Looking Ahead: What to Expect in 2023
Cybersecurity and data privacy approach the top of the list of concerns for organizations today. Carter Ledyard expects increasingly complex cybersecurity and data privacy challenges to continue in 2023 and beyond. Our Cybersecurity and Data Privacy Group has been engaged in numerous matters in this hot area, advising clients on liability mitigation and best practices, creation and implementation of privacy and cybersecurity policies, compliance with laws and regulations, and incident reporting and management.
Some of the issues and developments we are preparing for in 2023 include the SEC’s proposed cybersecurity disclosure rules, the effectiveness of several state data privacy laws such as California’s Privacy Rights Act, increased enforcement activity by state and federal agencies in connection with data breaches and violations of cybersecurity and data privacy laws and regulations, and continued movement towards a federal data privacy law. 2023 will also likely see an expanded focus on the role of senior executives and corporate boards in cybersecurity and data privacy oversight and governance, precipitated by increased exposure and liability for companies that experience data protection failures and evolving laws and regulations focused on board and executive accountability.
Thought Leadership and Advisories
Throughout the year, our attorneys provide thought leadership on issues involving cybersecurity and data privacy, through the publication of articles and advisories and speaking engagements. Below are some recent examples:
- Best Practices For Boards, Execs After SEC’s Cyber Proposal
Matt Dunn, Chair of Carter Ledyard’s Cybersecurity and Data Privacy Group, detailed the SEC’s long-anticipated proposed new cybersecurity disclosure rules in a salient piece published by Law360. The proposed rules reinforce that cybersecurity oversight is expected to start at the top of organizations—with executives and boards of directors—and would create regulatory standards to implement this approach to cybersecurity by requiring certain cybersecurity-related disclosures in public filings signed by corporate officers and disclosure of cybersecurity expertise held by any members of the board of directors.
- U.S.-Israeli Webinar on Legal Implications, Disclosure Issues, and Insurance Aspects of Cyberattack
Guy Ben-Ami participated as a panel member, along with an Israeli lawyer and insurance industry representative, and provided guidance for Israeli companies traded either on NASDAQ or the NYSE regarding the SEC’s views on disclosure of cybersecurity risks and incidents.
- New York DFS Proposes Amendments to its Cybersecurity Regulations; What this Means for Companies and their Boards and Executives
Matt Dunn and Brielle Kilmartin discussed the New York State Department of Financial Services proposed amendments to its Cybersecurity Regulations, which include annual audits and heightened requirements for certain large entities and specific oversight and management obligations for directors and senior management.
- The Biden Administration’s Executive Order on EU-U.S. Data Transfer Framework: What’s Next?
Sarah Ganley and Joe Basrawi explored President Biden’s Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which reinforced the U.S. commitments to re-establish a legal regime governing data transfers from the EU to the U.S.
- Insurance & Cyber Liability Panel at 2022 D&O Insurance ExecuSummit
Matt Dunn served as the featured speaker and moderator of a panel at the D&O Insurance ExecuSummit focused on liability and risks for executives and directors relating to cybersecurity and data privacy, trends in cyber-related attacks and incidents, and issues and concerns relating to cybersecurity and D&O insurance.
- New SEC-Proposed Rules Emphasizing Cybersecurity Disclosures and Governance
Guy Ben-Ami analyzed the SEC’s proposed rules for cybersecurity risk management and disclosure applicable to investment advisers and public issuers.
- Recent SEC Initiatives, Including Cybersecurity Regime
Ron Feiman discussed the SEC’s proposed cybersecurity risk management rules for investment advisers and registered funds to buttress their preparedness for, and resilience in the face of, cybersecurity attacks.
- Ransomware Attacks: What You Should Know if You Do Business in the United States
Matt Dunn and Guy Ben-Ami, in an article published in the US-Israel Legal Review, explored the various U.S. government responses to the growing danger of cybersecurity breaches and attacks, and provided Israeli companies with legal and practical considerations for dealing with cybersecurity and the threat of ransomware attacks.
Client Highlights
- Advised an international technology company in connection with a cyber ransomware attack and associated disclosure obligations.
- Prepared and updated privacy policies, terms of use, cookie policies, and notices of consumer rights under the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) for many clients, including for-profit and nonprofit entities across many industries, such as textiles, cosmetics, cannabis, and e-commerce.
- Reviewed privacy policies, terms of use, and other privacy documents of target companies in connection with due diligence efforts for M&A transactions.
- Provided advice to foreign clients on cyber risk disclosures in publicly filed documents, including those filed with the SEC.
- Advised a non-profit in connection with a data breach resulting in the disclosure of personal data, which involved incident response and an assessment of regulatory reporting obligations.
- Responded to a regulatory inquiry on behalf of a broker-dealer in connection with a cyber attack, and advised on the client’s cybersecurity policies, procedures, and incident response plan.