- Advanced Persistent Threats (APT) will prompt increasingly sophisticated technology fixes, SEC enforcement actions to force enhanced corporate policies and corporate compliance audits. The ramifications of APTs, having impacted datacenters and the media, will reach Congress and the corporate boardroom. Each board meeting will involve a report of current APT activities and current responses to protect company assets, shareholder value and board member liability.
- Secure cloud computing will become critical and cloud services will become more flexible. There will be substantial growth in the use of private clouds and contracts that contemplate greater client control over security levels and information location.
- Bring Your Own Technology (BYOT) will continue to challenge employers attempting to protect their intellectual property, while employees continue to press for more privacy and social media access.
- HIPAA enforcement will be substantially increased as the Department of Health and Human Services authorizes more audits of healthcare organizations and business associates. Mini-HIPAA enforcement actions will be generated by state attorneys general trained by the Office of Civil Rights, acting on newly enhanced state privacy laws that include medical information as part of the Personally Identifiable Information (PII) definition.
- The definition of PII will expand, enabling state attorneys general to bring enforcement for disclosure of ZIP codes and Domain Name System information. This trend is already taking shape in the FTC’s new December 2012 amendments to the Children’s Online Privacy Protection Act, which expands “personal information” to include geolocation information and photographs, videos and audio files that contain a child’s image or voice, as well as persistent identifiers that can identify users over time across different platforms, such as IP addresses and mobile device IDs. These trends will also appear in other privacy statutes and rules.
- Cyber class action litigation will expand dramatically as the requirement to prove damages becomes increasingly diluted by the federal courts.
- Litigation against banks will increase under the Gramm-Leach-Bliley Act for failure to secure Electronic Funds Transfers and other sensitive materials and information.
- Payment Card Industry (PCI) enforcement will expand into cloud environments. Wireless unencrypted retail transactions will continue to be enforced both on a compliance level as well as after a breach has taken place.
- New EU Data Protection Regulation will develop and will impact organizations offering goods and services to European citizens (whether established in the EU or not). Such regulations will contemplate mandatory breach notifications (within 72 hours), a requirement to have a Data Protection Officer (appointed to the board of directors) and the strengthening of data transfer mechanisms, such as Binding Corporate Rules and the U.S. Safe Harbor Framework.
- The FTC will increase enforcement actions with respect to mobile applications and social media, as companies have difficulty complying with new guidance regarding conspicuous placement of disclosure notices on apps.