California Gov. Gavin Newsom (D) has signed AB 947 and AB 1194 into law.

The United Kingdom has announced its decision to establish the UK-U.S. Data Bridge. The UK-U.S. Data Bridge will allow UK businesses and organizations to transfer personal data to organizations in the United States that have certified compliance with the UK Extension to the EU-U.S. Data Privacy Framework.

On May 22, 2022, Minnesota Gov. Tim Walz (D) signed the Student Data Privacy Act (the “Act”), H.F. No. 2353, into law which amends Minnesota’s Government Data Practices Act. The Act went into effect beginning with the 2022-2023 school year. 

Texas recently amended its breach notification statute to shorten the time businesses have to notify the state Attorney General after a data breach affecting 250 or more Texas residents. As of September 1, businesses must notify the Attorney General within 30 days from when they determine that a breach has occurred. Previously, businesses had up to 60 days.

It’s an understatement to say that companies are excited about Artificial Intelligence. AI has the potential to optimize productivity and improve efficiency in many areas of a business. The potential benefits are undeniable, but there are some uses that present significant risk to businesses. One area that warrants caution is in the context of employment. 

On September 11^th, Gov. John Carney (D) signed the Delaware Personal Data Privacy Act into law. The Act will take effect January 1, 2025. With the DPDPA on the books, the number of states with comprehensive privacy laws increases to twelve.

The new Swiss Federal Act on Data Protection, known by the acronym “nFADP,” took effect on September 1. The law was enacted by the Swiss parliament in 2020.

The law introduces new rights for Swiss citizens, but also corresponding obligations for businesses that process personal data subject to the law. The law is intended to be more closely aligned to the European Union’s General Data Protection Regulation and allows for a free flow of information between EU and Swiss companies.

This summer, Gov. Joe Lombardo (R) signed the Consumer Health Data Privacy Act into law. The Act, which will take effect March 31, 2024, provides protections for consumer health data collected and maintained by regulated entities.

In early August, the National Institute of Standards and Technology released the initial public draft of its Cybersecurity Framework 2.0. The draft is a long-awaited update to a framework that’s been in place for almost 10 years: The Framework for Improving Critical Infrastructure Cybersecurity, first released in 2014 and updated in 2018. 

Boards of Directors for public companies across the country are likely to be taking stock of their companys’ cybersecurity practices and strategies after the Securities and Exchange Commission’s adoption of the Cybersecurity Incident Disclosure Rule on July 26. Although the SEC removed the requirement for corporate boards to include members with cybersecurity expertise, it still intends for the Rule to result in greater transparency of companies’ cybersecurity governance and to aid in investor understanding. The Rule presents additional reasons for companies to determine who, if anyone, on their Boards can help with oversight of cybersecurity governance.