Year in Review: Top Cybersecurity Law Developments in 2021

The SolarWinds cyberattack was one of the biggest cybersecurity headlines for 2021...

The SolarWinds cyberattack was one of the biggest cybersecurity headlines for 2021. The breach of SolarWinds’ software, first detected in December 2020, impacted thousands of businesses across the globe, demonstrating how one supply chain attack can wreak havoc on thousands of organizations. The wide-scale cyberattack also revealed how easily an entity’s IT systems can be compromised by vulnerabilities of an entity’s software vendors and third parties. 

On May 6, 2021, the Colonial Pipeline, the largest fuel pipeline in the United States, was the target of a ransomware attack. The company ultimately paid a ransom of $5 million after a serious service disruption.  Financial Institutions and Insurance Carriers were also subjected to ransomware attacks.

According to the Identity Theft Resource Center and other surveys, the number of data breaches through September 30, 2021 exceeded the total number of events in 2020 by 18 percent.  Cybersecurity “spend” surveys indicated that although IT budgets increased 10% during 2020-2021, across various industries spend budgets actually declined 8% in 2021.  COVID-19 pandemic issues certainly had some impact as cybersecurity staffing decreased 12%, whereas the average incident cost is estimated at $5 million. The steady stream of data breaches, ransomware and other cyberattacks has prompted a wide range of legal responses. 

Banking Regulators Made Crypto a Top Priority for 2022

The Presidential Working Group Report on stablecoins, recommended that Congress act promptly to address regulatory gaps with regard to stablecoin and in the absence of such legislative action, recommended that federal banking regulators rely on their existing regulatory authority to regulate the stablecoin market. 

Crypto-Asset Policy Sprint Initiative

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency subsequently announced a Joint Statement on Crypto-Asset Policy Sprint Initiative, outlining the federal banking regulators’ plan to bring greater regulatory certainty to the emerging crypto-asset sector.

The Joint Statement recognized that the emerging crypto-asset sector presents potential opportunities and risks for banking organizations, their customers, and the overall financial system. To that end, the agencies recently conducted a series of interagency “policy sprints” focused on crypto-assets. “Similar to a ‘tech sprint’ model, agency staff with various backgrounds and relevant subject matter expertise conducted preliminary analysis on various issues regarding crypto-assets,” the Joint Statement explains. The focus of the sprint work included:

• Developing a commonly understood vocabulary using consistent terms regarding the use of crypto-assets by banking organizations.
• Identifying and assessing key risks, including those related to safety and soundness, consumer protection, and compliance, and considering legal permissibility related to potential crypto-asset activities conducted by banking organizations.
• Analyzing the applicability of existing regulations and guidance and identifying areas that may benefit from additional clarification.

This process identified several areas where additional public clarity is warranted, resulting in the agency’s development of a crypto-asset roadmap that will be implemented in 2022. As set forth in the Joint Statement, the agencies plan to provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible, and expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations related to:

• Crypto-asset safekeeping and traditional custody services;
• Ancillary custody services;
• Facilitation of customer purchases and sales of crypto-assets;
• Loans collateralized by crypto-assets;
• Issuance and distribution of stablecoins; and
• Activities involving the holding of crypto-assets on balance sheet.

Below are some of the key cybersecurity law developments of 2021:

• Biden Administration Executive Order: On May 12, President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity. The Executive Order outlined a wide-range of cybersecurity objectives, which included amending federal contracts to include breach notification and information sharing requirements for government service providers; creating baseline security standards for the development of software sold to the federal government; and establishing minimum cybersecurity requirements for federal agencies.
• State Data Privacy Laws: With efforts to establish a federal data privacy law failing to advance in Congress, states are increasingly taking the lead. Virginia was one of several states to approve a comprehensive data privacy law in 2021. The Consumer Data Protection Act (CDPA), which incorporates elements of the European Union’s General Data Protection Regulation (GDPR), as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), will go into effect on January 1, 2023.
• Biometric Data Privacy: States continue to enact regulations addressing biometric data privacy. New York City’s biometric privacy ordinance took effect on July 9, 2021. It requires any commercial establishment that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity by placing a “clear and conspicuous” sign near all of the commercial establishment’s customer entrances. Under another new law, the New York City Tenant Data Privacy Act (TDPA), owners of multi-family dwellings that utilize keyless entry systems, including but not limited to key fobs, biometric identifiers, and electronic technologies, must provide tenants with a data retention and privacy policy.
• Data Breach Notification: Failing to report a data breach as required under state or federal law continues to result in costly fines for impacted businesses. In May, a New York mortgage company recently paid a $1.5 million penalty for failing to timely report a data breach to the New York Department of Financial Services (NYDFS).
• DOJ’s Civil Cyber-Fraud Initiative: In November, the Department of Justice announced new initiative targeting cybersecurity-related fraud by government contractors and grant recipients, which will rely on the DOJ’s existing enforcement authority under the False Claims Act (FCA). According to the DOJ, the goal is to hold entities accountable when they put federal agency information or systems at risk “by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
• Everyone Vulnerable to Cyberattacks: The past year confirmed that all public and private entities are vulnerable to cyberattacks, particularly as the reliance on technology increased with more people working and learning from home. In April, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an Alert regarding an increase in cyberattacks targeting schools. The Joint Cybersecurity Advisory warned that cyberattacks against K-12 educational institutions are on the rise, resulting in the disruption of remote learning, data theft, and ransomware attacks.
• Common Attacks Will Continue:  Phishing, spear-phishing focused on ‘click and download’ access to enterprise systems reflect lack of security culture integration with IT and cyber policies/procedures.  Many firms have not established “phish alert buttons” (PAB) as part of their IT security capabilities, using employees/vendors as the “human firewall” to potential bad actors.
• Cybersecurity Financial Resources and Staffing are Critical to Defensive Strategies:  Small firms can utilize the expanding expert consultant sphere and focus IT/cyber luring on experienced/trained personnel in a broadening marketplace.
• Every firm should have an internal cybersecurity staff responsible for cybersecurity decision-makings, including CISO, COO, CTO, CCO, Legal Appointee and Cybersecurity Committee.
• Cybersecurity programs/policies must include preparedness through customized cybersecurity self-assessments of both hard and soft resources.  Cybersecurity Action Plan must “mature” with events and regulatory developments to assure that Tabletop Exercises rigorously assess breach incident awareness, recovery responses and remediation (after action) plans.  Firm structure must integrate and update BCP and disaster recovery written plans, as regulators are focused on cybersecurity and whether adequate safeguards and controls were in place. 
• Third-Party/vendor/contractor due diligence and risk management must be included in firm policy/procedures, with a diligence methodology that is capable of identifying red flags.

Key Takeaways From 2021 for 2022 Cybersecurity Planning are:

Cryptocurrency is a prime example of technological innovation outpacing our existing regulatory frameworks. While banking regulators have borrowed a tech tool to speed up their response, it is unclear how quickly the Policy Sprint Initiative will bring new guidance. Accordingly, we encourage businesses in the crypto sector to closely monitor this rapidly-evolving area of law.

Cybersecurity continues to be a compliance headache for entities of all sizes. Given the ongoing risks, it is imperative to have robust cybersecurity measures, along with a comprehensive cybersecurity incident response plan that takes into account all applicable data breach notification obligations imposed by state and federal regulators. Of course, simply having a plan in place is not enough; it is imperative that all of the necessary compliance steps are taken (and documented) in the event of a cyber incident.

If you have questions, please contact us

If you have any questions or if you would like to discuss these issues further,
please contact Paul A. Lieberman or Maryam M. Meseha, Co-Chairs: Cyber Security & Data Privacy or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.