The Digital Download – Alston & Bird’s Privacy & Data Security Newsletter – May 2022 | Alston & Bird

Selected Developments in U.S. Law

U.S. Department of Commerce Announces the Establishment of a Global CBPR Forum
On April 21, 2022, Canada, Japan, South Korea, the Philippines, Singapore, Taiwan, and the United States issued a Global Cross-Border Privacy Rules Declaration announcing the establishment of the Global Cross-Border Privacy Rules Forum. U.S. Secretary of Commerce Gina M. Raimondo described the establishment of the Global CBPR Forum as “the beginning of a new era of multilateral cooperation in promoting trusted global data flows” and highlighted its intent to create “first-of-their-kind data privacy certifications that help companies demonstrate compliance with internationally recognized data privacy standards.”  

Colorado Issues Pre-rulemaking Considerations for the Colorado Privacy Act
On April 12, 2022, the Colorado Department of Law released its Pre-rulemaking Considerations for the Colorado Privacy Act (CPA), following state attorney general Phil Weiser’s remarks at the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C. The department seeks informal input on several topics in addition to general comments on the CPA. Comments may be provided until the end of August 2022 by using the CPA Comment Form and attending to-be-scheduled informal listening sessions.  

Recent Updates in Two Closely Watched Cybersecurity and Privacy-Related Securities Fraud Class Actions
Observers have been awaiting decisions on a number of cybersecurity and privacy securities fraud class actions with potentially important implications for corporate liability. Over the last several months, critical developments emerged in two cases: the defendants’ motion to dismiss was granted in part and denied in part in In re Zoom Securities Litigation, and the Supreme Court denied cert of the Ninth Circuit’s decision reviving the claims in Alphabet Inc. v. Rhode Island.  

White House Releases Recommendations to Protect Against Potential Cyber-Attacks
The potential for malicious cyber activity has been a concern for the Biden Administration throughout the evolving crisis in Ukraine (including the imposition of sanctions against Russia). In response to the concern, the Administration, which faced “evolving intelligence that Russia may be exploring options for potential cyberattacks,” released recommendations on March 21, 2022 for companies to protect against cyber-attacks.  

President Biden Issues Executive Order Directing Coordinated Federal Approach to Digital Assets
As a result of the rise in digital assets, President Biden signed an Executive Order on March 9, 2022 ordering a review of the nation’s approach to cryptocurrency. The Executive Order on Ensuring Responsible Development of Digital Assets contains broad policy objectives and specific analysis to be conducted by the federal government. The Order identifies several key national priorities related to digital assets and directs the executive branch to follow the interagency process that President Biden previously implemented for the National Security Council to implement the Order. The Order directs a broad swath of U.S. federal agencies to analyze and issue assessments related to digital assets, including the viability of a U.S. central bank digital currency, a digital form of U.S. sovereign currency.  

Colorado Attorney General’s Office Issues Notice of Invitation for Informal Input on CPA Rulemaking
On March 7, 2022, the Colorado Attorney General’s Office issued to the public an invitation to submit initial input on the CPA and future rulemaking. The Attorney General’s Office is accepting informal comments on any area on which it has the authority to adopt rules and provides examples of input in the invitation. The public has until August 31, 2022 to submit comments.  

Senate Passes Significant Cyber Bill Requiring Cyber-Incident Reporting
The Strengthening American Cybersecurity Act of 2022, a bill that narrowly failed to become law last year, was passed in the Senate on Tuesday, March 1, 2022 as a package of cybersecurity measures that would require operators of critical infrastructure and federal civilian agencies to report cyber-incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency. With bipartisan support, the bill was backed by Senators Gary Peters (D-MI) and Rob Portman (R-OH). This marks the most significant cyber bill to make it through the Senate in the chamber’s history, and if passed would be the first significant cyber legislation to pass since the 2015 Cybersecurity Information Sharing Act, which gave companies legal cover to voluntarily share cyber-threat information with the government.  

CPPA Expected Not to Meet CPRA Rulemaking Deadline
At a board meeting held by the California Privacy Protection Agency (CPPA) on February 17, 2022, Executive Director Ashkan Soltani announced that the CPPA does not expect to meet the July 1, 2022, statutory deadline for adopting final regulations under the California Privacy Rights Act. The CPPA plans to schedule meetings in March and April to solicit comments from experts and the public.  

Georgia Introduces Privacy Bill Stricter Than CCPA – The Top 10 Issues
On January 26, 2022, the Georgia General Assembly introduced the Georgia Computer Data Privacy Act (GCDPA). Despite its title, the GCDPA is not a “computer”-focused bill. It is instead an omnibus privacy statute modeled after California’s Consumer Privacy Act (CCPA).  

Incomplete Cybersecurity Compliance Disclosures May Support Fraud Claim Under the False Claims Act, Federal Court Holds
On the heels of a recent Civil Cyber-Fraud Initiative related to cybersecurity practices and the False Claims Act (FCA), a cybersecurity-related FCA case has survived a motion for summary judgment, teeing up a trial to determine if the defendants’ cybersecurity compliance disclosures were materially incomplete and if any misstatements were knowingly made.    

Global Updates

EU and U.S. Reach Agreement in Principle on a Replacement for the EU-U.S. Privacy Shield
On March 25, 2022, the European Commission and the United States announced that they have reached an “agreement in principle” on a replacement for the EU-U.S. Privacy Shield, which was invalidated by the Court of Justice of the European Union in 2020. The new framework will be designed to allow personal data to flow freely between the EU and participating U.S. companies and will likely be seen as the main alternative to the standard contractual clauses released by the European Commission last year.  

Italian Supervisory Authority Imposes €20 Million Fine on Controller Outside of Europe
The Italian Garante per la Protezione dei Dati Personali published a decision on February 10, 2022 in which it imposes a €20 million fine on a company outside of Europe for violations of the EU General Data Protection Regulation.  

U.S., UK, and Australia Issue Joint Cybersecurity Advisory on Ransomware Threat to Critical Infrastructure
On February 9, 2022, the United States, United Kingdom, and Australia issued a Joint Cybersecurity Advisory on the “Increased Globalized Threat of Ransomware” against critical infrastructure sectors. The advisory lists trends in cyber-criminal activity from the last year and also provides mitigation strategies and recommendations to reduce the risk of compromise and the impact of ransomware incidents.  
