In the absence of overarching federal privacy legislation, enforcement authority over privacy and cybersecurity is shared among several government agencies. With attention to privacy and cybersecurity issues rapidly increasing, federal agencies are addressing them through active rulemaking, enforcement, and policy development.
Throughout this blog post, we highlight and summarize some key recent developments concerning federal regulation of privacy and cybersecurity:
Consumer Financial Protection Bureau (CFPB)
On October 21, 2021, the CFPB ordered Google, Apple, Facebook (now Meta), Amazon, Square, and PayPal to provide information regarding their data harvesting and monetization activities, access restrictions and user choice policies, and consumer payment and fraud protection. In his full statement on the matter, Director Rohit Chopra remarked that the CFPB would also investigate the practices of Chinese tech giants that offer payment systems.
On January 27, 2022, the CFPB released its annual list of consumer reporting companies and urged consumers to “exercise their right to see what information these firms have, dispute inaccuracies, and file lawsuits if the firms violate the Fair Credit Reporting Act (FCRA).” This list (consisting of the three nationwide consumer reporting companies as well as specialty reporting companies that collect and sell access to people’s data) follows the CFPB’s November 2021 advisory opinion affirming that consumer reporting companies violate the FCRA if they use inadequate information matching procedures, such as matching on name alone.
On March 9, 2022, President Biden issued an Executive Order on Ensuring Responsible Development of Digital Assets. Among other priorities, the Executive Order directs the FTC Chair and the CFPB Director to investigate the “extent to which privacy or consumer protection measures within their respective jurisdictions may be used to protect users of digital assets and whether additional measures may be needed.”
Department of Homeland Security (DHS)
In the past year, DHS’s Transportation Security Administration (TSA) and Cybersecurity and Infrastructure Security Agency (CISA) have focused on mitigating cybersecurity vulnerabilities and promoting public-private information sharing within critical infrastructure and related industries. These efforts have taken the form of several Security Directives. In response to the May 2021 Colonial Pipeline ransomware attack, TSA announced a Security Directive requiring critical pipeline owners and operators to (1) report confirmed and potential cybersecurity incidents to CISA; (2) designate a Cybersecurity Coordinator who is on call 24/7; and (3) review current practices to identify gaps and remediation measures related to cyber risks, with a report of the results due to TSA and CISA within 30 days.
On July 20, 2021, TSA announced a second Security Directive requiring owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas to (1) implement specific mitigation measures to protect against ransomware attacks and other information technology and operational threats; (2) develop and implement a cybersecurity contingency and recovery plan; and (3) conduct a cybersecurity architecture design review. In December 2021, TSA released two Security Directives applicable to owners and operators of passenger railroad carriers and rail transit systems and to freight railroad carriers. Both Security Directives require rail owners and operators to (1) designate a Cybersecurity Coordinator who would be on call 24/7; (2) report cybersecurity incidents as soon as practicable, but no later than 24 hours; (3) develop and implement (within 180 days) a Cybersecurity Incident Response Plan; and (4) conduct a cybersecurity vulnerability assessment with results due to TSA within 90 days.
In addition to the above, DHS established the Cyber Safety Review Board in accordance with President Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. The Board, which brings together federal and private-sector members, reviews significant cyber incidents and issues recommendations, acting as a bridge between the federal government and the private sector on cybersecurity matters.
Furthermore, in the wake of Russia’s invasion of Ukraine, DHS and the FBI published advisories for critical infrastructure organizations regarding potential cyberattacks by Russian threat actors.
On March 10, 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Signed into law by President Biden on March 15, the act requires covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours and to report ransomware payments within 24 hours. These reporting obligations do not apply until CISA completes the rulemaking the act directs, which will also define which entities and incidents are covered.
Federal Communications Commission (FCC)
On January 12, 2022, FCC Chairwoman Jessica Rosenworcel shared a Notice of Proposed Rulemaking that would update the current data breach notification rules for telecommunication carriers. The changes include (1) elimination of the current 7 business day mandatory waiting period for notifying customers; (2) expansion of consumer protections by requiring notification of inadvertent breaches; and (3) requirement of notification to the FCC, the FBI, and the Secret Service.
In response to a petition filed by All About the Message, Rosenworcel announced on February 2, 2022, a proposal that would require callers to obtain a consumer’s consent before delivering a “ringless voicemail” message.
On February 28, 2022, the FCC published a Notice of Inquiry (NOI) seeking “comment on vulnerabilities threatening the security and integrity of the Border Gateway Protocol (BGP).” BGP, a critical component of Internet infrastructure, is the routing protocol used to exchange reachability information among the independently managed networks that make up the Internet; because route announcements are accepted largely on trust, a misconfigured or malicious network can hijack or misdirect traffic destined for others. The FCC published this NOI in light of Russia’s invasion of Ukraine, and comments are due 30 days after publication in the Federal Register.
Federal Trade Commission (FTC)
The FTC is particularly active in multiple areas related to privacy and cybersecurity.
For example, at an open commission meeting on September 15, 2021, the FTC voted 3-2 to approve a policy statement affirming that health apps and connected devices that draw information from multiple sources must comply with the Health Breach Notification Rule. The policy statement served as notice to health apps and connected-device companies, which are traditionally not covered entities under HIPAA, “of their ongoing obligation to come clean about breaches.” The FTC published a “Health Privacy” landing page with featured guides on “Complying with FTC’s Health Breach Notification Rule” and “The Basics for Business.” Businesses can find information there on who is covered by the Health Breach Notification Rule, what triggers the notification requirement, and what to do if a breach occurs.
On October 1, 2021, the FTC delivered its “Report to Congress on Privacy and Security,” urging Congress to enact privacy and data security legislation.
On October 27, 2021, the FTC announced updates to the GLBA Safeguards Rule that would strengthen data security requirements for financial institutions. The amendments became effective on January 10, 2022.
In response to the critical Log4j vulnerability disclosed in December 2021, the FTC warned businesses in January 2022 to remediate Log4j vulnerabilities and emphasized that it would use its authority to pursue companies that fail to take reasonable steps to mitigate exposure. The FTC recommends that businesses (1) update their Log4j software package to the most current version; (2) consult CISA guidance regarding mitigation techniques; (3) ensure remedial steps are taken so that the vulnerability is not reintroduced; and (4) distribute this information to any relevant third-party subsidiaries that sell products or services to consumers.
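The FTC’s first step above, updating log4j-core, can only be verified if you know where every copy of the library sits, including jars that were renamed or shaded into vendor bundles and so carry no version in their filename. The following Python script is an added example, not part of the original post or of FTC or CISA guidance: it walks a directory tree, reads the Maven pom.properties that log4j-core ships inside each jar (falling back to the filename), and flags any version below the patched floors Apache published (2.17.1 for Java 8 and later, 2.12.4 for Java 7, 2.3.2 for Java 6). The directory layout, jar names and versions created by build_sample_tree are constructed for the demonstration.

```python
"""Inventory log4j-core jars on disk and flag releases below the patched floors."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fully patched log4j-core release on each branch Apache maintained after
# the December 2021 disclosures: 2.17.1 (Java 8+), 2.12.4 (Java 7), 2.3.2 (Java 6).
PATCH_FLOORS: Tuple[Version, ...] = ((2, 17, 1), (2, 12, 4), (2, 3, 2))

# Maven metadata that log4j-core carries inside its jar, even when shaded/renamed.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text: str) -> Version:
    """'2.14.1' -> (2, 14, 1); pre-release strings such as '2.0-beta9' -> (2, 0, 0)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def is_patched(v: Version) -> bool:
    # 2.13.0 through 2.17.0 sit numerically above 2.12.4 but are unpatched, so the
    # backport branches must be matched on (major, minor), not by a bare >= test.
    if v >= PATCH_FLOORS[0]:
        return True
    return any(v[:2] == floor[:2] and v >= floor for floor in PATCH_FLOORS[1:])


def jar_version(path: str) -> Optional[Version]:
    """Version of the log4j-core inside a jar, or None if the jar does not contain it."""
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PATH in zf.namelist():
                for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    except zipfile.BadZipFile:
        return None
    # Metadata stripped: fall back to the conventional artifact filename.
    m = NAME_RE.search(os.path.basename(path))
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


@dataclass
class Finding:
    path: str
    version: Version
    patched: bool


def scan(root: str) -> List[Finding]:
    """Walk root and report every jar/war/ear that contains log4j-core.
    Nested jars inside a war/ear are not unpacked here."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".jar", ".war", ".ear")):
                continue
            full = os.path.join(dirpath, name)
            v = jar_version(full)
            if v is not None:
                findings.append(Finding(full, v, is_patched(v)))
    return findings


def _write_jar(path: str, version: Optional[str]) -> None:
    """Constructed sample: a minimal zip standing in for a jar, with or without
    log4j-core's pom.properties (hypothetical test data, not real artifacts)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PATH, f"version={version}\ngroupId=org.apache.logging.log4j\n")


def build_sample_tree(root: str) -> None:
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")  # pre-fix release
    _write_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")  # patched
    _write_jar(os.path.join(lib, "log4j-core-2.11.2.jar"), None)      # metadata stripped, filename only
    _write_jar(os.path.join(lib, "log4j-api-2.14.1.jar"), None)       # API jar, not the vulnerable artifact
    _write_jar(os.path.join(lib, "vendor-bundle.jar"), "2.12.4")      # shaded, Java 7 backport, patched
    _write_jar(os.path.join(lib, "legacy-logging.jar"), "2.12.1")     # renamed and still vulnerable


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, and return
    {filename: (version string, patched)}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return {os.path.basename(f.path): (".".join(map(str, f.version)), f.patched)
            for f in scan(root)}


if __name__ == "__main__":
    for name, (version, ok) in sorted(demo().items()):
        print(f"{'OK ' if ok else 'FIX'} {name}: log4j-core {version}")
```

The check is by declared version only; it does not detect a jar whose JndiLookup class was removed as an interim mitigation, and it does not open jars nested inside a war or ear. Treat it as the inventory step that precedes patching, and record the output so that step (3) above, confirming the remediation held, can be repeated after each deployment.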
The FTC has also been active on the enforcement front.
Office of the Comptroller of the Currency in the Department of the Treasury (OCC)
On November 18, 2021, the OCC, the Federal Reserve Board, and the FDIC jointly approved a final rule that requires (1) “banking organizations” to notify their primary federal regulator of any significant “computer-security incident” as soon as possible and no later than 36 hours after the bank determines that a “notification incident” has occurred, and (2) “bank service providers” to notify each affected banking organization customer of any “computer-security incident” that has “caused, or is reasonably likely to cause, a material service disruption or degradation for 4 or more hours.” The rule became effective on April 1, 2022, with a compliance date of May 1, 2022.
Office of Foreign Assets Control in the Department of the Treasury (OFAC)
In response to the rising rates of cybercrime and the increasingly prominent role played by virtual currencies, OFAC released its “Sanctions Compliance Guidance for the Virtual Currency Industry” on October 15, 2021. This compliance guidance follows on the heels of the agency’s September 21, 2021 “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” Noting that demand for ransomware payments increased during the COVID-19 pandemic, OFAC warned all U.S. private companies and citizens of the potential sanctions risks associated with making and facilitating ransomware payments. OFAC further noted that the “existence, nature, and adequacy of a sanctions compliance program,” notification to and cooperation with law enforcement, and “meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices” would be viewed as significant mitigating factors in any enforcement response.
On September 21, 2021, the same day it issued the updated ransomware advisory, OFAC designated a virtual currency exchange, SUEX OTC, S.R.O., for its role in facilitating financial transactions for ransomware actors. As a result, all U.S. persons are prohibited from engaging in transactions with SUEX.
Furthermore, following Russia’s invasion of Ukraine, OFAC issued sweeping sanctions related to the Russian Direct Investment Fund, the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, and the Ministry of Finance of the Russian Federation. Additionally, OFAC has designated certain Russian and Belarusian entities and individuals. On February 24, 2022, OFAC also announced that all U.S. financial institutions must close any Sberbank correspondent or payable-through accounts and that full blocking sanctions would be placed on VTB Bank. Businesses should keep a close eye on all updates from OFAC and the Department of Commerce’s Bureau of Industry and Security (BIS) related to sanctions and the Export Administration Regulations (EAR).
Office of Management and Budget (OMB)
On December 6, 2021, the OMB published a “Memorandum for the Heads of Executive Departments and Agencies.” In this Memorandum, Deputy Director for Management Jason S. Miller called for implementation of a Zero Trust Architecture, accelerated ground-truth testing (such as penetration testing and red teaming) in place of compliance checklists, improvement of observable security outcomes, and an emphasis on automated, machine-readable reporting. Additionally, the Memorandum requires agencies to report all major incidents to CISA and the OMB Office of the Federal Chief Information Officer (OFCIO) within one hour of determining that a major incident has occurred. The Memorandum defines a “major incident” as either (1) “any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people,” or (2) “a breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.”
Securities and Exchange Commission (SEC)
On March 9, 2022, the SEC announced proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would (1) amend Form 8-K to require registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident; (2) amend Forms 10-Q and 10-K to require updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure (to the extent known to management) when a series of previously undisclosed, individually immaterial cybersecurity incidents becomes material in the aggregate; (3) amend Form 10-K to require disclosures about a registrant’s policies and procedures for identifying and managing cybersecurity risks, its cybersecurity governance, and management’s role; (4) amend Item 407 of Regulation S-K to require disclosure of whether any member of the registrant’s board of directors has cybersecurity expertise; (5) amend Form 20-F to require foreign private issuers to provide cybersecurity disclosures in their annual reports; (6) amend Form 6-K to add “cybersecurity incidents” as a reporting topic; and (7) require that the proposed disclosures be provided in Inline XBRL. Comments are due by the 30th day after the date of publication in the Federal Register or by May 9, 2022, whichever is later.
Key Takeaways
The data security and privacy landscape in the United States and worldwide is already complex and is growing more so given the sharp increase in cyber-attacks over the past several years. Working with experienced legal counsel can help your organization understand this landscape, work toward compliance with state, federal, and global privacy laws, and respond in the event of a cybersecurity incident. Our team of lawyers and technologists is well positioned to help organizations navigate this constantly evolving space.
*Attorney Advertising: Prior results do not guarantee future outcomes.