Executive summary
Boards will need to steel themselves for a new raft of state data protection laws, heightened regulatory scrutiny of privacy and cyber security practices – and ever-increasing business and legal risks posed by ransomware and other cyber attacks in 2022. In particular, directors will need to partner with executives to confirm that privacy compliance infrastructure complies with the more complex state requirements, disclosure control policies and procedures are in place to properly identify and escalate privacy or security events, and materiality protocols are established to aid in determining the significance and potential reportability of events.
State data protection laws coming into force will have significant impact
As 2022 dawns, companies have less than a year remaining to implement compliance with the substantial new obligations under the California Privacy Rights Act (which expands the existing California Consumer Privacy Act), Virginia’s Consumer Data Protection Act, and the Colorado Privacy Act. These state laws, which become operative in January 2023, will require fundamental changes in how companies handle personal data, including new limitations on the use and retention of such information. Additional states have been considering comprehensive data protection laws of their own.
Will these state laws finally create sufficient momentum for a comprehensive federal data protection law? And perhaps more importantly, would such a law be drafted to preempt more restrictive state privacy laws to create a uniform nationwide privacy regime – or would it merely create a minimum baseline level of data protection while still allowing states to implement more stringent rules on top? This preemption issue should be a key focus for companies hoping that a comprehensive federal data protection law might alleviate the burden of complying with multiple differing state data protection regimes.
Regulatory scrutiny – particularly of data-driven businesses – is set to intensify
Tech companies and other data-driven businesses may feel they are under challenge from all sides, with privacy regulators questioning data sharing and competition authorities questioning “walled gardens” of data that may impede competition. Over the course of 2022, we can expect to see the SEC and other regulators asserting or reasserting their oversight roles in the data arena while pursuing differing agendas, with some – like the New York Department of Financial Services – seizing the opportunity to lead.
Expanding global data protection laws
Beyond US privacy developments, multinational companies will be awaiting much-needed guidance under new data protection laws from Brazil to China. Cross-border data transfers will be under pressure, ranging from the EU’s heightened obligations for moving data outside the Union (including both under the new standard contractual clauses and guidance following the Schrems II decision), to more countries implementing their own restrictions, and even stricter data localization laws in key markets such as China.
Increasing focus on cyber security
The SEC is zeroing in on companies’ cyber hygiene and incident reporting, with SEC chair Gary Gensler tweeting that “cyber security is at the heart of investor protection” and laying the groundwork to challenge businesses about how they protect their data. In particular, it will be evaluating companies’ disclosure control and procedures as they pertain to identifying and escalating cyber events and the protocols in place for assessing the potential materiality of cyber incidents. The SEC has also placed general cyber security disclosure requirements on its rule-making agenda, and companies can anticipate more detailed requirements about the information they are required to regularly disclose.
Key takeaways for boards
- Heightened regulatory scrutiny, particularly of data-driven businesses, means preparing for potential probing by regulators of processes and procedures relating to the governance of data compliance practices. Boards may also wish to consider working toward establishing a regular record for the oversight of such practices.
- Expanding US state and global data protection laws suggests that the time may be right to review privacy compliance policies, procedures, personnel and resourcing to ensure the ability to meet increasingly complex multijurisdictional obligations.
- Increasing focus on cyber security from the SEC and others suggests the prudence of considering: (i) establishing, reviewing or strengthening disclosure controls and procedures; and (ii) establishing protocols for assessing the significance and potential reportability of events.