Introduction
As we enter 2023, the importance of cybersecurity and data privacy continues to grow. With new laws and regulations being implemented globally, organizations face increasing regulatory expectations and the need to protect and appropriately use data. Additionally, the rise of class action litigation related to tracking and targeting cookies, chatbots, and advanced security features poses additional challenges. In this article, we will explore the key trends and challenges in cybersecurity and data privacy for the year ahead.
Disclosure: Ensuring Transparency and Completeness
The year 2023 brings several new laws and regulations, such as the California Privacy Rights Act (CPRA), that emphasize the importance of transparency and completeness in privacy and cookie policies. Companies will face increased regulatory and litigant scrutiny regarding the collection, use, and disclosure of sensitive personal information, including biometrics and precise geolocations. It is crucial for organizations to understand the expanded scope of employee and business-to-business (B2B) personal information under CPRA, as this will likely lead to an increase in employee privacy rights requests and potential litigation. Human resources teams and in-house lawyers need to quickly familiarize themselves with these new employee rights and their implications.
Consent: Emphasizing Clear and Affirmative Consent
The days of burying consent requests at the end of lengthy disclosures are coming to an end. Clear, unambiguous, and affirmative consent is becoming the preferred approach to reduce regulatory and class action risk. Implementing measures like a “cookie door” and a cookie consent manager, where users must actively opt in to the collection of non-essential cookies, can greatly reduce the risk of violating state privacy laws. This approach can also help mitigate the need to honor global privacy controls or Do Not Track signals and minimize the likelihood of class action litigation related to wiretapping and eavesdropping statutes. Businesses operating consumer-facing websites that utilize session replay technologies should consider proactive measures to obtain affirmative consent, as failure to do so may lead to legal consequences. Consent is also crucial for companies using technologies like voice authentication, fraud prevention, and virtual try-on features.
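The "cookie door" described above can be expressed as a small piece of client-side logic. The following is an added example written for this article, not code from the article's author or from any consent-manager product: essential cookies are always written, every non-essential cookie is held back until the visitor records an explicit per-category choice, unticked categories default to declined so silence is never treated as consent, and a Global Privacy Control signal (a design choice for this example) is recorded as a decline that the visitor can later override. The cookie categories, cookie names and the in-memory cookie jar that stands in for document.cookie are constructed for the example.

```javascript
// Added example (not from the article): an opt-in "cookie door" for a
// consumer-facing site. Categories and names below are constructed.
const NON_ESSENTIAL = ["analytics", "advertising"];

// Minimal in-memory stand-in for document.cookie so the example runs in
// Node without a browser (constructed for this example).
function createCookieJar() {
  const jar = new Map();
  return {
    set: (name, value) => { jar.set(name, value); },
    has: (name) => jar.has(name),
    remove: (name) => { jar.delete(name); },
  };
}

function createConsentManager(jar, { gpcSignal = false, policyVersion = "2023-01" } = {}) {
  let record = null;              // null while the cookie door is still closed
  const pending = [];             // non-essential cookies requested before a choice
  const categoryOf = new Map();   // name -> category, for withdrawal clean-up

  if (gpcSignal) {
    // Opt-out signal received and no stored choice yet: record a decline for
    // every non-essential category. The visitor may still opt in explicitly.
    record = {
      choices: Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])),
      source: "gpc",
      policyVersion,
      decidedAt: new Date().toISOString(),
    };
  }

  function allowed(category) {
    if (category === "essential") return true;
    return record !== null && record.choices[category] === true;
  }

  // Returns "set", "deferred" (door still closed) or "blocked" (declined).
  function setCookie(name, value, category) {
    if (category === "essential") {
      jar.set(name, value);
      return "set";
    }
    if (!NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (record === null) {
      pending.push({ name, value, category });
      return "deferred";
    }
    if (allowed(category)) {
      jar.set(name, value);
      categoryOf.set(name, category);
      return "set";
    }
    return "blocked";
  }

  // Records an affirmative per-category choice from the consent UI. Anything
  // not explicitly set to true is treated as declined. Pending cookies for
  // accepted categories are written; cookies written under an earlier,
  // broader choice are removed when that category is withdrawn.
  function recordChoice(choices) {
    record = {
      choices: Object.fromEntries(NON_ESSENTIAL.map((c) => [c, choices[c] === true])),
      source: "user",
      policyVersion,
      decidedAt: new Date().toISOString(),
    };
    for (const c of pending.splice(0)) {
      if (allowed(c.category)) {
        jar.set(c.name, c.value);
        categoryOf.set(c.name, c.category);
      }
    }
    for (const [name, category] of [...categoryOf]) {
      if (!allowed(category)) {
        jar.remove(name);
        categoryOf.delete(name);
      }
    }
  }

  // The stored record doubles as the evidence of consent (what was chosen,
  // when, and under which policy version).
  const consentRecord = () => record;

  return { setCookie, recordChoice, consentRecord };
}
```

The record returned by `consentRecord()` is what a site would persist (for example in a first-party cookie or server-side log) so that the choice, its timestamp and the policy version it was given against can be produced later; re-prompting when `policyVersion` changes is left to the caller.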
Data Protection: Addressing Geopolitical Tensions and Reporting Requirements
Geopolitical tensions continue to heighten cybersecurity threats, prompting the implementation of new regulations to protect data and enhance reporting standards. For instance, New York’s Department of Financial Services (NY DFS) has expanded reporting requirements for cybersecurity incidents, including ransom payments, within tight deadlines. The newly passed US federal law will also require “critical infrastructure” companies to report incidents and ransom payments to the Department of Homeland Security (DHS) within the same timeframe. Regulatory bodies like the Securities and Exchange Commission (SEC) and the Federal Communications Commission (FCC) are proposing stricter regulations on public reporting and breach notification to telecom customers. Additionally, the theft of encrypted data poses a significant risk, especially with the advent of quantum computing. Some countries explicitly require regulatory notification for such data theft. Organizations must adapt to these evolving reporting requirements and explore new cryptographic standards to protect against emerging threats.
Vendor Due Diligence: Managing Third-Party Risks
Regulators now demand greater due diligence regarding third-party vendors. Companies need to document due diligence processes, conduct risk assessments, and establish precise contractual terms in data processing agreements. Compliance with comprehensive state privacy laws may also require annual audits of processors. The National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, widely adopted in the US, mandates risk management programs for insurers over third-party vendors. Demonstrating how contractual obligations are met is essential. Maintaining strong oversight of third-party relationships and implementing robust risk management practices are vital to comply with regulatory requirements.
Coordination: Streamlining Communication and Compliance
While regulators communicate, coordination among them remains a challenge. With data breach notification requirements becoming more stringent across jurisdictions, consistent and coordinated communication becomes increasingly crucial. Companies must closely monitor developments in this area, ensuring compliance with various reporting timelines.
The Contraction of Cyber Insurance Coverage
Cyber insurance coverage is undergoing changes, with insurers scaling back coverage for state-sponsored attacks due to the high costs involved. As premiums increase and coverage contracts, companies are reevaluating their insurance strategies and investing more in technical and governance measures to improve preparedness. The expanding regulatory landscape further necessitates a comprehensive approach to cybersecurity and data privacy.
The Potential Easing of Cross-Border Data Flows
The executive orders by President Biden and reforms within Executive Order 14086 suggest a potential return of a privacy shield, reducing documented risks of data transfers to the US. However, given the volatility surrounding cross-border data flows from Europe, companies should consider maintaining or entering into new standard contractual clauses. Careful consideration must be given to data that needs to flow to the US and data that can remain within local jurisdictions due to varying global restrictions on cross-border data flows.
The Emerging Opportunities and Risks of New Technologies
Artificial intelligence (AI) is increasingly replacing human operators in data analysis and decision-making processes. However, the responsibility for such acts and decisions remains a critical question. The US government has released guidelines, known as the “Blueprint for an AI Bill of Rights,” encouraging companies to adopt responsible AI practices. Privacy laws, like the CPRA, regulate automated decision-making and profiling, making disclosure, transparency, and clear consent essential. Companies must navigate these challenges and seize the opportunities presented by AI while ensuring compliance with relevant regulations.
Conclusion
As we navigate the complexities of cybersecurity and data privacy in 2023, organizations must strike a balance between compliance, risk management, and effective business operations. With the implementation of new laws and regulations, the increasing threat landscape, and the rise of class action litigation, it is crucial for companies to stay informed, adapt their policies and practices, and prioritize the protection of data and privacy. By proactively addressing these trends and challenges, organizations can build trust with their customers, enhance their cybersecurity posture, and mitigate potential legal and reputational risks.