Navigating the Latest Developments in Cybersecurity Law in the USA

Paul Lanois from the law firm Fieldfisher discusses recent developments in relation to cybersecurity.

Published on 15 May 2024

Recent Regulatory Changes and Interesting Developments

There have been a few regulatory changes and developments in relation to cybersecurity over the past couple of months. For example, in July 2023, the US Securities and Exchange Commission (SEC) adopted a set of rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. In particular, the new rules require registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident (and not the date the registrant discovers the incident). The SEC also adopted rules requiring foreign private issuers to make comparable disclosures.

In addition, a few US states have enacted privacy statutes or modified existing statutes to govern privacy. In 2023, privacy laws went into effect in California, Virginia, Utah, Connecticut and Colorado, with more state privacy laws (Montana, Oregon, Texas, etc.) to enter into effect over the next couple of months.

On 28 February 2024, the United States issued its first set of limitations on cross-border data transfers through the release by the White House of an Executive Order limiting the transfer of sensitive personal data outside of the United States to “countries of concern”. According to the White House, this is “the most significant executive action any President has ever taken to protect Americans’ data security”. Specifically, the Executive Order indicates that it is the policy of the United States to prohibit or restrict access by “countries of concern” to Americans’ bulk sensitive personal data and US government-related data when such access would pose an unacceptable risk to the national security of the United States.

Regulations in the European Union

A few European regulations on cybersecurity are in the pipeline. For example, a revised Network and Information Security Directive (NIS-2 Directive) entered into force on 16 January 2023, requiring European member states to transpose its measures into national law by 17 October 2024. The NIS-2 Directive would strengthen security requirements for covered organisations, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements.

Similarly, the EU Digital Operational Resilience Act (DORA) is a regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and ensuring that the financial sector in Europe stays resilient in the event of a severe operational disruption.

Noteworthy Case Studies and Examples of New Case Law Precedents

On 4 May 2023, Joseph Sullivan, the former chief security officer of Uber, was sentenced to three years’ probation and 200 hours of community service in a precedent-setting case for the cybersecurity industry. This follows a jury in the US District Court for the Northern District of California convicting Sullivan on 5 October 2022 on federal charges of obstructing a Federal Trade Commission (FTC) investigation of Uber’s data security practices and failing to report a felony. These charges resulted from Sullivan’s efforts to conceal a data breach that purportedly exposed the personal information of 57 million Uber users. This conviction is particularly significant for all cybersecurity professionals, since it has set a strong precedent that cybersecurity officers can face criminal liability in extreme cases for their actions, or lack thereof, when responding to a cybersecurity breach.

The significant impact of the Sullivan decision is more than theoretical: in October 2023, the SEC announced charges against software company SolarWinds Corporation and its chief information security officer, Timothy G Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. According to the SEC, SolarWinds and Brown allegedly defrauded investors by disclosing only generic and hypothetical risks, when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time. These charges underline the need for organisations to implement strong controls calibrated to their risk environments and to level with investors about known concerns.

New Trends Emerging in the Ways Cybercriminals are Operating

Cybercriminals are constantly evolving their tactics and techniques to exploit new technologies and trends. These days, almost all cybercrime is carried out by organised groups; the solo hacker is essentially a thing of the past. Business email compromise (BEC) – a type of social engineering attack that takes place over email – is on the rise: in a BEC attack, an attacker falsifies an email message to trick the victim into performing some action, most often transferring money to an account or location the attacker controls. Ransomware attacks have also become increasingly popular among criminals because they offer a quick way to make money. Many ransomware hacking tools have been commercialised and simplified, making it easier for criminals to execute a successful ransomware attack. The shift to remote work during the pandemic has also created a new target for cybercriminals. Finally, cybercriminals have been using AI and machine learning techniques to lure victims into disclosing their personally identifiable information or financial details. This means that everyone needs to be more vigilant than ever before in order not to fall victim to these attacks.
