The 2021 Year in Review and What to Expect in Data Security in 2022
This year saw a number of significant changes on both the state and federal levels with regard to data privacy and data security. These changes reflect the increasing focus on the digital landscape to which the global economy has shifted and emphasize a much sharper focus on protecting sensitive information. Indeed, the significance of having strong cybersecurity regulations was emphasized from the top down in the United States, including an emphasis on improving and updating cybersecurity defenses and protections for federal government networks, as outlined in President Biden's May 12, 2021 Executive Order on Improving the Nation's Cybersecurity. This article highlights the legislative and litigation developments in 2021 and discusses what may lie ahead in 2022 for businesses that collect, process, and store sensitive information.
Using Knowledge and Personal Characteristics to Predict Self-Reported Cybersecurity Behaviors
Individuals’ use of insecure cybersecurity behaviors, including the use of weak passwords, is a leading contributor to cybersecurity breaches.
The SEC Means Business: Clamping Down on Financial Institution Complacency with Security Practices
The U.S. Securities and Exchange Commission (SEC) is sending a clear message to all its regulated companies. The days of complacency, shoddy follow-through and minimal investment into cybersecurity compliance programs are over.
3 Steps to a Safer RIA
What You Need to Know
Of the 6.3 billion global web attacks in 2020, 736 million targeted the financial services business.
The most likely cybersecurity threats for a small office are manageable, even for a non-technical employee.
Beware of non-computer items that offer gateways to your network, like coffee makers.
Employees are the first line of cyber defense
Companies of all sizes have adapted to remote and hybrid models for the workplace, and many are making the changes permanent as employees grow accustomed to this new environment. Today’s digital economy presents unique opportunities for small and medium-sized businesses (SMBs) to connect with employees and customers in new and efficient ways but comes with considerable cyber risk.
States offering businesses a “Safe Harbor” against data breach lawsuits
Connecticut has become the third state to pass a “Safe Harbor” statute offering protection to businesses who face civil lawsuits based on data breaches.
SEC Commissioner’s Speech Reinforces RIAs’ Cybersecurity Obligations
On October 29, 2021, Commissioner Elad L. Roisman spoke to the Los Angeles County Bar Association and discussed the challenges SEC registrants face when dealing with cyber threats. In addition to articulating the current obligations of Registered Investment Advisors (“RIAs”) regarding cybersecurity, Roisman expressed his belief that further rulemaking is necessary to clarify advisors’ obligations. His speech can be reviewed at https://www.sec.gov/news/speech/roisman-cybersecurity-102921.
Robinhood Data Breach Impacted Millions of Users — Here's How the Extortion Attempt Affects You
A hacker exposed personal information for millions of Robinhood users.
Popular stock trading app Robinhood recently experienced a security breach that exposed the personal information of millions of users. While most Robinhood users—and their investments—are safe, there are still important steps you should take to keep your accounts and personal data secure.
What was stolen in the Robinhood security breach?
SEC Must Step Up Cybersecurity Rules for B-Ds, RIAs: Commissioner
The Securities and Exchange Commission’s current rules relating to cybersecurity need to be enhanced with a new one specifically addressing reporting of cybersecurity breaches by registered investment advisors and broker-dealers, according to one of its commissioners.
The SEC has some general rules relating to cybersecurity already in place, Commissioner Elad Roisman, a Republican appointee, said in prepared remarks for his speech at the Los Angeles County Bar Association last week. The Safeguards Rule, implemented in 2000, for example, requires broker-dealers to implement policies and procedures to protect client records and ensure confidentiality of customer information as well as protect against unauthorized access, he said. The SEC also adopted a rule in 2013 requiring certain SEC-regulated entities to have policies and procedures aimed at preventing identity theft, according to Roisman.
Does your cybersecurity risk profile pass the test?
Earlier this year, Utah joined Ohio to become the second state to enact legislation creating an affirmative defense to certain causes of action arising out of a cybersecurity breach. Though not identical, both Utah’s Cybersecurity Affirmative Defense Act (“CADA”) and Ohio’s Data Protection Act (“ODPA”) primarily underscore the importance for organizations to be proactive in assessing their cybersecurity risk landscape and to then adequately address those risks. What makes these two new laws unique is that the affirmative defenses apply across all U.S. jurisdictions and give organizations an opportunity to mitigate against breach-related litigation, including class actions, unless and until a court decides otherwise. To benefit, organizations should ensure they (1) comply with the law and (2) update the choice of law clause in their website terms and conditions.