On August 15, 2024, the Department of Defense (DoD) published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule. The CMMC 2.0 program provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection of unclassified information within the DoD supply chain.

Comments on this proposed rule can be submitted within a 60-day comment period, which ends on October 15, 2024.


The Network and Information Security 2 Directive (EU) 2022/2555 (“NIS2”) entered into force on 16 January 2023. NIS2 sets cybersecurity rules for organizations whose services are considered essential or important for maintaining critical societal and economic activities, such as ensuring the flow of energy or financial transactions. As a Directive, NIS2 must be transposed into the national laws of the EU Member States before it takes effect for the organizations it covers. NIS2 generally requires Member States to adopt national implementing measures by 17 October 2024 and to apply those measures from 18 October 2024.

This Legal Update provides a brief overview of the key points of NIS2 and shows the current status of implementation in the EU Member States.


The rapid development of Artificial Intelligence (AI) has generated much excitement over the past two years. Since the public launch of OpenAI’s ChatGPT on 30 November 2022, generative AI and its capabilities have been at the forefront of the public consciousness, with AI making headlines on a daily basis.

However, the advancement and increased adoption of AI have also brought about unprecedented challenges for businesses and regulators, particularly in relation to personal data. A number of regulators in Asia have issued guidance on AI, and on 11 June 2024, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) joined them by issuing the “Artificial Intelligence: Model Personal Data Protection Framework” (Model Framework). The release of the Model Framework follows the PCPD’s previous Guidance Note titled “Guidance on the Ethical Development and Use of Artificial Intelligence” (Ethical AI Guidance Note), issued in August 2021, and the Office of the Government Chief Information Officer’s “Ethical Artificial Intelligence Framework”, first released in September 2022 and last updated in August 2023.


With the announcement of the UK General Election for Thursday 4 July 2024, the Data Protection and Digital Information Bill will not complete the legislative process before the end of the current parliamentary session and will therefore not become law.

The Bill would have reformed the UK’s data protection regime, reducing some of the regulatory burden on UK businesses. Our Legal Update has more information about the changes the Bill would have introduced.


On May 7, 2024, the Biden Administration released the second version of the National Cybersecurity Strategy Implementation Plan as well as the first Report on the Cybersecurity Posture of the United States. These actions reflect the Administration’s continued focus on enhancing the cybersecurity of critical infrastructure and software as well as its work to counter both established threats like ransomware and emerging threats from artificial intelligence. Companies across sectors should continue to monitor how implementation of the National Cybersecurity Strategy and evolving risks affect how best to respond to cyber threats and manage associated legal risks.


On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

The deviation relates to contractors’ compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is currently undergoing a revision. DFARS 252.204-7012 otherwise requires contractors to comply with the version of NIST SP 800-171 in effect at the time the government issues a solicitation. Under the deviation, contractors are instead directed to comply with NIST SP 800-171, Revision 2 (i.e., the current version) until the deviation is rescinded, so the pending revision does not automatically flow into new solicitations. The deviation is effective immediately.


Last month, two key members of Congress released a draft of the American Privacy Rights Act (“APRA”), comprehensive legislation that would change the landscape of consumer privacy law in the United States. If passed, APRA would create a national standard governing the collection, use, and disclosure of consumer personal information. It would also preempt a number of state laws, notably including the Illinois Biometric Information Privacy Act (“BIPA”) and Genetic Information Privacy Act (“GIPA”), although the draft includes Illinois-specific provisions that parallel those statutes in part and allow enforcement under them to continue in certain situations. The draft bill was proposed by Rep. Cathy McMorris Rodgers (R-WA), the chair of the House Committee on Energy and Commerce, and Sen. Maria Cantwell (D-WA), the chair of the Senate Committee on Commerce, Science and Transportation.


The Information Commissioner’s Office (the “ICO”) has clarified the methods it will use to calculate the fines it issues for breaches of data protection law in the UK by publishing its latest Data Protection Fining Guidance (the “Guidance”) on 18 March 2024.

The ICO oversees compliance with the UK data protection law, including the Data Protection Act 2018 (the “Act”) and the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”) (together, the “UK Data Protection Law”). The Act empowers the ICO to issue penalty notices for breaches of the UK Data Protection Law, with the maximum amount being the higher of £17,500,000 or 4% of the concerned undertaking’s total worldwide turnover.


On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) within the US Department of Homeland Security released a much-anticipated notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the proposed rule, covered entities would have 72 hours to report a “covered cyber incident” to CISA and 24 hours to report a ransom payment (even if the payment is not associated with a covered cyber incident). The proposed rule, if adopted in its current form, would substantially expand existing US cyber incident reporting requirements and have important implications for how covered companies respond to cyber incidents, including how quickly they must be able to determine that an incident meets the reporting threshold. CISA expects to publish a final rule by late 2025, with reporting likely beginning in 2026.


When the UK Online Safety Act (the “Act”) became law on 26 October 2023, it established one of the most comprehensive online safety regulatory frameworks in the world. The Act’s intention is to make the use of online services safer for individuals in the United Kingdom, especially children. It introduces a long list of new duties for providers of online services. For example, providers will have to conduct appropriate risk assessments and implement “proportionate systems and processes” in relation to illegal content and content that is harmful to children. However, the exact scope of these duties will depend on the size of the service, its risk category, and the likelihood of the service being accessed by children.
