As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.

Continue Reading Closing out the 12 Days of Data: What to Expect in 2022

As ransomware attacks continue to proliferate, organizations are facing increasingly complex practical and legal considerations. Ransomware threats can range from simple Ransomware-as-a-Service models to sophisticated attacks with network-wide impacts. In many cases, ransomware attacks involve not only encryption but also data exfiltration with accompanying regulatory and contractual notification obligations. Ransomware attacks are now so pervasive that they were deemed “a direct threat to our economy” by a Treasury Department Press Release. The resulting governmental focus on ransomware will create new and evolving regulatory challenges for organizations experiencing an attack.

Ransomware in 2021

If 2020 initiated a new era of ransomware threat due to pandemic-related shifts to remote work and the associated security risks, 2021 proved that this threat is only likely to increase in 2022, as the toxic mix of host nations accommodating ransomware gangs, the widespread ability of businesses to pay ransoms under insurance policies, the decreasing technical barriers to entry for attackers, and the ready availability of often untraceable cryptocurrency all remain strong. High-profile ransomware attacks in 2021 included the Colonial Pipeline attack, which interrupted gas supplies along the East Coast of the United States, and the attack on JBS Foods, one of the world’s largest meat producers, which caused panic buying by some consumers. As with other cybersecurity threats, supply chains were also exploited, with the REvil ransomware gang leveraging unauthorized access to Kaseya’s IT administrator software infrastructure to push out a fake software update containing ransomware. In that instance, the FBI was able to provide some assistance by obtaining decryption keys, but victims of future attacks may not be so fortunate.
Continue Reading Ransomware Threat Continues to Explode with New Legal and Regulatory Risks

A pair of government contract-related initiatives may mark a new path for federal cybersecurity efforts.  Past federal initiatives have attempted to use the enormous leverage of federal contract spending to incentivize contractors to protect governmental data, but 2021 saw the Biden Administration launch a significant two-pronged attack on the issue through a new Executive Order and a new civil fraud initiative at the Department of Justice.

Significantly, the Biden Administration’s approach of using an Executive Order to mandate cybersecurity requirements for government contractors and their vendors will affect a large portion of the U.S. economy, without the need for congressional action.  While an Executive Order cannot dictate cybersecurity measures for private companies, the Order does require stricter software security standards for vendors and publication of enhanced National Institute of Standards and Technology (NIST) guidelines that address supply chain security. These provisions would require all vendors who provide services to meet these standards before they could contract with federal agencies.
Continue Reading How FAR Can Raise the Cybersecurity Bar

In 2021, the U.S. Securities and Exchange Commission (SEC) continued to stake its claim as a lead regulator for cybersecurity. Going into 2022, we expect the SEC will continue to aggressively scrutinize and pursue enforcement actions related to cybersecurity disclosures by public companies and the cybersecurity practices of SEC-regulated entities such as broker-dealers and investment advisers. Moreover, Chair Gensler has announced that the SEC is currently working on a proposal for clearer cybersecurity governance rules, including topics such as “cyber hygiene and incident reporting.”

In many cases, the alleged faults that the SEC has found in the cybersecurity disclosures and practices of these entities go beyond the requirements of any other state or federal cybersecurity regulations. By making itself a leader in its expectations from regulated businesses, the SEC may become the agency that sets industry standard guidance for cybersecurity risk through the SEC mandates formed during its investigations and enforcement actions.
Continue Reading The Future of SEC Cybersecurity Enforcement

Federal banking regulators have recently moved the goalposts for financial institutions that suffer a data breach with approval of a new rule mandating the disclosure of certain cyber incidents within 36 hours after a bank determines that a triggering incident has occurred. The rule, which puts in place the fastest regulatory notification clock we have seen in the U.S., was issued by the Federal Reserve, the Federal Deposit Insurance Corporation, and the Treasury Department’s Office of the Comptroller of the Currency, and largely conforms to the notice of proposed rulemaking that the agencies issued in January. The new rule goes into effect April 1, 2022, and covered banks must begin compliance by May 1, 2022—leading many banks to revamp systems that were designed to give notice in 30 days.

The new rule comes at a time in which cyberattacks are a larger problem than ever and show no sign of slowing. Financial institutions have always been major targets but have recently suffered an even greater barrage. While the Bank Secrecy Act and the Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice already require banks to provide the agencies with information regarding certain computer security incidents, the new rule encapsulates regulators’ desire for even more rapid alerts regarding a wider range of such events. According to the banking regulators, the new rule will promote early agency awareness of the most serious threats, helping banks and their supervisory agencies address these threats before they endanger the entire financial system.
Continue Reading Banking Rule Sets a New Bar for Cyber Incident Notification Timelines

In the wake of major cybersecurity incidents, it is becoming increasingly common for shareholders to bring derivative lawsuits alleging that the officers or board members failed to exercise proper governance over cybersecurity. Some companies have paid settlements to resolve such matters, but few derivative actions have ended in judgment on the merits in favor of plaintiffs, largely because plaintiffs are rarely able to show that directors failed to execute their oversight responsibilities. A recent ruling by the Delaware Court of Chancery dismissing a derivative lawsuit against Marriott International, Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW (Del. Ch. Oct. 5, 2021), reiterates that directors who monitor cybersecurity governance, work to mitigate cyber risks, and seek outside advice on data protection issues will usually not face liability.

Continue Reading Marriott Data Breach Ruling Puts Corporate Boardrooms on Notice

Recognizing the persistent and increasingly sophisticated nature of cyber incidents threatening the safety and security of the U.S., the Biden administration is launching a new bureau focused on cybersecurity and digital policy. On October 27, 2021, Secretary of State Antony Blinken formally announced a plan to establish a Bureau of Cyberspace and Digital Policy, which includes appointing a special envoy to address critical and emerging technologies. The new bureau and special envoy will address issues such as cyber threats, digital freedom, and surveillance risks, and will coordinate with the U.S.’s allies to establish international standards on emerging technologies.

Continue Reading State Department Makes Cybersecurity a Priority

Attorneys for Blackbaud and the putative class action plaintiffs allegedly impacted by the publicly traded software company’s data breach last year were scheduled to meet last month to discuss a possible resolution of the remaining claims in the multi-district litigation (MDL). But the only filings in the case since then concern a contemplated amended complaint, suggesting the MDL is entering a new phase rather than nearing a conclusion.

The planned mediation and order regarding the expected new pleading came several days after Blackbaud announced, along with strong third-quarter financial results, that it has nearly exhausted its $50 million in relevant insurance coverage.

“Based on our review of expenses incurred to date, and upon consideration of the number of matters outstanding,” the company reported, referring to hundreds of customer requests for reimbursement in addition to the putative consumer class actions in the U.S. and Canada, “we believe that total costs related to the Security Incident will exceed the limits of our insurance coverage during the fourth quarter of 2021.” The company, whose fundraising and constituent-relationship software is widely used by nonprofits, noted that breach-related costs would “negatively impact our [Generally Accepted Accounting Principles] profitability and cash flow for the foreseeable future.”
Continue Reading Blackbaud Ransomware Litigation Update

Preeminent privacy scholar and George Washington University Law School professor Daniel Solove joined Ropes & Gray’s virtual conference on “The Future of Global Data Protection” for a wide-ranging discussion with Edward McNicholas, co-leader of the Ropes & Gray data, privacy & cybersecurity practice, in which the pair explored:

  • The state of complexity and inconsistency in the international privacy law landscape
  • The inherent flaws in the models on which privacy laws are currently based
  • The risks of moving toward a regulatory model
  • Theories of harm in data breach cases
  • The role of the courts in adjudicating privacy laws

Please see below for an overview of some of these topics, or, to access a recording of the session, please visit our blog: RopesDataPhiles.
Continue Reading How Data Breaches Are Shaping the Global Data Protection Debate

On October 27, 2021, the FTC updated its financial services cybersecurity Safeguards Rule and made other revisions to its associated privacy rule. The FTC also issued a request for comment on a new proposed 30-day data breach notification rule for financial institutions subject to its jurisdiction. The updated Safeguards Rule breaks new ground for the FTC by requiring specific security controls and accountability measures expressly modeled on the New York Department of Financial Services cybersecurity rule. For entities covered by the Safeguards Rule, these changes will require prompt review, since many of the newly required controls will take time to implement if they are not already in place. Among other things, the Safeguards Rule will now require multifactor authentication (or compensating controls) for any individual accessing information systems that store customer information, encryption of all customer information both in transit and at rest (again with the option of alternative compensating controls), and updates to record retention procedures. The revisions also dictate specific governance controls by requiring reporting, at least annually, to a board of directors or senior officer about the institution’s security posture, and the adoption of a formal incident response plan.

Continue Reading FTC Updates Safeguards Rule To Specify Security Requirements