The past few weeks have provided some big developments in the area of data privacy and security. In this Privacy and Security Roundup, we cover a ransomware attack on the largest oil pipeline in the U.S., an Executive Order from President Joe Biden to enhance U.S. cybersecurity and potential mandatory reporting/sharing requirements, the U.S. Supreme Court weighing in on the Federal Trade Commission’s ability to seek monetary relief, and more.

Recent Developments

FBI confirms ransomware attack on Colonial Pipeline Co.

On May 9, 2021, the Federal Bureau of Investigation (FBI) announced that it was notified of a network disruption at Colonial Pipeline Co. and confirmed that the ransomware affiliate of the Eastern Europe-based cybercriminal group “DarkSide” was responsible for the attack. The well-publicized attack forced the largest U.S. pipeline system to cease operations for five days, resulting in gasoline shortages along the East Coast. While the initial attack vector has not been publicized, the attack notably targeted business rather than pipeline operation systems, indicating a financial motivation. Attacks against critical infrastructure are not a new occurrence (e.g. the widespread 2015 disruptions to the Ukrainian power grid), and ransomware attacks specifically seem to occur with increasing efficacy (e.g. rumors that, in March, a large U.S. insurance company paid $40 million to restore its systems following a ransomware attack).  However, the Colonial Pipeline attack underscores vulnerabilities within the U.S., demonstrates the potential reach of non-state criminal actors, and sheds light on the not-so-new reality that cybersecurity incidents can have practical “real-world” consequences. The attack has also stirred debate over whether victims should pay ransoms, whether such payments are or should be covered by the victim’s insurer, and the role of government in seeking to prevent and mitigate similar occurrences.

New Executive Order to enhance U.S. cybersecurity and potential mandatory reporting/sharing requirements

On the heels of the Colonial Pipeline attack and as a direct response to the SolarWinds compromise, on May 12, 2021 President Joe Biden signed an executive order (EO) aimed at improving U.S. cybersecurity practices and protecting federal information systems. The EO leverages the federal government’s procurement power to implement several measures, including:

  • Requiring stronger cybersecurity standards in federal government focused on deployment of secure cloud services and a zero-trust architecture (which assumes no implicit trust between assets and users based merely on their physical or network location, or based on asset ownership);
  • Improving supply chain security through baseline security standards for development of software sold to the government;
  • Establishing a Cybersecurity Safety Review Board modeled after the National Transportation Safety Board (NTSB) to review and assess significant cyber incidents;
  • Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents, with an eye towards providing the public sector a template for its response efforts; and
  • Improving detection of cybersecurity incidents on federal systems by enabling a government-wide endpoint detection and response system (EDR tools gather and analyze data from endpoint devices to identify suspicious activities in order to improve detection of potential cyber threats).

Two other factors make this EO significant. First, its provisions may require modification of current contracts with the federal government. Second, it creates a requirement that technology providers doing business with the government report and share data on incidents that could pose a risk to federal systems. This provision has garnered the most attention and represents a substantial shift for the private sector, which has long resisted such requirements out of concern for reputational or financial damage resulting from release of sensitive data about breaches. Arguably, sharing may help to improve prevention, detection and responses to breaches, but smaller vendors with fewer resources to address compliance may feel the largest impact. Several questions remain including which vendors the EO will cover, what threat information must be reported and how quickly, and how government agencies will manage processing a potential flood of data.

A blow to cybersecurity and privacy enforcement and potential legislation to come

While the case arose in the context of payday lending, the decision in AMG Capital v. Federal Trade Commission will, at least in the near term, reduce the monetary threat posed by Federal Trade Commission (FTC) cybersecurity and privacy enforcement. In recent years, the FTC has sued under Section 13(b) of the FTC Act or threatened to pursue Section 13(b) equitable monetary remedies for data privacy and security related issues. However, in the AMG case, the U.S. Supreme Court specifically addressed whether Section 13(b) actually provides the FTC authority to obtain equitable monetary relief, like disgorgement and restitution. The Supreme Court said “no,” citing Section 13(b) itself which references only a “permanent injunction,” and the conditional grant of equitable monetary authority under Section 19 of the FTC Act which only permits such relief after the FTC and an administrative law judge have issued a final cease and desist order. In the court’s view, Congress would not have enacted Section 19 and its limitations had Section 13(b) already implicitly allowed the FTC to obtain the same monetary relief. Following the decision, citing the impact on the agency’s privacy and cybersecurity efforts, the FTC’s acting chair urged Congress to “restore and strengthen the power of the agency . . . to make wronged consumers whole.” While this decision could serve as a catalyst for legislation to come, in the meantime, the FTC’s enforcement ability is not without teeth. As noted by commentators, the FTC’s notoriously slow and onerous administrative adjudication process—a process over which FTC commissioners have final decision-making authority subject to judicial review—means the cost of litigating against the agency should not be ignored.

Items to know and keep in mind going forward

Ruling raises the stakes for trans-Atlantic data transfers

On May 14, 2021 an Irish High Court dismissed a procedural attempt by Facebook to delay implementation of a prior decision that threatens to halt the company’s data transfers from the European Union (EU) to the U.S. Ultimately, this case may have implications for trans-Atlantic data flows more broadly. This follows the 2020 Schrems II decision which invalidated the EU-U.S. Privacy Shield Framework relied on by thousands of U.S. companies for trans-Atlantic trade in compliance with E.U. data protection rules. For businesses that share data internally or otherwise, the lack of a suitable replacement for the Privacy Shield Framework has meant increased reliance on Standard Contractual Clauses (SCC) (standard sets of terms and conditions that include obligations aimed at protecting personal data when it leaves the European Economic Area. Yet, the legality and usability of SCCs have been, at best, questionable, a point underscored by this latest decision. Since Schrems II, some companies have opted to keep all storing and processing of EU data in the EU to avoid complex compliance requirements associated with transferring EU data to the U.S. Despite ongoing negotiations between EU and U.S. regulators, in the near-term, companies that must comply with EU privacy rules continue to face a degree of uncertainty.

More crypto currencies regulation likely on the horizon

As cryptocurrency use gains traction, government regulators, including the U.S. Treasury Department, are exploring certain aspects of cryptocurrency use that “pose a significant detection problem by facilitating illegal activity.” In its May 20, 2021 release, within the context of President Biden’s tax compliance initiatives and a new financial account reporting regime, the Treasury Department noted potential coverage of cryptocurrencies, cryptoassets exchange accounts and payment service accounts that accept cryptocurrencies. Further, as with cash transactions, the initiative would require reporting by businesses that receive cryptoassets with a fair market value greater than $10,000. On the same day, Securities and Exchange Commission (SEC) Chair Gary Gensler voiced similar views with respect to the financial industry, telling annual Financial Industry Regulatory Authority (FINRA) conference attendees that “the SEC and FINRA should be ready to bring cases involving issues such as crypto, cyber and fintech” while highlighting investor protection. In the short-term, certainly some investors and companies may respond to a regulatory push with concern, especially given that cryptocurrency values may not appropriately reflect legal and other risks. However, some regulation may serve to further legitimize cryptocurrencies as an asset class.