It started out as a quiet rumor, then became known fact to those who would go on to join the administration. And now we all know: the Biden administration has brought with it a renewed focus on data privacy and cybersecurity.
Businesses across the United States are wary of the campaign of fear that has accompanied each new privacy enforcement regime: first the General Data Protection Regulation (GDPR) for many, then the California Consumer Privacy Act (CCPA), and now so many more. So the federal government making noise about privacy enforcement and cybersecurity may elicit little more than a shrug. But allow this article to displace that complacency. The federal government jumping with both feet into the arena of privacy and cybersecurity enforcement is an event worth watching and taking into account.
Perhaps the most unsettling part of this renewed emphasis on privacy is that once a government investigation into a company begins, you never know where it will lead. Because federal agencies have broad investigative powers and coordinate with one another regularly, an investigation that you thought had nothing to do with privacy can suddenly turn to how your business handles confidential and personal data. The federal government can show up at your door at any time and in any setting, and the resulting investigation could lead anywhere.
Ultimately, the ramifications of any government enforcement action can be immense. Because a civil enforcement action can turn into a criminal investigation, defense costs are extremely high and can cause significant business disruption. When wrongdoing has occurred, companies often pay tens or even hundreds of millions of dollars to settle or resolve enforcement actions. And if a corporate executive faces criminal charges, the DOJ's conviction rate remains extraordinarily high. None of these costs account for the potential damage to a company's reputation or the possibility that government action could lead to follow-on civil lawsuits.
The past 12 months have seen a steady pace of action by federal law enforcement and regulatory agencies, of which in-house counsel should take note. Whether through new guidance, regulations, investigations or enforcement activity, the message is clear: the federal government is paying close attention to how businesses handle and protect their data, in particular consumer data and other sensitive data.
• Department of Justice (DOJ): In October 2021, the DOJ launched its Civil Cyber-Fraud Initiative, which will focus on pursuing cybersecurity-related fraud under the False Claims Act (FCA). Under this initiative, any company that receives federal funds could be held liable for knowingly providing deficient cybersecurity products or services, misrepresenting its cybersecurity practices or protocols, or violating its obligations to monitor and report cybersecurity incidents and breaches. FCA claims are particularly problematic because they can be initiated through qui tam whistleblower complaints and, if successful, result in treble damages. Additionally, the DOJ recently announced that it will more aggressively pursue corporate criminal prosecutions and that it is growing resources for white-collar prosecutors. A company's misrepresentations about its cybersecurity protocols or about a data breach could also lead to charges of wire fraud or securities fraud.
• Securities and Exchange Commission (SEC): The SEC is also ramping up its cybersecurity enforcement activity, with greater emphasis on cybersecurity controls at regulated entities and on disclosure of cybersecurity incidents and risks. For example, in August 2021, the SEC sanctioned eight firms because their cybersecurity policies and procedures failed to protect customer information, resulting in penalties totaling $750,000. These enforcement actions are likely to embolden the SEC to pursue more complex cybersecurity cases and to encourage company insiders to report similar violations through the SEC's robust whistleblower program. And once the SEC's Division of Enforcement opens an investigation, a DOJ criminal investigation often follows.
• Treasury Department (Treasury): In September 2021, the Treasury's Office of Foreign Assets Control (OFAC) sanctioned the cryptocurrency exchange SUEX for laundering the proceeds of ransomware attacks, noting that at least 40% of its known transactions were associated with illicit activity. The SUEX designation was the first such action taken by OFAC against a virtual currency exchange and is consistent with the Treasury's growing focus on cybersecurity issues. Along with the SUEX sanctions, OFAC updated its ransomware advisory, again encouraging companies to report ransomware and other cybersecurity incidents. Similarly, FinCEN's June 2021 national anti-money laundering priorities identified cybercrime and ransomware attacks as a new and evolving threat. Financial institutions will soon be required to integrate cybersecurity risks into their Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance programs, and increased BSA/AML compliance will in turn lead to additional reporting to FinCEN and federal law enforcement agencies about cybersecurity incidents.
• Banking regulators: In November 2021, the federal banking regulators (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency) announced approval of a new computer-security incident notification rule. Effective May 1, 2022, regulated banking organizations must notify their primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after determining that the incident occurred. The notification requirement applies to any incident that has materially disrupted, or is reasonably likely to materially disrupt, the banking organization's operations.
• Federal Trade Commission (FTC): Over the past two years, the FTC has brought more than 20 privacy and cybersecurity enforcement actions. Additionally, last month the FTC updated its Safeguards Rule to set specific criteria for how financial institutions must protect customer data. The FTC is also considering further updates to the Safeguards Rule that would require financial institutions and others to report certain security events to the FTC.
Now, many may be wondering whether this is all just a fear campaign, another press of the panic button. But what these recent executive branch moves demonstrate is that privacy and cybersecurity are no longer seen as "nice to haves" or add-ons to a business; they are business imperatives.
So what should companies do about this heightened enforcement risk? The answer is simple: highly regulated companies in particular need to ensure that their privacy and cybersecurity houses are in order. That does not mean every company should drop everything and spend its entire budget upgrading its privacy and cybersecurity practices (although some in-house lawyers would be grateful). Nor is there any need to disrupt ongoing business activities. But it does mean making sure your business at least passes the smell test.
A robust compliance program backed by comprehensive policies and practices will always be the best way for a company to avoid being drawn into a costly government investigation. As the federal government increasingly treats cybersecurity and data privacy the way it treats its other traditional enforcement priorities, companies should follow suit and take proactive steps to mitigate their risks.
David Saunders (CIPP/US, CIPM), a partner in McDermott Will & Emery's Global Data Privacy and Cybersecurity Group, is a litigator who focuses his practice on privacy and cybersecurity issues. Julian L. André, a partner at the firm and a former federal prosecutor, focuses his practice on government prosecutions and enforcement actions, internal investigations and complex civil litigation.