In the wake of one of the largest reported medical ransomware attacks in U.S. history, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) last week issued a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and the related sanctions and anti-money laundering (AML) compliance issues. Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions over ransomware payments that violate U.S. sanctions. Continue Reading OFAC and FinCEN Issue Advisories on Cyber Ransom Payments
A two-minute global status update two and a half months after the Schrems II judgment of the CJEU: we are still in the dark, but there is hope for light at the end of the 2020 tunnel. Here are the main events since the judgment:
- Desperately Seeking Guidance: We are still waiting for definitive guidance from the EDPB, which issued FAQs setting out a clear summary of the judgment but did not offer much in terms of practical advice or an outlook for a stable framework to transfer personal data outside the European Union.
- Germans Not Wasting Time: Unable to wait for the EDPB, a German state data protection authority (the Baden-Württemberg Commissioner for Data Protection and Freedom of Information) issued concrete guidance which, while not binding on other authorities, may inspire others to do the same. In a bold move, it also gives recommendations for a revised set of standard contractual clauses (SCCs).
- Playing “Whack-A-Mole” in Ireland: As a direct consequence of the Schrems II judgment, Facebook had to stop relying on the Privacy Shield immediately and attempted to use SCCs to transfer personal data from its Irish to its U.S. companies. The Irish Data Protection Commission issued an order blocking that transfer, but Facebook obtained a temporary stay of that decision from Ireland’s High Court until the court reviews it in November. In the meantime, Facebook appears to have switched grounds again and now to be transferring personal data from Ireland to the United States on the basis of Article 49(1)(b) of the GDPR (claiming that the transfer is necessary for the performance of its contracts with individual users). Unsurprisingly, Max Schrems is disputing that move as well.
- Cruella De Vil and 101 Complaints: None of Your Business (noyb, an organization with strong ties to Max Schrems) filed 101 complaints to stop certain transfers of personal data to the United States, and also exercised data subject access requests to survey the main tech players on how the Schrems II judgment changed their international data transfer practices, but these efforts have not yet yielded many results or much traction.
- Join the Club: Data protection authorities in Switzerland and Israel both followed the CJEU’s lead and declared the Privacy Shield no longer a valid ground for transferring personal data to the United States. This may inspire others in the “club” of countries that have adopted a data protection regime similar to, or compatible with, the GDPR to further scrutinize data transfers to the United States.
- The Empire Strikes Back: The U.S. administration only recently fought back by publishing a white paper explaining that the CJEU failed to take into consideration certain pro-privacy features of its legal regime, and giving arguments to data exporters in the European Economic Area wishing to use SCCs to transfer personal data to the United States. A call for clarity quickly followed.
- Announcing a Christmas Miracle: While talks between the European Commission and the U.S. Department of Commerce are underway “to evaluate the potential for an enhanced EU-U.S. Privacy Shield”, a more realistic option in the short run comes from the announcement by Executive Vice President of the European Commission Margrethe Vestager that revamped sets of SCCs will be issued before the end of the year. As ambitious as this may sound, the commissioner herself recognized that this would only be an “intermediate solution”. A permanent one may come from efforts to achieve a federal data privacy regime in the United States, but it is safe to predict that no such legislative framework will see the light of day in 2020.
On September 15, 2020, the Securities and Exchange Commission issued a cease‑and‑desist order against Unikrn, Inc. concerning its 2017 initial coin offering of UnikoinGold. The SEC found that the Unikrn ICO violated the prohibition in Section 5 of the Securities Act of 1933 against the unregistered public offer or sale of securities. The SEC imposed several remedies, including requiring Unikrn to permanently disable the UnikoinGold token and a civil money penalty of $6.1 million. Continue Reading SEC Issues Enforcement Action Against Unikrn, Inc. for its ICO, Prompting Rare Public Dissent from Commissioner Hester Peirce
Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions. This incident and other recent reports of ransomware attacks against large companies highlight that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks. Continue Reading Ransomware and Sanctions Compliance: Considerations for Responses to Attacks
On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”). While the DOJ and federal law enforcement have generally treated corporate hacking targets as victims in connection with data breaches, the charges against Sullivan reinforce that they will actively pursue any violations of federal law that are committed by entities or individuals during the course of responding to such incidents. Continue Reading DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach
In a landmark enforcement action related to a bank data breach, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million civil monetary penalty and entered into a cease and desist order with the bank subsidiaries of Capital One on August 6, 2020. The actions follow a 2019 cyber-attack against Capital One. The Federal Reserve Board also entered into a cease and desist order with the banks’ parent holding company. The OCC actions represent the first imposition of a significant penalty against a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security. Continue Reading OCC Imposes $80 Million Penalty in Connection with Bank Data Breach
In a highly anticipated landmark judgment handed down on July 16, 2020, the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, summarised in part 3 below) has:
- invalidated European Commission Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield (the “EU-US Privacy Shield”) for transfers of personal data from the EU to entities in the United States certified under the mechanism;
- upheld European Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established outside the EU (the “SCCs”); and
- reiterated that a transfer of data based on SCCs may be challenged before the competent supervisory authority, which has to “suspend or prohibit”, on a case-by-case basis, any such transfer when, in its view, the SCCs “are not or cannot be complied with.”
On June 25, 2020, a federal district court in the Eastern District of Virginia held that a bank must produce in discovery a report generated by its cybersecurity forensic investigator following a 2019 data breach involving unauthorized access to personal information of customers and individuals who had applied for accounts. Even though the report was produced at the direction of outside counsel, the court rejected arguments that the forensic report is protected from disclosure by the work product doctrine. Instead, the court determined that the report was not produced primarily in anticipation of litigation based on several factors, including the similarity of the report to past business-related work product by the investigator and the bank’s subsequent use and dissemination of the report. This decision raises questions about the scope of work product protection for forensic expert and other similar reports in the context of an internal investigation. Continue Reading Federal Court Compels Production of Data Breach Forensic Investigation Report
Last month, the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) warned financial services companies, and particularly smaller firms, of a substantial increase in attempted cyberattacks since the start of the COVID-19 pandemic. In particular, cyber-attacks targeted at bank employees rose in the first quarter of 2020. As of early April, FS-ISAC had also identified over 1,500 fraudulent or phishing websites designed to look like pandemic-related lending or financial support programs to deceive visitors into disclosing sensitive personal information. Continue Reading FS-ISAC Warns that Cyberattacks Against Financial Services Firms Increased Substantially in Response to COVID-19 Mitigation Efforts
On May 5, 2020, the Seventh Circuit Court of Appeals held that a plaintiff has standing to assert a claim under the Illinois Biometric Information Privacy Act (BIPA) even without alleging any economic loss or data breach. The court’s decision in Bryant v. Compass Group USA, Inc. held that merely alleging a failure to receive adequate disclosure or to provide informed consent is sufficient to state a claim, potentially establishing in the Seventh Circuit a low bar for bringing claims under BIPA and other state statutes modeled on it. Continue Reading The Seventh Circuit Holds That Lack of Disclosure and Informed Consent Under Biometric Information Privacy Act Satisfies Article III Standing Requirement