Heather K. Hatfield, R. Blake Runions, Jamie L. Godsey: Best Practices to Ensure Compliance with Upcoming Data Protection Regulations

Extract from Heather K. Hatfield, R. Blake Runions, and Jamie L. Godsey’s article “Best Practices to Ensure Compliance with Upcoming Data Protection Regulations”

The Department of Justice (“DOJ”) is wasting no time in implementing the new cyber-security Executive Order (the EO), signed on February 28, 2024. As explained in our April 2024 blog post, the EO aims to protect Americans’ data security and is set to take effect next year. Within a week after it was signed, the DOJ (1) initiated the notice and comment process by issuing an Advance Notice of Proposed Rulemaking, (2) began developing enforcement and compliance regulations, and (3) started ramping up staffing and resources to include dozens of new attorneys and non-attorneys, a larger FIR Compliance and Enforcement Unit, and a new Deputy Chief for National Security Data Risks.

According to Assistant Attorney General Matthew G. Olsen, the enforcement and compliance regulations will have “real teeth” and be backed by a “full suite” of civil, criminal, investigatory, and subpoena authorities. As with other anti-corruption and compliance initiatives, the DOJ intends to focus on voluntary compliance and expects companies to develop risk-based compliance programs. Each company’s compliance program should be tailored to its individual risk profile based on the company’s size and sophistication, products and services, customer base, and business location.

So what can companies do now to be prepared when the regulations take effect next year?


ACEDS