Cyber Security, Data Governance, & Privacy
Cybersecurity Checkup: Steps You Can Take Now
In today’s regulatory and economic environment, organizations need to keep pace with constantly shifting cybersecurity and data privacy threats. Below is an outline of current best practices, offering non-exhaustive guidance for Chief Information Security Officers (“CISOs”) and other compliance professionals tasked with cybersecurity and data protection.
Indiana Enacts Bill Governing Data Breach Disclosure
On March 18, 2022, Eric Holcomb, the Indiana governor, signed HB 1351 into law, which places disclosure or notice requirements on persons who have suffered a data breach.
U.S. and EU Issue Statement on Privacy Shield Negotiations
On March 25, 2022, the European Commissioner for Justice, Didier Reynders, and U.S. Secretary of Commerce, Gina Raimondo, issued a joint statement announcing a preliminary replacement for the Privacy Shield framework.
AG Issues New FOIA Guidelines Favoring Transparency and Disclosure
On March 15, 2022, the Attorney General of the United States issued a guidance memorandum for the heads of executive departments and agencies to consider when responding to a Freedom of Information Act (“FOIA”) request.
President Biden Urges U.S. Companies to Prepare for Cyberattacks
On March 21, 2022, the White House issued a fact sheet calling upon all businesses in the United States to take key steps to prevent cybersecurity incidents in light of recent increased sanctions being imposed on Russia by the U.S. and its allies.
NIST Moves to Update Cybersecurity Framework
On February 22, 2022, the National Institute of Standards and Technology (“NIST”) published a request for comments and information (“RFI”) on how to improve NIST Cybersecurity Resources: The Cybersecurity Framework (“CSF”).
CA AG Issues Interpretation of CCPA Re: Data Collectors’ Internally Generated Personal Information
On March 10, 2022, the California Office of the Attorney General (“CA AG”) issued an opinion (20-303) that the California Consumer Privacy Act’s (“CCPA”) provision mandating that consumers be informed, upon request, regarding the specifics of the personal information collected and stored by an organization applies to “internally generated inferences” that the business holds from internal or external information sources.
Wyoming Enacts Genetic Data Privacy Act
On March 8, 2022, Wyoming Governor Mark Gordon signed the Wyoming Genetic Data Privacy Act (“HB 0086” or “Act”) into law.
FTC Mandates Algorithm Destruction for Improper Use of AI
On March 3, 2022, the FTC entered into a settlement agreement with WW International Inc. (“WW”) mandating algorithm destruction and data deletion after the agency determined that WW and a subsidiary company called Kurbo Inc. (“Kurbo”) had improperly collected and stored the data of children.
SEC Proposes Additional Cybersecurity Rules
On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) announced a proposed rule for Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.
On March 9, 2022, the Securities and Exchange Commission (“SEC”) issued a proposed rule on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The SEC will likely vote to finalize the rule before the summer.
Utah House Unanimously Approves Utah Consumer Privacy Act
On March 3, 2022, the Utah House of Representatives unanimously approved Senate Bill 227, known as the Utah Consumer Privacy Act (UCPA or S.B. 227), after a 28-0 vote by the Utah Senate. The provisions of the UCPA are intended to impose consumer data protection rights and obligations on those who collect or process this data for Utah residents.
California Proposes Amendment to CPRA to Include Biometric Data Protections
On February 17, 2022, California State Senator Bob Wieckowski introduced Senate Bill 1189 (SB 1189 or “bill”), which aims to expand the privacy rights and protections afforded under the California Privacy Rights Act (“CPRA”)
U.S. Issues Executive Order on the Use of Digital Assets and the Cybersecurity Risks
On March 9, 2022, President Biden issued an Executive Order on Ensuring Responsible Development of Digital Assets (“Executive Order”), which outlined the federal government’s comprehensive strategy for the treatment of cryptocurrency. In this order, the White House stated that in November 2021, “non‑state issued digital assets reached a combined market capitalization of $3 trillion,” as compared to the $14 billion that is approximated to have existed in early November 2016.
Wisconsin Assembly Passes Data Privacy Bill
On February 23, 2022, the Wisconsin Assembly passed Assembly Bill 957 (“AB957” or the “Bill”), which establishes requirements for controllers and processors who collect, maintain, or utilize consumer “personal data.”
CISA Encourages “Shields Up” Cyber-Defense
On February 26, 2022, the United States Cybersecurity and Infrastructure Agency (“CISA”) issued an alert warning organizations of the potential impacts that the events in Ukraine may have on the cyber security of the United States and the risks that threat poses to the continued operations of United States critical infrastructure organizations.
Senate Passes First Comprehensive Cybersecurity Act
On Wednesday, March 2, 2022, the U.S. Senate passed the Strengthening American Cybersecurity Act of 2022 ("Act" or "Bill"). Introduced less than one month ago by Sens. Gary Peters (D-MI) and Rob Portman (R-OH), the spending Bill combines three bills introduced in late 2021—the Cyber Incident Reporting for Critical Infrastructure Act ("CIR"), the Federal Information Security Modernization Act ("FISMA"), and the Federal Risk and Authorization Management Program (FedRAMP) Authorization Act ("FedRAMPAA").
Why Organizations Should Consider Implementing Data Minimization
When the European Union ("EU") enacted the General Data Protection Regulation (“GDPR”) on May 2, 2018, the world was introduced to the concept of data minimization. According to Article 5 of the GDPR, data minimization means “personal data shall be . . . adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).”
In this article, we will analyze the concept of “data minimization” in the United States and provide organizations with the information needed to better understand the practice so that they may implement it in their own business.
Federal Agencies Issue Joint Cybersecurity Advisory
On January 11, 2022, the National Security Agency (“NSA”), the Cybersecurity and Infrastructure Security Agency (“CISA”), and the Federal Bureau of Investigation (“FBI”) issued a Joint Cybersecurity Advisory (“CSA”) to assist the cybersecurity community in understanding and mitigating Russian state-sponsored cyber threats to critical U.S. infrastructure.
California Privacy Protection Agency Likely Will Not Meet Privacy Regulation Deadlines
As previously reported, the California Privacy Protection Agency (“CPPA”) is seeking to enact the California Privacy Rights Act (“CPRA”) to amend the California Consumer Privacy Act (“CCPA”).
According to the provisions of the CPRA, the regulation was supposed to be finalized by July 1, 2022. However, during a public board meeting held on February 17, 2022, the CPPA indicated it would not be meeting its July 1 deadline.
Massachusetts Information Privacy and Security Act Passes State Legislators
On February 14, 2022, the Massachusetts Information Privacy and Security Act (“Bill S.46” or "Act") advanced to the committee on Advanced Information Technology, the Internet, and Cybersecurity, accompanied by a new draft bill, Bill S.2687.