Cybersecurity Legal Trends for 2023

As the world becomes increasingly reliant on technology and the internet, cybersecurity legal trends continue to evolve and shape the way we approach data protection. So what can we expect in terms of legal changes for 2023 in the United States? Let’s get out that old crystal ball and see what we can see.

Increased regulation of AI and machine learning. According to a report by McKinsey, the global market for AI applications is expected to reach $190 billion by 2025. With the widespread adoption of these technologies, there is likely to be an increase in the regulation of AI and machine learning. For example, the European Union is currently considering the development of a set of guidelines for the ethical use of AI, which may include provisions related to transparency, accountability and fairness. AI is increasingly being used in cybersecurity applications and elsewhere and is essentially unregulated in the United States. Applications like the one that drafted this article (chat.ai) raise concerns about inherent bias, accuracy, ownership and reliance on AI programs, each of which needs to be regulated.

Heightened scrutiny of data privacy practices. Data privacy has been a hot topic in recent years, and this trend is likely to continue in 2023. A survey by Accenture found that 90% of consumers are concerned about how their personal data is being used by companies. In response to these concerns, regulations such as the GDPR and CCPA have implemented stricter data privacy requirements for companies operating in their jurisdictions. In the United States, there have also been proposals for federal data privacy legislation, such as the Consumer Online Privacy Rights Act (COPRA). This is particularly true for things like the use of biometrics, facial recognition, location privacy and the sharing and deep analytics of “publicly accessible” information.

Greater focus on cybersecurity in the health care industry. The health care industry has been a prime target for cyberattacks in recent years, and this trend is likely to continue in 2023. According to the Department of Health and Human Services, there were over 400 data breaches affecting the health care sector in 2020, resulting in the exposure of over 27 million patient records. To address this issue, there may be an increased focus on cybersecurity in the health care sector, including the implementation of stricter regulations and the adoption of advanced technologies to protect against cybersecurity threats. The health care sector is particularly vulnerable to ransomware, DDoS and other assaults on the availability of information and continues to be vulnerable to privacy attacks. With embedded software in medical devices increasingly creating data streams or providing for internet accessibility, data security practices in health care need to be improved.

Changes to cybersecurity insurance policies. As cybersecurity threats become more sophisticated, insurance companies are likely to revise their cybersecurity insurance policies to better protect against these risks. For example, insurance companies may start requiring policyholders to implement certain cybersecurity measures to qualify for coverage. In addition, there may be changes to the types of cybersecurity threats that are covered by insurance policies, with an emphasis on emerging threats such as ransomware attacks. Other types of losses, like cryptocurrency thefts, business email compromises, losses due to false personation, credential theft and the related costs of investigation and recovery may not be covered. At the same time, the losses incurred in the insurance industry are causing the industry to reexamine its pricing and underwriting policies.

Increased attention on cybercrime in the criminal justice system. As the impact of cyberattacks becomes more widespread and severe, there is likely to be an increase in the prosecution of cybercriminals. According to the FBI’s Internet Crime Complaint Center, the number of reported cyberattacks increased by 20% in 2020, with nearly 800,000 complaints filed. In response to this trend, there may be the development of specialized cybersecurity units within law enforcement agencies and the establishment of stronger international cooperation in the fight against cybercrime. Cybercriminals are international in scope and effect, while domestic law enforcement agencies typically have jurisdiction that stops at the border. Major revisions in the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Wiretap Act and other statutes meant to help combat cybercrime are long overdue.

Greater emphasis on cybersecurity in supply chain management. As companies become more reliant on third-party vendors and contractors, there is likely to be an increased focus on supply chain security. According to a report by the Center for Strategic and International Studies, supply chain attacks have caused significant disruptions and financial losses for companies in various industries. In 2023, there may be the implementation of stringent cybersecurity protocols and the use of advanced technologies to protect against supply chain attacks. In considering the supply chain and resilience, companies not only need to consider the cybersecurity impacts on the supply chain but also the supply chain impacts on cybersecurity. In addition, cybersecurity is not just about security hardware and software—it’s also about data and the supply chain of data itself.

Expansion of data breach notification laws. In the wake of high-profile data breaches, there is likely to be an expansion of data breach notification laws. These laws may require companies to promptly notify affected individuals and regulators in the event of a data breach and may impose stricter penalties for noncompliance. In the United States, for example, there have been proposals for a national data breach notification law that would standardize the notification process across all states. Companies seeking to comply with data breach notification laws currently have to negotiate more than 60 different data breach notification regulations, which provide different definitions of the kind of information that is subject to notification, the timing and nature of the information that must be disclosed, the entities to which notification must be made and the nature of remediation efforts required. Congress has long considered a single federal data breach law that would supersede state laws. The industry supports such a move, provided that the federal laws don’t impose more stringent requirements than current law requires.

Changes to cybersecurity regulations in the financial sector. The financial sector has long been a target for cyberattacks, and this trend will likely continue in 2023. As a result, there may be changes to cybersecurity regulations in the financial industry, including the implementation of stricter requirements for data protection and the adoption of advanced technologies to prevent cyberthreats. This is particularly true as it applies to cryptocurrencies in general and the interface between cryptocurrencies and traditional financial instruments.

Greater emphasis on cybersecurity in the automotive industry. As connected and autonomous vehicles become more prevalent, there is likely to be an increased focus on cybersecurity in the automotive industry. This may involve the implementation of stricter regulations and the adoption of advanced technologies to protect against cyberthreats to vehicles and their systems.

Changes to cybersecurity regulations in the energy sector. The energy sector is critical to the functioning of modern society and, as such, it is a prime target for cyberattacks. In 2023, there is likely to be an increased focus on cybersecurity in the energy sector, including implementing stricter regulations and adopting advanced technologies to protect against cyberthreats. Such regulation may include requirements for cybersecurity, cyberresilience, disaster recovery and similar requirements.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
