May 14, 2025
“Everyone Wants to Speak to the CISO” and Other Realities of Addressing Vendor Breaches
Breaches at technology vendors are distressingly common. A recent study of 2000 top-ranked companies revealed that 80 percent of them used multiple vendors that suffered a breach. Vendor and supply chain cyber incidents pose many challenges, but common practices have emerged for navigating third-party breaches in recent years. This article examines practical goals for vendors’ breach communications in the first 72 hours and beyond, as well as handling notifications and recommended contract provisions, with insights from experts at Cooley, FTI Consulting, Holland & Knight, Morgan Lewis and Ropes & Gray. See “Ransomware and Incident Response Considerations for Global Companies” (Nov. 29, 2023).
State Privacy Regulators Share Enforcement Agenda and How to Ensure a Smoother Investigation
Five U.S. state privacy regulators took a momentary break from their many active investigations to provide updates about their expectations for regulated organizations during recent conferences. They discussed raised expectations for privacy policies, how companies respond to inquiries and tips for navigating investigations, including some recommended wording for responses. Regulators from Connecticut, Colorado, California and Oregon spoke at the IAPP Global Privacy Summit, and a Maryland Assistant AG spoke at the Privacy + Security Forum. This article distills their comments and suggestions. See “Connecticut AG’s Report Reveals Privacy Enforcers Reaching Deeper Into Their State Laws” (Apr. 30, 2025).
DOJ Guidance on Bulk Sensitive Data Rules: Compliance Program, Recordkeeping and Reporting
To assist companies in complying with its final rules implementing the executive order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, the DOJ recently released three new guidance documents. The final rules, which the National Security Division of the DOJ refers to as the Data Security Program (DSP), took effect in substantial part on April 8, 2025. With commentary from Edward McNicholas, a partner at Ropes & Gray, this two-part article series highlights the key elements of the guidance. This second installment distills guidance on DSP requirements around the data compliance program, recordkeeping, reporting, licenses and advisory opinions. Part one covered the enforcement grace period, definitions of bulk data and covered persons, and prohibited transactions. See “Examining DOJ’s Final Rules on Access to Government and Sensitive U.S. Personal Data” (Jan. 29, 2025).
Former White House NSC Emerging Technologies Director and Special Advisor Joins Jenner & Block in D.C.
Matt Pearl, former Director for Emerging Technologies and Special Advisor to the Deputy National Security Advisor at the White House National Security Council, has joined Jenner & Block as of counsel in Washington, D.C. He will be a member of the communications, internet, and technology practice as well as the critical and emerging technologies practice. For insights from Jenner & Block, see our two-part series on the SolarWinds Decision: “Court Narrows Case, but SEC’s Surviving Claims Alarm CISOs” (Aug. 7, 2024), and “Practical Takeaways for Cyber Communications” (Aug. 14, 2024).
Most-Read Articles
- Apr. 16, 2025: Sale of 23andMe’s Genetic Data: Implications of the Motions for a Privacy Ombudsman and State Laws
- Apr. 16, 2025: Checklist for AI Procurement
- May 7, 2025: DOJ Guidance on Bulk Sensitive Data Rules: Enforcement Grace Period and Prohibited Transactions
- Feb. 12, 2025: AI Governance: Striking the Balance Between Innovation, Ethics and Accountability
- Apr. 30, 2025: Connecticut AG’s Report Reveals Privacy Enforcers Reaching Deeper Into Their State Laws
Women to Watch: Contributions, Achievements and Observations of Outstanding Female Professionals
To mark International Women’s Day, women editors and reporters at ION Analytics interviewed outstanding women in the industries and jurisdictions we cover. In this part, Law Report Group editors Jill Abitbol, Robin L. Barton and Megan Zwiebel profile notable women in data privacy, cybersecurity, private funds and anti-corruption law, including Anne-Gabrielle Haie, Jessica Lee, Micaela McMurrough, Laura Perkins, Amanda Raad, Madelyn Calabrese, Ranah Esmaili and Genna Garver. Enjoy reading their inspiring remarks here.