7 minute read | January 10, 2023
In 2022, the stakes for data breaches grew in more ways than one. IBM reported the average cost of a data breach is up to $4.35 million. More importantly, though, regulators have zeroed in on higher-level executives and boards for both their management of cyber risk and their involvement in breach response. All this is flowing from a growing number of breach notifications stemming from a variety of new breach notification requirements and expectations.
Here are the Top 5 cyber law developments in 2022:
And here are the details:
1. FTC and DOJ Target Executives for Cyber-Related Conduct
First, in October, the FTC resolved a data breach-related enforcement action against Drizly, which for the first time in a cybersecurity action individually named a CEO. The FTC alleged he failed to implement, or delegate the implementation of, reasonable security practices. The Complaint specifically called out the lack of a CISO. As a result of the settlement, the CEO is bound to the affirmative security obligations in the resolution agreement even if he leaves Drizly: should he be hired at a new company, those obligations follow him there. It also creates the possibility of individual penalties for violations of the order, currently $46,517 per violation.
Second, also in October, the DOJ obtained a conviction of the former Uber CSO for covering up a data breach from an ongoing FTC investigation. The cover-up involved messaging to hide the incident, a payment of $100,000 to a hacker to obtain return of stolen data, and a nondisclosure agreement with false statements. The DOJ’s initial statements regarding the matter suggested that the DOJ may be more aggressively seeking to use criminal laws in cybersecurity matters. However, more recently, a senior DOJ official clarified that “[t]he prosecution of the Uber CSO stemmed from an extreme set of actions that represent an acute outlier from regular compliance practice.” He added: “No one should take away from this case that good-faith compliance decisions will be the subject of criminal prosecution.” That said, the conviction itself means that companies should be carefully evaluating ongoing disclosure obligations of security issues to regulatory agencies during an investigation.
2. The SEC Proposes Expansive New Rules for Cyber Reporting and Disclosures
In February, the SEC proposed new cyber risk management Rules for Investment Funds and Advisors. The Rules include a 48-hour reporting requirement for certain cyber incidents (it’s a mouthful):
The rules also require the adoption of a comprehensive cybersecurity risk management program that includes risk assessments, secure user access, system protection, vulnerability management, incident preparedness, and board review. The proposed rule updates advisers’ and funds’ disclosure forms to include reportable cyber incidents in the prior two years, as well as cybersecurity risks and in-place mitigations.
In March, the SEC proposed new cybersecurity disclosure rules that include:
3. FTC and EU Expand Notice Expectations
In May, the FTC announced that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” The goal seems to be to push companies to provide notice to individuals where the breach increases the risk of financial fraud, though it could also target other forms of harm as well. The announcement also emphasizes the importance of timely notices that accurately convey the affected information and response efforts.
The move adds new and amorphous analysis to the breach notice process for many U.S. businesses. However, it brings the FTC closer in line with the HIPAA Breach Notification Rule, GDPR, and breach notification requirements around the world, which may simplify the breach notice analysis and decisioning for some businesses.
Speaking of GDPR, the European Data Protection Board published Guidelines on breach notification that clarify that covered businesses that have a personal data breach and are not established in the EU are required to notify the data protection authorities of all member states where affected individuals reside. In the worst-case scenario, this is 42 authorities. In practice, this can require extensive coordination to file or submit notifications according to the varying local requirements or expectations, in the local languages, and of course, within 72 hours. It also means that businesses are more likely to face more scrutiny from more regulators following a data breach. The key here is preparation, and some strategies to consider are here.
4. Prevent, Detect, Respond, and Notify Expectations for Credential Stuffing (and Account Takeovers)
The New York Attorney General (NY AG) kicked off a busy 2022 with a Business Guide for Credential Stuffing Attacks. Credential stuffing is a type of cyberattack that typically involves trying to gain access to or log in to an application using credentials stolen from other online services, including brute forcing the application’s authentication features. These kinds of attacks can result in the compromised account access being used for fraudulent transactions or to collect information that can be used for scams or phishing.
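The "detect" half of the NY AG's prevent, detect, respond and notify expectations comes down to recognizing the signature of credential stuffing in authentication logs: one source trying many different usernames in a short window, followed by the occasional success. The following Python is an added example written for this page, not material from the NY AG guide or from Orrick. It assumes a hypothetical log format of `timestamp ip user FAIL|SUCCESS` and constructed sample lines; the thresholds (`window_seconds`, `min_distinct_users`) are illustrative and would be tuned to a real application's traffic.

```python
"""Credential-stuffing detector over constructed auth log lines (added example).

Flags source IPs whose failed logins spread across many distinct usernames
inside a short window, and lists any account that then logged in successfully
from that source, which is the population a response/notification review
would start from.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Hypothetical log format: "<ISO-8601 UTC ts> <ipv4> <username> <FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<result>FAIL|SUCCESS)$"
)

# Constructed sample: 203.0.113.7 sprays six different usernames in six seconds and
# then lands a valid pair; 198.51.100.5 is one user mistyping their own password.
SAMPLE_LOG = """\
2023-01-10T09:00:01Z 203.0.113.7 alice FAIL
2023-01-10T09:00:02Z 203.0.113.7 bob FAIL
2023-01-10T09:00:03Z 203.0.113.7 carol FAIL
2023-01-10T09:00:04Z 203.0.113.7 dave FAIL
2023-01-10T09:00:05Z 203.0.113.7 erin FAIL
2023-01-10T09:00:06Z 203.0.113.7 frank FAIL
2023-01-10T09:00:07Z 203.0.113.7 grace SUCCESS
2023-01-10T09:00:10Z 198.51.100.5 bob FAIL
2023-01-10T09:00:20Z 198.51.100.5 bob FAIL
2023-01-10T09:00:30Z 198.51.100.5 bob SUCCESS
this line is malformed and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def detect_credential_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Return {ip: finding} for sources that hit the distinct-username threshold.

    A finding records the peak number of distinct usernames that failed within
    any `window_seconds` span and the accounts that later succeeded from that IP.
    """
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        peak, start = 0, 0
        # Sliding window over failures: count distinct usernames within `window`.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in fails[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_distinct_users:
            takeovers = sorted({e["user"] for e in events if e["result"] == "SUCCESS"})
            findings[ip] = {
                "peak_distinct_failed_users": peak,
                "suspected_takeovers": takeovers,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

The distinct-username count is what separates stuffing from a single user fumbling a password: the legitimate source in the sample fails twice but only ever for one account, so it never trips the threshold. In practice the successful logins listed under `suspected_takeovers` are the accounts to force a password reset on and to evaluate under the notification analysis the guide describes.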
5. NYDFS Proposes Significant Amendments to Its Cybersecurity Regulation
In November, the New York Department of Financial Services (NYDFS) published proposed amendments to its already-onerous Part 500 Cybersecurity Regulation. If adopted, the amendments will impose significant new requirements on covered entities, including:
The comment period will close on January 9, 2023. If the amendments are adopted after the 60-day comment period, most of the new provisions will take effect 180 days from the date of adoption.
Seattle; Boston
Data is igniting a global, technological revolution. Increased collection, use, storage, and transfer of data has shifted the paradigm of innovation – and created a global security problem. Fortune 500 companies with large quantities of data, cities with vulnerable infrastructure, and every institution in-between must manage that risk, without encumbering progress or technological advancement. To do so, they turn to Aravind Swaminathan. Aravind is ranked by Chambers USA in the categories of both Privacy and Data Security: Litigation (Band 2) and Privacy and Data Security: Incident Responses, as well as Chambers Global, which described him as “formidable in assisting clients with both the noncontentious and litigious elements of cyber-attacks and security breaches, including resulting class actions.” Clients endorse Aravind, telling Chambers, that he is “very substantively knowledgeable” and has “knowledge gained from prosecuting hackers, meaning he fundamentally understands what they do.”
As a strategic cybersecurity advisor, Aravind partners with clients to proactively plan for a crisis and develop strategies to improve resiliency, respond efficiently and effectively, protect their business and brand, and defend them in the onslaught of litigation and enforcement actions that follow. He guides organizations from large public company financial institutions to start-up technology companies to critical infrastructure providers through incidents, and develops business and brand-centric strategies to mitigate and manage risk. He has directed more than 200 cybersecurity incident and data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications.
With extensive trial, litigation and appellate experience, he defends his clients in cyber, privacy, and payments-related class actions and other civil litigation (particularly Computer Fraud and Abuse Act matters), and when these issues lead to regulatory investigations by the Securities and Exchange Commission (SEC), the Department of Justice (DOJ), the Federal Trade Commission (FTC), and State Attorneys General.
Aravind’s background as an assistant United States attorney and Computer Hacking and Intellectual Property Section attorney gives him first-hand understanding of federal agencies that allows him to swiftly navigate the system, partner with investigators and find creative solutions for his clients. As a federal cybercrime prosecutor, Aravind investigated and prosecuted a broad array of cybercrime cases, including hacking, phishing, trade secrets theft, click fraud, cyber threats, and identity theft. Aravind also led the cybercrime outreach program, where he worked with members of the Department of Justice, state and federal regulators, law enforcement and other organizations on cybersecurity and related privacy issues. During his time as federal prosecutor in the Complex Crimes Unit, he also investigated and prosecuted a wide array of white-collar crimes, including investment schemes, corporate fraud and embezzlement, securities fraud, tax evasion and the nation’s largest bank failure.
Seattle
Joseph Santiesteban is a trusted cyber law advisor. He regularly advises clients regarding incident response, as well as litigation and government enforcement that commonly arise from privacy and cybersecurity incidents. He uses this experience to offer clients practical advice regarding their data innovation and incident preparedness strategies. He also provides strategic advice to cybersecurity companies, including those looking to push technological boundaries in cyber defense, incident response, and threat intelligence.
Joseph regularly advises companies regarding privacy and cybersecurity incident response, including directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations, and advising regarding communications strategies. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.
Joseph uses his experience to help clients leverage the value of data and digital technologies in ways that not only meet compliance obligations, but also support innovation, deliver value to the business, meet security needs, and solidify brand and consumer trust. This includes guiding clients through the complexity of federal privacy and cybersecurity laws and regulations, including the Electronic Communications Privacy Act (ECPA), the Federal Trade Commission Act (FTC Act), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA); state privacy and cybersecurity laws, including the California Consumer Privacy Act (CCPA); international laws such as the European Union General Data Protection Regulation (GDPR); and self-regulatory frameworks, including those covering online advertising and payment card processing. It also includes assisting clients to practically evaluate the legal risk of security decisions in a variety of transactions and across the product lifecycle.
He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.
New York
Alyssa Wolfington assists clients from a wide array of industries with identifying, evaluating and managing complex global privacy and data security matters.
Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.
© 2023 Orrick Herrington & Sutcliffe LLP. All rights reserved.