2018 was another busy year for lawyers in the privacy/cybersecurity world – GDPR, CCPA, Marriott, New York Department of Financial Service’s cybersecurity rule deadlines, increased SEC enforcement, more data breach lawsuits, more companies doing tabletop exercises and risk assessments, etc. But 2019 is looking to be even busier. Below are our predictions for the Top 10 things that will keep us busy in 2019, and what companies should be preparing for:
1. Consumer Consent
Figuring out what kind of consent is needed from clients and customers in order to use or sell their personal data for commercial purposes is going to be increasingly important in 2019. In 2018, consumers and politicians voiced serious concern over how personal information is collected, used and shared. In response, European regulators have used their new powers under the GDPR to sanction companies for failing to obtain proper consent for data processing, as in the case of the ICO’s October 2018 enforcement notice to a Canadian data analytics company. Private actions are also being brought under the GDPR alleging that the form of consent being obtained by tech companies is inadequate. In the U.S., the California Consumer Privacy Act (“CCPA”), effective January 1, 2020, grants a limited opt-out right to consumers for the sale of personal information to third parties. Similarly, a number of proposed federal privacy laws would mandate disclosure of the categories of personal information stored and shared by companies, and provide for either opt-in or opt-out consent regimes. We expect that 2019 will see state and federal governments increasing the requirements for, and the scrutiny of, consent to collect and use consumer data.
2. Data Breach Shareholder Class Actions
The number of class action securities cases arising out of data breaches, and the costs to resolve them, rose dramatically in 2018 and will continue to rise in 2019. In 2018, several cyber-related class action securities cases made their way through federal courts, including against Marriott, Equifax, Intel, Chegg and Huazhu. One factor in this heightened activity is that large cyber breaches are increasingly resulting in significant stock declines. Equifax, for example, lost more than 25% of its market capitalization following announcement of its data breach. Another factor is the increase in perceived viability of these cases following Yahoo’s settlement with investors for $80 million over claims that the company failed to disclose prior data breaches. We expect this trend to continue in 2019, with even more cases being filed.
3. Expanding Notions of Harm
In 2019, we expect to see courts and regulators expand what constitutes harm in connection with a data breach beyond concrete economic injury. In 2018, we covered the different approaches being taken by the various United States Courts of Appeals on what kind of injury is required for standing under Article III in a class action data breach case. After previously declining to revisit the issue, the Supreme Court seems poised to tackle the topic in 2019. Appellants in Zappos.com, Inc. v. Stephens filed a petition for a writ of certiorari in September 2018 to settle the circuit split. That petition went to conference on December 7, 2018. Whatever the outcome in the Supreme Court, we are also expecting new federal and state laws to provide statutory damages for individuals whose personal data has been accessed without authorization, like those implemented under the CCPA. The increasing public outcry over large-scale data breaches has resulted in regulators, politicians, and consumers calling for more accountability from companies that have experienced major hacks, and in 2019, either the courts or the legislators (or both) will respond by expanding what is recoverable in cyber breach cases beyond concrete economic harm.
4. Cybersecurity Negligence Claims
In 2019, we will see an increase in ordinary negligence actions brought by individuals whose data has been accessed because of businesses’ poor data privacy or security measures. In November, the Pennsylvania Supreme Court ruled that a hospital had a legal duty to use reasonable care to protect personal information it collected from workers in the course of their employment. The court permitted recovery for purely economic damages under a negligence theory. By recognizing a common law duty to protect data, it seems that, at least in Pennsylvania, employers can be sued for purely pecuniary loss arising from failure to protect employee data. The justices explained that protecting personal data is not a new affirmative duty but rather an existing duty applied to a “novel factual scenario.” Accordingly, we expect that in 2019 plaintiffs will increasingly bring negligence causes of action in cyber cases to expand this ruling beyond employees to customers, and beyond Pennsylvania.
5. Targeted Cyberattacks Will Increase
An uneasy international political climate in 2019 likely means more cyber activity by nation states and affiliated actors. And with all the personal data that was leaked in 2018, hackers have a lot to work with in 2019. Threat actors can take information exposed in other cyber attacks, combine it with publicly available data on company webpages and other public sites, and use that data for attacks like credential stuffing and help desk fraud, also known as “vishing” (voice phishing). In vishing scams, a person calls a company support phone number for HR or IT with enough personal information about an employee to successfully impersonate them in order to (1) obtain even more information (such as an Employee ID number) to be used later, (2) have a sensitive document or an email password mailed to a non-work email address controlled by the hacker, or (3) change the wire instructions for the employee’s paycheck to the hacker’s account. This kind of information is also being used to craft very credible targeted phishing emails to specific VIP targets (“whaling”). As the sophistication of targeted attacks increases, it will be even more important for organizations to conduct regular employee training on how to detect them.
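Credential stuffing, mentioned above, is a detection problem as much as a training problem: the attacker replays leaked username/password pairs, so the telltale pattern is one source attempting many different accounts with a low success rate, which looks quite different from a brute-force attack that hammers a single account. The following Python script is an added illustration written for this post, not code from the original article or from Davis Polk; the log format, the thresholds, the sample log lines and the IP addresses (drawn from the reserved documentation ranges) are all constructed assumptions.

```python
"""Flag credential-stuffing sources in authentication logs.

Constructed example: the line format, thresholds and sample log are
assumptions made for illustration. Credential stuffing replays leaked
username/password pairs, so the signal is one source trying MANY DISTINCT
accounts with mostly failures; a brute force on one account is not flagged.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed log format (constructed): "<ISO timestamp> <ip> <user> <LOGIN_OK|LOGIN_FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse(lines):
    """Parse log lines into Events; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, status = m.groups()
        events.append(Event(datetime.fromisoformat(ts), ip, user, status == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.2):
    """Return {ip: stats} for sources whose sliding time window contains
    attempts against at least `min_users` distinct accounts with a success
    rate at or below `max_success_rate`. The widest qualifying window wins."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            successes = sum(e.ok for e in span)
            rate = successes / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(span),
                                   "successes": successes}
    return flagged


def detect(log_text):
    return find_stuffing_sources(parse(log_text.splitlines()))


# Constructed sample: one normal login, one stuffing source spraying eight
# accounts (one hit), one single-account brute force, and one malformed line.
SAMPLE_LOG = """\
2019-01-08T09:00:01 192.0.2.5 dana LOGIN_OK
2019-01-08T09:00:05 203.0.113.7 alice LOGIN_FAIL
2019-01-08T09:00:06 203.0.113.7 bob LOGIN_FAIL
2019-01-08T09:00:07 203.0.113.7 carol LOGIN_FAIL
2019-01-08T09:00:08 203.0.113.7 dave LOGIN_OK
2019-01-08T09:00:09 203.0.113.7 erin LOGIN_FAIL
2019-01-08T09:00:10 203.0.113.7 frank LOGIN_FAIL
2019-01-08T09:00:11 203.0.113.7 grace LOGIN_FAIL
2019-01-08T09:00:12 203.0.113.7 heidi LOGIN_FAIL
2019-01-08T09:01:00 198.51.100.9 alice LOGIN_FAIL
2019-01-08T09:01:01 198.51.100.9 alice LOGIN_FAIL
2019-01-08T09:01:02 198.51.100.9 alice LOGIN_FAIL
2019-01-08T09:01:03 198.51.100.9 alice LOGIN_FAIL
2019-01-08T09:01:04 198.51.100.9 alice LOGIN_FAIL
2019-01-08T09:01:05 198.51.100.9 alice LOGIN_FAIL
this line is not in the expected format
"""

if __name__ == "__main__":
    for ip, stats in detect(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

The single successful login from the flagged source is the one that matters operationally: a stuffing campaign with a handful of hits is the case where forcing a credential reset and reviewing that account's subsequent activity pays off, and the brute-force source is better handled by per-account lockout or rate limiting than by this rule.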
6. Vendor Risk Management
In 2019, regulators will get serious about vendor cybersecurity risk management. The NYDFS cybersecurity rules require its regulated entities, by March 1, 2019, to have a vendor diligence program that includes (1) procedures to identify and assess vendor risks, (2) policies outlining the “minimum cybersecurity practices” and cooperation obligations required of vendors, (3) due diligence procedures to evaluate the vendor’s cybersecurity practices and (4) procedures to complete periodic tests of the risks and cybersecurity practices of vendors. As the NYDFS acknowledges in its FAQ on third-party cybersecurity due diligence, there is no “one-size-fits-all solution,” and companies need to take a risk-based approach to figuring out what obligations they will impose on their vendors to ensure that all their efforts to secure their data won’t be undone by their vendors’ failure to follow suit. Additionally, under the GDPR, companies may only use vendors that provide sufficient guarantees that they will implement appropriate measures to protect the personal data such vendors are processing on behalf of companies. The GDPR also imposes an obligation on companies to enter into written agreements with their vendors with respect to any processing of personal data on their behalf, which must include specific requirements regarding, among other things, data security obligations, the use of sub-processors, data breach notification obligations and cooperation regarding data subject requests. We have previously discussed some tips for what companies can do to manage their vendor cybersecurity risk. The OCC, FINRA, and the NFA have all emphasized the importance of vendor cybersecurity diligence, and the SEC Office of Compliance Inspections and Examinations has listed vendor management as one of its main focus areas for 2019.
7. Regulation of the Internet of Things (“IoT”)
As 2018 saw an explosion of Internet connectivity incorporated into everyday objects, in 2019 we expect to see an increase in both exploitation and regulation in this space. IoT devices have long been a prime target for threat actors, including, notably, the Mirai botnet prosecuted by the Department of Justice in 2017. Despite a history of exploitation, and various attempts by lawmakers in 2017 and 2018, Congress has passed no federal legislation governing IoT devices. The FTC has brought enforcement actions against IoT companies for unfair trade practices and held recent public hearings covering the topic. But FTC Commissioner Slaughter has noted that her agency continues to see organizations failing to (1) consider security during the design of IoT devices, (2) have processes to identify and address potential vulnerabilities and (3) properly update and patch deployed products and services. California did pass legislation in August 2018, SB-327, effective January 1, 2020, that will mandate “reasonable security features” for Internet-connected devices that are “designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.” Just as states have led the way on data breach notification in the United States, we can expect states to lead on IoT regulation absent federal preemption.
8. Serious Federal Privacy and Data Security Legislation Proposals
Speaking of preemption, states continued their active legislative agenda for data security in 2018, including establishing data breach notification requirements in all 50 states, South Carolina adopting a model 72-hour breach notification rule for insurers, and California passing the CCPA. We expect these developments to create serious momentum for federal privacy legislation in 2019. Facing an increasing number of potentially onerous and inconsistent legislative regimes, businesses and industry groups will aggressively push for preemptive federal regulatory frameworks, with some draft legislation already circulating. Several public interest and consumer groups have also become involved, generally inviting federal privacy legislation but expressing their opposition to the exclusion of protective state laws. The need for federal privacy legislation has been a theme in hearings before Congress and at the FTC. We have previously discussed what the expected legislation might include, and predict that in the coming months, proposals addressing some of these big issues—preemptive effect, transparency, a private right of action, the scope of consent and enforcement methods—will be vigorously debated.
9. NYDFS Enforcement to Increase
NYDFS Superintendent Maria T. Vullo will be leaving the department on February 1, 2019. Upon announcing her departure, Superintendent Vullo stated that she is “especially proud to have led the DFS in cybersecurity.” In 2019, we expect the DFS’s prominence in cybersecurity supervision to grow. As noted in the Department’s recent memorandum, “DFS examiners have been including cybersecurity in all regular examinations” (emphasis added). The final compliance phase-in date under the DFS’s regulations is March 1, 2019, which as noted above, includes requirements for vendor diligence. With the full set of its cyber rules in effect, and examinations well underway, 2019 will be the year that the DFS becomes a big player in cybersecurity supervision.
10. SEC Cyber Enforcement Goes Beyond Disclosure
Recent developments at the SEC portend greater cyber enforcement in 2019. The SEC named cybersecurity as one of five topics in its 2018 National Exam Program Examination Priorities, placing companies on notice that it will substantively monitor cybersecurity practices and bring enforcement actions following cybersecurity incidents. In its October 2018 21(a) Report on Cyber-Related Frauds, the SEC emphasized a company’s obligation to account for cyber-related threats when designing internal accounting controls, and indicated that failure to take appropriate steps could result in an enforcement action. The same month, the SEC announced a $1 million settlement with Voya Financial Advisors Inc. for failure to implement reasonably designed cybersecurity policies to detect identity theft risks or respond to cybersecurity attacks. In short, expect the SEC to bring cyber-related enforcement actions in 2019, both for disclosure issues and for companies that fail to have reasonable policies and procedures.
We will be monitoring these issues here at the Davis Polk Cyber Blog and will post regularly on any significant developments.
The Davis Polk Cyber Portal provides dozens of resources to help our clients comply with their cybersecurity and privacy regulatory obligations.
The authors gratefully acknowledge the assistance of law clerks Sam Pfotenhauer and Brett Workman in preparing this entry.
This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.