In this month’s Privacy & Cybersecurity Update, we examine President Biden’s executive order to implement an EU-U.S. data privacy framework, the European Commission’s draft Cyber Resilience Act, the U.S. Treasury’s request for public comments on a federal cyber insurance program and New York state’s data breach settlement with a health insurer.
President Joe Biden has signed an executive order regulating how U.S. intelligence agencies collect and use personal data, in an effort to reestablish a legal regime for transfers of personal data from the EU to the U.S.
On October 7, 2022, President Biden signed Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities,” which establishes new safeguards for the collection and use of personal data by U.S. intelligence agencies.1 The executive order is intended to provide greater privacy protection and thereby help reestablish an EU-U.S. framework for the lawful export of personal data from the EU to the U.S. under EU law, following the 2020 Schrems II decision that invalidated the prior framework (Privacy Shield) between the two jurisdictions.2 The executive order implements into U.S. law the agreement in principle on a new EU-U.S. Data Privacy Framework, which was announced by President Biden and European Commission (EC) President Ursula von der Leyen on March 25, 2022. Shortly after President Biden signed the executive order, the EC announced its intention to prepare a draft adequacy decision in favor of the U.S.
In Schrems II, the Court of Justice of the EU (CJEU) invalidated the EU’s Privacy Shield decision (Decision 2016/1250 on the adequacy of the protection provided by the Privacy Shield), citing concerns over U.S. public authorities’ access to and use of EU personal data and the lack of an adequate redress mechanism available to EU data subjects against such authorities. As a result of the decision, transfers of personal data from the EU to the U.S. on the basis of the Privacy Shield framework became unlawful immediately. Companies were therefore obliged to implement another valid data transfer mechanism (such as the European Commission’s Standard Contractual Clauses (SCCs)) for transfers of personal data from the EU to the U.S. and to conduct a transfer impact assessment (TIA) for each transfer. The decision applied equally to transfers of personal data from the U.K. to the U.S., as it was handed down during the Brexit transition period and the U.K. GDPR is materially aligned with the EU GDPR.
Enhanced Privacy and Civil Liberties
The executive order introduces a series of reforms to U.S. privacy law and practice that seek to address the concerns regarding individuals’ privacy and civil liberties raised by the CJEU in Schrems II. These include both specific limitations and requirements imposed on the U.S. intelligence community and a two-tier process through which data subjects in a “qualifying state” (as discussed below) can seek legal redress for violations.
Requirements for the Intelligence Community
The executive order’s reforms of intelligence community actions include the following:
Two-Tier Redress Mechanism
The executive order introduces a new two-tier redress mechanism for privacy violations. This mechanism replaces the U.S. data ombudsman redress mechanism under the Privacy Shield framework, which was criticized for its lack of independence, investigative powers and binding authority.
Under the first tier of the redress mechanism, individuals, acting through the appropriate public authority of a “qualifying state,” will be able to lodge a complaint with the Civil Liberties Protection Officer of the Office of the Director of National Intelligence (CLPO). The EU is intended to be designated a “qualifying state,” so EU data subjects will be able to use this two-tier redress mechanism. The CLPO will conduct an initial investigation to determine whether the executive order’s enhanced safeguards or other applicable U.S. laws have been violated and, if so, to determine an appropriate remediation.
If dissatisfied with the outcome, the complainant or the element of the intelligence community concerned can appeal the CLPO’s decision to a Data Protection Review Court (DPRC) under the second tier of the redress mechanism. The DPRC is a new body that the attorney general, as directed by the executive order, is responsible for establishing under new regulations. Those regulations, which were published on the same date as the executive order, require a three-judge panel to review applications to the DPRC. The judges must not be members of the U.S. government, must have relevant experience in data privacy and national security law, and must be protected against removal (except for serious cause, such as conviction of a criminal offense). In addition, the DPRC must appoint a “special advocate” to represent the complainant’s interests before the court. However, while DPRC judges are supposed to provide “independent and impartial review[s] of applications,” the regulations note that the attorney general is responsible for appointing the judges (although they will not work under the attorney general’s supervision) and that the DPRC will be established within the Department of Justice. Though this is similar to the status of a special counsel (who operates independently but is appointed, and can be dismissed, by the attorney general), the level of involvement of the attorney general and the Department of Justice has led some to express skepticism as to whether the DPRC will be truly independent.
Additionally, the Privacy and Civil Liberties Oversight Board (PCLOB), a bipartisan, five-member board that is appointed by the president and confirmed by the Senate and which sits within the executive branch, will have a right to review this two-tier redress mechanism on an annual basis, including whether the intelligence community has complied with decisions made by the CLPO and DPRC. However, the executive order notes that such annual reviews by the PCLOB are “encouraged,” but not mandatory.
In response to the executive order, the EC announced that it would prepare a draft adequacy decision that, if adopted, would allow personal data to flow freely between the EU and U.S. companies that have been certified by the Department of Commerce under the EU-U.S. Data Privacy Framework. The adoption procedure, which the EC has launched, could take up to six months and involves various stages. These steps include the European Data Protection Board (EDPB) issuing a non-binding opinion and a committee of representatives from EU member states approving the adequacy decision. In addition, the European Parliament may exercise its right of scrutiny over the draft decision and issue a nonbinding resolution. Following this review procedure, the EC can adopt a final adequacy decision in favor of the U.S. for businesses that are certified under the EU-U.S. Data Privacy Framework. Such organizations would no longer have to rely on a separate valid data transfer mechanism (e.g., SCCs) for the transfer of personal data from the EU to the U.S. The European Commission has said that companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a set of privacy obligations.
Separately, the U.K. government has said that it is working “expeditiously” to review the enhanced safeguards and redress mechanism in the executive order as part of its assessment of U.S. data protection laws and practices. The U.K. government has said that it intends to lay adequacy regulations in Parliament in early 2023 to restore the free flow of personal data between the two jurisdictions. Meanwhile, the U.S. government has said that it intends to designate the U.K. as a “qualifying state” under the executive order, which would mean that U.K. data subjects could also utilize the enhanced privacy and civil liberties outlined in the executive order (e.g., the multi-layered redress mechanism).
Max Schrems, who brought the Schrems II case before the CJEU, has said that, at first sight, the executive order does not address the concerns of the court’s decision in that case. In particular, Mr. Schrems has criticized the independence of the DPRC, which, according to him, will not be a court within the legal meaning of Article 47 of the EU’s Charter of Fundamental Rights or the U.S. Constitution. Mr. Schrems has further said that NOYB – European Center for Digital Rights, a nonprofit organization of which he is the chair, will review the executive order and publish a detailed legal analysis with a view to potentially bringing another legal challenge before the CJEU.
The EC has published a draft law establishing cybersecurity requirements for products with digital elements.
On September 15, 2022, the EC published its proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act. The EC describes the act as “the first regulation of its kind.” The draft will now be examined by the European Parliament and the Council of the EU, a process that could take up to two years.
The act was first announced by EC President Ursula von der Leyen in her State of the Union address on September 15, 2021, and builds on the EU Cybersecurity Strategy and the EU Security Union Strategy. Because the act would be an EU regulation rather than a directive, once adopted it would be directly applicable and enforceable in all EU member states without national implementing legislation, ensuring uniform cybersecurity requirements across the EU.
Rules and Requirements
The proposed act notes the global cost of cybercrime in 2021 as €5.5 trillion and attributes this to the fact that (1) hardware and software products suffer from a low level of cybersecurity and (2) individuals lack an understanding of the cybersecurity properties of such products. To address these concerns, the act outlines:
The act would apply to manufacturers, importers and distributors of products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. “Products with digital elements” are broadly defined to include any software or hardware product and its associated remote data processing operations. There is a carve-out for certain products, including medical devices that are subject to Regulation (EU) 2017/745 and Regulation (EU) 2017/746.
Under the act, before introducing a product with digital elements on the EU market, manufacturers would have to perform a two-fold “conformity assessment.” Under this requirement, the manufacturer would have to:
Where the conformity assessment demonstrates compliance with the essential requirements in Sections 1 and 2 of Annex I of the act, the manufacturer would then have to draw up an EU declaration of conformity stating that the applicable essential requirements have been fulfilled, in accordance with Article 20 of the act, and affix the “CE” marking in accordance with Article 22 of the act (the marking is affixed to the product itself or, where that is not possible because of the nature of the product, to its packaging and the EU declaration of conformity; it indicates that the manufacturer has assessed the product and deemed it to meet the applicable EU requirements). By drawing up the declaration and affixing the CE marking, the manufacturer would assume responsibility for the product’s conformity with the act. Manufacturers also would have to provide the EU declaration of conformity with the product or, instead, include in the instructions and/or other printed information provided to users a website address where the declaration can be accessed. Lack of compliance with these requirements could result in enforcement action by market surveillance authorities (discussed below).
‘Critical’ Products With Digital Elements
Annex III of the act contains a list of “critical” products with digital elements that are divided into two classes:
As part of the act’s requirements, manufacturers would have to satisfy stricter conformity assessments before placing these critical products with digital elements on the EU market. For instance, manufacturers of Class II critical products would have to involve an independent third party in the conformity assessment discussed above.
In addition to the conformity assessment (discussed above), manufacturers would be required to notify the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of (1) any actively exploited vulnerability contained in products with digital elements, and (2) any incident having an impact on the security of products with digital elements. Manufacturers also would have to inform users about any such incidents without undue delay and, where necessary, what actions they can take to mitigate the impact of such incidents.
The act also would require importers and distributors to (1) inform manufacturers without undue delay of any vulnerability in such products, and (2) immediately notify market surveillance authorities in member states where such products present a “significant” cybersecurity risk. A significant cybersecurity risk is defined as one that, based on its technical characteristics, can be assumed to have a high likelihood of an incident that could result in a severe negative impact, such as causing considerable material or non-material loss or disruption.
The act includes a 24-month transition period, running from its entry into force, for compliance with its requirements. However, there is a shorter 12-month transition period for manufacturers’ compliance with the reporting obligations discussed above.
Enforcement and Penalties
The act would require each member state to designate an existing or new authority to act as its market surveillance authority. Such authorities would be required to cooperate with one another and with ENISA and data protection authorities.
Where a market surveillance authority has sufficient reason to believe that a product with digital elements presents a significant cybersecurity risk (as described above), the act would grant it the power to evaluate the product and, if it finds noncompliance with the act, to require the operator concerned to take all corrective action necessary to bring the product into compliance, to withdraw it from the market or to recall it within a reasonable period. The act also would grant market surveillance authorities the power to conduct simultaneous coordinated “sweeps” of products with digital elements to check for compliance with the act (e.g., where an EU declaration of conformity has not been drawn up or the CE marking has not been affixed, as discussed above). The results of a sweep could be made public, which could have significant reputational implications for the companies concerned.
The act sets out administrative fines for noncompliance; the highest level of administrative fine would be at €15 million or 2.5% of worldwide annual turnover for the previous financial year, whichever is higher. However, similar to the General Data Protection Regulation (GDPR), the method for imposition of administrative fines is left to the discretion of each member state, which could result in a lack of harmonization across each country. On May 12, 2022, the EDPB adopted guidelines for the calculation of administrative fines under the GDPR in an attempt to harmonize the methodology that supervisory authorities use when calculating administrative fines. It remains to be seen whether similar guidelines will be published for the Cyber Resilience Act.
Parallel Effort in the UK
Separately, the U.K. government also is focusing on cybersecurity requirements for connectable products (e.g., smartphones, connected cameras, smart home assistants), as set out in the Product Security and Telecommunications Infrastructure Bill. As with the act, the bill, once passed, would place duties on manufacturers, importers and distributors; however, the scope of the products, duties, enforcement powers and penalties in the bill differs from those in the act. For instance, the bill is limited to connectable products, and the maximum fine for noncompliance is set at £10 million or 4% of worldwide revenue, whichever is higher. Manufacturers, importers and distributors would be given a grace period of at least 12 months before the legislative framework fully comes into force.
The bill is currently at the final stage in the Houses of Parliament (consideration of amendments) before receiving Royal Assent. We are closely monitoring further developments.
The U.S. Treasury Department’s Federal Insurance Office (FIO) and the Cybersecurity and Infrastructure Security Agency (CISA) are soliciting feedback from the public on the need for a potential federal cyber insurance program.
On September 29, 2022, the FIO issued a request for comment in the Federal Register to solicit public comments on whether to implement a federal insurance program for responding to catastrophic cyber incidents and, if desired, how to structure such a program.3 The regulator will be seeking public comments until November 14, 2022.
The FIO is an office housed within the U.S. Department of the Treasury that provides expertise on insurance matters to the Treasury and other federal agencies and represents the U.S. in international discussions relating to insurance. CISA is an agency of the U.S. Department of Homeland Security that is responsible for strengthening cybersecurity and infrastructure protection, coordinating cybersecurity programs with U.S. states and improving the government’s defenses against criminal and nation-state cyber actors. In September 2022, CISA released its 2023-2025 Strategic Plan, issued in response to the increasing vulnerability of U.S. infrastructure to cyberattacks. As part of their efforts to define and manage the government’s role in mitigating cyber threats, CISA and the FIO have agreed to provide Congress with a joint assessment of whether a federal insurance response to catastrophic cyber incidents is warranted.
In May 2021, following a steady stream of cyberattacks in recent years, the Government Accountability Office (GAO) began reviewing how well suited the government’s Terrorism Risk Insurance Program (TRIP) was to dealing with such incidents. The GAO had issued a report in 2020 that cited a 2020 CISA study analyzing scenario-based estimates of potential U.S. losses from severe cyber incidents, which ranged from $2.8 billion to $1 trillion per event.4 Following the 2020 report, the GAO issued a second report in 2022 that recommended that the FIO and CISA jointly assess the issue, seek public comment on catastrophic cyber incidents and consider a potential federal cyber insurance program.5
The FIO’s Request for Comment
In its request for comment, the FIO noted that cyber insurance is a significant risk-transfer mechanism for businesses, and that the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. The request also acknowledged that most insurance in the U.S. is regulated at a state level but noted that there are programs where policymakers and regulators saw a need for federal programs to supplement the commercial market and existing state requirements. Examples of such programs include TRIP, the National Flood Insurance Program and the Federal Crop Insurance Program.
In their request, the regulators are specifically seeking comments on:
The request for comments is open until November 14, 2022. Those seeking to submit comments can do so at the government’s website at regulations.gov.
The FIO and CISA’s request for comment signals a potentially significant shift in the insurance landscape surrounding cybersecurity incidents. One outcome of the shift could be that federal financial support for certain cyber risks could protect insurers against certain catastrophic losses, and thereby encourage them to make cybersecurity insurance more widely available. We will monitor further developments on this topic.
The New York Department of Financial Services (DFS) ordered EyeMed Vision Care LLC, a licensed health insurance company for vision services, to pay a $4.5 million penalty following a data breach that exposed more than six years of consumers’ sensitive nonpublic information.
On October 18, 2022, the New York DFS announced that the agency had settled with EyeMed Vision Care LLC (EyeMed) to end an investigation into the company’s violation of New York data protection regulations.6 Under the settlement, EyeMed agreed to pay DFS a $4.5 million penalty and to undertake significant remedial measures to better secure its data.
On October 9, 2020, EyeMed reported to DFS that an individual had gained unauthorized access to its enrollment processing email mailbox, which both EyeMed and certain of its external clients used to communicate enrollment updates. Between June 24 and July 1, 2020, the intruder was able to access emails and attachments in the mailbox dating back six years before the attack. The intruder was found to have accessed information on over 2 million consumers, including children; the information included names, Social Security numbers and sensitive nonpublic health data such as medical diagnoses and conditions. DFS could not determine how the intruder obtained access to the mailbox, but EyeMed suggested that it was likely the result of a successful phishing attack.
DFS investigated EyeMed to determine whether the company had violated DFS’s Cybersecurity Regulation, 23 NYCRR Part 500, a New York state regulation that took effect on March 1, 2017, and is designed to protect the customer information and information technology systems of DFS-regulated financial services companies.
DFS Consent Order
The DFS investigation, as set forth in its Consent Order, determined that EyeMed committed the following violations7 of the Cybersecurity Regulation:
The order further noted that EyeMed violated 23 NYCRR § 500.17(b), which requires regulated entities to annually certify compliance with the Cybersecurity Regulation. Although EyeMed timely certified its compliance with the regulation from 2017-20, DFS concluded through its investigation that the company’s certifications were based on inadequate risk assessments. Consequently, DFS found that EyeMed’s certification filings for 2017-20 were improper.
In addition to the monetary penalty, EyeMed agreed to conduct a comprehensive cybersecurity risk assessment consistent with the requirements of 23 NYCRR § 500.09, submit the results of the assessment to DFS and present a detailed action plan describing the steps EyeMed will take to address any risks identified in the assessment. The company further agreed that its action plan is subject to DFS review and approval.
The fine paid to DFS was the second fine EyeMed paid in connection with the data breach. The company had previously paid a $600,000 fine to the New York attorney general in connection with a separate inquiry into the incident.
The order highlights the continued focus from regulators on cybersecurity precautions, as well as the need for companies that handle sensitive consumer information to ensure that their cybersecurity measures and assessments align with applicable laws and regulations.
1 The executive order can be accessed here.
2 Skadden’s analysis of Schrems II is available here.
3 The request for comment is available here.
4 The GAO’s 2020 report is available here.
5 The GAO’s 2022 report is available here.
6 The DFS announcement is available here.
7 The Consent Order is available here.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising
Copyright © JD Supra, LLC