Photo of Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Keypoint: President Biden shows a strong preference for the cybersecurity expertise of former National Security Agency (NSA) leaders with his choices for significant cyber roles within his administration.

On April 12, 2021, the White House announced that President Biden selected two individuals to join his administration in the area of cybersecurity. Mr. Chris Inglis is nominated to be the first national cyber director, and Ms. Jen Easterly is nominated to serve as the new director of the Cybersecurity and Infrastructure Security Agency (CISA). Both positions require confirmation by the U.S. Senate.

Keypoint: New Utah law creates incentive for businesses to develop and implement a written cybersecurity program to protect themselves against data breach lawsuits.

On March 11, 2021, Utah governor Spencer Cox signed the Cybersecurity Affirmative Defense Act, which creates affirmative defenses to certain causes of action arising out of a breach of system security.

Health Insurance Portability and accountability act HIPAA and stethoscopeAs an update to our previous post, HHS announced that the deadline to submit comments on their proposed rule to revise HIPAA regulations was extended until May 6, 2021. Changes contemplated by the proposed rule involve relaxing certain privacy standards, strengthening individuals’ rights to access their protected health information (PHI) and other initiatives that

Keypoint: New York’s Division of Financial Services (DFS) now requires Property and Casualty Insurers writing cyber insurance to comply with the Division’s Cyber Insurance Risk Framework to manage their risk.

In her letter introducing the Cyber Insurance Risk Framework, DFS Superintendent Linda Lacewell states that the increase in frequency and cost of ransomware has not only shown that cybersecurity is of critical importance to modern life, but also that cyber insurance plays a vital role in the mitigation and reduction of risk from ransomware.

According to its 2020 survey, DFS found a 180% increase in the number of ransomware claims between 2018 and 2019, with an increase of 150% on average for the costs associated with those claims. The problem continued in 2020, where DFS received nearly double the number of reports of ransomware attacks from the year prior. Not only are these trends a concern for consumer protection and infrastructure security, the escalating costs pressure the cyber insurance industry to raise prices, tighten its underwriting standards, and issue sweepingly broad exclusions.

Keypoint: April 12, 2021 is the deadline to comment on a proposed rule that would require banking organizations and bank service providers to promptly report computer-security incidents.

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively the “agencies”) are requesting public comment on a proposed rule requiring banks to notify the applicable agency within 36 hours when the banks believe in good faith that a significant cybersecurity event has occurred. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2399 (Jan. 12, 2021).

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.

On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.

The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, (iii)implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.

Key Point: California AG Becerra’s investigation into security flaws in the Glow fertility app results in a settlement agreement that resembles recent enforcement agreements in New York but is also unique in requiring the app’s developer to consider gender-specific concerns within its privacy-by-design principles.

“When you meet with your doctor or healthcare provider in person, you know that your sensitive information is protected. It should be no different when you use healthcare apps over the internet,” according to California’s Attorney General Becerra. The consequences of not having the appropriate data protections? It means “a digital disclosure of your private medical records is instantaneously and eternally available to the world” per Becerra.

For these reasons, especially in the new era of telemedicine, developers of medical applications (health app) understand that consumers’ privacy and security must be protected. “Excuses are not an option,” Becerra warns. California’s settlement agreement with Upward Labs Holdings, Inc. (Upward Labs) and its subsidiary Glow, Inc. (Glow), is an example that Becerra’s warning should not be ignored.

Key Point: The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Resulting in Zoom Promising to Implement an Information Security Program, Resembling the SHIELD Act

Key point: The Letter of Agreement between the New York Attorney General and Zoom Video Communications, Inc. provides insight into what the Attorney General may consider satisfying the Reasonable Safeguards requirement under the SHIELD Act.

On May 7, 2020 Zoom Video Communications, Inc. (Zoom) became the first company to experience one of the new enforcement tools available to the New York Attorney General’s Office (NYAG) under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The SHIELD Act took effect on March 21, 2020, and requires any person or business owning or licensing computerized data containing the private information of a New York resident “to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information.” GBL § 899-BB(2).