Issue link: https://nebusinessmedia.uberflip.com/i/1540922
HARTFORDBUSINESS.COM | NOVEMBER 3, 2025

Cybersecurity & Data Privacy: Sector-Specific Laws, the DOJ's Data Security Program, and the Lapse of CISA 2015 – Oh My!

By Zachary A. Myers and Erin M. Prest
Sponsored Content

The data organizations collect and transmit continues to expand at a seemingly exponential rate. At the same time, the road to protecting themselves and their stakeholders grows more difficult to navigate. They must comply with a growing array of state, federal, and international laws, rules, and policies, which create unseen obstacles and the risk of damaging missteps.

The first step is knowing what data you have. The next is understanding what you are doing with that data. Only then can you fully assess which legal requirements apply and how to stay in compliance.

Federal laws and regulations are littered with overlapping definitions of the categories of information that may be subject to data security and privacy regulation. Does your business collect or transmit Personally Identifiable Information? Sensitive Financial Data? Protected Health Information? Educational Records? Children's Personal Information? Depending on whose data you hold and where you do business, your data may fall within the scope of one or more of the many different definitions set forth by the nearly 20 states that have their own data privacy laws; as of June 2025, Connecticut is one of them. These state-specific data privacy rules are in addition to the data security and breach notification laws in force in every U.S. state and territory.

Evolving federal requirements include the Department of Justice's (DOJ) Data Security Program and the expiration of the Cybersecurity Information Sharing Act of 2015. The Data Security Program applies broadly to any U.S. companies, citizens, or organizations that engage in certain transactions with countries of concern or covered persons involving bulk U.S. sensitive personal data or government-related data.

As the DOJ itself explains, the National Security Division "expects U.S. persons to know their transactions and data. Specifically, U.S. persons should have awareness of the type and volume of their data and whether they maintain or deal in government-related data and bulk U.S. sensitive personal data." The definitions of sensitive data and government-related data are expansive under the rule and include bulk sensitive data that is anonymized, pseudonymized, de-identified, or encrypted in ways that might exempt that data from the application of other existing laws and regulations. The Program prohibits or restricts certain data transactions involving foreign data brokers as well as "countries of concern" and persons or entities controlled by them. As of now, these countries are China, Cuba, Iran, North Korea, Russia, and Venezuela. To make sure they are in compliance, companies need to understand their data, their transactions, and their business partners. While the DOJ's Data Security Program creates new obligations, they relate to the first steps that apply to every entity: know your data and know your transactions.

The same imperative to understand your data and how it is shared applies to how businesses share data with each other for cybersecurity and threat detection. Until the end of September 2025, private sector entities had specific legal protections that encouraged sharing of cyber threat information within the private sector and with the federal government. The Cybersecurity Information Sharing Act of 2015 (CISA 2015) created a legal framework for multilateral information sharing that allowed entities to learn from the lessons of others and be on the lookout for threats and indicators of compromise. It also provided an antitrust safe harbor for companies to share cybersecurity information directly with each other, and authorized companies to take defensive measures to detect, prevent, and mitigate cybersecurity threats. These protections expired on September 30, 2025, and were not renewed by Congress. During this period of lapse, companies need to return to the basics, making sure they review and, if needed, update log-on banners, employee policies, and privacy notices to ensure that they have consent to monitor and/or share the information they collect.

The road to compliance with cybersecurity and data privacy obligations continues to wind, with new hills to climb and obstacles to avoid. To travel successfully, know what data you have, how to protect it, what data transactions you are engaging in, and what laws, policies, and regulations might apply.

ZACHARY A. MYERS, Partner, zmyers@mccarter.com
ERIN M. PREST, Partner, eprest@mccarter.com
www.mccarter.com

