The US Department of Justice’s (DOJ) new Data Security Program (DSP), designed to protect sensitive information and national security-related data from misuse by foreign actors, took full effect on October 6, 2025. The program introduces new restrictions on how companies handle and share sensitive US personal data and government-related data, especially when certain foreign entities are involved. With enforcement underway, companies should understand who is covered, what activities are restricted, and what compliance measures are required. Failure to comply with the rules can result in civil or criminal penalties.
Continue Reading DOJ Launches New Data Security Program—What Your Company Needs to Know

The DoD has finally crossed the CMMC finish line, but for contractors, the race is just beginning. With the Final Rule effective Nov. 10, award eligibility will hinge on a “current” CMMC status in SPRS, backed by annual affirmations and strict compliance. The next two months are critical for getting race-ready. In this Featured Comment

July’s “Winning the Race: America’s AI Action Plan,” released by the White House, contains helpful recommendations for the energy sector as the use of AI becomes more prevalent and, with it, the need for more energy. The plan recommends the use of an existing consultation and coordination process for expediting the federal permitting and review of large infrastructure projects to cover all eligible data center and data center energy projects. It also recommends optimizing existing grid resources, prioritizing the interconnection of reliable power sources, ensuring sufficient generation exists to support data centers, and embracing new technology and sources of energy.
Continue Reading Power Up: What the AI Action Plan Means for the Energy Sector

On June 6, 2025, President Trump issued a new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” (EO), signaling the construction of a fortified cyber defense across federal operations. This directive updates the nation’s digital stronghold, modernizing risk management, defending against quantum and artificial intelligence (AI) threats, and drawing sharper lines in the battle against foreign cyber adversaries. For technology companies and federal suppliers, this is a clarion call to reinforce their digital walls and sharpen their defenses. Agencies will soon build these secure-by-design principles into every contract and procurement decision. In this era of fortress-building, failing to meet these standards not only will leave your gates unguarded but also could bar you from the entire federal marketplace. The EO may read like ordinary policy, but don’t be misled: It’s a direct command for companies to strengthen their cyber defenses or be locked out of federal opportunities altogether.
Continue Reading Building the Cyber Fortress: New Cybersecurity Executive Order Targets Quantum, AI, and Supply Chain Security

The Department of Defense (DoD) is revving its engines again—this time to rocket past its own software acquisition drag. Launched via an April 24 memo from Acting DoD CIO Katie Arrington, the DoD’s Software Fast Track (SWFT) Initiative entered a 90‑day sprint to redefine Accelerating the Authority to Operate (ATOs), aiming to replace the outdated Risk Management Framework (RMF) with AI‑enabled, continuous compliance workflows. Officially live on June 1, 2025, SWFT isn’t a fully cleared runway—it’s a mission in motion, with Requests for Information (RFIs) out and industry poised to respond. But the real turbulence won’t be technical—it’ll be cultural: Can Pentagon policy and personnel move at Top Gun pace?
Continue Reading The Need for Speed: DoD’s “Software Fast Track” Targets Bureaucracy at Mach 2

The California Privacy Protection Agency (CPPA) recently fined clothing retailer Todd Snyder almost $350,000 for two types of consumer privacy errors. Due to technical errors during a 40-day period, it was impossible for Todd Snyder website users to request to opt out of having their information sold or shared. When users clicked the button for the Cookie Preferences Center, the consent banner would appear but instantly disappear, thus making it impossible for anyone to actually opt out. For those who were able to actually access the preferences center, Todd Snyder over-collected information from its users who wanted to opt out of having their information sold or shared. Todd Snyder’s data request form required users to verify their identity by submitting a photograph of themselves holding their identity document, even when they wanted to opt out.
Continue Reading Check Your Process or Pay Your Fine: Recent 6-Figure Fines from the California Privacy Protection Agency

Zachary Myers, the former United States Attorney for the Southern District of Indiana, has officially joined McCarter & English’s Indianapolis office as a partner in the Business Litigation group. He will also serve as a co-leader of the firm’s multidisciplinary Cybersecurity & Data Privacy team. Zach brings extensive experience in high-stakes litigation and cybersecurity. As part of his practice, he will counsel clients in navigating federal government issues, including congressional inquiries and regulatory matters.
Continue Reading Former US Attorney Zach Myers Joins McCarter & English

On April 15, 2025, the Department of Defense (DoD) released official guidance on Organizationally Defined Parameters (ODPs) appearing in the newly published NIST SP 800-171 Revision 3. At the same time, the DoD reaffirmed that contractors must continue complying with Revision 2 thanks to a previously issued class deviation. What does this mean in plain terms? The DoD is slowly pulling back the curtain on the next major shift in cybersecurity compliance. Still, the full prestige hasn’t happened yet.
Continue Reading The “Prestige”: DoD Unveils NIST SP 800-171 Revision 3, Organizationally Defined Parameters

New Hart-Scott-Rodino premerger notification rules, which took effect in February, require that companies now provide more information than ever before about their prospective mergers. Meanwhile, both federal and state antitrust enforcers continue to step up scrutiny of data-related antitrust harms such as information sharing, monopolization, and price coordination, and private litigants are also filing claims. Data has long been used by companies to benchmark performance metrics, from pricing to inventory levels, and to manage revenue. But as data volume has increased, so too has the risk of violating antitrust laws through higher levels of interconnection. Big data could facilitate price coordination, potentially rising to the level of price fixing, and could thus entrench the market power of companies that have amassed data critical to the ability to compete.
Continue Reading Mo’ Data, Mo’ Problems: Antitrust Risk in the Age of Big Data

23andMe, a pioneer in the DNA testing kit industry, announced that it has filed for Chapter 11 bankruptcy protection and recently asked to select an independent customer data representative regarding any sale of user data. Its bankruptcy raises issues about data privacy and what companies must do to protect that data for the benefit of their customers and to protect themselves from litigation or violations of US and international privacy laws.
Continue Reading Follow the Breadcrumbs: Where Does Consumer Data Go as 23andMe Goes Bankrupt?