What cybersecurity and data privacy regulations to expect in 2022?

Privacy has long been a human rights issue, enshrined into law across most of the world to protect citizens from fraud, corruption and potential misuse of power. However, privacy laws have needed to be updated to be fit for the digital world, including to secure the most sensitive data. In 2022 we will increasingly see data protection laws being adopted, revised or enforced, which will bring more and more challenges for organizations to comply with a patchwork of legislations and implementation guidelines worldwide.

In an act of uniformity, the European Union (EU) brought in the General Data Protection Law (GDPR), to enhance individuals’ control and rights over their personal data across the European Union. 2022 might see increasing discussions on whether the law needs to be revised, in particular to ensure more uniform implementation across the Union.

The US has no general data privacy law at federal level that acts in the same way as GDPR although there are many data specific laws in place to protect personal data[1]. Attempts to improve consumer privacy protection with a law on a federal level have not succeeded yet due to debate over what should be included. Instead, an ever-growing assortment of state regulations have begun to spring up to compensate for the lack of federal law, adding further complexity.

Asia-Pacific does not have a comprehensive data protection law that covers the region. Countries have different regulations with occasional agreements driven by economic unions. Efforts are being made to update these, driven by the needs of global businesses to be able to interact with international regulations. Japan, for example, continually updates their privacy law and their data protection system is assessed as adequate by the EU regardless of the differences between the two. It’s achieved by the substantial rationalizations agreed including the regular updates taking in the supplementary rules bridging the gaps with GDPR. This has led to an adequacy decision from the EU, creating the world’s largest area of safe data flows.

Japan is not alone in tackling privacy and data protection demands that would not have been so obvious nor urgent a decade ago. Personal Information Protection Law (PIPL), which just came into effect in People’s Republic of China this year is one of the recent highlights, particularly from the viewpoint of the volume of privacy data in scope and the impact for business, especially in the international supply chain. More and more countries in the region are urged to update or reshape their respective laws.

Within this context and increasingly complexity, Data classification and management is key here as every regulatory body uses Personal Identifiable Information, PII, as the basis for their data controls. Understanding the differences in reporting, disclosure and security controls on top of this is required for each region. All in all, international cooperation and data adequacy decisions will be essential to help companies comply with different data protection regulations around the world.

¹The US relies on a patchwork of regulations that cover specific areas of personal data, such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act (GLBA), regarding financial information and institutions, the Health Insurance Portability and Accountability Act (HIPAA) for health data and the Children’s Online Privacy Protection Act (COPPA) to keep children safe online.

The Colonial Pipeline attack in the US is being seen as one of the most significant attacks on critical national infrastructure in history. It has acted as a catalyst for further regulations and state control, which will continue to intensify in 2022.

The Biden Administration have asked critical infrastructure owners to follow voluntary guidance around protection against cyber threats by signing a National Security Memorandum on “Improving Cybersecurity for Critical Infrastructure Control Systems”. This directs the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), in collaboration with other agencies, to develop cybersecurity performance goals for critical infrastructure. It also formally establishes the President’s Industrial Control System Cybersecurity (ICS) Initiative – a voluntary collaboration between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. More will be announced on this in the year ahead.

The European Commission has tackled the issue of critical infrastructure protection as part of the NIS Directive, which aims at enhancing cybersecurity across the EU through mandatory cybersecurity requirements for critical market operators, including incident notification obligation, building of cybersecurity capacities in Member states, through the establishment of national cybersecurity strategies and entities such as CSIRT’s (Computer Security Incident Response teams) as well as strengthening European cooperation. This directive is being reviewed to adapt to the development of cyberthreats and strengthens the effectiveness of its implementation Europe-wide. It should be subject to an agreement between lawmakers in the European Union within the first quarter of 2022.

Some of the issues surfacing around the protection of critical infrastructure is the definition of what’s included. The scope of regulation continues to be debated with new sectors added to the list including Managed Security service providers. This, alongside the interlink between horizontal legislations such as the NIS directive and the development of sectorial legislations such as the DORA legislation (Digital Operations Resilience Act) is likely to be an area of debate in the beginning of the year.

It is certain that more robust security measures and regulatory control is necessary in this area. OT security has around ten-times less protection than classical IT security and remains in its infancy. This leaves critical infrastructures at high risk with, arguably, more vectors for attack than traditional IT. Public sector is right to be involved here. Attacks on critical infrastructure are increasing and have been used as part of cyber warfare between states.

A helpful approach here is risk-based – with identification of the main risks to sensitive data and systems and which areas need to be focused on. Here sharing of information across private sector could be usefully facilitated by Government enabling a faster learning curve across sectors as they share and learn from each other’s experiences. National cybersecurity agencies can also drive improvements by sharing their knowledge of cybercriminals and attack vectors across borders. We are likely to see far more public / private cooperation in this area, particularly if threats continue.

This remains an emerging topic for security and extremely complex. The movement of IoT devices across the globe means that regulatory controls for personal devices – phones, watches, digihealth devices and even appliances – need robust control in place across both their manufacturing and sales.

The US Congress recently passed the IoT Cybersecurity Improvement Act of 2020, which provides minimum security standards for Internet of Things devices owned or controlled by the federal government. This is just the beginning for further safety and regulation across IoT, which will start with Government devices and move forwards to consumer devices in the next year or so.

Japan continues work in this area with its agency, the National Institute of Information and Communications Technology (NICT), conducting a sanctioned “hack” of both industrial and consumer IoT devices in order to establish the level of risk they pose and serve notice on manufacturers to improve security.

In the EU, with the adoption of the delegated act the radio equipment directive, Europe is taking steps to raise the cybersecurity levels of smartphones, wireless and IoT devices. More will be done in 2022 as the recently announced Cyber Resilience Act might constitute a horizontal regulation to increase cybersecurity of all IoT devices put on the European market. Making sure that no IoT device is put on the market without being secured by design could become a key European differentiator worldwide.

For organizations dealing with the free flow of data cross borders – and the need to secure such data flows – knowledge is vital in the management of this level of complexity.

We also see the interplay with increasing numbers of sectorial regulations, which will have to be consistent and complementary to horizontal legislations or they will create contradictions, and difficulties for organizations to comply. Different sectors have different levels of maturity here with banking at the mature end and manufacturing lagging behind. This layering of state, sectorial and organizational regulations can make for huge complexity.

Agreeing to a set of international standards and supporting frameworks upon different industry contexts which will be respected worldwide, is also a vital step.

What’s clear is that the level of threat and therefore the level of regulation is not going to reduce and there will be more and more challenges for organizations to contend with in the year ahead.