
Thursday, April 10, 2025

Modernizing National Security: The Urgent Need to Revamp EO 13549 in 2025

 




Adapting Classified Information Sharing for a New Era of Threats and Technology











In 2010, Executive Order 13549, signed by President Obama and published in the Federal Register on August 23, 2010, established a framework for sharing classified national security information with state, local, tribal, and private sector (SLTPS) entities. Designed to unify policies under the Department of Homeland Security (DHS), it aimed to strengthen post-9/11 collaboration against terrorism and other threats. As of April 10, 2025, however, the landscape of national security has shifted dramatically—from quantum computing breakthroughs to state-sponsored cyberattacks—rendering this framework outdated. This article argues that EO 13549 requires a comprehensive overhaul to align with contemporary technological advancements, evolving threats, and new legal mandates, ensuring SLTPS entities can effectively safeguard classified information. Below, I outline key reasons for this necessity, supported by credible sources, with proper citations to acknowledge the foundational work of others.

Why EO 13549 Needs a Comprehensive Overhaul

  • Technological Advancements Outstrip 2010 Protocols
    The digital world of 2010 pales in comparison to 2025’s ecosystem, where cloud computing, IoT devices, and quantum computing dominate. Statista reports over 15 billion IoT devices globally in 2025 (Statista, “IoT Connected Devices Worldwide,” 2025). EO 13549’s directive for DHS to enforce “uniform policies” lacks guidance on modern security measures like post-quantum cryptography or zero-trust architectures, detailed in NIST’s Special Publication 800-207 (National Institute of Standards and Technology, 2020). Without updates, SLTPS entities risk using obsolete encryption, exposing classified data to breaches, as highlighted by CISA’s 2024 quantum threat assessments (Cybersecurity and Infrastructure Security Agency, “Preparing for Post-Quantum Cryptography,” 2024).
  • Sophisticated Cyber Threats Require Dynamic Sharing
    Threats have escalated since 2010, with state actors like Russia and China employing AI-driven cyberattacks—evidenced by CISA’s 2024 alerts on grid vulnerabilities (CISA, “2024 Threat Assessment,” 2024). EO 13549 prioritizes procedural consistency over real-time threat intelligence sharing. The 2021 Colonial Pipeline ransomware attack, costing $4.4 million in ransom (U.S. Department of Justice, “Colonial Pipeline Recovery,” June 7, 2021), exposed federal-local coordination gaps. An overhaul could mandate instantaneous data exchange, drawing from CISA’s Automated Indicator Sharing model (CISA, “AIS Overview,” 2025), to counter threats more effectively.
  • Misalignment with Contemporary Legal Frameworks
    The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates 72-hour cyber incident reporting to CISA (Public Law 117-103, March 15, 2022), overlapping with EO 13549’s DHS-centric structure. The 2018 Cybersecurity and Infrastructure Security Agency Act further elevated CISA’s role (Public Law 115-278, November 16, 2018), yet EO 13549 remains unchanged since 2010. This misalignment confuses SLTPS entities, as noted in a 2023 GAO report on overlapping federal directives (Government Accountability Office, “Cybersecurity Coordination Gaps,” 2023). An update could harmonize these frameworks, clarifying compliance and leveraging CISA’s authority.
  • Globalized Security Demands Broader Coordination
    National security in 2025 is global, with attacks like SolarWinds (FireEye, “SolarWinds Supply Chain Attack,” December 13, 2020) showing international vulnerabilities. EO 13549’s domestic focus omits protocols for collaboration with allies, such as the EU’s NIS2 Directive, effective 2024 (European Union, “Directive 2022/2555,” October 27, 2022). Updating the order to align with global standards would bolster SLTPS defenses against cross-border threats, a gap unaddressed in its original text.
  • Workforce and Training Gaps Hinder Implementation
    EO 13549 relies on DHS for uniform training, but a 2023 DHS report cites persistent cybersecurity skill shortages among local governments (DHS, “State and Local Cybersecurity Grant Program Report,” 2023). Phishing attacks, up 30% since 2022 per Verizon’s Data Breach Investigations Report (Verizon, “2024 DBIR,” 2024), exploit these gaps. An updated order could mandate tailored training, integrating CISA resources and NIST’s Cybersecurity Framework (NIST, “Cybersecurity Framework 2.0,” 2024), to ensure SLTPS personnel can protect classified data.

The Case for Action in 2025
EO 13549 bridged federal-SLTPS collaboration in 2010, but its rigidity is now a vulnerability. Cybersecurity Ventures forecasts $10.5 trillion in global cybercrime losses for 2025 (Cybersecurity Ventures, “2025 Cybercrime Report,” 2025), and national security demands agility against threats unimaginable in 2010. SLTPS entities need modernized rules to handle classified data amid quantum risks and AI attacks. Recent federal actions, like Trump’s January 2025 EO rescissions, show willingness to adapt (White House, “Executive Actions,” January 20, 2025). An overhauled EO 13549 could unify CISA’s leadership, NIST’s standards, and breach lessons, creating a 2025-ready strategy. Ohio AG Dave Yost’s 2025 crypto scam recoveries (Ohio Attorney General, “Crypto Fraud Recovery,” April 10, 2025) exemplify state-level vigilance—imagine that amplified federally. Inaction isn’t an option; our nation’s security depends on it.


Sources
  • CISA. “2024 Threat Assessment.” 2024.
  • CISA. “Automated Indicator Sharing Overview.” 2025.
  • CISA. “Preparing for Post-Quantum Cryptography.” 2024.
  • Cybersecurity Ventures. “2025 Cybercrime Report.” 2025.
  • DHS. “State and Local Cybersecurity Grant Program Report.” 2023.
  • European Union. “Directive 2022/2555 (NIS2).” October 27, 2022.
  • FireEye. “SolarWinds Supply Chain Attack.” December 13, 2020.
  • Government Accountability Office. “Cybersecurity Coordination Gaps.” 2023.
  • National Institute of Standards and Technology. “SP 800-207: Zero Trust Architecture.” 2020.
  • NIST. “Cybersecurity Framework 2.0.” 2024.
  • Ohio Attorney General. “Crypto Fraud Recovery.” April 10, 2025. ohioattorneygeneral.gov.
  • Public Law 115-278. “Cybersecurity and Infrastructure Security Agency Act.” November 16, 2018.
  • Public Law 117-103. “Cyber Incident Reporting for Critical Infrastructure Act.” March 15, 2022.
  • Statista. “IoT Connected Devices Worldwide.” 2025.
  • U.S. Department of Justice. “Colonial Pipeline Recovery.” June 7, 2021.
  • Verizon. “2024 Data Breach Investigations Report.” 2024.
  • White House. “Executive Actions.” January 20, 2025.

Monday, March 24, 2025

18,000 New Jersey Law Enforcement Class Action Against LexisNexis: A Battle Over Privacy and Retaliation




How LexisNexis’s Alleged Retaliation Against Law Enforcement Exposed a Clash Between Data Practices and Privacy Rights



In March 2024, a significant legal battle emerged in New Jersey as over 18,000 law enforcement personnel, including active and retired officers, prosecutors, and judges, filed a class-action lawsuit against LexisNexis Risk Data Management, LLC. The plaintiffs accused the data analytics giant of retaliating against their attempts to protect their personal information under New Jersey’s Daniel’s Law by imposing unauthorized credit freezes and falsely reporting them as identity theft victims. This case, while not stemming from a traditional data breach, has raised serious questions about LexisNexis’s handling of sensitive data and its compliance with state privacy laws, potentially exposing vulnerable individuals to further risks.

Background: Daniel’s Law and Privacy Rights
Daniel’s Law, enacted in New Jersey in November 2020 (P.L. 2020, c. 125) and later amended in 2023 (P.L. 2023, c. 113), was a response to the tragic murder of Daniel Anderl, the son of U.S. District Judge Esther Salas, by a gunman who targeted her family using publicly available personal data. The law prohibits the disclosure of home addresses and unpublished telephone numbers of “covered persons”—active or retired judicial officers, law enforcement officers, prosecutors, and their immediate family members—upon their written request. It mandates that data brokers like LexisNexis remove such information within 10 business days of receiving a takedown request, with penalties including damages of at least $1,000 per violation, plus punitive damages and attorney fees.

The plaintiffs, many of whom had invoked their rights under Daniel’s Law between December 2023 and January 2024, sought to shield their personal details from public exposure, citing safety concerns inherent to their professions. However, instead of complying fully, LexisNexis allegedly took punitive actions that disrupted their financial lives.

Details of the Allegations
According to the lawsuit filed on March 4, 2024, in Bergen County Superior Court (Case No. BER-L-001424-24), LexisNexis retaliated against the plaintiffs’ data removal requests in two major ways:

  1. Unauthorized Credit Freezes: LexisNexis allegedly placed security freezes on the plaintiffs’ credit reports without their consent. These freezes, intended to prevent identity theft by blocking access to credit files, were not requested by the plaintiffs and were unrelated to Daniel’s Law compliance. The company reportedly informed the affected individuals via letters that these freezes could “delay, interfere with, or prohibit the timely approval of applications” for credit, insurance, or other services—consequences the plaintiffs argue were retaliatory and harmful.
  2. False Identity Theft Reports: In addition to the freezes, LexisNexis is accused of falsely reporting the plaintiffs as victims of identity theft to credit bureaus. This misrepresentation allegedly tarnished their credit histories, potentially affecting their ability to secure loans, mortgages, or employment. The lawsuit claims these reports were “complete fabrications” designed to punish the plaintiffs for exercising their legal rights.

The complaint further alleges that LexisNexis failed to remove the requested personal information—such as names, home addresses, and detailed family reports, including data on minor children as young as 13—from its databases. Instead, it continued to make this information available to subscribers, violating Daniel’s Law. When plaintiffs contacted LexisNexis to lift the freezes or correct the false reports, the company reportedly acknowledged the potential adverse impacts but refused to act promptly, engaging in what the lawsuit calls “a prolonged effort to thwart Plaintiffs’ efforts to lift these credit freezes.”

Implications of the Case
This incident, while not a data breach in the conventional sense, suggests a mishandling of sensitive data that could amplify privacy risks. By freezing credit and misreporting identity theft, LexisNexis allegedly created new vulnerabilities—such as financial instability or exposure to creditors—while failing to address the original safety concerns prompting the takedown requests. The case also highlights a broader tension between data brokers’ business models, which rely on aggregating and selling personal information, and growing legal protections for individual privacy.

The plaintiffs, represented by the Newark-based law firm Genova Burns, seek damages under Daniel’s Law, including statutory awards, punitive damages, and attorney fees, as well as court orders compelling LexisNexis to comply with the law and reverse its retaliatory actions. The class includes a diverse group of law enforcement personnel, with two pseudonymous lead plaintiffs—an active police officer and a retired officer—symbolizing the broader affected community.

LexisNexis’s Response
LexisNexis has not commented extensively on the litigation due to its pending status. However, a company spokeswoman, Kara Grady, told Asbury Park Press in March 2024, “We care deeply about the safety of judges, police and all covered persons under the federal and New Jersey’s Daniel’s Law and we act at all times to protect the dissemination of protected information.” The company’s website notes that opt-out requests under privacy laws may result in security freezes to limit data availability for fraud prevention—a policy the plaintiffs argue was misapplied as retaliation rather than protection.

Current Updates on the Case (as of March 23, 2025)
As of March 23, 2025, the case remains active in Bergen County Superior Court, with several developments:

  • Initial Filings and Motions: The lawsuit was filed on March 4, 2024, and served on LexisNexis shortly thereafter. Early proceedings have focused on jurisdictional matters and the certification of the class, given the large number of plaintiffs (over 18,000). No public rulings on class certification have been reported by this date.
  • Public and Legislative Attention: The case has drawn significant attention, with U.S. Representative Josh Gottheimer (D-NJ) citing it in a May 2024 ROI-NJ opinion piece as evidence of data brokers undermining public safety. He called for federal action to bolster privacy protections, suggesting the lawsuit could influence broader policy debates.
  • Related Litigation: A separate February 2024 class action by Atlas Data Privacy Corporation against LexisNexis and 117 other data brokers, representing 20,000 law enforcement officials for noncompliance with Daniel’s Law, remains ongoing. The March lawsuit builds on this earlier effort, focusing specifically on retaliation rather than just noncompliance.
  • Discovery Phase: Legal analysts on ClassAction.org suggest the case is likely in the discovery phase as of early 2025, with both sides exchanging evidence. No trial date has been publicly set, and settlement discussions, if any, remain confidential.
  • Lack of Major Rulings: No significant court decisions—such as dismissals, summary judgments, or injunctions—have been reported by March 23, 2025, per accessible news and legal databases like Bloomberg Law and Courthouse News Service. The case’s complexity, involving thousands of plaintiffs and nuanced statutory interpretation, may delay resolution.

The case’s outcome could set a precedent for how data brokers handle privacy requests under similar state laws, with potential ramifications for LexisNexis’s operations nationwide.
