Wat te verwachten in 2023: Trends in cyberbeveiliging en gegevensprivacy

The New Year is in full swing and it’s time to consider the top trends in cybersecurity & data privacy our team expects to see throughout 2023. It will be an exciting year due to the myriad of new laws coming into effect, and organizations will need to update their global cybersecurity & data privacy programs accordingly. Whether at a state, federal, or international level, these developments are likely to impact businesses in every industry over the coming months:

State Consumer Privacy Laws

California, Virginia, Colorado, Connecticut, and Utah are the five states that have enacted comprehensive consumer privacy laws. The California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) went into effect January 1, and Colorado, Connecticut, and Utah go into effect later this year.

Although the CPRA is already in effect, the initial set of its regulations are not set to be finalized until April 2023. Further, the current regulations do not include regulations related to artificial intelligence (AI), cybersecurity audits, or privacy risk assessments, and the California Privacy Protection Agency (CPPA) recently commenced the rulemaking process on these topics. Additionally, the CPRA is currently the only law that applies to employment and business-to-business information as the CPPA has not indicated that it plans to extend the partial and temporary exception from the California Consumer Privacy Act (CCPA).

Colorado is the only other state to issue regulations related to its consumer privacy law. The Colorado Attorney General recently issued proposed regulations on the Consumer Privacy Act (CPA) and will begin holding stakeholder sessions in 2023. Although the CPA does not go into effect until July 1, organizations should begin assessing how the CPA and the proposed regulations will affect their overall privacy program.

Many other states are also considering adopting comprehensive consumer privacy laws so organizations will need to continually adapt their data privacy programs. Namely, organizations should map out what personal data they use, how they collect it, who has access to it, and where it is stored. In particular, organizations will need to assess if their use of data and advertising practices meet these new requirements. Organizations should also review privacy policies and related notice at collection to ensure the necessary information is disclosed to consumers, employees/applicants, and business-to-business contacts, if applicable. Due to the fact the laws are in flux, organizations should also monitor developments in state legislatures and other applicable global jurisdictions.

Regulations Related to AI and Automated Processing

In 2023, organizations will be subject to new AI and automated processing related obligations under four new state consumer privacy laws. While organizations subject to the General Data Protection Regulation (GDPR) are likely familiar with the law’s requirements related to AI and automated processing, the regulatory landscape in the U.S. remains uncertain and it is unclear whether there will be meaningful overlap between GDPR and state privacy laws. New consumer privacy laws in California, Colorado, Connecticut, and Virginia have AI/automated processing-related requirements, such as impact assessments on high-risk processing and opt-out rights, but questions remain on how states will address consumer harms and right to delete requests, and what type of information organizations should provide to consumers related to automated processing. Over the course of the year, organizations that use AI or automated processing technology should be mindful that new requirements are likely to emerge as California’s rulemaking process is in progress and Colorado has issued proposed regulations.

Children’s Privacy

The government remains focused on children’s privacy. California recently enacted the California Age-Appropriate Design Code Act (CAADCA), which takes effect July 1, 2024. The CAADCA intends to protect the wellbeing, data, and privacy of children using online platforms and is modeled after the Age Appropriate Design Code recently enacted in the United Kingdom. On the federal level, the Federal Trade Commission (FTC) continues to aggressively enforce the Children’s Online Privacy Protection Act (COPPA) by issuing hefty fines. Companies with online services directed to children or that have reason to know that children under the age of 13 use their services should ensure compliance with COPPA and state laws.

EU-U.S. Data Privacy Framework

The EU and the U.S. agreed on a data transfer regime last year and the EU recently issued its draft adequacy decision on the EU-U.S. Data Privacy Framework (DPF). The draft adequacy decision, if adopted, establishes that the U.S. offers appropriate safeguards to EU consumers and ensures the adequate level of protection for personal data transferred from the EU to organizations in the U.S. Although the DPF has been praised by EU and U.S. officials, EU regulators are already planning a challenge as they believe it falls short of the level of protection required by the GDPR.

Escalated Enforcement Actions and Litigation

2022 marked the first enforcement of the California Consumer Privacy Act (CCPA), and the expectation is that both domestic and international regulators will be increasing their efforts to identify and bring enforcement actions against entities they perceive as violating data privacy and security laws.

At the same time, the EU Advocate General provided guidance that data subjects are not automatically owed compensation for technical violations of the GDPR without material or non-material damage, and instead can only be compensated for actual harm. This may reduce private claims under the GDPR.

Cybersecurity Programs and Incident Response Plans

Cybersecurity remains a top priority for organizations as cyberattacks, including ransomware and cyber extortion, continue to increase year-over-year. According to the Verizon Data Breach Investigation Report, ransomware attacks increased 13% last year and will likely increase in 2023. Even the largest, most sophisticated organizations can be victims of data breaches as a result of cyberattacks. As such, organizations should proactively monitor risks and update their cybersecurity programs and incident response plans to defend against and efficiently respond to cyberattacks.

There is a myriad of new proposed laws on the horizon for this year, such as the New York Department of Financial Services (NYDFS) cybersecurity regulation, the Securities and Exchange Commission (SEC) cybersecurity disclosure requirements for public companies, and the Cybersecurity Incident Reporting for Critical Infrastructure Act (CISA) that could come into effect. As such, organizations should keep their eyes on these developments as they build their cybersecurity programs and incident response plans.

Wetten voor het melden van inbreuken op gegevens

In addition, state data breach notification laws are continually evolving with new and different requirements. Organizations must make it a priority to monitor these changes to understand their obligations in the event of a data breach and update their incident response plans accordingly. To learn more about state data breach notification laws and developments, please access Foley’s state data breach notification chart here.

For more information about complying with cybersecurity & data privacy laws and building an effective program, please contact any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy Team.

Disclaimer

Deze blog wordt ter beschikking gesteld door Foley & Lardner LLP ("Foley" of "het kantoor") voor informatieve doeleinden. Het is niet bedoeld om het juridische standpunt van het kantoor namens een cliënt over te brengen, noch is het bedoeld om specifiek juridisch advies te geven. Eventuele meningen in dit artikel weerspiegelen niet noodzakelijkerwijs de standpunten van Foley & Lardner LLP, haar partners of haar cliënten. Handel daarom niet op basis van deze informatie zonder advies te vragen aan een bevoegde advocaat. Deze blog is niet bedoeld om een advocaat-cliënt relatie te creëren en de ontvangst ervan vormt geen advocaat-cliënt relatie. Communicatie met Foley via deze website per e-mail, blogbericht of anderszins creëert geen advocaat-cliënt relatie voor welke juridische kwestie dan ook. Daarom wordt communicatie of materiaal dat u via deze blog naar Foley verzendt, hetzij via e-mail, blogpost of op een andere manier, niet behandeld als vertrouwelijk of als eigendom. De informatie op deze blog wordt gepubliceerd "AS IS" en is niet gegarandeerd volledig, nauwkeurig en/of up-to-date. Foley geeft geen verklaringen of garanties van welke aard dan ook, expliciet of impliciet, met betrekking tot de werking of inhoud van de site. Foley wijst uitdrukkelijk alle andere garanties, waarborgen, voorwaarden en verklaringen van welke aard dan ook af, hetzij uitdrukkelijk of impliciet, hetzij voortvloeiend uit een wet, wet, commercieel gebruik of anderszins, met inbegrip van impliciete garanties van verkoopbaarheid, geschiktheid voor een bepaald doel, titel en niet-inbreuk. In geen geval zal Foley of een van haar partners, functionarissen, werknemers, agenten of filialen aansprakelijk zijn, direct of indirect, onder welke rechtsleer dan ook (contract, onrechtmatige daad, nalatigheid of anderszins), jegens u of iemand anders, voor claims, verliezen of schade, direct, indirect speciaal, incidenteel, bestraffend of gevolgschade, voortvloeiend uit of veroorzaakt door de creatie, het gebruik van of het vertrouwen op deze site (inclusief informatie en andere inhoud) of websites van derden of de informatie, middelen of het materiaal waartoe toegang wordt verkregen via dergelijke websites. In sommige rechtsgebieden kan de inhoud van deze blog worden beschouwd als advocaatreclame. Houd er, indien van toepassing, rekening mee dat eerdere resultaten geen garantie bieden voor een vergelijkbaar resultaat. Foto's zijn alleen voor dramaturgische doeleinden en kunnen modellen bevatten. Afbeeldingen impliceren niet noodzakelijkerwijs een huidige status als cliënt, partner of werknemer.