Activity in the cybersecurity and data protection space continues to increase as new laws and regulations are enacted in the US and abroad. Here are five recent developments that could affect your business.
President Biden issues warning about possible Russian cyberattacks
On March 21, 2022, the White House recommended that US companies take steps to protect themselves against potential cyberattacks initiated by and/or from Russia. Recommended measures include:
- Mandatory multi-factor authentication;
- Implementation of modern security tools on computers and devices;
- Ensuring systems are patched and protected against all known vulnerabilities;
- Data backup and encryption; and
- Educating employees on common tactics used by attackers.
While many of these recommendations are good practices at all times, Management believes it is particularly important to emphasize them now given the heightened risks.
US and EU Announce High-Level Agreement to Replace Privacy Shield
In a joint press release, President Biden and the President of the European Commission, Ursula von der Leyen, announced that an agreement had been reached in principle to replace the Privacy Shield, a mechanism through which the personal data of European citizens could be transferred from the European Union to the United States. A new mechanism has been required since July 2020, when the European Court of Justice ruled, in a landmark decision commonly known as Schrems II, that the Privacy Shield did not adequately protect the rights of EU citizens. While the details of the high-level agreement will need to be fleshed out, the announcement was a positive sign for many companies that have been waiting for more clarity on how such data transfers might be legal under the General Data Protection Regulation (GDPR).
Utah is the fourth state to enact a consumer data protection law
Utah recently became the fourth state to enact a comprehensive consumer data protection law. The Utah Consumer Privacy Act has a number of similarities to the laws in California, Virginia and Colorado, the other three states that have passed consumer data protection laws. However, companies doing business in Utah must carefully assess whether the differences among these laws could impact their operations. The law takes effect on December 31, 2023.
Data transfers from the UK
On March 21, the International Data Transfer Agreement (IDTA) and an Addendum, which organizations can use to transfer personal information from the United Kingdom (UK) to the United States, went into effect. The IDTA was published by the UK Information Commissioner’s Office (ICO) and is the UK equivalent of the EU’s Standard Contractual Clauses (SCC). The Addendum may be used in conjunction with the EU SCCs to comply with the UK General Data Protection Regulation. These documents were necessary because, post-Brexit, companies could no longer rely on the new SCCs for personal data transfers.
NIST publishes artificial intelligence guidelines
On March 17, the National Institute of Standards and Technology (NIST) issued a voluntary draft guide to address risks in the design, development, use, and evaluation of artificial intelligence (AI) products, services, and systems. NIST has requested public comments on the draft by April 29, 2022. The plan is to incorporate these comments into a second draft of the document. In addition, NIST held a workshop on AI and bias from March 29-31, 2022. The guidance and workshop reflect the Administration’s efforts to stay ahead of the growing adoption of AI in a variety of industries.
Stay tuned for more legal developments related to data management, including privacy and data protection, cybersecurity, intellectual property rights, and data quality.