As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.

Continue Reading Closing out the 12 Days of Data: What to Expect in 2022

The onset of the COVID-19 pandemic in 2020 shuttered daycare centers, shifted schools to virtual settings, and fueled the rapid growth of children’s applications and educational technology (“ed-tech”) to facilitate the shelter-in-place childcare and remote learning paradigms. The federal Children’s Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA), as well as numerous state laws protect children’s and students’ privacy when using these platforms. In 2021, increased scrutiny of the data collection practices of these platforms has followed their rapid deployment, as new variants led to renewed restrictions on in-person education and childcare. That scrutiny is likely to continue in the new year, as the use of such platforms persists, even as the pandemic subsides. In this post, we survey the developments during 2021 and assess the future of child and student privacy in 2022.

Continue Reading Trends in Child and Student Privacy

If 2021 is any indication, the Federal Trade Commission (FTC) shows no signs of slowing down in its pursuit of enforcement actions to address a wide variety of alleged privacy and cybersecurity issues. Under the leadership of new chair, Lina Khan, the past year has seen the FTC engage is a variety of new and expanding enforcement actions exhibiting an increasing interest in regulating data privacy and security, as well as other consumer protection areas.

While the FTC has become the de facto regulator for entities that are not subject to other sector-specific regulations, the Commission’s assertion of authority over privacy and cybersecurity matters is limited by its statutory powers under section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” that injure consumers. The FTC’s expansion of that authority to cover privacy and cybersecurity matters has only grown more aggressive in recent years but has also become the subject of close judicial review. Notably, in 2018, the Eleventh Circuit ruled, in LabMD, Inc. v. FTC, that the FTC did not have unlimited authority to dictate the details of companies’ privacy and cybersecurity protections. Earlier this year, the Supreme Court, in AMG Capital Mgmt., LLC v. FTC, held that Section 13(b) of the FTC Act does not allow the FTC to obtain monetary relief in federal court. The FTC has asked Congress to use its authority to remedy this ability, and claims that this constitutes a loss of its “best and most efficient tool for returning money to consumers who suffered losses as a result of deceptive, unfair, or anticompetitive conduct.”

The FTC has pushed for a more expansive view of its authority for several years, and this has only intensified over the last year. Even before the AMG decision, the FTC had been advocating for Congress to address the gap in Section 13(b), which only explicitly provides for the FTC’s ability to order injunctive relief and is silent on monetary relief. While waiting on Congress to address the issue, we expect for the FTC to continue to bring enforcement actions and order restitution and disgorgement via their Section 19 authority, which provides for these types of relief, but only after a final cease-and-desist order, which can be challenged and is subject to review of appellate courts.


Continue Reading FTC Signals Increased Focus on Privacy and Data Misuse

As ransomware attacks continue to proliferate, organizations are facing increasingly complex practical and legal considerations. Ransomware threats can range from simple Ransomware-as-a-Service models to sophisticated attacks with network-wide impacts. In many cases, ransomware attacks involve not only encryption but also data exfiltration with accompanying regulatory and contractual notification obligations. Ransomware attacks are now so pervasive that they were deemed “a direct threat to our economy” by a Treasury Department Press Release. The resulting governmental focus on ransomware will create new and evolving regulatory challenges for organizations experiencing an attack.

Ransomware in 2021

If 2020 initiated a new era of ransomware threat due to pandemic-related shifts to remote work and the associated security risks, 2021 proved that this threat is only likely to increase in 2022, as the toxic mix of host nations accommodating ransomware gangs, the widespread ability of businesses to pay ransomware under insurance policies, the decreasing technical barriers to entry for attackers, and the ready availability of often untraceable cryptocurrency all remain strong. High-profile ransomware attacks in 2021 included the Colonial Pipeline attack, which interrupted gas supplies along the East Coast of the United States and the attack on JBS Food, one of the world’s largest meat producers, which caused panic buying by some consumers. As with other cybersecurity threats, supply chains were also exploited, with the REvil ransomware gang leveraging unauthorized access to Kaseya’s IT administrator software infrastructure to push out a fake software update containing ransomware. In that instance, the FBI was able to provide some assistance by obtaining encryption keys, but victims of future attacks may not be so fortunate.


Continue Reading Ransomware Threat Continues to Explode with New Legal and Regulatory Risks

A pair of government contract-related initiatives may mark a new path for federal cybersecurity efforts.  Past federal initiatives have attempted to use the enormous leverage of federal contract spending to incentivize contractors to protect governmental data, but 2021 saw the Biden Administration launch a significant two-pronged attack on the issue through a new Executive Order and a new civil fraud initiative at the Department of Justice.

Significantly, the Biden Administration’s approach of using an Executive Order to mandate cybersecurity requirements for government contractors and their vendors will affect a large portion of the U.S. economy, without the need for congressional action.  While an Executive Order cannot dictate cybersecurity measures for private companies, the Order does require stricter software security standards for vendors and publication of enhanced National Institute of Standards and Technology (NIST) guidelines that address supply chain security. These provisions would require all vendors who provide services to meet these standards before they could contract with federal agencies.


Continue Reading How FAR Can Raise the Cybersecurity Bar

In 2021, the U.S. Security and Exchange Commission (SEC) continued to stake its claim as a lead regulator for cybersecurity. Going into 2022, we expect the SEC will continue to aggressively scrutinize and pursue enforcement actions related to cybersecurity disclosures by public companies and cybersecurity practices of SEC-regulated entities like broker-dealers and investment advisers.  Moreover, Chair Gensler has announced that the SEC is currently working on a proposal for clearer cybersecurity governance rules, including topics such as “cyber hygiene and incident reporting.”

In many cases, the alleged faults that the SEC has found in the cybersecurity disclosures and practices of these entities go beyond the requirements of any other state or federal cybersecurity regulations. By making itself a leader in its expectations from regulated businesses, the SEC may become the agency that sets industry standard guidance for cybersecurity risk through the SEC mandates formed during its investigations and enforcement actions.


Continue Reading The Future of SEC Cybersecurity Enforcement

It has been eight months since the Supreme Court of the United States decided, in Facebook v. Duguid, that the federal Telephone Consumer Protection Act’s (TCPA) outdated definition of an automated telephone dialing system (ATDS or autodialer) did not cover devices—like most modern phones—which can store numbers that are not randomized. This decision resolved a long-standing circuit split over how to interpret the TCPA, but it has not led to the clarity that many companies desired.

While courts have started applying the narrowed ATDS definition under Duguid, companies engaged in telemarketing are not yet in the clear as many had initially thought in the immediate aftermath of Duguid. A number of trends have emerged that give new teeth to TCPA-like claims, including a spike in cases at the state level, novel legal theories, and a focus on other aspects of the TCPA. Moving into 2022, we expect a continued evolution in complaints brought under state telemarketing laws, and we might also see legislation or FCC guidance intended to update the TCPA so that it applies to modern dialing technologies.


Continue Reading The TCPA, State Analogues, and the Future of Telemarketing Litigation

As 2021 comes to a close, it is a great time to take stock of the present state of affairs with respect to U.S. privacy laws. With the relatively recent passage of comprehensive privacy laws in California, and additional countries adopting laws that closely follow the principles of the EU’s General Data Protection Regulation (GDPR), along with increasing public concerns regarding how companies manage customers’ personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation may finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than federal legislatures that successfully added to the ranks of privacy laws with which businesses will soon need to comply.

Continue Reading Momentum Builds for State Privacy Laws but the Possibility of a Federal Law Remains Remote

On December 15, 2021, Australia and the United States signed an agreement that will make it more efficient for law enforcement agencies in both countries to obtain data about criminal suspects, but it leaves technology companies with concerning questions. The new agreement was forged under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a 2018 statute that enables law enforcement to more easily secure important electronic information about suspected crimes—including terrorism, violent crimes, sexual exploitation of children, and cybercrimes like ransomware or attacks on critical infrastructure—from global technology companies based in the United States. Although the agreement was designed to facilitate law enforcement investigations, it leaves unanswered the encryption privacy questions that have beset preceding agreements.

Continue Reading United States-Australia CLOUD Act Agreement Leaves Encryption Uncertainties

Federal banking regulators have recently moved the goal post for financial institutions that suffer a data breach with approval of a new rule mandating the disclosure of certain cyber incidents within 36 hours after banks determine that a triggering incident has occurred. The rule, which puts in place the fastest regulatory notification clock we have seen in the U.S., was issued by the Federal Reserve, the Federal Deposit Insurance Corporation, and the Treasury Department’s Office of the Comptroller of the Currency, and largely conforms to the notice of proposed rulemaking that the agencies issued in January. The new rule goes into effect April 1, 2022, and covered banks must begin compliance by May 1, 2022—leading many banks to revamp systems designed to give notice in 30 days.

The new rule comes at a time in which cyberattacks are a larger problem than ever and show no sign of slowing. Financial institutions have always been major targets but have recently suffered an even greater barrage. While the Bank Secrecy Act and the Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice already require banks to provide the agencies with information regarding certain computer security incidents, the new rule encapsulates regulators’ desire for even more rapid alerts regarding a wider range of such events. According to the banking regulators, the new rule will promote early agency awareness of the most serious threats, helping banks and their supervisory agencies address these threats before they endanger the entire financial system.


Continue Reading Banking Rule Sets a New Bar for Cyber Incident Notification Timelines