As the nation grappled with a global pandemic, the consumer data protection and cybersecurity landscape continued to evolve in 2020. Although multiple states introduced and passed comprehensive privacy laws, the federal government declined to pass similar legislation at the national level. However, various federal departments and agencies did publish guidance, alerts and advisories for dealing with or preventing cybersecurity threats such as ransomware attacks, especially as the world moved online during the COVID-19 pandemic.
Here is a high-level lookback at the federal cybersecurity and privacy activity in 2020.
No GDPR In the U.S. (Yet)
Despite California passing major amendments to its comprehensive consumer privacy law, Congress declined to pass data protection legislation at the federal level.
The two federal proposals that received the most coverage were the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act) from the Senate and, on the House side, the Digital Accountability and Transparency to Advance Privacy Act (DATA Privacy Act).
Both required covered entities to be more transparent with their data practices and sought to give consumers more choice or control over their data. Both proposals deferred to state attorneys general and the Federal Trade Commission (FTC) for enforcement.
Given the flurry of state action, with no laws passed at the federal level, businesses and other entities remain subject to voluminous state-based compliance regimes if they collect or use protected information.
Federal Guidance Focus on Ransomware
Ransomware attacks reached their highest levels yet in 2020. In response, many federal departments and agencies published guidance to help companies prevent and navigate through such attacks.
The “One-Stop” Shop Approach
The Cybersecurity and Infrastructure Security Agency’s (CISA) “Ransomware Guide” provides best practices and ways to prevent, protect and/or respond to a ransomware attack.
According to CISA, best practices include: (1) having offline, encrypted backups of your data; (2) having an incident response plan in place; (3) regular vulnerability testing and scanning of security features; (4) continuous organizational-wide security awareness training; and (5) ensuring third-party vendors and managed service providers meet, and comply with, the applicable federal, state and industry cybersecurity rules and regulations. Companies should consult this relatively rudimentary checklist.
The Industry-Specific Approach
Piggybacking off of an earlier version of CISA’s Ransomware Guide, the Securities and Exchange Commission (SEC) issued a “Cybersecurity: Ransomware Alert” warning SEC registrants about an increase in sophisticated phishing attacks designed to access internal resources and deploy ransomware.
The Financial Crimes Enforcement Network (FinCEN) also issued an advisory, alerting financial institutions about “predominant trends, typologies, and potential indicators of ransomware and associated money laundering activities.” It provided financial red flag indicators of ransomware and associated payments and reminded U.S.-based financial institutions about their regulatory obligations regarding Suspicious Activity Reporting (SAR) involving ransomware.
The Law Enforcement Approach
On October 1, 2020, the Department of Treasury’s Office of Foreign Assets Control (OFAC) alerted companies to potential sanctions risks associated with facilitating ransomware payments and reiterated the need to ensure such payments are compliant. It strongly encouraged cooperation with law enforcement. On October 8, 2020, former Attorney General William Barr announced the Cryptocurrency Enforcement Framework, which identifies key legal authorities and partnerships OFAC relies upon to combat criminal and national security threats involving cryptocurrency.
Lessons Learned from Federal Enforcement Actions
In 2020, the FTC and the Department of Health and Human Services (HHS) continued their enforcement actions against organizations that suffered data privacy and security events. Some takeaways, albeit loaded with subjectivity, based on the FTC’s 2020 enforcement actions include:
• Take “reasonable” measures to secure sensitive consumer data.
• Make sure your vendors are adequately protecting consumer data.
• Do not mislead or deceive consumers about data security practices.
• Realize that modifications and amendments to privacy compliance are expected.
• Remember that the Federal Communications Commission (FCC) is not the only agency to enforce against illegal telemarketing robocalls.
Some takeaways from HHS’ enforcement actions include:
• Unencrypted stolen laptops can lead to seven-figure fines.
• Small rural hospitals must still comply with the HIPAA Security Rule or face fines and sanctions.
• Business associates who fail to comply with HIPAA can face staggering fines.
• Patients’ health data is a tempting target for hackers. Failure to conduct risk analyses, implement risk management plans, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates and provide HIPAA Privacy Rule training to workforce members will lead to punishment by HHS’ Office for Civil Rights (OCR). In other words, entities must be able to show that they take data privacy and security seriously.
Part two of this three-part series will look back at the various state laws and related guidance and enforcement in 2020.
If you have further questions or would like additional information about U.S. privacy and cybersecurity developments in 2020 or pending federal legislation, regulatory guidance or enforcement, please contact Jeff Boogay (; 267.930.4784) or Melissa J. Sachs (; 267.930.4747).
See “Newly Amended CCPA Creates New Enforcement Agency and Increases Liability for Non-Compliant Businesses,” February 12, 2021.
These include broker-dealers, investment advisors, investment companies and relevant service providers.