By Jarman J. Smith on January 5, 2022
As we say farewell to the year 2021, we can recount some of the largest occurrences in data privacy and cybersecurity from the past year and look ahead to anticipated trends for the new year. Organizations in the United States and all around the world can prepare for the year ahead by reviewing prominent events that occurred in 2021 related to cybersecurity attacks, data breach incidents, and consumer privacy legislation. With a well-developed understanding of data privacy patterns from the past, businesses can adequately prepare for anticipated legal obligations related to cybersecurity and consumer privacy in addition to establishing improvements in their own data protection measures.
Frequency of Cybersecurity Attacks Trend Upward in 2021; Likely to Continue in 2022
Cybercriminals were very busy in 2021, as demonstrated through the alarming number of ransomware attacks throughout the past year that wreaked havoc on individuals and organizations around the world. According to the International Data Corporation’s 2021 Ransomware Study, approximately 37% of global organizations said they were the victim of some form of ransomware attack in 2021.[1] The financial effects of ransomware became particularly pronounced in 2021 as well, as attacks hit supply chains and critical infrastructure. National and state governments, food producers, energy suppliers, schools, and many other essential organizations were all targets of ransomware attacks. Moreover, the COVID-19 pandemic may have fueled a surge in ransomware attacks with remote workforces increasing vulnerability levels for many organizations.
The threat of cybersecurity attacks and data breach incidents remains real in 2022. Over the next five years, acting National Security Agency Director, Paul Nakasone, expects the frequency of ransomware attacks to remain constant, if not increase.[2] Furthermore, Nakasone anticipates that at least one business or organization in the United States will face a ransomware attack “every single day” throughout the new year.[3] As remote work arrangements seem likely to persist into 2022 and beyond, businesses need to ensure that their employees are trained to spot and avoid common forms of ransomware attacks such as phishing attempts. Organizations should also review security protocols on a regular basis to prepare for increasingly sophisticated methods of cybersecurity attacks that are likely to be developed in the near future.
New Data Privacy Laws Enacted in 2021; More Legislation and Compliance Efforts to Follow in 2022
In the past year, we saw a substantial increase in proposed privacy legislation at the state level in the United States. Many, if not all, of the proposed data privacy bills largely mirrored the California Consumer Privacy Act (CCPA). In addition to the CCPA and Ohio’s Data Protection Act, two more states—Virginia and Colorado—passed their own consumer privacy laws that will go into effect in 2023. The Virginia and Colorado data privacy laws will provide consumers with certain rights regarding their data, such as the right to opt out of the processing of their personal data for targeted advertising and sales, a right to access their data, a right to correct inaccurate data, and a right to have their data deleted, among several other rights. However, it is important to note that, except for data breaches under the CCPA, these laws do not currently provide for a private right of action.
Beyond Virginia and Colorado, nearly 30 other states have had consumer privacy bills introduced in their legislatures in 2021.[4] Although not all of these bills have been successfully enacted, it is telling that they are beginning to appear in legislative chambers across the country more frequently. In 2022, we can expect more states to enact their own consumer privacy laws. As more state laws on the subject are established, pressure will build upon the national legislature to enact a federal standard regarding data privacy. Several high-profile members of Congress have called for bipartisan action to protect consumer information and several data privacy laws were introduced in the Senate as well. One potential issue to look for is whether a federal data privacy bill would preempt states from providing further protection, although it is reasonable to suggest that the federal law would establish a minimum level of security standards upon which the states could build. Pressure on the U.S. to enact a federal data privacy standard is even coming from foreign actors, as the European Union’s Justice Commissioner has stated that the U.S. passing federal privacy legislation would be an “important element” in moving forward on restoring a European-U.S. data transfer agreement.[5] Such a data transfer agreement would once again allow for transatlantic data flows between the U.S. and the European Union (EU). For the foregoing reasons, you can expect a federal bill to at least gain traction in 2022.
Summation of Anticipated Data Privacy Trends for 2022
An analysis of the past year’s data privacy events can help us generate a list of anticipated trends for the new year. In 2022, we can expect that:
- Cybercriminals will remain at large in the new year.
  - There is a lack of information available to suggest that cybersecurity attacks will slow down in 2022. To the contrary, we can expect the frequency of cybersecurity incidents to increase as cybercriminals continue to exploit vulnerabilities in remote work arrangements and because of the increased popularity of Ransomware-as-a-Service platforms.
- More data privacy legislation will be enacted.
  - There will be increased efforts to introduce and enact data privacy legislation at both the state and federal levels. California, Virginia, and Colorado have set the pace for data privacy in the U.S. and many other states are likely to follow suit. As more states pass their own data privacy laws, we can anticipate the federal legislature to at least make some form of substantial progress toward establishing a federal standard for data privacy and cybersecurity.
- Businesses will increase data privacy compliance efforts.
  - There will be increased efforts amongst organizations and businesses to become compliant with applicable data privacy laws. Organizations that have global reach have already begun setting the groundwork to become compliant with the EU’s General Data Protection Regulation. However, even organizations that do not handle the personal data of EU residents must become compliant with applicable data privacy regulations in the U.S. Since Virginia and Colorado’s data privacy laws take effect in 2023, organizations should use 2022 as a year of preparation so that they are not blindsided by any applicable regulations and penalties that may follow for non-compliance.
How Brouse Can Help
The new year should be taken as an opportunity to prioritize data privacy. Throughout 2021, we have seen the prominence of cybercriminals and witnessed an increase of data privacy regulations as a result. Therefore, in 2022 we must increase our cybersecurity protocols and adhere to applicable data processing requirements. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to defend against cyberattacks, protect consumer information, and become compliant with applicable data privacy regulations. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
[1] See https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts, citing https://www.idc.com/about.
[2] See https://www.jdsupra.com/legalnews/a-look-back-at-the-year-in-data-1782903/.
[4] See https://www.jdsupra.com/legalnews/a-look-back-at-the-year-in-data-1782903/.