Data & Security Legal Update: Russian Cyber-Attacks, and More

04.05.2022
By: Kevin D. Pomfret

Activity in the cybersecurity and data protection space continues to pick up as new laws and regulations are enacted in the U.S. and overseas. Highlighted below are five recent developments that could impact your business.

President Biden Issues Warning of Potential Russian Cyber-Attacks

On March 21, 2022, the White House recommended that U.S. businesses take measures to protect against potential cyberattacks initiated by and/or from Russia. Recommended measures include:

  • Mandating multi-factor authentication;
  • Deploying modern security tools on computers and devices;
  • Making sure that systems are patched and protected against all known vulnerabilities;
  • Backing up and encrypting data; and,
  • Educating employees on common tactics that attackers use.

While many of these recommendations are good practice at all times, the Administration believes they are particularly important to emphasize now given the increased risks.

U.S. and EU Announce High Level Agreement to Replace Privacy Shield

In a joint press release, President Biden and European Commission President Ursula von der Leyen announced that an agreement in principle had been reached to replace Privacy Shield – a mechanism by which personal data of European citizens could be transferred from the European Union to the United States. A new mechanism has been required since July 2020, when the European Union Court of Justice ruled – in a landmark decision that is commonly referred to as Schrems II – that Privacy Shield did not adequately protect the rights of EU citizens. While the details of the high-level agreement will need to be fleshed out, the announcement was a positive sign for many businesses that have been waiting for greater clarity on how such data transfers could be lawful under the General Data Protection Regulation (GDPR).

Utah is Fourth State to Enact Consumer Data Protection Law

Utah recently became the fourth state to enact a comprehensive consumer data protection law. The Utah Consumer Privacy Act has a number of similarities to laws in California, Virginia and Colorado – the other three states that have passed consumer data protection laws. However, companies doing business in Utah should carefully assess whether the differences among these laws could have an impact on their operations. The law goes into effect on December 31, 2023.

Data Transfers from United Kingdom

On March 21, the International Data Transfer Agreement (IDTA) and an Addendum, which organizations can use to transfer personal information from the United Kingdom (UK) to the United States, came into force. The IDTA was published by the UK’s Information Commissioner’s Office (ICO) and is the UK’s equivalent of the EU’s Standard Contractual Clauses (SCCs). The Addendum can be used in conjunction with the EU’s SCCs so as to satisfy the UK’s General Data Protection Regulation. These documents were needed because, post-Brexit, companies could no longer rely on the new SCCs for personal data transfers.

NIST Publishes Artificial Intelligence Guidelines

On March 17, the National Institute of Standards and Technology (NIST) issued draft voluntary guidance to address risks in the design, development, use, and evaluation of Artificial Intelligence (AI) products, services, and systems. NIST has requested public comments on the draft by April 29, 2022. The plan is to incorporate these comments in a second draft of the document. In addition, NIST held a workshop on AI and bias on March 29-31, 2022. The guidance and workshop reflect the Administration’s efforts to get ahead of the growing adoption of AI in a variety of industries.

Stay tuned for more legal developments related to data management, including privacy and data protection, cybersecurity, intellectual property rights and data quality. Please contact Kevin Pomfret (703.760.5204) with any questions.