As our world becomes increasingly digital, the importance of cybersecurity has never been more critical.
In the first blog post in our series for Cybersecurity Awareness Month, we explored the cybersecurity regulatory efforts in Europe, looking at the Digital Operational Resilience Act (DORA), the Network and Information Security Directive (NIS2) and the Cyber Resilience Act (CRA). In this second post in the series, we discuss major trends in cybersecurity law and policy in the US. In particular, we examine recent US enforcement trends, the increasing prevalence of cybersecurity requirements within state privacy laws, and the future outlook for legislation and enforcement.
Enforcement trends
The US Federal Trade Commission (FTC) has asserted that data security falls under its Section 5 authority over unfair and deceptive practices, dating back to its enforcement action against Eli Lilly and Company in 2002.
As evidence of its continuing focus on data security issues, in a May 2022 policy statement on education technology and the Children’s Online Privacy Protection Act (COPPA), the FTC said, “Even absent a breach, COPPA-covered ed tech providers violate COPPA if they lack reasonable security.”
Earlier this year, the FTC settled several significant cybersecurity enforcement actions against Blackbaud and Global Tel Link, both of which focused on allegations that the companies’ security failures resulted in disclosure of sensitive consumer information.
The FTC’s investigations frequently intertwine privacy and cybersecurity issues. For example, its investigation of and action against MoviePass related primarily to privacy practices and consumer fraud allegations, but the investigation also extended into the company’s data security practices. Conversely, when examining a data security issue at CafePress, the FTC also examined the company’s privacy practices.
These actions highlight the FTC’s continuing trend of viewing privacy and cybersecurity issues as interrelated and are evidence of the FTC’s view that lax data security practices are within its purview of protecting against unfair and deceptive consumer practices.
Securities and Exchange Commission (SEC)
In July 2023, the SEC adopted rules on cybersecurity risk management, strategy, governance and incident disclosure that require public companies to disclose material cybersecurity incidents they experience, and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance. The rules went into effect in December 2023, just in time for 10-K season in the first quarter of 2024.
These rules add Regulation S-K Item 106, which requires companies to describe their processes for assessing, identifying and managing material risks from cybersecurity threats, as well as material effects, or reasonably likely material effects, of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 also requires companies to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures are required to be included in companies’ annual Form 10-K reporting.
In addition, these rules require registrants to disclose any cybersecurity incident they determine to be “material,” and to describe the incident’s nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant, on a Form 8-K. This filing will generally be due four business days after a company determines that a cybersecurity incident is material, and companies also are required to file periodic updates as further material information becomes available. The obligation applies not only to breaches of customer data, but also to any cyber incident that could affect a company’s operations, revenue or reputation, along with other business impacts.
The SEC brought a notable enforcement action against SolarWinds even before the new rules went into effect. The action related to a cyberattack on the company that went undetected for roughly two years, and the complaint alleged that the company and its chief information security officer (CISO) defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. The SEC claimed that SolarWinds misled investors by disclosing only generic and hypothetical risks at a time when the company and its CISO knew of specific deficiencies in its cybersecurity practices and of the elevated risks the company was facing. Although this enforcement action was not brought under the new rules, the SEC did allege that SolarWinds violated Exchange Act Rule 13a-15, which requires companies to maintain “disclosure controls and procedures” to ensure that information required to be disclosed is escalated within the company to allow for timely disclosure decisions. Ultimately, in July 2024, the US District Court for the Southern District of New York dismissed most of the SEC’s case.
Earlier this year, the SEC brought an enforcement action against R.R. Donnelley & Sons Company (RRD), alleging that the company’s controls for elevating cybersecurity incidents to its management and protecting company assets from cyberattacks were insufficient. Similar to the SolarWinds allegations, the SEC alleged that RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management, failed to carefully assess and respond to alerts of unusual activity in a timely manner, and failed to maintain controls sufficient to restrict access to its information technology systems and networks. RRD settled the SEC charges in June 2024.
New state privacy law requirements
The trend of passing new state consumer privacy laws continued in 2024, with seven new states enacting consumer privacy laws, bringing the current total to 19 states. While these laws are generally considered to be comprehensive privacy laws, many of these laws include cybersecurity requirements as well. These laws typically require that companies establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.
These state laws also make clear that data security is a shared responsibility of the company that owns the data and the vendors used to process that data on the company’s behalf. For example, the New Jersey Data Privacy Act provides that, “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.”
Between these new state consumer privacy laws and existing state data security-specific laws, there are now nearly 30 state laws that require companies to maintain “reasonable” security measures for personal information.
Future outlook
We expect that cybersecurity will remain a central issue at the federal and state levels into 2025 and beyond, particularly with respect to data considered to be more sensitive in nature – including health-related information, biometric information and information about children.
Within the federal government in particular, there is – and will continue to be – a focus on taking steps to enhance the nation’s cybersecurity posture. In its 2024 Report on the Cybersecurity Posture of the United States, the Office of the National Cyber Director outlined several key actions and areas of focus that involve collaborations between the government and the private sector, such as:
- Establishing and using cyber requirements to protect critical infrastructure – including through the development and harmonization of regulatory requirements in multiple critical infrastructure sectors.
- Enhancing federal cooperation and partnerships to better support cyber defenders – including by increasing operational collaboration, improving Sector Risk Management Agency (SRMA) capacity and integrating federal cyber defense capabilities.
- Advancing software security to produce safer products and services – including by advancing Secure by Design principles, software bills of materials (SBOMs) and memory-safe programming languages.
- Enabling a digital economy that empowers and protects consumers – including by launching a US Cyber Trust Mark certification and labeling program and by promoting competition and accountability across the technology industry.
- Enhancing resilience across the globe – including by building coalitions to provide support to victims of ransomware and other cyberattacks, aligning national policy, and promoting secure and resilient global supply chains.
In addition, we expect the FTC and SEC to continue to emphasize cybersecurity in their investigations and enforcement activity. Furthermore, as the new state consumer privacy laws come into force and their respective enforcement bodies become more active, we anticipate that both privacy and cybersecurity will be areas of focus.