On Episode 16 of Covington’s Inside Privacy Audiocast, Dan CooperYan Luo and Zhijing Yu discuss the implications of China’s Personal Information Protection Law (PIPL) for companies with data or doing business in China. The law, which entered into force on November 1, is the first comprehensive personal information protection law in China and

This is the sixth in the series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, and fifth blogs described the actions taken by various federal agencies to implement the EO during June, July, August, and September 2021, respectively.  This blog summarizes key actions taken to implement the Cyber EO during October 2021.

Although the recent developments this month are directly applicable to the U.S. Government, the standards being established for U.S. Government agencies could be adopted as industry standards for all organizations that develop or acquire software similar to various industries adopting the NIST Cybersecurity Framework as a security controls baseline.
Continue Reading October 2021 Developments Under President Biden’s Cybersecurity Executive Order

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” (the “Updated Advisory”).  The Updated Advisory updates and supersedes an earlier OFAC Advisory released on October 1, 2020, and is directed toward not only organizations victimized by ransomware attacks, but also financial institutions, cyber insurance firms, and forensic and incident-response firms that assist organizations victimized by ransomware attacks.

The Updated Advisory is largely consistent with the previous version released in October 2020, restating the U.S. government’s opposition to ransomware victims making payments to cyber threat actors and making clear OFAC’s commitment to bringing enforcement actions in connection with such payments when they constitute U.S. sanctions violations.  However, the Updated Advisory adds important new guidance on “the proactive steps companies can take to mitigate [sanctions enforcement] risks,” including implementing strong cybersecurity practices before an attack; and promptly reporting a ransomware attack to, and engaging in timely and ongoing cooperation with, law enforcement or other relevant agencies.  Taking these steps would constitute “mitigating factors” in any OFAC enforcement action resulting from sanctions violations in connection with ransomware payments.

In conjunction with the new Advisory, OFAC for the first time designated for sanctions a Russian cryptocurrency exchange, SUEX OTC, that OFAC alleges has been involved in facilitating numerous ransomware payments for malicious cyber actors.  As a result of this designation, U.S. persons (that is, all individual U.S. citizens and permanent residents, U.S.-incorporated entities and their branch offices, and anyone physically within the United States) are now prohibited from engaging in or facilitating virtually all transactions with or involving SUEX OTC.


Continue Reading OFAC Issues Updated Guidance on Ransomware Payments

There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (near 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog.
Continue Reading 12 Eye-Catching Proposals In The UK Government’s Plan To Reform UK Data Protection Law

On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law, which will take effect Nov. 1, 2021. Serving as China’s first comprehensive law in the personal information protection area and based on China’s Constitution, the PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1).
Continue Reading Analyzing China’s PIPL and How It Compares to the EU’s GDPR

On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies:  Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).

According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.”  This is the first time that CRO publically announced the initiation of cybersecurity reviews against companies after the Measures took effect on June 1, 2020.  Per the announcements, these apps are prohibited from registering new user accounts during the review period.

Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here).  It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.

This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information.
Continue Reading China Initiates Cybersecurity Review of Didi ChuXing and Three Other Chinese Mobile Applications

On June 10, 2021, the Standing Committee of China’s National People’s Congress (“NPC”) enacted the Data Security Law (“DSL”), which will take effect on September 1, 2021 (the official Chinese version is available here and Covington’s unofficial English translation is available here). This law creates a framework for the protection of broadly defined “data security” from a national security perspective.
Continue Reading China Enacts Data Security Law

Yesterday the Supreme Court issued a decision in Van Buren v. United States, No. 19-783, ruling that a police officer did not violate the Computer Fraud and Abuse Act (“CFAA”) when he obtained information from a law enforcement database that he was permitted to access, but did so for an improper purpose.  In so ruling, the Court adopted a relatively narrow reading of the CFAA, and partially resolved a years-long debate concerning the scope of liability under the CFAA.

The CFAA prohibits, inter alia, “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] information from any protected computer.”  18 U.S.C. § 1030(a)(2).  What it means to “exceed authorized access” has been the subject of disagreement among lower courts:  Some have concluded that this term refers to accessing areas of a computer that the user is not permitted to access under any circumstances—e.g., a student accessing her university’s database of grades that is restricted to only administrator use.  Others have concluded that this term also encompasses individuals who are permitted to access an area of a computer for certain purposes, but they do so for an improper purpose—e.g., an administrator accessing the university’s database of grades that she is generally permitted to use, but she does so for the improper purpose of blackmailing a student.
Continue Reading Supreme Court Adopts Narrow Reading of the CFAA in Van Buren v. United States

On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.”  The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.  The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.  Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.
Continue Reading President Biden Signs Executive Order Aimed at Improving Government Cybersecurity