The Authors
The authors are all attorneys with the Kennedys law firm (kennedyslaw.com). Joshua Mooney (joshua.mooney@kennedyslaw) and Judy Selby (judy.selby@kennedyslaw.com) are partners. Tracey Kline (tracey.kline@kennedyslaw.com) and Alexis Childs (alexis.childs@kennedyslaw.com) are associates. Bridget Mead, associate, and Javier Vijil, senior associate, also contributed to this article.
Judy Selby is also a member of the Editorial Board of Advisors for the Journal on Emerging Issues in Litigation.
Cybersecurity and Data Privacy 2021 in Review
By Joshua Mooney, Judy Selby, Tracey Kline, and Alexis Childs
Abstract:
As the world emerged from lockdown, it should come as no surprise that cybersecurity and data privacy remained dominant topics in the media and legal industry. Some of 2021 was much like 2020—ransomware attacks continued to fill the headlines, and in the aggregate, constituted significant loss paid under cyber insurance policies. OFAC reminded victim companies and incident response firms (and cyber carriers) that it remains unlawful to pay ransom payments to designated organizations. Comprehensive federal legislation addressing cyber defenses and notification requirements never materialized. Yet in 2021, we saw new and significant developments. U.S. law continued its drift toward comprehensive privacy regulation with two new significant pieces of privacy legislation and California’s enforcement of the California Consumer Privacy Act. In the absence of federal legislation, federal agencies either stepped up enforcement actions or signaled that they intend to do so within their realms of governance. Litigation under the Illinois Biometric Information Privacy Act continued its surge while the Illinois high courts rendered two impactful decisions and a circuit court punted to Illinois’s highest court. This review provides a brief synopsis of many events and developments that made the authors’ list. Â
Perhaps one of the most significant developments in U.S. privacy law for 2021 was the enactment of comprehensive data privacy laws in Virginia and Colorado. Both pieces of legislation, which go into effect in 2023, adopt frameworks resembling those in the EU General Data Protection Regulation 2016/679 (GDPR) and the California Consumer Privacy Act (CCPA). Both laws also grant consumers significant rights with respect to their personal data, but neither contains a private right of action.Â