For too long, organizations have taken a reactive approach to dealing with threats and breaches. Incident reporting and incident response have been slack. But as the volume and sophistication of attacks have increased, it is time for organizations to take a more proactive approach. That is why proactive cybersecurity is among my three predictions. Federal agencies will institute more aggressive and proactive requirements for operations and resources under their direction.
By Christina M. Gagnier, Shareholder, Carlton Fields
Here are my three key things that policymakers and organizations need to do in 2022.
Implementation of new requirements from government agencies on cybersecurity. Federal agencies will institute more aggressive and proactive requirements for operations and resources under their direction. The Transportation Security Administration is a prime example, as in December it announced requirements for passenger and freight rail operators to conduct vulnerability assessments, create incident response plans, and institute recovery mechanisms to avoid disruptions in operations in the wake of potential security breaches. Agencies will further prioritize reporting and oversight, creating focal points and coordination for data security incident reporting. The White House has announced programs to bolster the protection of the United States’ water supply, instituting cybersecurity measures to close the vulnerability gaps that exist due to the multiplicity of organizations that have a hand in the stewardship of this critical national resource.
Regulation of consumer data privacy and security at the device and product level. The privacy and security conversation surrounding the Internet of Things has developed mainly around the applications that leverage these advancing technologies, with much focus on companies creating applications that can be applied to certain devices or products rather than on evaluating the devices and products themselves. In the United Kingdom, newly introduced legislation, the Product Security and Telecommunications Infrastructure bill, aims to share the cybersecurity burden with manufacturers and distributors of IoT devices, ranging from smartphones and tablets to smart home appliances. The change reflects the identification of these devices and products as a point of vulnerability and a target for hackers. A whole new sector of businesses will need to turn their attention to implementing robust privacy and security programs.
Incentives for businesses to develop cybersecurity infrastructure. Across the United States in recent years, state legislatures considered a variety of bills that would have created incentives for businesses that invest in cybersecurity. In Connecticut, H.B. 6161 was introduced, which, had it been adopted, would have created a safe harbor tax incentive for any business that had a cybersecurity plan reflecting industry best practices. In Hawaii, H.B. 454 would establish an income tax credit centered on businesses that innovate in the fields of cybersecurity and artificial intelligence. This “carrot versus stick” approach has traction, and the 2022 state legislative cycle will likely see more bills of this nature.
About the Author
Christina Gagnier, a shareholder in Carlton Fields’ Los Angeles office, is an experienced technology lawyer whose practice focuses on cybersecurity and privacy, blockchain technology, international regulatory affairs, technology transactions, and intellectual property. She advises clients on digital strategy to help them navigate uncharted legal territory, and guides a variety of technology companies and consumer brands through emerging legal and policy issues such as digital currency, the sharing economy, network neutrality, and the ever-changing area of consumer privacy law.