2020 was a year like no other. From an unprecedented “work from home” shift to a blockbuster European court ruling to a mammoth cyber attack, businesses scrambled to adapt to an endless series of cyber challenges. 2021 shows no signs of letting up. Amid the change, here are the top ten changes we have identified.
First, the Court of Justice of the European Union’s Schrems II effectively eviscerated the Privacy Shield program. The decision hampers U.S.-E.U. data transfers. A replacement mechanism will have to be negotiated. Observers will view these negotiations as the first test of the Biden Administration’s diplomatic leverage with Europe.
Second, the Biden-E.U. negotiations will only be one instance requiring governmental attention. Nations from Canada to Brazil to India to Japan have revised, or suggested their intention to revise, data privacy protocols. The United Kingdom will have to negotiate an adequate GDPR compliance regime with Brussels. And businesses will be watching China’s privacy law. Even so, it is unrealistic to expect businesses to navigate these challenges privately. Thus, political and economic pressures will converge to place cybersecurity and privacy concerns on America’s diplomatic agenda.
Third, the challenges of the COVID-19 pandemic and the vaccine rollout will provide fresh impetus for a federal privacy law. Previous iterations of federal privacy legislation have foundered on sharp differences over preemption and an individual right of action. A federal privacy statute, which we judge to be more likely than not, will have to reconcile widely divergent views on these issues.
Fourth, state privacy laws that took a backseat during the pandemic will occupy state legislative agendas again. State laws will gain particular momentum if Congress deadlocks over a federal law. Many states are watching California’s experience with the California Privacy Rights Act (CPRA). The CPRA enumerates specific consumer data rights, establishes a compliance regime, and provides a discrete enforcement network.
Fifth, existing federal laws might be updated. The stakeholder consensus on statutes such as HIPAA, FERPA, and the Gramm-Leach-Bliley Act (GLBA) is that they have done well. That said, they were written decades ago for different needs. It is time to revise them to correspond to today’s environment. For example, there are proposals to update the GLBA Safeguards rule. The updates would require robust financial institution reporting. That, in turn, would require a significant revamp of security programs.
Sixth, as businesses increasingly outsource security, vendor management will come under regulator scrutiny. Businesses will be expected to vet contracts to make sure that appropriate privacy and cybersecurity issues are addressed. Their policies and practices should provide for vendor oversight. Businesses should consider including vendors in tabletop exercises to validate their ability to mount a robust response to an attack.
Seventh, the government’s attitude to ransomware is changing. For many years, the FBI unofficially countenanced ransomware payments. Indeed, police departments regularly paid. That is changing rapidly. Washington’s concern that ransomware payments lead to a flow of funds to proscribed entities has changed thinking. OFAC issued strong warnings against such payments. The government’s position can be expected to harden over 2021.
Eighth, divergent approaches to Artificial Intelligence can be expected. On one hand, AI holds considerable promise for speeding up research and technological development. On the other, its black-box operations can lead to problems. For instance, AI errors have led to the arrests of innocent people. The problem attracted the attention of Congress, which considered prohibiting arrests based on these alone.
Ninth, the Supreme Court is expected to define “authorized access” under CFAA. Depending on the holding, privacy attorneys can expect to be working a lot more with their criminal defense colleagues.
Finally, we suspect that the most consequential 2021 event will be unexpected. Call it a Black Swan: the extremely unexpected event with profound consequences. Call it, in Donald Rumsfeld’s memorable words, “unknown unknowns.” But 2020 will not be the last year to surprise us. It may be time to call your insurance broker.