7 minute read | January.10.2023
In 2022, the stakes for data breaches grew in more ways than one. IBM reported the average cost of a data breach is up to $4.35 million. More importantly, though, regulators have zeroed in on higher-level executives and boards for both their management of cyber risk and their involvement in breach response. All this is flowing from a growing number of breach notifications stemming from a variety of new breach notification requirements and expectations.
Here are the Top 5 cyber law developments in 2022:
And here are the details:
1. FTC and DOJ Target Executives for Cyber-Related Conduct
First, in October, the FTC resolved a data breach-related enforcement action against Drizly, which for the first time in a cybersecurity action individually named a CEO. The FTC alleged he failed to implement, or delegate the implementation of, reasonable security practices. The Complaint specifically called out the lack of a CISO. As a result of the settlement, the CEO is bound to the affirmative security obligations in the resolution agreement even if he leaves Drizly, meaning if he should leave Drizly and be hired at a new company the affirmative obligations will follow him to that company. It also creates the possibility of individual penalties for violations of the order, currently $46,517 per violation.
Second, also in October, the DOJ obtained a conviction of the former Uber CSO for covering up a data breach from an ongoing FTC investigation. The cover-up involved messaging to hide the incident, a payment of $100,000 to a hacker to obtain return of stolen data, and a nondisclosure agreement with false statements. The DOJ’s initial statements regarding the matter suggested that the DOJ may be more aggressively seeking to use criminal laws in cybersecurity matters. However, more recently, a senior DOJ official clarified that “[t]he prosecution of the Uber CSO stemmed from an extreme set of actions that represent an acute outlier from regular compliance practice." He added: "No one should take away from this case that good-faith compliance decisions will be the subject of criminal prosecution." That said, the conviction itself means that companies should be carefully evaluating ongoing disclosure obligations of security issues to regulatory agencies during an investigation.
2. The SEC Proposes Expansive New Rules for Cyber Reporting and Disclosures
In February, the SEC proposed new cyber risk management Rules for Investment Funds and Advisors. The Rules include a 48-hour reporting requirement for certain cyber incidents (it’s a mouthful):
The rules also require the adoption of a comprehensive cybersecurity risk management program that includes risk assessments, secure user access, system protection, vulnerability management, incident preparedness, and board review. The proposed rule updates advisers’ and funds’ disclosure forms to include reportable cyber incidents in the prior two years, as well as cybersecurity risks and in-place mitigations.
In March, the SEC proposed new cybersecurity disclosure rules that include:
3. FTC and EU Expand Notice Expectations
In May, the FTC announced that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” The goal seems to be to push companies to provide notice to individuals where the breach increases the risk of financial fraud, though it could also target other forms of harm as well. The announcement also emphasizes the importance of timely notices that accurately convey the affected information and response efforts.
The move adds new and amorphous analysis to the breach notice process for many U.S. businesses. However, it brings the FTC closer in line with the HIPAA Breach Notification Rule, GDPR, and breach notification requirements around the world, which may simplify the breach notice analysis and decisioning for some businesses.
Speaking of GDPR, the European Data Protection Board published Guidelines on breach notification that clarify that covered businesses that have a personal data breach and are not established in the EU are required to notify the data protection authorities of all member states where affected individuals reside. In the worst-case scenario, this is 42 authorities. In practice, this can require extensive coordination to file or submit notifications according to the varying local requirements or expectations, in the local languages, and of course, within 72 hours. It also means that businesses are more likely to face more scrutiny from more regulators following a data breach. The key here is preparation, and some strategies to consider are here.
4. Prevent, Detect, Respond, and Notify Expectations for Credential Stuffing (and Account Takeovers)
The New York Attorney General (NY AG) kicked off a busy 2022 with a Business Guide for Credential Stuffing Attacks. Credential stuffing is a type of cyberattack that typically involves trying to gain access to or login to an application using credentials stolen from other online services, including brute forcing the application’s authentication features. These kinds of attacks can result in the compromised account access being used for fraudulent transactions or to collect information that can be used for scams or phishing.
5. NYDFS Proposes Significant Amendments to Its Cybersecurity Regulation
In November, the New York Department of Financial Services (NYDFS) published proposed amendments to its already-onerous Part 500 Cybersecurity Regulation. If adopted, the amendments will impose significant new requirements on covered entities, including:
The comment period will close on January 9, 2023. If the amendments are adopted after the 60-day comment period, most of the new provisions will take effect 180 days from the date of adoption.