
Posted by Michael C. Titens, Justin S. Cohen, and Stephen E. Stein
Cybersecurity and data privacy issues have been both overshadowed and strongly shaped by 2020's dominant story – COVID-19. As employees shifted to working from home and Zoom and other video conference services became the new norm, new cybersecurity issues arose. As testing, contact tracing and return-to-work questions took the forefront, privacy concerns correspondingly increased. Below are some of the most significant privacy and data security developments of 2020.
1. Federal Legislation: On December 4, 2020, the Internet of Things Cybersecurity Improvement Act of 2020 (the "IoT Act") was signed into law. The IoT Act establishes security requirements for IoT devices owned or controlled by the Federal government. While limited to devices at the federal level, the IoT Act is expected to influence IoT devices in the commercial sector as well, because a manufacturer that builds a device to the federal requirements can sell the same device commercially. Under the IoT Act, the National Institute of Standards and Technology (NIST) is charged with developing standards and guidelines for the appropriate use and management of IoT devices by federal agencies, consistent to the extent practicable with current industry best practices, and federal agencies are barred from procuring devices that do not meet those standards.
The National Defense Authorization Act for Fiscal Year 2021, passed by Congress in December, creates a National Cyber Director within the Executive Office of the President. The director is tasked with coordinating federal cybersecurity policy. The hope is that leadership at the executive level will strengthen both government and private sector security defenses.
2. California Privacy Rights Act Enacted: As covered in our Blog Post [link], on November 3rd California voters approved Proposition 24, the California Privacy Rights Act, or "CPRA." The CPRA broadens the scope of the previously implemented California Consumer Privacy Act ("CCPA") and creates a new enforcement agency, the California Privacy Protection Agency, whose enforcement authority begins in July 2023. As with the CCPA, the CPRA is expected to directly affect many companies that do business in California as well as influence legislation in other states.
3. SolarWinds Attack: The IT management company SolarWinds was the subject of a data security breach believed to have begun by March of 2020 and not identified until December. The breach, widely attributed to Russia, has affected a large number of Fortune 500 firms as well as the Treasury Department, the Department of Homeland Security, the National Nuclear Security Administration and others. The attackers inserted malicious code into SolarWinds' own build process for its Orion software, so that the digitally signed updates SolarWinds distributed to customers during the year carried a backdoor. Up to 18,000 SolarWinds customers are reported to have installed a compromised update; installing it gave the attackers a foothold in those customers' IT systems, although the attackers are believed to have pursued follow-on access into only a subset of them.
4. FireEye Attack: In early December, FireEye, a recognized leader in intelligence-led security-as-a-service, reported that it had been attacked by a highly sophisticated threat actor that FireEye believes to be state-sponsored, from a nation with top-tier offensive capabilities. Per FireEye, "Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers." FireEye also reported that the attackers stole its "Red Team tools" – the hacking tools that FireEye uses when conducting penetration tests and attempting to access its clients' systems – and FireEye published detection signatures for those tools so that other organizations could watch for their use. As with the SolarWinds attack, the direct target may have been government agencies, but the attack potentially affected thousands of customers across the globe.
5. Ransomware: Ransomware continued to be a significant cyber threat in 2020. Victims included municipal and county governments, universities, and local school districts, as well as manufacturing, service and other businesses. On October 28, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services issued a joint advisory warning hospitals and other healthcare providers of an imminent and increased ransomware threat. Ransomware attackers adapted their methods to increase the pressure on victims. In addition to blocking access to computer systems and encrypting data, modern ransomware attackers also seek out and encrypt or delete data backups, making it far more difficult for a victim to recover its files without paying the ransom; backups that are kept offline or otherwise cannot be modified from the compromised network are the practical defense. Attackers also exfiltrate data from a victim's network, including personal information of customers and employees, and then threaten to publish the data on "walls of shame" (leak sites) unless the ransom is paid, so that even a victim with good backups faces a data breach and the notification obligations that go with it.
Further increasing the risks for ransomware victims, the Treasury Department's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued advisories in October warning that ransomware payments to certain attackers could violate U.S. sanctions laws. A party making such a payment, as well as others involved in the process such as forensics firms, payment intermediaries and insurance providers, can face civil penalties even if they did not know they were dealing with a sanctioned group or individual at the time the payment was made, because sanctions liability does not depend on knowledge or intent.
6. Schrems II and Transatlantic Data Flows: On July 16, 2020, the Court of Justice of the European Union invalidated the EU-US Privacy Shield program, finding that it did not provide protection "essentially equivalent" to that guaranteed by European data privacy law (GDPR). The EU-US Privacy Shield program was a popular way for U.S. companies to comply with the restrictions on cross-border data transfers set forth in Chapter V of GDPR (Article 44 and following). Since the U.S. does not have an adequacy decision under European privacy law, the Privacy Shield program was the most efficient way for many U.S.-based companies to lawfully move data from Europe to the U.S. under GDPR. The decision largely centered on European concerns about U.S. surveillance programs and the ability of private data to end up with public authorities. The Court found that "the requirements of US national security, public interest and law enforcement have primacy [over individual data rights], thus condoning interference with the fundamental rights of persons whose data are transferred to that third country." The Swiss and Israeli data protection authorities issued statements reaching similar conclusions shortly after the European court's decision, adding to the importance of the ruling.
These decisions have placed increased emphasis on the "standard contractual clauses" as a lawful means of transatlantic data flow; however, the Court cautioned against blindly applying the standard clauses without a case-by-case assessment of whether the law of the destination country undermines the protection the clauses promise, and the European Data Protection Board has since published recommendations on the "supplementary measures" (for example, encryption under keys held only in Europe) that may be needed when it does. In November, the European Commission published a draft of updated standard clauses, with a final set expected in 2021.
In December, the Senate Committee on Commerce, Science, and Transportation held a hearing on the invalidation of Privacy Shield and the future of transatlantic data flows, highlighting a growing concern that companies will be pushed toward data localization.
7. Texas Privacy Protection Advisory Council Issues Interim Report: In September of this year, the Texas Privacy Protection Advisory Council released its interim report to the 87th Legislature. The Council was created by an amendment to proposed consumer privacy bills in Texas. Its charge is to study existing data privacy laws in Texas, other states, and relevant foreign jurisdictions and to recommend to the legislature any specific statutory changes regarding the privacy and protection of personal information that the study shows to be necessary. While the report does not propose specific statutory provisions, it does provide a framework for future Texas privacy legislation based on six general recommendations:
a. State agencies should adhere to privacy standards that are continually reviewed and updated;
b. Legislative proposals should consider a balance between consumer privacy concerns and business compliance;
c. Legislative proposals should consider the impact on highly regulated data (e.g., PHI and financial information) and complement existing federal laws;
d. Legislative proposals should be written broadly enough to allow for the adoption of new technology and business standards;
e. Legislative proposals should consider existing laws in Texas and in other states so as not to create conflict; and
f. Texans have a right to know how their personal information is being used.
8. Insurance Market Tightens: Cyber insurers are charging more for coverage and being more careful in their underwriting due to a sharp rise in the frequency and severity of ransomware claims. Ransomware is not the only concern, however. Cyber losses have also been driven by social engineering attacks, specifically business email compromise. The sharp uptick in claims may even push some insurers out of the cyber market. Premium increases reportedly range from 5% to 15%, with even greater increases in certain instances. The ransom payment itself is only part of the claim expense. Other large costs include IT expenditures related to investigating, identifying and containing attacks, and then restoring systems. Business interruption claims also make up an increasing share of the expense for the downtime after an attack. Underwriters have started to introduce specific ransomware question sets during the underwriting process, covering controls such as multi-factor authentication, offline backups and patching. Policyholders whose answers satisfy underwriters may obtain better terms than those who cannot show such controls, but should not expect discounts in this market. Given the expected increase in attacks in 2021, this tightening of the market is unlikely to ease anytime soon.