2023 is almost here! And with the new year comes a look back and a look forward.
2022 Year-in-Review
- Two states passed state-level data privacy legislation this year. These states are Connecticut and Utah. Connecticut’s goes into effect on July 1, 2023, and Utah’s on December 31, 2023.
- The most comprehensive federal-level data privacy bill, with bi-partisan support, was introduced to the US Congress. If passed, the bill, the American Data Privacy and Protection Act, would be the first of its kind and give America a GDPR equivalent. It is currently in review by the House of Energy and Commerce.
- Although not data privacy related, the popular crypto exchange FTX filed for Chapter 11 bankruptcy, and its former CEO, Sam Bankman-Fried, resigned from the company. At one point, FTX was the third-largest crypto exchange.
- Uber was the victim of a hack in which an adverse party accessed its internal network, including its Slack channel, and downloaded information from a financial tool. It was reported that the hacker purchased a password from a dark web market.
- In January, the popular crypto exchange Crypto.com was the victim of a hack in which more than $30 million in cryptocurrency was stolen from users’ wallets. Nearly 500 customers were affected, and the attackers circumvented the application’s MFA feature.
- Microsoft’s servers were hit by an attack in March 2022 as part of a larger social engineering and extortion campaign believed to be undertaken by the hacker collective known as Lapsus$. Some of Microsoft’s source code was exfiltrated, but the company claims no customer data was accessed. The group used classic social engineering techniques to obtain user credentials.
- Meta, formerly known as Facebook, was hit with the second- and third-largest GDPR fines in history (Amazon sits at the top). On September 5, 2022, Meta was fined EUR 405,000,000 for allowing the business accounts of minors, along with their cell phone numbers and email addresses, to be publicly displayed, with the “public” view set by default. Additionally, on November 25, 2022, Meta was fined EUR 265,000,000 for allowing a dataset of personal data to be made available on a hacking platform. This data leak affected the phone numbers and email addresses of up to 533 million individuals.
- Back in June, the US Supreme Court overturned Roe v. Wade. This made decision-making around abortion a state-level issue instead of a federal-level issue. Regardless of anyone’s personal stance, this decision removes privacy from women since, depending on the state they live in, their access to that component of healthcare may become difficult to obtain.
- The EU and US agreed to develop a fresh data transfer framework to allow for the sharing of data between the regions. The Court of Justice of the EU will decide if the proposed protections fill the gaps left by the predecessor framework.
Much more happened that was noteworthy in 2022, but I am limiting this to what you see above. In short, 2022 brought more state-level privacy laws, a federal-level privacy law in motion, and a few more data breaches.
2023 Predictions
- State-level privacy laws will begin to slow down. The introduction of the ADPPA, which may not pass until 2024, will likely cause many state legislatures to hold off on pushing for state laws while a federal bill is in play. I wouldn’t be surprised if one state enacts privacy legislation, but I would be surprised if two states did, since the only states with bills in motion are Pennsylvania, Michigan, New Jersey, and Ohio.
- Anyone “in-the-know” reading this next prediction may think, “of course, this has been happening for years.” However, several smaller clients I serve are only now beginning to implement data governance programs and appoint data governance officers. I believe these types of roles will become more prevalent throughout the marketplace. Large organizations already have such programs in place, along with the headcount to assign responsibilities. Smaller organizations, however, lack the resources, and sometimes the expertise, to implement these types of projects. Regardless, responsibility for data management will become more centralized, taken out of the hands of individual line managers and placed with a dedicated, centralized data governance division.
- Cyber insurance premiums will continue to rise, again. As the 2022 recap shows, several large data breaches occurred, and those companies need insurance to cover the losses from that data. In Q4 2022, average premiums were up a little more than 25% from Q4 2021. They will continue to increase as attackers persist in targeting data. The data attackers target may also be newly covered by privacy legislation, potentially increasing the penalties for security breaches.
- Data transfers between the EU and US will get better. A framework is in development that will impose restrictions on access and provide for improved legal redress for individuals in applicable jurisdictions. The executive order to accomplish those objectives was signed on October 7, 2022. How much better? That remains to be determined, since we don’t really have any easily accessible data we can use to predict, within a reasonable margin of error, how secure data transfers between the EU and the US have been in the past.
- Privacy as a service (PraaS) will become more popular with companies. This encompasses anything from privacy audits to augmented data privacy staff capabilities. We’ve seen privacy become a more important topic for policing organizations, such as the PCAOB, in 2022, and this trend won’t slow down. For example, I serve as an augmented data privacy team member for one of my clients until we find someone more permanent to fill the role. This role didn’t exist for my client in 2021; its responsibilities were handled by in-house counsel. Although it won’t look as cut-and-dried as SaaS products, in a general sense it will become more mainstream for organizations looking to button up their privacy posture.
- We will see more websites making customers aware of their privacy notices. The privacy notice will be the organization’s external-facing, all-encompassing document that explains the necessary information points for consumers. Information such as the controller’s contact information, the categories of data processed, and how data gets collected will all be included in the privacy notice. I say this because we’ve started seeing more emphasis placed on informing customers about a website’s use of cookies, so the next step in this process will be explaining what data collection is happening, how, and by whom.
This list isn’t exhaustive, and more things will undoubtedly happen in 2023 related to data privacy. From new legislation to deal-making, privacy will pick up more steam in 2023 after garnering a bigger supporting cast in 2022 than in previous years. I want to lay out the items that will be most visible to my readers and listeners here and help you prepare for what may happen in 2023.
If you have some thoughts, let me know what you think! And feel free to reach out any time for any other data privacy questions you may have.
See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.