What are the key features of the main laws and regulations governing digital transformation in your jurisdiction?

In the United States, digital transformation is governed by a sector-specific legal framework operating across both federal and state levels. Core regulatory pillars include privacy and data security, protections for children and vulnerable populations, subpoena and government request protocols, and risk management and governance expectations. The following overview outlines the principal legal contours that businesses must navigate, with obligations that vary significantly by sector, spanning financial services, health and health technology, education and edtech, telecommunications and technology platforms, media and adtech, critical infrastructure and public companies. Each of these domains constitutes a distinct legal discipline, often requiring specialised compliance strategies.

Federal regulatory landscape: general and sectoral obligations

Federal data security laws encompass both general industry enforcement mechanisms and sector-specific mandates:

  • General Industry Enforcement: The Federal Trade Commission (FTC), under section 5 of the FTC Act, establishes the baseline for data security and privacy. This includes requirements for reasonable security practices, true and non-deceptive privacy representations, operational alignment with published policies, vendor oversight, data minimisation and retention protocols, and effective incident response capabilities.
  • Public company obligations: The Securities and Exchange Commission (SEC) imposes cybersecurity disclosure requirements on public companies, including governance and strategy narratives in periodic filings, prompt reporting of material incidents, and scrutiny of consistency between operational controls and public disclosures.
  • Sector-specific regime examples:
    • Financial institutions: Must comply with the Gramm-Leach-Bliley Act (GLBA) Privacy and Safeguards Rules, which mandate privacy compliance as well as risk-based security controls, encryption (where feasible), multi-factor authentication, secure development practices, incident response planning and vendor oversight. There are also specialty laws such as the Fair Credit Reporting Act for the use of credit reporting data.
    • Health and healthTech entities: Are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules, requiring administrative, physical and technical safeguards, along with defined breach notification timelines.
    • Education providers and EdTech vendors: Must adhere to the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment, which restrict the use and disclosure of education records as well as provide notice and opt-out opportunities for sensitive topics.
    • Telecom providers: Are governed by Customer Proprietary Network Information (CPNI) rules and breach reporting obligations.
    • Technology platforms: Encounter the Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), which delineate rules for handling content versus non-content data and responding to government access requests.
    • Media and streaming services: Often fall under the Video Privacy Protection Act (VPPA), which imposes consent and retention requirements for viewing data.
    • Federal procurement and defence: Entities operating in these contexts must comply with narrower but impactful rules, including the Defense Federal Acquisition Regulation Supplement (DFARS), NIST SP 800-171 for Controlled Unclassified Information (CUI), and the Cybersecurity Maturity Model Certification (CMMC) program.

Other specialty privacy areas exist, such as driver's licence/motor vehicle data, employment privacy, public official/judicial data and marketing, but this is only a sample of federal privacy laws, where the sector of use and the data context dictate regulatory treatment.

State-level regulation: recently expanding privacy and security mandates

State privacy laws increasingly resemble GDPR-style frameworks, extending across broad segments of the US economy as a privacy rights framework (with some exemptions where federal sector-specific laws exist):

  • California’s CCPA/CPRA: Establishes expansive consumer rights (access, deletion, correction, portability), opt-outs for targeted advertising and data 'sale' or sharing, sensitive data protections, data minimisation and purpose limitation, recognition of universal opt-out signals, rulemaking for automated decision-making technologies, and mandatory processor contract terms.
  • Other states: Jurisdictions such as Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana and Delaware have adopted similar frameworks, with variations in applicability thresholds, sensitive data treatment, profiling opt-outs and requirements for data protection assessments.
  • Data broker regulation: States such as Vermont and California have implemented registration and transparency regimes for data brokers, with Oregon recently joining this trend.
  • Specialised state laws: Include Illinois’ Biometric Information Privacy Act (BIPA) and emerging consumer health data laws (eg, Washington), which regulate health inferences, geofencing, consent and deletion outside the scope of HIPAA. There are also specialty covered person (judicial officer, law enforcement, other public official) privacy protection laws at the state level causing class action activity.
  • General state laws used to enforce privacy rights: Several states have creatively applied existing legal doctrines to protect consumer privacy, such as trespass, intrusion upon seclusion and wiretap statutes. These traditional laws are being repurposed to address modern digital harms, allowing courts to recognise unauthorised data collection, surveillance and behavioural tracking as invasions of privacy.

Emerging legislation: artificial intelligence and automated decision-making

Legislative and regulatory attention is increasingly focused on artificial intelligence (AI) and automated decision-making technologies (ADMTs):

  • Key regulatory features: Include data minimisation, purpose limitation, opt-outs for profiling with legal or similarly significant effects, impact and risk assessments for high-risk processing, enhanced obligations for sensitive data, retention and use policies with permissioned access, and chain-of-custody controls for training and fine-tuning datasets.
  • Regulatory principles: Emphasise consumer protection, including non-discrimination, transparency, accuracy, human oversight and safe-by-design practices.
  • State and federal activity: California’s ADMT proposals and Colorado’s forthcoming high-risk AI duties complement federal frameworks such as the NIST AI Risk Management Framework (AI RMF) and sector-specific rules like New York City’s automated employment decision tool regulations.
  • Existing law: Traditional privacy and data security laws also apply to AI, and industry remains concerned with protecting consumer privacy and data integrity on these platforms.

Protections for children and vulnerable populations

Safeguards for vulnerable individuals are integral to the US digital regulatory landscape:

  • Children’s privacy: The Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent for data collection from children under 13 and restricts behavioural advertising without consent. State student privacy laws further limit profiling and targeted advertising in K-12 settings.
  • Minors’ online safety: Emerging statutes - some subject to ongoing litigation - signal a shift toward design-for-safety obligations (considering harmful content and behaviours such as trafficking, bullying, disordered eating and suicide ideation), as well as obligations to protect teens who fall outside COPPA protection (the 13-17 age block).
  • Elder protection: Financial institutions in many states are authorised to delay transactions and report suspected elder exploitation. Health and education sectors maintain tailored disclosure pathways for law enforcement and emergency scenarios.

Subpoena and government request handling

Legal obligations for responding to government requests are highly context-dependent and must be considered when digitising platforms (given that an organisation is often generating new data for law enforcement/legal requests):

  • Federal statutes: ECPA/SCA strictly regulate provider disclosures of content versus non-content data and establish procedural requirements for government demands. The Right to Financial Privacy Act governs federal access to customer financial records.
  • Sector-specific pathways: HIPAA and FERPA prescribe structured protocols for subpoenas, court orders and law enforcement disclosures.
  • State e-privacy laws: May impose additional warrant requirements or restrict compliance with out-of-state legal process.
  • Cloud and platform providers: Must implement disciplined request-handling programs that classify data types, authenticate requestors, scope productions, document legal bases and manage emergency disclosures within narrowly defined parameters.

Risk management and governance expectations: an increasing focus in the US

Regulatory expectations for risk management and governance are increasingly harmonised across sectors:

  • Core requirements: Include system and data inventorying, privacy-by-design principles, data protection impact assessments for high-risk processing, and third-party risk management (including sub-processor oversight and audit rights).
  • Cybersecurity programs: Should align with frameworks such as the NIST Cybersecurity Framework, encompassing identity and access management, encryption, vulnerability management, secure software development life cycles (SDLC), logging and detection, incident response planning and resilience measures.
  • Board, executive and management oversight: Regulators expect clear reporting lines, board and C-suite governance and ongoing training. Public company disclosures must accurately reflect operational practices, and concentration risk - including fourth-party dependencies - is subject to increasing scrutiny.

What are the most noteworthy recent developments affecting organisations’ digital transformation plans and projects in your jurisdiction, including any government policy or regulatory initiatives?

Recent regulatory developments shaping digital transformation

The US regulatory landscape is rapidly changing, marked by the continued proliferation of state-level privacy statutes that are steadily establishing a de facto '50-state' framework. This emerging mosaic mirrors the structure of existing breach notification regimes and reflects a growing consensus around baseline consumer data rights. Given the national reach of digital platforms, where websites and services are deployed instantaneously across jurisdictions, organisations are increasingly defaulting to the most stringent regulatory standard, typically California, and incrementally adapting their privacy programs to accommodate novel state-specific requirements as they arise.

California continues to lead in regulatory innovation, particularly in its refinement of rules governing automated decision-making and consent architecture. Concurrently, a growing number of states have enacted comprehensive privacy laws with divergent applicability thresholds, rights frameworks and compliance obligations. This regulatory patchwork necessitates the development of scalable, jurisdiction-agnostic governance models capable of supporting consistent rights fulfilment, opt-out mechanisms, recognition of universal opt-out signals, sensitive data classification and handling, and robust data protection assessments.

Sector-specific regulatory updates are equally consequential. The Securities and Exchange Commission (SEC) has introduced cybersecurity disclosure rules that require public companies to demonstrate disciplined governance, risk management and incident reporting. The New York Department of Financial Services (NYDFS) has revised its Cybersecurity Regulation, enhancing expectations for risk assessments and board oversight. Enforcement of the GLBA Safeguards Rule has matured, with regulators emphasising encryption, multi-factor authentication, and vendor oversight. HIPAA and HITECH breach enforcement remains active, and Washington State’s Consumer Health Data Act has expanded the scope of regulated health inferences beyond HIPAA, introducing consent and geofencing restrictions that directly impact adtech and analytics ecosystems.

Acceleration of AI-focused regulatory initiatives

Artificial intelligence (AI) and automated decision-making technologies (ADMTs) are receiving heightened legislative and regulatory attention. Federal guidance - including the National Institute of Standards and Technology’s AI Risk Management Framework (NIST AI RMF) and Office of Management and Budget directives for federal agencies - alongside state-level initiatives such as California’s proposed ADMT regulations and Colorado’s duties for high-risk AI systems, collectively emphasise the need for effective governance. Key regulatory principles include risk assessments, transparency, bias mitigation, human oversight, and accountability in training data governance. Agencies across jurisdictions have reiterated that existing consumer protection, anti-discrimination and sectoral laws apply to AI use, reinforcing the imperative for organisations to develop integrated AI governance programs that align privacy, security, safety and compliance across product and data life cycles.

Vendor and concentration risk in the spotlight

Recent high-profile outages and supply chain disruptions have elevated vendor and concentration risk as a critical governance concern. Boards, Chief Information Security Officers (CISOs) and risk committees are reassessing third-party risk management strategies, contractual safeguards, business continuity planning, telemetry and observability capabilities, and exit protocols. The increasing reliance on hyperscale cloud providers, endpoint protection platforms and identity infrastructure has underscored the potential for systemic exposure, prompting a shift toward more resilient and diversified operational architectures.

What are the key legal and practical factors that organisations should consider for a successful cloud and data centre strategy?

A successful cloud and data centre strategy requires strategic alignment between legal obligations and technical execution. Organisations must integrate compliance, resilience and operational efficiency into every layer of their cloud architecture. Key legal and practical factors include:

Governance and privacy foundations
  • Begin with accurate data mapping and classification, ensuring visibility into data types and flows.
  • Establish documented processing purposes and retention schedules.
  • Embed privacy-by-design principles into migration planning, infrastructure architecture and day-to-day operations.
Data protection and security controls
  • Implement encryption at rest and in transit, supported by strong key management (eg, BYOK/HYOK).
  • Enforce identity and access management using least privilege, multi-factor authentication and role-based access.
  • Apply network segmentation, logging and monitoring, vulnerability management and an SDLC with change control.
  • Maintain incident response plans with tested playbooks that reflect sectoral and state-specific notification requirements.
Access management
  • Address privileged access, just-in-time elevation, session monitoring and regular access reviews to reduce risk and ensure accountability.
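
The two lists above (data protection and security controls, and access management) describe what a cloud control baseline should contain without showing how an organisation would verify it. The following is an added example, not code from the original answer or from any cloud provider's tooling: a small Python checker that walks a constructed inventory of storage buckets and identities (the dict shapes, resource names and threshold values are assumptions made for the illustration, not any provider's real API output) and reports gaps against the controls named in the text: encryption at rest under a customer-managed key (the BYOK/HYOK expectation), TLS-only transport, access logging, multi-factor authentication, least privilege and stale-account review.

```python
"""Baseline control checks over a constructed cloud inventory.

Assumed data shape (constructed for this example, not any provider's real
API output): a list of storage buckets and a list of identities, each a dict.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    control: str
    detail: str


# Constructed sample inventory: values are illustrative, not from any real account.
BUCKETS = [
    {"name": "customer-records", "encryption": "customer-managed-key",
     "tls_only": True, "access_logging": True},
    {"name": "marketing-assets", "encryption": "none",
     "tls_only": False, "access_logging": False},
    {"name": "backups", "encryption": "provider-managed-key",
     "tls_only": True, "access_logging": True},
]

IDENTITIES = [
    {"name": "alice", "mfa": True, "roles": ["storage-reader"], "last_login_days": 3},
    {"name": "svc-etl", "mfa": False, "roles": ["*"], "last_login_days": 1},
    {"name": "bob", "mfa": True, "roles": ["billing-viewer"], "last_login_days": 140},
]


def check_bucket(bucket: dict) -> list[Finding]:
    """Encryption at rest, TLS in transit and logging checks for one bucket."""
    findings = []
    name = bucket["name"]
    if bucket["encryption"] == "none":
        findings.append(Finding(name, "encryption-at-rest", "bucket is not encrypted"))
    elif bucket["encryption"] != "customer-managed-key":
        # Provider-managed keys still encrypt the data, but the BYOK/HYOK
        # expectation (key held or controlled by the customer) is not met.
        findings.append(Finding(name, "key-management",
                                "encrypted with provider key; customer-managed key expected"))
    if not bucket["tls_only"]:
        findings.append(Finding(name, "encryption-in-transit", "plaintext access permitted"))
    if not bucket["access_logging"]:
        findings.append(Finding(name, "logging", "access logging disabled"))
    return findings


def check_identity(identity: dict, stale_after_days: int = 90) -> list[Finding]:
    """MFA, least-privilege and stale-account checks for one identity.

    stale_after_days is an assumed review threshold, not a regulatory figure.
    """
    findings = []
    name = identity["name"]
    if not identity["mfa"]:
        findings.append(Finding(name, "mfa", "multi-factor authentication not enforced"))
    if "*" in identity["roles"]:
        findings.append(Finding(name, "least-privilege", "wildcard role grants full access"))
    if identity["last_login_days"] > stale_after_days:
        findings.append(Finding(name, "access-review",
                                f"no login in {identity['last_login_days']} days"))
    return findings


def run_checks(buckets: list[dict], identities: list[dict]) -> list[Finding]:
    """Evaluate every resource and return all findings in inventory order."""
    findings = []
    for bucket in buckets:
        findings.extend(check_bucket(bucket))
    for identity in identities:
        findings.extend(check_identity(identity))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per control so a gap report can be produced."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_checks(BUCKETS, IDENTITIES)
    for f in results:
        print(f"{f.resource:18} {f.control:22} {f.detail}")
    print(summarize(results))
```

Run as a script, the checker lists seven findings for the constructed inventory (three for the unencrypted, unlogged marketing bucket, one key-management gap for the backup bucket, two for the wildcard service account without MFA and one stale-account review item). In practice the inventory would be populated from the provider's configuration export, and the per-control counts feed the data protection impact assessment and the periodic access review described above.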
Threat detection and endpoint protection
  • Combine intrusion prevention with multilayered detection and response capabilities (what the industry is calling XDR), system hardening and continuous monitoring.
Recovery and resilience planning
  • Define and document Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) in a business impact analysis in addition to a basic disaster recovery and business continuity plan.
  • Maintain immutable backups, offline or segmented snapshots, and conduct disaster recovery testing and tabletop exercises.
Regulatory alignment

For regulated sectors, ensure compliance with the applicable frameworks, for example:

  • FedRAMP or Government Cloud for federal data;
  • CJIS for law enforcement data;
  • IRS Publication 1075 for federal tax information;
  • DFARS/CMMC and NIST SP 800-171 for CUI; and
  • HIPAA BAAs and segmentation protocols for Protected Health Information (PHI).
Legal readiness and data governance
  • Integrate subpoena and government request playbooks into cloud architecture to prevent overcollection and overproduction.
  • Consider workload portability, exit strategies and multi-region deployments to mitigate concentration risk and support business continuity.