As we previewed in our prior Legal Update, the Federal Trade Commission (“FTC”) warned businesses of its stance on the use and collection of biometric information in a May 2023 policy statement. Now, an enforcement action filed earlier this week offers insight into the potential consequences for businesses that do not comply with the

On December 20, 2023, the Federal Trade Commission (“FTC”) issued a Notice of Proposed Rulemaking (“NPRM”) that would make significant changes to the Children’s Online Privacy Protection Rule (“COPPA Rule”), which implements the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The proposed rule would make a number of changes intended to expand the COPPA

On December 12, 2023, the Department of Justice (DOJ) issued guidelines for companies to follow in requesting that the Attorney General authorize delays of cyber incident disclosures required by the U.S. Securities and Exchange Commission (“SEC”) pursuant to Form 8-K Item 1.05.

In July, the SEC finalized a rule (the “Final Rule”), which comes

On November 1, 2023, the New York Department of Financial Services (“NYDFS”) finalized the amendment to its cybersecurity regulation (the “Amendment”). The Amendment expands cybersecurity requirements across many areas—from governance to incident response to access controls.

The Amendment follows the three published drafts: two proposals published for formal notice and comment in November 2022 and

On October 30, 2023, President Joe Biden issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the “AI EO”). Directing numerous actions by federal agencies, the AI EO reflects the Biden Administration’s intent to employ a range of legal and policy tools to promote US leadership on artificial

The Second Amendment to the New York Department of Financial Services’ (“NYDFS”) Cybersecurity Requirements for Financial Services Companies (the “NYDFS Requirements”) is expected to be published in final form in the next two weeks. The Second Amendment will follow updated proposed amendments to the NYDFS Requirements published on June 28, 2023 (the “2023 Proposal”),

On 13 September 2023, negotiations began between European institutions to adopt the text of the EU Cyber Resilience Act (the “CRA”). If adopted, the CRA will impose a set of software security, cybersecurity, and vulnerability management requirements on products with digital elements (i.e., software or hardware products and their remote data processing solutions) placed on

On September 25, 2023, the Consumer Financial Protection Bureau (“CFPB”) began its most substantial Fair Credit Reporting Act (“FCRA”) rulemaking yet with an outline of proposed changes to Regulation V, which implements FCRA, ahead of the Bureau’s Small Business Advisory Review Panel. The proposals under consideration could have a substantial impact on the data

Cybersecurity Awareness Month is a good time to highlight one trend in federal efforts to address cyber risk: proscriptive regulation of the information and communications technology and services (“ICTS”) supply chain.

Supply chain risk management is a broad field encompassing, among other things, federal efforts to improve software security, and proposals to revise the FAR