FEATURED STORY January 26, 2023

5 Trends to Watch: 2023 Data Privacy & Cybersecurity

  1. An Increase in Extortion-Only Cyber Attacks - While ransomware attacks have been on the rise since 2020, a recent trend has emerged where threat actors are bypassing ransomware malware and encryption tactics and going straight to data theft. If a victim company does not pay the extortion demand, the threat actors engage in increasingly aggressive tactics, like publicly posting the stolen data for sale on a shame site and contacting employees and customers of the victim company to apply external pressure on the victim to make the payment.

  2. Continued Increase in Legal Requirements for Company-Held Data - An increasing number of proposed data security laws and regulations, such as the FTC Safeguards Rule and the EU NIS2 Directive that came into force in 2023, are mandating specific data security measures for companies regulated by those laws, in particular, financial institutions and other highly-regulated industries. These granular laws are leaving behind the more general requirements of the past, which required companies to implement and maintain more vague "reasonable and appropriate" security standards, in favor of requirements that more closely align with recognized data security standards (e.g., NIST, ISO). The laws prescribe not only security measures, but also policies and procedures, incident response plans, and accountability.

  3. Increasing Vendor Due Diligence - Conducting diligence on vendor data security practices has arguably risen to the level of industry standard and practice. Conducting due diligence on vendor data privacy practices, including such things as how they handle law enforcement requests, the countries to which they transfer personal information, and their relationships with subprocessors, is less common. Facing increasing scrutiny (and significant fines for breaches) from regulators in the United States and in the European Union regarding the use of processors, controllers are increasingly demanding more information about their vendors' data privacy practices, including requesting that vendors substantiate that they have "flowed down" privacy-related provisions found in their data processing agreements (DPA) to subprocessors. For a guide on how to apply the new European Standard Contractual Clauses to all contracts, see Greenberg Traurig's Complete Handbook for Cross Border Transfers of Personal Information.

  4. Enforcement of California's Privacy Law - In August 2022, the California Attorney General's office published its first enforcement action and imposed its first fine in relation to an eCommerce website's use of targeted advertising technology. Although enforcement of the California Privacy Rights Act (CPRA) is not permitted until July of 2023, the California Attorney General may attempt to ramp up its enforcement of the California Consumer Privacy Act (CCPA) until that date. After July, it is likely the California Privacy Protection Agency will try to make its mark by initiating enforcement actions and warnings to companies that have not updated their compliance programs to account for the new law.

  5. More Privacy Class Action Litigation Based on Wiretapping Laws - "Session replay" refers to a tool that records and analyzes customers' interactions with a business's website or phone application to improve functionality and user experience. Over the last few years, a trend has emerged of plaintiffs alleging the use of session replay software violates anti-wiretapping laws which were intended to prevent eavesdropping and secret recordings. It is likely that plaintiffs will continue to assert these arguments in an attempt to impose statutory damages through litigation by shoehorning AdTech tools into violations of wiretapping statutes.
