The Download | November 2021

In this issue, we highlight the new standard contractual clauses, discuss the European Commission’s new assessment requirement, a Transfer Impact Assessment, and outline considerations for companies when undertaking their own GDPR assessments. On the cyber side, ransomware attacks are on the rise. We review recent trends and developments in these devastating attacks, and the steps you can take to prepare now. FTC practitioners have likely noticed the FTC’s new modus operandi. We examine the new Chair’s priorities and recent agency events.

Transfer Impact Assessments and Standard Contractual Clauses: Issues and Trends

The European Commission’s recent release of new standard contractual clauses (SCCs) brought with it an additional requirement for companies that transfer data to countries outside of the European Economic Area and Switzerland: a Transfer Impact Assessment (TIA). Below we provide background on the Schrems II decision that laid the groundwork for the new assessment requirement. We also catalog requirements for such TIAs, and we discuss issues and trends companies may consider when conducting their own assessments for General Data Protection Regulation (GDPR) compliance.

I.  Background on Schrems II and New Standard Contractual Clauses

Pursuant to Articles 44-50 of the General Data Protection Regulation (GDPR), company transfers of personal data to third countries outside of the European Economic Area and Switzerland, if not subject to an exemption or “derogation,” must meet one of three requirements: (1) the data recipient country must maintain laws that reflect an adequate level of protection for personal data commensurate with GDPR standards, as assessed by the European Commission (“adequacy decision”); (2) the parties to the data transfer must enter into standardized provisions that govern the terms of the data transfer via contract (the “standard contractual clauses”); or (3) the data recipient must submit its internal data protection policies to a competent data authority in the EU for approval (“binding corporate rules”).

In July 2020, the Court of Justice of the European Union (CJEU) issued a decision in Data Protection Commission v. Facebook Ireland and Maximilian Schrems (Schrems II) that invalidated the adequacy decision the United States had maintained for transfers of personal data from the EU, known as the Privacy Shield. In the wake of that decision, questions arose surrounding U.S. government surveillance laws, as the CJEU raised concerns about the sweeping nature of U.S. surveillance programs and noted that they do not provide adequate avenues for judicial redress for EU citizens. Without an adequacy decision for the United States, Schrems II resulted in companies becoming increasingly reliant on the standard contractual clauses, or SCCs, to comply with data transfer requirements under GDPR.

Although Schrems II confirmed the soundness of the SCCs as a data transfer mechanism, the CJEU added a requirement for companies using the SCCs to verify, on a case-by-case basis, whether the laws of the country receiving personal data provide adequate protections for transferred personal data. In light of this requirement, as well as a number of other factors indicating the SCCs required updates, the European Commission decided to develop new SCCs to modernize them, to provide greater flexibility for complex processing arrangements, and to cover additional data transfer scenarios that were not contemplated by the original SCCs.

In June 2021, the European Commission published new SCCs. At a high level, the new SCCs adopt a flexible format setting forth general clauses that apply in all transfer scenarios and more specific “modules” that can be chosen based on the relationship between the parties. The old SCCs, for example, did not contemplate processor-to-processor data transfers, which created confusion for companies with transatlantic business that considered themselves data processors under the GDPR. The new SCCs contain a processor-to-processor module, thereby filling a gap that had confounded many under the original SCCs.

The new SCCs went into effect on June 27, 2021. However, companies were granted a grace period to continue to use the old SCCs for new data transfers during a three-month transition that expired on September 27, 2021. Existing contracts that rely on the old SCCs, including those executed during the three-month grace period, may continue to be used until December 27, 2022, after which all data transfers must be governed by the new SCCs. These timelines essentially boil down to giving companies until December 27, 2022 to overhaul contracting arrangements to replace the old ones and conform with the new SCCs.

II.  SCCs and Transfer Impact Assessments

In direct response to Schrems II, the new SCCs also require the laws of the data importer’s jurisdiction to be assessed before personal data may be transferred to that jurisdiction. Specifically, the SCCs require the parties to warrant that there is “no reason to believe that the laws and practices in the third country of destination [of the data] … prevent the data importer from fulfilling its obligations under these Clauses.” To make this representation, the parties must evaluate the laws of the country data will be transferred to—these evaluations are known as Transfer Impact Assessments (TIAs) or Transfer Risk Assessments (TRAs). All organizations relying on the SCCs as a cross-border data transfer mechanism, therefore, must conduct a TIA prior to entering into the SCCs.

The SCCs outline basic requirements for the content and form of TIAs. Based on the requirements in Clause 14 of the SCCs, TIAs must:

  1. Take into consideration the specific circumstances of the data transfer contemplated, including the length of the processing chain, the number of actors involved, and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; and the storage location of the data transferred;
  2. Address the laws and practices of the country the data will be transferred to, including relevant laws that require or authorize disclosure of data to public authorities;
  3. Identify relevant safeguards the data importer has put in place to supplement the safeguards established in the SCCs;
  4. Be documented; and
  5. Be made available to the competent supervisory authority upon request.

III.  Spotlight on U.S. Transfers—FISA Section 702 and E.O. 12333

While TIAs will vary in the way in which they address the specific data transfer contemplated under the SCCs, the Schrems II decision and statements by European regulators indicate that all TIAs for transfers to the United States should focus on U.S. government surveillance laws. Specifically, in deeming the Privacy Shield an inadequate data transfer mechanism, the Schrems II court focused on the seemingly sweeping surveillance authority given to the U.S. intelligence and law enforcement agencies under Section 702 of the Foreign Intelligence Surveillance Act (FISA Section 702) and Executive Order (E.O.) 12333. Additionally, the European Parliament Committee on Civil Liberties, Justice and Home Affairs identified concerns with FISA in the context of data transfers to the United States earlier this year.

At a high level, FISA Section 702 permits the U.S. government to acquire the communications data of non-U.S. persons abroad for defined foreign intelligence purposes from electronic communication service providers (ECSPs). In order to acquire this data, the Foreign Intelligence Surveillance Court (FISC), an independent judiciary, must approve a written certification submitted by various government officials that authorizes the requested collection activities. If a request is approved by the FISC, the U.S. government may compel ECSPs to provide the U.S. government with specific information.

Unlike FISA Section 702, E.O. 12333 does not authorize the U.S. government to compel or require ECSPs or other private entities to disclose or provide access to data. Instead, E.O. 12333 provides a framework that governs the surveillance activities of U.S. intelligence agencies and permits the collection, retention, and dissemination of certain foreign intelligence, narcotics, or terrorism-related information. E.O. 12333 has reportedly been used as a basis for the “bulk” collection of communications data overseas, such as information associated with telephone calls to map communications between members of terrorist groups.

Although both FISA Section 702 and E.O. 12333 have potentially broad applicability to many U.S. companies, to address potential concerns of data exporters with regard to these regimes, companies conducting TIAs should consider not only evaluating how FISA Section 702 and E.O. 12333 theoretically apply to the contemplated transfer, but also how the regimes may apply in practice. For instance, the U.S. Department of Commerce released a white paper in 2020 explaining that “the overwhelming majority of companies have never received orders to disclose data under FISA 702 and have never otherwise provided personal data to U.S. intelligence agencies.” Similarly, the types of information targeted under FISA Section 702 and E.O. 12333 may not be processed by all companies.

IV.  TIA Takeaways

Companies engaging in cross-border data transfers from the European Economic Area to the U.S. in reliance on the SCCs should be prepared to develop TIAs that meet the criteria articulated in conjunction with the new SCCs’ requirements. Even if companies are able to rely exclusively on the old SCCs—which do not expressly require TIAs to be conducted—until these SCCs sunset in December 2022, it is likely that TIAs will quickly become a standard market practice and commercial requirement as the new SCCs become widely used. Though TIAs can vary significantly in complexity based on the specific data transfer contemplated, and a formal TIA may take some time to complete, companies should begin developing standard responses to commonly asked questions around their relationship to U.S. surveillance regimes.

An Update on the Ransomware Epidemic: An Overview of Key Ransomware Trends, and Considerations for Preparation and Response

With ransomware attacks on the rise, no organization can afford to be caught unprepared. Ransomware’s resilience stems primarily from its ease of use, its profitability, and the general lack of repercussions for the ransomware operators who employ it. Barring significant shifts in technology or policy, such as unanimous international agreement to prosecute ransomware operators in territories where they currently enjoy safe harbor, ransomware attacks will likely remain common.

Government approaches to disincentivizing and degrading ransomware operations will continue to be multifaceted but are likely to remain uneven and only moderately effective at best. Therefore, it remains vital for individual organizations to bolster their awareness of, and resilience to, the evolving ransomware landscape.

I.  Ransomware Trends and Developments

Ransomware is a dynamic threat. Effective mitigation and response require an understanding of recent trends and developments.

Tactics and Techniques: Not Just Encryption and Exfiltration, but Now Double Extortion. Ransomware tactics and techniques have become increasingly sophisticated over the past few years and have moved beyond encrypting files and demanding a ransom to unlock them. Current ransomware attacks commonly incorporate data exfiltration (theft) to commit what is known as double extortion attacks. In these attacks, victims are prompted to pay an additional fee for the promise that exfiltrated data will be deleted or will not be publicly leaked.

Additionally, some ransomware operators have been known to contact a victim’s clients or customers directly, and others have publicly claimed that they target entities that hold cyber insurance coverage, using client lists stolen from insurers, in the belief that a payout is more likely if a target is insured. Variations of these methods provide leverage in ransom negotiations by creating additional pressure on, and risk for, the victim, while also providing alternative opportunities for perpetrators to profit. Depending on the tactics and techniques used, legal and regulatory responsibilities may vary by incident.

Ransomware Families. Ransomware variants are typically categorized into families of malware that share common elements or are evolutions of a prior variant. While there are numerous families, only a handful of them typically make up the majority of infections at any one time. However, focusing on a particular variant may not be a prudent long-term strategy, because ransomware tends to evolve quickly as attackers add new capabilities, alter tactics, and look to stay ahead of defenses.

Ransomware-as-a-Service (RaaS): Licensing the Tools for a Share of Profits. It has become a growing trend for some ransomware groups to provide ransomware tools, services, and even highly detailed playbooks to less sophisticated entities in exchange for a portion of their illicit profits. These RaaS operators significantly lower the barrier to entry for would-be cyber criminals and make it easier for them to successfully compromise targets. Increasing numbers of novice cyber criminals with access to sophisticated tools may raise the risk of indiscriminate attacks with unintended and outsized secondary effects.

Sector- and Industry-Specific Impacts. Ransomware attacks affect entities of all sizes in all sectors. However, ransomware actors are pragmatic and adaptable. They will look for victims for whom service disruptions are especially damaging (e.g., critical infrastructure, local government, and healthcare), as they are deemed more likely to pay and pay quickly. Additionally, current events that heighten the criticality of specific sectors or industries, such as geopolitical conflict or pandemics, often influence ransomware threat actor behavior.

Cyber Insurance Trends: More Demand, Higher Premiums, Less Coverage. The cyber insurance market has seen a number of ransomware-driven trends accelerate in the last two years. The U.S. Government Accountability Office (GAO) published a report that identified several trends in the cyber insurance industry, many of which are in response to the increased frequency and severity of ransomware attacks. Entities looking to purchase or maintain cyber insurance coverages should consider the following key findings from this report when evaluating coverages:

  • More Demand for Cyber Coverage. The number of cyber policies in force has increased by about 60% from 2016 to 2019. One global insurance broker indicated that the proportion of its existing clients electing cyber coverage increased from 26% in 2017 to 47% in 2020. The increase in cyberattacks, including ransomware, was cited as a factor in this growth.
  • Premiums Went Up. Cyber premiums held relatively steady in 2017 and 2018, but increased significantly in 2020. GAO found that more than half of insureds saw prices for cyber insurance coverage increase by 10–30% between Q3 and Q4 2020. GAO noted that ransomware was a key factor in premium increases.
  • Reduced Coverage Limits for Targeted Industries. In addition to the increase in prices, the increased frequency and severity of cyberattacks, and especially ransomware attacks, has led insurers to reduce coverage limits for certain industries, including healthcare, education, and public/government entities.
  • Ransomware-Specific Limits. In addition to reducing coverage for certain industries, insurers have begun to institute specific limits on ransomware coverages.

Administrative Policy and Legislation. The Biden administration has increasingly adopted a multifaceted whole-of-government approach to mitigating the threat ransomware poses to both the public and private sectors. A recent White House FACT SHEET succinctly categorized the administration’s public actions into buckets of resilience, disruption, international engagement, and curbing virtual currency abuse.

Major ransomware incidents such as those affecting Colonial Pipeline and Kaseya have also generated significant interest from members of Congress. In recent months, bills that would require cyber incident reporting and ransom payment reporting have garnered bipartisan support as a means of gaining a clearer picture of the ransomware environment. This interest increases the likelihood that mandatory cybersecurity incident/ransomware reporting will pass into law. The scope of such legislation is still being debated, but critical infrastructure entities will likely be subject to new requirements.

II.  Ransomware Preparation and Response

Organizations can mitigate the threat ransomware poses through investment in cybersecurity and incident response preparation.

Ransomware-Related Cybersecurity Guidance. Despite the variety of ransomware tactics and tools, cybersecurity best practices, such as those outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA) Ransomware Guide, remain effective at mitigating ransomware risk when properly implemented. Organizations should also consider adopting a risk-based cybersecurity approach using tools such as the NIST Cybersecurity Framework and its associated ransomware profile to strengthen their cybersecurity program.

Third-Party Services. Few organizations possess comprehensive in-house ransomware expertise, and it is often valuable to retain third-party services that provide some combination of cyber threat intelligence, security risk assessments, ransomware negotiation assistance, incident response and recovery assistance, and outside legal counsel.

In particular, the threat of litigation and regulatory enforcement actions arising from ransomware incidents makes it important for organizations to consider the attorney work product doctrine in conducting ransomware investigation activities. The work product doctrine and attorney-client privilege make it harder for opposing parties to obtain in discovery materials prepared in anticipation of litigation or contained in communications with outside counsel for purposes of obtaining legal advice, which can include the results of forensic investigations following a security breach or ransomware infection.

However, courts have begun to look more critically at the work product doctrine in the data breach context. While this scrutiny creates uncertainty regarding discoverability of investigation materials, there is often even more skepticism about assertions of privilege regarding materials relating to remediation processes, ransomware negotiation activities, and certain aspects of the decision regarding whether to pay a ransom. That does not mean that it is impossible to assert work product protection over such materials in every case, but it is likely more challenging, and engaging knowledgeable outside counsel early in the process and appropriately structuring relationships with third-party service providers are crucial to maximizing such protections.

Government Notification. In the event of a ransomware incident, an organization may be required to contact certain government entities, while contacting other government entities on a voluntary basis may be advisable. The determination to contact government entities will be influenced by the unique nature of the ransomware incident as well as general and sector-specific rules and regulations. Organizations should endeavor to understand which government entities can or must be contacted (e.g., the Federal Bureau of Investigation or the Cybersecurity and Infrastructure Security Agency), how and when they should be contacted, and what can be expected from them in return.

Risk of OFAC Violations for Ransomware Payments. The Treasury Department’s Office of Foreign Assets Control (OFAC) has continued to warn of the sanctions risks associated with ransomware payments. These risks include enforcement actions that could lead to significant civil and criminal penalties. It is crucial to recognize that paying a ransom may risk OFAC sanctions, even if you are unaware that you are violating the law at the time.

Furthermore, if the decision is made to pay a ransom, it is important to stay abreast of OFAC lists of designated actors, as the lists change frequently. There is a risk that a ransomware operator may be designated by OFAC or traced to a sanctioned jurisdiction during the time period between the decision to pay the ransom and the time the payment is actually made. This not only risks OFAC enforcement actions, but can also cause a cyber insurance provider to exclude or deny reimbursement for the ransom payment.

FTC Enforcement Trends Underscore Focus on Privacy

With new FTC leadership materializing under the Biden administration, a new agenda has begun to take shape, offering a glimpse into the agency’s enforcement priorities. Below follows an examination of the Commission’s stated priorities for enforcement and trends in recent enforcement actions.

I.  FTC Enforcement Priorities

The confirmation of FTC Chair Lina Khan in June 2021 marked the beginning of a transformative period for the Commission. In the ensuing months, the Commission has held multiple open meetings and implemented modifications to its investigative processes and even to its own rulemaking authority. Chair Khan emphasized the likelihood of new rulemakings in the appointment of Olivier Sylvain as a senior advisor on rulemaking and emerging technology on October 7, 2021. A few weeks later, a group of more than 40 civil rights and privacy organizations sent a letter to the FTC urging that draft rules that address “the entire life cycle” of data crack down on discriminatory and abusive data practices and establish “clear rules against discriminatory and abusive data practices.”

At its first open meeting in July 2021, the Commission approved a series of changes to FTC procedures, including omnibus resolutions directing FTC staff to use “compulsory processes,” such as civil investigative demands and subpoenas to investigate key enforcement priorities without obtaining additional approval from the Commission. According to the resolutions, industries of interest include technology platforms, healthcare, and pharmaceuticals. Chair Khan and Commissioner Slaughter explained in a joint statement that the resolutions focus on unlawful conduct targeted at children, bias in algorithms and biometrics, and dark patterns, which “are being used to manipulate and lure users into making unwanted purchases.”

While the FTC’s dual mandate to protect consumers and promote competition has historically resulted in separate enforcement of privacy and antitrust matters, Chair Khan announced the Commission’s plans to take a more “holistic approach” to identifying harms, paying special attention to “next-generation technologies, innovations, and nascent industries across sectors.” In detailing her strategic approach, Chair Khan emphasized the need to view the Commission’s mandates as integrated goals rather than as two distinct siloes. Chair Khan’s vision for the Commission aligns with President Biden’s July 2021 Executive Order on Promoting Competition in the American Economy.  The Executive Order specifically encourages the FTC Chair to exercise rulemaking authority to address “recurrent practices that inhibit competition,” including “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.”  This convergence of privacy and competition enforcement is further exemplified in a recent staff report on the privacy practices of internet service providers. Chair Khan identified a need for a new paradigm to evaluate anticompetitive behavior that moves beyond procedural requirements and instead considers substantive limits. To that end, Chair Khan has expressed a desire for the Commission to consider how deals may “enable the degradation of user privacy” during the merger review process.

Similarly, in a recent report to Congress, the FTC highlighted the potential impact this integration of privacy and antitrust may have on privacy enforcement, emphasizing a focus on four areas: integrating competition concerns, advancing remedies, focusing on digital platforms, and expanding guidance on and an understanding of consumer protection and competition implications of algorithms. According to the Commission, integrating privacy and competition is both necessary and appropriate, because the largest players in digital markets gain power through access to and control over user data. Chair Khan believes that it can address the intersection of these two issues and, through competition-based remedies, curtail the competitive advantage of unfair or deceptive practices related to privacy. Chair Khan underscored that there is a “growing recognition [at the FTC] that persistent commercial data collection implicates competition as well as privacy.”

II.  Trends in Recent Enforcement Actions

Recent FTC cases reveal a heightened focus on privacy, advertising, and surveillance matters. By a 3-2 vote during one of its open meetings, the Commission signaled an interest in combating secretive data practices that it has said are unlikely to be expected by reasonable consumers under the circumstances, such as unexpected secondary uses of data and deceptive communications, particularly as they relate to consumer privacy, artificial intelligence, and facial recognition. The Commission has previously brought actions with allegations including the secret harvesting of data on individuals’ physical movements, phone use, and online activities; deceptive advertising of a service and failure to protect personal data about subscribers; and deception regarding use of facial recognition technology. This trend is likely to continue after the FTC approved resolutions prioritizing (1) unfair, deceptive, anticompetitive, collusive, coercive, predatory, exploitative, or exclusionary acts or practices relating to algorithms and biometrics and (2) unfair, deceptive, anticompetitive, collusive, coercive, predatory, exploitative, or exclusionary acts or practices relating to the marketing of goods and services online, the manipulation of user interfaces, or the use of e-mail, metatags, computer code or programs. The resolutions expand investigations in both areas.

The FTC has also adjusted its enforcement strategies in response to court rulings and new priorities. In AMG Capital Management, LLC v. Federal Trade Commission, a U.S. Supreme Court case decided two months before Chair Khan was confirmed as a commissioner, the Court rejected the FTC’s argument that Section 13(b) authorized it to obtain monetary relief in enforcement actions in District Court. This change did not affect the FTC’s ability to seek monetary penalties for rules such as those issued under Section 18 of the FTC Act defining unfair and deceptive practices, however, and the FTC subsequently approved modifications to streamline the process for issuing such rules.

Notice of Penalty Offense letters may also become a new tactic for obtaining civil penalties. Under Section 45 of the FTC Act, the Commission may notify companies via Notice of Penalty Offense letters that it has determined certain acts or practices to be unfair or deceptive. A company that receives such notice is then presumed to have “actual knowledge” that the practice in question violates the law under Section 5(m)(1)(B)(2) of the FTC Act, and the FTC may file a lawsuit against the company in Federal District Court if it finds that a recipient of a Notice of Penalty Offense Letter engaged in the conduct addressed in the letter. The Penalty Offense authority has recently garnered more attention, owing in part to a law review article co-written by former FTC commissioner Rohit Chopra in 2020 and his then attorney advisor, now Director of the Bureau of Consumer Protection, Sam Levine. The article suggests several areas in which the FTC could use its Penalty Offense authority, including for-profit college fraud, false earnings claims in the gig economy, and deceptive reviews. Since the article’s publication, the FTC has sent letters to hundreds of companies regarding all three practices.

These changes to the way the FTC is now exercising its authority under Section 19 of the FTC Act and Chair Khan’s desire for a new enforcement framework provide context as the Commission more frequently seeks certain types of remedies, including high monetary penalties and more extensive injunctive remedies. For example, under former Chair Simons, the FTC increasingly mandated comprehensive privacy and information security programs and more commonly required notice to consumers. Other cases before and after Chair Khan’s appointment underscored the Commission’s willingness to impose higher fines and stricter requirements, with FTC orders mandating deletion of data, models, or algorithms derived from consumer content, including instructing third parties that received such data to destroy it. Hinting at an even stronger measure the Commission may be willing to take, the agency banned a company from the surveillance business in 2021. The then-acting director, and now current director, of the FTC’s Bureau of Consumer Protection stated that the FTC will be “aggressive about seeking surveillance bans” when it finds egregious invasions of privacy, and the current Commission is likely to continue seeking larger fines and stricter injunctions.

With the implementation of major changes and FTC activity ramping up, privacy is expected to play a more central role in the Commission’s actions than it has in the past. Recent actions and stated priorities demonstrate that the current Commission is seeking to use its existing authority and explore new methods to investigate and address alleged privacy harms, particularly where they intersect with the Commission’s competition authority or emerging technology issues.