AI laws, privacy rules, and cybersecurity requirements — tracked for you.

The FTC Safeguards Rule requires covered non-bank financial institutions to maintain a written information security program with risk assessments, qualified oversight, access controls, encryption, and monitoring. Updated requirements also added mandatory breach reporting to the FTC for certain notification events. The rule affects lenders, mortgage brokers, auto dealers, and other financial institutions under FTC jurisdiction.

New York requires covered financial entities to maintain a risk-based cybersecurity program, governance controls, incident reporting, and documented policies. The 2023 amendments strengthened board and senior-governance accountability, privileged-access management, asset inventory, vulnerability management, and incident notice requirements. Larger Class A companies face additional controls such as independent audits and enhanced monitoring.

Virginia requires entities and state agencies that suffer qualifying breaches involving personal information to notify affected residents and, in many cases, the Attorney General. It affects businesses and public bodies that own or license personal information and sets timelines, notice content expectations, and substitute-notice rules.

Texas gives certain businesses a safe harbor from exemplary damages after a breach if they implemented and maintained a qualifying cybersecurity program. It affects Texas businesses that handle sensitive personal information and pushes them toward recognized cybersecurity frameworks and scaled security controls.

Australia's 2024 ERP Act updates the Security of Critical Infrastructure regime with stronger powers to manage consequences of incidents and to address deficient risk management programs. It affects operators of critical infrastructure and critical telecommunications assets, including some data storage systems that hold business-critical data. The reforms are part of the broader cyber legislative package tied to the 2023-2030 Cyber Security Strategy.

NIST CSF 2.0 updates the widely used cybersecurity framework and broadens it beyond critical infrastructure to organizations of any size or sector. It adds the Govern function and refines guidance for identifying, protecting against, detecting, responding to, and recovering from cyber risk. Although voluntary, it is frequently used in procurement, governance, and regulatory crosswalks.

The SEC requires public companies to disclose material cybersecurity incidents on Form 8-K and to describe cybersecurity risk management, strategy, and governance in annual reports. It affects Exchange Act reporting companies and pushes boards and management to formalize oversight and reporting processes. The rules also require Inline XBRL tagging for the new disclosures.

NIS2 expands the EU cybersecurity framework to more sectors and entities and requires management-approved cybersecurity risk management measures and incident reporting. It affects essential and important entities across energy, transport, health, digital infrastructure, public administration, manufacturing, and other critical sectors. The directive also increases supervisory and penalty powers and coordinates cross-border cooperation.

The SHIELD Act broadened New York breach-notification rules and requires reasonable administrative, technical, and physical safeguards for private information.

California requires manufacturers of connected devices sold in the state to equip those devices with reasonable security features suited to the device and the data it handles. It affects IoT manufacturers and is aimed at reducing unauthorized access to devices and the information they collect, transmit, or store.

Florida requires covered entities and government agencies to investigate breaches involving personal information and to notify affected individuals, the Department of Legal Affairs, and sometimes consumer reporting agencies. It affects organizations that maintain electronic personal information and sets breach-notification timelines, reporting thresholds, and recordkeeping duties.