We are delighted by the positive feedback we have received on our first two issues of Dechert Cyber Bits. Thank you for taking the time to send us your comments. In this issue of Cyber Bits, we discuss key developments from around the globe, including CISA’s patch directive and a recent UK class action decision, among other cutting edge topics. As usual, we provide practical takeaways designed to reduce risk for your organization.

Our top-ranked, global team covers all aspects of privacy and cybersecurity, including class action litigation defense, breach response/ransom negotiation, strategic privacy counseling, transactional diligence and the defense of regulatory actions. Our deep bench spans Dechert’s 22 global offices, and our partners are top-ranked thought leaders and pioneers in the space who bring decades of expertise and experience. We have litigated some of the earliest, landmark privacy litigation matters, handled over a thousand data breach investigations and defended hundreds of regulatory enforcement actions brought by U.S. and global regulators. Our lawyers routinely advise the world’s top companies on cutting-edge and sensitive matters of strategic importance. Many are high profile, but our best work often involves matters that no one ever hears about – such as the regulatory inquiry that quietly goes away, the creative strategic advice that solves a thorny, cross-border data transfer issue, or the use of innovative technology to leverage data holdings.

We hope you will find Dechert Cyber Bits useful and informative. If you have any questions or would like to discuss any of these topics further, please contact any member of our team.

Brenda Sharton and Karen Neuman
Co-Chairs, Privacy & Cybersecurity

UK Supreme Court Puts Brakes on Data Privacy Class Actions in the Uk

An attempted class action against Google has been dismissed by the UK Supreme Court in a landmark ruling that significantly limits the scope for data privacy claims brought by way of class action in the UK. The claim, which was worth more than £3 billion, alleged that between 2011 and 2012 Google secretly tracked the browsing histories of iPhone users to sell their personal data to advertisers. Significantly, the claim was brought on behalf of over four million Apple iPhone users on an “opt out” basis, meaning that all relevant iPhone users were automatically included in the claim unless they expressly requested to be omitted.

Overturning the Court of Appeal’s decision, the Supreme Court decided that actual damage (such as financial loss) or mental distress was required for compensation to be awarded and that "loss of control" of personal data was not sufficient. Secondly, the Supreme Court found that the impact of Google’s unlawful processing would vary for each iPhone user, and damages would depend on factors specific to each individual (such as the period of time over which Google tracked the individual’s browsing history and the sensitivity of the data collected). As individualised assessments would be required, the claim could not be brought by means of an “opt out” class action.

Takeaway: In light of the Supreme Court’s decision, the UK’s “opt out” class action regime will very rarely be available for data protection claims. The UK’s “opt in” class action procedure is also generally not appropriate for data protection claims where each impacted individual has suffered only modest harm. In practice, this means that many potential claims by data subjects will never come to fruition, and enforcement action by the UK Information Commissioner’s Office will remain the principal risk to data controllers when assessing their UK data protection compliance.

CISA Issues Binding Directive to Patch Software Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) on November 3, 2021, ordering federal agencies to remediate security vulnerabilities identified in a Known Exploited Vulnerabilities Catalog of Common Vulnerabilities and Exposures (CVEs).

The Catalog is intended to identify and share information about security flaws that present significant risks and that are known to have been exploited by threat actors. There are 291 CVEs listed in this initial publication of the Catalog, and it will be updated with additional exploited vulnerabilities as they become known.

The BOD applies to security flaws in both software and hardware, and requires agencies and private companies hosting agency information to take three steps:

1. Remediate listed vulnerabilities based on timelines set forth in the Catalog: namely, within two weeks for flaws exploited in 2021 and within six months for flaws exploited in 2020;
2. Review and update internal vulnerability management procedures within 60 days of issuance of the BOD; and
3. Provide ongoing quarterly reports on the remediation status of vulnerabilities listed in the Catalog.

Takeaway: While only federal agencies and third parties working on behalf of federal agencies are required to adhere to this BOD, the Catalog will be a helpful resource to private actors as well, since it provides a free and accessible list of vulnerabilities currently being exploited by threat actors (and which have vendor-provided updates or patches).

Decision Against IAB TCF Expected to Increase Pressure on Adtech Industry

The Interactive Advertising Bureau Europe (IAB), the European-level trade association for the digital marketing and advertising industry, is expecting to be censured by Belgium’s data protection authority (DPA) for GDPR violations involving the IAB Europe Transparency and Consent Framework (TCF). The IAB recently revealed that the Belgian DPA is close to finalising a draft ruling that will identify a number of GDPR violations. Significantly, the ruling is expected to find that the TCF (designed by IAB to assist the digital advertising industry in complying with the GDPR) does not satisfy GDPR requirements for data controllers.

The IAB expects the draft ruling to find that the IAB is a controller for “TC Strings” (digital signals that capture website users’ choices and form a fundamental part of the TCF). The IAB had not previously considered itself to be a controller with respect to TC Strings so it had not fulfilled certain obligations of controllers under the GDPR.

Takeaway: In line with the GDPR cooperation procedure, the Belgian DPA’s draft ruling will be shared with other EU DPAs who may provide input before a decision is formally issued. There will almost inevitably be a lengthy appeal process that will limit the immediate practical impact. However, if the Belgian DPA’s final ruling is as expected, it will be a significant blow to the IAB, which worked with stakeholders to develop the TCF, and reverberations will be felt throughout the adtech ecosystem. Those involved in the adtech industry should monitor developments and consider their options for carrying out behavioural advertising in compliance with the GDPR.

Ransomware Actors Target Companies Involved in Major Financial Events and Transactions

The FBI has issued a Notification warning that ransomware actors are apparently leveraging known significant financial events, such as mergers, to pressure victims into making ransomware payments.

The Notification reports that ransomware actors often target companies involved in major transactions such as mergers or acquisitions. The attackers begin by using trojan malware to gather material non-public information about a target, particularly that which could affect stock price. Depending on the information acquired through this initial incursion, the ransomware actors may threaten to release the non-public information and thereby disrupt the upcoming transaction if the victim does not pay a ransom quickly.

Takeaway: Significant financial events come with an increased risk of ransom attacks. Instead of postponing security fixes until after a transaction is complete, companies facing events such as an IPO or a merger should be particularly attentive to potential vulnerabilities, including monitoring underground forums for stolen credentials. The time period after the merger is also a particularly vulnerable time. Be sure to align cybersecurity processes and procedures beforehand to decrease post-merger risk.

FTC Will Increase Enforcement Against “Dark Patterns"

The FTC has issued a new enforcement policy statement warning that companies using tactics known as “dark patterns” to allegedly trick customers into signing up for subscription contracts will face legal action. Dark patterns commonly arise in the context of negative option programs, and may include continuity plans and automatic renewals.

Under the new policy, companies offering subscription programs must:

1. Clearly disclose all material terms of the program, including cost, deadlines for any action required to stop further charges, the anticipated amount and frequency of any such future charges, and how to cancel the subscription;
2. Obtain express informed consumer consent before charging for the subscription, including obtaining the consumer’s acceptance of the negative option feature separately from other portions of the entire transaction, not in a pre-checked box, and avoiding burying information about the program in distracting extraneous content; and
3. Provide cancellation mechanisms at least as easy to use as the method used to sign up for the subscription. Recent News and Publications from Dechert's Privacy & Cybersecurity Practice

Takeaway: Efforts to avoid cancellation of subscriptions by making the cancellation process difficult or unclear will risk attracting FTC enforcement action. Companies should review their negative option subscription programs for compliance with the new policy.

Check out Dechert’s AI Series!
Hot Off the Press: Conducting Conformity Assessments Under the EC’s Proposed
Regulation on AI

Recent News and Publications from Dechert's Privacy & Cybersecurity Practice

Dechert's California Consumer Privacy Act Resource Center

Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (Including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.

Brenda Sharton was named to Cybersecurity Docket’s Incident Response 40 2021 list.

Upcoming Webinar: Managing Employee Privacy and Other Key Considerations in the Post-Pandemic Workplace (December 14, 2021 at 12:00 PM ET) Speakers Include: Brenda Sharton, Karen Neuman, Nicolle Jacoby, J. Ian Downes.

Cryptocurrency Stakeholders Should Prepare for Increased Tax Enforcement (Dechert OnPoint published November 16, 2021) By: Andrew Boutros, Timothy Spangler, Joseph Riley, Andrew Schaffer, Claire Hinshaw.

Brenda Sharton quoted in Ignites article, “DOL, SEC, Others Have 2 Weeks to Fix Old Cyber Bugs” (November 4, 2021)

OFAC Issues Sanctions Guidance on Virtual Currencies and Ransomware (Dechert OnPoint published October 28, 2021) By: Darshak Dholakia, Jeremy Zucker, Karen Neuman, Brenda Sharton, Amanda DeBusk, Tim Spangler, Betsy Feuerstein, Andrew Schaffer.

A Practical Approach for Implementing Europe’s New Standard Contractual Clauses in a Post-Schrems II World (Webinar recording from September 30, 2021) By: Olaf Fasshauer, Paul Kavanagh, Karen Neuman, Jeremy Zucker

Dechert’s global Privacy & Cybersecurity team published two articles in The Journal of Robotics, Artificial Intelligence & Law’s November/December 2021 issue on the European Commission’s proposed regulation on artificial intelligence.

Brenda Sharton had an article published in the Harvard Business Review, “Ransomware Attacks Are Spiking. Is Your Company Prepared?” (May 20, 2021)

View Previous Dechert Cyber Bits Issues