With the new year, there is a lot to be excited and concerned about in the area of cybersecurity and data privacy. This alert identifies some key issues that should be top of mind in this area and thoughts on how they may affect the retail sector this year.
Continued escalation of cybersecurity incidents
The increase in the frequency and severity of cybersecurity incidents continues unabated. While threat actors in Ukraine and Russia have been engaged in other activities, the value of cybersecurity incidents continues to draw others to the market. Supplementing these criminal activities is state-sponsored activity, particularly from Iran and China, which continues to target key areas of infrastructure and commerce.
On the ransomware front, we are seeing an increase in the removal (and sometimes the deletion) of key data without the malicious encryption of systems. With these new ransomware tactics, data is often taken and held for ransom. If payment is not made, threat actors will post the data publicly, but not before contacting clients, customers, partners, the press, and anyone else who can put pressure on the victim to make the payment. Threat actors may skip the encryption step used in the past (which often could hang up and not fully execute) and simply steal data. In the most egregious circumstances, they will also delete all data from their victim’s systems (and from backups if they can get access).
With business email compromises, the techniques used by the threat actors to entice clicks on malicious attachments and links are becoming more convincing and effective.
These events are of particular concern to those in the retail and hospitality industry as both tend to collect and retain large volumes of personal data—making them targets.
Increased data privacy regulation
We are also seeing increased activity in the area of data privacy legislation and regulation and do not expect this trend to slow in the new year. In 2023, the California Privacy Rights Act (CPRA) takes effect, further strengthening and broadening the privacy protections afforded to California residents. Of particular note, the latest generation of California privacy regulation includes the creation of an enforcement agency funded by fines issued by that agency—likely heralding aggressive enforcement of California’s regulations.
This new round of California regulations joins similar state privacy regulations enacted in Utah, Colorado, Virginia, and Connecticut that require disclosures of data collection and data privacy practices and processes and give consumers increased rights to request information about data collected about them and to restrict how that data is used. These statutes join existing privacy regulations in Vermont, New York, Massachusetts, and Nevada, and existing industry-specific regulatory schemes for healthcare, finance, and defense industry businesses. With several other states considering new privacy regulations, coupled with the inability of Congress to agree on any meaningful nationwide privacy regulatory scheme, the regulatory landscape in the United States, not to mention increasing regulation in Canada, Europe, Brazil, and other countries around the world, is growing increasingly complex.
For the same reasons that retail and hospitality businesses are targets for cybersecurity crime, they are also subject to regulations. They collect and retain large volumes of personal information and, particularly with hospitality businesses, tend to have customers from areas outside of their own geographic location (where they may be less familiar with applicable law).
Rising cyber insurance rates and increased table stakes to obtain cyber insurance
With the cost of cybersecurity incidents increasing and the myriad new regulatory requirements being levied, opening the possibility of fines and enforcement actions, the need for cybersecurity insurance is heightened. But that need carries with it increased scrutiny from insurance companies, which are seeing claims and payouts increase each year.
As a result, we are seeing requirements from insurance companies that businesses actively address cybersecurity risks before insurance policies can be purchased. These “table stakes” include requiring businesses to implement basic technological controls to prevent cybersecurity incidents (like the implementation of multi-factor authentication across a business’ IT systems). Carriers may also require businesses to have policies and procedures in place to monitor and review business risks on a recurring basis.
In addition to requiring businesses to address cybersecurity risks, we are seeing insurance companies look harder at coverage than in the past. One particular issue that may cause a denial of coverage is where a business disclosed certain levels of activity when the policy was purchased, subsequently saw significant changes in that activity that differed from the original disclosure, and did not update its insurer on the new activity. This highlights the need for businesses to continually monitor their activity for additional risks and to update their insurance accordingly, because a failure to update the disclosures made when acquiring insurance may lead to a denial of coverage.
Cybersecurity and data privacy are fast becoming significant sources of liability. Failure to review, plan for, and protect against cybersecurity incidents is a recipe for failure. And with the increase in data privacy regulations, failure to comply with the ever-growing list of regulations in the United States and abroad adds further exposure on top of the cybersecurity incident itself. Recognizing this dynamic, insurance companies are pushing risk management back onto their customers in an attempt to stem the flow of some of this liability. Consequently, now more than ever, it is imperative that businesses actively prepare for and work to prevent risk in this area.
The professionals at Clark Hill PLC can help. If you have questions about your cyber risks or requirements, need help getting started with a compliance program or just want to make sure your program stays up to date, let the professionals at Clark Hill PLC help you assess your situation and prioritize your actions to maximize effectiveness.