Data Dive

On March 12, 2024, the Department of Defense (DoD) finalized a rule to open its Defense Industrial Base (DIB) Cybersecurity (CS) Program to all defense contractors who own or operate an unclassified information system that processes, stores or transmits covered defense information.^[1]This will allow said contractors to benefit from the DIB CS Program bilateral information sharing arrangement to keep informed about impending cyberthreats.

On October 30, 2023, the Biden administration released a far-reaching executive order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI). The EO issues directives related to the use of AI across several areas, with special attention paid to the critical areas of cybersecurity and data privacy. Here, we discuss the EO directives pertaining to data privacy and cybersecurity. For a general overview of the EO, Akin’s coverage is available here.

On 7 November 2023, in the King’s Speech, the UK government announced three draft laws aimed at supporting tech companies’ growth and competitiveness: the Automated Vehicles Bill (AV Bill), the Digital Markets, Competition and Consumers Bill (DMCC Bill), and the Data Protection and Digital Information Bill (DP Bill). Expected to be passed in the next 12 months, these laws, as the government says, are focused on modernising regulation so that innovative firms can thrive in the United Kingdom, while at the same time protecting consumers and enhancing users’ trust in new technologies. The proposed comprehensive legal frameworks aspire to position the UK as one of the global leaders on the tech regulation scene, ostensibly more business friendly than the European Union. As anticipated, and in contrast to the EU, there is no immediate plan to adopt a new wide-ranging Artificial Intelligence law, with existing laws continuing to operate as applicable. Firms that want to invest in, deal with or deploy new technologies across the globe should be aware of the UK legal landscape in order to assess and explore opportunities. We highlight a few pertinent points of the three laws in this alert.

SolarWinds, an Austin-based technology company that provides customers with network monitoring software, and Timothy Brown, SolarWinds’ Chief Information Security Officer (CISO), were charged by the Securities and Exchange Commission (SEC) alleging fraud and internal control failures relating to known cybersecurity risks that culminated in a nearly two-year long cyberattack against SolarWinds and some of its customers.

A recent uptick in enforcement and regulatory activity related to cybersecurity is reshaping the landscape. The Federal Acquisition Regulatory Council’s proposed rules increasing cybersecurity requirements for government contractors could open your business up to new or increased FCA liability. Amid this rising cyber-related FCA activity, government-contracted tech companies and other organizations receiving government funds must understand how regulators and private whistleblowers alike are using the FCA to enforce required cybersecurity standards.

The Implementing Regulations of the Personal Data Protection Law and the Regulations on Personal Data Transfer outside the Geographical Boundaries of the Kingdom (together, the Regulations) were recently issued by the Saudi Authority for Data and Artificial Intelligence. We set out in this post the key features of the Regulations.

The Information Commissioner’s Office (ICO), the personal data protection authority in the United Kingdom (UK), is running a public consultation on its draft guidance on biometric data which covers the requirements under the UK General Data Protection Regulation (GDPR) (similar to the EU GDPR, with extraterritorial reach) for such data. Vendors or users of biometric recognition systems, including both controllers and processors, would be required to comply with the guidance once finalized. As the definition of biometric data is relatively broad and includes, for example, a person’s voice or face that have been analysed using technology for the purposes of identifying such person, the draft guidance is likely to apply to a wide range of companies across all industry sectors in and outside the UK. The consultation includes 20 questions and we encourage participation, via completing the survey, or by downloading the word document through this link and forwarding the response to biometrics@ico.org.uk. The ICO will close the consultation on 20 October 2023.

On October 8, 2023, Gov. Gavin Newsom (D-CA) signed Assembly Bill 947 (AB 947) into law, adding citizenship and immigration status to the California Consumer Privacy Act’s (CCPA) definition of “sensitive personal information.” AB 947 was first introduced in February 2023 but amended in March 2023 to focus on amendments to expand the definition of “sensitive personal information.”