Takeaways From Top 5 Cyber Law Developments in 2022

7 minute read
January.10.2023

In 2022, the stakes for data breaches grew in more ways than one. IBM reported the average cost of a data breach is up to $4.35 million. More importantly, though, regulators have zeroed in on higher-level executives and boards for both their management of cyber risk and their involvement in breach response. All this is flowing from a growing number of breach notifications stemming from a variety of new breach notification requirements and expectations.

Here are the Top 5 cyber law developments in 2022:

FTC and DOJ Target Executives for Cyber-Related Conduct
The SEC Proposes Expansive New Rules for Cyber Reporting and Disclosures
FTC and EU Expand Notice Expectations
Prevent, Detect, Respond, and Notify Expectations for Credential Stuffing (and Account Takeovers)
NYDFS Proposes Significant Amendments to Its Cybersecurity Regulation

And here are the details:

1. FTC and DOJ Target Executives for Cyber-Related Conduct

First, in October, the FTC resolved a data breach-related enforcement action against Drizly, which for the first time in a cybersecurity action individually named a CEO. The FTC alleged he failed to implement, or delegate the implementation of, reasonable security practices. The Complaint specifically called out the lack of a CISO. As a result of the settlement, the CEO is bound to the affirmative security obligations in the resolution agreement even if he leaves Drizly, meaning if he should leave Drizly and be hired at a new company the affirmative obligations will follow him to that company. It also creates the possibility of individual penalties for violations of the order, currently $46,517 per violation.

Second, also in October, the DOJ obtained a conviction of the former Uber CSO for covering up a data breach from an ongoing FTC investigation. The cover-up involved messaging to hide the incident, a payment of $100,000 to a hacker to obtain return of stolen data, and a nondisclosure agreement with false statements. The DOJ’s initial statements regarding the matter suggested that the DOJ may be more aggressively seeking to use criminal laws in cybersecurity matters. However, more recently, a senior DOJ official clarified that “[t]he prosecution of the Uber CSO stemmed from an extreme set of actions that represent an acute outlier from regular compliance practice." He added: "No one should take away from this case that good-faith compliance decisions will be the subject of criminal prosecution." That said, the conviction itself means that companies should be carefully evaluating ongoing disclosure obligations of security issues to regulatory agencies during an investigation.

2. The SEC Proposes Expansive New Rules for Cyber Reporting and Disclosures

In February, the SEC proposed new cyber risk management Rules for Investment Funds and Advisors. The Rules include a 48-hour reporting requirement for certain cyber incidents (it’s a mouthful):

Incidents that significantly disrupt or degrade the adviser’s or its fund’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or that leads to the unauthorized access or use of the adviser’s or its fund’s information, where the unauthorized access or use of such information results in (a) substantial harm to the adviser or its fund, or (b) substantial harm to a client, or an investor whose information was accessed.

The rules also require the adoption of a comprehensive cybersecurity risk management program that includes risk assessments, secure user access, system protection, vulnerability management, incident preparedness, and board review. The proposed rule updates advisers’ and funds’ disclosure forms to include reportable cyber incidents in the prior two years, as well as cybersecurity risks and in-place mitigations.

In March, the SEC proposed new cybersecurity disclosure rules that include:

A requirement to disclose material cybersecurity incidents on a Form 8-K within four business days of determining the event is material
Periodic disclosures of cybersecurity risk management, strategy, and governance, including
- The policies and procedures used to identify and manage cybersecurity risks, including details about board oversight.
- Cybersecurity's role in company strategy, financial planning, and capital allocations.
- Management and director oversight and expertise in cybersecurity.
- The rules are on the agenda and expected to be finalized in April 2023.

3. FTC and EU Expand Notice Expectations

In May, the FTC announced that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” The goal seems to be to push companies to provide notice to individuals where the breach increases the risk of financial fraud, though it could also target other forms of harm as well. The announcement also emphasizes the importance of timely notices that accurately convey the affected information and response efforts.

The move adds new and amorphous analysis to the breach notice process for many U.S. businesses. However, it brings the FTC closer in line with the HIPAA Breach Notification Rule, GDPR, and breach notification requirements around the world, which may simplify the breach notice analysis and decisioning for some businesses.

Speaking of GDPR, the European Data Protection Board published Guidelines on breach notification that clarify that covered businesses that have a personal data breach and are not established in the EU are required to notify the data protection authorities of all member states where affected individuals reside. In the worst-case scenario, this is 42 authorities. In practice, this can require extensive coordination to file or submit notifications according to the varying local requirements or expectations, in the local languages, and of course, within 72 hours. It also means that businesses are more likely to face more scrutiny from more regulators following a data breach. The key here is preparation, and some strategies to consider are here.

4. Prevent, Detect, Respond, and Notify Expectations for Credential Stuffing (and Account Takeovers)

The New York Attorney General (NY AG) kicked off a busy 2022 with a Business Guide for Credential Stuffing Attacks. Credential stuffing is a type of cyberattack that typically involves trying to gain access to or login to an application using credentials stolen from other online services, including brute forcing the application’s authentication features. These kinds of attacks can result in the compromised account access being used for fraudulent transactions or to collect information that can be used for scams or phishing.

For preventing and detecting credential stuffing and resulting fraud, the Guide recommends implementation of bot detection, a web application firewall, and multifactor or passwordless authentication, reauthenticating for in-app purchases, and use of fraud detection software.
For responding, the Guide includes blocking the access, resetting the password, and investigating for any suspicious account activity.
For notifying, the Guide notably expects individual notices to compromised account holders even where the notice may not be required under state breach notices laws. This is important for many businesses whose strategy to mitigate this kind of risk has involved masking or obfuscating information that if breached could trigger a state law notice requirement. The Guide and the NY AG’s prior enforcement history indicate this may not be enough.

5. NYDFS Proposes Significant Amendments to Its Cybersecurity Regulation

In November, the New York Department of Financial Services (NYDFS) published proposed amendments to its already-onerous Part 500 Cybersecurity Regulation. If adopted, the amendments will impose significant new requirements on covered entities, including:

Additional Reporting Obligations. The amendments significantly expand the circumstances under which a covered entity must notify NYDFS of a cybersecurity event to include events where: (1) an unauthorized user gained access to a privileged account; (2) the cybersecurity event resulted in the deployment of ransomware within a material part of the covered entity’s information system; or (3) a covered entity is affected by a cybersecurity incident at a third-party service provider. Significantly, covered entities are also required to notify NYDFS within 24 hours of making an extortion payment in connection with a cybersecurity event.
Governance. The amendments require covered entities to ensure that their CISO can appropriately manage cybersecurity risks, including by having the ability to “direct sufficient resources to implement and maintain a cybersecurity program.” The board of directors is also required to have sufficient expertise or knowledge to exercise effective oversight of cybersecurity risk or be advised by individuals that do.
Access Control. The amendments clarify that multifactor authentication must be used for remote access to both the covered entity’s information systems and third-party applications, including cloud-based applications, as well as for privileged accounts. Covered entities must periodically review user access privileges, and there are additional restrictions on the use of privileged accounts.
Policies and Procedures. The amendments introduce a slew of new required policies and procedures, including written policies related to asset inventories, business continuity and disaster recovery (BCDR) plans, and password and encryption policies.

The comment period will close on January 9, 2023. If the amendments are adopted after the 60-day comment period, most of the new provisions will take effect 180 days from the date of adoption.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Behördliche Untersuchungen und Vollstreckungsmaßnahmen
(Schieds ) Gerichtsverfahren
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Joseph C Santiesteban Partner, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

Seattle

See my bio

D:+1 206 839 4352
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban Partner

Seattle

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

His goal is to help clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly adept at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on communications strategies that build trust and engagement.

Joe is committed to using these experiences to finding creative and engaging strategies to help companies proactively prepare for an incident and mitigate cybersecurity legal risk. This includes helping to build and improve incident response programs through incident response plans, simulated incidents, threat workshops, and training. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle. He is driven by a desire to evolve what it means to be a cybersecurity lawyer in the face of rapidly evolving technologies and laws. As a leader, he strives to create spaces where people are valued and solve problems creatively and collaboratively.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit Committee and Pro Bono Committee. A leader and advocate for diversity and inclusion initiatives, Joseph is the co-head of the Latinx affinity group at Orrick and served as a fellow for the Leadership Counsel on Legal Diversity. He is also a member of the Washington Latino Bar Association and the Hispanic National Bar Association.

Alyssa Wolfington Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Alyssa Wolfington Managing Associate

New York

Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.