Dechert Cyber Bits
Issue 45 - November 16, 2023
The Biden Administration Issues Executive Order on Artificial Intelligence
On October 30, 2023, President Biden signed an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (the “Order”) establishing standards for artificial intelligence (“AI”) safety and security. The Order is the latest initiative by the Biden administration to establish parameters in the AI space. The Order’s requirements fall under eight principles: (1) new standards for AI safety and security; (2) protecting Americans’ privacy; (3) advancing equity and civil rights; (4) standing up for consumers, patients and students; (5) supporting workers; (6) promoting innovation and competition; (7) advancing American leadership abroad; and (8) ensuring responsible and effective government use of AI.
The Order calls on Congress to pass bipartisan data privacy legislation to protect all Americans’ privacy, particularly children. The Order specifically directs multiple government agencies to produce guidelines regarding the development and use of AI. For example, the Order instructs (i) the National Institute of Standards and Technology (NIST) to establish guidelines and best practices to promote consensus industry standards that help ensure the development and deployment of safe, secure, and trustworthy AI systems; (ii) the Secretary of Commerce to require companies “developing or demonstrating an intent to develop potential ‘dual-use foundation models’” (as defined in section 3 of the Order) to provide the U.S. government with detailed information regarding such models on an ongoing basis, including the results of any relevant AI red-team testing; (iii) the Secretary of Homeland Security to establish an Artificial Intelligence Safety and Security Board, including AI experts from the private sector, academia, and government, to provide advice and recommendations for improving security, resilience, and incident response related to AI usage in critical infrastructure; and (iv) agencies that fund life-science projects to establish, as a condition of federal funding, strong new standards to protect against the risks of using AI to engineer dangerous biological materials.
The Order also contemplates the risks of harm to consumers posed by AI. The Order directs the Department of Health and Human Services to establish a program to receive reports of – and act to remedy – harms or unsafe healthcare practices involving AI. The Order also directs the Secretary of Labor to provide clear guidance to federal contractors, among others, to keep AI algorithms from being used to exacerbate discrimination. Of particular note, the Order encourages the Federal Trade Commission to consider whether to exercise its existing authorities, including its rulemaking authority, to “ensure fair competition in the AI marketplace and to ensure that consumers and workers are protected from harms that may be enabled by the use of AI.”
Implementation deadlines for the Order’s requirements range from 30 days to 365 days from the date of the Order.
Takeaway: The Order telegraphs the Biden Administration’s concerns regarding how companies are using AI and the potential for harm to consumers. Credit should be given for taking a proactive step, though the Order does little in the way of requirements for most companies in the short term. We have been waiting for a federal privacy law for close to two decades, so we don’t expect anything soon to be passed on AI. That said, this is just the start and companies should expect continued scrutiny regarding the use of AI in all aspects of their business, including hiring, marketing, and customer service.
FTC Approves Amendment to the Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches
On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment to the FTC’s implementation of the Gramm-Leach-Bliley Act’s Safeguards Rule, which includes a new rule requiring notification of certain data breaches to the FTC (the “Amendment”). The Amendment will be applicable to non-banking financial institutions within the FTC’s jurisdiction, including mortgage lenders, payday lenders, car dealerships, collection agencies, etc. The Amendment requires these financial institutions to report any breach that constitutes a “Notification Event,” which is the unauthorized acquisition of unencrypted customer information that has been acquired without the authorization of the individual to whom the information pertains and involves at least 500 customers. The notice would need to be sent to (i) the FTC electronically through a form that will be available on the FTC’s website; and (ii) any affected individuals.
The notice to the FTC must include:
- the name and contact information of the reporting financial institution;
- a description of the types of information that were involved in the notification event;
- if it is possible to determine, the date or date range of the notification event;
- the number of consumers affected;
- a general description of the notification event; and,
- if applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.
Notice must be made “as soon as possible” but not later than 30 days after “discovery” of the notification event.
The FTC will make the information reported through the FTC’s website available to the public. The Amendment will become effective on May 11, 2024, which is 180 days following publication in the Federal Register.
Takeaway: The publication of the intricate details of breaches that affected companies report to the FTC is unprecedented from a US standpoint. While some agencies, such as the U.S. Department of Health and Human Services Office for Civil Rights, and certain states, such as California, publish some information that affected companies report regarding data breaches, such information is generally summary in nature and does not contain the detailed description the Amendment requires. In addition, the Amendment adds another layer of legal complexity for US non-banking financial institutions that experience data breaches, which already must notify various governmental entities and applicable states, each of which has slightly different notification triggers. Overall, the Amendment underscores the FTC’s continued interest in regulating cybersecurity while, yet again, giving little thought to further complicating the notification landscape for companies that in most cases are victims of a crime.
SolarWinds CISO Named Alongside Company in SEC Complaint for Data Breach Response
On October 30, 2023, the Securities and Exchange Commission (“SEC”) announced charges against SolarWinds Corporation (“SolarWinds”), a software development company, and its chief information security officer (“CISO”), alleging fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities (“Complaint”). The Complaint alleges that from at least October 2018, when SolarWinds made its initial public offering, through at least December 2020, when SolarWinds announced that it was the target of a cyberattack, SolarWinds and its CISO defrauded investors by overstating the firm’s cybersecurity practices and understating or failing to disclose known risks. The Complaint also alleges that SolarWinds misled investors in SEC filings by disclosing only generic and hypothetical risks when the firm and the CISO were actually aware of specific cybersecurity practice deficiencies and the increasingly elevated risks the firm faced at the time.
The SEC alleges that SolarWinds’ public statements regarding its cybersecurity practices and risks conflicted with its internal assessments and that multiple communications among SolarWinds employees, including the CISO, questioned the firm’s ability to protect its critical assets from cyberattacks. The Complaint also claims that the CISO was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the problems or to sufficiently raise the issues within the company. Due to these failures, the SEC asserts that SolarWinds could not provide reasonable assurances that its critical assets were adequately protected.
The Complaint alleges that SolarWinds and the CISO violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 (“Exchange Act”); SolarWinds violated reporting and internal controls provisions of the Exchange Act; and the CISO aided and abetted SolarWinds’ violations. The Complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against the CISO.
Takeaway: Charges in relation to information security violations and breaches against directors and officers, including CISOs, are likely to continue. Companies will need to assess and provide appropriate support to their CISOs so they have the resources necessary to do their jobs. Companies also will want to retain counsel at the first sign of a data security incident for advice on responding to the operational and legal issues such incidents inevitably raise and to maintain attorney-client privilege. Implicating executives personally is the latest tool to be used by both the SEC and FTC in connection with cybersecurity. Unless there is specific malfeasance, this likely will serve to deter individuals from taking these jobs, out of fear that they may be a target for regulators to take a shot at with 20/20 hindsight after a major data breach. Accordingly, this may backfire and ultimately only create more risk.
Counter Ransomware Initiative Members Agree to Policy Statement that Governments Should not Pay Ransoms to Cybercriminals, Other Initiatives
The International Counter Ransomware Initiative (“CRI”) held its third annual summit in Washington, D.C. earlier this month, attended by its 50 members, including representatives from the United States, the United Kingdom, the European Union and INTERPOL.
According to a Joint Statement issued through the White House, CRI members developed “the first-ever joint CRI policy statement declaring that member governments should not pay ransoms.” In addition to the pledge not to pay ransoms:
- a new information sharing platform will be established for the CRI’s members with the aim that as soon as a country is attacked by ransomware, it will share information so that other countries can defend themselves;
- member governments will declare that they will help any other member government hit by a ransomware attack with incident response; and
- the CRI will share a “blacklist of wallets” through the U.S. Department of the Treasury to track where payments are flowing, with a view to blocking or freezing those transactions.
Takeaway: The global cost of ransomware attacks was $20 billion in 2021, and it is estimated that it will be around $71.5 billion by 2026. International cooperation is an important step in combatting such attacks. Government victims of ransomware attacks face a real dilemma – on the one hand, a refusal to pay a ransom puts a country at serious risk that essential service providers such as schools, hospitals and energy suppliers will be unable to function during the attack. On the other hand, as long as countries remain willing to pay ransoms, attacks will continue and perhaps become more prevalent. Of course, this does not affect the decision of private companies to pay a ransom, which, after weighing a number of factors, many companies choose to do.
NY DFS Issues Amended Cybersecurity Regulations
On November 1, 2023, the New York State Department of Financial Services (the “DFS”) released finalized strengthened cybersecurity regulations which amend its 2017 cybersecurity regulations (the “Amended Regulations”). The Amended Regulations apply to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York (“Covered Entity”). Covered Entities will be required to comply with the updated regulations within 180 days of the date of their adoption (i.e., by April 29, 2024) although certain requirements will take effect sooner.
The objective of the Amended Regulations is to create new rules and strengthen existing rules to protect businesses and consumers from online threats and to maintain the integrity of financial systems in the State of New York. There are enhanced rules for larger companies (class A companies), whilst smaller companies are subject to more limited requirements.
Key changes introduced by the Amended Regulations include:
- enhanced governance requirements, such as the appointment of a chief information security officer with prescribed duties and the requirement for class A companies to audit their cybersecurity annually;
- requirements for more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning;
- updated notification requirements including a new requirement to report ransomware payments within 24 hours of a ransom being paid; and
- an updated direction to invest in at least annual training and cybersecurity awareness programs relevant to an entity’s business model and personnel.
Takeaway: The Amended Regulations continue the trend of regulators increasing compliance burdens—particularly the new 24-hour notification requirement regarding extortion payments and the requirement that certain Covered Entities design and engage in independent audits of their cybersecurity program. This is the first law to require notification of a ransom payment—making what previously was a private decision a public event. This key element will have to be factored into a company’s decision whether to pay or not. While not all companies are subject to these Amended Regulations (and certain additions to the Amended Regulations only apply to class A companies), the companies that are subject to the Amended Regulations should prepare now to comply with the new requirements and the rolling effective dates.
UK PM Says All New AI Models to be Tested Before Release
On November 2, 2023, following a two-day AI Safety Summit, the British prime minister, Rishi Sunak, announced that 10 “like-minded” governments (including the UK, the United States, Japan, France and Germany), together with leading artificial intelligence companies, had reached “a landmark agreement” which would see companies allowing regulators to test the safety of AI products before and after their release to the public. The summit, inspired by the Intergovernmental Panel on Climate Change, was attended by representatives from 28 countries, although China did not participate in the second day of the summit and did not sign the agreement.
European Commission and G7 Agree to Principles and a Code of Conduct for Artificial Intelligence
Following the May 2023 G7 summit, known as the “Hiroshima AI process”, the G7 and EU countries have agreed to new guiding principles and a voluntary Code of Conduct to promote trustworthy AI. The Code of Conduct complements the EU AI Act currently being negotiated, and AI developers have been urged to sign it as soon as possible.
UN Announces Formation of an Advisory Body on AI
On October 26, 2023, the Secretary-General of the United Nations announced the creation of a 39-member advisory body on AI to undertake analysis and advance recommendations for the international governance of AI. Members include tech company executives, government officials and academics from across the globe.
China Bans Anonymous Use of Social Media Sites
On October 31, 2023, China’s most popular social media platforms announced that they will soon remove anonymity for any “self-media” account with more than 500,000 followers. Such users will be required to publicly disclose their real names.
We are honored to have been recognized in The Legal 500 2023, Chambers USA 2023, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.
- 5 Takeaways from ICO's Biometric Recognition Guidance (Published in Law360, October 18, 2023)
- Bridge Over Troubled Data Flows: UK-US Data Bridge Approved (Dechert OnPoint published September 22, 2023)
- US-EU Plan On AI Illustrates Differing Opinions On Regulation (Published in Law360, August 2, 2023)
- SEC Final Rule Exempts ABS Issuers from New Cybersecurity Disclosure and Reporting Requirements (Dechert OnPoint published August 16, 2023)
- SEC Finalizes Cybersecurity Disclosure Rules for Public Companies (Dechert OnPoint published August 7, 2023)
- Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework (Dechert OnPoint published July 11, 2023)
- EU General Court Examines Data Anonymisation and Pseudonymisation (Dechert OnPoint published May 25, 2023)
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Visit Dechert's California Consumer Privacy Act Resource Center
- Exploiting Public Health Data for R&D: UK Progresses Secure Data Environments (Dechert OnPoint published July 20, 2023)
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 publication of Germany’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as one of the best lawyers in Germany for Data Security and Privacy Law.
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Dechert Cyber Bits Partner Committee
"Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation."
"The privacy and security team collaborates seamlessly across the globe when advising clients."
- Quotes from The Legal 500, 2023
Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500, and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply chain compromises and DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice and counseling on cutting-edge data-driven products and services, including for trend forecasting, personalized content and targeted advertising across sectors, on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act, the EU/UK GDPR, the e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.