// 11 Jan 2024

Cyber, privacy, and technology regulation in 2024

Jacob Berry, Field CISO

What a year 2023 was. I could say that for a lot of reasons. But today I’m reflecting on what changed in cyber, privacy, and technology law and looking at what it may bring in 2024.

Let’s jump in!

SEC Cybersecurity Law: The elephant in the digital room

On December 18, 2023 the new SEC regulations on publicly traded companies went into effect, requiring organizations to periodically disclose details about cyber risk management as well as compelling organizations to disclose material breaches.

The regulation is a good step toward transparency about how organizations protect the sensitive information entrusted to them, but I think we will need some strong cases to gain a better understanding of the materiality standard that dictates what constitutes a reportable breach. The final rule states the standard as follows:

“Information is material if ‘there is a substantial likelihood that a reasonable shareholder would consider it important’ in making an investment decision, or if it would have ‘significantly altered the “total mix” of information made available.’”

The average, reasonable investor likely doesn’t understand the nuance of a given breach’s impact on long-term business strategy well enough to make an informed decision, which means the materiality standard is higher than I would like to see. It can be hard to determine the extent of damages at the time of a breach; in fact, it can take months. There are some cases in which it is clear, for instance an incident that causes manufacturing outages, which reduce product availability and in turn revenue.

One thing to remember is that this law is not intended to protect individuals’ rights directly, but to protect the interests of investors.

I’ll be watching closely in 2024 to see what happens.

The SEC, SolarWinds, and Tim Brown: Or why no one will want to be a CISO in 2024

The most talked-about event of last year in the cyber leadership community may well have been the civil suit the SEC filed against Tim Brown of SolarWinds fame.

I don’t think I can say anything here that hasn’t already been said, but I will say I agree with many opinions that the SEC’s lack of understanding of cyber security is evident in the filing and in the evidence being used in the suit.

If there is evidence that Tim Brown intentionally misled investors to maintain or increase the stock price, and sold stock to benefit from that misrepresentation, it makes sense that he should be held accountable for those actions.

But using internal Slack messages of people complaining about work (as the SEC’s filing does) is not evidence of how a reasonable risk-based decision is made and represented to the business, and in turn to shareholders.

EU CRA: Responsibilities for your digital platform are going to be mandatory

Let’s cross the pond to our friends and champions of privacy in the European Union. As of the beginning of December, the final proposal for the EU Cyber Resilience Act has been completed, and it will be phased in over the next few years.

It will require products with a digital component to be certified against standard cyber security processes and to be maintained from a vulnerability-handling perspective throughout their lifecycle.

There is a lot left for the EU Council to hash out and decide, but keep a close eye on it if you have digital products in the EU market.

https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

EU AI Act: AI is already regulated

Also in Europe we have a new regulation focused on AI.

The AI Act intends to harmonize AI regulations across the EU, focusing on promoting AI while safeguarding fundamental rights, health, safety, and the environment. It aims to prevent Member States from imposing restrictive measures on AI development, ensuring free movement of AI-based services.

AI, in this case, is defined as systems that can, for set human-defined objectives, generate outputs like content, predictions, recommendations, or decisions, impacting the environment they interact with. These systems can have varying autonomy levels and are based on key characteristics like learning, reasoning, or modeling.

For businesses, the Act introduces uniform legal requirements, particularly for high-risk AI systems, to ensure safety and compliance with fundamental rights. It affects both EU and non-EU based businesses operating in the EU, potentially impacting legal certainty, market access, and innovation strategies.

As with any new regulation, how it is enforced will help us better understand the expectations in the gray areas. This is another area to watch in 2024.

State of Maine: Small state, big moves

After looking at the EU and US federal regulations, let’s look at US state regulations, starting with Maine.

Maine might be small, but the state has been pushing for stricter control over personal data, ensuring that your digital footprint is as protected as your physical one.

Maine’s ongoing privacy legislation debate illustrates a broader national struggle: finding the right balance between industry-friendly and consumer-focused data privacy laws. While tech giants and some businesses support a model that offers more flexibility in data use, consumer advocates and lawmakers push for tighter restrictions to better protect personal information. This tug-of-war mirrors a wider trend across the United States, where states are grappling with how to effectively regulate data privacy in a way that balances commercial interests with individual rights.

We will see in 2024 what model wins out in Maine.

https://www.politico.com/news/2023/12/18/ll-bean-joins-the-national-privacy-wars-00132120

Updates to CCPA & NYDFS

Now, let’s talk about some familiar acronyms: CCPA (California Consumer Privacy Act) and NYDFS (New York Department of Financial Services). Both have seen updates in 2023, keeping businesses on their toes. The changes mainly revolve around tightening data privacy and security measures. It’s like upgrading your home security system, but for your digital home.

New State Laws: A privacy patchwork

Eight states joined the five that already had privacy protections, bringing the total to 13 states with unique (but similar) legislation.

This year, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas passed new privacy laws. These laws generally enhance consumer privacy rights and set standards for data handling.

  • Delaware (H 154): Enhances consumer privacy rights and data handling standards.
  • Florida (FDBR): Focuses on improving consumer data protection and privacy. Signed into law, will be effective mid 2024.
  • Indiana (SB0005): Establishes new consumer data protection rights, including data access, correction, deletion, and opt-out options.
  • Iowa (ICDPA): Signed into law and addresses consumer data privacy and handling protocols. Will not be effective until 2025.
  • Montana (SB 384): Tweaks existing consumer privacy laws, with a focus on personal data usage.
  • Oregon (SB 619): Modifies consumer privacy laws, emphasizing personal data usage.
  • Tennessee (HB 1181): Introduces the “Tennessee Information Protection Act,” amending the code to strengthen data protection.
  • Texas (HB4): Regulates personal data collection and imposes penalties for data mishandling.

https://www.ncsl.org/technology-and-communication/2023-consumer-data-privacy-legislation

Rhode Island

Lastly, Rhode Island changed its breach reporting requirements. The state now requires better support for individuals impacted by data breaches involving state-held data and by any breach affecting more than 500 Rhode Island residents.

Conclusion

2023 was a pivotal year in shaping the landscape of cyber, privacy, and technology law. The introduction of new regulations, both in the U.S. and the EU, signals a global shift towards greater transparency, security, and accountability in the digital world. As we move into 2024, it’s crucial to monitor the implementation and impact of these laws, especially their effectiveness in protecting consumer rights and shaping corporate practices. The evolving nature of these regulations will undoubtedly pose challenges, but it also presents opportunities for innovation and enhanced security in our increasingly digital lives.

Here are a few things you can do to help stay ahead of the new and upcoming regulations:

  • Have your privacy counsel ensure your privacy policies and other customer legal documents meet all new state requirements
  • If you’re looking to develop generative AI-based technologies, or already use ML, ensure you’re ready for the EU AI Act
  • Write to your local representatives about how you would like to see next year’s batch of new privacy laws drafted

Jacob Berry

About the author

Jacob is Clumio’s Field CISO with a background in Cyber Security and Technology, focused on helping customers build secure cloud operating environments. He has extensive experience in offense and defense security, security operations, and working across multiple verticals in both private and public sectors.