On March 24, 2022, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act (“UCPA”), which was unanimously passed by the state legislature earlier this month. Utah is the fourth U.S. state to pass a comprehensive privacy law, following California, Virginia, and Colorado. The UCPA will go into effect on December 31, 2023.

The Utah law generally resembles the three existing state privacy models, but closely tracks with the Virginia Consumer Data Protection Act (CDPA) and Colorado Privacy Act (CPA), suggesting that states are shifting away from California’s more stringent strand of privacy regulation toward a version that balances the spirit of the EU’s General Data Protection Regulation (GDPR), in terms of purpose limitation and consumer protection, against the need to avoid overly burdening companies. In fact, the UCPA is seen by some as more business-friendly than legislation passed in Virginia and Colorado: Utah’s law does not require businesses to conduct data protection assessments and does not compel companies to provide a mechanism for consumers to appeal denials of requests to exercise personal data rights.

Continue Reading Utah Passes Comprehensive Privacy Law

Today RopesDataPhiles brings you thoughts from across the pond, with an update on the UK Information Commissioner’s international data transfer agreement and its supporting documentation.

Some days it all comes together.  The sun’s shining in London for what feels like the first time in months.  One of the kids is going on a week-long school trip.  And just when you think it can’t get any better, you remember that the UK Information Commissioner’s international data transfer agreement and its supporting documentation have come into effect, following a period of Parliamentary approval.

As of Monday, 21 March, organisations transferring personal data from the UK have a range of options for papering those transfers.  As you’ll see, it’s going to feel much like the pick ‘n’ mix you get at the cinema, only without the intense initial rush followed by a crippling sense of doom when you realise what’s ahead.  Or maybe it’s exactly like that.

Continue Reading The IDTAs of March

On March 15, 2022, President Biden signed into law significant new federal data breach reporting legislation that could vastly expand data breach notice requirements far beyond regulated entities or entities processing personal data. Unceremoniously tucked as Division Y into the H.R. 2471 Consolidated Appropriations Act, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require “covered entities” —organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber-incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack.

For more details, click here to read Ropes & Gray’s client alert on the expansive new federal breach reporting requirement.

On March 9, 2022, the Securities and Exchange Commission (“SEC”) proposed updates to its disclosure rules intended to “enhance and standardize” public company disclosure regarding cybersecurity risk management, strategy, governance, and incident reporting (the “Proposed Rules”). The Proposed Rules may require issuers to update their disclosure controls and procedures, in particular with respect to determining the materiality of cybersecurity events and providing prompt disclosure.

The Proposed Rules build on a body of pre-existing SEC guidance regarding cybersecurity disclosures. In 2011, the Division of Corporation Finance issued interpretive guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The SEC followed up that guidance with a 2018 statement on cybersecurity disclosure addressing, among other things, the materiality of incidents, updates to risk factors, and board risk oversight. If adopted, the proposed rules make many of these recommendations express requirements, while adding additional clarity and detail regarding cybersecurity risks and practices that must be reported. While the proposed rules are focused on disclosure, if adopted, they may lead issuers to enhance cybersecurity risk management and oversight, as well as to add directors with expertise in cybersecurity.

For more details, click here to read Ropes & Gray’s client alert on the Proposed Rules.

On March 1, 2022, the Senate passed a data breach and cybersecurity bill that could vastly expand data breach notice requirements. The Strengthening American Cybersecurity Act (the “Senate Bill”), which now shifts to the House of Representatives, would require organizations in certain critical infrastructure sectors to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyberincident has occurred, among other measures intended to enhance the nation’s cybersecurity posture. Covered organizations would also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. These provisions are not limited to data breaches affecting personal data and would significantly expand the breadth of data breach reporting requirements to many commercial enterprises that have not focused on consumer privacy issues.

While the bill was criticized by FBI Director Christopher Wray and Deputy Attorney General Lisa Monaco for shifting cyber-focus from the DOJ/FBI to DHS/CISA, it remains likely to pass the House, where similar legislation was supported last year as part of the annual defense authorization package. In addition to its breach reporting provisions, the Senate Bill would also require or encourage new cybersecurity measures for federal agencies, clarify the roles of certain cybersecurity officials and authorize the federal contractor cybersecurity FedRAMP program for five years.

Continue Reading Senate Approves Breach Reporting Legislation; Likely to Pass House

Anxiety is running high as a result of Russia’s invasion of Ukraine, particularly in cybersecurity circles. The 2017 NotPetya attack was a Russian cyber-weapon fired at the Ukraine.  In 2017, NotPetya spread to FedEx, Maersk, Merck, and several other companies, and it would be naïve not to expect a spillover from the 2022 attack.  Indeed, a barrage of similar “wipers” has already been fired in 2022, and reports are circulating that some computers in Lithuania have been impacted.

Many cyber-weapons are delivered through phishing attacks, and companies can take three important steps to help prevent these attacks:

  • Send out a training reminder to all employees about spotting and avoiding phish email that may carry the malware into your environment.
  • Recognize that training will not be enough; increase filtering for malicious messages.
  • Push for multi-factor authentication for remote access to email.

Continue Reading The Ukrainian Cybersecurity Spillover Problem

On February 9, 2022, the SEC published a release addressing Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (“Release”). The Release contained proposed new rules under the Advisers Act (Rules 206(4)-9 and 204-6) and the Investment Company Act of 1940 (Rule 38a-2) and amendments (collectively, the “Proposals”), which would require registered investment advisers (“advisers”) and registered investment companies (“registered funds”) to implement cybersecurity risk management programs and new incident notification regimes. If adopted, the Proposals would:

  • Require advisers and registered funds to disclose detailed information about their “cybersecurity risks” and “cybersecurity incidents” to current and prospective clients and shareholders;
  • Require reporting of any “significant adviser cybersecurity incidents” (which may occur with respect to private funds or clients) and “significant fund cybersecurity incidents” (for registered funds) to the SEC within 48 hours of reasonably concluding an incident occurred; and
  • Require advisers and registered funds to adopt and implement cybersecurity policies and procedures that are reasonably designed to address cybersecurity risks.

The proposed rules would not apply to private funds, which are exempt from the Investment Company Act of 1940 and thus are subject to the FTC’s Safeguards Rule for cybersecurity. The proposed SEC rules would, however, apply to registered investment advisers who advise those private funds. Fortunately, the proposed rules appear to be largely consistent with the FTC’s revised Safeguards Rule.

For more details, you can read Ropes & Gray’s client alert on the Proposals here.

In a recent article in Global Data Review, Ed McNicholas provided insights on a proposal by the Arizona legislature to ban tax-payer funded ransomware payments. The bill, recently introduced in the Arizona House of Representatives, would restrict public entities from paying ransoms demanded by hackers. A companion bill would require that cyber attacks be reported to the director of the Arizona Department of Homeland Security.  While a novel idea, any restrictions on paying ransoms would need to provide exemptions for hospitals and other critical infrastructure. In addition, the bill could inflict serious harms on individuals and infrastructure if it is not paired with significant updates to  public IT systems to protect against ransomware attacks. You can read the full Global Data Review article on the Arizona bill here. We will continue to watch this bill and other state privacy and cybersecurity law developments. Subscribe to RopesDataphiles.com for updates.

In a unanimous decision issued on February 3, 2022, the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park that the Illinois State Workers’ Compensation Act (“WCA”) did not bar claims under the Illinois’ Biometric Information Privacy Act (“BIPA”). In doing so, the court eliminated one significant defense commonly raised in such cases, since many BIPA class actions are brought in the context of employment (many of which were stayed pending the decision in McDonald). Critically, though, the decision does not preclude other potential defenses including claims of federal preemption.

BIPA is one of the most actively litigated privacy statutes in the United States. Among other things, it requires that businesses obtain consent prior to collecting biometric information (fingerprints, facial geometry information, iris scans and the like), issue a publicly available data retention policy, and refrain from certain data sales and disclosures. Because BIPA provides for a private right of action along with statutory damages of $1,000 to $5,000 per violation, it has proved fertile ground for the plaintiff’s bar.

Continue Reading Illinois Supreme Court Finds Illinois Biometric Information Privacy Act Not Preempted By State Workers’ Compensation Law

A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.

Continue Reading Increased EU Scrutiny of US Data Transfers Through Cookie Use