Global communication network concept.

Dechert Cyber Bits  

Issue 24

U.S. Government Releases Guide of ‘Minimum Baseline’ Cybersecurity Practices for Protecting Critical Infrastructure

The Cybersecurity & Infrastructure Security Agency (“CISA”) has released a guide to help organizations identify and prioritize the most impactful cybersecurity practices. The Cross-Sector Cybersecurity Performance Goals (“CPGs”) “are applicable across all [critical infrastructure] sectors and are

informed by the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners.” The CPGs are intended to be “a minimum baseline of cybersecurity practices with known risk-reduction value” for critical infrastructure entities to implement in order to reduce cyber risk.

CISA Director Jen Easterly noted that the CPGs were created to be “easy to understand and relatively easy to communicate with non-technical audiences, including senior business leadership,” and to support cybersecurity professionals in “making a compelling argument to ensure adequate resources for driving down risk.”

CISA created the CPGs in response to President Biden’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, which required CISA to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. CISA intends to regularly update the CPGs every 6-12 months, and feedback and ideas for new CPGs can be submitted via CISA’s GitHub page.

Takeaway: While the CPGs are voluntary, businesses should note that CISA views the practices described therein as “a floor, not a ceiling” and “a minimum baseline” of cybersecurity best practices. Companies that are arguably considered critical infrastructure should consider adopting these, as companies that do not adopt the CPGs will likely face increased scrutiny in the event of a data breach.

EDPB Consults on New Guidelines on the Identification of the Lead Supervisory Authority

On October 21, the European Data Protection Board (“EDPB”) published an updated version of its guidelines for identifying a controller or processor’s lead supervisory authority (“Guidelines 8/2022”). The updated guidelines aim to clarify previous guidance (“WP244 rev.01”) in cases involving EEA joint controllers.

The Guidelines 8/2022 affirm that joint controllers should allocate responsibilities between them in a clear and transparent manner (“who does what”). The Guidelines 8/2022 also clarify that:

Although joint controllers have to allocate their controller responsibilities between them, they cannot choose a lead supervisory authority if they are located in different jurisdictions: the relevant supervisory authority for each respective joint controller will be determined by the GDPR and will be the authority of the country where such controller has its central administration.

Two or more controllers, acting as joint controllers, also may not designate a common main establishment under the GDPR, as this notion is inherently linked to a single controller and cannot be extended.
Agreements between joint controllers on task allocation are not binding on supervisory authorities, including with regard to the designated point of contact.

The Guidelines 8/2022 clarify that two or more controllers acting as joint controllers do not have the authority to designate a lead supervisory authority in their joint controllership agreement. Each of the joint controllers will be subject to the jurisdiction of its local supervisory authority. It may be challenging in instances of joint controllership to reconcile regulatory approaches that are not aligned. Interested parties can submit comments on the updated parts of the Guidelines 8/2022 until December 2, by using the form provided by the EDBP.

Takeaway: EEA companies acting as joint controllers under the GDPR should carefully review the updated Guidelines 8/2022 and use the opportunity to seek clarification from the EDBP on aspects of the guidance that remain challenging for companies. Joint controller agreements should be reviewed to determine if they: (i) clearly allocate compliance obligations; and (ii) cover contact with data subject and supervisory authorities.

U.S. Congress Report Released on EU-U.S. Data Privacy Framework

On October 24, the U.S. Congressional Research Service published a short report (“CRS Report”) summarizing the issues surrounding the EU-U.S. Trans-Atlantic Data Privacy Framework (“TADPF”). As set out in Cyber Bits Issue 11, the European Commission (“EC”) and the U.S. reached an agreement on a new framework for transatlantic data flows on March 25, 2022, aiming to establish the basis for a new EC adequacy decision.

The CRS Report provides an overview of the background of the TADPF, summarizing the events leading to the cancelation of the Privacy Shield by the Court of Justice of the European Union (“CJEU”) in 2020 and ensuing impacts on EU – U.S. data flows. The CRS Report also highlights the relevant provisions of the Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities signed by President Biden on October 7, 2022.

As set out in the CRS Report, the Executive Order is the latest step towards implementing the TADPF, and aims to address two main concerns raised by the CJEU:

  • the lack of adequate safeguards for data protection: the Executive Order introduces 12 legitimate objectives to carry out intelligence activities (e.g. protecting against terrorism, protecting the integrity of elections, etc.), and four objectives for which no intelligence activities are allowed, (e.g. suppressing criticism or dissent, or suppressing privacy interests); and
  • the lack of an adequate legal remedy: the Executive Order foresees a redress mechanism under the oversight of a new Data Protection Review Court staffed with independent judges.

The CRS Report also highlights two outstanding hurdles that may affect the effective implementation of the TADPF:

  • whether Congress will want to reduce the risk of revocation of the Executive Order by introducing the relevant safeguards through legislation; and
  • whether the EC – and the CJEU – would view safeguards in the Executive Order as sufficient for purposes of an adequacy decision.

Privacy advocates have already criticized the new framework for not sufficiently addressing the concerns raised by the CJEU.

Takeaway: Although the adoption of the Executive Order brought the TADPF one step closer to implementation, significant hurdles remain, subsequent legal challenges are likely, and the viability of the TADPF remains precarious. Companies may want to assess the risks of relying on the new framework for EU-U.S. data transfers before moving away from Standard Contractual Clauses while continuting to monitor the processes in the EU and U.S.

Securing Smart Homes: U.S. to Give Cybersecurity Ratings to IoT Devices in 2023

On October 19, representatives from the U.S. Government, academic institutions, and technology giants—including Amazon, Google, Samsung, and Comcast—gathered at the White House to discuss cyber threats in modern American homes. The conversation focused on the implementation of a national cybersecurity labeling program for Internet-of-Things (“IoT”) devices, with the goals of providing American consumers the peace of mind that the technology they are bringing into their homes is safe, incentivizing manufacturers to meet higher cybersecurity standards, and encouraging retailers to market secure devices.

The White House reported that the participants discussed how best to implement such a program, drive improved security standards for Internet-enabled devices, and generate a globally recognized label. The label, which will likely first appear on common devices such as routers and home cameras in spring 2023, will be a scannable barcode linking to information based on standards, such as software updating policies, data encryption, and vulnerability remediation. The barcode system will also allow for the labels to be updated as needed.

While the White House has not provided details on what the label may look like, Carnegie Mellon University, an attendee at the summit, has created a label and tested it with consumers.

Takeaway: Companies that create, market, and sell home technology products should prepare for the potential impacts of such labels, including consumer pressure to label products, and consider the implications of increased costs associated with updating home technology products (and the accompanying labels) to respond to new and emerging cybersecurity threats.

U.S. Department of Commerce Appoints Members for new Internet of Things Advisory Board

The U.S. Department of Commerce has appointed sixteen experts to the first Internet of Things Advisory Board (“IoTAB”). The IoTAB was created pursuant to the 2021 National Defense Authorization Act, will publicly meet at least twice a year, and includes a range of stakeholders with expertise relating to the Internet of Things (“IoT”).

The IoTAB will advise the IoT Federal Working Group on matters including “the identification of any federal regulations, programs or policies that may inhibit or promote the development of IoT; situations in which IoT could deliver significant and scalable economic and societal benefits to the United States . . .; IoT opportunities and challenges for small businesses; and any IoT-related international opportunities for the U.S.” The appointees will serve two-year terms, and will represent a broad range of disciplines from across academia, industry, and civil society—including organizations like Microsoft, Consumer Reports, Lawrence Berkely National Laboratory, Morgan State University, and TGL Enterprises LLC.

Takeaway: With the White House pushing the implementation of a national cybersecurity labeling program for IoT devices and the establishment of the new IoTAB, it is clear that regulators are increasingly interested in addressing privacy and data security in IoT products. Companies creating IoT-related products should therefore stay up to date on potentially rapid changes in the regulatory landscape.

Recent News and Publications

Read our Dechert OnPoint on the EU’s Digital Markets Act, headlined: The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Published October 25, 2022), by members of the Dechert antitrust practice. The OnPoint discusses the purposes underlying the Act, key provisions, and what to expect in terms of its implementation and enforcement going forward.

Visit Dechert's California Consumer Privacy Act Resource Center

Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.

Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022  (Published in Mass. Lawyers Weekly October 31st issue)

Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in August 15, 2022).

Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).

FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay

Olaf Fasshauer was ranked in the 2022 publication of German’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as best lawyers in Germany for Data Security and Privacy Law 

Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).

Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).

Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.

Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.

Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.

Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).

CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.

SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.

Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).

4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.

California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.

SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.

Posts authored by

Senior Content Editors: Daniel Murdock and Marjolein De Backer

Content Editors: Bailey Dervishi and Delphine Strohl

Dechert Cyber Bits Partner Committee

Vernon L. Francis
Partner, Senior Editor

Karen L. Neuman
Partner, Co-Chair, Privacy & Cybersecurity
Washington, D.C.

Brenda R. Sharton
Partner, Co-Chair, Privacy & Cybersecurity

“Dechert has assembled a truly global team…. The cross practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis. The privacy and security team collaborates seamlessly across the globe... [with] experienced lawyers that can parachute in, establish client rapport and trust and develop a multifaceted workflow to tackle any client challenge.” -- The Legal 500 USA, June 2021

Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types including nation states, ransom/cyber extortion, vendor/supply chain, DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution oriented advice to clients and counseling on cutting edge data-driven products and services including for trend forecasting, personalized content and targeted advertising across sectors on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.