Today, The Washington Post reported that the SolarWinds attack impacted at least nine federal agencies, including the National Security Agency and the Federal Aviation Administration, as well as 100 private companies. The Biden administration announced it would sanction Russia within weeks, believing it's the culprit.
I'm a privacy reporter by trade. When I saw that the U.S. Senate Select Intelligence Committee would hold a hearing on this SolarWinds hack, I thought I'd put my reporting skills to use in hopes it's news you can use.
Here's a brief overview of what happened at the hearing today.
FireEye CEO Kevin Mandia told lawmakers the attack wasn't a "phishing expedition" to grab whatever the hackers could grab; they targeted specific individuals. FireEye was the first company to recognize and report the attack. Mandia said the hackers pulled out so much data that they probably could take a few days off afterward.
SolarWinds CEO Sudhakar Ramakrishna reported that some supply-chain attacks resulting from his company's breach have yet to be detected.
Lawmakers discussed how the government and the private sector might collaborate to help future breach detection and response, especially when state actors are involved.
"The number one thing the federal government can do that private companies can't is bring repercussions" for bad actors, testified FireEye's Mandia.
He added that the public sector must also be involved in detecting who's behind the threat. "The government is the best place to get attribution the most right," he said. "There are no repercussions if you don't know who did it."
Ramakrishna suggested a central government agency that could act as a repository for threat information and disseminate it accordingly. "Today, we feel like we have to communicate with multiple agencies in order to get it right," said Ramakrishna.
Maine Sen. Susan Collins indicated support for imposing mandatory breach reporting at the federal level.
Could Microsoft's Brad Smith get behind that kind of an idea?
"Yes," he told lawmakers. "Tailor it, make it confidential. But we will not secure this country without sharing that kind of information."
Enjoy reading, and we'll see you next week!
1. EU says data flows to UK may continue post-Brexit
The European Commission released its draft adequacy decision on data flows from the EU to the U.K., The National Law Review reports. After Brexit, the U.K. became a "third country" under EU law. For personal data to flow out of the EU without additional safeguards, the country in which it lands must have "adequate" privacy protections. If it receives an opinion from the European Data Protection Board and approval from a committee of EU member state representatives, the Commission's draft decision will allow those data flows to continue.
2. Biden administration to sanction Russia over SolarWinds hack
The Biden administration has announced it will bring sanctions against Russia for the SolarWinds hack within weeks, The Washington Post reports. The administration said it would respond using "a mix of tools seen and unseen." In the meantime, the U.S. Senate Select Intelligence Committee held a hearing with technology company CEOs, including SolarWinds and Microsoft. The hearing aimed to determine how the government might work with private companies on threat detection and mitigation.
3. Virginia passes its privacy law
Last week, Virginia's legislature passed its privacy law. The Consumer Data Protection Act moved swiftly through the legislative process, going from introduced to done deal in two months. The state's governor must now sign or veto the bill, but there is little doubt he will sign it. Oklahoma, New York and Washington state are currently considering bills of their own. This piece explores whether pressure from the states will push the U.S. government to pass a federal privacy law.
4. Brazilian lawmaker's bill would push data protection law's enforcement to 2022
A Brazilian lawmaker has introduced a bill that would push fines for noncompliance with Brazil's privacy law, the LGPD, to January 2022. Currently, the National Data Protection Authority will have enforcement powers beginning in August 2021. The congressman who introduced the bill said, "We cannot expect that all the companies working with data processing will have managed to adapt to the norms foreseen in the LGPD by August 2021, since they do not even have the economic conditions to stay afloat amid this chaotic scenario of world crisis."
5. Florida to consider state privacy bill
Gov. Ron DeSantis is backing a privacy bill that looks similar to the California Consumer Privacy Act, StateScoop reports. House Bill 969 would allow Floridians to opt out of businesses' collection of data on them and the sale of that data. It contains a private right of action, letting individuals sue companies that violate the rules. But the bill would apply to a wide range of companies, which could make it hard to pass in a state that's typically business-friendly, the report states.
6. Former Facebook chief security officer: Clubhouse is not private
The audio chatroom app Clubhouse has said it's working to protect user data from hackers. Still, cybersecurity experts report a user was "remotely sharing login information, pulling audio and metadata from Clubhouse to an external site." Facebook's former chief security officer, Alex Stamos, said Clubhouse users should assume they're being recorded. "Clubhouse cannot provide any privacy promises for conversations held anywhere around the world," Stamos said.