2020 Predictions for Cybersecurity Legislation, Privacy and Compliance

This is our first annual roundup of expert predictions for the coming year. Here’s what leading industry figures have to say about likely legislation for cybersecurity as well as privacy and compliance trends coming in 2020.

• More and more personally identifiable information going into the databases of governments and commercial businesses. First was medical history, ID cards, banking details… now? Biometrics, autonomous vehicles, smart home/office/city, 23&Me. Some we choose to offer (such as our DNA to learn about our lineage), some taken by virtue of interacting with the world around us (the image of our face as we walk down a city street). Once stolen (and there is no reason to think is hasn’t been or won’t be), this will only make it easier for the bad guys to impersonate us, steal our identity, or hijack our credentials to gain access to our employers’ network. – Anthony Di Bello, Vice President, Strategic Development, OpenText

• Keep Your Coins, We Want Change: In 2019, over 50 tech CEOs came together urging S. lawmakers to create a federal data privacy legislation. Why? Because of the continued regulatory sprawl across international, national and state standards. Managing cybersecurity should not be as complicated as adhering to the IRS tax code. Breaches continue to be a pervasive problem, and the complexities of applying various and overlapping regulations in a globally-connected world are not helping. To this end, we’ll see some consolidation of regulatory requirements and standards in 2020. – Christopher Kennedy, CISO and VP of Customer Success at AttackIQ

• Public perception of data breaches and use of personal data will cause reactionary legislation to pass. These overly restrictive covenants will stall business growth, andwill cause companies in those markets to be disadvantaged to global competitors who have access to less restricted data.  – ARM Insight

• There have been few violations with associated large fines with GDPR. We will see the same with CCPA, but only because of massive failure to comply, everywhere. The problem of noncompliance will compound as multiple states pass further legislation.– ARM Insight

• Like past banking requirements, companies will have to spend more money for security and compliance. Thus, these regulations will benefit large companies and will disadvantage small businesses.– ARM Insight

• The Fight for an Encryption Backdoor. Every so often, law enforcement and politicians start a campaign to build a “backdoor” into encryption (for example, in Australia or even here in the S.). Fights over encryption backdoors will intensify every time that there is a terrorism incident. I expect an aggressive fight over this as time goes on. The well-informed bureaucrats and politicians know that a “backdoor” will only make the “good guys” more vulnerable and will not deter the “bad guys.” – Ameesh Divatia, co-founder and CEO of Baffle

• Jail Time for Data Breaches? Companies are already preparing for GDPR, CCPA and other proposed or upcoming privacy regulations. I expect a national data privacy law in the U.S. in the coming couple of years. Interestingly, the Cayman Islands Data Protection Law (which went into effect on September 30, 2019) and a bill written by U.S. Senator Ron Wyden (D-OR) both carry the possibility of jail time for executives who were found to be negligent with consumer data. This will begin a debate: should the punishment for data breaches go beyond financial measures? – Ameesh Divatia, co-founder and CEO of Baffle

• The federal government will continue to evolve mechanisms for evaluating the cyber postures of departments, agencies, and government contractors. As part of this, Federal Information Technology Acquisition Reform Act (FITARA) will phase out to Agency-Wide Adaptive Risk Enumeration (AWARE) and NIST 800-171 will phase out to Cybersecurity Maturity Model Certification (CMMC). The federal government will also continue to mature its capabilities to provide guidance and assistance to key sectors, especially the power sector, through programs from the Department of Energy/ Office of Cybersecurity, Energy Security, and Emergency Response (DOE/CESER) and Department of Homeland Security (DHS). Through this, it will put pressure on the power and health care sectors to improve, with calls for more robust regulation of health delivery organizations and calls for North American Electric Reliability Corporation critical infrastructure protection (NERC CIP) to be reimagined. – Rob McNutt, CTO at Forescout

• Regulations must advance past addressing the authenticity of the online users to stop the growing fraud epidemic: S. organizations spent the better part of 2019 preparing for the implementation of the California Consumer Privacy Act, the strictest data privacy law in the U.S., which will go into effect Jan. 1, 2020. And in 2020 we will see the regulatory environment continue to shift to address aspects of the growing fraud and data breach epidemic. Specifically, taking aim at the authenticity of the internet and the ability to discern if someone is real, and/or who they say they are when operating online in a variety of use cases  – from shopping, to tweeting, to sharing videos. But these laws have significant shortcomings for protecting online digital identity. Last year California implemented the BOT Disclosure Law, making it illegal for a bot to operate as a human, specifying it “unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person with its artificial identity.” In June 2019, the DEEPFAKES Accountability Act was introduced. If passed, it would require that creators of false videos to label them as such or face up to five years in prison. While both the BOT Disclosure Law and DEEPFAKES Accountability Act acknowledge that bots and deepfakes pose serious threats to democracy and can be used for digital propaganda, they don’t acknowledge or penalize the other underlying fraud concerns. For example, the biggest problem with the DEEPFAKES Accountability Act is that it doesn’t address scenarios where the cybercriminal is creating deepfakes to perpetrate identity theft or bypass traditional biometric authentication. In these scenarios,  a cybercriminal isn’t going to divulge that he is about to perpetrate a crime by being re-encoded for distribution on Instagram or YouTube (e.g., assuming the identity of a legitimate user) to the very organization they’re looking to defraud. While regulations are continuing to move in the right direction, they are still behind the pace of innovation and aren’t properly capturing how these emerging technologies can be used for online fraud. – Robert Prigge, President of Jumio

• Federal data privacy law on the horizon. With the enactment of CCPA and the introduction of additional ideas for state-regulated data privacy laws across the U.S., all roads point towards the creation of a federal data privacy law. It is highly unlikely that a federal law will be passed in 2020, but it will be likely that Congress prioritizes the idea and begins discussing criteria for such a law. A patchwork of slightly differing data privacy laws in each state would discourage businesses (especially SMBs) from operating across state borders. Multiple, varying data privacy laws is a thorn in the side for large companies, but devastating for SMBs, and is a turn off for international corporations that have to comply with other mandates such as GDPR as well. CEOs of Amazon, AT&T, Dell, IBM and other companies that comprise the Business Roundtable have already sent an open-letter to Congress asking for a federal data privacy law, and the Internet Association, which boasts Dropbox, Facebook, Reddit, Snap and Uber as members, has also made a push toward a federal law. – Chris DeRamus, CTO and co-founder, DivvyCloud

• CCPA fines will exceed $200M in its first year of existence. January 1, 2020, will be the first official day that the California Consumer Privacy Act (CCPA) will go into effect. However, the way the regulation is outlined, lawsuits can be filed for privacy violations occurring in 2019. It is my estimate that very few companies are prepared to meet the guidelines outlined in CCPA. Further, unlike the General Data Protection Regulation (GDPR) which went into effect in May 2018, there are no maximum limits capping how large the fines could be for CCPA violations. The first CCPA rulings served by the courts will no doubt create big headlines, and put added pressure on companies to be proactive about protecting the data privacy of their customers. – Doug Dooley, COO of Data Theorem

• Organizations will need to meet the demands of the continuously evolving omnichannel customer – Organizations will increasingly invest in omnichannel payment technologies to keep pace with upcoming legislation policies like the California Consumer Privacy Act (CCPA), advanced hackers, and the need to create a frictionless customer experience across every buying channel. In doing so, they will also continue to outsource operations to third-party service providers who must meet their convenience, compliance, security and data privacy needs seamlessly. – Gary E. Barnett, CEO of Semafone

• Organizations will increase their risk visibility to ensure compliance. With increased network visibility, organizations will have full insight into security risks and what’s needed to comply with regulations. In our recent report, we found that less than 5 percent of respondents were 100 percent prepared for a compliance audit. Automation would dramatically increase compliance success for today’s enterprises. – Tim Woods, FireMon VP of Technology Alliances

• Privacy legislation changes on a global scale – The European Union’s General Data Protection Regulation (GDPR) will have a ripple effect and consumers in other countries will expect their government to update existing and antiquated privacy laws. As such, there will be an increase in legislation and potentially new senate bills implemented that can jail CEOs for violations.  – Gary E. Barnett, CEO of Semafone

• The California Consumer Privacy Act will spark a federal consumer privacy policy and data protection law. The CCPA has caught the attention of policymakers in the other 49 states and the U.S. Congress. As a result, the CCPA has been the catalyst for other privacy bills at the state level and there have been several privacy-related bills introduced in Congress including the “Consumer Online Privacy Rights Act” introduced in late November. As one can imagine, having 50 state consumer privacy laws on the books will create a compliance nightmare for organizations of all sizes. There needs to be a comprehensive federal consumer privacy and data protection law to address the compliance issue and the legislation should also incorporate minimum security requirements for organizations to deploy to protect consumer data. It would be surprising if the “Consumer Online Privacy Rights Act” becomes federal law in 2020, but it should generate some interesting debates and lawmakers can expect pressure from the business community especially after the CCPA’s enforcement begins in July. – OneSpan

• Ambiguity around CCPA will cause a slow start to enforcement in early 2020; this is made more likely by the fact that several groups are still suggesting changes to the original version of the regulation. In other words, California legislators are not prepared to adequately and consistently enforce the new law. Additionally, many businesses are still unsure about its specific requirements, and are not ready to be in compliance when the regulation goes into effect in January. This is particularly true of small and medium sized businesses that don’t have the same amount of resources as larger corporations – it is more challenging for them to discern what they need to do in order to be in compliance. As a result, we will most likely need to wait some extended period of time before we see the first significant fine under the new law; much like GDPR. In fact, it took nearly a year for British Airways to be fined $250 million under GDPR – its breach was reported in September 2018 and the company was not fined until July 2019. Similarly, once the initial lull period that will follow the enactment of CCPA comes to a close, we will see similar, significant fines being given to companies that fail to meet the requirements demanded by the new law. – Anurag Kahol, CTO and co-founder, Bitglass

• In 2020, we will see a U.S. federal data privacy law be drafted and considered. This is needed to avoid a patchwork of differing data privacy laws from each state, to facilitate more nationwide business, and to enable international commerce – facing numerous regulations can be a barrier that keeps foreign businesses from entering a market. Complying with data privacy laws can be a top challenge, particularly for small and medium-sized businesses that lack the same resources as larger companies that are better equipped to navigate all of the regulations with which they are faced. Some of the largest tech firms in the U.S. as well as a group of 51 CEOs have already asked U.S. lawmakers for a federal privacy law. – Anurag Kahol, CTO and co-founder, Bitglass

 Photo by Vincent M.A. Janssen from Pexels