2023 U.S. Cybersecurity Predictions
Alerts
January 5, 2023

Given that cyberattacks continue to be sophisticated and severe, and cybersecurity continues to be a top concern for regulators, consumers, business partners, and investors, companies should be proactive and devote adequate resources to their security practices and incident response. In addition to the litigation and reputational risks that companies face if they are perceived as having inadequate security practices, regulators are imposing significant fines for data breaches, increasingly calling for greater board oversight of cybersecurity and holding top officials personally liable for allegedly lax security practices. So, based on regulator activities from 2022, what are the top considerations for board members and businesses when it comes to cybersecurity in 2023?

  • Notify appropriate parties of breaches. In its 2022 case against CafePress, the FTC took issue with the company for allegedly covering up a data breach. The FTC’s complaint alleged that the company did not properly investigate the breach for months although it had been notified consumers’ personal information was posted for sale online, and that, while the company asked customers to reset passwords, it only stated it was doing so as part of an updated password policy. According to the complaint, the company did not inform consumers or regulators of the breach in a timely manner. It wasn’t until six months after being notified of the breach that the company sent breach notifications to government agencies and affected consumers. A key message from this case is that companies need to respond to security incidents truthfully, transparently, and quickly.
  • Devote adequate resources and senior staffing to cybersecurity issues. In November 2022, the FTC found Drizly’s CEO, James Cory Rellas, personally liable for failing to hire a senior executive to oversee the company’s security practice. The complaint noted that “the CEO hired senior executives dedicated to finance, legal, marketing, retail, human resources, product, and analytics, but failed to hire a senior executive responsible for the security of consumers’ personal information…” We anticipate an increase in enforcement actions personally naming executives for failures in a company’s security practices in 2023.
  • Consider new and upcoming sector-specific legislation that may apply to your business.
    • Critical infrastructure: In March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law, which requires the Cybersecurity and Infrastructure Security Agency (CISA) to create rules around critical infrastructure providers disclosing "substantial" cyber incidents and making ransom payments. CISA is required to propose a rule no later than March 2024, but the rule will require a “covered entity” to report a “covered cyber incident” within 72 hours and to report a ransom payment in response to a ransomware attack within 24 hours. As “covered entities” will consist of public and private sector entities that fit into one of the 16 critical infrastructure sectors defined in Presidential Policy Directive 21[1] and will be defined in the final regulations promulgated by CISA, an outstanding question is the breadth of the applicability of the final rule, as well as whether supply-chain vendors and providers of cloud services, managed services, or third-party hosting will incur reporting requirements, either to CISA or to clients who are covered entities.
    • Financial Services: The updated Safeguards Rule of the Gramm-Leach-Bliley Act will be effective on June 9, 2023. The Rule creates certain prescriptive requirements for financial institutions, including requirements to encrypt data and implement multi-factor authentication. Additionally, the New York Department of Financial Services (NYDFS) proposed amendments to its Cybersecurity Regulation, 23 NYCRR Part 500, which include requirements for covered entities to maintain a complete and accurate asset inventory, use industry-standard encryption, conduct annual penetration tests, and notify NYDFS within 24 hours of any extortion payment and within 72 hours of a cybersecurity event involving a third-party service provider. Public comments on the latest proposed amendments are due by January 9, 2023.
    • Investment Advisors: In February 2022, the Securities and Exchange Commission (SEC) proposed rules related to cybersecurity risk management for registered investment advisers, investment companies and funds, as well as amendments to rules that govern investment adviser and fund disclosures. The proposed rules have not yet been adopted, but would require advisers and funds to, among other things, implement written cybersecurity policies and procedures and report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the SEC on a new confidential form.
  • Get ready for new SEC cybersecurity rules for public companies: In March 2022, the SEC proposed amendments to its rules on disclosures that would, among other things, require companies to file a Form 8-K disclosing “material” cybersecurity incidents within four business days, disclose a series of previously undisclosed and individually immaterial cybersecurity incidents once they become material in the aggregate in a Form 10-Q or 10-K, and provide information about a company’s cyber risk, data security management systems and leadership roles, and changes in their cybersecurity implementation procedures in a Form 10-K. Although there is no date for a final rule yet, companies should consider identifying what “materiality” means in the context of their company, updating internal cybersecurity and risk management documents, and reviewing incident response plans so that covered cyber incidents can be disclosed sufficiently and in a timely manner.
  • Minimize the consumer data you maintain. In its two most recent data security enforcement actions, against ed-tech provider Chegg and alcohol-delivery service Drizly, the FTC alleged that the companies failed to have policies and procedures in place to inventory and delete consumers’ personal information that was no longer necessary. The orders in both cases included data deletion requirements. Companies can mitigate their risks by periodically deleting data that is no longer necessary for their business. Relatedly, companies should take steps to properly dispose of personal information, as well as devices that contain that information. In September 2022, the SEC announced charges against Morgan Stanley for failing to properly dispose of devices containing personal information. The SEC alleged that the company hired a moving and storage company with no experience in data destruction and failed to monitor its work, resulting in the unauthorized sale of devices containing personal information.

Wilson Sonsini Goodrich & Rosati routinely advises clients on privacy and cybersecurity issues. See here for our companion post on privacy predictions. For more information about the developments mentioned in this post, or any other advice concerning U.S. privacy and cybersecurity regulation, please contact Demian Ahn, Megan Kayo, Maneesha Mithal, or another member of the firm’s privacy and cybersecurity practice.

Stacy Okoro contributed to the preparation of this Wilson Sonsini Alert.


[1] Those sectors include: 1) chemical, 2) commercial facilities, 3) communications, 4) critical manufacturing, 5) dams, 6) defense industrial base, 7) emergency services, 8) energy, 9) financial services, 10) food and agriculture, 11) government facilities, 12) healthcare and public health, 13) information technology, 14) nuclear reactors, materials, and waste, 15) transportation systems, and 16) water and wastewater systems.

Contributors

  • Maneesha Mithal
  • Stacy Okoro