Compliance and risk management

The Transportation Security Administration (“TSA”) announced on July 21, 2022 that it is transitioning to a less prescriptive and more result-based approach in its revised emergency cybersecurity directive for critical gas and liquid pipeline companies. The Security Directive Pipeline-2021-02C (“SD02C”), effective July 27, 2022, represents a significant departure from the highly prescriptive requirements set forth in its predecessor directives (SD 2021-02A and SD 2021-02B) issued by the TSA last year.

A third regulator has recently entered into a proposed consent that includes a $500,000 fine based in part on a company’s retention of personal data for longer than it was needed. The first regulator was the French data protection authority, the CNIL, in 2021, which we wrote about here. The second regulator was the New York Attorney General in January of 2022, which we described here. And the third is the U.S. Federal Trade Commission, which issued a proposed consent with the current and former owners of CafePress on March 15.