FCC’s 1-to-1 Consent Requirement for Marketing Text Messages
On January 27, 2025, the Federal Communications Commission’s (FCC) new one-to-one consent requirement will go into effect. For background, the FCC published its final rule targeting and eliminating unlawful text messages under the Telephone Consumer Protection Act (TCPA) on January 26, 2024 (the Final Rule). Among other requirements and purposes, this Final Rule sought to close the “lead generator loophole.”
Cyber Security
The EU AI Act – What Businesses Need to Know
Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post.
On July 12, 2024, the European Union’s Artificial Intelligence Act (AI Act) was published in the EU Official Journal.
This comprehensive legislation establishes the first risk-based regulatory framework for AI systems, with far-reaching implications for businesses using AI. The AI Act is effective August 2, 2024, with the enforcement of the majority of its provisions commencing on August 2, 2026.
Not So Fast: Vermont Governor VETOES Private Right of Action for Consumer Privacy Violations
Last week, Vermont Governor Phil Scott vetoed one of the most-watched pieces of privacy legislation in the United States: the Vermont Data Privacy Act (VDPA). Described in H.121 as “an act relating to enhancing consumer privacy and the age-appropriate design code,” the VDPA was passed by the Vermont legislature in the early morning hours on May 11, 2024. The act represented a seismic change in domestic consumer privacy rights. However, Governor Scott returned H.121 without signature, effectively vetoing the would-be watershed bill.
Recent Executive Order and DOJ Rulemaking Prioritize the Protection of Sensitive Personal Data from “Countries of Concern”
The U.S. is cracking down on data sharing and export with foreign countries. A clear example of the United States’ position is seen in Executive Order 14117 (EO 14117) issued by President Biden on February 28, 2024.
Titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” EO 14117’s main objective is simple – protect the sensitive personal data of individuals located in the United States. But the reason for this Executive Order is more nuanced.
CMMC 2.0 Is Here to Stay: Where Do We Start?
Last December, the Department of Defense (“DoD”) published its proposed rule setting forth cybersecurity requirements for defense contractors and subcontractors. These requirements are designated with a particular Cybersecurity Maturity Model Certification (CMMC) level that is associated with the contractor’s procurement. As the second iteration of CMMC, 2.0 demonstrates an escalating system of maturity using designated levels 1, 2, and 3.
With the proposed rule set to be finalized this year, and implementation set to take place in 2025, now is as good a time as any to understand how contractors are impacted by CMMC 2.0, as well as the requirements, the certification process, and how your organization can best prepare.
Webinar: 10 Privacy and Security Resolutions in the New Year
Tuesday, Jan. 30, 2024
11 a.m. – 12 p.m. ET
You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just…
SEC Approves Transformative Cybersecurity Disclosure Requirements
Last week, the US Securities and Exchange Commission (SEC) voted 3-2 on a series of rules relating to cybersecurity disclosures, including a new requirement for public companies to publicly disclose “significant impacts” of cyber-attacks within four days. Public companies would be well-served to review the new requirements immediately to form a plan of action to address the newly approved rules.
The SEC’s Proposed Cybersecurity Rules: Is Your Company Ready?
Here in the United States, companies face a patchwork of legal obligations that address information security and data privacy. For example, federal laws target certain market segments (such as health care, financial services, and education), state laws target certain types of information (such as personal financial or biometric information), and both state and federal laws target unfair or unreasonable business practices. This patchwork—and the lack of comprehensive nationwide privacy and security standards—can make compliance challenging and frustrating. Security professionals and legal counsel must work hard to keep up.
The Securities and Exchange Commission (SEC) will soon add to the patchwork. The SEC’s new rules promise to add significant compliance obligations for public companies, and non-public companies will also want to take note.
Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision
On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF” or “DPF”), signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.
2023 Privacy and Data Security Resolutions
As you consider the end of the year and beginning of a new year, we in Taft’s Privacy and Data Security Practice thought to provide you with a simple list of data protection resolutions you might consider, both professionally and personally.
1. Get strong! Now is a good time to make a change in passwords for your accounts, and specifically make them strong passwords (i.e. ten characters or more, including an upper and lower case letter, number, and…