Data Dive

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).¹

In May, the National Institute of Standards and Technology (NIST) issued updated recommendations for security controls for controlled unclassified information (CUI) that is processed, stored or transmitted by nonfederal organizations using nonfederal systems, (NIST Special Publication 800-171 (SP 800-171), Revision 3). These security requirements are “intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.”¹ While these new controls are only applicable to nonfederal entities that agree to comply with the new issuance, Revision 3 signals the next phase of expected security for government contractors.

In September 2023, Delaware became the seventh state in 2023 to enact comprehensive privacy law with the Delaware Personal Data Privacy Act (DPDPA), joining Indiana, Iowa, Montana, Oregon, Tennessee and Texas. The DPDPA will go into effect on January 1, 2025.

On February 9, 2024, California’s Third District Court of Appeals ruled that the California Privacy Protection Agency (CPPA) may begin enforcing its finalized data privacy regulations immediately, overturning the lower court’s prior ruling that delayed enforcement.

On January 18, 2024, the Federal Trade Commission (FTC) discussed its long-anticipated proposed changes for the Children’s Online Privacy Protection Rule (COPPA) in an open meeting. Released in a notice of proposed rulemaking the month prior, these proposed changes would add new restrictions on using and disclosing children’s personal information, as well as new limitations on access and monetization, in the first changes to COPPA since 2012.¹

In a key move to further expand consumer data rights, California Gov. Gavin Newson signed The Delete Act (S.B. 362) (the Act) into law on October 10, 2023. The Act amends California’s data broker registration law (Cal. Civ. Code 1798.99.80 et. seq) to include new registration requirements and a singular mechanism for consumers to request that data brokers delete their personal information. Below we have outlined key provisions of the Act that data brokers should be aware of.

The Implementing Regulations of the Personal Data Protection Law and the Regulations on Personal Data Transfer outside the Geographical Boundaries of the Kingdom (together, the Regulations) were recently issued by the Saudi Authority for Data and Artificial Intelligence. We set out in this post the key features of the Regulations.