Unsurprisingly, the cybersecurity and data privacy legal and technical landscapes continued to expand and evolve in 2022 with the introduction of new laws and technologies, the increased sophistication of threat actors, and added guidance from domestic and international governing bodies.
In this blog post, Octillo provides a breakdown of some of its team's top data security and privacy compliance, incident response, and litigation stories that helped shape the space over the past year and will continue to drive trends in 2023 and beyond.
Organizations prepare for numerous upcoming U.S. state privacy laws.
Following a trend we noted in 2021, two more states enacted comprehensive consumer privacy laws in 2022: Connecticut and Utah. Both laws take effect in 2023, alongside California's CPRA, Virginia's VCDPA, and Colorado's CPA. In the absence of a federal privacy scheme, organizations face multiple overlapping sets of requirements and are working to update their public-facing privacy policies and their data collection procedures. As these laws take effect in 2023, companies are also waiting on state enforcement agencies and courts for guidance on how the new laws will be enforced and on key interpretive questions about their practical impact.
In 2023, this patchwork of state privacy laws is likely to grow even more complex as numerous other states, including New York, Pennsylvania, and Massachusetts, consider enacting their own privacy laws.
Plaintiffs’ lawyers continue to invent new ways to leverage old laws to seek privacy redress.
In addition to new regulations, we also saw a trend of litigation based on alleged violations of decades-old laws that are being repurposed to address privacy. In 2022, plaintiffs' firms hit companies with a new wave of class action lawsuits alleging that embedded ad targeting tools, such as Facebook's Pixel, violate data privacy laws, specifically the Video Privacy Protection Act of 1988. While VPPA website litigation has been around for some time, the new wave of lawsuits over Facebook's Pixel found more traction with judges than earlier suits involving other tracking technologies, because courts were inclined to find that the Pixel disclosed personal information specific enough to trigger the VPPA's protections. New applications of older laws, driven by changes in technology, may continue to be a pain point for companies in 2023 and beyond.
The European Union and the United States take steps towards adopting a mechanism for cross-border data transfers.
In 2022, crossing borders with personal data was more cumbersome than ever before. The fallout from the Schrems II decision continued to affect businesses as they grappled with cross-border data flows. However, we did see movement between the EU and the U.S. toward a renegotiated agreement that would once again allow personal data to flow freely between the two jurisdictions. In October, President Biden signed an executive order outlining the specific steps the United States will take to fulfill its commitments under the new EU-U.S. Data Privacy Framework, and in December the European Commission published a draft adequacy decision and began the process leading to its adoption. As we move into 2023, cross-border data transfers will continue to be an area to watch.
Companies and executives face increased scrutiny for post-breach actions.
In 2022, we witnessed the expansion of accountability measures in response to data breaches and other cybersecurity incidents, most notably in October when former Uber Chief Security Officer Joseph Sullivan was convicted for his role in concealing a 2016 data breach that affected 57 million Uber users and drivers. While this case may not represent a practical expectation of post-breach consequences for every company and executive, some may see precedent in how Sullivan's decisions were treated. In 2023, we are watching for enforcement to expand to more garden-variety decisions made in response to a breach, including paying the attackers' extortion demands, as Sullivan did. At the same time, with the expansion of the private right of action under the California Privacy Rights Act, executives may feel additional pressure in the civil courts as plaintiffs' attorneys bring claims that scrutinize a company's data security and data breach preparedness. Whether that squeeze develops slowly or quickly, we are keeping a close eye on incident response and data breach management.
New York adds cybersecurity and data protection CLE requirement.
In June, New York became the first state to require cybersecurity, data privacy, and data protection training for attorneys as part of their biennial CLE requirement. This change reflects a drastic rise in cybersecurity incidents and data privacy regulations over the past several years. With this space becoming more complex year over year, it is more important than ever that attorneys understand their legal and ethical obligations concerning the protection of client and organizational data. The requirement will take effect on July 1, 2023, and CLE providers, including Octillo, may begin offering the credit on January 1, 2023.
Looking Ahead to 2023 and Beyond
As we enter 2023, one thing remains clear: the cybersecurity and data privacy spaces show no signs of slowing down, which makes prioritizing data protection and information security initiatives more crucial than ever. In the coming year, we anticipate new state, federal, and global regulations, further evolution of cyber threat actors, an influx of enforcement actions, data breach litigation and consumer class actions, and further guidance on new and existing information security requirements.
Octillo will continue to monitor new developments and provide updates, trainings, and practical solutions for organizations navigating whatever data protection challenges 2023 will bring. Subscribe to our newsletter to stay up to date on our blogs, CLE webinars, and other Firm announcements.
*Attorney Advertising. Prior results do not guarantee similar outcomes.