
Dechert Cyber Bits
Issue 30
We are honored to have been named Law360 Cybersecurity & Privacy Practice Group of the Year! Thank you to our clients for entrusting us with the types of matters that led to this recognition.
Cybersecurity Alert: Silicon Valley Bank and Signature Bank Fallout
Undoubtedly, cyber criminals are out in full force with phishing links and other scams, trying to capitalize on the disruption and panic that many companies are experiencing around the Silicon Valley Bank receivership and related events. It is important to remind employees to respond with the utmost caution to any inquiries or offers that purport to come from other financial institutions or entities offering to help. Threat actors may, to name just a few tactics, provide bogus wiring instructions, offer a malicious link to click on for more information, or send targeted emails purporting to be from actual financial personnel or senior executives at the company, so this is the time to use caution before clicking or responding. Be sure to use an “out of band” method to verify the identity of the person making the offer (i.e. call a number you obtain from a public source, not the number on the email) or to verify wiring instructions. Never accept a change in wiring instructions via email and, if you are transferring a large amount of funds, it is best to send a small test wire first and then call to be sure it went through to the real recipient before wiring a larger amount.
For Dechert’s updates on the situation, please see our FAQs Regarding the Failure of Silicon Valley Bank and Signature Bank.

President Biden Announces a Comprehensive Cybersecurity Strategy
On March 2, 2023, the Biden administration released its National Cybersecurity Strategy (“Strategy”), which seeks to encourage long-term investments in cybersecurity, while shifting the responsibility to defend cyberspace onto the organizations that are “most capable and best positioned” to reduce risks for all. To achieve these aims, the Strategy seeks to build and enhance collaboration around five pillars:
- Defend Critical Infrastructure: The Strategy details the need for mandatory minimum cybersecurity requirements in critical sectors. The Strategy also notes that Federal networks and systems require updating and/or replacement.
- Disrupt and Dismantle Threat Actors: The Strategy focuses on enhancing public-private sector collaboration, increasing the speed and scale of intelligence sharing and victim notification, and preventing the abuse of U.S. based infrastructure.
- Shape Market Forces to Drive Security and Resilience: The Strategy aims to place responsibility on those in the digital ecosystem that are best positioned to reduce risk, such as “the owners and operators of the systems that hold our data and make our society function, as well as the technology providers that build and service these systems.” The Strategy suggests that this end could be achieved, for example, by shifting liability for software products and services to promote secure development practices.
- Invest in a Resilient Future: As part of the Strategy, the United States would use strategic investments and coordinate action to prioritize cybersecurity research and development and to make the digital ecosystem more resilient.
- Forge International Partnerships to Pursue Shared Goals: To encourage responsible state behavior in cyberspace, the Strategy calls for securing trustworthy global supply chains for information, communications, and technology products and services. The Strategy also hopes to increase the capacity of partners and to leverage international coalitions to make irresponsible behavior isolating and costly.
Takeaway: While the Strategy is broadly applicable to all businesses, software developers and those involved in critical infrastructure should take particular note: (1) the Administration may press for legislation that establishes liability for software makers that fail to take reasonable precautions to make their products and services secure; and (2) the Federal Government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Such changes would significantly alter compliance obligations and attendant risks, especially in light of the government mindset noted above. Moreover, while undoubtedly well-intended, the Strategy continues a long government tradition of “blaming the victims” when it comes to cyber risk. Too often the response to victim companies for collaboration is a regulatory enforcement action, most often by those agencies with no ability or mandate to hunt down the criminals. The Strategy’s stated goal of “shifting responsibility to those best positioned to reduce risk” needs to be accompanied by an acknowledgement that government needs to provide the first line of defense to assist companies in this endless arms race against sophisticated threat actors, often themselves state sponsored.

House Committee Renews Push for National Privacy Bill
While states continue to propose and pass data privacy laws, members of Congress are once again considering federal data privacy legislation. The U.S. House Committee on Energy and Commerce (the “Committee”) recently held a hearing dedicated to privacy and propping up the proposed American Data Privacy and Protection Act (“ADPPA”). Last July, the Committee voted in favor of the ADPPA by a bipartisan vote of 53-2, but the legislation stalled before advancing to the House floor for a vote. As a result, the ADPPA will need to be reintroduced in the current Congressional session.
During a March 1, 2023 hearing, Congressional members and witnesses stressed the need for a national framework that would allow businesses to escape the burden of having to comply with a hodgepodge of state data privacy laws. The hearings also indicated that there will be no substitute or competing framework proposed in Congress at this time.
Even with this renewed activity, the ADPPA continues to face opposition, particularly from California lawmakers, due to preemption provisions that set a ceiling for privacy standards. For example, on February 28, 2023, California Governor Gavin Newsom, California Attorney General Rob Bonta, and the California Privacy Protection Agency sent a joint letter to Congress opposing preemption language in the ADPPA, which they argue could undermine California’s stringent privacy protections.
Takeaway: Although members of Congress appear to recognize the need for a federal privacy framework, continued opposition to the current proposed bill means that Congress’ ability to deliver on comprehensive data privacy legislation in the near future remains unclear. Businesses should continue their efforts to comply with the growing number of state data privacy laws. Those of us working in this area since the 1990s have been waiting that long for a federal privacy law. It looks like the wait will continue.

EDPB: Adoption of Three New Guidelines to Formalize Data Protection Provisions
On February 14, 2023, the European Data Protection Board (“EDPB”) published three sets of adopted Guidelines. The new guidelines seek to update and clarify previous versions following public consultation and to promote a common understanding of EU data protection laws. A summary is set out below.
1. The Guidelines on the Interplay between the application of Article 3 (territorial scope) and the provisions on international transfers as per Chapter V of the GDPR
The General Data Protection Regulation (“GDPR”) does not contain a definition for what constitutes a “transfer” of personal data to a third country (a country that is neither an EU country nor an EEA country that has adopted a national law implementing the GDPR) or international organization. In these Guidelines, the EDPB identifies three criteria that must be met for a processing operation to be classified as a “transfer” within the meaning of the GDPR:
I. a controller or processor (“exporter”) is subject to the GDPR for the given processing;
II. the exporter makes personal data subject to this processing, available to another controller or processor (“importer”); and
III. the importer is in a third country, irrespective of whether or not the given processing falls within the territorial scope of the GDPR, or is an international organization.
If these criteria are met, the transfer must comply with Chapter V of the GDPR, which aims to ensure the continued protection of personal data after the transfer and provides that a data transfer can only take place under certain conditions, e.g. in the context of an adequacy decision from the European Commission or by providing appropriate safeguards. It is important to note that even if these criteria are not met, and Chapter V does not apply, the controller must still ensure compliance with the other provisions of the GDPR.
The Guidelines provide further practical guidance by way of various examples of data flows to third countries.
2. Guidelines on deceptive design patterns in social media platform interfaces: how to recognize and avoid them
These are designed to help social media providers comply with the requirements of the GDPR and avoid “deceptive design patterns” (i.e. interfaces and user journeys implemented on social media platforms that encourage users to make unintended or harmful decisions about the processing of their personal data). These include: overloading users with requests and options; skipping over data protection aspects; stirring emotions to influence choices; obstructing the process of becoming informed about or managing their data; fickle design that confuses users as to the purpose of the processing; and leaving users in the dark about how their data is processed and related rights. The Guidelines give concrete examples of deceptive design pattern types, provide best practice recommendations for designing user interfaces that facilitate the effective implementation of the GDPR and contain a checklist of deceptive design pattern categories.
3. Guidelines on certification as a tool for transfers
These provide guidance on the application of Article 46(2)(f) of the GDPR, which introduces certification as a new transfer mechanism for personal data to third countries or international organizations. They clarify that compliance with the general provisions of the GDPR must be ensured before using certification as a transfer tool. The Guidelines comprise four parts (and an annex) that cover the general requirements for certification, accreditation requirements, specific certification criteria, and binding and enforceable commitments for controllers or processors not subject to the GDPR.
Takeaway: With these updated Guidelines, the EDPB has provided what amount to three sets of best practices, all intended to promote the highest standards of data protection whilst making the applicable legislation clearer and more accessible. Although the Guidelines are as a formal matter not legally binding, regulators will almost certainly frown on failures to comply with them, absent a very good reason not to do so. Therefore, data controllers, and particularly those who engage in international data transfers, should ensure familiarity and compliance with these Guidelines.

The FTC Warns Companies to Keep AI Claims in Check
On February 27, 2023, Michael Atleson, Attorney for the Federal Trade Commission’s (“FTC”) Division on Advertising Practices, published a blog post warning about the use of what he referred to as artificial intelligence (“AI”) “hype” in advertising and marketing. The blog post refers to AI as a “hot” marketing term that “some advertisers won’t be able to stop themselves from overusing and abusing.”
Specifically, the FTC is concerned that some companies may be overpromising in terms of what their AI products or services can deliver, thereby misleading consumers and harming competition. Consequently, the FTC advises companies to ensure that their claims are supported by evidence and that they do not misrepresent the capabilities of their AI-powered products or services. The FTC blog post also emphasizes the importance of transparency in AI-powered systems; companies should be clear about how their AI works, what data it uses, and how it makes decisions. This is particularly important, in the FTC’s view, where AI is used to make decisions that could affect individuals.
The FTC blog post also reminds readers of the potential risks associated with the use of AI, referencing a blog post from April 2021 that focused on data bias, racial algorithms, and the proper use of machine learning.
The FTC recommends addressing the following questions when marketing an AI-related product:
- Are you exaggerating what your AI product can do?
- Are you promising that your AI product does something better than a non-AI product?
- Are you aware of the risks?
- Does the product actually use AI at all?
Takeaway: The warning at the end of this FTC post that “[y]ou don’t need a machine to predict what the FTC might do when [AI] claims are unsupported” should encourage companies to heed the FTC’s recommendations. The warning provides a crystal ball into the cases that we are likely to see in FTC enforcement press releases in the near future. While much of the focus to date has been on the potentially biased or discriminatory impact of AI, it is clear that the FTC takes equally seriously inflated and unsupported claims about products using AI. Companies should focus on the questions set out above to ensure that any AI claims in their marketing materials are not misleading and are accurate.
Recent News and Publications
- The group was named 2022 Law360 Practice Group of the Year.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health app, on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Visit Dechert's California Consumer Privacy Act Resource Center
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 publication of Germany’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as one of the best lawyers in Germany for Data Security and Privacy Law.
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Editors for this Issue:
Angela Bujaj, Anna Ziegler, Daniel Murdock and Jennifer McGrandle
Dechert Cyber Bits Partner Committee
Timothy C. Blank
Partner
Boston
timothy.blank@dechert.com
Alec Burnside
Partner
Brussels
alec.burnside@dechert.com
Kevin F. Cahill
Partner
Los Angeles
kevin.cahill@dechert.com
Dr. Olaf Fasshauer
National Partner
Munich
olaf.fasshauer@dechert.com
Vernon L. Francis
Partner, Senior Editor
Philadelphia
vernon.francis@dechert.com
Paul Kavanagh
Partner
London
paul.kavanagh@dechert.com
Karen L. Neuman
Ret. Partner
Washington, D.C.
karen.neuman@dechert.com
Brenda R. Sharton
Partner, Chair, Privacy & Cybersecurity
Boston
brenda.sharton@dechert.com
“Dechert has assembled a truly global team…. The cross practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis. The privacy and security team collaborates seamlessly across the globe... [with] experienced lawyers that can parachute in, establish client rapport and trust and develop a multifaceted workflow to tackle any client challenge.” -- The Legal 500 USA, June 2021
Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types including nation states, ransom/cyber extortion, vendor/supply chain, DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution oriented advice to clients and counseling on cutting edge data-driven products and services including for trend forecasting, personalized content and targeted advertising across sectors on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.