On November 8, 2021, law enforcement agencies in both the United States and European Union announced that a series of actions, including a number of arrests, were taken against the Russia-linked ransomware group, “REvil.” The U.S. Department of Justice (the “DOJ”) unsealed documents relating to an August indictment against two individuals in Dallas for alleged involvement in REvil ransomware attacks against several U.S. businesses. The European authorities, Europol, also announced that police in Romania and South Korea had arrested five people alleged to be REvil affiliates.

Continue Reading Russia-Linked REvil Hackers and Their Affiliates Hit with Arrests by the U.S. and International Allies

On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) announced Directive 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities (the “Directive”), establishing a CISA-managed catalog of vulnerabilities and compelling federal agencies to remediate such vulnerabilities on government information systems. The Directive targets vulnerabilities that pose a significant risk to the federal government and applies to all software and hardware found on federal information systems, including those managed on an agency’s premises, as well as those hosted by third parties on an agency’s behalf. The Directive is the latest in a series of executive branch efforts to address U.S. cybersecurity in the public and private sectors.

Continue Reading CISA Issues New Cybersecurity Directive for Federal Agencies

On November 2, 2021, Facebook parent Meta Platforms Inc. announced in a blog post that it will shut down its “Face Recognition” system in coming weeks as part of a company-wide move to limit the use of facial recognition in its products. The company cited the need to “weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules.”

Continue Reading Facebook to End Use of Its Facial Recognition System

Beginning in 2022, Apple and Google will impose new privacy requirements on mobile apps available for download in the Apple App Store and Google Play Store, respectively. As described further below, Apple’s new account deletion requirement will apply to all mobile app submissions to the Apple App Store beginning January 31, 2022. Similarly, Google’s new Data Safety section will launch in February 2022, and app developers will be required to submit to the Google Play Store Data Safety forms and Privacy Policies by April 2022.

Continue Reading Apple and Google Announce Effective Dates of New Mobile App Privacy Requirements

On October 21, 2021, the Consumer Financial Protection Bureau (“CFPB”) issued orders to Google, Apple, Facebook, Amazon, Square and PayPal requesting detailed information about their business practices in relation to payment systems they operate. The CFPB issued the orders pursuant to its statutory authority under the Consumer Financial Protection Act.

Continue Reading CFPB Orders Six Tech Companies to Provide Information on Payment Systems Data Practices

On October 28, 2021, the European Parliament’s Committee on Industry, Research and Energy adopted a draft directive on cybersecurity (“NIS2 Directive”). The NIS2 Directive will broaden the scope of the existing NIS Directive to apply to “important sectors,” such as waste management, postal services, chemicals, food, medical device manufacturers, digital providers and producers of electronics, in addition to “essential sectors.” The NIS2 Directive imposes specific cybersecurity requirements relating to incident response, supply chain security, encryption and vulnerability disclosure obligations. The NIS2 Directive also aims to establish better cooperation and information sharing between EU Member States, and create a common European vulnerability database.

Continue Reading European Parliament Adopts Draft Cybersecurity Directive

On October 27, 2021, the Federal Trade Commission announced significant amendments to the agency’s Safeguards Rule (the “Final Rule”). Promulgated in 2002 pursuant to the Gramm-Leach-Bliley Act, the Safeguards Rule obligates covered financial institutions to develop, implement and maintain a comprehensive information security program that complies with the Rule’s requirements.

Continue Reading FTC Announces Significant Updates to GLB Safeguards Rule

On October 28, 2021, the Federal Trade Commission announced the issuance of a new enforcement policy statement warning companies against using dark patterns that trick consumers into subscription services. The policy statement comes in response to rising complaints about deceptive sign-up tactics like unauthorized charges or impossible-to-cancel billing.

Continue Reading New FTC Policy Statement Targets Dark Patterns

On October 29, 2021, the Cyberspace Administration of China (“CAC”) released for public comment “Draft Measures on Security Assessment of Cross-border Data Transfer” (“Draft Measures”). The CAC, in its third legislative attempt to build a cross-border data transfer mechanism in China, issued the Draft Measures three days before the November 1, 2021 effective date of the Personal Information Protection Law (“PIPL”).

Continue Reading China Issues Draft Measures on Security Assessment of Cross-border Data Transfer

On October 13, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”) following public consultation. Article 23 of the GDPR permits EU Member States to impose restrictions on data subject rights as long as the restrictions respect the essence of the fundamental rights and freedoms of individuals, and are necessary and proportionate measures in a democratic society to safeguard, for example, national security, defense or public security. The data subject rights to which the restrictions may apply are those set out in Articles 12-22 (e.g., rights of access, erasure), Article 34 (communication of a data breach to individuals) and Article 5 (the data processing principles) to the extent that its provisions correspond to data subject rights.

Continue Reading EDPB Adopts Guidelines on Restrictions on Data Subject Rights Under GDPR