On 3 February 2025, the European Commission (“EC”) published an updated version of its frequently asked questions (“FAQs”) on the EU Data Act.[1] The Data Act, which is intended to make data more accessible to users of IoT devices in the EU, entered into force on 11 January 2024 and will become generally applicable as of 12 September 2025.Continue Reading Data Act FAQs – Key Takeaways for Manufacturers and Data Holders
Enforcement
New York Legislature Passes Health Data Privacy Bill
By Daniel Ilan, Melissa Faragasso & Lara Castellino on
Last week, the New York legislature passed the New York Health Information Privacy Act (S929) (“NYHIPA” or the “Act”)[1]. The Act, which is currently awaiting the Governor’s signature, seeks to regulate the collection, sale and processing of healthcare information, akin to Washington’s My Health My Data Act.Continue Reading New York Legislature Passes Health Data Privacy Bill
Cybersecurity Disclosure and Enforcement Developments and Predictions
Posted in Cybersecurity, Enforcement
The following is part of our annual publication Selected Issues for Boards of Directors in 2025. Explore all topics or download the PDF.
The SEC pursued multiple high profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules. Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will need to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.Continue Reading Cybersecurity Disclosure and Enforcement Developments and Predictions
SEC Charges Four Companies Impacted by Data Breach with Misleading Cyber Disclosures
By Rahul Mukhi, Francesca L. Odell, Helena K. Grannis, Lillian Tsu, Tom Bednar & Ryken Kreps on
On October 22, 2024, the SEC announced settled enforcement actions charging four companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. These cases mark the first to bring charges against companies who were downstream victims of the well-known cyber-attack on software company SolarWinds. The four companies were providers of IT services and digital communications products and settled the charges for amounts ranging from $990,000 to $4 million.Continue Reading SEC Charges Four Companies Impacted by Data Breach with Misleading Cyber Disclosures
DOJ Brings Lawsuit Against TikTok Over Alleged Violations of the Children’s Online Privacy Protection Act
By Daniel Ilan, Marcela Robledo & Melissa Faragasso on
Following on the heels of major developments coming out of the Senate last week to advance privacy protections for children online, the Department of Justice (“DOJ”) officially filed a lawsuit on Friday against TikTok, Inc., its parent company, ByteDance, and certain affiliates (collectively, “TikTok”), over alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (the “COPPA Rule”) as well as an existing FTC 2019 consent order (the “2019 Order”) alleging violations of the same.[1]Continue Reading DOJ Brings Lawsuit Against TikTok Over Alleged Violations of the Children’s Online Privacy Protection Act
Cybersecurity Law Enters Into Force
By Giuseppe Scassellati-Sforzolini, Andrea Mantovani, Bernardo Massella Ducci Teri, Federica Mammì Borruto, Marco Accorroni, Paola Maria Onorato, Giulia Checcacci & Elena Galimberti on
On July 17, 2024, Law No. 90/2024 containing provisions for strengthening national cybersecurity and addressing cybercrime (the “Cybersecurity Law”) entered into force.Continue Reading Cybersecurity Law Enters Into Force
EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond
On March 7, 2024, the Court of Justice of the European Union (the “CJEU”) handed down its judgment in the IAB Europe case, answering a request for a preliminary ruling under Article 267 TFEU from the Brussels Market Court.[1] The case revolves around IAB Europe’s Transparency and Consent Framework (“TCF”) and has been closely monitored by the AdTech industry ever since the Belgian DPA investigated and subsequently imposed a 250,000 euro fine on IAB Europe for alleged breaches of GDPR and e-Privacy rules back in 2022.[2]Continue Reading EU Court of Justice confirms earlier case law on broad interpretation of “personal data” and offers extensive interpretation of “joint controllership”, with possible broad ramifications in the AdTech industry and beyond
Biden Administration Executive Order Targets Bulk Data Transactions
The Biden administration recently issued Executive Order 14117 (the “Order”) on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” Building upon earlier Executive Orders[1], the Order was motivated by growing fears that “countries of concern” may use artificial intelligence and other advanced technologies to analyze and manipulate bulk sensitive personal data for nefarious purposes. In particular, the Order notes that unfettered access to American’s bulk sensitive personal data and United States governmental data by countries of concern, whether via data brokers, third-party vendor agreements or otherwise, may pose heightened national security risks. To address these possibilities, the Order directs the Attorney General to issue regulations prohibiting or restricting U.S. persons from entering into certain transactions that pose an unacceptable risk to the national security of the United States. Last week, the Department of Justice (“DOJ”) issued an Advance Notice of Proposed Rulemaking, outlining its preliminary approach to the rulemaking and seeking comments on dozens of issues ranging from the definition of bulk U.S. sensitive personal data to mitigation of compliance costs. Continue Reading Biden Administration Executive Order Targets Bulk Data Transactions
New Privacy Laws Enacted in New Jersey and New Hampshire
On January 16, 2024, New Jersey officially became one of a growing number states with comprehensive privacy laws, as Governor Phil Murphy signed Senate Bill 332 (the “New Jersey Privacy Act”) into law.[1] New Hampshire followed closely behind, with its own comprehensive privacy law, Senate Bill 255 (the “New Hampshire Privacy Act” and, together with the New Jersey Privacy Act, the “Acts”), signed into law by Governor Chris Sununu on March 6, 2024.[2] Continue Reading New Privacy Laws Enacted in New Jersey and New Hampshire
Proposed Rulemaking by U.S. Department of Commerce Introduces New Obligations on U.S. IaaS Providers and Foreign Resellers to Curb Malicious Cyber-Enabled Activities
By Lindsay Harris, Daniel Ilan, Chase D. Kaniecki & Yulia A. Solomakhina on
Posted in Cybersecurity, Enforcement
On January 29, 2024, the U.S. Department of Commerce (“Commerce”) published a notice of proposed rulemaking (the “Notice”) seeking comments on proposed rules promulgated by Commerce’s Bureau of Industry and Security (“BIS”) and newly-created Office of Information and Communications Technology and Services to implement Executive Order 14110, the Biden Administration’s October 2023 executive order on artificial intelligence (“AI”) (“E.O. 14110”, see our prior alert here)[1]. The Notice also implements Executive Order 13984, a 2021 executive order relating to malicious cyber-enabled activities (“E.O. 13984”) (with respect to which Commerce had already issued an advanced notice of proposed rulemaking)[2]. Continue Reading Proposed Rulemaking by U.S. Department of Commerce Introduces New Obligations on U.S. IaaS Providers and Foreign Resellers to Curb Malicious Cyber-Enabled Activities