Cybersecurity and Data Privacy – What to expect in 2022 | McGuireWoods LLP
Threats to cybersecurity and data privacy are constantly increasing both in volume and complexity. This trend is expected to continue in 2022. In a bid to protect cybersecurity and ensure data is properly safeguarded, countries around the world are introducing new laws focused on cybersecurity and data protection. Armed with new legal frameworks, regulators and law enforcement are placing onerous obligations on organisations who fall victim to cybersecurity breaches. There are shorter deadlines in which to notify the authorities of data breaches and ever increasing fines and penalties for businesses that fail to respond swiftly and appropriately to a cyberattack.
In this ever-changing area what is on the horizon for 2022?
The United Kingdom, fresh from leaving the European Union has already indicated that there will be data privacy law changes. Chancellor Rishi Sunak has said that the General Data Protection Rules (GDPR) are not necessary and pointed to what he called “sensible countries” such as Japan, Switzerland and Canada who have established and respected data rules. The Chancellor has explained that the UK Government wants to “protect individual data but we don’t want to hinder innovation, and the whole view is that there are things that we can change that will be pro-innovation whilst protecting rights and getting rid of some of the box-ticking and ending up in a good place that is net positive for the UK”.
In the US, following on from the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) other States are enacting their own privacy legislation. The Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (ColoPA), and A.430/S.2628 in New York; will be effective 1st January 2023, 1st July 2023, and May 2022 respectively. Many other States have active bills working their way through legislature, with at least 45 states and Puerto Rico having introduced or considered more than 250 bills or resolutions through 2021 that deal with cybersecurity.
In the last few months China’s new data protection law, the Personal Information Protection Law (PIPL) took effect. Broadly, it is similar to the GDPR in a number of key aspects. It has extra-territorial reach. In some areas it introduces more stringent requirements than under the GDPR. Organisations who transfer or gather data that comes within the scope of PIPL need to take steps urgently to ensure they are complying.
The United Arab Emirates have introduced data protection legislation this month, Federal Decree Law on the Protection of Personal Data. It has notable similarities to the GDPR. It also has extra-territorial reach. The law is so new that it is not yet known how it will be applied by the UAE authorities.
Cyber Attack Trends
As a result of the pandemic the number of connected devices is forecast to reach 18 billion this year. This is a vast number of potential access devices for cybercriminals looking to access secure data.
Supply chains are likely to be key targets for cyber criminals. A whole supply chain is likely to have multiple weak spots where it can be attacked with the repercussions being felt along the whole supply chain. Ransomware attacks are a likely source of disruption.
State sponsored attacks are likely to continue to be a key feature of cybercrime this coming year.
Expectations of Law Enforcement & Regulators
It is expected that regulators and law enforcement across the world will have high expectations.
The UK published a new National Cyber Strategy in December 2021. This builds on the creation of the National Cyber Force which is a significant step-up in its offensive cyber capability.
In the US, 2021 saw some significant enforcement activity, including for example the Department of Justice investigating and indicting individuals for carrying out and facilitating cyber hacks, and the New York Department of Financial Services levying its first penalties against companies in respect of cybersecurity breaches. The Financial Crimes Enforcement Network (FinCEN) also identified cybercrime as a top priority for anti-money laundering and countering terrorism financing.
Regulators want to see that organisations are taking cybersecurity seriously and have suitable data security policies in place.
How to Protect Your Organisation?
Organisations need to be proactive in tackling the threats faced and ensuring they are up-to-date with the laws applicable to the data they process.
Policies should be in place which are regularly reviewed (many organisations now review their policies every quarter such is the pace of change in this area) and updated as part of a regular cybersecurity audit. Depending on the characteristics of the business, third parties such as businesses in its supply chain, may need to form part of the audit and assessment process.
Good cybersecurity relies on education and awareness. Regular training of staff is key and should include temporary and contract staff.
Physical security also needs to be addressed which is concerned with access to premises and equipment. All organisations need to consider storage arrangements and secure disposal of records no longer required.
There need to be protocols to cover password use, firewalls, regular updates for software, backup and restoration of electronic information and monitoring to detect breaches.
Organisations should consider having a cyber-breach response plan to assist in the detection of cybercrime and ensure incidents are responded to swiftly and in an efficient and comprehensive way. There should be a clear structure of responsibility to allow for accountability.