Data Privacy Predictions for 2022

Hands On Crystal Ball And Cryptocurrency Digital Art by Allan Swart

2022 is finally upon us! And with the new year come new laws, risks, data breaches, and security tactics around personal information. Before looking ahead, we should look back at what transpired during 2021, because those events will help shape what 2022 looks like.

2021 Year-in-Review

  1. On March 2, the Virginia Consumer Data Protection Act (VCDPA) was signed into law by Governor Ralph Northam.
  2. On April 21, the Justice Department formed a ransomware task force, focused on preventing attacks on the technology that supports the US economy and on targeting the technology and financial ecosystem that supports cyber-criminals. Eight days later, the US Government labeled ransomware a threat to national security.
  3. On May 7, Colonial Pipeline was hit with a ransomware attack, disrupting gasoline pipelines across the southeastern United States. The pipeline was shut down for six days, pushing fuel prices to a six-year high and causing shortages in some East Coast states. The company paid nearly $5 million to the attackers in an attempt to unlock its systems. According to NPR, the US Government had recovered a “majority” of the ransom (roughly $2.3 million) as of June 7.
  4. During May 28-29, an unsecured database belonging to Cognyte, a cybersecurity analytics firm, was found exposed. The database had been indexed by search engines, giving anyone, attackers included, access to over five billion data records. The database was secured on June 2.
  5. On May 31, meatpacker JBS SA was hit by a ransomware attack, causing the company to cease operations for one day. The company paid $11 million in cryptocurrency to the attackers to reduce the impact on the US food supply chain.
  6. On June 7, the Colorado Privacy Act passed the Colorado House 57-7 (it was signed into law the following month). It goes into effect on July 1, 2023.
  7. On July 2, another ransomware attack hit Kaseya, an IT management software provider. The attackers abused Kaseya’s own remote-management product to push ransomware to hundreds of its clients and the businesses those clients manage, encrypting systems and demanding millions of dollars in payment.
  8. In July 2021, Amazon was hit with the largest GDPR fine ever recorded. The company was fined approximately $880 million (€746 million) for processing users’ personal data for targeted advertising without valid consent. This is not the first time Amazon has been penalized over consent: France’s CNIL fined it €35 million in December 2020 for placing advertising cookies on visitors’ browsers without their consent.
  9. Broward Health had a data breach involving the personal information of 1.35 million individuals. It occurred on October 15, 2021, when hackers gained access to the company’s network through a third-party medical provider. The third party had legitimate access to the network, but the hackers did not, and they were able to exfiltrate millions of users’ data.
  10. On November 3, the fintech company Robinhood experienced a data breach in which an unauthorized third party obtained access to customers’ personal data. It is believed that no bank account numbers, SSNs, or debit card numbers were exposed. Approximately five million email addresses were obtained, along with the full names of a different group of about two million people. Robinhood is still investigating this breach.

2021 was filled with many highs and lows that will shape what ends up happening in 2022. Here are my boldest predictions for this year (and let’s all remember, these are predictions).

2022 Bold Predictions

  1. The topic of “Data Privacy” will enter the same phase that cybersecurity entered around 10-15 years ago. Believe it or not, cybersecurity wasn’t top of mind for many board members a decade ago. Now, cybersecurity is included in public company reports and board discussions and is seen as an asset in almost all organizations, and data privacy will take its place as the “trendy” topic in board meetings. Of course, this can only be measured by what we see in 10-K reports and earnings calls once they happen.
  2. Cybersecurity insurance premiums will keep creeping up as cyber attacks ramp up across the world. This last year, we saw some massive system breaches that disrupted parts of our daily lives. In 2021, the average cost of recovering from a ransomware attack was around $1.85 million and the average ransom paid was $170,404 (Sophos’ 2021 State of Ransomware report). Because of this, we will see cyber insurance premiums rise even faster than they already have, costing companies around 50%-100% more than they were paying one year ago. In 2021, premiums were approximately $1,500 for small businesses, and we could see these tip over $2,000 in 2022. That price is for $1 million of coverage.
  3. Two or three more states will move privacy legislation beyond their review committees. In 2020 and 2021, we watched California, Colorado, and Virginia pass privacy laws that will go into effect over the next few years. On 10/13/2021, the Massachusetts Joint Committee on Advanced Information Technology met to discuss S.46, as well as a few other privacy acts, and S.46 is currently in committee to be voted on soon. As of April 7, 2021, Pennsylvania’s HB 1174 was referred to the Consumer Affairs Committee; this bill could be voted on in 2022, but that is unlikely given the various reviews that still need to happen. Lastly, New York has several bills in the pipeline (A 680, S 6701, A 6042, S 567) that are all currently in committee and not on the floor calendar. Fortunately, the New York legislature will be in session until June 3rd, so the bills should be placed on the calendar for a vote later. With that said, the bills won’t come into force in 2022, but they will all pass through committee and could be on Governor Hochul’s desk for her signature by 2023.
  4. The global supply chain will be the main target for attackers in 2022. We saw Colonial Pipeline get hacked, disrupting fuel supplies to the eastern and southeastern United States for some time. We also watched JBS get hit by a ransomware attack, causing operations to cease for a single day. Even a single day of disrupted operations can be detrimental for a company as large as JBS. Based on this, we will see more global supply chain attacks in 2022.
  5. Federal legislation will be created to force companies to share threat intelligence information with the government. If not voted on, it will at least be drafted, given the year-over-year increase in cyber attacks. According to the 2021 Verizon Data Breach Investigations Report, social engineering attacks have increased by 200% since 2018, while the conversion rate of all cyber attacks (the percent chance that an incident becomes a breach) has settled around 65%.
  6. A new role will begin appearing across organizations that deals specifically with data privacy initiatives. This includes handling data subject requests, enforcing privacy controls in the organization, and reporting data privacy statistics to the board. Currently, most organizations have one or a few individuals fulfilling these duties alongside other work, but there isn’t a dedicated position as of yet. This is due to the difficulty of defining the role’s responsibilities and organizations not seeing the immediate value in such a position.
  7. Privacy technology, as well as employee activity tracking software, will be a booming business. If effective software can be brought into an organization that “patches a hole” in its privacy posture, the organization will bring it in. And although tracking software might be a violation of basic ethics, it will also help an organization understand where it needs to consider consolidating resources and slimming down other areas.
  8. Wearable devices will become the latest privacy concern. Most individuals have one of these on their person, and the device constantly monitors their health data. Because of this, the individual’s data is being captured by the company, stored, and processed. Since most of this data is very personal, these devices will be the next focus of the ongoing effort to enforce tighter restrictions around data collection. This initiative won’t fully come to fruition in 2022, but more conversations will be had around these devices.

What do you think? Do you have other bold predictions? Let me know in the comments!


See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.