Dechert Cyber Bits  

Issue 18

Federal Privacy Bill (ADPPA) is Sent to the House Floor but Obstacles to its Passage Remain

On July 20, 2022, the House Committee on Energy and Commerce (“the Committee”) voted 53-2 in favor of advancing The American Data Privacy and Protection Act (“ADPPA”) for full consideration by the House of Representatives. The ADPPA is a comprehensive federal privacy bill that would establish a national framework for protecting consumer privacy. The Committee’s vote to send the ADPPA to the House floor is the first time that a comprehensive federal privacy bill has been advanced to the House or the Senate for a full vote.

Several amendments were made to the bill approved by the House Committee.  In particular, the ADPPA’s private right of action, which has been one of the more heavily debated aspects of the ADPPA, was amended so that it would go into effect two years after the ADPPA’s adoption, rather than after four years, as previously drafted. The ADPPA also was amended to expand the definition of “sensitive personal information.” 

However, crucial aspects of the ADPPA’s ultimate framework remain controversial. Senator Maria Cantwell, the Washington Democrat who chairs the Senate Commerce Committee, remains opposed to the bill in its current form and, according to news reports, has no plans to bring the measure to the Senate floor. She has said previously that she will not support the ADPPA’s enforcement provisions unless they include limits on forced arbitration and a broad private right of action.

There is also debate on the ADPPA’s preemption provisions, which as currently drafted would preempt most of the California Consumer Privacy Act (“CCPA”) and California Consumer Privacy Rights Act (“CPRA”), as well as other states’ privacy statutes. Various critics, including members of Congress, questioned the ADPPA’s preemption scheme, arguing that it would create a regulatory “ceiling” that would block future reforms, rather than a “floor” that would allow states to continue to address new privacy issues as they arise.

The California Privacy Protection Agency (“CPPA)” has shared its concerns about the effects of the ADPPA’s preemption provisions on California’s privacy statute with Congress. Most recently, the CPPA held a special meeting on July 28 to discuss responses to the ADPPA’s preemption provisions.  The CPPA voted unanimously to oppose the ADPPA as currently drafted, expressly stating its opposition to the ADPPA’s preemption clause because it would impose a ceiling on the ability of California and other states to strengthen the privacy rights of their residents in the future. It also voted to oppose any federal bill that would meaningfully weaken California consumer privacy rights and the ability of the CPPA to enforce such rights. 

Takeaway: The Committee’s vote in support of the ADPPA and, if held, a vote on the House floor represent significant steps towards the enactment of a federal privacy bill. However, there is still significant opposition to the ADPPA as currently drafted, and it remains to be seen whether the bill will continue to move forward in the legislative process. Businesses should continue to monitor developments on the ADPPA to see if agreements can be reached on the provisions that continue to divide the Congress.  

DHS Cyber Safety Review Board Issues its First Report, Focusing on Log4j Incident and Response

On July 14, 2022, the U.S. Department of Homeland Security’s Cyber Safety Review Board (“CSRB”) issued its first report (the “Report”) addressing vulnerabilities that were discovered in the Apache Log4j software library, a widely used, open source software that developers have integrated into millions of systems. The CSRB, established pursuant to Executive Order 14028 in February 2022, is comprised of cybersecurity leaders from the federal government and the private sector. Its mission is to investigate and analyze significant cyber incidents in order to develop recommendations for improving cybersecurity.

The CSRB’s Report focuses on a vulnerability in Log4j that was discovered in November 2021. The vulnerability allowed an attacker who gains access to logging messages to “inject fraudulent messages that enable arbitrary code execution and exploitation of a vulnerable system.” When the Log4j vulnerability was publicly disclosed in December 2021, US officials estimated that hundreds of millions of devices around the world had been exposed.

The Report outlines 19 actionable recommendations for the government and industry to address the Log4j vulnerability, including recommendations for mitigating continued risks, to adopt industry-standard vulnerability management practices and build a better software ecosystem. While the CSRB did not identify any significant Log4j-based attacks on critical infrastructure systems, the Report noted that Log4j is an “endemic vulnerability,” and that “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer.”

In a press release accompanying the Report, CSRB Chair and DHS Under Secretary for Policy Robert Silvers said, “The Cyber Safety Review Board has established itself as a new, innovative, and enduring institution in the cybersecurity ecosystem. Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity.”

Takeaway: The CSRB’s Report highlights the significance of broader scale intrusions like the Log4j vulnerability. Organizations that use the Log4j software should review the Report and evaluate whether the Log4j vulnerability has been appropriately addressed in their systems. Specifically, the CSRB recommends that organizations should proactively monitor for and upgrade vulnerable versions of Log4j and use robust business processes to prevent the reintroduction of vulnerable versions of Log4j. On a broader level, the CSRB’s reports can provide insights into preventing or responding to future events.

UK Government’s Proposals for New AI Regulatory Framework

On July 18, 2022, the UK government published an AI Regulation Policy Paper (the “Paper”) outlining its proposed framework for regulating artificial intelligence (“AI”). The framework is described as “pro-innovation” and is built on six proposed cross-sectoral principles that the government anticipates will be implemented by existing regulators such as the Information Commissioner’s Office, Competition and Markets Authority and Medicine and Healthcare Regulatory Authority, depending on the context of use of the AI. 

The core themes of the Paper are flexibility and proportionality. Regulators will have the flexibility to apply a tailored approach to the use of AI within their sectors, which is hoped will create proportionate and adaptable regulation to support the rapid pace of innovation and growth of AI technologies. The Paper specifically calls out the distinction between the EU’s fixed definition of AI set out in its proposed AI Regulation, and the government’s approach of setting out “the core characteristics of AI to inform the scope of the AI regulatory framework but allow regulators to set out and evolve more detailed definitions of AI according to their specific domains or sectors.” In an attempt to compensate for the lack of coherency inherent in a context-driven approach, the Paper proposes the following overarching principles:

(1) Ensuring that AI is used safely.
(2) Ensuring that AI is technically secure and functions as designed.
(3) Ensuring that AI is appropriately transparent and explainable.
(4) Embedding considerations of fairness into AI.
(5) Defining legal persons’ responsibility for AI governance.
(6) Clarifying routes to redress or contestability. 

The government proposes that the principles will be introduced on a non-statutory basis with this position to be kept under review. The Paper invites stakeholder views on the regulation of AI with the public consultation period open until September 26, 2022 ; feedback will be considered with a White Paper to be published in late 2022.  

Takeaway: The context-specific and non-statutory approach proposed by the UK government is in sharp contrast to the centralised approach taken in the EU’s proposed AI Regulation. While it remains to be seen if the UK government will maintain this approach, businesses that are active in the development or use of AI systems should consider providing feedback in the consultation period to seek to take advantage of the UK’s proposed flexible and proportionate system.

China Fines Ride-Share Company Didi US$1.2 Billion for Privacy and Cybersecurity Violations 

On July 21, 2022, China’s cyberspace regulator, the Cyberspace Administration of China (“CAC”), announced that it is imposing an 8 billion yuan ($1.2 billion) fine on the Chinese ride sharing company, Didi Global (“Didi”) for allegedly breaching China’s cybersecurity law, data security law, and personal information protection law. In addition to the fine against Didi, the CAC also imposed personal fines of 1 million yuan ($147,000) against Didi’s chairman and CEO, Cheng Wei, and Didi’s president Liu Qing.

The CAC launched its investigation into Didi over a year ago, just days after Didi’s IPO on the New York Stock Exchange (“NYSE”) on June 30, 2021. Didi’s listing on the NYSE reportedly never received authorization from Chinese authorities, and all 26 of Didi’s apps were taken down from app stores in China in July 2021 after the CAC began its investigation. In December 2021, Didi announced that it had started the process to delist from the NYSE and was preparing a listing in Hong Kong.

In the CAC’s announcement, the CAC said that it found that Didi illegally collected 12 million pieces of “screenshot information” from users’ mobile photo albums, and that it had excessively accumulated 107 million pieces of passenger facial recognition information and 1.4 million pieces of family relationship information, among other violations. The CAC also said that it found “severe security risks” in Didi’s data-processing methods, but that could not be detailed because they related to “national security.” In a separate statement, the CAC said that Didi had “avoided fulfilling the explicit requirements from the regulatory authorities, and maliciously evaded supervision.”

In response to the CAC’s enforcement action, Didi issued a statement acknowledging the CAC’s decision, stating: “We sincerely accept this decision, and resolutely obey it. We will strictly follow the penalty decision and the requirements of relevant laws and regulations, conduct comprehensive and in-depth self-examination, and actively cooperate with supervision and complete rectification carefully.”

Takeaway: The CAC’s enforcement action against DiDi is the latest development in the Chinese government’s heightened scrutiny of the country’s tech sector. Given the intensity of the government’s scrutiny, companies subject to China’s cybersecurity law should follow reports on these actions for the information they can provide about the CAC’s approach to enforcement, including its priorities.

FCC to Investigate Whether US Mobile Carriers are Exposing Their Users’ Geolocation Data

On July 19, 2022, the Federal Communications Commission (“FCC”) Chairwoman Jessica Rosenworcel wrote to 15 top mobile internet service providers requesting information on the companies’ policies for collecting subscriber geolocation data and sharing it with third parties. 

The request asked mobile providers to describe, amongst other items, the type of data collected, the duration and reason for retention, the locations of data centers where the data is stored, the safeguards implemented to protect such data, how the data is shared with third parties, including law enforcement, and whether subscribers have the opportunity to opt-out of having their geolocation data retained. The letters highlight the “highly sensitive nature” of geolocation data, especially when combined with other data types, and the “unique position” mobile providers are in to “capture a trove of data about their subscribers”. 

This is not the FCC’s first investigation into the use of data collected by mobile providers. In February 2020 , the FCC proposed more than $200 million in fines against four major wireless carriers for disclosing customers’ location information without their consent and selling access to that information without reasonable safeguards in place to prevent unauthorized access. The number of companies targeted in the current investigation suggests a broader reach. 

Next steps are uncertain. The FCC’s authority to continue its investigation will depend on the outcome of current deliberations regarding the American Data Privacy and Protection Act (“ADPPA”), which was passed by the House Commerce Committee on July 20. The ADPPA would prevent the FCC from enforcing privacy rules in the telecom sector and grant enforcement authority to the Federal Trade Commission. 

Takeaway: The latest FCC inquiry highlights the agency's strong focus on sensitive personal data and the risks faced by companies handling such data. While the outcome of the investigation is uncertain, companies should review their collection, use and sharing of geolocation data, monitor regulatory and lawmaking activity in this area and consider whether mitigating measures would be necessary. Companies that may rely on geolocation data, or insights derived from geolocation data, to make commercial decisions should stay current with the FCC’s inquiry. 

T-Mobile to Pay $350 Million to Customers to Settle Data Breach Case

On July 22, 2022, T-Mobile agreed to pay $350 million to a fund to settle multiple class-action lawsuits filed after a 2021 data breach, and committed to invest at least an additional $150 million in data security and related technology in 2022 and 2023. 

On August 16, 2021, T-Mobile announced that it had suffered a massive cyberattack compromising the data of approximately 76.6 million U.S. residents, one of the largest data breaches in U.S. history. Following the announcement, multiple putative class action lawsuits were filed against T-Mobile, alleging that it had failed to properly protect personal information. Certain of the allegations focused on the fact that T-Mobile did not implement “rate limiting” solutions, which the lawsuits alleged is an industry-standard practice for data protection to prevent brute force attacks. The lawsuits also contended that T-Mobile failed to properly notify impacted individuals of the breach, preventing them from taking timely steps to prevent further damages. 

T-Mobile denies any wrongdoing. Although the proposed settlement does not provide details on upcoming cybersecurity investments, in a post  published on the same day on its website, T-Mobile committed to (i) creating a Cybersecurity Transformation Office; (ii) engaging in long-term collaborations with industry experts to further transform its cybersecurity program; (iii) investing to enhance its current cybersecurity tools and capabilities; and (iv)  conducting training for its employees. 

Takeaways: The T-Mobile case highlights the significant financial consequences that can follow from a cyber-attack, and the importance of putting in place appropriate security measures and engaging in timely analysis of notification obligations in the wake of a breach. 

Recent News and Publications

FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay

Olaf Fasshauer was ranked in the 2022 publication of German’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as best lawyers in Germany for Data Security and Privacy Law 

Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).

Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).

California Consumer Privacy Act Resource Center

Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.

Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.

Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.

Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).

CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.

SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.

Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).

4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.

California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.

SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.

Posts authored by

Senior Content Editors: Hilary Bonaccorsi

Content Editors: Logan Dalton and Delphine Strohl

Dechert Cyber Bits Partner Committee

Vernon L. Francis
Partner, Senior Editor

Karen L. Neuman
Partner, Co-Chair, Privacy & Cybersecurity
Washington, D.C.

Brenda R. Sharton
Partner, Co-Chair, Privacy & Cybersecurity

“Dechert has assembled a truly global team…. The cross practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis. The privacy and security team collaborates seamlessly across the globe... [with] experienced lawyers that can parachute in, establish client rapport and trust and develop a multifaceted workflow to tackle any client challenge.” -- The Legal 500 USA, June 2021

Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types including nation states, ransom/cyber extortion, vendor/supply chain, DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution oriented advice to clients and counseling on cutting edge data-driven products and services including for trend forecasting, personalized content and targeted advertising across sectors on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.