On August 15, 2024, the Department of Defense (DoD) published a proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program rule. The CMMC 2.0 program provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection
United States
White House Releases National Cybersecurity Strategy Implementation Plan, Version 2
On May 7, 2024, the Biden Administration released the second version of the National Cybersecurity Strategy Implementation Plan as well as the first Report on the Cybersecurity Posture of the United States. These actions reflect the Administration’s continued focus on enhancing the cybersecurity of critical infrastructure and software as well as its work to…
US DOD Issues Class Deviation Delaying DFARS Implementation of Upcoming NIST SP 800-171, Revision 3
On May 2, 2024, the Department of Defense (DoD) issued a class deviation to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
The deviation relates to contractors’ compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which is currently undergoing a revision. The deviation changes the requirement that contractors…
Chairs of House and Senate Commerce Committees Announce Consumer Privacy Legislation
Last month, two key members of Congress released a draft of the American Privacy Rights Act (“APRA”), comprehensive legislation that would change the landscape of consumer privacy law in the United States. If passed, APRA would create a national standard governing the collection, use, and disclosure of consumer personal information. It would also preempt a…
Proposed Rule Issued to Implement Cyber Incident Reporting for Critical Infrastructure Act
On March 27, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) within the US Department of Homeland Security released a much-anticipated notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the proposed rule, covered entities will have 72 hours to report to CISA a “covered…
New Hampshire Enacts Privacy Law
On March 6, 2024, New Hampshire Governor Chris Sununu signed SB 255 into law, making the Granite State the latest to enact a comprehensive privacy law—the 15th state, if you count Florida’s privacy law of narrower applicability.
New Hampshire’s privacy law goes into effect January 1, 2025 and applies to persons that conduct business in…
President Biden Issues Executive Order Empowering DOJ to Regulate the Export of Sensitive Personal Data
On February 28, 2024, President Joe Biden issued Executive Order (“EO”) 14117, empowering the Department of Justice (DOJ) to regulate the export of certain consumer data, in order to prevent certain countries’ governments from obtaining bulk sets of especially sensitive personal data. The EO, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United…
New Jersey Enacts Privacy Law
On January 16, 2024, Governor Philip D. Murphy signed into law the New Jersey Data Privacy Act (the “Privacy Act”), which goes into effect on January 15, 2025.
More Than a Ban on Facial Recognition Use: The US FTC’s Rite-Aid Action and Proposed Stipulated Order
As we previewed in our prior Legal Update, the Federal Trade Commission (“FTC”) warned businesses of its stance on the use and collection of biometric information in a May 2023 policy statement. Now, an enforcement action filed earlier this week offers insight into the potential consequences for businesses that do not comply with the…
Federal Trade Commission Proposes Rule Changes to Address Children’s Online Privacy
On December 20, 2023, the Federal Trade Commission (“FTC”) issued a Notice of Proposed Rulemaking (“NPRM”) that would make significant changes to the Children’s Online Privacy Protection Rule (“COPPA Rule”), which implements the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The proposed rule would make a number of changes intended to expand the COPPA…