Insights

Crowell attorneys have closely monitored developments related to the California Invasion of Privacy Act (“CIPA”). In particular, we have watched plaintiffs attempt to extend this wiretapping law to encompass website chatbot communications that are managed by third parties.

The flow of data across borders is essential to our global economy. As companies grow more and more dependent on cross-border data transfers to conduct business, two parallel legal trends have emerged:

Earlier this month the National Cyber Security Centre (“NCSC”) hosted CYBERUK, the UK government’s flagship cybersecurity event. On 7 May the NCSC launched their report “Impact of AI on cyber threat from now to 2027” (“Report”), whilst the Department for Science, Innovation and Technology (“DSIT”) published a new voluntary Software Security Code of Practice, (“Code”). Cybersecurity and AI are under the spotlight in the UK. Eyes are also on the recently unveiled US/UK trade agreement and the possibility of a further transatlantic tech-focused agreement to cement prior Technology and Data Partnership discussions to create a US/UK “digital bridge.”

On May 13, 2025, the Department of Commerce’s Bureau of Industry and Security (BIS) formally rescinded the Framework for Artificial Intelligence Diffusion interim final rule published by the Biden Administration, on the basis that it stifled innovation, was overly complex, and undermined U.S. diplomatic relations.

The Department of Defense (DoD) has released a memorandum establishing the DoD Organization-Defined Parameters (ODPs) for use in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision (Rev) 3. Currently, DoD’s cybersecurity regimes require government contractors to comply with NIST SP 800-171 Rev. 2. However, the release of this memorandum may indicate DoD’s intention to soon incorporate Rev. 3 into DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cybersecurity Maturity Model Certification (CMMC).

On April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance regarding the implementation and enforcement of the newly enacted final rule, “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” now referred to as the Data Security Program (DSP). The release included an Implementation and Enforcement Policy, a Compliance Guide, and Frequently Asked Questions (FAQs). Collectively, these documents are designed to help entities subject to the DSP understand and comply with the obligations set out under the Final Rule.

On April 3, 2025, the United States Department of Justice’ Antitrust Division hosted a forum on “Big-Tech Censorship” in which key Trump Administration Officials announced their desire to reform, or entirely overhaul, Section 230 of the Communications Decency Act. In March 2025, we wrote about the Federal Trade Commission’s (FTC) inquiry into “tech censorship” and its associated request for public comments from those who “may have been harmed by technology platforms that limited their ability to share ideas or affiliations freely and openly.” That RFI remains open, and its deadline is May 21, 2025.

On March 26, 2025, the Department of Justice (DOJ) announced that defense contractor MORSECORP Inc. (MORSE) will pay $4.6 million to settle allegations that MORSE violated the False Claims Act (FCA) by failing to comply with cybersecurity requirements and subsequently submitting false or fraudulent claims for payment in its contracts with the Departments of the Army and Air Force. This is the first FCA settlement that is based on a defense contractor’s failure to reevaluate and promptly update its self-assessment score in the Supplier Performance Risk System (SPRS) after a third-party assessment resulted in a lower score.

On March 12, 2025, the Government of Canada announced plans to launch the Canadian Program for Cyber Security Certification (CPCSC). CPCSC is a cybersecurity compliance verification program that aims to protect sensitive unclassified government information handled by Canadian government contractors and subcontractors within Canada’s defense sector. Canada will roll out CPCSC to contractors in four phases, with the first phase launching this month.

On March 24, 2025, the Federal Risk and Authorization Management Program (FedRAMP) unveiled “FedRAMP 20x,” a proposal to make FedRAMP more efficient by automating FedRAMP security assessments and continuous monitoring, simplifying required technical controls, and leaning on industry to provide tooling and solutions to support automation. 

On March 12, the California Consumer Privacy Protection Agency (“Agency”) announced it had entered into a settlement (“Settlement”) with American Honda Motor Company (“Honda”) to resolve the Agency’s claims that Honda violated the California Consumer Privacy Act (“CCPA”). The total fine to be paid by Honda is $632,500. The investigation came out of the Agency’s Enforcement Division’s focused review of privacy practices of connected vehicles and related technologies announced in July 2023. That review highlighted vehicles with embedded features such as location sharing, smartphone integration, and cameras, and we expect more automotive related Agency settlements to be issued in the near future.

On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a ruling about the requirements on data controllers to respond to data access requests regarding an automated decision-making system. In particular, the CJEU interpreted the meaning (under Article 15(1)(h) GDPR) of the phrase “meaningful information about the logic involved” in automated decision-making. Importantly, the ruling also separately addressed how to balance data access rights with the protection of the controller’s trade secrets, when the protection of trade secrets is invoked under Article 15(4) as a reason not to disclose a copy of personal data in an access request.

On February 20, 2025, the Securities and Exchange Commission (SEC) announced the formation of the Cyber and Emerging Technologies Unit, known as “CETU,” which will replace the Crypto Assets and Cyber Unit (“CACU”).

On February 20, 2025, the Federal Trade Commission launched an “inquiry” into “tech censorship” by calling for public comments from those who “may have been harmed by technology platforms that limited their ability to share ideas or affiliations freely and openly.” The deadline for comments is May 21, 2025.

FY 2024 saw continued growth in False Claims Act enforcement, with a record year for new qui tam and government-initiated actions, and the highest total recovery in three years. Enforcement of pandemic-related fraud and cybersecurity noncompliance increased, and health care, procurement, and small business fraud violations were again priority areas. A groundbreaking opinion from the District Court for the Middle District of Florida may have teed up a potentially landscape-shifting decision about the viability of the qui tam mechanism in the not too distant future. And a landmark administrative law decision at the U.S. Supreme Court may impact many FCA cases to come. Significant decisions regarding retaliation, excessive fines, the first-to-file rule, and the public disclosure bar were also handed down by courts of appeals. Crowell attorneys discuss these highlights and others in a “Feature Comment” published in The Government Contractor.

On Friday, February 21, Rep. Brett Guthrie (R-KY) and Rep. John Joyce (R-PA), the Chairman and Vice Chairman of the U.S. House Committee on Energy and Commerce, issued a Request for Information (RFI) inviting stakeholders to provide comment as the Committee explores the development of a federal data privacy and security framework. After efforts to consider a bipartisan and bicameral bill failed last year under former Chair Cathy McMorris Rodgers (R-WA), Chairman Guthrie is starting the effort anew, forming a working group with the goal of developing comprehensive legislation “that can get across the finish line.”

As digitalization has become more ubiquitous and attacks surfaces widened, the number of cyberattacks have correspondingly increased. In 2024, ransomware attacks in particular grew in their frequency and impact. In an effort to enact more stringent policy approaches, governments introduced over 170 data protection laws between 2023 and 2024. With not a single company immune from these regulatory winds, industry must keep a close watch.

Amidst a flurry of executive cost-cutting, the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification program—often known just as “CMMC”— appears to be defying the odds and only picking up steam. Marking the first CMMC developments under the new administration, the DoD has published guidance that previews what to expect once CMMC is finalized. These developments suggest that the current administration intends to pick up where it left off, having first introduced the CMMC program during President Trump’s first term.

On February 18, President Trump issued an Executive Order titled “Ensuring Accountability for All Agencies” that directs independent agencies (as well as Cabinet Departments and their sub-agencies) to route all “proposed and final significant regulatory” and budgetary actions through the White House and the Office of Management and Budget. If implemented to its full extent, this action will significantly strengthen the authority of the White House by weakening the political autonomy of these independent agencies. As an assertion of the President’s inherent powers under Article II of the U.S. Constitution, it also stands to weaken congressional influence over these independent agencies, both through the appropriations and confirmation processes.

Crowell Global Advisors joined the industry delegation to the 5thASEAN Digital Ministers’ Meeting (ADGMIN) hosted by Thailand from January 16-17, 2025. The official theme for this year was “Secure, Innovative, Inclusive: Shaping ASEAN’s Digital Future,” with a focus on promoting safe adoption of emerging technologies by ASEAN Member States (AMS).