The SolarWinds cyberattack was one of the biggest cybersecurity headlines for 2021...
The SolarWinds cyberattack was one of the biggest cybersecurity headlines for 2021. The breach of SolarWinds’ software, first detected in December 2020, impacted thousands of businesses across the globe, demonstrating how one supply chain attack can wreak havoc on thousands of organizations. The wide-scale cyberattack also revealed how easily an entity’s IT systems can be compromised by vulnerabilities of an entity’s software vendors and third parties.
On May 6, 2021, the Colonial Pipeline, the largest fuel pipeline in the United States, was the target of a ransomware attack. The company ultimately paid a ransom of $5 million after a serious service disruption. Financial Institutions and Insurance Carriers were also subjected to ransomware attacks.
According to the Identity Theft Resource Center and other surveys, the number of data breaches through September 30, 2021 exceeded the total number of events in 2020 by 18 percent. Cybersecurity “spend” surveys indicated that although IT budgets increased 10% during 2020-2021, across various industries spend budgets actually declined 8% in 2021. COVID-19 pandemic issues certainly had some impact as cybersecurity staffing decreased 12%, whereas the average incident cost is estimated at $5 million. The steady stream of data breaches, ransomware and other cyberattacks has prompted a wide range of legal responses.
Banking Regulators Made Crypto a Top Priority for 2022
The Presidential Working Group Report on stablecoins, recommended that Congress act promptly to address regulatory gaps with regard to stablecoin and in the absence of such legislative action, recommended that federal banking regulators rely on their existing regulatory authority to regulate the stablecoin market.
Crypto-Asset Policy Sprint Initiative
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency subsequently announced a Joint Statement on Crypto-Asset Policy Sprint Initiative, outlining the federal banking regulators’ plan to bring greater regulatory certainty to the emerging crypto-asset sector.
The Joint Statement recognized that the emerging crypto-asset sector presents potential opportunities and risks for banking organizations, their customers, and the overall financial system. To that end, the agencies recently conducted a series of interagency “policy sprints” focused on crypto-assets. “Similar to a ‘tech sprint’ model, agency staff with various backgrounds and relevant subject matter expertise conducted preliminary analysis on various issues regarding crypto-assets,” the Joint Statement explains. The focus of the sprint work included:
Developing a commonly understood vocabulary using consistent terms regarding the use of crypto-assets by banking organizations.
Identifying and assessing key risks, including those related to safety and soundness, consumer protection, and compliance, and considering legal permissibility related to potential crypto-asset activities conducted by banking organizations.
Analyzing the applicability of existing regulations and guidance and identifying areas that may benefit from additional clarification.
This process identified several areas where additional public clarity is warranted, resulting in the agency’s development of a crypto-asset roadmap that will be implemented in 2022. As set forth in the Joint Statement, the agencies plan to provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible, and expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations related to:
Crypto-asset safekeeping and traditional custody services;
Ancillary custody services;
Facilitation of customer purchases and sales of crypto-assets;
Loans collateralized by crypto-assets;
Issuance and distribution of stablecoins; and
Activities involving the holding of crypto-assets on balance sheet.
Below are some of the key cybersecurity law developments of 2021:
Biden Administration Executive Order: On May 12, President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity. The Executive Order outlined a wide-range of cybersecurity objectives, which included amending federal contracts to include breach notification and information sharing requirements for government service providers; creating baseline security standards for the development of software sold to the federal government; and establishing minimum cybersecurity requirements for federal agencies.
State Data Privacy Laws: With efforts to establish a federal data privacy law failing to advance in Congress, states are increasingly taking the lead. Virginia was one of several states to approve a comprehensive data privacy law in 2021. The Consumer Data Protection Act (CDPA), which incorporates elements of the European Union’s General Data Protection Regulation (GDPR), as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), will go into effect on January 1, 2023.
Biometric Data Privacy: States continue to enact regulations addressing biometric data privacy. New York City’s biometric privacy ordinance took effect on July 9, 2021. It requires any commercial establishment that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity by placing a “clear and conspicuous” sign near all of the commercial establishment’s customer entrances. Under another new law, the New York City Tenant Data Privacy Act (TDPA), owners of multi-family dwellings that utilize keyless entry systems, including but not limited to key fobs, biometric identifiers, and electronic technologies, must provide tenants with a data retention and privacy policy.
Data Breach Notification: Failing to report a data breach as required under state or federal law continues to result in costly fines for impacted businesses. In May, a New York mortgage company recently paid a $1.5 million penalty for failing to timely report a data breach to the New York Department of Financial Services (NYDFS).
DOJ’s Civil Cyber-Fraud Initiative: In November, the Department of Justice announced new initiative targeting cybersecurity-related fraud by government contractors and grant recipients, which will rely on the DOJ’s existing enforcement authority under the False Claims Act (FCA). According to the DOJ, the goal is to hold entities accountable when they put federal agency information or systems at risk “by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
Everyone Vulnerable to Cyberattacks: The past year confirmed that all public and private entities are vulnerable to cyberattacks, particularly as the reliance on technology increased with more people working and learning from home. In April, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an Alert regarding an increase in cyberattacks targeting schools. The Joint Cybersecurity Advisory warned that cyberattacks against K-12 educational institutions are on the rise, resulting in the disruption of remote learning, data theft, and ransomware attacks.
Common Attacks Will Continue: Phishing, spear-phishing focused on ‘click and download’ access to enterprise systems reflect lack of security culture integration with IT and cyber policies/procedures. Many firms have not established “phish alert buttons” (PAB) as part of their IT security capabilities, using employees/vendors as the “human firewall” to potential bad actors.
Cybersecurity Financial Resources and Staffing are Critical to Defensive Strategies: Small firms can utilize the expanding expert consultant sphere and focus IT/cyber luring on experienced/trained personnel in a broadening marketplace.
Every firm should have an internal cybersecurity staff responsible for cybersecurity decision-makings, including CISO, COO, CTO, CCO, Legal Appointee and Cybersecurity Committee.
Cybersecurity programs/policies must include preparedness through customized cybersecurity self-assessments of both hard and soft resources. Cybersecurity Action Plan must “mature” with events and regulatory developments to assure that Tabletop Exercises rigorously assess breach incident awareness, recovery responses and remediation (after action) plans. Firm structure must integrate and update BCP and disaster recovery written plans, as regulators are focused on cybersecurity and whether adequate safeguards and controls were in place.
Third-Party/vendor/contractor due diligence and risk management must be included in firm policy/procedures, with a diligence methodology that is capable of identifying red flags.
Key Takeaways From 2021 for 2022 Cybersecurity Planning are:
Cryptocurrency is a prime example of technological innovation outpacing our existing regulatory frameworks. While banking regulators have borrowed a tech tool to speed up their response, it is unclear how quickly the Policy Sprint Initiative will bring new guidance. Accordingly, we encourage businesses in the crypto sector to closely monitor this rapidly-evolving area of law.
Cybersecurity continues to be a compliance headache for entities of all sizes. Given the ongoing risks, it is imperative to have robust cybersecurity measures, along with a comprehensive cybersecurity incident response plan that takes into account all applicable data breach notification obligations imposed by state and federal regulators. Of course, simply having a plan in place is not enough; it is imperative that all of the necessary compliance steps are taken (and documented) in the event of a cyber incident.
If you have questions, please contact us
If you have any questions or if you would like to discuss these issues further, please contact Paul A. Lieberman or Maryam M. Meseha, Co-Chairs: Cyber Security & Data Privacy or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.
You Just Received a Federal Grand Jury Subpoena in New Jersey: Now What?
Receiving a federal grand jury subpoena is not something most businesses or individuals anticipate. While it can be concerning, a federal grand jury subpoena does not necessarily mean that you are being accused of wrongdoing. It does, however, mean that a federal criminal investigation is underway and that federal prosecutors believe you may possess information […]
Why Every Business Should Conduct an Annual Insurance Coverage Review
Most New Jersey business owners purchase insurance policies, file them away, and assume they are protected if a claim arises. Without a regular insurance coverage review, many companies discover gaps only after a lawsuit, cyberattack, property loss, or other significant event occurs. An annual insurance coverage review can help businesses identify potential risks, ensure their […]
Demand Letters & Cease and Desist Letters: When to Send One (and When Not To)
Businesses and individuals often encounter situations where another party breaches a contract, fails to pay a debt, or continues harmful conduct. In many such disputes, a precisely drafted demand letter or cease-and-desist letter serves as a powerful legal tool. It can frequently resolve the dispute and avoid litigation. While demand or cease-and-desist letters can resolve […]
Key provisions in your contracts, including those relating to indemnification, insurance, and defense, are essential to contract risk management. While sometimes considered “boilerplate,” these provisions play a pivotal role when determining which party is responsible for certain costs and liabilities. They must always be negotiated and drafted carefully. Indemnification Clauses Businesses should never overlook the […]
Portability of estate and gift tax enables a surviving spouse to inherit any unused portion of their deceased spouse’s federal estate and gift tax exemption. So, if one spouse doesn’t utilize their full exemption, the surviving spouse can effectively double their exemption amount with regard to estate tax liability. For married couples, portability offers a […]
Pet Trusts in New Jersey and New York: A Practical Estate Planning Tool
For many of us, pets are more than companions—they are members of the family. Yet they are often overlooked or inadequately provided for when it comes to estate planning. A pet trust offers a legally enforceable way to ensure that your animal continues to receive proper care if you become incapacitated or pass away. As […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
