Dechert Cyber Bits
We are honored and humbled to have been named Law360 Privacy and Cybersecurity Practice Group of the year for 2022! Congratulations to the team and thank you to our clients for entrusting us with the types of matters that led to this honor and for your confidence in us. See links to Dechert's announcement and the Law360 announcement.
FBI Seizes Hive Ransomware Servers—Blocks US$130 Million in Demanded Ransoms
On January 26, Attorney General Merrick Garland announced that the Department of Justice dismantled the “Hive” ransomware group, which had targeted more than 1,500 victims worldwide since June 2021. Between June 2021 and June 2022, Hive extorted over US$100 million in ransom payments, targeting hospital systems, school districts, food service companies, and other organizations.
Attorney General Garland explained the FBI infiltrated the Hive network in the summer of 2022 and began disrupting Hive’s attempts to extort victims—primarily by providing decryption keys to Hive’s victims. Since July 2022, the FBI and DOJ have assisted more than 300 victims, thwarting Hive’s efforts to collect approximately US$130 million in ransom payments. The FBI was assisted by U.S. and international law enforcement partners.
In July 2021, the Biden Administration launched the Ransomware and Digital Extortion Task Force, combining assets from DOJ and the U.S. Department of Homeland Security. The U.S. Department of the Treasury has estimated ransomware attacks cost U.S.-based organizations US$886 million in 2021. The DOJ’s dismantling of the Hive group is the latest example of federal law enforcement’s commitment to cybersecurity and data privacy.
Takeaway: This was a welcome victory for law enforcement vis-à-vis the organized crime syndicates that sponsor ransomware or carry out attacks via ransomware as a service. With a renewed vigor from the federal government post-Colonial Pipeline and post-Ukraine invasion, we hope and expect that law enforcement will continue to expend significant effort to disrupt these syndicates in 2023. In the interim, companies should continue to focus on prophylactic measures such as phishing training, multi-factor authentication, incident response planning, the deployment of EDR tools and good cybersecurity policies and hygiene, among other things. Read our additional resources on how to protect yourself from ransomware attacks in the Harvard Business Review HERE and HERE.
New Cybersecurity Laws Come into Force in the EU
The EU has updated its cybersecurity laws to set minimum standards for cybersecurity across the bloc, and to strengthen the resilience of entities which service the EU’s critical infrastructure.
The Directive on measures for a high common level of cybersecurity across the Union (“NIS 2”) is an update to NIS 1 and extends the range of service providers subject to cybersecurity requirements, which are somewhat general in nature. NIS 2 sets out reporting obligations and minimum standards of risk-management measures for qualifying entities who operate in key sectors including energy, banking and finance, health, digital infrastructure and space. Whether entities fall within the scope of NIS 2 will depend on their size and the nature of the services they provide.
“Essential” and “important” entities must register with their competent authority and report any incidents which have a “significant impact” on the provision of their services within 24 hours. They will also have to take appropriate measures to manage their cyber risks such as implementing cybersecurity policies, cyber hygiene practices, and training. EU Supervisory Authorities (“SAs”) will be given new enforcement powers including the power to issue fines of up to €10 million or 2% of the entity’s total worldwide annual turnover in appropriate cases. Crucially, there are also direct obligations on senior management who can be found personally liable for infringements (which could result in fines and/or a ban from managerial functions).
The Directive on the resilience of critical entities (“CER”) imposes obligations on “critical” entities operating in key sectors to enhance their resilience and safeguard services which are integral to the functioning of the EU market. Critical entities will be required to (i) conduct risk assessments identifying risks which could disrupt the provision of their essential services; (ii) create and implement resilience plans; and (iii) report all incidents which significantly disrupt, or have the potential to significantly disrupt, the provision of critical services. SAs will be given new enforcement powers, including the power to conduct on-site inspections, procure audits and require the provision of information. Member states will need to adopt national mechanisms for performing risk assessments and create criteria for their assessments. Entities of particular European significance (i.e., those that provide essential services to 6 or more EU member states) will be subject to specific oversight from the European Commission, which is likely to drive EU-wide standards of compliance.
As directives, these laws are not directly applicable and instead must be transposed into national law by EU member states by October 17, 2024.
Takeaway: Like their US counterparts, EU regulators are creating more robust policies and requirements for “critical infrastructure” entities. Businesses should carefully review the directives to determine whether they are in scope and look out for further guidance on the registration process under NIS 2 and the relevant national law implementations. In-scope businesses should also start assessing their cyber risks, and start planning to implement any necessary new measures to comply with their new obligations when they come into legal force in 2024.
EDPB Adopts Cookie Banner Taskforce Report
In September 2021, the European Data Protection Board (“EDPB”) established a Cookie Banner Taskforce (the “Taskforce”) to align the handling of various complaints received from NOYB (the Max Schrems-fronted privacy activism organization). On January 17, 2023, the EDPB adopted a report (the “Report”) on the work of the Taskforce, which sets out the Board’s position on the interpretation and application of EU privacy law to cookie banners.
The Taskforce concluded that certain practices, including banners which present an “accept all” option without presenting an option to “decline all” on the same layer, and pre-checked boxes which require the user to un-check the box to opt out, risk breaching EU privacy law. The Taskforce also agreed that cookie banners should not be designed to give users the impression that they must consent in order to access the website, and that practices such as, for example, burying the decline option in text or outside the cookie banner, with insufficient visual support to draw the user’s attention to the option to decline, would render a consent invalid. It also agreed that some designs which used contrast and color (i.e., so-called “dark patterns”) to promote the “accept” button over the “decline” button might be misleading and highlighted the importance of assessing complaints which relate to design features on a case-by-case basis. The Taskforce also highlighted that website operators should provide easily accessible routes for users to withdraw their consent at any time, such as hovering and permanently visible icons.
The Report stresses that the positions it sets out reflect common minimum thresholds to be considered alongside national laws.
Takeaway: This non-binding, but highly influential, report offers useful guidance on best practices in cookie banner design, including opinions as to what practices might run afoul of EU privacy law. Website operators should review the recommendations and, where necessary and appropriate, consider making changes to follow these recommendations. In addition to the EU, the FTC also has taken up the charge against so-called “dark patterns.” You can read more about the FTC’s thinking on “dark patterns” in issue 21 of Cyber Bits.
President Biden Urges Congress to Pass Bipartisan Legislation Holding Big Tech Accountable
On January 11, 2023, the Wall Street Journal published an Op-Ed by President Biden calling on Congress “to pass strong bipartisan legislation to hold Big Tech accountable.” The President appealed to Democrats and Republicans with three broad principles for reform.
First, President Biden stressed the need for federal privacy protections with clear limits on how companies can collect, use and share personal data, including stricter protections on data collected from children. He also called for banning targeted advertising to children.
Second, the President called for amending Section 230 of the Communications Decency Act, which protects social media companies from legal responsibility for content posted by third parties on their platforms. President Biden also called for more transparency around the algorithms these companies use to match the information users see with their preferences.
Third, the President again called for more competition in the tech sector, building off his July 2021 Executive Order on Promoting Competition in the American Economy, and arguing that the “next generation of great American companies shouldn’t be smothered by the dominant incumbents.”
Takeaway: Regardless of whether Congress acts to regulate tech companies in response to pressure it is getting from the Biden Administration, we expect to see the Administration continue to use the executive function and agency regulatory authority to attempt to restrict the industry in the name of protecting Americans’ privacy, particularly that of children. Additionally, in this environment we expect enforcement in the privacy arena in this Administration to continue to be robust. To those unfamiliar with the US privacy landscape, the gridlock might seem surprising, and the reasons for the impasse are complex. But part of the logjam is that some of California’s Congressional delegation object to a national privacy standard that would overrule much of California’s influential privacy law. Also, disagreements persist among policymakers and commentators on how and how much to regulate the tech sector generally, with disputes surrounding issues of commercial growth and privacy concerns often contributing more heat than light. The Biden Administration has its own views about these issues, but there is no consensus on them and the prospects for momentum are dim.
US States Charge Ahead with Privacy Law Proposals
In the absence of comprehensive federal privacy legislation, an increasing number of U.S. states are forging ahead and working on enacting their own privacy laws. Five states currently have their own privacy laws on the books: California, Colorado, Connecticut, Virginia and Utah. Recent state-level legislative activity suggests that others may soon follow. The International Association of Privacy Professionals (“IAPP”) reports that 60 comprehensive consumer privacy bills were considered across 29 states in 2022, and that the first month of 2023 saw more than ten states considering state privacy legislation.
Navigating overlapping compliance regimes also can be expensive. In fact, the Information Technology and Innovation Foundation, a nonprofit research institution, published a 2022 study concluding that if all fifty U.S. states enacted separate data privacy laws, it could cost businesses US$1 trillion over ten years.
Takeaway: The old adage “power abhors a vacuum” is at work here. In the absence of a federal privacy law, for which we’ve been waiting for the better part of two decades, the states are stepping in. Given the gusto with which state legislatures are taking up privacy legislation, we would say that companies looking to avoid spending their finite resources on complying with a dizzying number of state-specific laws may want to consider pushing for a federal law. Both from a consumer protection perspective and from the need to create a simple pro-business system, the logic for harmonization is inescapable. Given the dysfunction in Congress, however, we don’t see that happening any time soon. In the interim, the practical approach is to implement policies that comply with those states having the strictest standards.
California Attorney General Announces CCPA Investigative Sweep
On January 27, 2023, California Attorney General Rob Bonta (“California AG”) announced that his office had initiated an investigative sweep, sending letters to mobile app providers that allegedly failed to comply with the California Consumer Privacy Act (“CCPA”). The sweep focuses on businesses’ alleged failures to (i) offer a mechanism for California consumers to opt out of the “sale” of their personal information and (ii) comply with consumer opt-out requests.
The sweep will also focus on businesses’ alleged failure to comply with requests submitted by authorized agents, with the California AG specifically calling out requests submitted via “Permission Slip”. Permission Slip is a mobile app developed by Consumer Reports that is designed to enable California consumers to send CCPA rights requests to businesses. The California AG stated that the sweep will focus on mobile app providers in the retail, travel and food service industries.
Importantly, in a statement accompanying the announcement of the investigative sweep, the California AG once again focused on compliance with user-enabled global privacy controls as valid requests to opt out of “sales” of personal information. The California AG has addressed this requirement multiple times before, including in the AG’s sole public CCPA settlement.
Takeaway: Businesses that have not implemented a tool and process to enable California consumers to opt out of sales of personal information and to monitor for Global Privacy Control signals need to prioritize doing so. Similarly, businesses need to ensure they have a process in place to verify and comply with authorized agent requests.
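The Global Privacy Control signal the California AG refers to is sent by participating browsers and extensions as the request header `Sec-GPC: 1`. The following is an added illustration, written for this newsletter summary and not code from Dechert, the California AG, or any regulator, of how a web application can detect that header on the server and withhold third-party tags that would constitute a “sale.” The consent record shape, the tag catalog, the sample requests and the precedence rule (a stored opt-out always stands; a GPC signal is honored even over a stored opt-in) are assumptions of this example, not statements of what the law requires.

```javascript
// Added example (not from the newsletter): server-side handling of the
// Global Privacy Control (GPC) opt-out signal. GPC-enabled browsers send the
// request header `Sec-GPC: 1`; "1" is the only defined opt-out value.
// Node.js lower-cases header names in req.headers, but the helper below
// normalizes them itself so it also works on raw header maps.

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// True when the request carries a valid GPC opt-out signal.
function gpcOptOutRequested(headers) {
  const value = normalizeHeaders(headers)["sec-gpc"];
  const values = Array.isArray(value) ? value : [value];
  return values.some((v) => (v == null ? "" : String(v)).trim() === "1");
}

// Hypothetical consent record used by this example:
//   { saleOptOut: boolean, source: string }
// Precedence assumed here (a design choice of the example, not legal advice):
// an explicit stored opt-out always stands; a GPC signal is honored as an
// opt-out even when the stored preference is an opt-in.
function resolveConsent(headers, storedPreference) {
  if (storedPreference && storedPreference.saleOptOut === true) {
    return { saleOptOut: true, source: "stored-opt-out" };
  }
  if (gpcOptOutRequested(headers)) {
    return { saleOptOut: true, source: "gpc-header" };
  }
  return {
    saleOptOut: false,
    source: storedPreference ? "stored-opt-in" : "no-preference",
  };
}

// Constructed tag catalog: `sells` marks tags whose loading would share
// personal information with a third party (a "sale" under this example).
const TAG_CATALOG = [
  { name: "analytics-first-party", sells: false },
  { name: "ad-network-retargeting", sells: true },
  { name: "data-broker-sync", sells: true },
];

// Gate third-party tags on the resolved consent.
function allowedTags(consent, catalog = TAG_CATALOG) {
  return catalog
    .filter((t) => !(t.sells && consent.saleOptOut))
    .map((t) => t.name);
}

// Constructed sample requests covering the cases a practitioner should check:
// signal present (mixed-case header name), signal explicitly off, no signal,
// and an existing stored opt-out with no signal.
const SAMPLE_REQUESTS = [
  { label: "gpc-on", headers: { "Sec-GPC": "1" }, stored: null },
  { label: "gpc-off", headers: { "sec-gpc": "0" }, stored: { saleOptOut: false } },
  { label: "no-header", headers: {}, stored: null },
  { label: "stored-optout", headers: {}, stored: { saleOptOut: true } },
];

// Returns one summary per sample request, suitable for logging or testing.
function evaluateSampleRequests() {
  return SAMPLE_REQUESTS.map((r) => {
    const consent = resolveConsent(r.headers, r.stored);
    return { label: r.label, ...consent, tags: allowedTags(consent) };
  });
}
```

In a real deployment the resolved consent would also be written to the consumer’s preference record, so that the opt-out persists across later requests that arrive without the header, and the `source` field gives the audit trail an investigator or regulator would ask for.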
- The group was named 2022 Law360 Practice Group of the Year.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Visit Dechert's California Consumer Privacy Act Resource Center
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 edition of Germany’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as one of the best lawyers in Germany for Data Security and Privacy Law.
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Dechert Cyber Bits Partner Committee
“Dechert has assembled a truly global team…. The cross practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis. The privacy and security team collaborates seamlessly across the globe... [with] experienced lawyers that can parachute in, establish client rapport and trust and develop a multifaceted workflow to tackle any client challenge.” -- The Legal 500 USA, June 2021
Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top-ranked by The Legal 500 and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply chain compromises and DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice to clients and counseling on cutting-edge data-driven products and services, including for trend forecasting, personalized content and targeted advertising across sectors, on such key laws as the CCPA, CPRA and state consumer privacy laws; Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.