By: Zachary A. Myers and Erin M. Prest
The data organizations collect and transmit continues to expand at a seemingly exponential rate. At the same time, the road to protect themselves and their stakeholders is constantly growing more difficult to navigate.
They must work to comply with a growing array of state, federal, and international laws, rules, and policies, which creates unseen obstacles that must be navigated to avoid damaging missteps. The first step is knowing what data you have. The next is to understand what you're doing with your data. Only then can you fully assess what legal requirements might apply and how to stay in compliance.
Federal laws and regulations are littered with various overlapping definitions of categories of information that may be subject to data security and privacy regulations. Does your business collect or transmit Personally Identifiable Information? Sensitive Financial Data? Protected Health Information? Educational Records? Children's Personal Information? Depending on whose data you have and where you are engaged in business, your data may fall within the scope of one or more of the many different definitions set forth by the nearly 20 states that have their own data privacy laws, and as of June 2025, Connecticut is one of them. These state-specific data privacy rules are in addition to the data security and breach laws in force in every U.S. state and territory.
Evolving federal requirements include the Department of Justice’s (DOJ) Data Security Program and the expiration of the Cybersecurity Information Sharing Act of 2015. The Data Security Program applies broadly to any U.S. companies, citizens, or organizations that engage in certain transactions with countries of concern or covered persons involving bulk U.S. sensitive personal or government-related data. As the DOJ itself explains, the National Security Division “expects U.S. persons to know their transactions and data. Specifically, U.S. persons should have awareness of the type and volume of their data and whether they maintain or deal in government-related data and bulk U.S. sensitive personal data.”
The definitions of sensitive data and government-related data are expansive under the rule and include bulk sensitive data that is anonymized, pseudonymized, de-identified, or encrypted in ways that might exempt that data from the application of other existing laws and regulations. The Program prohibits or restricts certain data transactions involving foreign data brokers as well as “countries of concern” and persons or entities controlled by them. As of now, these countries are China, Cuba, Iran, North Korea, Russia, and Venezuela.
In order to make sure they are in compliance, companies need to understand their data, their transactions, and their business partners. While the DOJ’s Data Security Program creates new obligations, they relate to those first steps that apply to every entity: know your data and know your transactions.
The same imperative to understand your data and how it is shared applies to how businesses share data with each other for the purposes of cybersecurity and threat detection. Until the end of September 2025, private sector entities had specific legal protections that encouraged sharing of cyber threat information within the private sector and with the federal government. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) created a legal framework for multilateral information sharing that allowed entities to learn from the lessons of others and be on the lookout for threats and indicators of compromise. It also provided an antitrust safe harbor for companies to share cybersecurity information directly with each other, and authorized companies to take defensive measures to detect, prevent, and mitigate cybersecurity threats. These protections expired on September 30, 2025, and were not renewed by Congress. During this period of lapse, companies need to return to the basics, making sure they review and, if needed, update log-on banners, employee policies, and privacy notices to ensure that they have consent to monitor and/or share the information they collect.
The road to comply with cybersecurity and data privacy obligations continues to wind, with new hills to climb and obstacles to avoid. To travel successfully, know what data you have, how to protect it, what data transactions you are engaging in, and what laws, policies, and regulations might apply.