Cybersecurity: Legal implications and risk management
In an increasingly interconnected world, cyber risk is firmly at the top of the boardroom agenda, and having an effective data breach response programme is no longer optional.
Cybersecurity crisis management
The internet knows no borders, neither do we. Our global team of cybersecurity response experts work across borders, combining data protection, privacy, regulatory, white collar and litigation expertise in order to deliver seamless crisis management and legal advice, whenever and wherever needed.
The digitalization and free flow of information has transformed global business. However, with increased opportunities have come new and increased risks, together with complex legislative regimes that can vary significantly by jurisdiction, and are constantly evolving. Even the most conscientious company can become the victim of a cybersecurity incident, such as the stealing of client or company information, or a ransomware attack. We work with a wide range of multinational companies to manage their cybersecurity risks, developing rapid response plans, providing time-critical crisis management advice, and working with clients to manage any resulting legal issues that may arise.
Breach of contract
M&A due diligence
Business Continuity Plan
Requests for data
Data Protection Authority Complaints
Group litigation orders
Data Protection Authority
Privacy & data protection
Law Enforcement Involvement
Preservation of Evidence
Legal (internal and external)
Work with forensic investigators to:
Identify and contain breach
Maximise legal privilege coverage
Contact crisis team
Bring in external partners
Identify key risks and priorities based on nature of breach
Assess notification requirements
Directors face personal liability over cybersecurity failures
In an article for The Times, White & Case partner Lawson Caisley discusses why it could become increasingly common for UK directors to "face personal liability and regulatory censure as a result of their company suffering or mishandling a cyberbreach".
Director liability for cyber breaches: transatlantic warning signs?
Two legal cases in the US in the past month suggest that regulators and prosecutors are becoming more determined to take personal action against directors and senior executives who fail to deal adequately with cyber security breaches.
AAA plc & ors v Persons Unknown: Cyber Activism or Blackmail?
In recent years, demands for payments in cryptocurrencies have become the ransom of choice for cyber extortionists and other online frauds. As a result, the English Court's powers are increasingly being called upon.
Cybersecurity Enforcement: New York Department of Financial Services issues first penalty under Cybersecurity Regulation
Consistent with its increasing activity in the cybersecurity enforcement space, in March 2021, the NYDFS issued its first penalty under the Cybersecurity Regulation. This client alert explores the settlement and offers takeaways on the areas of focus by the NYDFS in enforcement actions under the Cybersecurity Regulation.
Before the Dust Settles: The California Privacy Rights Act Ballot Initiative Modifies and Expands California Privacy Law
Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers.
Recovering the ransom: High Court confirms Bitcoin status as property
The High Court has determined that Bitcoin (and other similar cryptocurrencies) can be considered property under English law, and could be the subject of a proprietary injunction. The Court granted the injunction to assist an insurance company to recover Bitcoin that it had transferred in order to satisfy a malware ransom demand.
Navigating Privacy and Cyber Incident Notification and Disclosure Requirements
Organisations are facing increasing uncertainty in assessing global notification and disclosure obligations and making a determination of whether to notify or disclose a privacy violation or security incident in today's complex regulatory environment. This article offers six steps companies should consider when navigating this complex process.
Proposal on the Application of the NIS Regulations post-Brexit
This article examines the impact of the UK Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) on organisations post Brexit and their obligations under applicable cybersecurity law.
Hot on the heels of the California Attorney General's rulemaking process for the California Consumer Privacy Act ("CCPA"), California voters have passed a ballot initiative to expand and create new privacy rights for consumers. Most of the California Privacy Rights Act ("CPRA") will not take effect until January 1, 2023, giving weary businesses some lead time for their compliance efforts. In this client alert, we set out the key changes for businesses to be aware of as they look forward to meeting their obligations under the CPRA.
Background on the CPRA
Describing the CCPA as a great baseline, one of the CCPA's original proponents filed the CPRA ballot initiative (or Proposition 24) to further enhance consumer privacy in California. To preserve the full strength of the CPRA, the ballot initiative included a provision limiting legislative amendments that might weaken its provisions. California voters elected to pass Proposition 24 at the ballot, paving the way for the CPRA to become effective on January 1, 2023. In the meantime, only the administrative provisions of the CPRA, which establish the California Privacy Protection Agency and call for new regulations, will become immediately effective.
The CPRA contains a detailed rulemaking process, which directs the California Attorney General to begin issuing regulations until the California Privacy Protection Agency is established and is able to assume rulemaking responsibility. Much like the CCPA, the CPRA leaves the determination of many of its definitional and procedural nuances to a long rulemaking process. With final regulations required under the CPRA by July 1, 2022, many specificities will be left in flux until then. While businesses will not need to start from scratch to comply with the CPRA, more granular data-mapping will likely be required and businesses may need to reassess a number of choices made in their initial CCPA compliance efforts.
CPRA's Changes to the CCPA
In its 52 pages, the CPRA makes significant changes to the compliance burden imposed on businesses by the CCPA. We set out below a summary of the key additions and modifications to the CCPA's existing requirements.
Establishes the California Privacy Protection Agency. The CPRA establishes the California Privacy Protection Agency (the "Agency") to take responsibility for promulgating rules and enforcing the amended CCPA via administrative proceedings and fines of between $2,500 and $7,500 per violation. Once it has been stood-up, but by no later than July 1, 2021, the Agency must assume the rulemaking responsibilities under the CPRA. Notably, the Agency will have the power to conduct audits of businesses to ensure compliance with the CPRA.
Eliminates the 30-Day Cure Period for Violations of the CPRA. Under the CCPA, businesses were given 30 days to cure alleged violations before any administrative enforcement by the California Attorney General. The CPRA eliminates that 30-day cure period permitted under the CCPA. Now, at most, the Agency has the discretionary power to provide the business with a time period to cure. However, it must do so with an eye to the intent of the business to violate the title and voluntary efforts it took to cure the alleged violation. In addition, the CPRA clarifies the scope of the right to cure available for personal information security breaches, noting, "implementation and maintenance of reasonable security . . . following a breach does not constitute a cure with respect to that breach."
Requires the Implementation of Reasonable Security Procedures & Practices. The CPRA includes an affirmative requirement for businesses that collect consumers' personal information to implement reasonable security procedures and practices. Businesses must identify and implement procedures and practices that are appropriate to the nature of the personal information processed and the potential risks. Importantly, this affirmative obligation means businesses may face administrative fines (even in the absence of a data breach) where they fail to maintain reasonable security to protect consumers' personal information.
Limits the Scope of the CCPA. The CPRA increases one of the threshold requirements to qualify as a "business" under the CCPA. To fall within the scope of the title, for-profit entities must process the personal information of 100,000 or more consumers or households, rather than 50,000 or more, as was the case under the CCPA.
Imposes Data Minimization & Storage Limitation Requirements. The CPRA limits the collection, use, retention and sharing of personal information to that which is "reasonably necessary" to achieve the specified purposes of processing. Businesses will likely need to revisit their data-retention policies to ensure compliance with this addition.
Requiring Businesses to Perform Cybersecurity Audits and Risk Assessments. Subject to the eventual regulations issued under the CPRA, businesses "whose processing of consumers' personal information presents a significant risk to consumers' privacy or security," must perform annual cybersecurity audits and submit risk assessments to the Agency on a regular basis. The CPRA does not define processing that may result in a significant risk to the consumer, but requires a consideration of the size and complexity of the business and the nature and scope of the processing. Risk assessments will require businesses to weigh the benefits of the processing activities against the potential risk to consumers' rights associated with such processing. The goal of these risk assessments is to restrict or prohibit certain processing activities—where the risks of those activities outweigh the benefits to the business, consumers and other stakeholders.
Enhanced Requirements for Vendor Agreements. The CCPA identified specific requirements and limitations that should be present in an agreement between a business and its service provider in order for transfers of personal information required under that contract to be excluded from the broad definition of "sale." The CPRA formalizes these relationships by mandating agreements when a business sells personal information to, or shares it with, third parties, contractors and service providers. As such, businesses may need to conduct a full audit and review of their data-sharing agreements to ensure they contain the provisions required under the CPRA. Additionally, service providers, contractors and third parties will also need to ensure they have adequate processes in place to comply with these required provisions.
Creates a New Category of Sensitive Personal Information. The CPRA adds a new category of personal information, termed "sensitive personal information," and imposes additional restrictions on its collection, use and disclosure. Sensitive personal information includes data elements, such as government identification numbers, financial information, precise geolocation, racial and ethnic origin, the contents of certain communications and genetic data.
Expands Consumer Rights. The CPRA expands the Consumer Rights provided by the CCPA in a number of ways. These include:
Right to Correction. The CPRA adds a new consumer right by requiring businesses to use all commercially reasonable efforts to correct inaccurate personal information in response to a verifiable consumer request.
Right of Deletion. The CPRA modifies the deletion right by requiring service providers, contractors and third parties to cooperate with the business to delete personal information pursuant to a consumer request.
Right to Opt Out of Sharing for Cross-Contextual Behavioral Advertising. The CPRA expands the right to opt out by requiring businesses to provide consumers with the ability to opt out of sharing personal information for the purposes of cross-contextual behavioral advertising. This change aims to ensure that consumers can opt out of this sharing even where it is not in exchange for valuable consideration.
Right to Limit the Use & Disclosure of Sensitive Personal Information. The CPRA adds a new consumer right that allows a consumer to direct a business to limit its use and disclosure of the consumer's sensitive personal information for purposes other than those that are commercially necessary or as otherwise authorized by the CPRA.
Although the new and modified obligations under the CPRA will not enter into force until January 1, 2023, businesses will need to be in a position to comply with obligations relating to personal information collected by businesses on or after January 1, 2022. Given the limitation on the power of the legislature to amend the ballot initiative, in all likelihood, today's language will be that which becomes enforceable in 2023. Despite the long lead time, businesses would be well-advised to begin the more detailed data-mapping processes, evaluations and establishment of cybersecurity programs and vendor agreement reviews that will be required by the CPRA at their earliest convenience to ensure they are not caught out once the deadline arrives. We will continue to provide updates and analysis of the CPRA's detailed requirements. Please do not hesitate to reach out, as our Data, Privacy & Cybersecurity Practice group is happy to take any questions about the new requirements under the CPRA and to assist your business in revisiting or implementing your compliance plans as January 1, 2023, approaches.