In honor of International Data Privacy Day, on January 28, 2020, we present our predictions for developments in privacy, technology, and cybersecurity that we believe will impact in-house compliance and regulatory frameworks:
New Consumer Data Privacy Legislation and Regulation
Consumer-facing retailers, and service providers in the multiple industries that partner with them, will face exponential compliance obligations under bills that state legislatures are considering and may enact in 2020. Consequently, compliance programs will need to be updated to meet the requirements of a patchwork of laws. Bills are pending in Massachusetts, Washington, Pennsylvania, New Jersey, and New York, among other states.
At the federal level, a comprehensive law is unlikely to pass in 2020 as Congress continues to debate critical issues, such as federal preemption and whether consumers should have a private cause of action. However, businesses will need compliance counseling for direction about FTC privacy and cybersecurity enforcement actions, which use “reasonable security” as the standard for whether or not a violation of Section 5 of the FTC Act has occurred.
Stricter Federal and State Regulation of IoT Devices
Throughout 2020, there will be exponential growth in the number of connected devices in the manufacturing and health care industries. To minimize the potential damages that can arise from security flaws in the devices – like home hacks – regulators are stepping up efforts to increase privacy and security standards. On January 1, California’s and Oregon’s IoT laws went into effect, and several other states are developing their own legislation. There have also been a number of federal congressional proposals pushing for baseline IoT security measures, as well as increased scrutiny by the Federal Trade Commission. Businesses in all industries should prepare for these increased standards for privacy and security in connected devices in 2020 and beyond.
Increasingly Sophisticated and Targeted Ransomware Attacks
The prime targets of ransomware attacks will continue to be businesses that provide critical services to citizens and are, thus, likely to face greater pressure to pay the ransom. The challenge these targets face in 2020 is that ransomware attacks are being deployed with customized malware that targets specific vulnerabilities and data sets. Under legislation introduced by both the House and Senate in 2019, and likely to be enacted in 2020, businesses operating in the critical infrastructure industries can seek technical assistance after a ransomware attack.
Regulatory Frameworks for Innovations in Digital Technology
Regulators and legislators are increasingly focusing on the application of machine learning and artificial intelligence (AI) based technologies across industries. In healthcare, for example, the U.S. Food and Drug Administration is considering a new regulatory framework for the use of AI in medical devices to ensure that safety and efficacy are maintained. Likewise, facial recognition technology is experiencing increased scrutiny by a growing number of state legislatures. Further, several local and state government agencies refuse to use, or do not allow the use of, facial recognition technology based on flawed algorithms. For companies intending to deploy machine learning or AI-based technologies in 2020, a review of applicable bans and laws is strongly suggested, as this trend will only continue.
Increased Cybersecurity Regulation Across the Critical Infrastructure Industries and the Public Sector
In 2020, the trend of more targeted and destructive cyber-attacks against public hospitals, local government, and private sector businesses in the energy, utilities, and agribusiness critical infrastructure industries will continue, with the attacks becoming ever more sophisticated. In anticipation of increased cybercrimes, and as a precaution to reinforce the reliability of critical services for citizens, federal regulatory agencies are issuing cybersecurity regulations that focus not only on the requirement for enhanced security technology but also on supply chain risk management. Critical infrastructure businesses, as well as the contractors who do business for them, will need to update compliance programs to meet these new standards in order to avoid potentially hefty penalties and fines.
All of Michael Best’s Privacy and Cybersecurity attorneys are former in-house privacy counsel and have first-hand experience with developing enterprise-wide regulatory and compliance frameworks and keeping them up to date. If you need assistance with creating or updating your program to align with anticipated developments in 2020, we encourage you to call any of us to help you to scope your project.