Dechert Cyber Bits
Issue 51 - March 14, 2024
Biden Administration Issues Executive Order Restricting Bulk Transfers of U.S. Citizens' Personal Data to “Countries of Concern”
On February 28, 2024, President Biden issued an Executive Order (“EO”) to address the supposed national security threat posed by certain countries' attempts to access Americans' sensitive personal data and U.S. Government-related data. The EO is the Biden Administration’s response to concerns about foreign powers and state-sponsored actors using sensitive personal data for intelligence collection and economic espionage.
The EO defines "sensitive data" to include biometric, financial, genomic, geolocation, and health data, among other personal identifiers. It directs the Attorney General, in consultation with the Secretary of Homeland Security and other heads of relevant agencies, to issue proposed rules within 180 days that would restrict U.S. persons from engaging in bulk data transactions with foreign countries or nationals that meet certain enumerated criteria. These proposed rules strive to clarify several open-ended criteria in the EO, such as identifying specific categories of "data transactions" that pose an unacceptable risk to national security that should be prohibited or restricted.
The EO establishes a framework for the Attorney General to identify particular countries as “countries of concern,” and aims to create a new DOJ program to combat foreign exploitation of U.S. data by those nations. The EO also aims to regulate transactions with "covered persons." Such “covered persons,” which can be entities or individuals, also will be designated by the Attorney General and selected based on their relationships with countries of concern. Further, the EO aims to enhance existing DOJ authority to address data security risks. The DOJ also is considering prohibiting data-brokerage transactions and certain genomic-data transactions, and restricting vendor (including cloud-service), employment and investment agreements. Once the proposed rules are promulgated, there will be a 45-day notice and comment period.
Takeaway: The EO, issued under the International Emergency Economic Powers Act, is likely to significantly increase the DOJ's power to enforce data-related issues involving foreign interference. In particular, the EO is expected to have a sizable impact on persons and companies involved in international data exchanges. For now, however, the specifics on what kinds of data and transactions are affected remain vague pending forthcoming rulemaking by the Attorney General.
FTC Settlement with Avast Includes Ban on Selling Browsing Data and a $16.5 Million Fine
On February 22, 2024, the U.S. Federal Trade Commission (“FTC”) announced a proposed settlement with Avast Limited and Avast Software s.r.o. (collectively, “Avast”), and Avast Limited’s subsidiary Jumpshot Inc. (“Jumpshot”), to resolve allegations that consumers’ browsing information had been collected and distributed in identifiable form to third parties in violation of Section 5 of the FTC Act. According to the FTC’s complaint (“Complaint”), Avast installed on consumers’ computers and mobile devices browser extensions and antivirus software that collected browsing information, and Jumpshot sold identifiable browsing information drawn from that data to third parties. The FTC alleged that these sales occurred despite representations that (i) the software was intended to prevent tracking activity, (ii) Avast and Jumpshot would not sell such browsing information, and (iii) consumer browsing information would be transferred only after it had been aggregated and de-identified. Avast and Jumpshot have not admitted to any wrongdoing in connection with the settlement.
Under the FTC’s proposed decision and order (“Proposed Order”), Avast and Jumpshot would be required to pay $16.5 million to the FTC. Among other things, they also would: (i) be prohibited from selling or sharing browsing information from Avast products, or using browsing information for advertising purposes without express consent; (ii) be prohibited from misrepresenting the purposes for holding, the anonymization of, or other protections surrounding sensitive information; (iii) be required to delete all Jumpshot data, and any products or algorithms derived from that data, held by Avast, Jumpshot, or third parties; (iv) be required to provide notice of Avast and Jumpshot’s misuse of information to consumers; and (v) be required to implement a comprehensive privacy program. The Commissioners’ joint statement (“Joint Statement”) argued that the facts in this matter “underscore the sensitivity” of browsing records, and explained that such sensitive personal information must receive “heightened privacy obligations and a default presumption against its sharing or sale,” as the FTC already requires for precise geolocation data, biometric data, and health information.
Takeaway: The Avast settlement follows the X-Mode and InMarket settlements, discussed here and here, as the latest in a string of recent enforcement actions where the FTC alleges a failure to properly collect, safeguard, or process purportedly sensitive personal information. Companies should handle browsing and location data with care, given that the FTC considers it to be sensitive data.
UK Data Regulator Orders Company to Stop Using Facial Recognition for Employee Monitoring
In a February 19, 2024 enforcement notice (“Notice”), the UK Information Commissioner’s Office (the “ICO”) ordered leisure facilities operator Serco to stop using facial recognition technology and fingerprint scanning to monitor the attendance of more than 2,000 employees at 38 Serco-operated leisure facilities.
Serco processed biometric data as a controller or joint controller with seven community leisure trusts on whose behalf it operated various facilities, to monitor employee attendance for the purpose of attendance checks and subsequent payment for employees’ time worked. Serco had argued that using biometric technology for these purposes was the only way to prevent “buddy punching and falsified timecards” and that biometric solutions are “more accurate and secure than cards or keys, because a fingerprint or face scan cannot be lost, stolen or (easily) replicated.”
The ICO was not convinced. According to the Notice, Serco failed to demonstrate a lawful basis for its processing, in particular the necessity and proportionality of using facial recognition and fingerprint scanning for this purpose, because less intrusive means of checking attendance, such as ID cards and fobs, were available. Moreover, the ICO found that the processing of biometric data was highly intrusive and had the potential to cause distress to data subjects, while no genuine alternative was offered to employees. Serco had stated that alternative mechanisms were available, but did not explain what these were, and policies stated that employees were expected to use the biometric system and could be subject to disciplinary action if they refused. The ICO’s analysis also looked at the imbalance of power between employee and employer which, according to the ICO, made it unlikely that employees would feel able to object to the collection and use of their biometric data for monitoring attendance.
The ICO ordered Serco and the associated community leisure trusts to cease processing biometric data to monitor employee attendance and, within three months, to delete all biometric data that they are not legally required to retain.
Takeaway: The ICO’s latest enforcement action highlights its focus on biometric data, with the Commissioner, John Edwards, saying that the action “serves to put industry on notice that biometric technologies cannot be deployed lightly. [The ICO] will intervene and demand accountability, and evidence that they are proportional to the problem organizations are seeking to solve.” Organizations wishing to make use of biometric technologies, in particular those operating in the UK, will want to undertake careful analysis of the risks and benefits and document their assessments.
FTC Warns AI (and Other) Companies Against Surreptitious Changes to Their Terms of Service or Privacy Policies
The U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) released its Cybersecurity Framework (“CSF”) 2.0 on February 26, 2024.
The NIST Cybersecurity Framework is a set of best practices for organizations to use in building their cybersecurity programs. It provides guidance on how to prepare for, respond to, and recover from cyber incidents. CSF 2.0 builds on NIST’s original version, designed and released in 2014 as a tool that owners and operators of critical infrastructure, such as banks and utilities, could implement voluntarily. According to NIST, CSF 2.0 is meant to provide guidance to a broad range of users, from “the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication.” In an effort to encourage the implementation of CSF 2.0 among this more diverse range of entities, NIST created Quick Start Guides that distill the CSF into actionable steps organizations can use to get started.
CSF 2.0 contains three notable changes. First, CSF 2.0 creates a new “govern” function, encouraging organizations to view cybersecurity through the lens of the entire enterprise by setting a strong foundation and focusing on the management of the people and policies intended to prevent and address cyber events. Second, CSF 2.0 places greater emphasis on supply chain and vendor security. For example, CSF 2.0 contains a section that provides organizations with the tools necessary to manage and respond to cyber threats within supply chains. Finally, CSF 2.0 expands its target audience for critical infrastructure issues beyond businesses by making the Framework’s guidelines applicable to smaller organizations, including schools and nonprofits.
Takeaway: Since its introduction in 2014, the NIST CSF has served as a benchmark that private sector companies can use in designing and developing their cybersecurity programs. The latest updates, and in particular the addition of NIST CSF 2.0’s “govern” function, track the U.S. Federal Trade Commission’s recent enforcement actions, such as requiring board-level oversight of companies’ cybersecurity programs. Companies should therefore prepare for further regulatory action based on the best practices found in CSF 2.0.
California Bill Introduced to Expand Access to Opt-Out Preference Signals
On February 16, 2024, California State Assembly Member Josh Lowenthal introduced Assembly Bill 3048 (“AB 3048”) to provide consumers with a universal opt-out preference signal in their browsers or devices. A universal opt-out signal would give consumers a one-step mechanism to exercise their privacy preferences regarding the sale and sharing of their personal information: the user’s browser or device sends businesses a signal indicating that the user opts out of data sharing. Under the bill, businesses would be prohibited from developing or maintaining browsers and devices without providing customers with the option of sending a preference signal and subsequently honoring the customers’ selection.
AB 3048 has received support from the California Privacy Protection Agency (“CPPA”), which in a statement asserted that AB 3048 will make it easier for consumers to exercise opt-out choices because they will no longer need to “opt-out at each business one-by-one.” According to the CPPA, some smaller browsing vendors have already implemented such practices; under the bill, other providers would be required to implement the use of preference signals.
Takeaway: California has consistently demonstrated a more demanding approach to protecting consumers’ personal information. If AB 3048 is passed, California would become the first U.S. state to mandate that browser vendors directly support the use of universal opt-out preference signals. Companies should be prepared for consumer data to become less accessible if AB 3048 is passed.
Dechert Tidbits
White House Urges Use of Memory-Safe Programming Languages
On February 26, 2024, the U.S. Office of the National Cyber Director (“ONCD”) published a report titled “Back to the Building Blocks: A Path Toward Secure and Measurable Software” (the “Report”) underlining the need to address vulnerabilities in certain programming languages that can be exploited by malicious actors. The Report outlines two strategic approaches: (1) reducing cyberattack opportunities by preventing certain vulnerability types from entering the digital ecosystem; and (2) anticipating systemic security risk by enhancing diagnostics that measure cybersecurity levels. According to the White House, “[l]eading technology companies, academics, and civil society organizations” have generally been supportive of this initiative, though some computer scientists have cautioned that there is no “magic wand” to translate “all existing software … to a memory-safe language.”
EDPB’s New Coordinated Enforcement Effort Turns to Right of Access
On February 28, 2024, the European Data Protection Board (“EDPB”) initiated its Coordinated Enforcement Framework (“CEF”) action for 2024, involving 31 Data Protection Authorities (“DPAs”) across the European Economic Area. The focus for this year is the implementation of the right of access, a key data protection right that allows individuals to verify if their personal data is being processed compliantly. As part of the CEF, DPAs will send questionnaires to organizations, initiate formal investigations, and follow up on ongoing investigations. The results will be analyzed collectively, leading to potential further supervision and enforcement actions. This initiative is the third under the CEF, which was adopted on October 20, 2020. Previous CEF initiatives focused on the use of public sector cloud services in 2022 and the role of Data Protection Officers in 2023.
UK ICO and U.S. FCC Sign Memorandum of Understanding
The U.S. Federal Communications Commission (“FCC”) and the UK's Information Commissioner’s Office (“ICO”) have announced a formal partnership to collaborate on enforcement matters related to unlawful robocalls, robotexts, and the protection of consumer privacy and data. The partnership acknowledges the need for international cooperation to protect consumer privacy and data, especially as consumers share vast amounts of personal information with global telecommunications carriers.
HHS Announces HIPAA Cybersecurity Settlement
On February 21, 2024, the U.S. Department of Health and Human Services (“HHS”) announced through its Office for Civil Rights (“OCR”) that it had reached its second-ever settlement in response to a ransomware attack that caused violations of the Health Insurance Portability and Accountability Act, as amended (“HIPAA”). According to HHS OCR’s press release, the ransomware attack targeted a Maryland-based behavioral health practice, Green Ridge Behavioral Health, and it impacted nearly 15,000 individuals. The settlement mandated that Green Ridge pay $40,000 and enter into a corrective action plan that will be monitored by OCR for three years.
We are honored to have been recognized in The Legal 500 2023, Chambers USA 2023, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.
Recent News and Publications
- Tribunal Overturns UK ICO’s Enforcement Action Against Clearview AI (Dechert OnPoint published November 8, 2023)
- 5 Takeaways from ICO's Biometric Recognition Guidance (Published in Law360, October 18, 2023)
- Bridge Over Troubled Data Flows: UK-US Data Bridge Approved (Dechert OnPoint published September 22, 2023)
- US-EU Plan On AI Illustrates Differing Opinions On Regulation (Published in Law360, August 2, 2023)
- SEC Final Rule Exempts ABS Issuers from New Cybersecurity Disclosure and Reporting Requirements (Dechert OnPoint published August 16, 2023)
- SEC Finalizes Cybersecurity Disclosure Rules for Public Companies (Dechert OnPoint published August 7, 2023)
- Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework (Dechert OnPoint published July 11, 2023)
- EU General Court Examines Data Anonymisation and Pseudonymisation (Dechert OnPoint published May 25, 2023)
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Exploiting Public Health Data for R&D: UK Progresses Secure Data Environments (Dechert OnPoint published July 20, 2023)
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 edition of Germany’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) among the best lawyers in Germany for Data Security and Privacy Law.
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Content Editors
Julie Jones, James Smith, Theodore Yale, and Anna Ziegler
Production Editors
Daniel Murdock and Madeleine White
Senior Editor
Partner Committee
Paul Kavanagh, Benjamin Sadun, Kevin Cahill, and Timothy Blank
Dechert Cyber Bits Partner Committee
Brenda R. Sharton
Partner, Chair, Privacy & Cybersecurity
Boston
brenda.sharton@dechert.com
Timothy C. Blank
Senior Counsel
Boston
timothy.blank@dechert.com
Kevin F. Cahill
Partner
Los Angeles
kevin.cahill@dechert.com
Dr. Olaf Fasshauer
National Partner
Munich
olaf.fasshauer@dechert.com
Vernon L. Francis
Partner, Senior Editor
Philadelphia
vernon.francis@dechert.com
Paul Kavanagh
Partner
London
paul.kavanagh@dechert.com
Laura Rossi
Partner
Luxembourg
laura.rossi@dechert.com
Benjamin Sadun
Partner
Los Angeles
benjamin.sadun@dechert.com
"Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation."
"The privacy and security team collaborates seamlessly across the globe when advising clients."
- Quotes from The Legal 500, 2023
Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types including nation states, ransom/cyber extortion, vendor/supply chain, DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution oriented advice to clients and counseling on cutting edge data-driven products and services including for trend forecasting, personalized content and targeted advertising across sectors on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.