Earlier this week, the California Privacy Protection Agency (CPPA) and California Attorney General Rob Bonta announced the formation of a new bipartisan coalition called the Consortium of Privacy Regulators. This consortium...
The Department of Justice’s National Security Division (NSD) released several documents on April 11, 2025, to assist entities that must comply with the Final Rule regulating or prohibiting the transfer of bulk U.S. sensitive...
Three months into 2025, there appears to be no slowdown in the flood of privacy legislation being considered and enacted by both Congress and state legislatures. Since the California Consumer Privacy Protection Act was passed...
3/28/2025 / Biometric Information Privacy Act, California Consumer Privacy Act (CCPA), Corporate Counsel, Data Privacy, Federal Trade Commission (FTC), Health Care Providers, Online Safety for Children, Privacy Laws, Proposed Legislation, State Legislatures, State Privacy Laws
The Department of Justice (DOJ) released a Final Rule restricting certain transfers of Americans’ sensitive personal data to identified countries of concern or covered individuals. The Final Rule continues to assert the DOJ...
2/14/2025 / Cybersecurity, Cybersecurity Information Sharing Act (CISA), Data Privacy, Data Protection, Data Security, Department of Justice (DOJ), Executive Orders, Export Controls, Final Rules, Government Agencies, National Security, Personal Data, Regulatory Requirements
Paul Hastings released its SEC Cyber Incident Disclosure Report today, providing a unique look at how public companies have responded to new incident disclosure requirements. The Securities and Exchange Commission (SEC) approved...
12/19/2024 / Compliance, Cyber Attacks, Cyber Incident Reporting, Cybersecurity, Disclosure Requirements, Form 10-K, Form 10-Q, Form 8-K, Publicly-Traded Companies, Ransomware, Risk Management, Securities and Exchange Commission (SEC), Whistleblowers
On October 16, 2024, the New York Department of Financial Services (NYDFS) issued an industry letter entitled “Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks” in response to...
11/4/2024 / Artificial Intelligence, Covered Entities, Cyber Attacks, Cybersecurity, Data Management, Financial Services Industry, NYDFS, Risk Assessment, Risk Management, Social Engineering, Third-Party Risk
On October 15, 2024, the Department of Defense (“DoD”) published the final version of its rule implementing the Cybersecurity Maturity Model Certification (“CMMC”) Program under Title 32 of the Code of Federal Regulations...
10/24/2024 / Controlled Unclassified Information (CUI), Cybersecurity, Cybersecurity Maturity Model Certification (CMMC), Defense Contracts, Defense Sector, Department of Defense (DOD), DFARS, Federal Acquisition Regulations (FAR), Federal Contractors, NIST, Prime Contractor, Proposed Rules, Subcontractors
As we have previously written, late last year the New York Department of Financial Services (NYDFS) adopted long-awaited amendments to its Part 500 Cybersecurity Regulations (Part 500). These are some of the most significant...
The Department of Justice (DOJ) recently raised the stakes for businesses under investigation who use artificial intelligence (AI). The Evaluation of Corporate Compliance Program (ECCP) outlines the criteria to be considered...
On September 13, 2024, the Colorado Attorney General’s Office (AG) published proposed amendments to the Colorado Privacy Act (CPA) Rules that create new requirements for the collection and use of biometric data and children’s...
On September 4, 2024, the California Privacy Protection Agency (CPPA) issued an Enforcement Advisory on the importance of avoiding dark patterns. As we have previously written, dark patterns were first addressed in detail in...
On May 15, 2024, the Securities and Exchange Commission (the “SEC”) adopted amendments to Regulation S-P. Originally passed in 2000, Regulation S-P regulates the treatment of non-public personal information of consumers by...
6/5/2024 / Broker-Dealer, Customer Information, Cybersecurity, Data Breach, Financial Institutions, Incident Response Plans, Investment Adviser, Personal Information, Recordkeeping Requirements, Registered Investment Companies (RICs), Regulation S-P, Reporting Requirements, Securities and Exchange Commission (SEC)
In the rapidly evolving landscape of AI, the valuation and viability of AI companies are extensively tied to their intellectual property assets. For AI companies, safeguarding these assets is not just about legal...
5/30/2024 / Algorithms, Artificial Intelligence, California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Early Stage Companies, General Data Protection Regulation (GDPR), Infringement, Intellectual Property Protection, Investors, Open Source Software, Patent Examinations, Risk Management, Startups
On May 16, 2024, the Illinois Legislature passed SB 2979, which amends the Illinois Biometric Information Privacy Act (BIPA) to clarify that any person whose biometric identifier or biometric information is “scanned” by a...
Paul Hastings attended the spring 2024 Privacy+Security Forum hosted by Professors Daniel Solove and Paul Schwartz, where privacy professionals from all over the world gathered in Washington, D.C. to learn about the latest...
On March 27, 2024, the Cybersecurity & Infrastructure Security Agency (“CISA”) released proposed regulations requiring expansive new cybersecurity incident and ransomware payment reporting across sixteen “critical...
4/2/2024 / Critical Infrastructure Sectors, Cyber Attacks, Cyber Incident Reporting, Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), Cybersecurity, Cybersecurity Information Sharing Act (CISA), Data Breach, Data Security, Department of Defense (DOD), DFARS, Federal Information Security Modernization Act (FISMA), Healthcare, Information Technology, NERC, Popular, Proposed Regulation, Ransomware, Reporting Requirements, Water
Federal jurisdiction under the Gramm Leach Bliley Act (“GLBA”) is a patchwork, particularly for banks – the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency all...
On October 3, 2023, the Federal Acquisition Regulatory (“FAR”) Council released two draft rules which would impose new cybersecurity requirements for federal contractors. Comment periods for both proposed rules were slated to...
The New York Department of Financial Services (NYDFS) adopted a long-expected amendment to its Part 500 Cybersecurity Regulations (Part 500) this week. These are the first significant changes to Part 500 since its inception...
On October 30, 2023, the Biden-Harris Administration unveiled a sweeping Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI). The Executive Order represents the most...
11/1/2023 / Artificial Intelligence, Biden Administration, Consumer Protection Laws, Critical Infrastructure Sectors, Cybersecurity, Directorate of Defense Trade Controls (DDTC), Executive Orders, Healthcare, Immigration Procedures, National Security, NIST, Popular, Risk Management, U.S. Commerce Department
As we enter into the final few months of the year, it is important for companies operating in the United States to not only assess the implementation of the compliance requirements for the four new comprehensive state privacy...
11/1/2023 / Consumer Privacy Rights, Corporate Counsel, Cybersecurity, Data Privacy, Data Protection, Employee Privacy Rights, GLBA Privacy, Health Insurance Portability and Accountability Act (HIPAA), Opt-Outs, Private Right of Action, State Privacy Laws
Earlier this month the Federal Acquisition Regulation (“FAR”) Council released two draft rules which would impose new cybersecurity requirements for federal contractors. The proposed rules, Cyber Threat and Incident Reporting...
10/25/2023 / Comment Period, Controlled Unclassified Information (CUI), Cyber Incident Reporting, Cyber Threats, Cybersecurity, Cybersecurity Information Sharing Act (CISA), Data Preservation, Executive Orders, Federal Acquisition Regulations (FAR), Federal Contractors, Information Technology, Popular, Proposed Rules, Software, Subcontractors
The SEC’s Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure Rules were officially published in the Federal Register on August 4, 2023 and go into effect on September 5, 2023....
On July 26, 2023, the U.S. Securities and Exchange Commission adopted enhanced disclosure requirements regarding cybersecurity risk management, strategy, governance and incident reporting for public companies. The final rules...
Oregon is the latest state to join the growing patchwork of U.S. state privacy laws. On July 18, 2023, the Oregon Governor signed S.B. 619, enacting what will become the eleventh state privacy law. The Oregon law follows many...