Cybersecurity & Privacy Policy to Watch in 2024

Cybersecurity & Privacy Policy to Watch in 2024

January 1, 2024, Law360

Micaela McMurrough, Caleb Skeath, Mark Young, and Lindsey Tonsager’s commentary was included in a Law360 article looking ahead to major developments in cybersecurity and privacy policy in 2024.

Lindsey commented on a case involving California's Age-Appropriate Design Code Act and a similar dispute over an Arkansas law aimed at limiting children' social media access. She discusses how these sorts of cases are likely to continue as a focal point in the field, saying, "That's something to watch in 2024, because these efforts to regulate children's privacy aren't going away.”

Caleb took a look at legal activity in the broader cybersecurity landscape, saying that “overall, 2023 met if not exceeded our expectations for the evolution of the cybersecurity regulatory space. Agencies continued to exercise their authority on cybersecurity issues, and we're anticipating a continued drive along the same lines in 2024.”

Micaela and Mark provided insight on how actions by the FTC and EU, respectively, would affect the privacy and data security space. Micaela said that “in the absence of activity in Congress on a federal cybersecurity law, we're seeing the executive branch come out and take a whole-of-government approach to regulation, with multiple agencies moving forward with cybersecurity initiatives in their own sectors. As these efforts continue into 2024, they will create an increasingly complicated regulatory environment where companies that operate in multiple sectors are likely to face overlapping and conflicting requirements from various regulators.”

Mark added that companies would have to pay attention to EU actions, saying that “European Union member states will be busy drafting regulations to implement the NIS 2 Directive that sets heightened rules for banks, energy suppliers, medical device makers, digital services and a wide range of other critical infrastructure providers to secure their systems and report cyberattacks.”

“Cybersecurity laws in the EU have been developing slowly but surely," Mark added. “It's becoming a complex web and companies will have to work out what laws they're subject to and, if they're ever impacted by a cyber incident, what rules apply to them and how long they have to respond.”