Happy New Year! Dechert’s Privacy & Cybersecurity team is excited to kick off 2022 with this issue of Cyber Bits. Be sure to check out our predictions for 2022 – Dechert’s Privacy & Cybersecurity Extended Forecast for 2022: Hot Today. Hotter Tomorrow!
FTC Announces Regulatory Priorities for 2022
On December 10, 2021, the Federal Trade Commission (“FTC”) published its Statement of Regulatory Priorities (“Announcement”) for 2022. The FTC’s priorities for the coming year include the following relating to privacy and data security:
- New Privacy Rulemaking: The FTC is considering promulgating rules to address “abuses stemming from surveillance-based business models” and whether rulemaking would be effective in curbing “lax” security practices, limiting “intrusive surveillance,” and “ensur[ing] that algorithmic decision-making does not result in unlawful discrimination.” The FTC’s Advance Notice of Proposed Rulemaking is available here. Public comment closes in February 2022.
- Children’s Online Privacy Protection Rule (COPPA): In July 2019, the FTC issued a request for public comment on all major provisions of COPPA, the federal law that regulates how operators of online websites or services collect, use and share the personal information of children under 13. The public comment period closed in December 2019; however, the Announcement indicates that FTC staff is still analyzing and reviewing the public comments that were received.
- Health Breach Notification Rule: In May 2020, the FTC initiated a periodic review of the Health Breach Notification Rule, which requires vendors of personal health records (“PHR”) and PHR-related entities to notify consumers and the FTC of a breach of unsecured personally identifiable health information. The public comment period closed in August 2020. The Announcement indicates that FTC staff intends to submit a recommendation to the FTC by January 2022.
- Identity Theft Rules: In December 2018, the FTC initiated a periodic review of the Identity Theft Rules (“Rules”), including the Red Flags Rule (which requires financial institutions and creditors subject to the FTC’s jurisdiction to develop and implement a written identity theft prevention program) and the Card Issuer Rule (which requires credit and debit card issuers to implement reasonable policies and procedures to assess the validity of a change of address in certain circumstances). The Announcement indicates that FTC staff is reviewing public comments on the Rules and intends to submit a recommendation to the FTC by January 2022.
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule: In October 2021, the FTC announced updates to the GLBA Safeguards Rule (which requires financial institutions subject to the FTC’s authority to safeguard customer records and information). See here for our Dechert OnPoint. The FTC also announced the issuance of a Supplemental Notice of Proposed Rulemaking that proposes to further amend the Safeguards Rule to require reporting to the FTC in the event of certain security events. This comment period closes on February 7, 2022.
Takeaway: Despite the Republican Commissioners’ opposition to the proposed rulemakings, the FTC appears poised to use the means available to it to align its powers with rapidly evolving data-driven technologies, uses and sharing. We anticipate that Republican members of Congress and industry trade groups will challenge the rulemakings as exceeding the FTC’s authority. Nonetheless, given Washington’s and the public’s “anti-tech” sentiments, companies subject to FTC jurisdiction should monitor developments – particularly those in the affected sectors highlighted in the Announcement and elsewhere (e.g., the FTC’s April 2021 guidance on the use of artificial intelligence, found here).
The FTC Warns About Log4j Flaws, Citing the Possibility of Legal Action for Failure to Remediate
The Federal Trade Commission (“FTC” or “Commission”) is warning affected businesses and other organizations to patch their systems against the Log4j vulnerability or risk suffering legal sanctions.
The FTC’s notification describes Log4j as “a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services.” Noting that a “serious” vulnerability had been found in the software, and that “a growing set of attackers” were already exploiting the flaw, the Commission warned that failure to take reasonable steps to remediate the vulnerability could lead to federal liability, including under the FTC Act and the Gramm-Leach-Bliley Act. “It is critical,” the advisory explains, “that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
The FTC’s advisory goes on to identify resources, including CISA’s Log4j guidance, that can be used to mitigate the threat.
The FTC’s warning appears at a time when additional information continues to emerge about the actual extent of Log4j attacks. According to news reports on a recent press briefing, CISA Director Jen Easterly said that, “At this time, we have not seen the use of Log4Shell resulting in significant intrusions.” Easterly reportedly suggested that the lack of more visibly destructive attacks in the US so far could be attributable to adversaries who already may have used the vulnerability “to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert.” She also suggested that attacks may have been thwarted in part by “the urgent actions taken by defenders … to rapidly mitigate the most easily exploitable devices, such as those accessible directly from the internet.”
CISA predicts that Log4Shell will be “used in intrusions well into the future.” Private cybersecurity companies are reporting that there have been “millions” of attempts to exploit the vulnerability and have attributed some of these attacks to state-sponsored actors.
Takeaway: The key words in the FTC warning are “take reasonable steps.” Companies with Log4Shell in their environment need to take reasonable steps to patch the vulnerability. It is rare for the FTC to issue such a specific warning regarding a patch, but it shows the level of seriousness with which the Commission will treat a company that turns a blind eye to the need for this patch.
On a separate note, the FBI reportedly has warned that cybercriminals have been sending malicious USB drives through the mail to US companies in the transportation, insurance and defense industries with the goal of infecting their systems with malware as preparation for future attacks. The thumb drives are being mailed as part of fraudulent communications attributed to either federal agencies or private companies.
Court Adviser Reconfirms Illegality of Broad Retention Requirements for Mobile and Electronic Communication and Location Data
The European Court of Justice (“ECJ”) recently received requests from several national courts to guide them as to whether domestic legislation requiring retention of and access to personal mobile/electronic data is in compliance with the European Directive on privacy and electronic communications. These cases arise from legal requirements imposed on internet access providers in Germany regarding storage of historic traffic data, from rules regarding retention of and access to personal data for criminal investigations in Ireland, and from rules related to French insider dealing investigations.
On November 18, 2021, the Advocate General issued its advisory opinion. It reconfirmed that general and indiscriminate storage obligations imposed on operators can only be justified by national security reasons. The opinion concluded that national security does not include the prosecution of criminal offenses, even if the offenses are serious, and that time limitations are insufficient to remedy a retention obligation that applies to a wide range of traffic and location data. The opinion found that these principles also apply if access to data retained in existing records is authorized by any European legislation other than the Directive on privacy and electronic communications (including secondary national rules based on European legislation).
Takeaway: While the ECJ’s judgment remains pending, the Advocate General’s advisory opinion is a clear and influential affirmation of the consistent line taken by the ECJ that the fundamental rights of EU citizens trump any general communication/traffic and location data retention obligations imposed on telecom and internet operators. Member States continue to resist this approach and have sought to revive the ability to retain mobile and electronic personal data for use in various situations. Even if the ECJ sides with the Advocate General in the final judgment (which is not expected to be issued for several months), Member States will no doubt continue to try to find ways to impose broad(er) digital data retention obligations on telecom and internet operators, as evidenced by a leaked working paper from June 2021. That paper was prepared for national government representatives and discusses possible approaches for data retention options in light of the ECJ’s case law.
FTC Settles with Online Advertising Platform for Alleged COPPA Violations
On December 15, 2021, the FTC announced a settlement with OpenX Technologies, Inc. (“OpenX”), a real-time bidding platform that sells advertising space to websites and mobile apps. The FTC alleged that OpenX violated the Children’s Online Privacy Protection Act (“COPPA”) and the FTC Act by knowingly collecting, using and disclosing personal information from children under 13 without obtaining prior parental consent. The FTC also alleged that OpenX collected geolocation data from users after they had opted out of such data collection.
The FTC alleged that, despite having policies and procedures to flag child-directed online properties, OpenX failed to flag hundreds of child-directed apps, including those with terms such as “for toddlers,” “for kids,” “kids games,” “preschool learning,” and “kindergarten”; apps with store page descriptions and graphics suggesting they were designed for kids; and apps with age ratings indicating they were directed to young children. As a result, the FTC alleged, OpenX violated COPPA by knowingly collecting personal information from children under 13 and passing this information to third parties who served targeted ads to users of these apps.
The settlement requires OpenX to pay a civil penalty of US$2 million. Among other requirements, the settlement also requires OpenX to: delete any data that was collected to serve targeted ads; implement a comprehensive program to protect the privacy of data collected from consumers and their devices; and review and track apps that participate in its ad exchange on a periodic basis to identify additional child-directed apps and ban them from participating in the exchange.
Takeaway: The settlement is a warning to companies in the ad tech ecosystem that the FTC remains closely focused on the industry’s privacy practices relating to young children. Companies will want to closely monitor the data practices of partners and ensure that adequate measures are in place, including contractually, to reduce COPPA risk.
CISA Report Warns of Increased Cyber Threats to Manufacturing Sector Resulting From Pandemic
On December 29, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a report on increased cyber threats to the critical manufacturing sector. The report, which was tweeted out by CISA Director Jen Easterly, states that businesses in the critical manufacturing sector are at risk of cyberattacks, particularly ransomware attacks, due to “increased cyber-attack surface areas” and reduced workforces resulting from the COVID-19 pandemic.
The report identifies areas of concern resulting from the shift to remote work during the pandemic, including potential operational vulnerabilities in the control systems that manage industrial processes, such as expanded cyberattack surfaces (i.e., an increase in the number of access points through which threat actors could potentially attack), reduced network segmentation and security, and unauthorized physical and online access. In addition, the report notes that the increased automation of critical manufacturing production during the pandemic, combined with the shortage of qualified cybersecurity professionals in this sector, has increased these businesses’ security risks.
The report recommends that critical manufacturing businesses develop a “long-term and multi-faceted” risk mitigation strategy, including investing in cybersecurity training for analysts and increasing cybersecurity awareness “within the shop floor environment.”
Takeaway: Ransomware and other types of cyberattacks continue to be a threat to businesses of all kinds. Businesses in this space – which may have a false sense of security by thinking that they don’t hold much personal or sensitive data – still need to be vigilant and take steps now to invest in their cybersecurity programs to reduce the risk of cyberattacks.