  1. An Increase in Extortion-Only Cyber Attacks – While ransomware attacks have been on the rise since 2020, a recent trend has emerged where threat actors are bypassing ransomware malware and encryption tactics and going straight to data theft. If a victim company does not pay the extortion demand, the threat actors engage in increasingly aggressive tactics, like publicly posting the stolen data for sale on a shame site and contacting employees and customers of the victim company to apply external pressure on the victim to make the payment.
  2. Continued Increase in Legal Requirements for Company-Held Data – An increasing number of proposed data security laws and regulations, such as the FTC Safeguards Rule and the EU NIS2 Directive that came into force in 2023, are mandating specific data security measures for companies regulated by those laws, in particular, financial institutions and other highly-regulated industries. These granular laws are leaving behind the more general requirements of the past, which required companies to implement and maintain more vague “reasonable and appropriate” security standards, in favor of requirements that more closely align with recognized data security standards (e.g., NIST, ISO). The laws prescribe not only security measures, but also policies and procedures, incident response plans, and accountability.
  3. Increasing Vendor Due Diligence – Conducting diligence on vendor data security practices has arguably risen to the level of industry standard and practice. Conducting due diligence on vendor data privacy practices, including such things as how they handle law enforcement requests, the countries to which they transfer personal information, and their relationships with subprocessors, is less common. Facing increasing scrutiny (and significant fines for breaches) from regulators in the United States and in the European Union regarding the use of processors, controllers are increasingly demanding more information about their vendors’ data privacy practices including requesting that vendors substantiate that they have “flowed down” privacy-related provisions found in their data processing agreements (DPA) to subprocessors. For a guide on how to apply the new European Standard Contractual Clauses to all contracts, see Greenberg Traurig’s Complete Handbook for Cross Border Transfers of Personal Information.
  4. Enforcement of California’s Privacy Law – In August 2022, the California Attorney General’s office published its first enforcement action and imposed its first fine in relation to an eCommerce website’s use of targeted advertising technology. Although enforcement of the California Privacy Rights Act (CPRA) is not permitted until July of 2023, the California Attorney General may attempt to ramp up its enforcement of the California Consumer Privacy Act (CCPA) until that date. After July, it is likely the California Privacy Protection Agency will try to make its mark by initiating enforcement actions and warnings to companies that have not updated their compliance programs to account for the new law.
  5. More Privacy Class Action Litigation Based on Wiretapping Laws – “Session replay” refers to a tool that records and analyzes customers’ interactions with a business’s website or phone application to improve functionality and user experience. Over the last few years, a trend has emerged of plaintiffs alleging the use of session replay software violates anti-wiretapping laws which were intended to prevent eavesdropping and secret recordings. It is likely that plaintiffs will continue to assert these arguments in an attempt to impose statutory damages through litigation by shoehorning AdTech tools into violations of wiretapping statutes.
Gretchen A. Ramos

Gretchen A. Ramos is Global Co-Chair of the Data, Privacy & Cybersecurity Practice. Gretchen is a creative problem-solver that various large tech clients rely on to handle their most challenging data protection issues. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach in providing advice. She works closely with her clients to manage data and leverage its value in ways to meet compliance obligations, as well as deliver value to the business and instill consumer trust.

Dr. Viola Bensinger

Viola Bensinger is Global Co-Chair of Greenberg Traurig’s IP & Technology Practice Group and the Global Data Privacy & Cybersecurity Practice, and also chairs the Technology Practice in Germany. She advises clients from the technology, media, health care, automotive and other industries.

Jena M. Valdetero

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on privacy and cyber risks associated with mergers and acquisitions, venture capital, and securities. Jena also advises a diverse array of clients on compliance with existing and emerging privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). She is a certified privacy professional through the International Association of Privacy Professionals (CIPP/US), for which she is a former KnowledgeNet Co-Chair.

David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.