On October 11th, our Data, Privacy and Security team hosted the 10th Annual Cybersecurity & Privacy Summit. We were delighted to be joined by about 100 clients, colleagues, and friends in-person at our Atlanta office, with more than 150 participating virtually around the globe.
The Summit featured eight cutting-edge sessions presented by more than 20 data, privacy and security lawyers, in-house counsel, and government officials from across the country, sharing perspectives and legal insights focused on emerging global risks. Please see the full agenda for more information.
In this milestone year, we reflected on how much the data privacy and cybersecurity landscape has dramatically evolved over the last 10 years.
In 2013, global privacy was not highly regulated. Then in 2016, we saw the introduction of the EU General Data Protection Regulation (GDPR) which marked a new generation of data protection legislation, opening the gates to a growing regulatory landscape and new privacy laws around the world. From 2021 to 2023 17 new countries enacted data privacy laws, bringing the total to more than 160 globally, and counting.
“Global Privacy Laws: A New Direction of Travel” examined new laws and their impact on multi-national businesses and discussed how to navigate the ever-increasing complexities for businesses trying to achieve compliance around the world.
In 2013, the SEC was not recognized as a significant player in the privacy space but that has since changed. In 2023, the SEC is playing a prominent role, using both enforcement actions and new regulations to promote procedures for effective management and disclosure of cybersecurity risks and incidents, including the introduction of the new SEC cybersecurity disclosure rules adopted in July of this year.
“SEC Cybersecurity Disclosure Rules: Is Your Company Prepared?” provided a playbook of practical action items and advice for implementing and addressing the SEC’s new rules.
In 2013, the FBI Internet Crime Complaint Center (IC3) Report showed around 260,000 complaints and, in its latest report, we saw roughly three times that many complaints to law enforcement at just over 800,000. The reported monetary loss was also significantly lower in 2013 at losses of $780,000,000 compared to a more than 1,000% increase in 2022 with losses at more than $10 billon.
“Coordination Perspectives and Expectations: Law Enforcement Engagement in Incident Response” explored the factors that every organization should consider prior to engaging or cooperating with law enforcement.
In 2013, there were only a handful of privacy laws in the U.S., but following the influence of the GDPR, there has been an increase in privacy laws at the state level, with the California Consumer Privacy Act (CCPA) being one of the first signed into law in 2018. As of September 2023, there are now 13 states with privacy laws enacted to increase protections for consumers' personal data. With the development of these state laws, state attorneys general are required to play a heighted role to enforce these laws which focus on how companies are using and collecting consumer data.
“State Attorneys General: The Growing Role in Privacy and Cybersecurity Enforcement” involved a lively discussion with Arkansas Attorney General Tim Griffin on how mutual data security and privacy efforts might preserve online safety, protect consumers, and ensure the rule of law while also respecting the roles of states to regulate such efforts.
In 2013, we did not have privacy or data breach related MDL class actions in the way we see today. In 2023, Corporate Counsel magazine named data privacy litigation as the number-one class action trend to watch as we continue to see an increase in litigation across this space, including class actions following data security incidents as well as emerging avenues for privacy litigation by the plaintiff’s bar involving both old and new federal and state statutes like the Video Privacy Protection Act (VPPA).
“Privacy and Breach Class Actions: The Expanding Risk” discussed the evolution of privacy and breach related claims, including the expanding litigation surrounding the use of biometrics, application of old statutes and more traditional privacy theories and statutes to new technology, and the use of developing state privacy statutes in breach and privacy related cases.
In 2013, artificial intelligence was a term shared loosely and it felt far off on the horizon. As so many of us know, AI now consumes and creates data at scales that 10 years ago would have been unheard of and consumers and companies are facing uncharted waters with topics such as economic dislocation caused by AI. We are even seeing lawyers making mistakes using AI in their legal practice to generate briefs and other privileged and confidential work product.
“Artificial Intelligence Legal Risk Management: Use Case Development Strategies to Minimize Risk” covered updates on recent AI-related laws, regulations, and guidance, to include practical large language model risk-mitigation techniques from governance to technical controls.
In 2013, CFIUS and cybersecurity were becoming more relevant as investments increasingly began to cross borders with national security becoming a growing consideration for companies that have an online presence.
CFIUS has recently focused its efforts on business transactions involving cybersecurity and sensitive personal data, and similar review regimes are proliferating both inside and outside of the United States.
“Cybersecurity and Data Privacy: The Impact of Foreign Investment” explained which transactions are most likely to be reviewed, how cyber and data risks are analyzed, and offered insights into how such cyber and data risks can be mitigated, as well as best practices for compliance.
In 2013, there were no playbooks to guide privacy and cybersecurity considerations when it came to M&A transactions and due diligence. Fast forward to 2023, these playbooks are now an essential part of the diligence process as we have seen lack of compliance with applicable regulations become a deal breaker for certain transactions.
“M&A Data Security and Privacy Deal Due Diligence: What, Why, and How?” examined recent developments including current regulatory and third-party expectations and discussed how data security and privacy diligence can be efficiently integrated into the acquisition process.
Thank you to our clients, colleagues, and guests for another successful Summit and we look forward to next year. We would also like to thank our event sponsor, FTI Consulting.
