On October 11, 2024, the United States Department of Defense (DOD) published a final rule implementing its Cybersecurity Maturity Model Certification (CMMC) program, which is designed to verify that defense contractors are adequately protecting sensitive information from cybersecurity threats. The CMMC applies to contractors who process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), which is most DOD contractors. The final rule is the culmination of a half-decade long process and part of the federal government’s response to recurrent and increasingly sophisticated cyberattacks targeting the defense industrial base. 

A Risk-Based, Three-Tiered System

The CMMC program identifies three levels of progressively more rigorous cybersecurity standards based on the criticality of the information handled by the contractor. Each level is keyed to security requirements published by the National Institute of Standards and Technology (NIST) and permits either self-assessment, an assessment by a “Third-Party Assessor Organization” (C3PAO), or an assessment conducted by the DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

  • Level-1: Defense contractors who process, store, or transmit FCI only can secure the most basic certification by complying with the 15 NIST cybersecurity standards in the Federal Acquisition Regulation’s (FAR) existing “Basic Safeguarding of Covered Contractor Information Systems” clause (see FAR 52.204-21). The contractor may conduct a self-assessment to achieve CMMC Level-1 certification.
  • Level-2: Defense contractors who handle CUI will be required to comply with the 110 controls in NIST Special Publication 800-171. Depending on certain factors, contractors requiring Level-2 certification will need either an annual self-assessment or a C3PAO assessment every three years.
  • Level-3: Defense contractors who handle CUI associated with a “critical program or high value asset” will need to meet all the requirements of Level-2 certification plus an additional 24 security requirements from NIST’s more advanced Special Publication 800-172. Rather than being outsourced to C3PAOs, all Level-3 assessments are conducted every three years by the DIBCAC.

Timing and Implementation

Although the DOD has published the final rule describing the CMMC, the program likely won’t take effect until mid-2025, when a related Defense Federal Acquisition Regulation Supplement (DFARS) rule is finalized. The related DFARS rule will set out how the CMMC requirements will be incorporated into contracts and contract solicitations and, once final, will trigger a four-phased progressive implementation schedule over the course of three years. That said, the publication of the final rule gives defense contractors a head start on developing and implementing CMMC-compliant programs.

Notable Takeaways

  • A Disproportionate Impact on Small Business – Although arguably less complicated than previously proposed versions, industry groups are already highlighting the potential negative impact on small businesses of complying with the final rule. Approximately 70% of the defense industrial base are small businesses that do not have the same resources or expertise as prime contractors and large integrators but will still be required to meet the same cybersecurity standards depending on the nature of the contract. The final rule states that a lower CMMC level may apply to a subcontractor if the prime only flows down limited information. However, if a prime contractor requires a Level-3 certification, then every subcontractor must achieve at least a Level-2 certification.
  • Contractors Need to Flip on a Light Switch to Their Data – As CMMC requirements are keyed to the category of data handled by the contractor, it is imperative that companies understand the nature and extent of the CUI and FCI in their holdings. Subcontractors should start communicating immediately with their prime contractors to assess the information category requirements of current and likely future DOD contracts to prepare for CMMC implementation. 
  • Begin Developing or Revising Corporate Cybersecurity Policies – Now is the time to begin preparing for the CMMC, not mid-2025. Defense contractors should be developing or revising internal cybersecurity policies to align with CMMC requirements, setting forth clear roles and responsibilities within their organizations, and testing incident response plans. Contractors subject to Level-2 certification should begin working with C3PAOs to be postured to bid on CMMC-compliant contracts as soon as possible.
  • Consider Privileged Assessments of Existing Cybersecurity Programs – By engaging with qualified legal counsel to assess cybersecurity policies and programs, companies can rely on the protection of attorney-client privilege to mitigate the risks of disclosing negative assessment results. 
  • Take Advantage of Government Resources – The DOD has a vested national interest in ensuring the defense industrial base is adequately protected from cyberattack. Federal agencies such as the Cybersecurity & Infrastructure Security Agency (CISA) offer free training and resources. Even the National Security Agency (NSA), known best for collecting foreign signals intelligence, offers free cybersecurity services, including Protective Domain Name Systems (PDNS) and Attack Surface Management, to any DOD contractor.
October is Cybersecurity Awareness Month, making it an ideal time to revisit the most impactful and widely-read blog posts on our Cybersecurity & Privacy blog from the past year. As cyber threats become more sophisticated and widespread, staying informed is crucial. Our top five blog posts cover a range of vital issues: the alarming rise in healthcare data breaches and their impacts (Alexis Buese, Eric Setterlund), the new era of mandatory cybersecurity incident reporting (Sinan Pismisoglu), the significant legislative changes addressing ransomware (Sinan Pismisoglu, Eric Setterlund), essential immediate steps to take following a data breach (Erin Jane Illman, Brett Lawrence), and how a recent, $4.1 million FCA settlement underscores the importance of cybersecurity compliance (Daniel Fortune, Lyndsay Medlin). Take a moment to explore these articles and stay ahead in the ever-evolving cybersecurity landscape.

Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024 by Alexis Buese, Eric Setterlund

The healthcare sector is increasingly facing cyber-threats, with ransomware and hacking at the forefront. In the last five years, there has been a staggering 256% rise in significant hacking-related breaches and a 264% surge in ransomware incidents reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Hacking alone was responsible for 79% of the major breaches reported to OCR in 2023. These breaches have had a profound impact, affecting over 134 million individuals in 2023 alone, marking a 141% increase from the previous year. In response to the rise in cyber-threats within the healthcare industry, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) should be proactive in aiming to mitigate or prevent the growing menace of cyber-attacks. This article will delve into OCR’s guidance, exploring the practical steps and measures that organizations can implement to bolster their cybersecurity defenses.

Read the full article here: Rise in Healthcare Data Breaches & the Impact for Healthcare Providers in 2024

Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses by Sinan Pismisoglu

A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. This notice aims to enforce the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Read the full article here: Mandatory Cybersecurity Incident Reporting: The Dawn of a New Era for Businesses

Ransomware Reckoning – The New Bill Changes the Game by Sinan Pismisoglu, Eric Setterlund

The Intelligence Authorization Act for Fiscal Year 2025 (S.4443) is a bold legislative step in addressing ransomware as a critical threat. The act’s provisions, from elevating ransomware to a national intelligence priority to establishing an AI Security Center, illustrate the U.S.’s comprehensive approach to tackling this complex issue. The act sets the stage for a resilient defense against ransomware by fostering public-private partnerships and maintaining accountability. In this post, we explore the act’s critical cybersecurity and ransomware-related provisions and their implications for enhancing the nation’s security posture.

Read the full article here: Ransomware Reckoning – The New Bill Changes the Game

Data Breach 911: Five Immediate Steps to Take by Erin Jane Illman, Brett Lawrence

For many, responding to an incident feels chaotic — questions swirling, uncertainties piling up, and no clear direction. Even when prepared with a well-rehearsed incident response plan, a data security incident places a company’s response team in a precarious situation of juggling numerous variables at once. In the chaos of determining whether a breach has occurred, companies may forget to think through the most important issues. For example, restoring network access and network security is typically the response team’s primary objective, while legal obligations and strategies are often forgotten. Though business continuity is a crucial step in the process, failure to prioritize the following critical aspects in responding to a breach could have consequences later.

Read the full article here: Data Breach 911: Five Immediate Steps to Take

Cybersecurity Compliance Issues with Verizon FCA Settlement Provides Helpful Suggestions on How to Reduce Liabilities or Mitigate Damages by Daniel Fortune, Lyndsay E. Medlin

Unfortunately, but as predicted earlier this year, the Department of Justice (DOJ) has shown no signs of pausing use of the False Claims Act (FCA) as a tool to enforce cybersecurity compliance. On September 5, 2023, DOJ announced an FCA settlement with Verizon Business Network Services LLC based on Verizon’s failure to comply with cybersecurity requirements with respect to services provided to federal agencies. Verizon contracted with the government to provide secure internet connections but fell short of certain Trusted Internet Connections (TIC) requirements.

Compared to the approximate $9 million Aerojet settlement in 2022, Verizon’s approximately $4.1 million settlement appears to provide helpful suggestions on how to reduce liabilities or mitigate damages. For example, Verizon cooperated and self-disclosed its shortcomings, and the government emphasized the company’s level of cooperation and self-disclosure in their press release. Even as cybersecurity requirements become more complex, tried and true compliance strategies remain key to mitigating damages. Companies should encourage a culture of self-reporting and agency.

Read the full article here: Cybersecurity Compliance Issues with Verizon FCA Settlement Provides Helpful Suggestions on How to Reduce Liabilities or Mitigate Damages

Today, encountering a cookie banner is a common experience for most individuals who peruse the internet. These banners inform website users of the presence of cookies or other tracking technologies through language such as, “This website uses cookies. By clicking ‘accept,’ you consent to the use of all cookies.” Many states require companies to provide consumers with certain disclosures regarding tracking technologies, and some require that users are provided an opportunity to opt-out of tracking. However, even in states without specific disclosure or opt-out requirements, businesses may still be at risk. In July 2024, the Office of the New York State Attorney General (OAG) published guidance that provides some clear examples of what is acceptable and what is considered misleading in the flow, language, and design of cookie banners.

New York’s OAG Investigation

New York does not yet have a comprehensive set of privacy regulations, so there is no requirement that websites give users the opportunity to opt-out of tracking. However, the NY OAG guidance states that if a business makes inaccurate or misleading representations about tracking on their website, they are at risk of violating New York’s consumer protection laws. Thus, if a website displays a cookie banner that is faulty, that business can be prosecuted under New York law despite the lack of a specific privacy regulation. Even more concerning is that New York’s Unfair, Deceptive, or Abusive Acts or Practices (UDAP) provides for a private right of action with an attorney’s fees provision, increasing the likelihood and incentive for future litigation (N.Y. Gen. Bus. Law § 349(h)).

The New York OAG analyzed several popular websites and found that many continued to track users after they had opted out of tracking. The investigation identified several causes of this defect. For example, many websites separate tags or cookies based on categories (such as marketing or fraud detection). Websites often give users the option to disable tracking for certain categories. However, if tags are miscategorized or uncategorized, tracking can remain active after a user attempted to disable a specific category.

Additionally, the investigation found that some websites may be mistakenly relying on “limited data use” features offered by third-party cookie providers. While certain companies provide businesses with the option to have more control over data use, many such features are only available in states with comprehensive privacy laws. In states without such regulations, providers may continue to collect and use consumer data.

Further examples of potential pitfalls identified by the OAG investigation include misconfigured cookie consent tools that fail to adhere to consumers’ chosen privacy settings; tags and cookies that are not configured to a website’s specific privacy controls; and websites only applying privacy choices to third-party cookies while continuing to use other tracking technologies.

The New York OAG guidance provides very clear examples of what is not allowed in cookie banners, such as hidden “save” features, accept only options, or confusing accept buttons. The guidance also provides some recommendations for businesses to prevent potential legal violations. These recommended processes include designating a specific individual to manage tracking technology, investigating new technology before it is used, and conducting appropriate testing and review of tracking tools.
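The failure modes the investigation describes (miscategorised or uncategorised tags, and consent applied only to cookies while other trackers keep running) come down to how a site's consent gate is written. The following Node.js example is added here and is not code from the post or the OAG guidance; its tag names, categories and reviewed purposes are constructed. It contrasts a misconfigured gate with a default-deny gate and adds the kind of opt-out audit the guidance recommends.

```javascript
// Added example, not code from the post or the OAG guidance. It models the
// consent-gating logic of a tag manager in plain Node.js (no DOM) so the
// failure modes the OAG found can be reproduced and caught. All tag names,
// categories and purposes are constructed for illustration.

// Categories the consent banner lets a user toggle; fraud detection is
// treated as strictly necessary and runs without consent.
const CATEGORIES = ["analytics", "marketing", "fraud_detection"];
const ESSENTIAL = new Set(["fraud_detection"]);

// Tag registry as the site has labelled it. Two entries are wrong on purpose:
// retarget-sdk is really marketing, and session-replay was never categorised.
const TAGS = [
  { id: "analytics-js",   category: "analytics",       mechanism: "cookie" },
  { id: "ad-pixel",       category: "marketing",       mechanism: "pixel" },
  { id: "retarget-sdk",   category: "fraud_detection", mechanism: "cookie" },
  { id: "session-replay", category: undefined,         mechanism: "localStorage" },
  { id: "fraud-check",    category: "fraud_detection", mechanism: "cookie" },
];

// What each tag actually does, established by reviewing the vendor and its
// script before deployment (the "investigate new technology" recommendation).
const REVIEWED_PURPOSE = {
  "analytics-js": "analytics",
  "ad-pixel": "marketing",
  "retarget-sdk": "marketing",
  "session-replay": "analytics",
  "fraud-check": "fraud_detection",
};

// Consent state after a user declines every optional category.
function optOutOfAll() {
  return Object.fromEntries(
    CATEGORIES.filter((c) => !ESSENTIAL.has(c)).map((c) => [c, false]),
  );
}

// Weak gate, as commonly misconfigured: consent is only wired to cookies,
// and a tag is blocked only when its category was explicitly set to false.
// Non-cookie trackers and uncategorised tags fall through and fire.
function firingTagsWeak(tags, consent) {
  return tags
    .filter((t) => t.mechanism !== "cookie" || consent[t.category] !== false)
    .map((t) => t.id);
}

// Hardened gate: default deny, applied to every mechanism. A tag fires only
// when it has a category that is either essential or affirmatively allowed.
function firingTagsStrict(tags, consent) {
  return tags
    .filter((t) => t.category !== undefined &&
                   (ESSENTIAL.has(t.category) || consent[t.category] === true))
    .map((t) => t.id);
}

// Audit: under a full opt-out, which tags still fire although their reviewed
// purpose is not essential? Comparing against the reviewed purpose catches
// miscategorised tags, which any gate that trusts the label will let through.
function auditOptOut(gate, tags, reviewedPurpose) {
  const consent = optOutOfAll();
  return gate(tags, consent)
    .filter((id) => !ESSENTIAL.has(reviewedPurpose[id]))
    .map((id) => ({
      id,
      labelled: tags.find((t) => t.id === id).category ?? "uncategorised",
      actual: reviewedPurpose[id],
    }));
}

// Remediation for the registry: set each tag's category from the review.
function recategorise(tags, reviewedPurpose) {
  return tags.map((t) => ({ ...t, category: reviewedPurpose[t.id] }));
}

// Stand-alone demonstration: three violations, then one, then none.
console.log("weak gate violations:  ", auditOptOut(firingTagsWeak, TAGS, REVIEWED_PURPOSE));
console.log("strict gate violations:", auditOptOut(firingTagsStrict, TAGS, REVIEWED_PURPOSE));
console.log("after recategorising:  ",
  auditOptOut(firingTagsStrict, recategorise(TAGS, REVIEWED_PURPOSE), REVIEWED_PURPOSE));
```

The default-deny gate alone removes two of the three causes; the miscategorised tag survives it, which is why the audit checks reviewed purpose rather than the label.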

Key Takeaway

Companies should regularly audit and assess their use of tracking technologies and the disclosure and opt-out functionality in their cookie banners, and they should refer to the “dos and don’ts” published by the New York OAG, in conjunction with the regulatory, legislative, and litigation developments in this area.

For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point or reach out to one of our authors.

Bradley’s Government Enforcement and Investigations team keeps a close eye on the different ways the government is using the False Claims Act (FCA) to seek redress for cybersecurity deficiencies and force companies into a new technological era. Check out this blog post by Brad Robertson and Cara Rice, two members of Bradley’s Government Enforcement and Investigations Practice Group, about the U.S. Department of Justice’s first major complaint-in-intervention accusing a government contractor of violating the FCA through cybersecurity deficiencies.

The Intelligence Authorization Act for Fiscal Year 2025 (S.4443) is a bold legislative step in addressing ransomware as a critical threat. The act’s provisions, from elevating ransomware to a national intelligence priority to establishing an AI Security Center, illustrate the U.S.’s comprehensive approach to tackling this complex issue. The act sets the stage for a resilient defense against ransomware by fostering public-private partnerships and maintaining accountability. In this post, we explore the act’s critical cybersecurity and ransomware-related provisions and their implications for enhancing the nation’s security posture.

Deeming Ransomware Threats to Critical Infrastructure a National Intelligence Priority

The act elevates ransomware to a national intelligence priority, underscoring its grave potential to disrupt critical infrastructure and destabilize the economy. By prioritizing ransomware, the act allocates substantial intelligence resources toward understanding, mitigating, and preventing these attacks. The act empowers the director of National Intelligence to proactively identify and track the perpetrators behind these attacks and develop effective countermeasures based on the attackers’ tactics, techniques, and infrastructure.

Mandating a Report on Ransomware Threats

The act requires the director of National Intelligence to submit a comprehensive report to Congress detailing the national security implications of ransomware threats. This report equips policymakers with critical insights to develop more informed and effective legislative and policy responses. Undoubtedly, by requiring regular assessments, the act ensures that the intelligence community remains agile and adaptive in safeguarding national interests.

Establishing a Process for Designating State Sponsors of Ransomware

The act introduces a novel process for designating nations that support ransomware activities as “state sponsors of ransomware.” This provision mirrors the established framework for designating state sponsors of terrorism, enabling the application of similar diplomatic and economic pressures to countries. This designation aims to hold accountable those nations that actively support or provide safe havens for cybercriminals engaged in ransomware activities.

By labeling certain countries as state sponsors of ransomware, the U.S. acquires the authority to impose sanctions and penalties, thus creating a strong disincentive for nations to harbor or support ransomware groups.

Sense of Congress on Hostile Foreign Cyber Actors

The act further solidifies Congress’ stance against ransomware actors by expressing its view that foreign ransomware organizations and their affiliates should be considered hostile foreign cyber actors. This designation can pave the way for more aggressive legal and policy actions against these groups.

Moreover, the act takes a proactive approach by explicitly naming specific ransomware groups, such as DarkSide and Black Basta, and categorizing them as “hostile foreign cyber actors.” This label sends a clear message that their activities will not be tolerated and that the U.S. intelligence community is committed to countering their operations. However, the fluid nature of the cybercriminal underground poses a challenge. Ransomware groups often rebrand and reorganize to evade law enforcement. While naming specific groups highlights immediate threats, the legislation’s adaptability is crucial to address the ever-evolving cyber threat landscape.

Enhancing Public-Private Partnerships

The act recognizes a simple truth: We can’t fight cybercrime alone. It calls for a united front, bringing together the public and private sectors to combat the ever-evolving ransomware threat. By encouraging collaboration, the act aims to facilitate sharing critical information – threat intelligence, best practices, and technological breakthroughs. The private sector, particularly those companies operating within critical infrastructure and the cybersecurity industry, plays an indispensable role in this collective defense effort.

Establishing the Artificial Intelligence Security Center

The act acknowledges the double-edged sword of emerging technologies. While new technologies may present new vulnerabilities, they also can be powerful tools in the fight against ransomware. That’s where the new Artificial Intelligence (AI) Security Center comes in. Its mission is to strengthen our ability to detect and counteract AI-related threats, including those posed by ransomware.

The AI Security Center will focus on developing and deploying AI-powered tools to identify patterns in ransomware attacks, predict potential targets, and even automate responses. By harnessing AI’s power, the center aims to stay one step ahead of cybercriminals who are increasingly using sophisticated technology in their attacks. 

Reporting and Accountability

The act strongly emphasizes transparency and accountability in the fight against ransomware. It mandates regular reporting to Congress on the progress and efficacy of measures implemented to combat this threat. These reports will offer valuable insights into the evolving ransomware landscape, the successes and challenges of current strategies, and areas requiring further attention.

Furthermore, the act mandates the prompt reporting of ransomware attacks, particularly those impacting critical infrastructure, aiming to get the intelligence community and other relevant agencies to respond swiftly and effectively.

Conclusion

The Intelligence Authorization Act for Fiscal Year 2025 marks a watershed moment in the U.S. government’s battle against ransomware. It’s not just another piece of legislation; it’s a clear statement that we’re taking this threat seriously. In essence, this act represents a bold step forward, highlighting a comprehensive and multi-faceted approach to tackling the complex ransomware issue.

Privacy issues are inherent in almost all facets of a business — from operations, employment, and technology to customer service, contracts, legal and compliance — all with varying degrees of risk. Most companies mitigate risk by standardizing processes and procedures to handle certain common or low-risk situations. This is helpful in streamlining repetitive inquiries that typically have the same or similar answers or action items.

One such area is a company’s response to validly issued subpoenas and warrants. When a U.S. company receives a court-issued subpoena or valid warrant, the process for responding is relatively clear and the risk of disclosing personal information is mitigated by the legal process involved (and further bolstered by the fact that most privacy laws provide exceptions to disclosure of personal information to law enforcement).

However, this process assumes that the law enforcement officer, or their subpoena or warrant, has valid authority. A new lawsuit against Verizon Communications, Inc. alleges in a North Carolina federal court complaint that the company violated federal privacy law by giving the plaintiff’s personal information to an individual she met online who later stalked and threatened to kill her, arriving at her house with a knife. The complaint alleges that the perpetrator pretended to be a police detective and provided Verizon with a fake search warrant. Although damages, cognizable injury, and even legal standing to bring a claim can be difficult to prove in privacy cases, this case presents unique facts where the victim was at risk of physical harm and, accordingly, could be awarded significant, tangible damages. M.D., the victim, has brought claims alleging violations of the federal Stored Communications Act, as well as state tort causes of action for intentional and negligent infliction of emotional distress.

The Stored Communications Act prohibits Verizon from “knowingly divulg[ing]” the contents of communications to any person, or “a record or other information pertaining to a subscriber to or customer … to any governmental entity,” subject to certain exceptions, which include validly issued criminal subpoenas (18 U.S.C. § 2702). The harm that allegedly befell M.D. was purportedly caused by the disclosure of her personal information, not necessarily the “contents” of her communications, which might provide Verizon with a defense to the federal charge. It’s not clear on the face of the complaint that the “contents” of any communications were provided, and Verizon did not, in fact, disclose subscriber/customer information to a governmental entity — it disclosed M.D.’s information to her civilian stalker.

M.D.’s negligence claim, on the other hand, might cause Verizon more trouble. Similar to other types of fraud or online scams, the perpetrator’s email did not match any official government email, the “search warrant” was full of misspellings, typos, or other errors, and the judge that presumably signed the warrant was not even a judge in the county in which the “search warrant” was issued — according to the complaint. Damages may be different in this case, but the legal analysis could be analogous to email spoofing/phishing cases: Was Verizon negligent in failing to notice these common hallmarks of a fraud?

Few cases reach the point where courts or fact finders weigh in on the reasonableness of how a business handled spoofed/phishing communications because in the banking context, where these claims most commonly arise, state versions of the Uniform Commercial Code often displace traditional negligence principles. Given the facts and potential damages at issue here, Verizon may settle before the issue is resolved, but the mere filing of the complaint serves to put businesses on notice of yet another avenue by which they might be subject to attack — the phishing subpoena. Businesses should confirm that their policies and procedures are up to date to handle everything criminals throw at them. An ounce of prevention and training, in this case recognition of common fraud signs and verification with law enforcement regarding the subpoena’s validity, might save a business hundreds of thousands of dollars in litigation costs.

In Part I, we discussed the European Commission’s (“Commission”) disapproval of Meta’s “pay or consent” subscription model. In Part II, we delve into the European Commission’s findings, prior findings by the European Data Protection Board (EDPB), and how those findings may affect future models where privacy is considered “for sale.”

The European Commission’s Findings Against Meta

The Commission’s preliminary view is that Meta’s model does not comply with Article 5(2) of the Digital Markets Act (DMA), which requires that users who do not consent to data combination must still have access to an equivalent service that uses less of their personal data. The investigation, which began in March 2024, highlighted that Meta’s model does not provide an equivalent service that uses less personal data for users who refuse consent. In other words, the model coerces users into consenting to personalized ads to avoid paying a fee, undermining their rights to freely consent to the use and processing of their personal data.

The Commission emphasized that compliance with the DMA means offering users an equivalent alternative that respects their data privacy choices without forcing them into consent through financial penalties.

Non-compliance with the DMA can lead to fines of up to 10% of a gatekeeper’s total worldwide turnover, increasing to 20% for repeated infringements. Additionally, the Commission can impose operational remedies, such as compelling Meta to divest parts of its business or restricting future acquisitions. Meta now has the opportunity to respond to these preliminary findings by examining the investigation documents and submitting a written defense. The investigation will conclude within 12 months from the opening of proceedings on March 25, 2024.

The EDPB’s Opinion on “Consent or Pay” Models

Earlier this year, the EDPB adopted Opinion 08/2024 in response to a request from the Dutch, Norwegian, and Hamburg data protection authorities. The opinion addresses the validity of consent to process personal data for behavioral advertising in “consent or pay” models implemented by large online platforms.

The EDPB defines “consent or pay” models as scenarios where users must either consent to the processing of their personal data (typically for behavioral advertising) or pay a fee to access the service without such data processing. The EDPB’s opinion specifically targets large online platforms, which, due to their significant user base and influence, require a consistent regulatory approach across the European Economic Area (EEA). This uniformity is crucial given the widespread impact on data subjects.

EDPB Chair Anu Talus highlighted the need for online platforms to provide users with a real choice, noting that current models often force users to either give away all their data or pay a fee. The EDPB considers that in most cases, such models do not comply with the GDPR’s requirements for valid consent, which must be freely given, informed, specific, and unambiguous.

The EDPB’s opinion stressed that consent must be given without any form of coercion or significant negative consequences for the user. A “pay or consent” model can only satisfy this requirement if the fee is not prohibitively high, ensuring that users have a genuine choice. The fee should not exclude users from essential services, especially those crucial for social or professional engagement. Users must fully understand what they are consenting to, including clear information on the nature and purpose of data processing and the consequences of giving or withholding consent. The EDPB stresses the importance of transparency and cautions against complex or deceptive designs that could mislead users, similar to the prohibition on “dark patterns” under U.S. state privacy laws.

Consent must be specific to distinct processing activities. Users should have the option to consent to various data processing purposes separately. The practice of bundling multiple purposes into a single consent request undermines the specificity required by the GDPR. The process for obtaining consent must be straightforward and clearly indicate the user’s intentions without any ambiguity. Users should be able to give their consent through clear, affirmative actions.

The Commission’s preliminary findings against Meta align closely with the EDPB’s Opinion 08/2024. Both regulatory bodies emphasize that Meta’s “pay or consent” model fails to provide users with a genuinely equivalent alternative to consent for data processing. The EDPB’s opinion highlights that such models often do not meet GDPR standards for valid consent, while the Commission’s findings indicate that Meta’s model violates the DMA by coercing users into consenting to certain data processing.

The EDPB recommends that platforms should provide an equivalent alternative that does not involve behavioral advertising and does not require a fee. This alternative should ensure that all users can access the service without being forced into a binary choice. If behavioral advertising is necessary, platforms should consider using less intrusive forms of advertising that do not rely on extensive data processing. This approach aligns with the GDPR’s data minimization principle, which mandates that only data necessary for the intended purpose should be processed. This is also in alignment with U.S. state privacy law requirements to only process “relevant and reasonably necessary” data.

Platforms must provide clear and comprehensive information about data processing activities, including detailed explanations of what data will be collected, how it will be used, and the potential impacts on users’ privacy. Transparency is crucial to ensure that users can make informed decisions.

The EDPB highlights challenges in balancing business models that rely heavily on advertising revenue with compliance requirements. Platforms must implement mechanisms that genuinely offer users a choice without coercion or undue influence. This includes setting appropriate fee levels and providing clear, understandable information about data processing practices. Platforms must continuously adapt their practices to meet evolving regulatory expectations, ensuring that user rights are consistently upheld.

Conclusion

The EDPB’s opinion underscores the importance of adhering to fundamental GDPR principles in the context of “consent or pay” models. It calls for large online platforms to ensure that their consent mechanisms are designed to offer real, uncoerced choices to users, maintaining the integrity of data protection rights. Compliance with these guidelines is crucial not only for legal adherence but also for fostering trust and transparency with users. Further, these concepts are present under U.S. law and there is a growing cooperation between U.S. privacy regulators and EU data protection authorities to address issues such as consent, targeting advertising, data minimization, and transparency.

The outcome of this investigation will have far-reaching implications for many businesses, setting a precedent for the enforcement of gatekeeper practices and the promotion of a fair and competitive digital market. This case exemplifies the EU’s commitment to regulating the power of large digital companies and fostering an open digital landscape. This case also provides insight into U.S. regulatory priorities and previews how privacy issues could be addressed under U.S. state privacy laws. Our team at Bradley will continue to monitor these developments.

For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point or reach out to one of our authors.


In November of 2023, Meta launched a service in the European Union that allowed users to utilize the Facebook and Instagram platforms “ad free” for a monthly fee. The subscription service was meant to address regulatory concerns about Meta’s vast data collection and surveillance-based advertising system that tracks consumers across websites. The concept introduced a binary choice: Either subscribe to an ad-free version of these social networks for a monthly fee or use a free version that includes personalized ads.

On July 1, 2024, the European Commission announced its disapproval of this model and preliminary findings against Meta’s “pay or consent” process, stating that it violates the Digital Markets Act (DMA). In fact, the European Commission posted the following on its own Facebook account:

The “Pay or Consent” advertising model of Meta fails to comply with the Digital Markets Act. Our preliminary findings show that this choice forces users to consent to the combination of their personal data and fails to provide them a less personalized but equivalent version of Meta’s social networks.

The DMA is the EU’s legislation aimed at ensuring fairer and more contestable markets in the digital sector. It establishes clear criteria to identify “gatekeepers” — large digital platforms providing core platform services like online search engines, app stores, and messenger services. These gatekeepers must comply with a set of obligations and prohibitions to ensure an open and competitive digital market. The DMA complements existing EU competition rules without altering them.

Gatekeepers under the DMA must allow third parties to interoperate with their services, grant business users access to data generated on their platform, and provide transparency in advertising. They are prohibited from favoring their own services over those of competitors, preventing users from uninstalling pre-installed software, and tracking users for targeted advertising without effective consent.

The Commission’s preliminary findings focused on two issues. First, that the service effectively required an individual to consent to Meta combining their personal data across its services unless they were willing to pay for an equivalent service. Second, that the binary options offered were an illusion of choice and failed to meet the requirements for freely given consent.

These are also issues that reverberate outside of the EU. U.S. state regulators, as well as the Federal Trade Commission (FTC), have been focused on similar concerns – namely, whether companies can require personal information as part of a financial incentive without a discriminatory effect and what constitutes freely given, informed consent to process personal information.

In Part II of this discussion, we will take a deeper dive into the European Commission’s findings against Meta and how those findings may influence privacy law and enforcement more broadly, including here in the United States.

Our team at Bradley will continue to monitor these developments. For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point or reach out to one of our authors.


As discussed in our previous blog post, the Cybersecurity and Infrastructure Security Agency (CISA) is proposing a significant new rule to bolster the nation’s cyber defenses through mandatory incident reporting. While designed to enhance CISA’s ability to monitor and respond to cyber threats, the rule has ignited a contentious debate. The concerns raised highlight the delicate balance between strengthening national security and avoiding undue burdens on businesses.

Broad Concerns and Overreporting Fears

A key concern across various industries is that the rule’s broad scope could capture over 300,000 entities, many not traditionally considered critical infrastructure. This could lead to overreporting, overwhelming CISA with low-value data, and potentially diverting resources from addressing significant threats. Critics, including Sen. Gary Peters, advocate for a more targeted approach, focusing on incidents with genuine national security implications.

Furthermore, the existing patchwork of over 50 federal breach reporting rules across various agencies raises concerns about redundancy and increased compliance burdens for businesses. The proposed rule could add another layer of complexity without necessarily enhancing cybersecurity outcomes.

Manufacturing Sector’s Alarm Bells

The National Association of Manufacturers (NAM) is particularly worried about the rule’s potential impact on its members. The NAM argues that the broad definition of “covered entities” could ensnare numerous manufacturers operating outside traditional critical infrastructure, burdening them with complex and costly reporting requirements they may not be equipped to handle. The NAM also criticizes the expansive definition of reportable incidents, advocating for a more targeted approach focused on incidents that genuinely impact critical infrastructure and national security.

Healthcare’s Unique Challenges

Healthcare and hospital groups raise unique concerns due to their sector’s interconnected nature. They argue for the inclusion of insurers and third-party vendors under the rule, as the exclusion of key entities like health IT providers and labs could lead to significant disruptions if they are targeted by cyberattacks. The strict 24- and 72-hour reporting deadlines are also a concern, as they could divert resources from patient care during a crisis and impose financial burdens on under-resourced hospitals and providers. These groups have requested financial support and technical assistance to help comply with new requirements without compromising patient care.

Finding a Middle Ground

To address these concerns, several recommendations have been proposed:

  1. Reconsider the Scope – Focus on those entities and reportable incidents with significant impact on critical infrastructure and national security.
  2. Streamline Reporting – Develop a unified reporting mechanism that harmonizes with existing regulations.
  3. Provide Support – Offer technical and financial assistance to smaller entities.
  4. Clarify Definitions – Clearly define key terms to prevent overreporting and ensure consistent interpretation.
  5. Flexibility – Tailor reporting requirements to specific industry needs, such as healthcare’s need for immediate incident response.

Balancing Security and Practicality

The debate surrounding CISA’s proposed rule underscores the challenge of balancing robust cybersecurity measures with practical, feasible compliance for businesses. Open dialogue and collaboration between CISA and industry stakeholders are crucial to finding a middle ground that strengthens national security without imposing undue burdens. By addressing industry concerns and refining the rule, CISA can create a framework that effectively protects critical infrastructure while fostering a collaborative approach to cybersecurity.

For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point or reach out to one of our authors.


A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Once the rule is finalized, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024. The notice implements the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report specific cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comments until July 3, 2024. After this period, CISA has 18 months to finalize the rule, with an expected implementation date around October 4, 2025. The rule should be effective in early 2026. This document provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD 21). These sectors are: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within a critical infrastructure sector that exceed the SBA small business size standard for their industry
  2. Entities operating within a critical infrastructure sector that meet one of the sector-based criteria, regardless of size

Size-Based Criteria

The size-based criteria use Small Business Administration (SBA) standards, which vary by industry and are based on annual revenue and number of employees. Entities in critical infrastructure sectors exceeding these thresholds are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, such as third-party compromises, denial-of-service attacks, and exploitation of vulnerabilities in open-source code. It does not cover mere threats that have not resulted in an incident, or activity carried out at the request of the system’s owner or operator (for example, an authorized penetration test). Substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports – within 72 hours of the entity reasonably believing a covered cyber incident occurred
  • Ransom Payment Reports – within 24 hours of making a ransom payment in response to a ransomware attack
  • Joint Covered Cyber Incident and Ransom Payment Reports – a single report, within 72 hours, where a ransom payment is made in connection with a covered cyber incident
  • Supplemental Reports – within 24 hours of substantial new or different information becoming available, or of making an additional ransom payment

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.
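The report types and windows above are the kind of thing an incident response team ends up tracking by hand during a crisis, which is exactly when arithmetic errors happen. The following is an added example, not code from the original post or from CISA, of a small deadline tracker that turns the timestamps an IR team already records (when the entity reasonably believed a covered incident occurred, when a ransom was paid, when substantial new information surfaced) into concrete due times and flags anything overdue. The windows are the ones summarized on this page; the rule that a joint report replaces the two separate reports only when the payment is made before the incident report is filed, and the choice of the earlier of the two deadlines for that joint report, are this example’s own conservative assumptions, as is starting the two-year retention clock from the last report deadline. Check all of them against the final rule before relying on the output.

```python
"""Added example: CIRCIA report deadline tracker (assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows as summarized on the page (NPRM terms; confirm against the final rule).
INCIDENT_WINDOW = timedelta(hours=72)    # Covered Cyber Incident Report
PAYMENT_WINDOW = timedelta(hours=24)     # Ransom Payment Report
SUPPLEMENT_WINDOW = timedelta(hours=24)  # Supplemental Report after new information / extra payment
RETENTION = timedelta(days=730)          # "at least two years"; start point is an assumption below


@dataclass
class IncidentTimeline:
    """Timestamps an IR team records for one covered cyber incident (all timezone-aware, UTC)."""
    reasonable_belief_at: datetime                   # when the entity reasonably believed a covered incident occurred
    ransom_paid_at: Optional[datetime] = None        # when a ransom payment was made, if any
    new_information_at: list = field(default_factory=list)  # times substantial new info or extra payments arose
    submitted: dict = field(default_factory=dict)           # report name -> time it was actually filed


def report_deadlines(t: IncidentTimeline) -> dict:
    """Return every CIRCIA report this timeline triggers, keyed by name, with its due time."""
    incident_due = t.reasonable_belief_at + INCIDENT_WINDOW
    due = {"covered_cyber_incident_report": incident_due}

    if t.ransom_paid_at is not None:
        payment_due = t.ransom_paid_at + PAYMENT_WINDOW
        incident_filed = t.submitted.get("covered_cyber_incident_report")
        # Assumption: a single joint report may replace both separate reports only when the
        # payment happens before the incident report is filed and before its 72-hour deadline.
        joint_possible = t.ransom_paid_at <= incident_due and (
            incident_filed is None or t.ransom_paid_at < incident_filed
        )
        if joint_possible:
            # Assumption: take the earlier of the two clocks so the joint report never
            # lands later than a separate ransom payment report would have.
            due = {"joint_incident_and_ransom_payment_report": min(incident_due, payment_due)}
        else:
            due["ransom_payment_report"] = payment_due

    # Each piece of substantial new information (or additional payment) starts its own 24-hour clock.
    for i, ts in enumerate(t.new_information_at, start=1):
        due[f"supplemental_report_{i}"] = ts + SUPPLEMENT_WINDOW
    return due


def overdue_reports(t: IncidentTimeline, now: datetime) -> list:
    """Names of required reports whose deadline has passed and that have not been filed."""
    return [name for name, d in report_deadlines(t).items() if now > d and name not in t.submitted]


def retain_until(t: IncidentTimeline) -> datetime:
    """Assumption: keep the data used for the reports for two years after the last report deadline."""
    return max(report_deadlines(t).values()) + RETENTION


if __name__ == "__main__":
    # Constructed sample timeline: belief on a Monday morning, ransom paid 30 hours later,
    # substantial new information four days in, nothing filed yet.
    utc = timezone.utc
    timeline = IncidentTimeline(
        reasonable_belief_at=datetime(2025, 1, 6, 9, 0, tzinfo=utc),
        ransom_paid_at=datetime(2025, 1, 7, 15, 0, tzinfo=utc),
        new_information_at=[datetime(2025, 1, 10, 12, 0, tzinfo=utc)],
    )
    for name, d in report_deadlines(timeline).items():
        print(f"{name:45s} due {d.isoformat()}")
    print("overdue now:", overdue_reports(timeline, datetime(2025, 1, 9, 0, 0, tzinfo=utc)))
    print("retain data until:", retain_until(timeline).date())
```

The useful property is that the tracker is driven by the same timestamps the team would put in the incident log anyway, so the deadlines stay consistent with the record that will later be scrutinized, and `overdue_reports` gives a single check to run at every shift handover.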

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director may issue a request for information (RFI) if an entity fails to submit a required report. Continued non-compliance can lead to civil action or court orders, with consequences that may include debarment and restrictions on future government contracts. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the rule is not expected to take effect until late 2025 at the earliest, companies should begin preparing now. Entities should review the proposed rule to determine whether they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart that lists each incident reporting obligation, its trigger, and its deadline can help track the overlapping requirements. Proactive measures, and where appropriate formal comments on the proposed rule, will ease compliance once the rule is finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.