On December 24, 2024, New York Governor Kathy Hochul signed into law an amendment to New York General Business Law § 899-aa modifying the state’s data breach notification requirements. The amended law, which is effective immediately, imposes new requirements businesses must follow when providing notifications following a data breach.
President Biden signs the National Defense Authorization Act for Fiscal Year 2025
This is the first blog in a series covering the Fiscal Year 2025 National Defense Authorization Act (“FY 2025 NDAA”). This first blog will cover: (1) NDAA sections affecting acquisition policy and contract administration that may be of greatest interest to government contractors; (2) initiatives that underscore Congress’s commitment to strengthening cybersecurity, both domestically and internationally; and (3) NDAA provisions that aim to accelerate the Department of Defense’s adoption of AI and Autonomous Systems and counter efforts by U.S. adversaries to subvert them.
Future posts in this series will address NDAA provisions targeting China, supply chain and stockpile security, the revitalized Administrative False Claims Act, and Congress’s effort to mature the Office of Strategic Capital and leverage private investment to accelerate the development of critical technologies and strengthen the defense industrial base. Subscribe to our blog here so that you do not miss these updates.
FY 2025 NDAA Overview
On December 23, 2025, President Biden signed the FY 2025 NDAA into law. The FY 2025 NDAA authorizes $895.2 billion in funding for the Department of Defense (“DoD”) and Department of Energy national security programs—a $9 billion or 1 percent increase over 2024. NDAA authorizations have traditionally served as a reliable indicator of congressional sentiment on final defense appropriations.
FY 2025 marks the 64th consecutive year in which an NDAA has been enacted, reflecting its status as “must-pass” legislation. As in prior years, the NDAA has been used as a legislative vehicle to incorporate other measures, including the FY 2025 Department of State and Intelligence Authorization Acts, as well as provisions related to the Departments of Justice, Homeland Security, and Veterans Affairs, among others.
Below are select provisions of interest to companies across industries that engage in U.S. Government contracting, including defense contractors, technology providers, life sciences firms, and commercial-item suppliers.
FEC Year in Review 2024
With a game-changing advisory opinion (AO 2024-01), 2024 started out with a bang at the Federal Election Commission (“FEC”). Other consequential opinions, enforcement actions, and regulations continued in the following months, challenging the notion that the divided Commission cannot find consensus.
In this alert, we highlight the FEC’s major…
State Attorneys General Issue Guidance On Privacy & Artificial Intelligence
Attorneys General in Oregon and Connecticut issued guidance over the holiday interpreting their authority under their state comprehensive privacy statutes and related authorities. Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance focuses on opt-out preference signals that go…
UK Government Proposes Copyright & AI Reform
In case you missed it before the holidays: on 17 December 2024, the UK Government published a consultation on “Copyright and Artificial Intelligence” in which it examines proposals to change the UK’s copyright framework in light of the growth of the artificial intelligence (“AI”) sector.
The Government sets out the following core objectives for a new copyright and AI framework:
- Support right holders’ control of their content and, specifically, their ability to be remunerated when AI developers use that content, such as via licensing regimes;
- Support the development of world-leading AI models in the UK, including by facilitating AI developers’ ability to access and use large volumes of online content to train their models; and
- Promote greater trust between the creative and AI sectors (and among consumers) by introducing transparency requirements on AI developers about the works they are using to train AI models, and potentially requiring AI-generated outputs to be labelled.
In this post, we consider some of the most noteworthy aspects of the Government’s proposal.
- The proposed regime would include a new text and data mining (TDM) exception
First and foremost, the Government is contemplating the introduction of a new TDM exception that would apply to TDM conducted for any purpose, including commercial purposes. The Government does not set out how it would define TDM, but refers to data mining as “the use of automated techniques to analyse large amounts of information (for AI training or other purposes)”. This new exception would apply where:
November 2024 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is part of a series of Covington blogs on the implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through October 2024. This blog describes key actions taken to implement the Cyber EO, the U.S. National Cybersecurity Strategy, and other actions taken that support their general principles during November 2024.
National Institute of Standards and Technology (“NIST”) Publishes Draft “Enhanced Security Requirements for Protecting Controlled Unclassified Information”
On November 13, 2024, NIST published a draft of Special Publication (“SP”) 800-172 Rev. 3 that “provides recommended security requirements to protect the confidentiality, integrity, and availability of [Controlled Unclassified Information] when it is resident in a nonfederal system and organization and is associated with a high value asset or critical program.” In particular, the draft requirements “give organizations the capability to achieve a multidimensional, defense-in-depth protection strategy against advanced persistent threats . . . and help to ensure the resiliency of systems and organizations.” The draft requirements “are intended for use by federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations.” In the publication, NIST stated that it does not expect that all requirements are needed “universally.” Instead, the draft requirements are intended to be “selected by federal agencies based on specific mission needs and risks.”
These requirements serve as a supplement to NIST SP 800-171 and apply to particular high-risk entities. To that end, the current version of NIST SP 800-172 (i.e., Rev. 2) is used by the U.S. Department of Defense (“DoD”) for its forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program, which we discussed in more detail here. Specifically, contractors must implement twenty-four controls that DoD selected from SP 800-172 Rev. 2 in order to obtain the highest level of certification – Level 3. Just as the CMMC Final Rule incorporated Rev. 2 of SP 800-171 (rather than Rev. 3), the CMMC program will not immediately incorporate SP 800-172 Rev. 3 requirements. However, the draft requirements provide insight into how CMMC could evolve.
ICO Audit on AI Recruitment Tools
On November 6, 2024, the UK Information Commissioner’s Office (ICO) released its AI Tools in recruitment audit outcomes report (“Report”). This Report documents the ICO’s findings from a series of consensual audit engagements conducted with AI tool developers and providers. The goal of this process was to assess compliance with data protection law, identify any risks or room for improvement, and provide recommendations for AI providers and recruiters. The audits ran across sourcing, screening, and selection processes in recruitment, but did not include AI tools used to process biometric data, or generative AI. This work follows the publication of the Responsible AI in Recruitment guide by the Department for Science, Innovation, and Technology (DSIT) in March 2024.
Background
The ICO conducted a series of voluntary audits from August 2023 to May 2024. During the audits, the ICO made 296 recommendations, all of which were accepted or partially accepted by the organisations involved. These recommendations address areas such as:
- Fair processing of personal data,
- Data minimisation and lawful retention of data, and
- Transparency in explaining AI logic.
Areas for Improvement
Based on its findings during the audits, the ICO identified several areas for improvement for both AI recruiters and AI providers. The key areas for improvement across both were:
Section 301 Tariffs and Proceedings: Recent and Potential Developments
Alert December 19, 2024
As discussed in our prior client alert, President-elect Trump’s second term is expected to bring important changes to U.S. trade policy, including with respect to U.S. tariffs. Among the tools Trump may use to modify existing U.S. tariffs is Section 301 of the Trade Act of 1974 (“Section 301”), which provided the vehicle for imposition of tariffs against China under the first Trump administration. More recently, the Biden administration has initiated new proceedings under Section 301, while also modifying existing Section 301 tariffs against China. This alert provides an overview of Section 301, explores how Section 301 has been used by recent administrations to increase tariffs on imports from China, and surveys other Section 301 actions, including currently pending investigations. This alert also examines how a second Trump administration could reactivate or modify Section 301 tariffs that were previously announced, but have been suspended or terminated.
Overview of Section 301
Section 301 is an investigative tool under U.S. trade law that allows the Office of the U.S. Trade Representative (“USTR”) to pursue unilateral trade retaliation against countries that impose unfair trade barriers against the United States. USTR may launch Section 301 investigations in response to the filing of a petition submitted by an “interested party,” or upon USTR’s own initiative. Once a Section 301 investigation is launched, the statutory deadline for completion is typically between 12 and 18 months. Under the first Trump administration, USTR often did not use the full period provided under the statute, instead completing certain investigations several months before the statutory deadline.
As part of the investigative process, USTR must request consultations with the foreign government whose conduct is at issue, and it will generally also solicit public comments and hold a hearing as part of its investigation. At the end of the investigation, USTR is authorized to impose duties or other trade restrictions where it has determined:
- that the rights of the United States under any trade agreement are being denied;
- that an act, policy, or practice of a foreign country violates, is inconsistent with, or otherwise denies the United States the benefits of any trade agreement; or
- that an act, policy, or practice of a foreign country is unjustifiable and burdens or restricts U.S. commerce.
Once imposed, Section 301 tariffs must be terminated after four years unless an extension is requested. As explained below, USTR under certain conditions can also modify existing Section 301 duties or reinstitute previously suspended or terminated Section 301 actions.
Long-Awaited POPIA Guidance on Direct Marketing Published by South Africa’s Information Regulator
The Information Regulator recently published its Guidance Note on Direct Marketing (“Guidance Note”), providing clarity on how personal information can be lawfully processed under the Protection of Personal Information Act (“POPIA”). The Guidance Note offers actionable steps for organizations to align their marketing practices with these principles, fostering responsible marketing that complies with both the letter and spirit of the law.
In this blog, we briefly examine POPIA’s rules on direct marketing, and some of the key highlights from the Guidance Note.
How Direct Marketing is Regulated under POPIA
POPIA regulates direct marketing by establishing strict conditions for the lawful processing of personal information. It requires “responsible parties” (more commonly known as ‘controllers’) to ensure that personal data is collected and used transparently, fairly, and only for a specific, legitimate purpose.
For direct marketing:
- Consent is the default requirement for unsolicited electronic communications (e.g., emails, SMSs, and automated calls). Section 69 of POPIA explicitly prohibits such communications unless the data subject has given prior consent or is an existing customer under specific conditions.
- Legitimate interests may only serve as a justification for non-electronic direct marketing (e.g., postal mail or in-person promotions) under section 11, provided the responsible party conducts a legitimate interest assessment and complies with all conditions for lawful processing.
These rules emphasize data subjects’ control over their personal information, highlighting the importance of consent and the right to object.
NHTSA Publishes Whistleblower Program Final Rule
On December 12, 2024, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) announced the publication of a final rule formalizing its whistleblower program. The Final Rule was officially published in the Federal Register on December 17, fulfilling an obligation established by Congress in 2015 under the Motor Vehicle Safety Whistleblower Act (“MVSWA”).
The program provides for awards to current and former industry employees and contractors who report “original information” that leads to a successful resolution in which the federal government collects sanctions from automotive companies exceeding $1 million. Whistleblower awards can range from 10% to 30% of the collected sanctions. See 49 U.S.C. § 30172.
Whistleblower awards are limited to recoveries for certain types of monetary sanctions. Notably, the relevant action must be brought by the “Secretary [of the Department of Transportation], NHTSA, or the U.S. Attorney General” under 49 U.S.C. Chapter 301, the part of the Motor Vehicle Safety Act (“MVSA”) containing defect and noncompliance reporting and recall provisions. 89 Fed. Reg. 101,952, 101,955 (Dec. 17, 2024) (to be codified at 49 C.F.R. § 513). Recoveries for other types of civil or criminal violations are excluded, “even if [they] involve vehicle safety issues and/or are based on facts common to an action taken under 49 U.S.C. Chapter 301.” 89 Fed. Reg. at 101,956. Actions brought by “other agencies” or “by the U.S. Department of Justice under any statute other [than] 49 U.S.C. Chapter 301” are, therefore, not covered. Although Chapter 301’s requirements are substantial, this limitation is likely to have significant implications. Companies that are involved in parallel-track or sequential enforcement actions will not face a potential NHTSA whistleblower award based on other types of alleged violations and enforcement actions. For example, any recoveries by the DOJ based on allegations of conspiracy, fraud, fraudulent statements or related violations, even if they “are based on” facts in common with a Chapter 301 violation, will not provide the basis for a MVSWA whistleblower award.
The Final Rule’s publication follows NHTSA’s earlier publication of a Notice of Proposed Rulemaking (“NPRM”) in April 2023. NHTSA noted in the Final Rule that it “adopted the proposed rule without significant changes,” despite numerous comments on the NPRM.
A number of the Final Rule’s features merit consideration by automotive companies. Of particular interest are (1) the Final Rule’s definition of “independent knowledge;” (2) NHTSA’s decision not to expand the internal reporting prerequisite; (3) NHTSA’s decision not to exclude directors, officers, and compliance function employees from whistleblower eligibility; (4) NHTSA’s decision not to render persons convicted of a related crime by a foreign tribunal ineligible as whistleblowers; and (5) NHTSA’s decision not to exclude information obtained by unlawful conduct subject to civil liability.