
Cybersecurity and Data Privacy Developments | Bond Schoeneck & King SARL

The legal landscape of cybersecurity and data privacy continues to evolve rapidly. Below is an overview of some of the most important developments from the last quarter.

Federal Legislation:

In June, a bipartisan federal privacy bill, the American Data Privacy and Protection Act (ADPPA), was released for consideration. The bill follows the general framework of the various state privacy laws, as well as the European Union’s General Data Protection Regulation (GDPR). Notably, unlike the state privacy laws, the ADPPA is intended to apply to most entities, including nonprofits and common carriers. Large data holders who meet certain thresholds, as well as service providers who process data on behalf of other covered entities, would face different or additional requirements.

Like other consumer privacy laws, the bill grants many individual privacy rights, including the rights to access, delete and correct data, as well as the right to data portability. The ADPPA also broadly defines sensitive data and would require additional protections for that data. In addition, the bill calls for transparency of processing, minimum data security requirements and a ban on using covered data in a discriminatory manner on the basis of protected characteristics.

The ADPPA would be enforceable by the Federal Trade Commission (FTC) as well as by state attorneys general in civil actions. The bill currently includes a private right of action, but that right would not take effect until at least two years after the bill is passed. The most debated issue is the ADPPA’s preemption of all state privacy laws by default, with the exception of state data breach laws and certain other specific laws such as the Illinois Biometric Information Privacy Act.

The bill is now before the full House of Representatives after the House Committee on Energy and Commerce marked it up on July 20 and voted 53 to 2 to advance it to the full House for consideration. The committee made significant changes to the original bill, including moving the effective date of the private right of action from four years to two years after passage, expanding the categories of sensitive information, modifying the bill’s applicability, and changing some definitions.

One of the biggest hurdles to adopting a federal US privacy and data protection law is California. The California Privacy Protection Agency used an emergency meeting to make clear its opposition to federal legislation and to any federal framework that overrides California’s strict privacy law. Additionally, the California attorney general led a coalition of nine other state attorneys general (including New York’s) calling on Congress to respect the states’ role in enacting and enforcing strong consumer privacy laws. The coalition is concerned about the broad preemption included in the federal bill and calls for legislation that allows states to protect their residents’ information by establishing higher privacy standards. The states point to the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, which gives state attorneys general concurrent enforcement authority and preempts only those state laws that are contrary to HIPAA.

State Privacy Laws – Who’s Next?:

Utah and Connecticut were the next two states to pass comprehensive data privacy legislation, bringing the total number of states with consumer data privacy laws to five. Utah’s Consumer Privacy Act (UCPA) and Connecticut’s Data Privacy Act (CDPA) are similar to, and closely follow, Virginia’s Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA). Like the VCDPA, the UCPA and CDPA include exclusions for nonprofit organizations, government entities, and data about individuals acting in a commercial or employment context.

The UCPA applies to any entity that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of at least $25 million; and (3) either (a) controls or processes the personal data of 100,000 or more consumers per year or (b) derives more than 50% of its gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers. The CDPA will apply to organizations that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the preceding calendar year, either (1) controlled or processed the personal data of at least 100,000 consumers, excluding data controlled or processed solely for the purpose of completing payment transactions; or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Both laws, like their counterparts in Virginia and Colorado, include broad consumer privacy rights, including the rights of access, correction, deletion and data portability. The UCPA and CDPA also define categories of sensitive data, and neither includes a private right of action. The CDPA contains an explicit exclusion for data that is processed solely for payment transactions. This means that an entity that collects personal data only to the extent necessary to process debit or credit card transactions in order to complete a sale will not be subject to the law on that basis.

California will also see substantial changes to its data privacy regime in the coming year. The California Privacy Rights Act (CPRA) will take effect on January 1, 2023 and will amend the California Consumer Privacy Act. Notable changes include bringing employment/HR data within the scope of the CPRA, new consumer rights including the right to correct personal information and to limit the use of sensitive personal information, and updated requirements for privacy policies and notices.

All five state privacy laws (California, Virginia, Colorado, Connecticut, and Utah) have compliance deadlines for covered entities that are fast approaching in 2023. Specifically, California and Virginia will require compliance by January 1, 2023; Colorado and Connecticut take effect July 1, 2023; and Utah takes effect December 31, 2023.

Cyber insurance company aggressively denying coverage:

Travelers Insurance has filed a lawsuit asking the U.S. District Court for the Central District of Illinois to void a cybersecurity insurance policy because the insured company misrepresented its use of multi-factor authentication (MFA), which was a condition of coverage. Travelers learned that the insured had not implemented MFA while investigating a data breach the insured suffered in May 2022. If the court rules for Travelers, the decision could have significant implications for organizations’ ability to obtain, and be covered by, cybersecurity insurance.

Data breach costs increase to $4.4 million:

IBM, in conjunction with the Ponemon Institute, studied 550 data breaches that have occurred so far this year. The study found that the average cost of a data breach was $4.4 million, an increase of 2.6% over last year and almost 13% since 2020. Stolen or compromised credentials, phishing and cloud misconfiguration were the three most common initial attack vectors leading to a breach. Additionally, organizations that had deployed a zero trust¹ approach saved an average of $1 million in breach costs compared to those that had not.

The rising costs associated with a breach, together with the Travelers lawsuit mentioned above, are an important reminder to all businesses that having and maintaining cybersecurity insurance is critical in today’s digital world. Companies should review their cybersecurity insurance policies to ensure they can comply with, and accurately certify, the safeguards required for coverage, which often include MFA as well as required policies on vendor due diligence and risk assessments.

Transatlantic Data Privacy Framework:

In March, President Biden and the President of the European Commission announced that the United States and the EU had reached a new transatlantic agreement in principle on data flows. The history of data flows between the EU and the United States has been volatile, with the EU having invalidated data transfer frameworks twice since 2015. The two major obstacles to data transfers since the invalidation of the EU-US Privacy Shield in 2020 have been the lack of a viable redress mechanism for EU citizens and uncertainty about whether the US can meet the necessity and proportionality standards set by the Court of Justice of the European Union for the processing of data. US officials continue to work on an executive order that would implement the Transatlantic Data Privacy Framework, which is expected to be finalized shortly.

Data privacy and cybersecurity training:

New York has become the first state to mandate continuing legal education in privacy, cybersecurity and data protection for attorneys. Effective July 1, 2023, all practitioners in New York must complete at least 1 credit hour of privacy, cybersecurity and data protection training per two-year reporting cycle. The credit may be earned either as general continuing legal education or as ethics education relating to cybersecurity and data protection.

Other world news:

Canada is currently working on adopting comprehensive privacy legislation. The Canadian bill would regulate the private sector and, if passed, would amend and repeal parts of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s current privacy law.

Chinese regulators have become more active under China’s Personal Information Protection Law (PIPL), issuing several new regulations in the past two months. In addition, China’s privacy regulator recently fined a Chinese ride-hailing company $1.2 billion, alleging data security violations including the illegal collection of screenshot data, facial recognition data, and demographic and location information. The sanction also includes personal fines of $147,000 imposed on two individuals, the company’s CEO and its president.

¹ Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust: every user and device attempting to connect to or log into a system must be verified and authenticated before access is granted.
