A new Insight published by our Morgan Lewis colleagues highlights the complex legal landscape data centers face in the United States, particularly concerning cybersecurity, privacy, and national security. Cybersecurity preparedness and data privacy are now a critical focus for data centers. However, unlike Europe, the US lacks a comprehensive data privacy statute, requiring data centers to navigate a patchwork of federal, state, and industry-specific regulations.
At a high level, navigating this framework requires implementing robust administrative, technical, and physical safeguards, executing data processing agreements, and supporting clients in responding to individual privacy requests. However, the legal obligations of applicable law may extend as far down as contractual requirements, adding a level of granularity to cybersecurity and data privacy compliance that extends beyond typical statutory compliance measures. Furthermore, regulatory entities such as the Securities and Exchange Commission have heightened their cybersecurity disclosure expectations, requiring public companies to disclose material cybersecurity incidents and include expanded disclosures in their annual reports.
Additionally, federal authorities are scrutinizing data centers within the scope of national security. New rules promulgated by the US Department of Justice restrict data-related transactions involving foreign entities and expand oversight of the technology supply chain. Data centers must be well-versed in export controls, ownership rules, and national security policies to maintain compliance with these new rules and regulations.
Overall, cybersecurity and privacy have become not only legal requirements but also strategic imperatives for data centers, necessitating that data centers stay informed and proactive to ensure compliance and protect their operations. Tech & Sourcing @ Morgan Lewis will continue to monitor these challenges as they evolve.