Takeaways From Top 5 Cyber Law Developments in 2022

7 minute read

In 2022, the stakes for data breaches grew in more ways than one. IBM reported the average cost of a data breach is up to $4.35 million. More importantly, though, regulators have zeroed in on higher-level executives and boards for both their management of cyber risk and their involvement in breach response. All this is flowing from a growing number of breach notifications stemming from a variety of new breach notification requirements and expectations.

Here are the Top 5 cyber law developments in 2022:

  1. FTC and DOJ Target Executives for Cyber-Related Conduct
  2. The SEC Proposes Expansive New Rules for Cyber Reporting and Disclosures
  3. FTC and EU Expand Notice Expectations
  4. Prevent, Detect, Respond, and Notify Expectations for Credential Stuffing (and Account Takeovers)
  5. NYDFS Proposes Significant Amendments to Its Cybersecurity Regulation

And here are the details:

1. FTC and DOJ Target Executives for Cyber-Related Conduct

First, in October, the FTC resolved a data breach-related enforcement action against Drizly, which for the first time in a cybersecurity action individually named a CEO. The FTC alleged he failed to implement, or delegate the implementation of, reasonable security practices. The Complaint specifically called out the lack of a CISO. As a result of the settlement, the CEO is bound to the affirmative security obligations in the resolution agreement even if he leaves Drizly, meaning if he should leave Drizly and be hired at a new company the affirmative obligations will follow him to that company. It also creates the possibility of individual penalties for violations of the order, currently $46,517 per violation.

Second, also in October, the DOJ obtained a conviction of the former Uber CSO for covering up a data breach from an ongoing FTC investigation. The cover-up involved messaging to hide the incident, a payment of $100,000 to a hacker to obtain return of stolen data, and a nondisclosure agreement with false statements. The DOJ’s initial statements regarding the matter suggested that the DOJ may be more aggressively seeking to use criminal laws in cybersecurity matters. However, more recently, a senior DOJ official clarified that “[t]he prosecution of the Uber CSO stemmed from an extreme set of actions that represent an acute outlier from regular compliance practice." He added: "No one should take away from this case that good-faith compliance decisions will be the subject of criminal prosecution." That said, the conviction itself means that companies should be carefully evaluating ongoing disclosure obligations of security issues to regulatory agencies during an investigation.

2. The SEC Proposes Expansive New Rules for Cyber Reporting and Disclosures

In February, the SEC proposed new cyber risk management Rules for Investment Funds and Advisors. The Rules include a 48-hour reporting requirement for certain cyber incidents (it’s a mouthful):

  • Incidents that significantly disrupt or degrade the adviser’s or its fund’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or that leads to the unauthorized access or use of the adviser’s or its fund’s information, where the unauthorized access or use of such information results in (a) substantial harm to the adviser or its fund, or (b) substantial harm to a client, or an investor whose information was accessed.

The rules also require the adoption of a comprehensive cybersecurity risk management program that includes risk assessments, secure user access, system protection, vulnerability management, incident preparedness, and board review. The proposed rule updates advisers’ and funds’ disclosure forms to include reportable cyber incidents in the prior two years, as well as cybersecurity risks and in-place mitigations.

In March, the SEC proposed new cybersecurity disclosure rules that include:

  • A requirement to disclose material cybersecurity incidents on a Form 8-K within four business days of determining the event is material
  • Periodic disclosures of cybersecurity risk management, strategy, and governance, including
    • The policies and procedures used to identify and manage cybersecurity risks, including details about board oversight.
    • Cybersecurity's role in company strategy, financial planning, and capital allocations.
    • Management and director oversight and expertise in cybersecurity.
    • The rules are on the agenda and expected to be finalized in April 2023.

3. FTC and EU Expand Notice Expectations

In May, the FTC announced that “[r]egardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.” The goal seems to be to push companies to provide notice to individuals where the breach increases the risk of financial fraud, though it could also target other forms of harm as well. The announcement also emphasizes the importance of timely notices that accurately convey the affected information and response efforts.

The move adds new and amorphous analysis to the breach notice process for many U.S. businesses. However, it brings the FTC closer in line with the HIPAA Breach Notification Rule, GDPR, and breach notification requirements around the world, which may simplify the breach notice analysis and decisioning for some businesses.

Speaking of GDPR, the European Data Protection Board published Guidelines on breach notification that clarify that covered businesses that have a personal data breach and are not established in the EU are required to notify the data protection authorities of all member states where affected individuals reside. In the worst-case scenario, this is 42 authorities. In practice, this can require extensive coordination to file or submit notifications according to the varying local requirements or expectations, in the local languages, and of course, within 72 hours. It also means that businesses are more likely to face more scrutiny from more regulators following a data breach. The key here is preparation, and some strategies to consider are here.

4. Prevent, Detect, Respond, and Notify Expectations for Credential Stuffing (and Account Takeovers)

The New York Attorney General (NY AG) kicked off a busy 2022 with a Business Guide for Credential Stuffing Attacks. Credential stuffing is a type of cyberattack that typically involves trying to gain access to or login to an application using credentials stolen from other online services, including brute forcing the application’s authentication features. These kinds of attacks can result in the compromised account access being used for fraudulent transactions or to collect information that can be used for scams or phishing.

  • For preventing and detecting credential stuffing and resulting fraud, the Guide recommends implementation of bot detection, a web application firewall, and multifactor or passwordless authentication, reauthenticating for in-app purchases, and use of fraud detection software.
  • For responding, the Guide includes blocking the access, resetting the password, and investigating for any suspicious account activity.
  • For notifying, the Guide notably expects individual notices to compromised account holders even where the notice may not be required under state breach notices laws. This is important for many businesses whose strategy to mitigate this kind of risk has involved masking or obfuscating information that if breached could trigger a state law notice requirement. The Guide and the NY AG’s prior enforcement history indicate this may not be enough.

5. NYDFS Proposes Significant Amendments to Its Cybersecurity Regulation

In November, the New York Department of Financial Services (NYDFS) published proposed amendments to its already-onerous Part 500 Cybersecurity Regulation. If adopted, the amendments will impose significant new requirements on covered entities, including:

  • Additional Reporting Obligations. The amendments significantly expand the circumstances under which a covered entity must notify NYDFS of a cybersecurity event to include events where: (1) an unauthorized user gained access to a privileged account; (2) the cybersecurity event resulted in the deployment of ransomware within a material part of the covered entity’s information system; or (3) a covered entity is affected by a cybersecurity incident at a third-party service provider. Significantly, covered entities are also required to notify NYDFS within 24 hours of making an extortion payment in connection with a cybersecurity event.
  • Governance. The amendments require covered entities to ensure that their CISO can appropriately manage cybersecurity risks, including by having the ability to “direct sufficient resources to implement and maintain a cybersecurity program.” The board of directors is also required to have sufficient expertise or knowledge to exercise effective oversight of cybersecurity risk or be advised by individuals that do.
  • Access Control. The amendments clarify that multifactor authentication must be used for remote access to both the covered entity’s information systems and third-party applications, including cloud-based applications, as well as for privileged accounts. Covered entities must periodically review user access privileges, and there are additional restrictions on the use of privileged accounts.
  • Policies and Procedures. The amendments introduce a slew of new required policies and procedures, including written policies related to asset inventories, business continuity and disaster recovery (BCDR) plans, and password and encryption policies.

The comment period will close on January 9, 2023. If the amendments are adopted after the 60-day comment period, most of the new provisions will take effect 180 days from the date of adoption.