Privacy & Information Security Law Blog

On March 27, 2024, the National Telecommunications and Information Administration (“NTIA”) issued its AI Accountability Report, and, on March 28, 2024, the White House announced the Office of Budget and Management’s (“OMB’s”) government-wide policy on AI risk management.

Hunton Andrews Kurth released a client alert on the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) settlement with EFG International AG. On March 14, 2024, OFAC announced a settlement (the “Settlement”) with EFG International AG, a global private banking group based in Switzerland with many global subsidiaries (collectively, the “Manager”) regarding violations of OFAC rules alleged to have occurred as a result of the Manager’s buying, selling and, in many cases, merely holding, U.S. securities on behalf of persons sanctioned by OFAC. 

On March 20, 2024, the U.S. House of Representatives passed legislation that will prohibit data brokers from transferring U.S. residents’ sensitive personal data to foreign adversaries, including China and Russia. The House bill HR 7520 (the “Bill”), also known as the Protecting Americans’ Data from Foreign Adversaries Act of 2024, marks a significant development in executive and legislative action related to foreign access to U.S. data. The Bill follows a similarly groundbreaking Executive Order and Department of Justice Notice of Proposed Rulemaking issued at the end of February that will establish strict protective measures against data exploitation by countries considered national security threats for U.S. sensitive personal data and U.S. government-related data. The Bill also comes after the House overwhelmingly passed HR 7521, (the Protecting Americans from Foreign Adversary Controlled Applications Act) resulting from concerns that the Chinese government would compel TikTok (or other foreign adversary-controlled apps) to turn over U.S. data. HR 7521 would effectively require TikTok to divest from parent company ByteDance in order to avoid a ban in the U.S.

Bloomberg Law reported that the Federal Communications Commission adopted rules creating a voluntary cybersecurity labeling program for wireless consumer Internet of Things products, as well as a further notice of proposed rulemaking that seeks comments addressing additional disclosure requirements for program participants with respect to national security.

On February 28, 2024, President Biden released an Executive Order (“EO”) “addressing the extraordinary and unusual national security threat posed by the continued effort of certain countries of concern to access Americans’ bulk sensitive personal data and certain U.S. Government-related data.” In tandem with the EO, the Department of Justice’s (“DOJ’s”) National Security Division is set to issue an advance notice of proposed rulemaking (“ANPRM”) pursuant to the EO, which directs the DOJ to “establish, implement and administer new and targeted national security programming” to address the threat. The DOJ regulations will identify specific categories of “data transactions” that are prohibited or restricted due to their “unacceptable risk to national security.” 

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) announced the release of Version 2.0 of its voluntary Cybersecurity Framework (“CSF”).

The first iteration of the CSF was released in 2014 as a result of an Executive Order, to help organizations understand, manage, and reduce their cybersecurity risks. The original CSF was developed for organizations in the critical infrastructure sector, such as hospitals and power plants, but has since been voluntarily implemented across various sectors and industries, including throughout schools and local governments.

On February 15, 2024, the Federal Trade Commission proposed a rule that would ban the use of AI to impersonate individuals, which would extend protections of a recently finalized FTC rule against government and business impersonation.  The FTC announced a public comment period for a supplemental Notice of Proposed Rulemaking (“NPR”) regarding the proposed rule that ends 60 days after being published in the Federal Register. The FTC’s swift action is in response to an AI-generated robocall mimicking President Biden that encouraged voters not to vote in the New Hampshire primary. FTC Chair Lina Khan described the FTC’s supplemental NPR as a key step in “strengthening the FTC’s toolkit to address AI-enabled scams impersonating individuals,” as malicious actors “us[e] AI tools to impersonate individuals with eerie precision and at a much wider scale.”

On February 15, 2024, Senators Edward J. Markey (D-Mass.) and Bill Cassidy (R-La.) announced the addition of co-sponsors Senators Ted Cruz (R-Texas) Chair and Ranking Member of the Commerce, Science, and Transportation Committee, and Maria Cantwell (D-Wash.) to an updated version of the proposed Children and Teens’ Online Privacy Protection Act (“COPPA 2.0”) bill. The bill contains what the sponsors call “small modifications based on conversations with stakeholders and additional technical corrections.”

As reported on Hunton’s Employment & Labor Perspectives blog, on October 30, 2023, President Biden issued a wide-ranging Executive Order to address the development of artificial intelligence (“AI”) in the United States. Entitled the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the “Executive Order”), the Executive Order seeks to address both the “myriad benefits” as well as what it calls the “substantial risks” that AI poses to the country. It caps off a busy year for the Executive Branch in the AI space. In February 2023, the Equal Employment Opportunity Commission published its Strategic Enforcement Plan, which highlighted AI as a chief concern, and in April 2023, the White House released an AI Bill of Rights. The Executive Order, described as a “Federal Government-wide” effort, charges a number of federal agencies, notably including the Department of Labor (“DOL”), with addressing the impacts of employers’ use of AI on job security and workers’ rights. 

On October 30, 2023, U.S. President Biden issued an Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. It marks the Biden Administration’s most comprehensive action on artificial intelligence policy, building upon the Administration’s Blueprint for an AI Bill of Rights (issued in October 2022) and its announcement (in July 2023) of securing voluntary commitments from 15 leading AI companies to manage AI risks.

On May 4, 2023, the Biden-Harris Administration announced new actions to promote responsible American innovation in artificial intelligence (“AI”). The Administration also met with the CEOs of Alphabet, Anthropic, Microsoft and OpenAI as part of the Administration’s broader, ongoing effort to engage with advocates, companies, researchers, civil right organizations, not-for-profit organizations, communities, international partners, and others on critical AI issues. These efforts build upon the steps the Administration has taken so far, including the Blueprint for an AI Bill of Rights issued by the White House Office of Science and Technology Policy (“OSTP”) and the  AI Risk Management Framework released by the National Institute of Standards and Technology (“NIST”). The Administration is also actively working to address national security concerns raised by AI, especially in critical areas like cybersecurity, biosecurity and safety. 

On March 7, 2023, the Transportation Security Administration (“TSA”) announced the issuance on an emergency basis of a cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators, as part of the U.S. Department of Homeland Security’s initiatives to improve the cybersecurity of U.S. critical infrastructure. 

On March 6, 2023 the Centre for Information Policy Leadership (CIPL) at Hunton Andrews Kurth filed a response to the National Telecommunications and Information Administration’s request for comment on issues at the intersection of privacy, equity and civil rights.  

On March 2, 2023, the Biden-Harris Administration announced the release of the National Cybersecurity Strategy.

On February 14, 2023, the U.S. Senate Committee on the Judiciary held a hearing titled, “Protecting Our Children Online.” Chaired by Sen. Durbin, the hearing examined the potentially harmful effects of social media use on young people, and represented a renewal of the Committee’s efforts to pass legislation to protect children and teenagers online. In 2022, the Senate Judiciary Committee approved several bills designed to enhance the online safety and wellbeing of children and teenagers, among them the Kids Online Protection Act (“KOSA”), but the bills did not receive a floor vote. During the hearing, Democratic and Republican senators expressed their commitment to pass bills that would limit the immunity of social media companies under Section 230 of the Communications Decency Act, and would require website and app developers to design products that protect young people from cyberbullying, online sexual exploitation, social media addiction, and other harms. 

On December 16, 2022, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics, such as the CPPA’s advocacy regarding proposed federal and state privacy legislation.

On December 13, 2022, the European Commission launched the process for the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. If adopted, the long-awaited adequacy decision will provide EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transfers.

An adequacy decision would foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) judgment in the Schrems II case.

On December 12, 2022, at the “POLITICO Live” event presented in cooperation with Hunton Andrews Kurth LLP’s Centre for Information Policy Leadership ("CIPL")—titled “EU-U.S. Data Flows: Game Changer or More Legal Uncertainty?”—featured speakers from both sides of the Atlantic optimistic that the new EU-U.S. Data Privacy Framework will withstand an anticipated legal challenge.

The Cybersecurity and Infrastructure Security Agency (“CISA”) recently released a draft of the agency’s Cross-Sector Cybersecurity Performance Goals (“CPGs”) for critical infrastructure in the United States. The CPGs provide a common set of fundamental cybersecurity practices to guide critical infrastructure entities in measuring and improving their cybersecurity maturity.  

On October 18, 2022, the Transportation Security Administration (“TSA”) issued a new cybersecurity directive requiring passenger and freight railroad carriers to create plans for responding to cybersecurity incidents. The new directive is one of many actions taken by the Biden Administration to strengthen the cybersecurity posture of the U.S.’s critical infrastructure following a significant ransomware attack on a major U.S. pipeline in 2021.

On October 19, 2022, Bloomberg Law reported that the White House is planning to introduce a system to label Internet of Things (“IoT”) devices with information related to the devices’ cybersecurity risk.

On October 14, 2022, the Federal Trade Commission announced it is extending the deadline by one month to submit comments on its Advance Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and lax data security practices.

The FTC launched the ANPR in August and has sought public comment on it, including through a virtual public forum held in September.

Comments now must be filed by November 21, 2022.

On October 11, 2022, the Biden-Harris Administration released an informational statement about the current Administrations’ progress in strengthening America’s national cybersecurity. The statement provides detail into several new initiatives and sets goals for America’s future in cybersecurity:

On October 7, 2022, President Biden signed Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the European Union and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020, when the European Court of Justice (“ECJ”) declared the previous framework, the EU-U.S. Privacy Shield, invalid under EU law. 

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

On August 8, 2022, Commissioner Noah Joshua Phillips announced that he plans to resign from the Federal Trade Commission in the fall after serving four years with the agency. Phillips was appointed by former President Donald Trump in May 2018 and is one of the two Republican commissioners on the FTC alongside Commissioner Christine S. Wilson. Commissioner Phillips had served as chief counsel to Sen. John Cornyn (R-Texas) before joining the FTC.

On August 11, 2022, the Federal Trade Commission announced it is seeking public comment regarding its advance notice of proposed rulemaking (“ANPR”) on commercial surveillance and data security, on which we previously reported. The FTC defines “commercial surveillance” as the business of collecting, analyzing and profiting from consumer data.

On July 28, 2022, the California Privacy Protection Agency (“CPPA”) Board held a special public meeting to discuss agency staff’s recommendations that the Board formally oppose the draft federal American Data Privacy and Protection Act (“ADPPA”). The latest version of the ADPPA recently was voted out of the U.S. House Energy and Commerce Committee, and is set to advance to the House Floor.

On July 1, 2022, the California Privacy Protection Agency (“CPPA”) sent U.S. House of Representatives Speaker Nancy Pelosi a memo outlining how H.R. 8152, the bipartisan American Data Privacy and Protection Act (“ADPPA” or the “Act”), would lessen privacy protections for Californians, and California Democrats have joined the cause.

The CPPA’s memo asserts that the ADPPA, by preempting the California Privacy Rights Act (“CPRA”) and other state privacy laws, proposes to eliminate:

On July 8, 2022, President Biden issued an Executive Order titled, “Protecting Access to Reproductive Health Care Services,” in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade. The Executive Order aims, in part, to “ [p]rotect[] the privacy of patients and their access to accurate information” regarding reproductive health care services. It directs the Department of Health and Human Services (“HHS”) and the Federal Trade Commission to take certain steps to address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data, and by digital surveillance related to reproductive health care services from fraudulent schemes or deceptive practices.

On June 21, 2022, President Biden signed into law, the State and Local Government Cybersecurity Act of 2021 (S. 2520) (the “Cybersecurity Act”) and the Federal Rotational Cyber Workforce Program Act (S. 1097) (the “Cyber Workforce Program Act”), two bipartisan bills aimed at enhancing the cybersecurity postures of the federal, state and local governments.

On June 3, 2022, House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”).

On April 5, 2022, North Carolina became the first state in the U.S. to prohibit state agencies and local government entities from paying a ransom following a ransomware attack.

North Carolina’s new law, which was passed as part of the state’s 2021-2022 budget appropriations, prohibits government entities from paying a ransom to an attacker who has encrypted their IT systems and subsequently offers to decrypt that data in exchange for payment. The law prohibits government entities from even communicating with the attacker, instead directing them to report the ransomware attack to the North Carolina Department of Information Technology in accordance with G.S. 143B‑1379.

On April 21, 2022, the United States, Canada, Japan, Singapore, the Philippines, the Republic of Korea and Chinese Taipei published a declaration (the “Declaration”) establishing the Global Cross-Border Privacy Rules Forum (the “Global CBPR Forum”). The Global CBPR Forum will establish an international certification system based on the existing APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) Systems, enabling participation beyond APEC member economies. The Global CBPR and PRP Systems, as they will be known, are designed to support the free flow of data and effective data protection, and enable interoperability with other privacy frameworks.

On March 25, 2022, the European Commission and United States issued a joint statement announcing an agreement in principle on a new Trans-Atlantic Data Privacy Framework (the “Joint Statement”).

On March 9, 2022, the Biden Administration released its much-anticipated “Executive Order on Ensuring Responsible Development of Digital Assets” (“Executive Order”). The White House describes the Executive Order as the “first whole-of-government strategy” on digital assets and attempts to strike a balance between encouraging innovation and U.S. leadership in the digital asset space, while signaling an appetite to protect against a variety of stated risks through additional regulation and legislation.

On March 11, 2022, the U.S. Senate passed an omnibus spending bill that includes language which would require certain critical infrastructure owners and operators to notify the federal government of cybersecurity incidents in specified circumstances. The bill  previously was passed by the House of Representatives on March 9, 2022. President Biden is expected to sign the bill and has until March 15, 2022, to do so before the current spending authorization expires.

On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.

On March 2, 2022, the Senate unanimously passed the Strengthening American Cybersecurity Act of 2022 (“SACA” or the “Bill”). The Bill is now with the House of Representatives for a vote and, if passed, will be sent to President Biden’s desk for signature.

On December 27, 2021, the Federal Trade Commission sought public comment on a petition filed by Accountable Tech calling on the FTC to use its rulemaking authority to prohibit “surveillance advertising” as an “unfair method of competition” (“UMC”). Accountable Tech is a non-profit organization that advocates for social media companies to strengthen the integrity of their platforms.

On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) announced Directive 22-01 - Reducing the Significant Risk of Known Exploited Vulnerabilities (the “Directive”), establishing a CISA-managed catalog of vulnerabilities and compelling federal agencies to remediate such vulnerabilities on government information systems. The Directive targets vulnerabilities that pose a significant risk to the federal government and applies to all software and hardware found on federal information systems, including those managed on an agency’s premises, as well as those hosted by third parties on an agency’s behalf. The Directive is the latest in a series of executive branch efforts to address U.S. cybersecurity in the public and private sectors.

On November 8, 2021, law enforcement agencies in both the United States and European Union announced that a series of actions, including a number of arrests, were taken against the Russia-linked ransomware group, “REvil.” The U.S. Department of Justice (the “DOJ”) unsealed documents relating to an August indictment against two individuals in Dallas for alleged involvement in REvil ransomware attacks against several U.S. businesses. The European authorities, Europol, also announced that police in Romania and South Korea had arrested five people alleged to be REvil affiliates.

On September 28, 2021, Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Government Affairs Committee, respectively, introduced a bipartisan bill (the “Bill”) that would require owners and operators of critical infrastructure to notify the Director of the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours of having a reasonable belief that a covered cyber incident has occurred. Additionally, the Bill would require most entities (including businesses with 50 or more employees) that make ransom payments following ransomware attacks to report those payments to the CISA within 24 hours of payment. Notably, any entity required to submit a ransom payment report would first be required to conduct a due diligence review of alternatives to paying ransom, including an analysis of whether recovery from the ransomware attack is possible through other means, before making such a ransom payment. Critical infrastructure owners and operators also would be required to provide supplemental reports to the CISA in light of new or different information becoming available. All entities subject to these requirements would face data preservation obligations.

On September 29 and 30, 2021, the U.S. Senate Committee on Commerce, Science and Transportation convened hearings on how to better protect consumer and children’s privacy.

On September 22, 2021, Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo released a joint statement on the Department of Homeland Security’s (“DHS’s”) issuance of preliminary Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives (the “Preliminary Goals”). As we previously reported, on July 28, 2021, the Biden Administration signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (the “Memo”), which instructed DHS to lead the development of cybersecurity performance goals for critical infrastructure firms. The Memo described the initiative as “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.”

On September 14 and 15, 2021, the National Institute of Standards and Technology (“NIST”) held a public workshop, as part of its effort to create a consumer labeling program to communicate the security capabilities of consumer Internet of Things (“IoT”) devices and software development practices, as mandated by the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. NIST, in coordination with the Federal Trade Commission  and other agencies, must identify the criteria and components of such a labeling program by February 6, 2022.

On September 14, 2021, the U.S. House Committee on Energy and Commerce (“E&C Committee”) voted in favor of a legislative recommendation that would create a new Federal Trade Commission privacy bureau as part of the proposed $3.5 trillion federal budget reconciliation package.

On September 13, 2021, President Biden is expected to nominate Alvaro Bedoya to the Federal Trade Commission. Bedoya would replace FTC Commissioner Rohit Chopra, who was earlier nominated, but has not yet been confirmed, as Director of the Consumer Financial Protection Bureau.

On July 21, 2021, a bipartisan group of Senators introduced the Cyber Incident Notification Act of 2021 (the “Act”). The Act would require federal government agencies, federal contractors and operators of critical infrastructure to notify the federal government in the event of a cybersecurity incident.

On July 20, 2021, the U.S. Department of Homeland Security’s (“DHS’s”) Transportation Security Administration (“TSA”) announced a new Security Directive (the “Second Directive”) requiring owners and operators of certain critical pipelines transporting hazardous liquids and natural gas to implement specific cybersecurity measures. This Second Directive builds on the TSA’s earlier directive of May 27, 2021, on which we previously reported.

On July 28, 2021, President Biden signed a National Security Memorandum entitled “Improving Cybersecurity for Critical Infrastructure Control Systems” (the “Memorandum”). The Memorandum formally establishes an Industrial Control Systems Cybersecurity Initiative and directs the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and the Department of Commerce’s National Institute of Standards and Technology (“NIST”), in collaboration with other agencies, to develop and issue cybersecurity performance goals for critical infrastructure. The Memorandum follows recent high-profile attacks on U.S. critical infrastructure, including ransomware attacks on Colonial Pipeline and JBS Foods.

On July 9, 2021, President Biden signed the Executive Order on Promoting Competition in the American Economy (the “Executive Order”). The stated goal of the Executive Order is to increase competition in the United States and resolve issues related to monopolistic behaviors, including with respect to privacy and data protection.

On July 12, 2021, Chris Inglis was formally sworn in as the first White House National Cyber Director. The newly established position, as well as the Office of the National Cyber Director, was created as part of the 2021 National Defense Authorization Act. Inglis, who previously served as the National Security Agency Deputy Director, was unanimously confirmed to the position by the Senate on June 17, 2021.

Read more on the Office of the National Cyber Director.

On July 8, 2021, Colorado Governor Jared Polis signed SB21-190, the Colorado Privacy Act (“the Act”), into law, making Colorado the third state to have a comprehensive data privacy law on the books, following California and Virginia. The Colorado House voted 57-7 in favor of the Act on June 7 after it had previously passed the Senate unanimously on May 26. The Senate voted unanimously to adopt the House’s amendments to the Act on June 8. The Act will go into effect on July 1, 2023, with some specific provisions going into effect at later dates.

On June 17, 2021, Senator Kirsten Gillibrand (D-NY) announced the reintroduction of the Data Protection Act of 2021 (the “bill”), which would create an independent federal agency, the Data Protection Agency, to “regulate high-risk data practices and the collection, processing, and sharing of personal data.” The bill was first introduced in 2020 and has since been revised to include updated provisions intended to protect against privacy harms, oversee the use of “high-risk data practices” and examine the social, ethical, and economic impacts of data collection.

On June 15, 2021, the U.S. Senate confirmed Lina Khan to the Federal Trade Commission by a vote of 69-28. Khan will fill the vacancy left by former Chairman Joseph Simons (R) who resigned from the FTC in January 2021.

On June 9, 2021, President Biden signed an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “EO” or “Biden EO”). The Biden EO elaborates on measures to address the national emergency regarding the information technology supply chain declared in 2019 by the Trump administration in Executive Order 13873. Simultaneously, the Biden EO also revokes three Trump administration orders (Executive Orders 13942, 13943 and 13971) that sought to prohibit transactions with TikTok, WeChat, their parent companies and certain other “Chinese connected software applications.” In their place, the Biden EO provides for (1) cabinet-level assessments and future recommendations to protect against risks from foreign adversaries’ (a) access to U.S. persons’ sensitive data and (b) involvement in software application supply and development; and (2) the continuing evaluation of transactions involving connected software applications that threaten U.S. national security.

On May 27, 2021, the U.S. Department of Homeland Security’s (“DHS”) Transportation Security Administration (“TSA”) announced a Security Directive (the “Directive”) that will impose new cybersecurity requirements on critical pipeline owners and operators.

On May 20, 2021, the U.S. Department of the Treasury announced a proposal that would require any cryptocurrency transaction of $10,000 or more to be reported to the Internal Review Service (“IRS”). As a supplement to President Biden’s American Families Plan, which focuses on investments in American children and families, the Treasury detailed the cryptocurrency reporting requirement and other tax compliance initiatives in a new report titled The American Families Plan Tax Compliance Agenda (the “Report”).

On April 12, 2021, the Biden administration announced it intends to nominate Chris Inglis, a former Deputy Director of the National Security Agency, to be the first U.S. National Cyber Director (“NCD”), subject to Senate confirmation. The newly established NCD position, which will serve as the President’s principal cybersecurity policy and strategy advisor, and the Office of the National Cyber Director (the “ONCD”) were created under the National Defense Authorization Act for Fiscal Year 2021 (the “NDAA”), which became law on January 1, 2021.

On January 21, 2021, President Biden designated Rebecca Kelly Slaughter as Acting Chair of the Federal Trade Commission.