Data Security

employee-scaled.jpeg

With three new state privacy laws that took effect on January 1, 2026 (Indiana, Kentucky, and Rhode Island), adding to an extensive list of others, many organizations are discovering that their website privacy practices haven’t kept pace. Even those that updated their websites recently are finding hidden gaps, often due to unnoticed changes in technological tools and files, such as first and third-party cookies, third-party analytics software, and/or third-party scripts, tags, and pixels. A website audit can prevent enforcement issues and potential litigation or arbitration demands.

In October 2023, California passed the Delete Act, which, in addition to requiring data brokers to register with the state, directed Cal Privacy (f/k/a the California Privacy Protection Agency or CPPA) to create a data deletion software tool by January 1, 2026. This deletion software tool, now called the Delete Request and Opt-Out Platform (DROP), allows California residents to submit a single request to require all registered data brokers to 1) delete their personal information, and 2) stop selling or sharing that information through one verified, government‑administered process, rather than contacting hundreds of companies individually.

Key point: Historically, civilian‑agency contractors who handled Controlled Unclassified Information (CUI) enjoyed an informal compliance environment, with a requirement to adhere to NIST SP 800‑171 often framed as self‑attestation. That world is now decisively over, with the GSA following a path similar, but not identical, to the DoD’s CMMC requirements.

Key point: Recent legislative efforts in Massachusetts, seeking to add another comprehensive data privacy law to the national patchwork of state laws, and in California enacting a law to regulate AI development, occurred this week when the Massachusetts Senate unanimously sent Senate Bill 2608 to the state House, and California enacted the nation’s second substantive state law regulating AI.

Keypoint: To advance the National Cybersecurity Strategy, the Office of the National Cyber Director is soliciting public comments to harmonize cybersecurity regulations, with comments due by October 31, 2023.

In March 2023, the White House released its National Cybersecurity Strategy (NCS), which envisions two changes in how the United States allocates roles, responsibilities, and resources in cyberspace:

  • Rebalancing the responsibility to defend cyberspace; and
  • Realigning incentives towards long-term investments to reward security and resilience.

This rebalance and realignment explicitly acknowledges that collaboration between private and public sector stakeholders will be necessary.

Keypoint: President Biden shows a strong preference for the cybersecurity expertise of former National Security Agency (NSA) leaders with his choices for significant cyber roles within his administration.

On April 12, 2021, the White House announced that President Biden selected two individuals to join his administration in the area of cybersecurity. Mr. Chris Inglis is nominated to be the first national cyber director, and Ms. Jen Easterly is nominated to serve as the new director of the Cybersecurity and Infrastructure Security Agency (CISA). Both positions require confirmation by the U.S. Senate.

creditcards1iStock_000036595886_Large

Keypoint: April 12, 2021 is the deadline to comment on a proposed rule that would require banking organizations and bank service providers to promptly report computer-security incidents.

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively the “agencies”) are requesting public comment on a proposed rule requiring banks to notify the applicable agency within 36 hours when the banks believe in good faith that a significant cybersecurity event has occurred. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2399 (Jan. 12, 2021).

Keypoint: As leadership at the CFPB shifts, responses to the CFPB’s Notice of Proposed Rulemaking to implement Section 1033 of the Dodd Frank Act looms.

More than a decade ago, the Dodd Frank Act created the Consumer Financial Protection Bureau (CFPB) and gave it authority to promulgate rules implementing Section 1033 of the Act. Under Section 1033, upon request, a financial services provider “shall make available to a consumer information in its control or possession concerning the product or service that the consumer has obtained, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”

Key Point: The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Resulting in Zoom Promising to Implement an Information Security Program, Resembling the SHIELD Act

Key point: The Letter of Agreement between the New York Attorney General and Zoom Video Communications, Inc. provides insight into what the Attorney General may consider satisfying the Reasonable Safeguards requirement under the SHIELD Act.

On May 7, 2020 Zoom Video Communications, Inc. (Zoom) became the first company to experience one of the new enforcement tools available to the New York Attorney General’s Office (NYAG) under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The SHIELD Act took effect on March 21, 2020, and requires any person or business owning or licensing computerized data containing the private information of a New York resident “to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information.” GBL § 899-BB(2).