Regulatory Playbook | Pillsbury Law | Cybersecurity, Privacy & Data Protection | Insights
Regulatory Playbook
Inside analysis direct from Washington, DC

Cybersecurity, Privacy & Data Protection

  • Cross-Border Data Transfer Mechanisms and Requirements in China

    In recent years, alongside the rapid development of the digital economy and the concomitant increase in data generation, collection, processing and monitoring in the People’s Republic of China (PRC or China), the Chinese government has accelerated efforts to establish a robust legal framework for data protection. Over the past five years, China has promulgated several major data protection laws, including the Cybersecurity Law (CSL) (effective from June 1, 2017), the Personal Information Protection Law (PIPL) (effective from November 1, 2021) and the Data Security Law (DSL) (effective from September 1, 2021), together with a series of implementation regulations and administrative guidance. These laws and regulations, particularly with respect to requirements on the processing of personal information and cross-border data transfer, pose significant challenges and compliance obligations for multinational companies when conducting business in and with China. This article outlines our observations of the mechanisms and practice of cross-border transfer of personal information under China’s current legal framework.

  • New Biden Administration Cyber Strategy Proposes Dramatic Shift in Order to Hold Software Developers Liable for “Insecure” Software

    On March 2, 2023, the Biden administration released its National Cybersecurity Strategy (“Strategy”) to create a more defensible, resilient and value-aligned digital ecosystem, which includes, among other priorities, the administration’s efforts to make software firms liable for system insecurities.

  • China Publishes Measures on Standard Contract for Cross-border Transfer of Personal Information

    The Cyberspace Administration of China (CAC) issued the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (Standard Contract Measures) on February 24, 2023, which includes a template standard contract (Standard Contract). The Measures will take effect on June 1, 2023, but set forth a six-month grace period until December 1, 2023, to provide companies with time to take actions for compliance.

  • New UK GDPR Reform Bill Published

    Businesses already face an uphill struggle keeping pace with fast changing and numerous new data laws being passed in multiple U.S. states as well as countries around the world. The one silver lining has been the emergence of a recent trend of basing, to some extent, many of these new laws on the GDPR. This means that one way forward has been to look to build upon effort already expended on creating and administering GDPR compliance frameworks, albeit with updating needed for relevant recent changes or enforcement. The UK government changes therefore may well leave some feeling nervous. The changes to the UK GDPR will have to be scrutinized after the post-parliamentary readings to assess final impact of the Data Protection & Digital Information (No.2) Bill (DPDI2) (e.g., regarding fines, AI, cookies, transfers, legitimate interests, records of processing activities (ROPA), data protection officers (DPOs), Data Protection Impact Assessments (DPIAs), etc.). We will also have to see how the EU responds, as any removal of adequacy status will add further complications to EU-UK data transfers. Any business with UK operations, customers, suppliers or partners will need to freshly review and consider changes to its policies, documents and procedures to account for DPDI2.

  • New UK GDPR Proposals Incoming

    Businesses already face an uphill struggle keeping pace with fast changing and multiple new data laws being passed in multiple U.S. states as well as numerous countries around the world. The one silver lining has been the emergence of a recent trend of basing, to some extent, many of these new laws on the GDPR. This means that one way forward has been to look to build upon effort already expended on creating and administering GDPR compliance frameworks, albeit with updating needed for relevant recent changes or enforcement. The current efforts of the UK government therefore may well leave some feeling nervous. The details of any proposed changes to the UK GDPR will have to be scrutinized to assess impact (and to see if Data Protection & Digital Information Bill (DPDI) proposals regarding fines, cookies, data protection officers (DPOs), Data Protection Impact Assessments (DPIAs), etc. survive). We will also have to keep an eye on how the EU responds, as any removal of adequacy status will add further complications to EU-UK data transfers. One thing that is for certain is that any business with UK operations, customers, suppliers or partners will need to freshly review and likely make changes to its policies, documents and procedures to account for any changes this year.

  • The SEC’s Fast-Approaching Cybersecurity Overhaul for Public Companies and Regulated Entities

    In remarks last year, Gary Gensler, Chair of the Securities and Exchange Commission (SEC) made clear that the SEC “has a role to play” in regulating cybersecurity in the name of “maintaining orderly markets.” That role cannot be overstated.

  • FCC Proposes Updates to Customer Proprietary Network Information Breach Reporting Requirements

    The Federal Communications Commission (FCC) has proposed to update its data breach reporting requirements to address increasing security breaches in the telecommunications industry. In December 2022, the FCC released a Notice of Proposed Rulemaking (NPRM) launching a proceeding to improve the process for notifying customers and federal law enforcement of breaches that may have exposed customer proprietary network information (CPNI). In the NPRM, the FCC proposed several revisions to its data breach rules (which have not been updated since 2007) and seeks comment on those proposals.

  • Businesses Should Consider the SAFETY Act a Core Part of Their Ransomware Defense Program

    The SAFETY Act, a liability management program managed by the Department of Homeland Security, can be used by businesses to limit or eliminate potential liability associated with ransomware attacks.

  • DHS to Boost State and Local Cybersecurity Programs with $1 Billion in Grant Funding

    On September 16, 2022, the Department of Homeland Security (DHS) announced a Notice of Funding Opportunity (Notice) for a “first-of its-kind” program providing cybersecurity grants for state, local and territorial governments across the country through the State and Local Cybersecurity Grant Program (SLCGP). The agency is poised to provide similar assistance to tribal governments through the Tribal Cybersecurity Grant Program (TCGP), which is expected to be announced in the coming months.

  • China Passes Long-Awaited Measures on Security Assessment for Data Export

    On July 7, 2022, the Cyberspace Administration of China (CAC) of the People’s Republic of China (PRC or China) released the final version of the long-awaited Measures on Security Assessment for Data Export (Measures, “《数据出境安全评估办法》” in Chinese). The Measures specify the thresholds of data and information, the export of which is subject to CAC’s security assessment.

  • Landmark Federal Privacy Bill Clears First Congressional Hurdle

    In early June, Rep. Frank Pallone (D-NJ-6) and Rep. Cathy McMorris Rodgers (R-WA-5), the Chair and Ranking Member of the House Energy & Commerce Committee, along with Senator Roger Wicker (R-MS), Ranking Member of the Senate Science, Commerce & Transportation Committee, unveiled a draft federal privacy bill known as the “American Data Privacy and Protection Act.” The proposal—the first to garner bipartisan, bicameral support in Congress—would establish a national framework to protect consumer data privacy and security and bolster individual privacy rights.

  • Contractor Settles Cybersecurity-Related False Claims Act Suit for $9 Million

    A seven-year long False Claims Act suit comes to an end after Aerojet Rocketdyne reaches a $9 million settlement agreement for its alleged false certification of compliance with cybersecurity requirements.

  • DoD Increases Focus on Cybersecurity Compliance

    A recent DoD memorandum should serve as a warning to contractors that they need to focus on cybersecurity compliance now or risk serious consequences.

  • Staff Accounting Bulletin No. 121: Guidance for Entities Safeguarding Crypto-Assets Issued

    On March 31, 2022, the Division of Corporation Finance and the Office of the Chief Accountant (staff) of the U.S. Securities and Exchange Commission (SEC) issued Staff Accounting Bulletin No. 121 (SAB 121), which “adds interpretive guidance for entities to consider when they have obligations to safeguard crypto-assets held for their platform users.”

  • Bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 Signed into Law

    The new law arrives during a notably troublesome cybersecurity environment, in which the United States’ most crucial commercial sectors could be vulnerable to cyber intrusions and demands for ransomware payments.

  • Twelve Hours to Get It Right: The SEC Intensifies Its Focus on Cybersecurity

    On the morning of May 24, 2019, a cybersecurity journalist notified First American Financial Corporation (First American) that one of its key applications had a serious vulnerability. First American, a publicly traded company that provides real estate settlement services, utilized the application Eagle Pro to share images of legal and financial documents used in real estate closings. According to an anonymous source, the vulnerability allowed unauthorized users to access over 800 million documents that had been shared with First American. Many of these documents contained sensitive data, such as social security numbers, financial records and driver’s licenses, which the journalist who published the article later that day described as “a virtual gold mine for phishers and scammers.”

  • DOJ Announces Civil Cyber-Fraud Initiative to Combat Cybersecurity Threats

    DOJ launches new initiative that promises to use the False Claims Act to combat cybersecurity threats by targeting government contractors who knowingly fail to comply with cybersecurity protocols.

  • Bipartisan Senators Introduce the Cyber Incident Notification Act of 2021

    On July 21, 2021, Senator Mark Warner (D-VA), chair of the Senate Intelligence Committee, and a bipartisan group of co-sponsors including Senator Marco Rubio (R-FL) and Senator Susan Collins (R-ME), formally introduced the Cyber Incident Notification Act of 2021. In light of high-profile cybersecurity incidents such as the Colonial Pipeline attack, the Act aims to require companies and federal agencies to quickly report cybersecurity intrusions to the Federal Government.

  • Colorado’s Emergent Consumer Privacy Bill Introduces Chance to Opt Out of Data Processing

    On June 8, 2021, the Colorado Senate passed SB 21-190, a comprehensive consumer privacy bill. Signed into law on July 7, 2021, the bill gives consumers the right to opt out of the processing of their personal data and to request that personal data be corrected or deleted.

  • China Publishes New Draft Regulations on Data Security Management of Automobile Operators to Protect Privacy

    On May 12, 2021, the Cyberspace Administration of China (CAC) published the Several Regulations on the Management of Automobile Data Security (Draft for Comment) (Draft Regulations). The Draft Regulations are open for public comment until June 11, 2021. According to the CAC’s statement, due to growing concerns over personal data security and privacy protection in the People’s Republic of China (PRC), the Draft Regulations aim to strengthen protection of personal information and important data in automobile-related activities, as well as safeguard national security and the public interest. Below is our summary of the highlights of the Draft Regulations.

  • Cybersecurity Executive Order Will Impact Government Contractors

    President Biden’s new Executive Order to improve cybersecurity involves a particular focus on federal government and contractor systems.

  • COVID-19 Business Interruption Losses: Time is of the Essence to Pursue Coverage

    The United States declared a national emergency in response to COVID-19 on March 13, 2020, and states quickly followed with stay-at-home orders that impacted businesses and institutions nationwide. More than 10 months have passed since the COVID-19 pandemic emerged in the United States and the prevalence of the virus has had significant impacts, not only with respect to the number of people infected and lives lost, but also to the widespread physical damages and economic losses suffered by businesses.

  • Copyright Small-Claims Court Established by Congress in the CASE Act

    According to Register of Copyrights in its 2013 Report on Copyright Small Claims, “small claims issues are anything but small. On the contrary, they present a range of complex considerations, from constitutional constraints to procedural concerns to questions of what claims should be eligible for alternative treatment.” Before the recently enacted CASE Act, there had not been a small-claims court with jurisdiction to hear copyright claims.

  • Congressional and Government Investigations in 2021: What to Expect from the Biden-Harris Administration and How to Prepare

    Government investigations pose many risk management challenges. They are unpredictable, political and often public. If handled incorrectly, they can last for many years, spiral into multiple Congressional, criminal, and/or regulatory investigations at the state and federal levels, and generate serious reputational harm. Potential targets can take proactive steps to mitigate their risks.

  • China Publishes Import License List and Export Control List for Commercial Encryption

    One day after China’s new Export Control Law took effect, on December 2, 2020, China’s Ministry of Commerce (MOFCOM), the State Cryptography Administration (SCA) and the General Administration of Customs (GAC) jointly issued an Announcement on the Issuance of Import Licensing List, Export Control List and Related Administrative Measures for Commercial Encryption (Encryption Announcement) to restrict commercial encryption products and related technology. The Encryption Announcement takes effect on January 1, 2021, and includes: (1) a list of commercial encryption items subject to import licensing requirement (Encryption Import List); (2) a list of commercial encryption items subject to export control (Encryption Export List); and (3) procedures for the application of import and export licensing of commercial encryption (Encryption Licensing Procedures).

  • Cookies and Tracking Under Increased Scrutiny as Irish Data Regulator Issues New Enforcement Guidance

    Businesses tracking website visitors and customers via cookies and other techniques are reminded that this is an area of increased scrutiny and many prior practices won’t be acceptable. Regulators have signalled changes need to be made to comply and they will increase enforcement.

  • New York Expands Cybersecurity and Data Breach Law

    On July 25, 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which broadens the scope of existing New York breach notification and data protection laws that trigger notification to affected consumers. The New York Attorney General will enforce the SHIELD Act (S.5575B/A.5635), which extends the reach of New York breach notification requirements to any person or entity holding private information of a New York resident, regardless of whether the breached company conducts business in New York State. This provision could significantly expand the set of companies subject to New York reporting requirements. The law also broadens the definition of breach, expanding a data breach to any situation involving unauthorized “access” to confidential information regardless of whether such data is “acquired.” The SHIELD Act does not create a private cause of action; however, the New York Attorney General may bring an action for civil penalties or to enjoin unlawful practices. The SHIELD Act also expands the time period within which the New York Attorney General may bring an action from two to three years. Penalties for violation of the data breach provisions can be imposed in the amount of the greater of $5,000 or up to $20 per instance of a failed notification, up to $250,000. Penalties for failing to adopt reasonable safeguards can be imposed up to $5,000 per violation.

  • Countdown to CCPA #2: GDPR Compliance Does Not Equal CCPA Compliance

    The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information.

  • Countdown to CCPA: Do You Know Where Your Data Is?

    It’s January 2, 2020, and you just received 25 requests asking for disclosure about your data collection, use and sharing practices and for a copy of the specific pieces of personal information you collected about the requesting individuals during the last 12 months. You have 45 days to respond. What do you do? Close down the business so you can find the information? By being prepared you can avoid a crisis.

  • The Deadline Looms for New York Cybersecurity Regulations Vendor Compliance Requirements

    Financial institutions regulated by the New York Department of Financial Services (DFS)—referred to in this post as “Covered Entities”—should by now be well familiar with the department’s sweeping cybersecurity regulation, 23 NYCRR 500, that became effective on March 1, 2017. The regulation delves into a level of detail (e.g., multi-factor authentication and encryption requirements) and requires a level of senior level attention (e.g., annual attestation of compliance, signed by the Board of Directors or a Senior Officer) heretofore unseen in U.S. federal or state regulations.

  • Pillsbury's Post-Election Outlook

    The 2018 Midterm Election played out as most poll forecasters speculated. Although several races have yet to be decided, Republicans have retained control of the Senate, but lost at least 29 seats, allowing the Democrats to wrest back control of the House for the first time since 2010.

  • 2018 Election Night Guide

    Pillsbury’s Political Law and Public Policy groups break down the need-to-know numbers for this year’s election. Pillsbury’s biennial Election Night Guide examines the potential outcomes for the 2018 Congressional and Governor’s races. Our Public Policy team is also preparing a post-election guide that will be useful in navigating potential changes in Congress.

  • New EU Data Laws—What Nonprofit Organizations Need To Know

    Nonprofit organizations can often handle large amounts of data originating in the EU. Though it is a common misconception that nonprofits are exempt from GDPR compliance, the fact is they are not.

  • Blockchain and the Legal Landscape

    In this video, Pillsbury partner Mercedes Tunstall discusses some of the important legal issues to consider when exploring a blockchain solution.

  • Oh No, Mr. Robot Just Hacked Our Smart Building…

    Despite some very real-world examples, such as a 2017 breach of Dallas' emergency siren system, there seems to be little recognition of the security risk that connected buildings and smart cities entail.

  • Top Ten Emerging Trends in Pay Ratio Disclosure

    Preliminary trends are emerging from the pay ratio disclosures filed by U.S. public companies in 2018.

  • Court of Appeals Rolls Back Portions of the FCC’s 2015 Robocall and Text Ruling

    A recent Court of Appeals decision will rescind some aspects of the Telephone Consumer Protection Act and have significant implications for businesses contacting consumers by telephone or text.

  • Safety from Hackers—and Trial Lawyers

    A simple legislative fix would shield cybersecurity innovators from costly nuisance lawsuits.

  • European Businesses Offering Payment Services Told How to Manage Operational and Security Risks

    The European Banking Authority has unveiled nine operational and risk management guidelines with which all payment services providers are expected to comply.

  • December 31, 2017 Deadline for Cybersecurity under DFARS 252.204-7012 Re-Interpreted

    With the December 31 deadline for cybersecurity compliance just around the corner, the Department of Defense has clarified some of its expectations.

  • Time Is of the Essence: Multinational Companies Must Respond to Cyber Regulation

    Cyberinsurance could help mitigate risk for companies impacted by the new EU General Data Protection Regulation when it takes effect in May.

  • EU Data Transfer Solutions Under Further Judicial Scrutiny – What Next For Model Contract Clauses?

    Many organizations rely on MCCs to transfer personal data worldwide. That's why data exporters await an EU ruling on the issue with bated breath.

  • The ICO’s Draft Guidance Leaves Unanswered Questions on Processor Obligation to Notify Infringing Instructions

    One GDPR requirement has been a particular source of angst for commercial and data protection professionals--especially those acting for processors and sub-processors.

  • Cyberattacks Are the New Norm

    Attorneys general are increasingly launching investigations and filing lawsuits against companies whose customer databases have been stolen. Because of the significant possibility of government action, companies should fully understand their liability insurance policies, obligations and risks.

  • Disclose or Else: FTC Steps Up Prosecution of Social Media Influencers

    In September 2017, the Federal Trade Commission brought its first-ever action against a social media influencer for failing to make appropriate disclosures on sponsored posts. Going forward, anyone who posts sponsored material or even tags a brand in a post should seriously consider the possibility of FTC prosecution.

  • The Internet Stole My Face: New Advances in Technology Could Make Everyone a Digital Video Puppet

    Visual effects artists can create realistic digital replicas of actors that can be manipulated like puppets, and new developments in software technology could soon make digital puppetry accessible to the masses. Protections against unauthorized use of digital replicas can involve copyright or traditional tort claims, but if this technology continues to spread, the difficulty in controlling one’s own likeness will probably increase.

  • Keeping up with Cayla: Concerns over Interactive Toys Spur an FTC Update of COPPA Guidelines

    Consumer groups have filed a complaint alleging that My Friend Cayla, an internet-connected doll, violates the Children’s Online Privacy Protection Act (COPPA) by facilitating the collection of children’s communications and uploading them for commercial use without verifiable parental consent. The Federal Trade Commission’s June 2017 update to COPPA added internet-connected toys, children’s products that collect personal information, and voice-activated devices to the products and services covered.

  • Executive Order on Cybersecurity: Considerations for Business

    The long-awaited Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure represents the Trump Administration’s first significant action to support cybersecurity and protect critical infrastructure, and the initial days after its release generated a flurry of questions on the specifics of the White House’s cyber agenda.

  • With GDPR, Companies Must Act Now

    Pillsbury’s European Data Privacy & Cybersecurity practice leader Rafi Azim-Khan talks to Bloomberg BNA about the global impact of the EU General Data Protection Regulation. The interview explores expanded monetary risk and accountability under the GDPR, and what companies should—and should not—do to become GDPR-ready.

  • Don’t Rock the Vote: Helping State and Local Governments Fend Off Cyber Attacks

    Voting in local, state and national elections could be viewed as a rudimentary form of social media, by which voters share their views and preferences via selection of a candidate or party platform. The distance between this “old school” social media and its multi-headed modern form has shrunk thanks to the advent of electronic voting machines and online voting. But, as always, with the implementation of new technologies comes new risks.

  • Managing the Cybersecurity Risks of the Medical Internet of Things

    The cybersecurity ramifications of the Internet of Things (IoT) are perhaps nowhere more crucial--potentially a matter of life and death, in fact--than in the realm of medical devices. Until recent times, a potential hack of the data-sharing that is a hallmark of the IoT raised far more privacy concerns than actual health risks. However, as medical devices begin to evolve and make use of the connectivity of the IoT, this balance may change.