Not only are public and private companies increasingly targeted for cyber-attacks, but local and state governments across the country are as well. In our latest Privacy and Security Roundup, we cover the Senate-passed bill that includes nearly $2 billion in national cybersecurity funding, recent sanctions by the SEC on investment advisors and broker-dealers, a new initiative that aims to improve defense planning and information sharing between the public and private sectors, and more.
RECENT DEVELOPMENTS
An opportunity to improve national cybersecurity at state and local levels
Following weeks of stalemate and negotiation, the Senate passed its version of the Infrastructure Investment and Jobs Act (H.R. 3684), which includes hundreds of billions of dollars in new spending on traditional infrastructure such as the transportation system, airports, the electrical grid, and broadband. Amid growing threats to critical infrastructure, it is not surprising that the bill also aims at shoring up national cybersecurity.
As passed by the Senate, the measure includes more than $1.9 billion in cybersecurity funding. Among other uses, the bill would allocate funds to improve the cybersecurity of state and local governments — entities that malicious actors have targeted with increased frequency. Specifically, the bill would create a specialized grant program under the Department of Homeland Security (DHS) to provide funds to state and local governments over four years, with 25% of the funds going to particularly vulnerable rural government entities. The bill also would allocate funds to various federal agencies and entities tasked with cybersecurity, including the Department of Energy (DOE) to provide enhanced grid and energy cybersecurity, and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
While bipartisan support for national cybersecurity initiatives found in the legislation helped the bill pass the Senate, this massive legislation faces a somewhat uncertain future in the House. That said, if passed, the legislation could be a big win for state and local governments as well as utilities and energy providers dealing with cybersecurity risks.
SEC sanctions investment advisors and broker-dealers over email hacks
On Aug. 30, 2021, the Securities and Exchange Commission (SEC) sanctioned eight firms in three separate actions for failures related to cybersecurity policies and procedures. Those failures resulted in the compromise of employee email accounts and exposed the personal information of thousands of customers and clients. The sanctions included both cease-and-desist orders and financial penalties against investment advisors and broker-dealers for violations of the Safeguards Rule (Rule 30(a) of Regulation S-P). Broadly, the Safeguards Rule requires every registered broker-dealer and investment advisor to adopt written policies and procedures reasonably designed to:
- ensure the security and confidentiality of customer information;
- protect against anticipated threats or hazards to the security or integrity of customer records or information; and
- protect against unauthorized access to or use of customer information or records that could result in substantial harm or inconvenience to any customer.
As noted in an SEC statement on the matter, these actions make clear that simply having a written policy requiring enhanced security is not enough if those requirements are not actually implemented and enforced, especially once a firm knows its accounts are under attack. In other words, for SEC-registered broker-dealers and investment advisors, the return on following national cybersecurity best practices includes avoiding run-ins with regulators.
ITEMS TO KNOW AND KEEP IN MIND GOING FORWARD
A new public and private effort to combat cyber threats
CISA unveiled its Joint Cyber Defense Collaborative (JCDC) in a keynote at Black Hat USA 2021 in August. The initiative, which aims to improve defense planning and information sharing between the public and private sectors, comes on the heels of several high-profile ransomware, supply chain and other attacks (e.g., SolarWinds, Colonial Pipeline, Kaseya). Not surprisingly, initial efforts under the collaborative will focus on ransomware and on developing a planning framework for coordinating the response to incidents affecting cloud service providers.
Participants in the JCDC include several well-known cybersecurity companies and telecommunications vendors. Following almost every high-profile cybersecurity incident, commentators point to the degree of information sharing (or lack thereof) between the private and public sectors. Consequently, as CISA's director noted, the initiative can be seen as a response to the need for better information sharing between government and companies in order to identify and combat threats "such as what happened with SolarWinds." That said, while some view a voluntary public-private collaboration as a step in the right direction, Congress is eyeing legislation that would make collaboration mandatory in the form of CISA incident reporting requirements for critical infrastructure operators that suffer cyber incidents.
UK data transfers: New developments and alignment with the EU
In the wake of Brexit, the UK's data protection regulator, the Information Commissioner's Office (ICO), launched a public consultation on international data transfers. In short, despite the significant overlap between the EU GDPR and the UK GDPR, changes are necessary to account for UK law, which makes the consultation relevant to any entity that transfers personal data out of the UK or provides services in the UK. Commentators have also noted that the UK may seek to chart its own course on privacy more definitively, a move that could affect the UK's adequacy status with the EU. The consultation asks for input on several items, including:
- Use of SCCs: At present, the EU's Standard Contractual Clauses (SCCs) cannot be used on their own for transfers from the UK, which has led organizations to prepare separate vendor, customer or intra-group agreements for the EU and the UK, a costly and time-consuming prospect. The ICO is therefore considering issuing a UK addendum that could be appended to the EU SCCs. The addendum would modify the parts of the SCCs that refer to EU member state law and institutions; it would be compact and flexible, and parties could modify it provided appropriate safeguards are maintained. The challenge will likely lie in the fine print. Organizations transferring data from the UK should remember that the EU's new SCCs will be permitted for UK transfers only once amended by such an addendum, and that the old SCCs do not account for Schrems II. Moreover, because the ICO is unlikely to approve and issue an addendum until very late this year or in 2022, organizations will, in effect, need two different data transfer agreements for the EU and the UK in the meantime, though they may later be able to use the SCCs with the UK addendum for UK transfers.
- UK-specific International Data Transfer Agreement (IDTA): The ICO has asked for feedback on its draft IDTA. Unlike the modular structure of the SCCs, the IDTA is a single, one-size-fits-all agreement, so parties do not need to cut and paste text to assemble an agreement appropriate to their situation. While certain mandatory clauses cannot be changed, parties are free to edit and delete sections irrelevant to them, and the draft IDTA allows parties to cross-reference documents such as master service or data processing agreements. While still early, one likely point of contention is the mandated annual transfer risk assessment, a requirement that might be excessive for low-risk data transfers.
- Transfer Risk Assessment (TRA): The ICO is also seeking input on its draft TRA, which is designed for use alongside the IDTA. Unlike the EU's approach, the TRA leaves room for legitimate laws regulating surveillance in the destination country. It also offers accessible scenarios and clearer guidance on what constitutes a low-, medium- or high-risk transfer, and takes a more holistic approach to assessing risk. In enforcement actions involving a TRA, the ICO will take into account situations where an organization can show it made best efforts to complete the TRA even if its analysis turns out to be incorrect. However, in its current form the TRA is lengthy and somewhat cumbersome for smaller enterprises.
Questions on the efficacy of the CCPA
The California Consumer Privacy Act (CCPA) is one well-known and high-profile example of comprehensive privacy legislation. As initially enacted, the landmark legislation aimed, in part, to force entities that collect personal information to account for how that information is used and disclosed. The CCPA's implementing regulations also require certain larger companies to report consumer request metrics annually. Yet, with those numbers now public, exactly how many California consumers have exercised their rights under the CCPA, and how the most prominent players are specifically complying, remains difficult to ascertain. CCPA supporters hoped the disclosures would show voters what they were getting and help track enforcement of the law. Based on the disclosures, however, the number of consumer requests made under the CCPA varies significantly from company to company. Moreover, on the enforcement side, the California Department of Justice has not maintained a complete list of firms that must comply with the CCPA's requirements.
Arguably, the broad inconsistencies in the exercise of individual rights under the CCPA, and the lack of clarity on enforcement, can be explained by the different compliance approaches of individual companies. For example, while some companies prominently display CCPA-related links and notices, others bury them where they are hard to find. Similarly, companies may use different metrics to track compliance (e.g., nationwide versus California-specific request counts), which makes comparing compliance across companies difficult. It also highlights that companies have drawn different conclusions about their responsibilities under the CCPA. For example, companies that allow people to opt out of sales of their information report a higher volume of those requests than of any other type, while other companies take the position that they do not sell personal data to third parties and, therefore, that the CCPA's right to opt out of sales does not apply to them.
Yet, despite company views to the contrary, privacy advocates might argue that the CCPA's definition of a sale reaches certain commonly used tools, such as third-party cookies that track users across sites for marketing purposes. Privacy may now be in the public consciousness and something companies are more likely to take seriously. Nevertheless, with the California Privacy Rights Act taking effect in 2023 (bringing greater enforcement and new prohibitions), the most recent metrics highlight major questions on efficacy and enforcement that may need to be addressed going forward.