After nearly two years of detailed negotiations, on March 25, 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced an “agreement in principle” on a new Trans-Atlantic Data Privacy Framework (the “Framework”) to re-establish an important legal mechanism to effectuate cross-border transfers of personal data from the EU to the U.S. It is hoped that the Framework will address concerns raised by the decision of the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (2020) (“Schrems II”).

Following the lead of California, Virginia and Colorado, on March 24, 2022, Utah became the fourth state to enact an omnibus privacy law, creating compliance obligations for businesses that collect and process personal data of Utah residents and providing such residents more control over their data.

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which imposes federal reporting requirements for cyber incidents and ransomware attack payments.  The legislation will require covered critical infrastructure entities to report to the Cybersecurity and Infrastructure Security Agency within 72 hours of forming a reasonable belief that a substantial cyber incident has occurred and within 24 hours of making a ransom payment following a ransomware attack.  The reporting requirements will not take effect until implementing regulations are enacted by CISA, which will take time to navigate the rulemaking process.


In October 2021, the U.S. Department of Justice announced the launch of its new Civil Cyber-Fraud Initiative, which aims to hold government contractors and grant recipients accountable for cyber-related fraud under the False Claims Act.

Two recent developments provide insight into how the Justice Department will pursue cases under this new initiative, and reveal the broad conception of cyber fraud the Department is advocating in such cases.

  • Comprehensive Health Services, LLC: On March 8, 2022, the Justice Department announced its first settlement under the Civil Cyber-Fraud Initiative.  Comprehensive Health Services, LLC, a global medical services provider, agreed to pay $930,000 to resolve allegations that it falsely represented to the federal government that it had consistently stored patient records on a secure electronic system.  The Justice Department intervened in the matter, which was brought originally by private whistleblowers, despite the fact that no breach of data was alleged to have occurred.
  • Aerojet Rocketdyne Holdings, Inc.: On February 1, 2022, a federal court in the Eastern District of California mostly denied summary judgment to Aerojet Rocketdyne Holdings, Inc., a defense and aerospace company that is alleged to have falsely represented its compliance with cybersecurity standards for government contractors.  The Justice Department filed a Statement of Interest that was largely adopted by the district court to reject Aerojet’s arguments that its alleged non-compliance was immaterial and did not harm the government.


On March 9, 2022, President Biden signed a wide-ranging Executive Order on Ensuring Responsible Development of Digital Assets (the “Order”).  While the Order does not mandate any particular regulatory prescriptions, it lays out key policy goals for a whole-of-government approach to digital asset regulation and directs the U.S. Government to assess the potential for a U.S. Central Bank Digital Currency (“CBDC”).  Reflecting the rapid growth and adoption of digital assets, the Order identifies potential benefits and risks while signifying that digital assets will be an important focus of U.S. financial regulatory efforts for the Biden Administration.

The Order emphasizes the link between federal action and national security – both in terms of ensuring appropriate regulation and in staking out a U.S. leadership role in developing digital asset technology.  Notably, in an area where some federal agencies have been criticized for moving slowly or failing to coordinate with each other, the Order mandates interagency cooperation on a series of reports, with most to be finished during 2022.  The Order sets the stage for an active and potentially transformative year for U.S. regulation of digital assets.


On March 1, 2022, the U.S. Senate passed by unanimous consent a package of three cybersecurity bills, known collectively as the Strengthening American Cybersecurity Act, which would enhance reporting requirements for certain major cyber incidents and ransomware attacks.  Senators Gary Peters and Rob Portman, who co-sponsored the Act, expressed the urgency of enhancing the nation’s cyber readiness “in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine.”[i]

The SEC and a consortium of 32 states recently announced a $100 million settlement with BlockFi Lending LLC over its crypto lending product, BlockFi Interest Accounts. The SEC alleged BlockFi had violated the securities laws by failing to register its interest-bearing crypto lending product as a security, failing to register itself as an investment company, and making false statements about the risks of its product.

On the heels of this settlement, BlockFi announced that it will seek to register its crypto lending product as a security. While hailed by SEC Chair Gary Gensler as a signal of “the Commission’s willingness to work with crypto platforms to determine how they can come into compliance with” the securities laws, the settlement leaves unanswered important questions for those similarly situated in the industry. However, given the SEC’s short 60-day timeline for BlockFi to come into compliance with the securities laws, the wait for regulatory clarity may not be long.


February 17, 2022 was a busy day for the Department of Justice and its growing cyber portfolio.  First, Deputy Attorney General Lisa O. Monaco delivered remarks at the Annual Munich Cyber Security Conference, stressing the Department’s efforts to confront cyber criminals and its increasing focus on disruption and prevention, even if doing so would limit criminal prosecutions.  Additionally, the Department announced the appointment of the first Director of the National Cryptocurrency Enforcement Team, which was established to address criminal misuse of cryptocurrencies and digital assets.

On January 24, 2022, Securities and Exchange Commission Chair Gary Gensler gave a speech at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute signaling the SEC’s intention to step up its cyber-related regulatory and enforcement efforts.  Gensler described the continued rise in cybersecurity incidents targeting the financial sector as a serious threat to the nation’s economy and critical infrastructure, with costs potentially in the trillions of dollars.

Cybersecurity and data privacy continue to be among the most significant legal risks that businesses face today.

Last year brought a series of high-profile cyberattacks on major companies and U.S. infrastructure targets, continuing the trend seen in recent years. Regulators also brought a number of cybersecurity enforcement actions and announced new rules, guidance, and initiatives on ransomware and other cyber-related issues. In addition, after many years of debate, Congress made some progress in crafting legislation that would require certain companies to report significant cyberattacks and ransomware payments to the U.S. federal government. Companies should expect the demands of cybersecurity risk management and oversight to intensify as we enter 2022.