PH Privacy
Cybersecurity Compliance in the New Administration
June 26, 2025
By Brianne B. Powers
Last month, Paul Hastings sponsored the Cybersecurity Law Workshop at the Spring Privacy & Security Forum held at George Washington University in Washington, D.C. The Cybersecurity Law Workshop featured three panels of experts from both the public and private sectors who offered insight into the various cybersecurity issues businesses face on a day-to-day basis.
The second panel, “The Rulebook Reloaded: Tackling Cybersecurity Compliance in a New Administration,” was moderated by Jeremy Berkowitz, senior director and deputy chief privacy officer at Paul Hastings, and featured panelists Jason Sarfati, chief privacy officer and legal VP at Unacast, and Emily Coyle, president of the Cyber Governance Alliance.
Noting the strong shift towards a focus on national security, which appears to have both bipartisan and state-level support, the panelists highlighted three areas of cybersecurity regulation to watch in the coming months.
CISA Cybersecurity Incident Reporting Rulemaking Likely at Risk
In April 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released proposed regulations for expansive new cybersecurity incident and ransomware payment reporting across sixteen “critical infrastructure sectors,” including financial services, information technology, transportation, and energy and water utilities, among others. CISA has 18 months from that date to publish a final rule.
While a final rule would help provide a guidepost for the current patchwork of incident response reporting requirements, it is unclear whether the new administration will continue to advance the proposed regulations. According to the panelists, there is some feeling that the proposed regulations go too far and apply too broadly — if everything is considered critical infrastructure, then nothing is critical infrastructure. There is also a strong push from the new administration for the states to individually update or enact their own data breach reporting laws. This is something to watch over the next six months.
Bulk Data Transfers Rule Advances Goal of National Security for New Administration
On the other hand, the Department of Justice (DOJ) and CISA Final Rule for regulating the export of bulk sensitive data did go into effect on April 8, 2025, and the DOJ shortly after offered guidance and FAQs regarding implementation. The Final Rule does align with the administration’s focus on national security and regulates certain categories of prohibited and restricted transactions involving bulk sensitive personal data between U.S. persons and persons/entities with a nexus to specified countries of concern (namely China — including Hong Kong and Macau — Cuba, Iran, North Korea, Russia and Venezuela). “Bulk sensitive personal data” covers a broad range of sensitive personal data categories that meet established threshold amounts, such as precise geolocation, personal health data, biometric identifiers, human ‘omic data, personal financial data and covered personal identifiers.
The panelists emphasized the need for businesses to always know where their data is being transferred and to implement contractual requirements or to receive declarations from the vendor about their headquarters, their operations and their own vendors. Time will tell, however, whether enforcement will be easy or practical given the broad exchange of information in support of an international economy and relations with the countries of concern.
HIPAA Privacy and Security Notice of Proposed Rulemaking — ‘Wait and See’
Finally, the panelists briefly discussed the likelihood that the HIPAA Security Notice of Proposed Rulemaking (NPRM) proposed late last year will move forward. The proposed rules would significantly modify the current HIPAA Security Rule by making controls that are “addressable” required, forcing compliance audits every 12 months and the development of an asset inventory of ePHI, and imposing new requirements for security risk assessments. However, according to the panelists, because the proposed rules do not significantly impact national security, they seem likely to be a lower priority for the new administration. Particularly given the administration’s focus on healthcare, revisions to the HIPAA Privacy Rule may come first.
Key Takeaway — Plan for Compliance Assessments and Reporting Obligations Now
In an effort to help streamline compliance with the various cybersecurity and privacy laws and regulations, the panelists advised businesses to (i) focus their assessment processes on a single quarter of the year, every year; (ii) ensure that the assessment is broad enough to cover all of the business’s requirements (and expand to include requirements from federal, state, local or sector-specific laws and regulations); and finally, (iii) carefully monitor the reporting made to regulatory authorities — only give them what is required to meet the reporting obligations.
Our Privacy and Cybersecurity practice regularly advises companies on key cybersecurity and privacy assessment processes and regulatory reporting obligations. If you have any questions concerning these issues or any other data privacy or cybersecurity developments, please do not hesitate to contact any member of our team.