Scarinci Hollenbeck, LLC, LLCScarinci Hollenbeck, LLC, LLC

Firm Insights

Year in Review: Top Cybersecurity Law Developments in 2021

Author: Scarinci Hollenbeck, LLC

Date: February 18, 2022

Key Contacts

Back
Year in Review: Top Cybersecurity Law Developments of 2021

The SolarWinds cyberattack was one of the biggest cybersecurity headlines for 2021...

The SolarWinds cyberattack was one of the biggest cybersecurity headlines for 2021. The breach of SolarWinds’ software, first detected in December 2020, impacted thousands of businesses across the globe, demonstrating how one supply chain attack can wreak havoc on thousands of organizations. The wide-scale cyberattack also revealed how easily an entity’s IT systems can be compromised by vulnerabilities of an entity’s software vendors and third parties. 

On May 6, 2021, the Colonial Pipeline, the largest fuel pipeline in the United States, was the target of a ransomware attack. The company ultimately paid a ransom of $5 million after a serious service disruption.  Financial Institutions and Insurance Carriers were also subjected to ransomware attacks.

According to the Identity Theft Resource Center and other surveys, the number of data breaches through September 30, 2021 exceeded the total number of events in 2020 by 18 percent.  Cybersecurity “spend” surveys indicated that although IT budgets increased 10% during 2020-2021, across various industries spend budgets actually declined 8% in 2021.  COVID-19 pandemic issues certainly had some impact as cybersecurity staffing decreased 12%, whereas the average incident cost is estimated at $5 million. The steady stream of data breaches, ransomware and other cyberattacks has prompted a wide range of legal responses. 

Banking Regulators Made Crypto a Top Priority for 2022

The Presidential Working Group Report on stablecoins, recommended that Congress act promptly to address regulatory gaps with regard to stablecoin and in the absence of such legislative action, recommended that federal banking regulators rely on their existing regulatory authority to regulate the stablecoin market. 

Crypto-Asset Policy Sprint Initiative

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency subsequently announced a Joint Statement on Crypto-Asset Policy Sprint Initiative, outlining the federal banking regulators’ plan to bring greater regulatory certainty to the emerging crypto-asset sector.

The Joint Statement recognized that the emerging crypto-asset sector presents potential opportunities and risks for banking organizations, their customers, and the overall financial system. To that end, the agencies recently conducted a series of interagency “policy sprints” focused on crypto-assets. “Similar to a ‘tech sprint’ model, agency staff with various backgrounds and relevant subject matter expertise conducted preliminary analysis on various issues regarding crypto-assets,” the Joint Statement explains. The focus of the sprint work included:

  • Developing a commonly understood vocabulary using consistent terms regarding the use of crypto-assets by banking organizations.
  • Identifying and assessing key risks, including those related to safety and soundness, consumer protection, and compliance, and considering legal permissibility related to potential crypto-asset activities conducted by banking organizations.
  • Analyzing the applicability of existing regulations and guidance and identifying areas that may benefit from additional clarification.

This process identified several areas where additional public clarity is warranted, resulting in the agency’s development of a crypto-asset roadmap that will be implemented in 2022. As set forth in the Joint Statement, the agencies plan to provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible, and expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations related to:

  • Crypto-asset safekeeping and traditional custody services;
  • Ancillary custody services;
  • Facilitation of customer purchases and sales of crypto-assets;
  • Loans collateralized by crypto-assets;
  • Issuance and distribution of stablecoins; and
  • Activities involving the holding of crypto-assets on balance sheet.

Below are some of the key cybersecurity law developments of 2021:

  • Biden Administration Executive Order: On May 12, President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity. The Executive Order outlined a wide-range of cybersecurity objectives, which included amending federal contracts to include breach notification and information sharing requirements for government service providers; creating baseline security standards for the development of software sold to the federal government; and establishing minimum cybersecurity requirements for federal agencies.
  • State Data Privacy Laws: With efforts to establish a federal data privacy law failing to advance in Congress, states are increasingly taking the lead. Virginia was one of several states to approve a comprehensive data privacy law in 2021. The Consumer Data Protection Act (CDPA), which incorporates elements of the European Union’s General Data Protection Regulation (GDPR), as well as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), will go into effect on January 1, 2023.
  • Biometric Data Privacy: States continue to enact regulations addressing biometric data privacy. New York City’s biometric privacy ordinance took effect on July 9, 2021. It requires any commercial establishment that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity by placing a “clear and conspicuous” sign near all of the commercial establishment’s customer entrances. Under another new law, the New York City Tenant Data Privacy Act (TDPA), owners of multi-family dwellings that utilize keyless entry systems, including but not limited to key fobs, biometric identifiers, and electronic technologies, must provide tenants with a data retention and privacy policy.
  • Data Breach Notification: Failing to report a data breach as required under state or federal law continues to result in costly fines for impacted businesses. In May, a New York mortgage company recently paid a $1.5 million penalty for failing to timely report a data breach to the New York Department of Financial Services (NYDFS).
  • DOJ’s Civil Cyber-Fraud Initiative: In November, the Department of Justice announced new initiative targeting cybersecurity-related fraud by government contractors and grant recipients, which will rely on the DOJ’s existing enforcement authority under the False Claims Act (FCA). According to the DOJ, the goal is to hold entities accountable when they put federal agency information or systems at risk “by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”
  • Everyone Vulnerable to Cyberattacks: The past year confirmed that all public and private entities are vulnerable to cyberattacks, particularly as the reliance on technology increased with more people working and learning from home. In April, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued an Alert regarding an increase in cyberattacks targeting schools. The Joint Cybersecurity Advisory warned that cyberattacks against K-12 educational institutions are on the rise, resulting in the disruption of remote learning, data theft, and ransomware attacks.
  • Common Attacks Will Continue:  Phishing, spear-phishing focused on ‘click and download’ access to enterprise systems reflect lack of security culture integration with IT and cyber policies/procedures.  Many firms have not established “phish alert buttons” (PAB) as part of their IT security capabilities, using employees/vendors as the “human firewall” to potential bad actors.
  • Cybersecurity Financial Resources and Staffing are Critical to Defensive Strategies:  Small firms can utilize the expanding expert consultant sphere and focus IT/cyber luring on experienced/trained personnel in a broadening marketplace.
  • Every firm should have an internal cybersecurity staff responsible for cybersecurity decision-makings, including CISO, COO, CTO, CCO, Legal Appointee and Cybersecurity Committee.
  • Cybersecurity programs/policies must include preparedness through customized cybersecurity self-assessments of both hard and soft resources.  Cybersecurity Action Plan must “mature” with events and regulatory developments to assure that Tabletop Exercises rigorously assess breach incident awareness, recovery responses and remediation (after action) plans.  Firm structure must integrate and update BCP and disaster recovery written plans, as regulators are focused on cybersecurity and whether adequate safeguards and controls were in place. 
  • Third-Party/vendor/contractor due diligence and risk management must be included in firm policy/procedures, with a diligence methodology that is capable of identifying red flags.

Key Takeaways From 2021 for 2022 Cybersecurity Planning are:

Cryptocurrency is a prime example of technological innovation outpacing our existing regulatory frameworks. While banking regulators have borrowed a tech tool to speed up their response, it is unclear how quickly the Policy Sprint Initiative will bring new guidance. Accordingly, we encourage businesses in the crypto sector to closely monitor this rapidly-evolving area of law.

Cybersecurity continues to be a compliance headache for entities of all sizes. Given the ongoing risks, it is imperative to have robust cybersecurity measures, along with a comprehensive cybersecurity incident response plan that takes into account all applicable data breach notification obligations imposed by state and federal regulators. Of course, simply having a plan in place is not enough; it is imperative that all of the necessary compliance steps are taken (and documented) in the event of a cyber incident.

If you have questions, please contact us

If you have any questions or if you would like to discuss these issues further,
please contact Paul A. Lieberman or Maryam M. Meseha, Co-Chairs: Cyber Security & Data Privacy or the Scarinci Hollenbeck attorney with whom you work, at (201) 896-4100.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Scarinci Hollenbeck, LLC, LLC

Related Posts

See all
Dissolving Your Business: Essential Legal Steps to Protect Your Interests post image

Dissolving Your Business: Essential Legal Steps to Protect Your Interests

If you’re considering closing your business, it’s crucial to understand that simply shutting your doors does not end your legal obligations. Unless you formally dissolve your business, it continues to exist in the eyes of the law—leaving you exposed to ongoing liabilities such as taxes, compliance violations, and potential lawsuits. Dissolving a business can seem […]

Author: Christopher D. Warren

Link to post with title - "Dissolving Your Business: Essential Legal Steps to Protect Your Interests"
The Role of Corporate Restructuring in Mergers & Acquisitions post image

The Role of Corporate Restructuring in Mergers & Acquisitions

Contrary to what many people think, corporate restructuring isn’t all doom and gloom. Revamping a company’s organizational structure, corporate hierarchy, or operations procedures can help keep your business competitive. This is particularly true during challenging times. Corporate restructuring plays a critical role in modern business strategy. It helps companies adapt quickly to market changes. Following […]

Author: Dan Brecher

Link to post with title - "The Role of Corporate Restructuring in Mergers & Acquisitions"
Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public post image

Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public

Cryptocurrency intimidates most people. The reason is straightforward. People fear what they do not understand. When confusion sets in, the common reaction is either to ignore the subject entirely or to mistrust it. For years, that is exactly how most of the public and even many in law enforcement treated cryptocurrency. However, such apprehension changed […]

Author: Bryce S. Robins

Link to post with title - "Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public"
Understanding Chattel Paper: A Key Component in Secured Transactions post image

Understanding Chattel Paper: A Key Component in Secured Transactions

Using chattel paper to obtain a security interest in personal property is a powerful tool. It can ensure lenders have a legal claim on collateral ranging from inventory to intellectual property. To reduce risk and protect your legal rights, businesses and lenders should understand the legal framework. This framework governs the creation, sale, and enforcement […]

Author: Dan Brecher

Link to post with title - "Understanding Chattel Paper: A Key Component in Secured Transactions"
Crypto Compliance: A Comprehensive Guide post image

Crypto Compliance: A Comprehensive Guide

For years, digital assets operated in a legal gray area, a frontier where innovation outpaced the reach of regulators and law enforcement. In this early “Wild West” phase of finance, crypto startups thrived under minimal oversight. That era, however, is coming to an end. The importance of crypto compliance has become paramount as cryptocurrency has […]

Author: Bryce S. Robins

Link to post with title - "Crypto Compliance: A Comprehensive Guide"
Supreme Court and Title VII: Implications for Reverse Discrimination post image

Supreme Court and Title VII: Implications for Reverse Discrimination

Earlier this month, the U.S. Supreme Court issued a decision in Ames v. Ohio Department of Youth Services vitiating the so-called “background circumstances” test required by half of federal circuit courts.1 The background circumstances test required majority group plaintiffs pleading discrimination under Title VII of the Civil Rights Act to meet a heightened pleading standard […]

Author: Matthew F. Mimnaugh

Link to post with title - "Supreme Court and Title VII: Implications for Reverse Discrimination"

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.

Sign up to get the latest from our attorneys!

Explore What Matters Most to You.

Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.

Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.

Let`s get in touch!

* The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.

Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!