The May Regulatory Roundup



2022 is well underway and regulatory changes are moving right along as well! So, let’s take a look at some recent regulatory changes.


What Happened?

  • In light of substantial increased cybersecurity risk in the wake of Russia's invasion of Ukraine, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) on March 15, 2022. CISA will have 2 years after the passage of the bill to create a proposed rule and another 18 months after the proposed rule's publication to create a final rule. This means it could take up to 3 years for the law to go into effect.

What Does This Mean?

  • CIRCIA requires owners and operators of critical infrastructure to report cyber incidents within 72 hours and ransom payments within 24 hours to the CISA. The passage of CIRCIA continues a growing trend towards faster reporting obligations to federal regulators.

What Should My Organization Be Doing?

  • The new reporting requirements will affect several sectors of the economy, including the chemical industry, commercial facilities, communications, manufacturing, financial services, food and agriculture, healthcare, information technology, energy, and transportation.  Therefore, organizations in regulated fields should be proactively ensuring that they are not only prepared to report, but that their cybersecurity programs are properly documented and will hold up to higher levels of scrutiny.

Human Rights

What Happened?

  • On February 23, 2022, the European Commission issued its long-awaited Proposal for a Directive on Corporate Sustainability Due Diligence (“the Proposed Directive”) to tackle human rights and environmental impacts across global supply chains.

What Does This Mean?

  • If passed, the Proposed Directive would impose a corporate due diligence duty on large EU companies and subsidiaries—as well as smaller companies in certain "high risk" areas—to identify and take steps to prevent and remediate any actual or potential adverse human rights or environmental impacts within their operations or supply chains.

Is My Organization Affected?

  • If passed, the Proposed Directive will apply to both EU organizations as well as non-EU organizations, including US organizations, if that organization makes 150 million Euros or more in the EU (or 40 million Euros or more in EU if operating in certain high-risk sectors). Moreover, organizations who don’t directly operate in the EU may still see increased scrutiny in their supply chain and business practices if doing business with an organization that must adhere to the Proposed Directive.

What Should My Organization Be Doing?

  • While the Proposed Directive has not yet been passed, now would be the perfect time for organizations to start analyzing their supply chains and those of their subsidiaries to ensure they're free from human rights and environmental concerns. Additionally, organizations should review their policies and integrate human rights and environmental due diligence processes and procedures where necessary.

Employment Law Changes to Watch Out For

As more people begin to return to the physical workplace, we’re seeing more and more legislation aimed at protecting workers on both a Federal and state level. Here’s a piece of legislation that has recently passed:


  • On March 3, 2022, the Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act (the “Act”) was signed into law. The Act applies to all claims after March 3, 2022, regardless of the date of the arbitration/employment agreement. It does not, however, affect any claim that arose or accrued before March 3, 2022.
  • Organizations should take note of the new law and ensure that employment agreements are drafted and interpreted accordingly. Additionally, organizations should review their employee handbooks and other policies around harassment, discrimination, and sexual harassment and ensure that proper reporting, investigation, and non-retaliation protocols are in place. Finally, organizations should communicate their values and policies around preventing discrimination and harassment to their employees and empower them to reach out to their managers or other appropriate internal resources about any improper behavior that they witness, suspect, or learn about.

New York

  • Last year, the New York City Council passed the New York City Pay Transparency Law (the “Law”). The Law requires NYC organizations with four or more employees to include the salary range for positions in job postings.
  • Within their organizations, NYC employers should update their postings for jobs, promotions, or transfer opportunities to include the necessary salary information. Additionally, be sure to review any related documents (e.g., compensation policies) to make sure that salary representations are consistent with those ranges listed in the postings. Finally, hiring managers, recruiters, and employees in Human Resources should be made aware of and, if necessary, be trained to ensure they're complying with the new law.

US Data Privacy Laws - Update

As we continue to monitor pending or soon-to-be-filed data privacy legislation, like the CCPA/CPRA (California), we have other data privacy bills that are moving right along:


  • On April 20, 2022, Connecticut moved one step closer to enacting consumer data privacy legislation with a bill generally modeled on the Colorado privacy act. The bill now moves to the house floor.


  • The Virginia Consumer Data Protection Act (VCDPA) is now finalized ahead of its January 1, 2023, effective date. On April 11, 2022, the Virginia Governor signed three VCDPA amendments into law. These amendments did the following three things:
    • Added a new exemption to the VCDPA’s right to delete
    • Redirected penalties, fines, and fees resulting from noncompliance
    • Changed the VCDPA’s definition of nonprofit
      • These three additions will go into effect July 1, 2022. The VDCPA will still go into effect January 23, 2023.

We will continue to keep an eye on these bills—as well as other states' proposed data privacy legislation—and will update you with new developments.

As regulatory changes pick up speed as the year continues on, we at True Office Learning are committed to helping you stay on top of regulatory movement and changes that could affect your organization. Till next time!


Take the Compliance Maturity Assessment


Subscribe Here!