Selected Developments in U.S. Law
U.S. Department of Commerce Announces the Establishment of a Global CBPR Forum
On April 21, 2022, Canada, Japan, South Korea, the Philippines, Singapore, Taiwan, and the United States issued a Global Cross-Border Privacy Rules Declaration announcing the establishment of the Global Cross-Border Privacy Rules Forum. U.S. Secretary of Commerce Gina M. Raimondo described the establishment of the Global CBPR Forum as “the beginning of a new era of multilateral cooperation in promoting trusted global data flows” and highlighted its intent to create “first-of-their-kind data privacy certifications that help companies demonstrate compliance with internationally recognized data privacy standards.”
Colorado Issues Pre-rulemaking Considerations for the Colorado Privacy Act
On April 12, 2022, the Colorado Department of Law released its Pre-rulemaking Considerations for the Colorado Privacy Act (CPA), following state attorney general Phil Weiser’s remarks at the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C. The department seeks informal input on several topics in addition to general comments on the CPA. Comments may be provided until the end of August 2022 by using the CPA Comment Form and attending to-be-scheduled informal listening sessions.
Recent Updates in Two Closely Watched Cybersecurity and Privacy-Related Securities Fraud Class Actions
Observers have been awaiting decisions on a number of cybersecurity and privacy securities fraud class actions with potentially important implications for corporate liability. Over the last several months, critical developments emerged in two cases: the defendants’ motion to dismiss was granted in part and denied in part in In re Zoom Securities Litigation, and the Supreme Court denied certiorari to review the Ninth Circuit’s decision reviving the claims in Alphabet Inc. v. Rhode Island.
White House Releases Recommendations to Protect Against Potential Cyber-Attacks
The potential for malicious cyber activity has been a concern for the Biden Administration throughout the evolving crisis in Ukraine (including the imposition of sanctions against Russia). In response to the concern, the Administration, which faced “evolving intelligence that Russia may be exploring options for potential cyberattacks,” released recommendations on March 21, 2022 for companies to protect against cyber-attacks.
President Biden Issues Executive Order Directing Coordinated Federal Approach to Digital Assets
As a result of the rise in digital assets, President Biden signed an Executive Order on March 9, 2022 ordering a review of the nation’s approach to cryptocurrency. The Executive Order on Ensuring Responsible Development of Digital Assets contains broad policy objectives and specific analysis to be conducted by the federal government. The Order identifies several key national priorities related to digital assets and directs the executive branch to carry out the Order through the interagency process that President Biden previously implemented for the National Security Council. The Order directs a broad swath of U.S. federal agencies to analyze and issue assessments related to digital assets, including the viability of a U.S. central bank digital currency, a digital form of U.S. sovereign currency.
Colorado Attorney General’s Office Issues Notice of Invitation for Informal Input on CPA Rulemaking
On March 7, 2022, the Colorado Attorney General’s Office issued to the public an invitation to submit initial input on the CPA and future rulemaking. The Attorney General’s Office is accepting informal comments on any area on which it has the authority to adopt rules and provides examples of input in the invitation. The public has until August 31, 2022 to submit comments.
Senate Passes Significant Cyber Bill Requiring Cyber-Incident Reporting
The Strengthening American Cybersecurity Act of 2022, a bill that narrowly failed to become law last year, was passed in the Senate on Tuesday, March 1, 2022 as a package of cybersecurity measures that would require operators of critical infrastructure and federal civilian agencies to report cyber-incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency. With bipartisan support, the bill was backed by Senators Gary Peters (D-MI) and Rob Portman (R-OH). This marks the most significant cyber bill to make it through the Senate in the chamber’s history, and if passed would be the first significant cyber legislation to pass since the 2015 Cybersecurity Information Sharing Act, which gave companies legal cover to voluntarily share cyber-threat information with the government.
CPPA Expected Not to Meet CPRA Rulemaking Deadline
At a board meeting held by the California Privacy Protection Agency (CPPA) on February 17, 2022, Executive Director Ashkan Soltani announced that the CPPA does not expect to meet the July 1, 2022, statutory deadline for adopting final regulations under the California Privacy Rights Act. The CPPA plans to schedule meetings in March and April to solicit comments from experts and the public.
Georgia Introduces Privacy Bill Stricter Than CCPA – The Top 10 Issues
On January 26, 2022, the Georgia General Assembly introduced the Georgia Computer Data Privacy Act (GCDPA). Despite its title, the GCDPA is not a “computer”-focused bill. It is instead an omnibus privacy statute modeled after California’s Consumer Privacy Act (CCPA).
Incomplete Cybersecurity Compliance Disclosures May Support Fraud Claim Under the False Claims Act, Federal Court Holds
On the heels of a recent Civil Cyber-Fraud Initiative related to cybersecurity practices and the False Claims Act (FCA), a cybersecurity-related FCA case has survived a motion for summary judgment, teeing up a trial to determine if the defendants’ cybersecurity compliance disclosures were materially incomplete and if any misstatements were knowingly made.
EU and U.S. Reach Agreement in Principle on a Replacement for the EU-U.S. Privacy Shield
On March 25, 2022, the European Commission and the United States announced that they have reached an “agreement in principle” on a replacement for the EU-U.S. Privacy Shield, which was invalidated by the Court of Justice of the European Union in 2020. The new framework will be designed to allow personal data to flow freely between the EU and participating U.S. companies and will likely be seen as the main alternative to the standard contractual clauses released by the European Commission last year.
Italian Supervisory Authority Imposes €20 Million Fine on Controller Outside of Europe
The Italian Garante per la Protezione dei Dati Personali published a decision on February 10, 2022 in which it imposed a €20 million fine on a company outside of Europe for violations of the EU General Data Protection Regulation.
U.S., UK, and Australia Issue Joint Cybersecurity Advisory on Ransomware Threat to Critical Infrastructure
On February 9, 2022, the United States, United Kingdom, and Australia issued a Joint Cybersecurity Advisory on the “Increased Globalized Threat of Ransomware” against critical infrastructure sectors. The advisory lists trends in cyber-criminal activity from the last year and also provides mitigation strategies and recommendations to reduce the risk of compromise and the impact of ransomware incidents.
- May 2–5, 2022 – Peter Swire led the panel “Use and Collection of Racial, Ethnic, and Language Data” and Amy Mushahwar presented “To Ransomware and Beyond: the History and Future of Healthcare Cyberattacks” during the Blue Cross Blue Shield 2022 National Summit.
- April 21, 2022 – Kim Peretti and Kate Hanniford partnered with Ankura to present “Secure Data Disposal Strategies: Yes, You Can Delete!”
- April 29, 2022 – Kate Hanniford and BJ Stieglitz presented “Current Threats and Practical Solutions: The Regulatory and Enforcement Landscape” during the Alston & Bird Investment Management, Trading & Markets Symposium.
- April 13, 2022 – David Keating spoke during “State AGs Now Targeting Customer Loyalty Plans of Retailers” at the 2022 NRF Spring Privacy Meeting.
- April 13, 2022 – Sean Sullivan spoke on the panel “Preventing CyberHarm to Patients: Risk Management” at the Health Care Data: Navigating Legal and Operational Challenges Conference hosted by the American Health Law Association (AHLA).
- April 12, 2022 – Peter Swire led the discussion “The Past, Present, and Rapidly Approaching Future: Expert Views on EU/US/UK Data Transfers” along with two senior government officials for Alston & Bird’s annual luncheon during the IAPP Global Privacy Summit 2022.
- April 12–13, 2022 – Peter Swire spoke on the panel “Global Approaches to International Data Flows” at the IAPP Global Privacy Summit 2022.
- March 30, 2022 – Amy Mushahwar spoke on the webinar “Restoring Trust and Integrity to Cybersecurity” hosted by The Knowledge Group.
- March 30–31, 2022 – Kellen Dwyer spoke on the panel “Cyber Security, Privacy and Ransomware: Critical Steps to Take in the 24 Hours Following a Data Breach” during the 13th Annual Managed Care Disputes and Litigation Conference, sponsored by the American Conference Institute, in Chicago.
- March 23–25, 2022 – Kim Peretti spoke on the panel “Cybersecurity: A Fundamental Pillar of Privacy” and Maki DePalo and Dan Felz hosted the panel “Privacy and the Personalized Digital Customer Experience: Adapting Data Practices to Meet a New Era” during the 2022 Privacy + Security Forum, Spring Academy.
- March 22, 2022 – David Teske and BJay Pak presented “Traveling to the Metaverse: What You Need to Unpack re Blockchain, Crypto, and NFTs” during the Alston & Bird Alumni and Client CLE.
- March 21–23, 2022 – Amy Mushahwar spoke on the panel “Practical Tips to an Effective Cybersecurity Compliance” during the 2022 DRI Super Conference – Intellectual Property Litigation Seminar.
- March 15, 2022 – Amy Mushahwar spoke on security during operational digital transformation at the CISO Washington DC Summit hosted by CDM Media.
- March 8, 2022 – Kim Peretti and Amy Mushahwar partnered with CyberVista to host “Cyber Training for the Board and C-Suite.”
- March 3, 2022 – Amy Mushahwar presented “Privacy from the Corporate Perspective” at the Data and Cyber Governance Conference.
- February 23, 2022 – Kim Peretti presented “Women in Cyber™ – Debunking Ransomware Myths & Misconceptions: Lessons from an Expert in the Trenches.”
- February 16, 2022 – David Keating, Amy Mushahwar, Wim Nauwelaerts, Dorian Simmons, and Peter Swire presented “Alston & Bird Data Strategy Webinar Series: A Look Ahead: Privacy in 2022.”
In the News
- March 16, 2022 – Kim Peretti is quoted on the significance of new federal cybersecurity incident reporting regulations in Law360.
- March 15, 2022 – Maki DePalo is noted for representing Corient Capital Partners in its planned acquisition by CI Financial Corp in Global Legal Chronicle.
- March 11, 2022 – Peter Swire is quoted on the implications of the proposed Foreign Intelligence Redress Authority in Bloomberg Law.
- February 28, 2022 – Kellen Dwyer shared his concerns about misfires, misattribution, and miscalculations resulting from non-state actors joining the cyber warfare between Ukraine and Russia in the Wall Street Journal.
- February 11, 2022 – Kellen Dwyer commented on how companies suffering a data breach could be grilled by regulators over their handling of the Log4j cybersecurity risk in Law360.
- February 10, 2022 – Kellen Dwyer commented on a potential timeline for determining restitution following the Bitfinex bitcoin money-laundering arrests in Bloomberg Law, the Los Angeles Times, and MSN.
Publications and Advisories
- March 21, 2022 – Our team published “Blockchain & Digital Assets Advisory: Breaking Down Key Areas of Biden’s Executive Order on Ensuring Responsible Development of Digital Assets,” authored by Kellen Dwyer, Blake Estes, Brian Frey, Ted Kang, Kevin Minoli, Amy Mushahwar, BJay Pak, Kim Peretti, Cara Peterman, Clifford Stanford, David Teske, and Alicia Badley.
- March 17, 2022 – Our Privacy, Cyber & Data Strategy Team published “New Cybersecurity Law Will Require Cyber-Incident Reporting for Critical Infrastructure,” authored by Kellen Dwyer, Kim Peretti, and Kristen Bartolotta.
- March 17, 2022 – Wim Nauwelaerts and Yung Shin Van Der Sype published “Cybersecurity 2022: Belgium,” discussing major laws and regulations in the cybersecurity field for Chambers and Partners.
- March 15, 2022 – Our Privacy, Cyber & Data Strategy, Securities Law, and Securities Litigation Teams published “SEC Proposes Sweeping New Cybersecurity Disclosure Rules for Public Companies,” authored by David Brown, Kate Hanniford, Kim Peretti, Cara Peterman, Rebecca Valentino, Alysa Austin, Kezia Osunsade, and Sierra Shear.
- March 11, 2022 – Our Privacy, Cyber & Data Strategy Team and Investment Management, Trading & Markets Team published “SEC Cements Expectations for Investment Advisers’ and Investment Companies’ Cyber Preparedness and Disclosure,” authored by Blake Estes, Kate Hanniford, Kim Peretti, and Tim Selby.
- March 9, 2022 – Our Privacy, Cyber & Data Strategy Team and Consumer Protection/FTC Team published “FTC Brings Enforcement Action for App’s Collection of Children’s Personal Data in Violation of COPPA,” authored by Kathleen Benway and Kristen Bartolotta.
Kim Peretti Named to Cybersecurity Docket’s 2022 “Incident Response 40”
Kim Peretti has been named to Cybersecurity Docket’s 2022 “Incident Response 40,” marking the sixth time she has been recognized among this select group of leaders in security incident management and data breach response. As described by the publication, the Incident Response 40 celebrates the “40 best data breach response lawyers in the business.”
Amy Mushahwar Recognized as a Leading Woman in Data by Global Data Review
Amy Mushahwar has been named to Global Data Review’s (GDR) “Women in Data 2022” list, recognizing women at the cutting edge of legislation, regulation, and technology around the world. GDR analyzes the law and regulation of the use and trade of data globally.
Alston & Bird Recognized by Chambers Global 2022
Alston & Bird has been recognized in the 2022 edition of Chambers Global, with 10 practices and 16 lawyers cited for excellence, including Privacy & Data Security (Band 4) and Kim Peretti for Privacy & Data Security and Privacy & Data Security: Incident Response (Band 3, Spotlight Table).
Eight Alston & Bird Attorneys Named 2021 BTI “Client Service All-Stars”
Eight Alston & Bird attorneys have been named 2021 “Client Service All-Stars” in BTI Consulting Group’s annual survey of corporate counsel. Described by BTI as the “gold standard” for measuring the “absolute best levels of client service,” the report singles out Privacy, Cyber & Data Strategy attorneys Jim Harvey, Wim Nauwelaerts, and Kim Peretti.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti, David Keating, and Jim Harvey. It is edited by Paul Greaves and Dorian Simmons.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.