The California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) took effect on January 1, 2023, establishing some of the most comprehensive consumer privacy rights in the United States. In this post we highlight these changes in the law and provide a checklist to help companies meet the new requirements.
Tech & Sourcing @ Morgan Lewis
TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
In our June 2021 blog post, Study Analyzes Costs of a Data Breach, we discussed the Ponemon Institute’s report, which drew on a large dataset of data breaches at hundreds of organizations to identify trends in security risks and best practices. With the calendar turning to 2023, this post looks at the increased costs of data breaches in 2022 to anticipate how negotiations over liability caps for such breaches may evolve in the new year.
The New York Department of Financial Services (NYDFS) published its proposed amendment to 23 NYCRR Part 500 (the Cybersecurity Rules) on November 9, 2022, following the release of a draft version on July 29, 2022. The proposed amendment complements the US government’s efforts to further regulate cybersecurity practices under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). If adopted, the amendment would, among other things, create a new category of “Class A” companies and require covered entities (i.e., insurance companies, banks, and other financial institutions regulated by the NYDFS) to review, within 180 days, their existing policies and procedures and ensure compliance with all applicable requirements of the Cybersecurity Rules.
Despite general awareness of phishing (we have written about it in a prior post), it remains one of the most common ways for attackers to gain an initial foothold. It should be no surprise that cybercriminals keep devising more elaborate and sophisticated ways to gain access to sensitive systems and data. A recent CIO.com article lists three measures designed to deter phishing and related attacks, which we summarize below.
The US Treasury Department has issued a request for public comment on a federal cyberinsurance program that would aim to cover the costs associated with severe cyberattacks. The Federal Insurance Office (FIO) and the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are currently conducting a joint assessment for Congress. Because cyberattacks occur so frequently, premiums for cyberinsurance coverage have soared, making it difficult for businesses to afford coverage, when it is available at all. The proposed federal program would focus on critical infrastructure and serve as a backstop.
In a recent LawFlash, a team of Morgan Lewis lawyers reviewed the US Securities and Exchange Commission’s proposal for a new rule and rule amendments that, if adopted as proposed, would require registered investment advisers to meet certain requirements when outsourcing “Covered Services.” The rule includes heightened requirements for due diligence, monitoring, and reporting, including amendments to Form ADV.
In March 2022, President Joseph Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which tasked the Cybersecurity and Infrastructure Security Agency (CISA) with developing and implementing regulations on the reporting of cyber incidents and ransom payments. Under the act, CISA is to collect the reports it receives from covered entities and analyze them to identify ways to prevent similar incidents or to minimize their potential impact.
On September 15, 2022, the European Commission published a proposal for a Cyber Resilience Act (Proposed CRA), which builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, with the aim of ensuring the cybersecurity of products with digital elements and providing consumers with sufficient information about the cybersecurity of the products they buy and use.
The Department for Digital, Culture, Media & Sport (DCMS) confirmed on August 30, 2022, that it will push forward with tough new regulations and a code of practice to bolster the security and resilience of the United Kingdom’s electronic communications networks and services against current and future cyberthreats.
Contract Corner
With the COVID-19 pandemic, many industries experienced a major shift in how the personnel of key suppliers worked, with “nonessential” personnel largely working remotely. When this shift to remote work first happened (rather abruptly for many companies), security was a critical consideration, but one that was often handled outside the supplier contract, with both parties focused on keeping business operations running with the must-have data and security safeguards in place.