Regulatory Playbook | Pillsbury Law | Cybersecurity, Privacy & Data Protection | Insights
Inside analysis direct from Washington, DC

Cybersecurity, Privacy & Data Protection

  • New CISA Rule Would Require Widespread Cyber Incident Reporting, Updated Timelines and Penalties for Critical Infrastructure Sector

    At the end of March 2024, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released the long-anticipated Notice of Proposed Rulemaking (NPRM) detailing how companies would have to comply with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The draft CIRCIA rule (the Proposed Rule) would require virtually every owner or operator within one of the 16 identified critical infrastructure sectors to report a covered cyber incident within 72 hours of reasonably believing it occurred, and to report a ransomware payment within 24 hours of making it. Public comments on the Proposed Rule are due by June 3, 2024, and CISA expects to publish the Final Rule no later than October 4, 2025.

  • China Issues Rules to Clarify and Relax Cross-Border Data Transfer Controls

    On March 22, 2024, the Cyberspace Administration of China (CAC) published the final version of the Provisions on Promoting and Regulating Cross-Border Data Transfers (Provisions). The Provisions aim to clarify the implementation of the Measures on Security Assessment for Data Export (Security Assessment Measures), in effect since September 1, 2022, and the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (SC Measures), in effect since June 1, 2023, along with other cross-border data transfer issues. As described in more detail below, the Provisions, among other things, set out scenarios in which the procedural regulatory requirements for data export are exempted, and clarify how “important data” (Important Data) is identified and the thresholds that trigger a mandatory security assessment.

  • FCC Announces Consumer IoT Cybersecurity Labeling Program

    Reflecting the growing concern with cybersecurity threats associated with Internet of Things (IoT) products, the Federal Communications Commission (FCC) adopted rules at its March 2024 meeting to implement a new Voluntary Cybersecurity Labeling Program. The new label, the “U.S. Cyber Trust Mark,” may be affixed to wireless consumer IoT products that pass the voluntary review, which checks the products against the baseline cybersecurity criteria in NIST Internal Report (NISTIR) 8425, published in September 2022.

  • Congress Sets Its Sights on Limiting Access to Chinese Biotech Companies

    The BIOSECURE Act would prohibit federal agencies from contracting with, extending loans to, or awarding grants to any company with existing or pending agreements with identified biotechnology companies. The restriction thus reaches both direct procurement from those biotechnology companies and federal funding flowing to any entity that uses their equipment or services.

  • Four New State Consumer Privacy Laws Are Slated to Take Effect in 2024

    Despite growing momentum, the United States remains one of the largest nations without a comprehensive federal privacy law. This has led to a significant uptick in state-level privacy legislation since the 2018 enactment of the California Consumer Privacy Act. In 2023 alone, four consumer privacy laws went into effect (in Colorado, Connecticut, Virginia and Utah), and eight more states enacted similar laws.

  • Congress and the FCC Seek to Protect Americans from Robocalls and Robotexts Using AI-Generated Content

    The federal government in recent weeks has taken steps to protect Americans from robocalls and robotexts that use artificial intelligence (AI)-generated content. Bad actors are increasingly using AI to fool consumers into thinking that the caller or texter is a real person, and certain AI technologies have become sophisticated enough to hold a conversation with the consumer who answers. To this end, the Federal Communications Commission (FCC) issued a Notice of Inquiry in an effort to better understand how AI technologies are currently being used in robocalling and robotexting and how they might be used in the future. In the most recent high-profile example of AI-generated content in a robocall, New Hampshire residents received a call purportedly from President Joe Biden telling them to stay home and not vote in the state’s primary election. The call was not authorized by President Biden or his campaign, nor did it include a legitimate message from the president; it was a so-called deepfake using the president’s voice. The FCC acted swiftly in the wake of the New Hampshire incident by issuing a cease-and-desist letter to the company that it suspected of originating the illegal calls and by adopting a Declaratory Ruling to clarify the applicability of certain of its rules to robocalls and robotexts that use AI-generated content. U.S. Rep. Frank Pallone, Jr. (D-NJ), ranking member of the U.S. House Committee on Energy and Commerce, which has jurisdiction over the FCC and telecommunications issues, introduced legislation that would require a disclosure for any robocall that uses AI to emulate a human.

  • AI and the “G” in ESG

    We recently waved goodbye to 2023, and we remember many things from last year (besides Taylor Swift), including two important letters—A.I. These two letters arguably received more attention than any others, ranging from companies developing and implementing breakthrough AI technology, to government regulators expressing caution and high school students becoming best friends with ChatGPT. As AI expands into virtually every industry—whether cutting edge technology and financial companies or “old school” industries, such as construction and transportation—another letter merits our attention: the letter G.

  • Department of Defense Delivers Highly Anticipated CMMC Proposed Rule

    On December 26, 2023, the Department of Defense (DoD) issued the long-awaited Cybersecurity Maturity Model Certification (CMMC) proposed rule and related guidance. As we have previously reported, CMMC is a program developed by the DoD to protect the Defense Industrial Base from cyber threats. Under this program, nearly all DoD contractors and subcontractors would be required to achieve certain levels of cybersecurity maturity. The DoD first announced the CMMC program in 2019, then issued an initial version of the program (CMMC 1.0) in November 2020. In November 2021, the DoD announced that it would be overhauling the CMMC Program and replacing it with CMMC 2.0. The purpose of CMMC 2.0 was to restructure the CMMC Program and to reduce the cost and administrative burden of achieving cybersecurity compliance. The newly released proposed rule implements many aspects of CMMC 2.0 and introduces additional requirements. Below is a summary of some of the key aspects of the new rule. If implemented, the proposed rule would represent the DoD’s first implementation of the much-debated CMMC Program. Comments on the proposed rule are due on February 26, 2024.

  • Artificial Intelligence-Generated Content in Political Ads Raises New Concerns for Broadcasters

    With the Iowa Republican Caucus happening in mid-January and dozens of additional primaries and caucuses to follow before the 2024 general election, broadcasters need to be aware of the use of artificial intelligence (AI), deepfakes and synthetic media in political advertising and the various laws at play when such content is used. These laws seek to ensure that viewers and listeners are made aware that the person they are seeing or the voice they are hearing in political advertising may not be who it looks like or sounds like. Campaigns, political committees, super PACs, special interest groups and other political advertisers are using AI, deepfakes and synthetic media in advertisements, making it easier to mislead and misinform viewers and listeners.

  • International Counter Ransomware Initiative Pledges to Halt Government Ransom Payments, but with Exceptions

    The Annual Meeting
    The International Counter Ransomware Initiative (CRI) is an international initiative comprising 48 countries, the European Union and INTERPOL. The United States is a prominent member of this group, not only in hosting this annual meeting but also by serving as the CRI Secretariat. The CRI aims to “undercut the viability of ransomware, pursue threat actors, counter illicit finance underpinning ransomware ecosystem, collaborate with the private sector to defend against ransomware attacks, and cooperate internationally to address all elements of the ransomware threats.” The CRI focuses on partnerships and information sharing to bolster collective security against ransomware threats.

  • President Biden Issues Long-Awaited Executive Order on Safe, Secure and Trustworthy Artificial Intelligence

    On October 30, 2023, President Biden issued the long-awaited Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI), the first order to navigate AI’s impact across sectors and to help agencies and consumers harness the benefits of AI while mitigating its risks.

  • The Legal Impact of AI on Associations

    There has been a rush of news and debate around Artificial Intelligence (AI) since the launch of ChatGPT in late 2022. AI is nothing new; you likely interact with it every day via spellcheck, virtual assistants and email spam filters. Generative AI, however, and its mass adoption for both personal and professional use, is a more recent phenomenon, and you may not have considered the legal implications and potential impact on your association.

  • Recent Updates on Foreign Investment Restrictions and Export Controls Governing Semiconductors, Quantum Computing and Artificial Intelligence (AI)

    From August 27 to August 30, 2023, U.S. Secretary of Commerce Gina Raimondo visited China, marking the first trip to China by a U.S. commerce chief in five years. The trip, which came amid growing tensions between China and the United States, sought to open dialogue on crucial matters, including export controls, investment restrictions and national security. One reported success from Raimondo’s trip was the creation of a commercial working group that will meet twice a year at the vice minister level. While Raimondo stressed that this group will not “solve everything overnight,” it has been hailed as a welcome step toward transparency between the two countries.

  • Administration Poised to Act on “Internet of Things” Devices

    The Federal Communications Commission (FCC or Commission) has issued a Notice of Proposed Rulemaking (NPRM) to create a labeling program for Internet of Things (IoT) devices with comments due September 25, 2023, and reply comments due October 10, 2023.

  • Unleashing the AI Imagination: A Global Overview of Generative AI Regulations

    This article discusses the latest legislative developments on Generative AI in the United States (U.S.), the European Union (EU), the United Kingdom (UK) and the People’s Republic of China (China or the PRC).

  • Federal Communications Commission Acts to Prevent Unwanted and Illegal Phone Calls and Text Messages

    With an estimated four billion robocalls per month, it’s not surprising that unwanted and illegal robocalls are the Federal Communications Commission’s (FCC) top consumer-protection priority, generating about 119,000 complaints in 2022 alone. Unwanted and illegal text messages—estimated at 225 billion in 2022—are increasingly prevalent and uniquely harmful to consumers by including legitimate-looking links designed to fool the recipient into providing personal and financial information. All of us experience on a daily basis the awkwardness of receiving a phone call or text message from an unknown telephone number and deciding whether to answer or reply. Unfortunately, some of these calls and texts are from bad actors and will result in fraud costing consumers billions of dollars.

  • Leading Generative AI Companies Commit to Voluntary White House Guidelines

    On July 21, 2023, the White House announced the voluntary commitment of seven companies to high-level principles concerning safety, security and public trust with respect to their generative artificial intelligence (AI) technologies. These voluntary principles will serve as a guidepost for the industry until Congress develops and passes legislation for AI development.

  • SEC Finalizes Long-Awaited Public Company Cybersecurity Disclosure Rules

    On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted Final Rules that require public companies (registrants) and foreign private issuers to disclose material cybersecurity incidents promptly and to make periodic disclosures of their cybersecurity risk management, strategy and governance in annual reports. As we previously noted, the Final Rules add powerful arrows to the quivers of SEC Chair Gary Gensler and the SEC’s Enforcement Division to regulate cybersecurity as part of the agency’s mission of maintaining orderly markets. With their adoption, the Final Rules further bolster the SEC’s attempts to serve as the “cyber cop” on the Wall Street beat.

  • China Finalizes Its First Administrative Measures Governing Generative AI

    On July 13, 2023, the Cyberspace Administration of China (CAC), China’s main regulator for cybersecurity and data privacy, issued its final version of the Interim Administrative Measures for Generative Artificial Intelligence Service (Generative AI Measures), which will come into effect on August 15, 2023. Compared to the draft regulations (Draft Regulations) published by the CAC in April for public comments, the Generative AI Measures have relaxed several requirements on the providers offering generative AI services and placed more emphasis on encouraging technological development and innovation.


  • The EU-U.S. “Data Privacy Framework”: A New Solution for the Free Flow of Personal Data
    07.25 | Alert

    Under the General Data Protection Regulation (GDPR), personal data can only be transferred to a “third country” outside of the European Economic Area (EEA) (e.g., the United States) if: (i) there has been an “adequacy decision” issued by the European Commission (Commission) in respect of that country; (ii) “appropriate safeguards” are in place (such as standard contractual clauses (SCCs) or binding corporate rules (BCRs)); or (iii) a derogation applies. Similar rules apply in relation to transfers of personal data from the UK or Switzerland.

  • One to Watch: Has the Ninth Circuit Turned on Section 230?

    On June 21, 2023, the Ninth Circuit decided in a class action suit, Vargas, et al., v. Facebook, Inc., that Section 230 of the Communications Decency Act (Section 230) did not immunize Facebook from claims arising from allegedly discriminatory conduct by housing advertisers using the defendant’s Ad Platform. Ad Platform provides advertising users with the ability to select from among thousands of user attributes, including protected characteristics like sex, disability and familial status (e.g., whether a person has children), to target ads to advertisers’ preferred audiences on Facebook. Facebook is not alleged either to have contributed actual content to the housing ads or to have directed, induced or required advertisers to select particular audience attributes, whether or not protected under federal housing law. Nevertheless, the Ninth Circuit denied Facebook’s motion to dismiss, holding that Section 230 immunity did not apply.

  • Upcoming EU Rules on Digital Operational Resilience

    The EU’s new Digital Operational Resilience Act (DORA) seeks to strengthen the resilience of financial entities against cyber threats arising from information and communication technologies (ICT). DORA’s scope is broad, applying to “financial entities” such as credit, payment and e-money institutions, account information and crypto-asset service providers, investment firms, central securities depositories, managers of alternative investment funds, management companies, insurance and reinsurance undertakings, and credit rating agencies. Non-EU entities should assess their activities to identify whether they undertake covered activities within the EU and are therefore in scope of DORA.

  • DHS Implements New Security and Privacy Measures for Controlled Unclassified Information

    On June 21, 2023, the Department of Homeland Security (DHS or Department) issued a final rule amending the Homeland Security Acquisition Regulation (HSAR) to add requirements for DHS contractors to protect Controlled Unclassified Information (CUI) and to report cyber incidents. The final rule follows a 2017 proposed rule and builds on existing DHS security policy by updating an existing HSAR clause and creating two new HSAR clauses. The final rule imposes significant new obligations on DHS contractors that extend beyond the obligations imposed by the Department of Defense (DOD) and other agencies. In addition, the clause requires DHS contractors to protect CUI using different security controls than those required by the DOD.

  • Data Privacy: What Nonprofits Need to Know in the United States, EU and UK, and China

    Laws are evolving worldwide as data privacy and cybersecurity issues move to the forefront of policy-making discussions. The United States continues to work within a layered regulatory system that utilizes laws at both state and federal levels, while the EU and UK are largely guided by overarching legislation that bears strong consequences if breached. In China, regulations are a bit more complex. Nonprofit organizations doing business in these regions will want to take note of the latest privacy-related developments, along with regulations that have existed for a long time, all outlined ahead.

  • Will Generative AI Create a Break in the Impenetrable Wall That Is Section 230?

    As people increasingly experiment with ChatGPT, Google Bard and other generative AI systems, even using these tools in the course of their daily lives and work, the legal hot topic of the day concerns liability for the content produced by generative AI. For the last 25 years, cases addressing, arguing and deciding the application of Section 230 of the Communications Decency Act (“Section 230”) have provided clear signposts offering reliable legal guidance about responsibility for most content we see on the Internet. But when applying these precedents to generative AI products, we are in uncharted territory.

  • AI Users Beware: Federal, State and Local Legislators and Regulators to Crack Down on AI-Related Employment Discrimination

    According to a 2022 survey from the Society for Human Resource Management, approximately one in four organizations use automation and/or AI to support employment-related activities, such as recruitment and hiring. AI tools used in employment decision-making include chatbots that guide applicants through the application process, algorithms that screen resumes and predict job performance, and even facial recognition tools used in interviews to evaluate a candidate’s attention span. For employers, these tools may offer an efficient and effective way to recruit promising talent, but federal, state and local governments are increasingly focused on the potential for discrimination.

  • Congress Contemplates Creating a New Federal AI Regulatory Agency

    In a hearing of the Senate Judiciary Subcommittee on Privacy, Technology and the Law on May 16, multiple U.S. senators—including Senators Richard Durbin (D-IL), Lindsey Graham (R-SC), Peter Welch (D-VT) and Cory Booker (D-NJ)—supported the idea of a federal artificial intelligence (AI) agency to regulate the transformative technology.

  • Outlook on AI and Civil Rights Law and Policy

    The Administration’s October 2022 launch of the AI Bill of Rights: A Vision for Protecting Our Civil Rights was the first step toward cementing equity and civil rights with respect to artificial intelligence (AI) as core values upon which the Administration has built a series of guidance documents and executive actions.

  • Florida Legislature Reins in Florida Telephone Solicitation Act

    Like the Telephone Consumer Protection Act (TCPA), the Florida Telephone Solicitation Act (FTSA) can be a minefield for businesses engaging in telemarketing and text marketing to Florida residents and those that conduct business in the state. The FTSA, commonly dubbed the mini-TCPA, prohibits using certain automated dialers to call (or text) consumers without their consent and enables consumers to recover $500 per call. The FTSA also provides for up to $1,500 in treble damages for willful or knowing violations, plus reasonable attorney’s fees and costs. In July 2021, the Florida legislature enacted language that broadened the statute, distinguishing it from its federal counterpart and opening a flood of litigation. As a result, FTSA violations have the potential to be financially devastating, especially for businesses underinsured against this exposure.

  • Joint Statement by Federal Agencies Marks Heightened Enforcement Attention on Potential Bias in AI Systems

    On April 25, 2023, the Consumer Financial Protection Bureau (CFPB), Department of Justice (DOJ) Civil Rights Division, the Equal Employment Opportunity Commission (EEOC) and the Federal Trade Commission (FTC) issued a joint statement affirming that they will be working collaboratively to enforce existing laws and regulations as applied to potential discrimination and bias in artificial intelligence (AI) systems. Companies that use AI and other automated systems should prepare for greater scrutiny from these agencies.

  • Congressional Action on AI Takes Major Step Forward

    Congressional leaders are intensifying efforts to legislate and regulate artificial intelligence (AI) technology. On April 13, Senate Majority Leader Chuck Schumer (D-NY) publicly announced a framework on AI regulation. The announcement came in response to the Chinese Communist Party’s release of its own AI regulatory framework. Schumer presented his framework as part of the United States’ duty to “lead and shape the rules governing such a transformative technology” rather than allow China to “write the rules of the road.”

  • FCC Adopts International Section 214 Authorization Order and Notice of Proposed Rulemaking to Address National Security Concerns Posed by Foreign Ownership

    The Federal Communications Commission (FCC), on April 25, 2023, released an Order and Notice of Proposed Rulemaking (NPRM) relating to international Section 214 authorizations, in response to recent concerns regarding national security, law enforcement and foreign ownership of telecommunications services. International Section 214 authorizations are issued to telecommunications providers that seek to offer international services originating or terminating in the United States.

  • Follow the Money: AI Winners in President Biden’s FY 2024 Budget Request

    The artificial intelligence (AI) revolution is rapidly transforming industries and reshaping our world as we know it. With advances in machine learning, natural language processing and computer vision, AI has moved beyond the realm of science fiction and become a driving force of innovation and productivity. This disruptive technology is creating new opportunities, challenges and implications for society at large. The Biden Administration is taking notice—here is a look at new AI programs and funding proposed in President Biden’s fiscal year 2024 budget proposal released on March 9, 2023.

  • China Issues Proposed Regulations on Generative AI

    With OpenAI’s introduction of ChatGPT into the market, Generative Artificial Intelligence (Generative AI) has dominated the headlines across the globe. Many technology companies have followed suit and released their Generative AI tools and services. Generative AI is widely expected to empower and change business models across industries and has immediately improved efficiency in many sectors. Pillsbury has been closely monitoring and advising our clients on these fast-changing AI technologies. (See our website at Artificial Intelligence (AI) Law | Pillsbury Law.)

  • AI Warning: ChatGPT Blocked for Data Laws Breach

    Wherever you are located, you need to be mindful of various laws around the world that may apply to your development and use of AI. Recent laws proposed in Europe (e.g., the AI Act) have attracted a lot of attention, but it can often be a mistake to overlook other laws that can apply and are currently in force, such as the General Data Protection Regulation (GDPR). The Italian data regulator’s enforcement action against OpenAI and ChatGPT this past week reminded everyone that laws such as GDPR do indeed impact the creation, development and use of AI.

  • Cross-Border Data Transfer Mechanisms and Requirements in China

    In recent years, alongside the rapid development of the digital economy and the concomitant increase in data generation, collection, processing and monitoring in the People’s Republic of China (PRC or China), the Chinese government has accelerated efforts to establish a robust legal framework for data protection. Over the past five years, China has promulgated several major data protection laws, including the Cybersecurity Law (CSL) (effective from June 1, 2017), the Personal Information Protection Law (PIPL) (effective from November 1, 2021) and the Data Security Law (DSL) (effective from September 1, 2021), together with a series of implementation regulations and administrative guidance. These laws and regulations, particularly with respect to requirements on the processing of personal information and cross-border data transfer, pose significant challenges and compliance obligations for multinational companies when conducting business in and with China. This article outlines our observations of the mechanisms and practice of cross-border transfer of personal information under China’s current legal framework.

  • New Biden Administration Cyber Strategy Proposes Dramatic Shift in Order to Hold Software Developers Liable for “Insecure” Software

    On March 2, 2023, the Biden administration released its National Cybersecurity Strategy (the “Strategy”) to create a more defensible, resilient and values-aligned digital ecosystem. Among other priorities, the Strategy sets out the administration’s intention to shift liability for insecure software onto the firms that develop it.

  • China Publishes Measures on Standard Contract for Cross-border Transfer of Personal Information

    The Cyberspace Administration of China (CAC) issued the final version of the Measures on the Standard Contract for the Cross-border Transfer of Personal Information (Standard Contract Measures) on February 24, 2023, which includes a template standard contract (Standard Contract). The Measures will take effect on June 1, 2023, but set forth a six-month grace period until December 1, 2023, to provide companies with time to take actions for compliance.

  • New UK GDPR Reform Bill Published

    Businesses already face an uphill struggle keeping pace with fast changing and numerous new data laws being passed in multiple U.S. states as well as countries around the world. The one silver lining has been the emergence of a recent trend of basing, to some extent, many of these new laws on the GDPR. This means that one way forward has been to look to build upon effort already expended on creating and administering GDPR compliance frameworks, albeit with updating needed for relevant recent changes or enforcement. The UK government changes therefore may well leave some feeling nervous. The changes to the UK GDPR will have to be scrutinized after the post-parliamentary readings to assess final impact of the Data Protection & Digital Information (No.2) Bill (DPDI2) (e.g., regarding fines, AI, cookies, transfers, legitimate interests, records of processing activities (ROPA), data protection officers (DPOs), Data Protection Impact Assessments (DPIAs), etc.). We will also have to see how the EU responds, as any removal of adequacy status will add further complications to EU-UK data transfers. Any business with UK operations, customers, suppliers or partners will need to freshly review and consider changes to its policies, documents and procedures to account for DPDI2.

  • New UK GDPR Proposals Incoming

    Businesses already face an uphill struggle keeping pace with fast changing and multiple new data laws being passed in multiple U.S. states as well as numerous countries around the world. The one silver lining has been the emergence of a recent trend of basing, to some extent, many of these new laws on the GDPR. This means that one way forward has been to look to build upon effort already expended on creating and administering GDPR compliance frameworks, albeit with updating needed for relevant recent changes or enforcement. The current efforts of the UK government therefore may well leave some feeling nervous. The details of any proposed changes to the UK GDPR will have to be scrutinized to assess impact (and to see if Data Protection & Digital Information Bill (DPDI) proposals regarding fines, cookies, data protection officers (DPOs), Data Protection Impact Assessments (DPIAs), etc. survive). We will also have to keep an eye on how the EU responds, as any removal of adequacy status will add further complications to EU-UK data transfers. One thing that is for certain is that any business with UK operations, customers, suppliers or partners will need to freshly review and likely make changes to its policies, documents and procedures to account for any changes this year.

  • The SEC’s Fast-Approaching Cybersecurity Overhaul for Public Companies and Regulated Entities

    In remarks last year, Gary Gensler, Chair of the Securities and Exchange Commission (SEC) made clear that the SEC “has a role to play” in regulating cybersecurity in the name of “maintaining orderly markets.” That role cannot be overstated.

  • FCC Proposes Updates to Customer Proprietary Network Information Breach Reporting Requirements

    The Federal Communications Commission (FCC) has proposed to update its data breach reporting requirements to address increasing security breaches in the telecommunications industry. In December 2022, the FCC released a Notice of Proposed Rulemaking (NPRM) launching a proceeding to improve the process for notifying customers and federal law enforcement of breaches that may have exposed customer proprietary network information (CPNI). In the NPRM, the FCC proposed several revisions to its data breach rules (which have not been updated since 2007) and seeks comment on those proposals.

  • Businesses Should Consider the SAFETY Act a Core Part of Their Ransomware Defense Program

    The SAFETY Act, a liability management program managed by the Department of Homeland Security, can be used by businesses to limit or eliminate potential liability associated with ransomware attacks.

  • DHS to Boost State and Local Cybersecurity Programs with $1 Billion in Grant Funding
    09.27 | Alert

    On September 16, 2022, the Department of Homeland Security (DHS) announced a Notice of Funding Opportunity (Notice) for a “first-of its-kind” program providing cybersecurity grants for state, local and territorial governments across the country through the State and Local Cybersecurity Grant Program (SLCGP). The agency is poised to provide similar assistance to tribal governments through the Tribal Cybersecurity Grant Program (TCGP), which is expected to be announced in the coming months.

  • China Passes Long-Awaited Measures on Security Assessment for Data Export

    On July 7, 2022, the Cyberspace Administration of China (CAC) of the People’s Republic of China (PRC or China) released the final version of the long-awaited Measures on Security Assessment for Data Export (Measures, “《数据出境安全评估办法》” in Chinese). The Measures specify the thresholds of data and information, the export of which is subject to CAC’s security assessment.

  • Landmark Federal Privacy Bill Clears First Congressional Hurdle

    In early June, Rep. Frank Pallone (D-NJ-6) and Rep. Cathy McMorris Rodgers (R-WA-5), the Chair and Ranking Member of the House Energy & Commerce Committee, along with Senator Roger Wicker (R-MS), Ranking Member of the Senate Science, Commerce & Transportation Committee, unveiled a draft federal privacy bill known as the “American Data Privacy and Protection Act.” The proposal—the first to garner bipartisan, bicameral support in Congress—would establish a national framework to protect consumer data privacy and security and bolster individual privacy rights.

  • Contractor Settles Cybersecurity-Related False Claims Act Suit for $9 Million

    A seven-year long False Claims Act suit comes to an end after Aerojet Rocketdyne reaches a $9 million settlement agreement for its alleged false certification of compliance with cybersecurity requirements.

  • DoD Increases Focus on Cybersecurity Compliance

    A recent DoD memorandum should serve as a warning to contractors that they need to focus on cybersecurity compliance now or risk serious consequences.

  • Staff Accounting Bulletin No. 121: Guidance for Entities Safeguarding Crypto-Assets Issued

    On March 31, 2022, the Division of Corporation Finance and the Office of the Chief Accountant (staff) of the U.S. Securities and Exchange Commission (SEC) issued Staff Accounting Bulletin No. 121 (SAB 121), which “adds interpretive guidance for entities to consider when they have obligations to safeguard crypto-assets held for their platform users.”

  • Bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 Signed into Law

    The new law arrives during a notably troublesome cybersecurity environment, in which the United States’ most crucial commercial sectors could be vulnerable to cyber intrusions and demands for ransomware payments.

  • Twelve Hours to Get It Right: The SEC Intensifies Its Focuses on Cybersecurity

    On the morning of May 24, 2019, a cybersecurity journalist notified First American Financial Corporation (First American) that one of its key applications had a serious vulnerability. First American, a publicly traded company that provides real estate settlement services, utilized the application Eagle Pro to share images of legal and financial documents used in real estate closings. According to an anonymous source, the vulnerability allowed unauthorized users to access over 800 million documents that had been shared with First American. Many of these documents contained sensitive data, such as social security numbers, financial records and driver’s licenses, which the journalist who published the article later that day described as “a virtual gold mine for phishers and scammers.”

  • DOJ Announces Civil Cyber-Fraud Initiative to Combat Cybersecurity Threats

    DOJ launches new initiative that promises to use the False Claims Act to combat cybersecurity threats by targeting government contractors who knowingly fail to comply with cybersecurity protocols.

  • Bipartisan Senators Introduce the Cyber Incident Notification Act of 2021

    On July 21, 2021, Senator Mark Warner (D-VA), chair of the Senate Intelligence Committee, and a bipartisan group of co-sponsors including Senator Marco Rubio (R-FL) and Senator Susan Collins (R-ME), formally introduced the Cyber Incident Notification Act of 2021. In light of high-profile cybersecurity incidents such as the Colonial Pipeline attack, the Act aims to require companies and federal agencies to quickly report cybersecurity intrusions to the Federal Government.

  • Colorado’s Emergent Consumer Privacy Bill Introduces Chance to Opt Out of Data Processing

    On June 8, 2021, the Colorado Senate passed SB 21-190, a comprehensive consumer privacy bill. Signed into law on July 7, 2021, the bill gives consumers the right to opt out of the processing of their personal data and to request that personal data be corrected or deleted.

  • China Publishes New Draft Regulations on Data Security Management of Automobile Operators to Protect Privacy

    On May 12, 2021, the Cyberspace Administration of China (CAC) published the Several Regulations on the Management of Automobile Data Security (Draft for Comment) (Draft Regulations). The Draft Regulations are open for public comment until June 11, 2021. According to the CAC’s statement, due to growing concerns over personal data security and privacy protection in the People’s Republic of China (PRC), the Draft Regulations aim to strengthen protection of personal information and important data in automobile-related activities, as well as safeguard national security and the public interest. Below is our summary of the highlights of the Draft Regulations.

  • Cybersecurity Executive Order Will Impact Government Contractors

    President Biden’s new Executive Order to improve cybersecurity involves a particular focus on federal government and contractor systems.

  • COVID-19 Business Interruption Losses: Time is of the Essence to Pursue Coverage

    The United States declared a national emergency in response to COVID-19 on March 13, 2020, and states quickly followed with stay-at-home orders that impacted businesses and institutions nationwide. More than 10 months have passed since the COVID-19 pandemic emerged in the United States and the prevalence of the virus has had significant impacts, not only with respect to the number of people infected and lives lost, but also to the widespread physical damages and economic losses suffered by businesses.

  • Copyright Small-Claims Court Established by Congress in the CASE Act

    According to Register of Copyrights in its 2013 Report on Copyright Small Claims, “small claims issues are anything but small. On the contrary, they present a range of complex considerations, from constitutional constraints to procedural concerns to questions of what claims should be eligible for alternative treatment.” Before the recently enacted CASE Act, there had not been a small-claims court with jurisdiction to hear copyright claims.

  • Congressional and Government Investigations in 2021: What to Expect from the Biden-Harris Administration and How to Prepare

    Government investigations pose many risk management challenges. They are unpredictable, political and often public. If handled incorrectly, they can last for many years, spiral into multiple Congressional, criminal, and/or regulatory investigations at the state and federal levels, and generate serious reputational harm. Potential targets can take proactive steps to mitigate their risks.

  • China Publishes Import License List and Export Control List for Commercial Encryption

    One day after China’s new Export Control Law took effect, on December 2, 2020, China’s Ministry of Commerce (MOFCOM), the State Cryptography Administration (SCA) and the General Administration of Customs (GAC) jointly issued an Announcement on the Issuance of Import Licensing List, Export Control List and Related Administrative Measures for Commercial Encryption (Encryption Announcement) to restrict commercial encryption products and related technology. The Encryption Announcement takes effect on January 1, 2021, and includes: (1) a list of commercial encryption items subject to import licensing requirement (Encryption Import List); (2) a list of commercial encryption items subject to export control (Encryption Export List); and (3) procedures for the application of import and export licensing of commercial encryption (Encryption Licensing Procedures).

  • Cookies and Tracking Under Increased Scrutiny as Irish Data Regulator Issues New Enforcement Guidance

    Businesses tracking website visitors and customers via cookies and other techniques are reminded that this is an area of increased scrutiny and many prior practices won’t be acceptable. Regulators have signalled changes need to be made to comply and they will increase enforcement.

  • New York Expands Cybersecurity and Data Breach Law

    On July 25, 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act), which broadens the scope of existing New York breach notification and data protection laws that trigger notification to affected consumers. The New York Attorney General will enforce the SHIELD Act (S.5575B/A.5635), which extends the reach of New York law breach notification requirements to any person or entity with private information of a New York resident, regardless of whether the breached company conducts business in New York State. This provision could significantly extend the reach of those companies that will be subject to New York reporting requirements. The law also broadens the definition of breach, expanding a data breach to any situation involving unauthorized “access” to confidential information regardless of whether such data is “acquired.” The SHIELD Act does not create a private cause of action; however, the New York Attorney General may bring an action for civil penalties or to enjoin unlawful practices. The SHIELD Act also expands the time period within which the New York Attorney General may bring an action from two to three years. Penalties for violation of the data breach provisions can be imposed in the amount of the greater of $5,000 or up to $20 per instance of a failed notification, up to $250,000. Penalties for failing to adopt reasonable safeguards can be imposed up to $5,000 per violation.

  • Countdown to CCPA #2: GDPR Compliance Does Not Equal CCPA Compliance

    The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020. The Act grants “consumers” (any California resident regardless of whether there is a customer or any other relationship with the covered business) five new rights respecting their personal information.

  • Countdown to CCPA: Do You Know Where Your Data Is?

    It’s January 2, 2020, and you just received 25 requests asking for disclosure about your data collection, use and sharing practices and for a copy of the specific pieces of personal information you collected about the requesting individuals during the last 12 months. You have 45 days to respond. What do you do? Close down the business so you can find the information? By being prepared you can avoid a crisis.

  • The Deadline Looms for New York Cybersecurity Regulations Vendor Compliance Requirements

    Financial institutions regulated by the New York Department of Financial Services (DFS)—referred to in this post as “Covered Entities”—should by now be well familiar with the department’s sweeping cybersecurity regulation, 23 NYCRR 500, that became effective on March 1, 2017. The regulation delves into a level of detail (e.g., multi-factor authentication and encryption requirements) and requires a level of senior level attention (e.g., annual attestation of compliance, signed by the Board of Directors or a Senior Officer) heretofore unseen in U.S. federal or state regulations.

  • Pillsbury's Post-Election Outlook

    The 2018 Midterm Election played out as most poll forecasters speculated. Although several races have yet to be decided, Republicans have retained control of the Senate, but lost at least 29 seats, allowing the Democrats to wrest back control of the House for the first time since 2010.

  • 2018 Election Night Guide

    Pillsbury’s Political Law and Government Law & Strategies groups break down the need-to-know numbers for this year’s election. Pillsbury’s biennial Election Night Guide examines the potential outcomes for the 2018 Congressional and Governor’s races. Our Public Policy team is also preparing a post-election guide that will be useful in navigating potential changes in Congress.

  • New EU Data Laws—What Nonprofit Organizations Need To Know

    Nonprofit organizations can often handle large amounts of data originating in the EU. Though it is a common misconception that nonprofits are exempt from GDPR compliance, the fact is they are not.

  • Blockchain and the Legal Landscape

    In this video, Pillsbury partner Mercedes Tunstall discusses some of the important legal issues to consider when exploring a blockchain solution.

  • Oh No, Mr. Robot Just Hacked Our Smart Building…

    Despite some very real-world examples, such as a 2017 breach of Dallas' emergency siren system, there seems to be little recognition of the security risk that connected buildings and smart cities entail.

  • Top Ten Emerging Trends in Pay Ratio Disclosure

    Preliminary trends are emerging from the pay ratio disclosures filed by U.S. public companies in 2018.

  • Court of Appeals Rolls Back Portions of the FCC’s 2015 Robocall and Text Ruling

    A recent Court of Appeals decision will rescind some aspects of the Telephone Consumer Protection Act and have significant implications for businesses contacting consumers by telephone or text.

  • Safety from Hackers—and Trial Lawyers

    A simple legislative fix would shield cybersecurity innovators from costly nuisance lawsuits.

  • European Businesses Offering Payment Services Told How to Manage Operational and Security Risks

    The European Banking Authority has unveiled nine operational and risk management guidelines with which all payment services providers are expected to comply.

  • December 31, 2017 Deadline for Cybersecurity under DFARS 252.204-7012 Re-Interpreted

    With the December 31 deadline for cybersecurity compliance just around the corner, the Department of Defense has clarified some of its expectations.

  • Time Is of the Essence: Multinational Companies Must Respond to Cyber Regulation

    Cyberinsurance could help mitigate risk for companies impacted by the new EU General Data Protection Regulation when it takes effect in May.

  • EU Data Transfer Solutions Under Further Judicial Scrutiny – What Next For Model Contract Clauses?

    Many organizations rely on MCCs to transfer personal data worldwide. That's why data exporters await an EU ruling on the issue with bated breath.

  • The ICO’s Draft Guidance Leaves Unanswered Questions on Processor Obligation to Notify Infringing Instructions

    One GDPR requirement has been a particular source of angst for commercial and data protection professionals--especially those acting for processors and sub-processors.

  • Cyberattacks Are the New Norm

    Attorneys general are increasingly launching investigations and filing lawsuits against companies whose customer databases have been stolen. Because of the significant possibility of government action, companies should fully understand their liability insurance policies, obligations and risks.

  • Disclose or Else: FTC Steps Up Prosecution of Social Media Influencers

    In September 2017, the Federal Trade Commission brought its first-ever action against a social media influencer for failing to make appropriate disclosures on sponsored posts. Going forward, anyone who posts sponsored material or even tags a brand in a post should seriously consider the possibility of FTC prosecution.

  • The Internet Stole My Face: New Advances in Technology Could Make Everyone a Digital Video Puppet

    Visual effects artists can create realistic digital replicas of actors that can be manipulated like puppets, and new developments in software technology could soon make digital puppetry accessible to the masses. Protections against unauthorized use of digital replicas can involve copyright or traditional tort claims, but if this technology continues to spread, the difficulty in controlling one’s own likeness will probably increase.

  • Keeping up with Cayla: Concerns over Interactive Toys Spur an FTC Update of COPPA Guidelines

    Consumer groups have filed a complaint alleging that My Friend Cayla, an internet-connected doll, violates the Children’s Online Privacy Protection Act (COPPA) by facilitating the collection of children’s communications and uploading them for commercial use without verifiable parental consent. The Federal Trade Commission’s June 2017 update to COPPA added internet-connected toys, children’s products that collect personal information, and voice-activated devices to the products and services covered.

  • Executive Order on Cybersecurity: Considerations for Business

    The long-awaited Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure represents the Trump Administration’s first significant action to support cybersecurity and protect critical infrastructure, and the initial days after its release generated a flurry of questions on the specifics of the White House’s cyber agenda.

  • With GDPR, Companies Must Act Now

    Pillsbury’s European Data Privacy & Cybersecurity practice leader Rafi Azim-Khan talks to Bloomberg BNA about the global impact of the EU General Data Protection Regulation. The interview explores expanded monetary risk and accountability under the GDPR, and what companies should—and should not—do to become GDPR-ready.

  • Don’t Rock the Vote: Helping State and Local Governments Fend Off Cyber Attacks

    Voting in local, state and national elections could be viewed as a rudimentary form of social media, by which voters share their views and preferences via selection of a candidate or party platform. The distance between this “old school” social media and its multi-headed modern form has shrunk thanks to the advent of electronic voting machines and online voting. But, as always, with the implementation of new technologies comes new risks.

  • Managing the Cybersecurity Risks of the Medical Internet of Things

    The cybersecurity ramifications of the Internet of Things (IoT) are perhaps nowhere more crucial--potentially a matter of life and death, in fact--than in the realm of medical devices. Until recent times, a potential hack of the data-sharing that is a hallmark of the IoT raised far more privacy concerns than actual health risks. However, as medical devices begin to evolve and make use of the connectivity of the IoT, this balance may change.