On March 20, the U.S. House of Representatives passed House Resolution 7520, the Protecting Americans’ Data from Foreign Adversaries Act of 2024, targeting companies that sell sensitive information to “foreign adversaries.”  H.R. 7520 comes on the heels of two other major developments. First, House Resolution 7521 would require TikTok to divest from its Chinese parent company. Second, President Biden’s Executive Order 14117, requires, among other things, that the Attorney General make rules restricting data brokers from selling bulk sensitive personal data to “countries of concern.” The two resolutions and the E.O. are part of a growing, bipartisan trend to restrict access to sensitive information by foreign adversaries.

Yesterday, March 27, the U.S. Cybersecurity and Infrastructure Security Agency published the Notice of Proposed Rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It is important to note that these are draft rules and do not, on their own, require organizations to report any incidents until after a Final Rule is published. CISA expects to publish the Final Rule in late 2025 with an effective date at least 60 days after publication. This is likely to push the effective date into 2026.

On Monday, the U.S. Department of Health and Human Services Office for Civil Rights issued updated guidance on the use of online tracking technologies by covered entities and business associates (here, referred to as “regulated entities”) under the Health Insurance Portability and Accountability Act Privacy Rule. The intent of the guidance is to provide regulated entities with considerations when using tracking technologies on their websites and mobile applications.

On December 20, the Federal Trade Commission released a notice of proposed rulemaking to update the Children’s Online Privacy Protection Rule, known as the “COPPA Rule.” (We are linking to the official version of the proposed rule that was published in the Federal Register on January 11.) In a press release published on December 20, the FTC announced that the proposed amendments “would place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition access to services on monetizing children’s data.”

As we near the end of another year, it is time to look ahead to developments in the information security and privacy landscape. One area of particular importance is the development of regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

Texas recently amended its breach notification statute to shorten the time businesses have to notify the state Attorney General after a data breach affecting 250 or more Texas residents. As of September 1, businesses must notify the Attorney General within 30 days from when they determine that a breach has occurred. Previously, businesses had up to 60 days.

It’s an understatement to say that companies are excited about Artificial Intelligence. AI has the potential to optimize productivity and improve efficiency in many areas of a business. The potential benefits are undeniable, but there are some uses that present significant risk to businesses. One area that warrants caution is in the context of employment. 

In early August, the National Institute of Standards and Technology released the initial public draft of its Cybersecurity Framework 2.0. The draft is a long-awaited update to a framework that’s been in place for almost 10 years: The Framework for Improving Critical Infrastructure Cybersecurity, first released in 2014 and updated in 2018. 

EDITOR’S NOTE: This is part two of “Cyber AI Chronicles” – written by lawyers and named by ChatGPT.  This series will highlight key legal, privacy, and technical issues associated with the continued development, regulation, and application of artificial intelligence.

Recent developments in Artificial Intelligence have opened the door to exciting possibilities for innovation. From helping doctors communicate better with their patients to drafting a travel itinerary as you explore new locales (best to verify that all the recommendations are still open!), AI is beginning to demonstrate that it can positively affect our lives. 

However, these exciting possibilities also allow malicious actors to abuse the systems and introduce new or “improved” cyber threats.