Data breach notification
Data breach notification obligations for Technology, AI and Competition companies are tightening on multiple fronts simultaneously. The Federal Trade Commission has expanded its Safeguards Rule breach reporting requirements, the European Data Protection Board continues issuing binding guidance on 72-hour notification timelines under GDPR Article 33, and the Cybersecurity and Infrastructure Security Agency is pressing sector operators under new CIRCIA incident reporting rules that carry their own separate clock. Compliance teams are currently reconciling at least three overlapping notification windows across jurisdictions, each with different triggering thresholds and recipient lists.
Watch
- CIRCIA proposed rules: final rulemaking timeline and covered entity scope for tech firms
- FTC Safeguards Rule: which non-banking tech companies now fall under its breach notice trigger
- EDPB enforcement pattern on 72-hour GDPR notifications when AI systems are the breach vector
- State AG activity: California, New York breach notice laws diverging from federal floors
Recent material activity in Technology, AI & Competition
- NIST releases updated AI Risk Management Framework companion guide for critical infrastructure
NIST published AI RMF 1.1 companion guidance specifically addressing AI deployment in critical infrastructure sectors including energy, financial services, and healthcare. The guide introduces mandatory risk assessment c…