Since the start of 2021, cyber-attacks have dominated headlines across every industry. From governments and government organizations, healthcare companies, and banks, to gaming companies and oil pipelines, ransomware has impacted organizations of all types and sizes. The scale and scope of these attacks have continued to grow and have far reaching consequences. Despite current agency attempts to strengthen cybersecurity through regulation, individual users continue to pose a serious threat due to insufficient security education.
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its deafening decision that summarily and immediately invalidated the EU-US Privacy Shield. The regulatory program established between the European Council and the U.S. Dept. of Commerce allowed for the transfer of personal data of EU residents to be sent from the EU to the US without violating the data transfer restrictions of the General Data Protection Regulation (“GDPR”). The decision went on to cast serious doubt on the sufficiency of standard contractual clauses to adequately protect data transferred to any third country, not just the US. Several months later, data exporters in the EU are still sorting through the wreckage of their privacy programs and waiting for practical advice on the way forward.
On December 12, 2020, the European Commission (the “EC”) issued a highly anticipated draft of newly revised standard contractual clauses (“new SCCs”) that may be used by European Union-based companies to safeguard data transfers of personal data to third countries, such as the US, in compliance with GDPR Art. 46(1). The release comes at a decidedly inopportune time as it follows on the heels of the Court of Justice of the European Union’s (CJEU) Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”) decision which casts serious doubt on the adequacy of SCCs alone to safeguard against the “high-risks” involved in EU to US data transfers. And for many data protection experts, the language of the revised SCCs only adds to the confusion, raising even more questions. But one question in particular seems to be prominent among others—for transfers to importers, directly subject to GDPR, are SCCs really necessary?
President Joe Biden has issued a number of Executive Orders, many of which address the ongoing COVID-19 public health emergency. On January 21, 2021, President Biden released another pillar of his Administration’s long-term plan to direct the United States out of the throes of the pandemic. The twelfth Executive Order titled, “Ensuring a Data-Driven Response to COVID-19 and Future High-Consequence Public Health Threats” orders the Department of Health and Human Services (“HHS”) Secretary Alex Azar to conduct a nationwide review of the interoperability of public health data systems in an effort to enhance the collection, sharing, analysis, and collaboration of de-identified patient data.
It cannot be denied that the COVID-19 pandemic has led to many novel legal and regulatory issues. One topic of major concern both domestically and abroad is how to manage the massive amounts of consumer data being collected in the attempt to quell the spread of the virus. This issue is especially complicated to address in the United States, where a convoluted patchwork of state and federal laws interact to create a relentlessly fragmented data regulation system. Now, as state and local governments, along with tech giants like Apple and Google, continue to roll out contact tracing applications, the need for comprehensive data privacy regulation is more pressing than ever.
There seems to be no end in sight to the various concerns associated with COVID-19, and experts are hesitant to say when and if life as we knew it will ever return to “normal.” As the pandemic persisted, companies large and small quickly realized that jobs we all assumed had to be done in an office, can in fact be done from the comfort of one’s home. #WFH is a trending social media hashtag standing for “work from home,” and posts using this hashtag range anywhere from how to dress comfortably while remaining professional when working from home to setting up the perfect home office. #WFH, however, is not just a social media trend, but a new normal for many Americans as employers were forced to allow their employees to work from home due to health concerns related to COVID-19. This gives rise to questions such as, what about safety and security concerns related to employer data? And, where do employees draw the line between work and home when working from home? While this may be uncharted territory, top researchers say that #WFH may be the next big thing for companies worldwide.
Within the last decade, data has surpassed oil as the world’s most valuable commodity. Earlier this year the Securities and Exchange Commission (SEC) released its observations made during audits that detailed the methods used by corporations to secure their data. This included the kinds of cybersecurity practices employed by companies as well as advice on how to better deal with sensitive data and protect against potential cyberattacks. The SEC’s observations coincide with a recent announcement from the National Security Agency (NSA) that showcases an increased concern surrounding cybersecurity in the corporate world.
The Children’s Online Privacy Protection Act (“COPPA”) prohibits unfair or deceptive collection, use, and disclosure of the personal information of children on the internet. COPPA covers both website operators and app developers, and prevents collection of personal information without verified, written consent of parents. On February 27, 2019, the Federal Trade Commission (“FTC”) filed a complaint in U.S. District Court against TikTok, previously known as Music.ly. The complaint alleged that Music.ly knowingly violated COPPA when it collected data from children without written consent of parents. Music.ly settled for $5,700,000.00, the largest civil penalty obtained by the FTC for violations of COPPA.
In the age of digitization, data seems less secure than ever. Public companies constantly attempt to safeguard both personal and financial data, yet their efforts fail due to new outbreaks of malicious encryption viruses and persistent email phishing attempts. Data breaches and cyber fraud carry severe financial implications for public companies who fall victim to these types of attacks. But a new Securities and Exchange Commission (SEC) report says that public companies that are easy targets of cyber scams could also be in violation of federal securities laws and accounting regulations that call for firms to safeguard their assets. Although the SEC has issued its warning to public companies about the compliance and financial risks posed by cyber fraud, many companies are still struggling to implement effective protections against newly-evolved forms of cyber-attacks.
While the legal community has spent much of the last year exhaustively dissecting the European Union’s new General Data Protection Regulation (GDPR), nearly half of businesses in the United States are still not compliant with standards governing the collection, storage, and disposal of payment (credit/debit) card data. Businesses of all sizes should work to ensure that they understand and are in compliance with these standards, or risk significant exposure in the event of a payment card data breach traced back to their organization.