Top Privacy and Cybersecurity Trends of 2021Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 

 

New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam back in March, the Virginia Consumer Data Protection Act (VCDPA) becomes effective on January 1, 2023 and applies to all companies who operate a business or produce products or services that are targeted to residents of Virginia and meet certain thresholds. Months later in July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to go into effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and meet certain thresholds. Both the VCDPA and the CPA carve out several exemptions for entities that are already covered under the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not provide an exemption for non-profit organizations. Furthermore, neither the VCDPA nor the CPA offer a private right of action. 

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt-out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Beckage recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   

 

Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive attacks such as SolarWinds and the Colonial Pipeline ransomware attack, both the federal government and also state governments sought to increase their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The new Civil Cyber-Fraud Initiative announced by the Department of Justice back in October further indicates the increasing importance of developing and maintaining resilient cybersecurity protocols.  

The federal government’s response to this year’s exponential increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and Black Matter – to take their dark web platforms offline.  At the same time, however, new variants of ransomware are constantly emerging and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations.   

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market.  Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards in place.  For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.  

Beckage’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Beckage recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 

 

Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 was no different – especially with the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm back in September that the requirements contained in the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the COVID-19 pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Beckage’s Data Security and Privacy Compliance and Health Law Teams recommend businesses take stock of their employee data collection practices in their efforts to prevent the spread of COVID-19. 

 

Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted back in JanuaryMarch, and April, BIPA’s private right of action has contributed in part to an increase in the number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit had just issued its decision in Cothron v. White Castle, certifying the issue of BIPA claims accrual to the Illinois Supreme Court.  

 

Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Beckage Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA) as well as the rapidly evolving caselaw surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately of 4,000 new lawsuits filed this year alone, with most of these cases filed against small to medium sized businesses. The issue of whether websites qualify as places of public accommodates under the ADA continued to take shape in 2021. For example, in May the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with 9th Circuit authority that has held a website is a place of public accommodation if there is a nexus to a brick and mortar location. In September, the United States District Court for the Eastern District of New York issued a decision in Winegard v Newsday LLC, which also concluded that a website is not a “place of public accommodation” under Title III of the ADA. Despite this unsettled landscape, we anticipate more litigation to come around the specific statutory definition of what constitutes a “public accommodation.” 

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Beckage recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead in to 2022.  

 

Telephone Consumer Protection Act (TCPA) 

TCPA class actions are numerous. Beckage’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout the course of 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the scope of the TCPA down to systems that utilize random number generators. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that leverage text messaging marketing as part of their consumer outreach should evaluate compliance initiatives and stay up to date on this fast moving area of the law. 

 

More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws have added a set of new cross-border requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data exchange. The new SCCs are applicable for all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition all contracts using the older SCCs to ones with the new SCCs. Additionally, Québec’s Bill 64, which received royal assent a few months ago, has a series of new requirements coming into effect within the next couple of years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 

 

Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Beckage’s team of attorneys and technologists work with businesses of all sizes and industries to develop comprehensive scalable data security and privacy infrastructures to navigate this fast moving area. 

*Attorney Advertising. Prior results do not guarantee similar outcomes. 

Subscribe to our newsletter. 

RansomwareRansomware Activity Targeting the Healthcare and Public Health Sector

Ransomware Activity Targeting the Healthcare and Public Health Sector

Beckage is notifying organizations in the healthcare sector of a potential threat that may occur this weekend. We will continue to monitor this situation and provide updates as they occur.

Late last night the Federal Bureau of Investigations (FBI), Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about an imminent cybercrime threat to hospitals and healthcare providers. These organizations have credible information to suggest that there will be a widespread Ryuk ransomware attack this weekend. The threat is currently being investigated by the FBI, DHS and the NSA’s Cybersecurity Threat Operations Center.

What We Know

The cybercrime organization Ryuk is targeting the Healthcare and Public Health sector with Trickbot malware that may lead to ransomware attacks, data theft, and the disruption of healthcare services, a particularly concerning possibility considering the nation is still grappling with the COVID-19 pandemic.

Based on what we know about Ryuk, it is possible that the targeted healthcare entities have already implemented the encryption malware on healthcare organizations’ systems and the threat actors just have not commanded it to activate.  Given the threat, we urge all healthcare organizations to review the measures recommended by the FBI as consider some practical incident response measures.

What To Do Next

Beckage recommends that hospitals and healthcare providers implement several preventative steps to safeguard their organization including of the following measures: reviewing current incident response protocols and processes within the next 24 hours, and carefully crafting internal drafting internal and external messaging and FAQs with an experienced data breach attorney to help minimize legal risk as well as making sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage is available to discuss additional best practices that should be taken over the next 24 to 72 hours. Our team will continue to monitor this for new developments and provides updates as appropriate.  If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

*Attorney advertising. Past outcomes do not predict future results.

Subscribe to our Newsletter.

ransomwareWhat To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

What To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

While ransomware was already a growing global issue before the pandemic, COVID-19 has thrown jet-fuel on that fire.  As a result, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory statement on October 1, 2020.  The advisory specifically details the risk of sanctions related to paying a ransom and reflects the greater reality that as new wrinkles in attacks become common, including exfiltration of data for later extortion or deletion back up files, more businesses than ever are considering ransom payment.  OFAC wants your business to remember that paying ransom to certain groups is a sanctionable event.  

Beckage is very familiar with many ways to avoid paying ransom, but we remain informed of all the regulations and advisory guidance related to ransom payment.

A high-level review of a ransomware event can provide perspective on what role OFAC and its advisory mean to your business:

The Incident

Ransomware is a type of malicious software that infiltrates computer networks, locking and blocking access unless a ransom is paid.  When your business encounters ransomware, your Incident Response Plan (IRP) should direct leadership to immediately initiate contact with previously identified parties whose work is focused on just this sort of matter, including counsel such as Beckage, and your cybersecurity insurance carrier.

Common Questions

In the first minutes and hours after ransomware is detected, we hear common questions, such as: Is paying ransom a viable path forward?  Is it allowed?  And if there are no other options for remediation and restoring from backups, how is it done?

The Response to Ransom Demands

Depending on the situation, ransoms are sometimes paid.  This is not a default position, but can be the necessary and most logical step in response to a ransomware incident.  Your business does not suddenly have to figure out how to pay an unknown party the ransom; your tech lawyers will be familiar with third parties that specialize in incident response, including investigating the background of the threat actor and exploring payment.  Such a third-party will take steps to secure cryptocurrency, such as Bitcoin, for paying a ransom, work with counsel to understand how anti-money laundering laws apply to a transaction, and gauge whether the actor behind the ransomware is a sanctioned group or tied to a sanctioned group. 

OFAC’s Impact

The OFAC advisory reminds us that the U.S. Government does not qualify ransom payment as illegal, but ransom payments are not favored resolutions.  The advisory serves as a reminder of existing practices and policies:

  • Fines can follow any violation of the International Emergency Economic Powers Act (IEEPA), Trading with the Enemy Act (TWEA), Specially Designated Nationals and Blocked Persons List (SDN List) or embargoes with jurisdictions such as Iran, North Korea, and Syria. Your counsel, insurers and third parties involved in ransom. payment should all be familiar with the requirements therein.
  • Businesses are encouraged to implement and maintain a compliance program to avoid sanction-related violations, which can help mitigate civil monetary penalties in the event of a sanctions-related violation.
  • Businesses should routinely review with their insurers and brokers if and how the ransom payment process is impacted by this and any future advisory.
  • Sharing ransomware incident information with relevant government agencies, including OFAC and the FBI, is highly encouraged but not required.  Cooperation is critical to not only threat actor identification efforts, but, like a formal compliance program, can mitigate penalty in the event of an enforcement action for a sanctions-related violation.

The Result

OFAC’s advisory continues an established narrative of best practices for any company affected by ransomware, and those are the practices of our firm.  If your company finds itself under attack, look to experienced incident response lawyers, like Beckage, to help.  As noted in the advisory, “there was a 37 percent annual increase in reported ransomware cases [from 2018 to 2019] and a 147 percent annual increase in associated losses from 2018 to 2019,” and these numbers are expected to continue to rise.  By looking to experienced tech lawyers in incident response, you help your business mitigate risks associated with ransomware, including business interruption, reputational harm, and non-compliance with government standards for ransom payment.

Have your technology and incident response lawyers help establish, formalize, and update your corporate Information Security Practices and Incident Response Plan, to address legal requirements and changes in the law and to help your business avoid ransomware, or at least be fully prepared to respond to an incident.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.