2023 saw cybersecurity and privacy law arrive at a crossroads, especially with regard to the regulatory landscape.
This is the time of year when it is traditional to look back at the past year and extrapolate forward to make predictions for the year ahead. In data privacy law and regulation, and in cybersecurity law and regulation, the focus still seems to be on low-hanging fruit. In privacy, data breach notification laws have long taken the place of actual civil liability for failure to protect personal information, and courts continue to hold that breach victims often suffer no “actual harm” when their data is exposed publicly. As a result, many breach victims will continue to find themselves shut out of court because they lack a “concrete injury in fact.” In cybersecurity, we see the rise of the machines: more specifically, the rise of AI-based threats and of AI-based defenses against them. And yet the steady drumbeat of data breaches, most recently from a series of healthcare companies, continues to dominate the news.
2023 has been a pivotal year for both cybersecurity and privacy law, witnessing a dynamic interplay of evolving threats, innovative solutions and a flurry of regulatory activity. From landmark data privacy laws emerging in the U.S. to global efforts to combat cybercrime, the legal landscape has undergone a significant transformation, impacting organizations and individuals alike. As we stand at the threshold of 2024, taking stock of these top trends is crucial to understanding the current state of play and anticipating the direction of future developments.
2023 saw a marked increase in the adoption of comprehensive data privacy laws, several modeled on the EU’s GDPR, layered on top of the data breach notification statutes that every U.S. state already has on the books. Breach notification laws mandate that organizations inform affected individuals and the relevant authorities in a timely manner when personal data is compromised; the comprehensive laws go further and regulate how personal data is collected, used and shared in the first place.
California Privacy Rights Act (CPRA): The CPRA amended and expanded the existing California Consumer Privacy Act (CCPA). Most of its provisions became operative on January 1, 2023, with enforcement beginning July 1, 2023. It did not rewrite California’s separate breach notification statute, but it widened the CCPA’s private right of action for breaches to cover exposure of an email address together with a password or security question, and it created a dedicated enforcement agency, the California Privacy Protection Agency. The law also gives consumers the right to know what personal information is collected and how it is used and shared, to access and correct that information, to delete it in some circumstances, and to opt out of its sale or sharing and limit the use of sensitive personal information.
EU Cybersecurity Act: The EU Cybersecurity Act (Regulation (EU) 2019/881) dates from 2019, not 2023, and it is not a breach notification law: it gave ENISA a permanent mandate and created an EU-wide cybersecurity certification framework. In 2023 the Commission proposed a targeted amendment extending that certification framework to managed security service providers. Breach and incident notification in the EU rests instead on the GDPR, whose Article 33 requires notification of the supervisory authority within 72 hours of becoming aware of a personal data breach, and on the NIS 2 Directive discussed below. Together these rules emphasize transparency and accountability in the event of a cyberattack.
The SUNBURST supply chain attack, disclosed in December 2020, in which a trojanized update to SolarWinds’ Orion platform was distributed to thousands of customers, served as a stark wake-up call about the vulnerabilities in software supply chains. In response, a series of regulations and mandates were put in place to enhance supply chain security:
Defense Industrial Base (DIB) Cybersecurity Maturity Model Certification (CMMC): The U.S. Department of Defense released CMMC version 1.0 in January 2020 and announced the streamlined CMMC 2.0 in November 2021. The program requires defense contractors that handle controlled unclassified information to implement the NIST SP 800-171 security controls and to have that implementation assessed; the existing DFARS 252.204-7012 clause separately requires contractors to report cyber incidents to DoD within 72 hours. This raised the bar for cybersecurity practice across the defense industry. In 2023, DoD continued the rulemaking needed to make certification a contract requirement, publishing the proposed CMMC rule in December 2023.
Executive Order 14028: Signed in May 2021 (not 2023), this executive order on improving the nation’s cybersecurity directed federal agencies to secure the software supply chain, including adopting secure software development practices, requiring software bills of materials (SBOMs) and moving toward zero trust architecture. Its 2023 follow-through included OMB memorandum M-23-16, which requires software producers to attest to secure development practices before agencies use their software, and CISA’s draft common self-attestation form. The initiative underscored the government’s commitment to protecting critical infrastructure from cyberattacks.
Recognizing the importance of timely reporting to mitigate cyber threats, governments implemented regulations mandating incident reporting in specific sectors:
Cybersecurity and Infrastructure Security Agency (CISA) Cyber Incident Reporting: The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours, but only once CISA’s implementing rule is final; CISA spent 2023 on that rulemaking, with the proposed rule due in March 2024. The mandatory incident reporting that actually took effect in 2023 came from the Securities and Exchange Commission, whose July 2023 rule requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, with the requirement effective in December 2023. Once in force, CIRCIA reporting is intended to give CISA the data to analyze and respond to cyber incidents more effectively.
EU NIS 2 Directive: NIS 2 (Directive (EU) 2022/2555) was adopted in December 2022 and entered into force in January 2023; member states must transpose it into national law by October 17, 2024. It broadens the set of “essential” and “important” entities subject to mandatory incident reporting to include, among others, online marketplaces, banking and financial market infrastructure, and waste management, and it sets a staged reporting timeline: an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month. The result is a more comprehensive cybersecurity reporting framework across the EU.
2023 witnessed the emergence of several comprehensive data privacy laws, granting individuals greater control over their personal data and imposing stricter obligations on organizations:
Colorado Privacy Act (CPA): The CPA took effect on July 1, 2023, granting Colorado residents data rights similar to those their Californian counterparts have under the CPRA, including rights of access, correction, deletion and portability, and the right to opt out of targeted advertising, the sale of personal data and certain profiling. This marked a significant expansion of data privacy protections beyond California.
Virginia Consumer Data Protection Act (VCDPA): Coming into effect on January 1, 2023, the VCDPA was the first of the year’s new state laws to become enforceable. It established data privacy rights for Virginia residents, including access, deletion and correction rights, as well as limitations on data collection and use.
Utah Consumer Privacy Act (UCPA): Signed in March 2022 and effective December 31, 2023, the UCPA is the most business-friendly of this group. It follows an opt-out rather than an opt-in model: consumers may opt out of the sale of their personal data and of targeted advertising, and have access and deletion rights, but the law provides no right to correct inaccurate data.
Concerns about the potential for bias and discrimination embedded in algorithms used for profiling, hiring and credit scoring led to increased regulatory scrutiny:
EU Artificial Intelligence Act (AI Act): Proposed by the European Commission in April 2021, the AI Act reached a provisional political agreement between the European Parliament and the Council in December 2023, with formal adoption still to follow. It takes a risk-based approach, prohibiting some uses outright and imposing transparency, data governance and human oversight obligations on high-risk systems, a category that includes AI used in hiring and credit scoring.
Algorithmic Justice League (AJL): The AJL, a U.S. nonprofit founded by researcher Joy Buolamwini rather than a regulator, promotes responsible development and deployment of algorithms, advocating for transparency, accountability and fairness in algorithmic decision-making processes.
On October 30, 2023, President Biden signed Executive Order 14110, the “Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” marking a significant milestone in U.S. policy toward artificial intelligence (AI). The order outlines a strategy for responsible AI development and deployment, emphasizing safety, security, equity and public trust. Its key areas of focus are:
Safety and Security: The order calls for measures to ensure AI systems are safe, secure and reliable, including work on bias, explainability and potential vulnerabilities. Concretely, it invokes the Defense Production Act to require developers of the most capable dual-use foundation models to report their training runs and red-team safety test results to the government, tasks NIST with developing standards for AI red-teaming, and directs the Department of Commerce to produce guidance on watermarking AI-generated content.
Equity and Civil Rights: The order stresses the importance of preventing AI from exacerbating existing inequalities and discrimination. It directs agencies to consider the potential discriminatory impacts of AI systems and to promote fair and equitable outcomes.
Privacy: The order recognizes the privacy concerns associated with AI, particularly data collection and use. It directs agencies to prioritize data privacy while utilizing AI, including exploring privacy-enhancing technologies like differential privacy.
Consumer and Worker Protection: The order aims to protect consumers and workers from potential harm caused by AI systems. This includes ensuring transparency in AI decision-making and mitigating job displacement through workforce training and reskilling initiatives.
Innovation and Competition: The order seeks to foster a vibrant and competitive AI ecosystem in the U.S. It encourages international collaboration and promotes the development of responsible AI standards and best practices.
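The privacy item above points to differential privacy as a privacy-enhancing technology. The following is an added example, not code from the page or from the executive order it discusses, showing the core mechanism in working Python: a counting query answered with Laplace noise scaled to 1/epsilon, plus a privacy budget that refuses further queries once the cumulative epsilon is spent, since unlimited repeated queries would let an analyst average the noise away. The patient records, predicate and epsilon values are constructed for illustration.

```python
"""Epsilon-differentially-private counting with a privacy budget.

Added example, not code from the page or the executive order it discusses.
The patient records, predicate and epsilon values are constructed.
"""
import math
import random
from typing import Callable, Iterable, List

Predicate = Callable[[dict], bool]


class PrivacyBudgetExceeded(Exception):
    """Raised when answering a query would exceed the total epsilon budget."""


def laplace_sample(scale: float) -> float:
    """Draw from Laplace(0, scale) by inverse-CDF sampling, using the OS CSPRNG:
    noise an attacker can reconstruct (e.g. a seeded PRNG) gives no privacy."""
    rng = random.SystemRandom()
    u = rng.uniform(-0.5, 0.5)
    while abs(u) >= 0.5:  # avoid log(0) at the endpoints
        u = rng.uniform(-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivateCounter:
    """Answers counting queries over a record set under epsilon-DP.

    A counting query has global sensitivity 1 (one person's record changes the
    true count by at most 1), so releasing true_count + Laplace(0, 1/epsilon)
    shifts the output distribution by at most a factor of e^epsilon between any
    two datasets differing in one record. Privacy loss composes additively:
    k queries with epsilons e1..ek cost e1+...+ek, and without that accounting
    an analyst could repeat one query and average the noise away.
    """

    SENSITIVITY = 1.0  # global sensitivity of a counting query

    def __init__(self, records: Iterable[dict], total_epsilon: float,
                 noise: Callable[[float], float] = laplace_sample) -> None:
        if total_epsilon <= 0:
            raise ValueError("total_epsilon must be positive")
        self._records: List[dict] = list(records)
        self.total_epsilon = total_epsilon
        self.spent_epsilon = 0.0
        self._noise = noise  # injectable so tests can use a deterministic source

    def true_count(self, predicate: Predicate) -> int:
        """Exact answer; kept internal and never released to the analyst."""
        return sum(1 for r in self._records if predicate(r))

    def count(self, predicate: Predicate, epsilon: float) -> float:
        """Noisy count that spends `epsilon` of the budget."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent_epsilon + epsilon > self.total_epsilon + 1e-12:
            remaining = self.total_epsilon - self.spent_epsilon
            raise PrivacyBudgetExceeded(
                f"query needs epsilon={epsilon:g}, only {remaining:g} remains")
        self.spent_epsilon += epsilon  # charge before releasing anything
        return self.true_count(predicate) + self._noise(self.SENSITIVITY / epsilon)


def max_change_when_one_record_removed(records: List[dict],
                                       predicate: Predicate) -> int:
    """Empirical check of the sensitivity bound the noise scale relies on."""
    full = sum(1 for r in records if predicate(r))
    worst = 0
    for victim in records:
        without = sum(1 for r in records if r is not victim and predicate(r))
        worst = max(worst, abs(full - without))
    return worst


# Constructed sample: a handful of hypothetical patient records.
SAMPLE_RECORDS = [
    {"id": 1, "age": 34, "hiv_positive": True},
    {"id": 2, "age": 52, "hiv_positive": False},
    {"id": 3, "age": 41, "hiv_positive": True},
    {"id": 4, "age": 29, "hiv_positive": False},
    {"id": 5, "age": 63, "hiv_positive": True},
]


def is_positive(record: dict) -> bool:
    return record["hiv_positive"]


def demo() -> None:
    counter = PrivateCounter(SAMPLE_RECORDS, total_epsilon=1.0)
    print("noisy count:", round(counter.count(is_positive, epsilon=0.5), 2))
    print("noisy count:", round(counter.count(is_positive, epsilon=0.5), 2))
    try:
        counter.count(is_positive, epsilon=0.5)  # budget is now exhausted
    except PrivacyBudgetExceeded as exc:
        print("refused:", exc)
```

Running `demo()` releases two noisy answers and then refuses the third because the 1.0 budget is spent. The design choice worth noting is that the budget is charged before the answer is released and the exact count is never exposed: a mechanism that adds noise but lets the caller query without limit provides no meaningful guarantee, because the noise terms average toward zero.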
A growing emphasis on data minimization and transparency principles was evident in several regulatory initiatives:
CPRA & CPA: Both the California and Colorado laws codify data minimization. Under the CPRA, a business’s collection, use, retention and sharing of personal information must be reasonably necessary and proportionate to the purposes for which it was collected; under the CPA, controllers must limit collection to what is adequate, relevant and reasonably necessary for the purposes they have specified.
The threat landscape knows no borders, and 2023 saw increased efforts for international collaboration and agreements to combat cybercrime and protect privacy:
Cybersecurity Framework (CSF): The U.S. NIST Cybersecurity Framework continued to gain traction internationally, offering standardized cybersecurity practices that countries can adapt and localize. In August 2023, NIST released the public draft of CSF 2.0, which adds a “Govern” function and broadens the framework beyond critical infrastructure to organizations of any size or sector. Shared frameworks of this kind foster collaboration and knowledge sharing, strengthening global cybersecurity posture.
International Agreements on Ransomware: Recognizing the transnational nature of ransomware, the U.S.-led International Counter Ransomware Initiative, now roughly 50 countries, held its third summit in late October and early November 2023, where member governments pledged not to pay ransoms and committed to sharing threat information and jointly disrupting ransomware infrastructure. Russia, where many ransomware operators are based, is not a participant in these arrangements.
The regulatory landscape remains dynamic, and several trends hold the potential to significantly impact cybersecurity and privacy in the coming years:
The Rise of AI-powered Regulation: As AI becomes increasingly integrated into legal and regulatory processes, expect to see AI-powered tools used for compliance monitoring, anomaly detection and even automated case processing. This raises ethical concerns about algorithmic bias and transparency, requiring careful consideration and human oversight.
Zero-Trust Principles Take Center Stage: Moving beyond perimeter-based security models, the zero-trust approach emphasizing continuous verification and least privilege access is expected to gain wider adoption. This shift will necessitate changes in organizational workflows and security practices.
Biometric Data Privacy Concerns: The increasing use of biometric technologies like facial recognition for authentication and surveillance raises concerns about individual privacy and potential misuse. Expect to see regulations and frameworks emerging to address these concerns and establish responsible biometric data practices.
Navigating the complex interplay of cybersecurity and privacy laws requires a delicate balance between security, individual rights and innovation. As we move forward, continuous dialogue and collaboration among stakeholders, including governments, businesses and civil society, are crucial to developing effective regulatory frameworks that foster a secure and privacy-conscious digital future. While 2023 has set a significant stage for future developments, staying informed and adapting to the evolving legal landscape will be key for organizations and individuals alike to thrive in the digital age. And we can keep our fingers crossed that our robot overlords don’t decide to kill us in 2024.