Jason Chipman is a WilmerHale partner who advises companies on complex regulatory issues related to data security, cyber incident response, the United States Foreign Investment Committee and related export controls. He has assisted companies in most industries with data security best practices and frequently assists with corporate due diligence. Mr. Chipman is currently a Non-Resident Fellow at the National Security Institute.
Benjamin Powell is a WilmerHale partner who has advised companies in virtually every sector, including banking, investment management, retail, defense and intelligence, on major cybersecurity incidents and preparedness. He is recognized as a leading advocate for international investments and mergers, including matters before the Committee on Foreign Investments and the Defense Security Service.
Arianna Evers is a WilmerHale Special Counsel who advises clients on complex privacy, data security and consumer protection issues arising from rapidly evolving federal and state requirements. She regularly assists clients on data protection-related issues, including legal requirements and best practices in emerging and changing legal areas, and also represents them in regulatory investigations.
Shannon Togawa Mercer is a Senior Associate at WilmerHale, advising clients on cybersecurity, privacy and data protection issues in the US and Europe. She joined WilmerHale from the London office of a large global law firm, where her practice focused on transactional work, including the cybersecurity and privacy aspects of capital markets transactions and mergers and acquisitions.
Cybersecurity continues to pose a growing risk to businesses around the world as cyber threats from nation states, commercial competitors, corporate insiders, transnational organized crime and “hacktivists” continue to proliferate worldwide. The Covid-19 pandemic has made this trend particularly acute, as companies around the world deal with a more distributed workforce and potentially more vectors for cyberattacks. Well-known ransomware attacks have also raised new concerns about destructive cybersecurity events that have an immediate impact on affected organizations. The ongoing conflict in Ukraine has further increased concerns about cyber risk.
In this environment, maintaining an effective enterprise cybersecurity program is the standard expectation for all organizations. The ability to respond efficiently and effectively to data security emergencies will be important both to avoid potentially disruptive cybersecurity incidents in the future and to manage related regulatory actions. In the United States, law enforcement agencies are devoting increasing resources to countering cyber threats. For example, in October 2020 the Office of Foreign Assets Control (OFAC) issued a policy providing guidance specifically for handling ransomware incidents, warning potential victims that ransom payments could violate US sanctions laws and regulations, and in September 2021 it issued an updated advisory. OFAC has also started enforcing sanctions against cryptocurrency exchanges that facilitate ransomware payments. Governments in Europe, Asia and North America have also responded to these trends, with particular attention to privacy and security controls for companies that hold large amounts of personal data.
Jurisdictions around the world continue to refine regulatory requirements for organizations that hold critical data. While data security in the United States continues to be governed by sector-specific regulations and by state laws, there is increasing pressure to create privacy laws with a scope similar to that of the EU General Data Protection Regulation (GDPR). Many states in the United States are considering new privacy regulations that would include basic privacy requirements, and California, Colorado, Virginia, Utah and Connecticut have all enacted laws requiring new privacy controls. State Attorneys General continue to devote significant resources to monitoring data breach compliance in the private sector.
At the federal level, regulatory data security requirements are most onerous for certain economic sectors that are believed to hold higher-risk data, such as federal defense contractors, banks and health care companies. For example, on March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 came into force, creating new reporting obligations for critical infrastructure companies. Earlier, on May 12, 2021, President Joe Biden issued an executive order focused on countering threats to US computer systems. The Executive Order on Improving the Nation’s Cybersecurity (Cybersecurity EO) aims to improve cybersecurity, particularly as it relates to federal government systems, and follows several high-profile cyber incidents in 2020 and 2021. Under a further executive order from President Biden, the US federal government has been tasked with creating new cybersecurity standards for all contractors. The Office of Management and Budget (OMB) published Cybersecurity EO guidance on software supply chain security aimed at federal agencies, and in May 2022 the National Institute of Standards and Technology (NIST) issued guidance for organizations on cyber risk in the federal government supply chain. While many standards released in 2021 relate to federal agency security, companies operating in the United States face a patchwork of state and federal regulatory policies and requirements that may affect their data security obligations, with trends pointing toward increased oversight and potentially extensive federal data protection legislation on privacy controls.
In Europe, the regulatory environment remains in flux. In June 2021, the European Commission published new Standard Contractual Clauses (SCCs) for cross-border data transfers, the first new SCCs in more than a decade. Businesses and regulators are still navigating the landmark Court of Justice of the European Union ruling invalidating the EU-US Privacy Shield framework as they await the outcome of negotiations on its successor. At the same time, companies in the European Union continue to grapple with compliance with the 2018 Network and Information Security (NIS) Directive and the GDPR, both of which introduced major regulatory changes in the area of data security for certain companies operating in the EU and prompted a wave of company activity to update privacy policies and establish appropriate compliance controls. Enforcement has increased in recent years: European regulators imposed fines of over $1 billion in 2021 (up from around $180 million in 2020). In addition, on January 1, 2021, the UK formally left the EU (Brexit) and established a UK-specific data protection regime (the UK Data Protection Act 2018 and the UK GDPR), including new contractual terms to protect data transfers from the EU to the United Kingdom.
In China, the Personal Information Protection Law (PIPL) came into force on November 1, 2021. The law sets the parameters within which cross-border transfers of personal data may occur for business and other reasons, including the consent or security assessment required to complete a transfer. Violations of the PIPL can result in fines of up to $150,000 (or $1,500 to $15,000 for directly responsible supervisors or individuals) or, in serious cases, $7.7 million or up to 5 percent of a company’s business revenue in the previous year. In particularly serious cases, companies, their employees, or both may also be held criminally responsible. Notably, the PIPL applies not only to personal data processing activities within China, but also to processing outside China of the personal data of individuals located in China, where the processing is for the purpose of providing products or services to those individuals, analysing or evaluating their conduct, or other circumstances required by law or regulation. In 2021, China also released draft regulations on managing network data security, detailing the implementation of China’s Cybersecurity Law, Data Security Law and PIPL.
Other Asian and African countries have also been active in enacting privacy laws, with Thailand, Sri Lanka, Uganda and South Africa all passing comprehensive legislation, and Japan and South Korea amending their existing privacy laws.
It seems likely that data security requirements will continue to increase worldwide in the near future. For international companies, changing and growing cybersecurity standards will further complicate the security operations of corporate networks, as special handling rules apply to the hosting and processing of sensitive data such as consumers’ personal data, critical infrastructure data and financial sector data. Cybersecurity will remain an important issue for these organizations and will continue to require technical, legal and communications professionals to work together to manage the risk of data security incidents.