organization immediately after the service provider has experienced a computer-security incident that it believes in good faith could disrupt, degrade or impair the provision of services subject to the BSCA for four or more hours. Comments on the proposed rule are due 90 days after its publication in the Federal Register.
 The OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments may be found at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.
 The CFPB’s advance notice of proposed rulemaking is available here: https://files.consumerfinance.gov/f/documents/cfpb_section-1033-dodd-frank_advance-notice-proposed-rulemaking_2020-10.pdf.
 The text of the CFPB’s advance notice of proposed rulemaking on consumer access to financial records may be found in the Federal Register at https://www.govinfo.gov/content/pkg/FR-2020-11-06/pdf/2020-23723.pdf. The CFPB’s press release may be found at https://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-releases-advance-notice-proposed-rulemaking-consumer-access-financial-records/.
 The DOD’s interim rule is available here: https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf.
 The IoT Cybersecurity Improvement Act of 2020 is available here: https://www.congress.gov/116/bills/hr1668/BILLS-116hr1668eh.pdf.
 A copy of the proposed rulemaking by the Office of Civil Rights for the Department of Health and Human Services may be found at https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf.
 The financial regulators’ press release about a proposed cybersecurity incident notification requirement, including a link to the text of the proposed rule, may be found at https://www.fdic.gov/news/press-releases/2020/pr20141.html.
Foreign Law Developments
- Europe; Cross-Border Data Transfers. On Nov. 11, the European Data Protection Board (EDPB), the European government body responsible for consistent application of the General Data Protection Regulation, issued its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.” These recommendations address transferring personal data between the U.S. and Europe in light of the Schrems II decision by the EU Court of Justice in July 2020, which invalidated the EU-U.S. Privacy Shield. While the GDPR’s other lawful bases for cross-border data transfers remain in effect, such as Standard Contractual Clauses (SCCs), the EDPB’s recommendations stress that companies must assess the threat of government access to data and, where warranted, adopt “supplementary measures” to add to the protections provided by the SCCs. The recommendations also provide several examples of technical, contractual and organizational measures that companies might employ for this purpose, such as leveraging data encryption and pseudonymisation.
- Europe; Cross-Border Data Transfers. On Nov. 12, the European Commission (executive branch of the EU) published a draft implementing decision that contains replacements for the current SCCs. In substance, the new SCCs reflect the concerns raised by the EU Court of Justice’s Schrems II decision, including by imposing obligations on both the data exporter and importer to assess and guard against threats to data security in the recipient country. In form, the new SCCs are modular, with generally applicable provisions followed by modules that are specific to the particular exporter-importer relationship (e.g., controller-to-processor). The draft decision envisions a one-year transition period during which the current SCCs can still be used.
- Canada; Privacy Legislation. On Nov. 17, the Canadian government proposed legislation that would significantly revise the country’s national privacy laws. The proposed legislation, including the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, would move Canada’s privacy laws even closer to Europe’s GDPR and tries to ensure that Canada addresses the concerns raised by the EU Court of Justice’s Schrems II decision related to protecting personal data against access and use by law enforcement and other government agencies. Among other changes, the proposed new law would provide Canadians with enhanced rights of data access, transparency and data portability, and would carry fines of up to 5% of revenue or C$25 million.
- Europe; Encryption. On Nov. 20, the Council of the EU adopted a resolution underlining its support for the development, implementation and use of strong encryption as a necessary means of protecting fundamental rights and the digital security of citizens, governments, industry and society, but also acknowledging the need for legitimate law enforcement access to encrypted data. Although the resolution in simply a forward-looking policy statement without direct legal effect, it is yet another reminder for U.S. companies that encryption will likely be a core element of data transfers from the EU in the medium and longer term.
- U.K./Europe; Cross-Border Data Transfers. On Dec. 28, the EU and the United Kingdom reached an agreement to allow the free flow of data between the United Kingdom and EU countries for up to six months, or until such earlier time as the EU adopts an adequacy decision concerning the United Kingdom’s data protection laws. Although Brexit took effect on Jan. 1, 2021, during this extended transition period the United Kingdom will continue to be treated as a member of the EU for purposes of cross-border data transfers.
 The EDPB’s “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” are available here: edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf (europa.eu).
 The European Commission’s draft implementing decision on the SSCs is available here: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.
 The proposed legislation is available here: Government Bill (House of Commons) C-11 (43-2) - First Reading - Digital Charter Implementation Act, 2020 - Parliament of Canada.
 The Counsel of the EU’s resolution on encryption may be found at https://data.consilium.europa.eu/doc/document/ST-13084-2020-REV-1/en/pdf and the accompanying press release may be found at https://www.consilium.europa.eu/en/press/press-releases/2020/12/14/encryption-council-adopts-resolution-on-security-through-encryption-and-security-despite-encryption.
 The announcement of this agreement by the U.K.’s Information Commissioner’s Office is available here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/12/ico-statement-in-response-to-uk-governments-announcement-on-the-extended-period-for-personal-data-flows-that-will-allow-time-to-complete-the-adequacy-process/.
Litigation and Enforcement
- FTC; Zoom Settlement. On Nov. 9, the FTC announced a proposed settlement with Zoom Video Communications, Inc. to resolve claims that Zoom unfairly and deceptively compromised user security. Zoom allegedly made misleading claims about its encryption practices while providing a lower level of encryption than promised and deceptively installed software that allowed the Zoom application to bypass browser safeguards, to reinstall itself after deletion, and to launch Zoom meetings automatically. As a result of the settlement, Zoom must implement a comprehensive written information security program, with specific features intended to address the unfair and deceptive actions alleged in the FTC’s complaint. In particular, Zoom must review any software updates for security flaws and confirm that such updates do not bypass third-party security features. Zoom must obtain biennial assessments of its security program by an independent third party, provide reports and certifications to the FTC and notify the FTC of any future data breach. Additionally, Zoom is prohibited from making misrepresentations about its privacy and security practices, its security features and the extent to which users can control privacy and security of their information. Notably, two FTC commissioners dissented from the approval of the consent agreement with Zoom. In their dissents, Commissioner Chopra argued the FTC should take new enforcement steps with large technology companies, and Commissioner Slaughter objected to the consent agreement’s failure to address privacy concerns adequately.
- BIPA; S.D. Ill. On Nov. 12, in Hazlitt v. Apple Inc., an Illinois federal judge allowed an attempted class action against Apple Inc. under Illinois' Biometric Information Privacy Act (BIPA) – which governs the use, collection, storage, protection and retention of biometric information – to remain in federal court as to one of its claims, while sending the rest of the lawsuit back to state court. The plaintiffs in the action allege Apple violated Subsections 15(a), 15(b) and 15(c) of the BIPA by collecting the facial geometry of iPhone users and individuals who appear in photos taken with the user’s iPhone without following certain requirements and procedures imposed by the BIPA. The court, however, following Seventh Circuit precedent, ruled that the plaintiffs’ allegations that Apple violated Section 15(a) of the BIPA by failing to create a written and publicly available policy on biometric information retention and deletion did not show the plaintiffs had suffered the kind of “concrete, particularized injury” needed to bring a lawsuit in federal court, as Section 15(a) creates only a duty owed “to the public generally.” The court similarly held the plaintiffs had not shown a particular injury related to Section 15(c), because that section prohibits an entity from profiting off of biometric information, and the plaintiffs did not allege Apple had actually sold or profited off of their individual facial geometry. Instead, they alleged only that Apple was profiting by marketing and selling its devices by featuring its facial-recognition technology, which the court said is not prohibited under the BIPA. However, the court allowed the plaintiffs’ claim that Apple had collected facial geometry without obtaining written consent necessary under Section 15(b) to proceed, and indicated that Apple’s further arguments against that claim would have to wait to be examined later in the case.
- CFAA; U.S. Supreme Court. On Nov. 30, the Supreme Court held oral arguments for Van Buren v. United States to address the federal circuit split on the thorny question of “exceed[ing] authorized access” under the Computer Fraud and Abuse Act (CFAA). In this case, a police officer appealed the Eleventh Circuit’s decision to affirm his CFAA conviction for “exceeding authorized access” by accessing police databases for improper personal purposes. Both parties looked to the text of the CFAA, which defines “exceed authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(a)(2). The government argued for a broad reading of “so to obtain or alter” – focusing on the word “so” such that an improper purpose for obtaining information by someone with permission to access a computer would violate the CFAA. In contrast, the officer argued that “so” only applied to the initial permission to access the computer itself and not to the purpose for accessing the information. Some justices pushed back against the government’s interpretation, such as Justice Sonia Sotomayor who expressed the following concern: “My problem is that you are giving definitions that narrow the statute that the statute doesn’t have. You’re asking us to write definitions to narrow what could otherwise be viewed as a very broad statute and dangerously vague.” Still, other justices questioned the officer about privacy risks associated with the officer’s narrow interpretation. Although this particular case involves criminal liability, the Court’s decision on this question will impact the scope of both criminal and civil liability under the CFAA and resolve the circuit split.
- TCPA; U.S. Supreme Court. On Dec. 8, the Supreme Court heard oral arguments in Facebook, Inc. v. Duguid, a case addressing the federal circuit split as to what constitutes an “automatic telephone dialing system,” or “autodialer,” under the Telephone Consumer Protection Act (TCPA). In the absence of guidance from the Federal Communications Commission, some federal courts have concluded that an autodialer is any system that is capable of automatically dialing – or texting – stored numbers; other federal courts have held the definition of autodialer is narrower and requires use of “a random or sequential number generator.” In circuits adopting the broader definition of autodialer, TCPA class action litigation has grown exponentially in recent years. The Supreme Court arguments focused on the application of grammatical rules to the text of the TCPA, Congress’s purpose in adopting the TCPA and the changes in technology since the law was adopted nearly 30 years ago. The Court’s decision is expected to resolve the circuit split and impact the prevalence of TCPA litigation.
- FTC; Section 6(b) Inquiry. On Dec. 14, the FTC announced its issuance of nine broad information and document production orders to social media and video streaming companies. These orders seek information related to how the companies collect, use, track, estimate or derive personal or demographic information; how they determine which ads and other content are shown to consumers; whether they apply algorithms or data analytics to personal information; how they measure, promote and research user engagement; and how their practices affect children and teens. The FTC issued the orders to Amazon.com Inc., ByteDance Ltd. (which operates TikTok), Discord Inc., Facebook Inc., Reddit Inc., Snap Inc., Twitter Inc., WhatsApp Inc. and YouTube LLC under Section 6(b) of the FTC Act, which authorizes the FTC to conduct studies that do not have a specific law enforcement purpose. In their joint statement on the matter, three FTC commissioners outlined their broad-reaching goals of the Section 6(b) inquiry of the business practices, incentives and privacy impacts of social media and video streaming services.
- FTC; Safeguards Rule. On Dec. 15, the FTC announced a proposed settlement with Ascension Data & Analytics, LLC, a mortgage industry data analytics company, for alleged violations of the Gramm-Leach-Bliley Act Safeguards Rule, including failure to ensure that its vendor adequately secured personal data about tens of thousands of mortgage holders. Ascension allegedly failed to develop, implement and maintain a comprehensive information security program as required by the Safeguards Rule. The FTC also alleged that Ascension failed to ensure that one of its vendors was adequately securing personal data, failed to require the vendor by contract to implement and maintaining appropriate safeguards for customer information, and failed to conduct risk assessments on its vendor as required by the Safeguards Rule. The FTC alleged that one of Ascension’s vendors was storing sensitive information about mortgage holders, such as names, dates of birth, social security numbers, loan and financial information, and drivers’ license numbers, on a cloud-based server without protections to prevent unauthorized access. Under the proposed settlement, Ascension must implement a comprehensive information security program, undergo biennial assessments of the effectiveness of its program by an independent third party, provide reports and certifications to the FTC, and notify the FTC of any future data breach.
 The FTC’s announcement of the settlement with Zoom, including links to the settlement document and the dissenting statements, may be found here: https://www.ftc.gov/news-events/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-practices-part-settlement.
 The Illinois federal court’s decision may be found at Hazlitt v. Apple Inc., Case No. 3:20-CV-421-NJR: https://www.robinsonbradshaw.com/assets/htmldocuments/Apple.pdf
 The U.S. Supreme Court oral arguments for Van Buren v. United States are available here: https://www.supremecourt.gov/oral_arguments/audio/2020/19-783.
 The U.S. Supreme Court oral arguments for Facebook, Inc. v. Duguid are available here: https://www.supremecourt.gov/oral_arguments/audio/2020/19-511.
 The FTC announcement can be found here: https://www.ftc.gov/news-events/press-releases/2020/12/ftc-issues-orders-nine-social-media-video-streaming-services. The FTC Commissioner statement can be found here: https://www.ftc.gov/system/files/documents/public_statements/1584150/joint_statement_of_ftc_commissioners_chopra_slaughter_and_wilson_regarding_social_media_and_video.pdf.
 The FTC announcement can be found here: https://www.ftc.gov/news-events/press-releases/2020/12/mortgage-analytics-company-settles-ftc-allegations-it-failed. The proposed settlement can be found here: https://www.ftc.gov/system/files/documents/cases/1923126ascensionacco.pdf.
- SolarWinds Breach. On Dec. 13, Reuters broke the news that a massive breach of federal government computer systems had been discovered, including unauthorized access to email systems at the Department of Commerce and Department of the Treasury. The cybersecurity breach resulted from a so-called “supply-chain attack” in which the attackers concealed malicious code within legitimate software updates for the SolarWinds Orion Platform that is widely used for managing information technology resources. This allowed the attackers to gain a foothold within a victim’s network that they could then leverage to gain elevated credentials and broader unauthorized access. SolarWinds acknowledged the attack and explained that its Microsoft Office 365 accounts had been compromised. SolarWinds also disclosed that up to 18,000 customers could have been affected, including numerous federal government agencies and Fortune 500 companies. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks. On Jan. 5, 2021, the CISA and other U.S. cyber-intelligence agencies, including the FBI and NSA, issued a joint statement indicating “that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks” from the SolarWinds hack.