Top 4 Cybersecurity Takeaways from 2023


9 minute read | January.24.2024

The average cost of a data breach has reached an all-time high of $4.45 million, according to IBM. Regulatory requirements, scrutiny, and enforcement have continued to expand. As we kick off 2024, here are the key action items from the cybersecurity legal landscape in 2023, as well as details of recent activity from the SEC, FTC, HHS/OCR, and NYDFS.

Action Items: What Companies Should Do

  • Heed recent enforcement activity and its focus on strengthening authentication and monitoring, as well as timely and accurate notices.
  • Consider the impact of new notice requirements in the healthcare and financial spaces.
  • Public companies should update their disclosures in response to new SEC cybersecurity rules. They also should more closely scrutinize those disclosures against the current state of their cybersecurity programs.
  • Companies in the healthcare sector should prepare for new cybersecurity standards and increased enforcement, including those arising out of cyberattacks.

2023 in Review: 4 Cybersecurity Takeaways

1. The SEC is all in on cyber.
2. The FTC has ramped up enforcement and rulemaking.
3. Regulators want to improve cybersecurity for health data.
4. The New York Department of Financial Services has amended its cybersecurity regulations.

The 4 Cybersecurity Takeaways in More Detail

1. The SEC is all in on cyber.

New SEC Cybersecurity Rules

As of December 18, 2023, most public companies are subject to the Securities and Exchange Commission’s (“SEC”) new rules on cybersecurity risk management, strategy, governance, and cybersecurity incident disclosures.

  • Cybersecurity Risk Management Disclosures: The rules require entities that register with the SEC to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats and the material effects, or reasonably likely material effects, of risks from current or previous cybersecurity threats. The rules also require registrants to describe the company board of directors' oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material cybersecurity risks.
  • Disclosure of Material Cybersecurity Incidents: The rules require registrants to disclose any cybersecurity incident they determine to be material. They must describe the material aspects of the incident's nature, scope, and timing, and the material impact, or reasonably likely material impact, on the registrant. With limited exceptions, a form is due four business days after a registrant determines that a cybersecurity incident is material.

In addition, new FBI and DOJ guidance strongly encourages companies to contact the FBI directly or through the U.S. Secret Service, another federal law enforcement or risk management agency, or the Cybersecurity and Infrastructure Security Agency “soon after” a business concludes a newly discovered cybersecurity incident may pose a substantial risk to national security or public safety. The FBI also recommends that all publicly traded companies establish a relationship with the cyber squad at their local FBI office.

Enforcement

The SEC has continued to focus on disclosures made by public companies related to their cybersecurity practices and the materiality of cybersecurity incidents.

Notably, in October 2023, the SEC announced a fraud suit against SolarWinds and its CISO. The SEC alleged that SolarWinds made false statements in public filings regarding its cybersecurity practices for years, including misrepresentations regarding NIST compliance, a secure development lifecycle, and the company’s password practices. Based on the SEC’s suit, companies should:

  • Consider reviewing existing disclosures and public statements regarding cybersecurity practices. Focus on any recent internal and external executive cybersecurity updates to identify statements that may be overbroad, unnecessary, or out-of-date.
  • Carefully balance the value and necessity of additional disclosures against any potentially added risk of liability. The SEC’s Cybersecurity Disclosures Rules require companies to provide more detailed cybersecurity disclosures, making the process of carefully scrutinizing security statements more crucial.
  • Continue to update incident response plans and disclosure controls. All SEC cybersecurity actions, including the SolarWinds litigation, include claims related to inadequate disclosure controls and procedures.

In March 2023, the SEC announced that Blackbaud, Inc., a software company that helps non-profits manage data, agreed to pay $3 million to settle allegations of misleading statements around a 2020 ransomware attack that impacted more than 13,000 customers. In July 2020, Blackbaud released public statements about the incident stating the threat actor did not access donors’ bank account information or Social Security numbers. However, shortly after these statements, Blackbaud employees learned that the threat actor had accessed and exfiltrated sensitive information, but employees did not communicate this discovery to senior management, which the SEC attributed to a failure to maintain disclosure controls and procedures.

2. The FTC has ramped up enforcement and rulemaking.

Enforcement for User Account Security and the Cloud

In May 2023, the Federal Trade Commission (“FTC”) settled with Ring LLC for $5.8 million to resolve claims that the company failed to implement reasonable privacy and security protections. The FTC claimed that the lack of reasonable privacy and security protections allowed any employee or contractor to access consumers’ private videos and that the company failed to implement adequate controls against credential stuffing and brute force attacks, enabling threat actors to take control of consumers’ accounts, cameras, and videos. The FTC identified these preventive actions as low-cost and easy to implement:

  • Requiring strong, complex, unique (i.e., not previously used) passwords.
  • Notifying users of logins from new devices or concurrent sessions.
  • Limiting login attempts on accounts or from IP addresses.
  • Comparing passwords to lists of passwords known to be compromised in other breaches.
  • Implementing multifactor authentication.

In November 2023, the FTC also resolved an action against Global Tel*Link Corp and its subsidiaries claiming they failed to properly secure the sensitive data of hundreds of thousands of users in the cloud environment and did not timely notify approximately 650,000 individuals of the incident. The incident stemmed from the inadvertent misconfiguration of a cloud resource that made personal information publicly accessible for two days. Forensic evidence allegedly showed data in the resource had been downloaded multiple times without authorization. The FTC alleged the company did not implement adequate encryption, firewalls, log monitoring, intrusion prevention, vendor supervision processes, secure development training, and data inventories.

FTC’s Amended Breach Notice Rule for Financial Institutions

The FTC has approved an amendment to the Safeguards Rule that would require non-banking institutions to report certain data breaches and other security events to the agency. Starting May 13, 2024, financial institutions subject to the FTC’s Safeguards Rule will be required to notify the FTC “as soon as possible, and no later than 30 days after discovery” of a notification event, defined as the unauthorized acquisition of unencrypted customer information involving at least 500 consumers.

Companies must notify the agency electronically via a form that will be posted on the FTC’s website. The form must include:

  • The name and contact information of the reporting financial institution.
  • The description of the types of information involved.
  • The date range of the event (if possible to be determined).
  • The number of consumers affected or potentially affected.
  • A general description of the event.
  • Whether any law enforcement official has provided the reporting entity with a written determination that notifying the public of the breach would impede a criminal investigation or damage national security.

FTC’s Health Breach Notice Rule Proposed Amendments

In the wake of several enforcement actions in 2023 against health technology companies for failing to comply with the FTC’s Health Breach Notification Rule (“HBNR”), the FTC proposed amendments to the HBNR that include clarifying the rule’s applicability to health apps and similar technologies. The HBNR requires vendors of personal health records, related entities, and their contractors that are not covered by HIPAA to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured personally identifiable health data. We expect the FTC to continue to use the HBNR in its enforcement actions against companies processing non-HIPAA consumer health data.

3. Regulators want to improve cybersecurity for health data.

The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), responsible for enforcing HIPAA, has also turned its attention to enforcement actions against covered entities and business associates that experience cyberattacks. At the end of 2023, OCR announced two settlements with Doctor’s Management Services and Lafourche Medical Group arising out of ransomware and phishing, respectively. These landmark settlements indicate that OCR is increasing its scrutiny of cybersecurity incidents.

In line with this enforcement trend, HHS announced in December that the agency would focus on enhancing cybersecurity resiliency for the healthcare sector. HHS:

  • Plans to establish voluntary cybersecurity performance goals, prioritizing high-impact practices for healthcare organizations.
  • Will work to obtain new funding to support hospital investment in cybersecurity.
  • Expects to propose new cybersecurity standards for hospitals through the regulation of Medicare and Medicaid and, in the spring, propose new cybersecurity requirements under the HIPAA Security Rule.

This focus on cybersecurity and health data extends beyond the federal regulators. New York has proposed regulations that, if finalized, would impose additional cybersecurity requirements on New York hospitals. Similarly, several states have passed new consumer health data privacy laws that require businesses to implement reasonable security measures on a broad swath of non-HIPAA consumer health data. Orrick has written about these new requirements in Washington, Nevada, and Connecticut.

Altogether, this suggests 2024 will usher in a new sense of urgency among regulators and organizations in healthcare. Companies should be aware of the threat landscape and implement enhanced cybersecurity protections for health data.

4. The New York Department of Financial Services has amended its cybersecurity regulations.

As we detailed, the New York Department of Financial Services (“NYDFS”) has amended its cybersecurity regulations, generally applicable to banks, insurance companies, and financial services companies licensed to operate in New York, to establish additional notification, administrative, training, and technical requirements. Some aspects will codify existing regulatory expectations.

The amendments: 

  • Expand NYDFS’s scope to cover all ransomware events.
    • Within 24 hours, companies subject to the cybersecurity regulations must report any ransomware or extortion payment made in connection with a cybersecurity event.
    • Within 30 days, companies must provide a written description of the reason payment was necessary, alternatives considered, diligence to find alternatives, and diligence performed to ensure compliance with applicable laws and regulations.
  • Increase the duties and obligations of company leadership (e.g., the board of directors or senior governing body) to exercise proper oversight and control over a company’s cybersecurity program, such as ensuring company leadership understands, participates in, and receives timely information about cybersecurity issues and the company’s cybersecurity program.
  • Enumerate additional requirements for companies to maintain robust vulnerability management procedures, privilege management, asset management, training, and business continuity and disaster recovery.

++++

The Orrick team is available to support your organization’s cybersecurity needs. We can help build or enhance a cybersecurity program and respond to and manage an incident, from discovery through notification and post-incident regulatory inquiries. We also have experience creating tailored programs based on the risks to your company associated with processing personal information, including data subject to heightened restrictions under HIPAA, GLBA, or other regulations. If you have questions, reach out to our authors (Thora Johnson, Joseph Santiesteban, Kathryn Boyle, Michaela Frai) or other members of the Orrick team.