As we noted in our previous blog here, on January 6, 2025, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) proposing substantial revisions...more
The HIPAA Security Rule was originally promulgated over 20 years ago.
While it historically provided an important regulatory floor for securing electronic protected health information, the Security Rule’s lack of...more
1/31/2025
/ Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Electronic Protected Health Information (ePHI) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Security Rule ,
NIST ,
Patient Privacy Rights ,
PHI ,
Proposed Rules ,
Risk Management
As cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of...more
1/16/2025
/ Compliance ,
Covered Entities ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
OCR ,
OIG ,
Regulatory Requirements ,
Risk Management
This week, we’re interpreting the U.S. Department of Labor’s (DOL’s) recently updated cybersecurity guidance for all employee benefit plans covered under the Employee Retirement Income Security Act (ERISA):
The DOL recently...more
The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect...more
9/24/2024
/ Artificial Intelligence ,
CEOs ,
Cyber Threats ,
Cybersecurity ,
Cybersecurity Information Sharing Act (CISA) ,
Data Protection ,
Deep Fake ,
FBI ,
Fraud ,
National Security Agency (NSA) ,
NIST ,
Risk Mitigation ,
Sensitive Business Information
The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect...more
9/23/2024
/ Artificial Intelligence ,
CEOs ,
Cyber Crimes ,
Cyber Threats ,
Cybersecurity ,
Cybersecurity Information Sharing Act (CISA) ,
Data Protection ,
Deep Fake ,
FBI ,
Fraud ,
Machine Learning ,
National Security Agency (NSA) ,
NIST ,
Regulatory Agenda ,
Risk Mitigation ,
Sensitive Business Information
On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”). New Jersey is the fourteenth state to pass a...more
1/24/2024
/ Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Management ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Security ,
Information Technology ,
New Jersey ,
New Legislation ,
New Regulations ,
State Data Privacy Laws ,
State Privacy Laws
On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”). New Jersey is the fourteenth state to pass a...more
1/23/2024
/ Consumer Privacy Rights ,
Cybersecurity ,
Data Controller ,
Data Management ,
Data Privacy ,
Data Processors ,
Data Protection ,
Data Security ,
New Jersey ,
New Legislation ,
Personal Data ,
Popular ,
Regulatory Reform ,
State Data Privacy Laws
This week, we’re breaking down the California Privacy Protection Agency (CPPA) Board’s new regulations impacting employers:
Last month, the CPPA Board met to discuss several new regulations that could impact employers in...more
On December 8, 2023, the California Privacy Protection Agency (“CPPA”) Board (the “Board”) held a public meeting to discuss, among other things, regulations addressing: (1) cybersecurity audits; (2) risk assessments; and (3)...more
12/27/2023
/ Artificial Intelligence ,
Automation Systems ,
California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Management ,
Data Protection ,
Machine Learning ,
Regulatory Requirements ,
State Privacy Laws
New York Governor Kathy Hochul recently announced proposed cybersecurity rules for New York hospitals, which are due to be imminently published in the State Register on December 6, 2023, subject to approval by the Public...more
11/30/2023
/ Cybersecurity ,
Data Protection ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Healthcare ,
New York ,
Patient Privacy Rights ,
PHI ,
Popular ,
Proposed Rules ,
Regulatory Agenda ,
Regulatory Reform
On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements...more
7/28/2023
/ Cyber Incident Reporting ,
Cybersecurity ,
Data Breach ,
Disclosure Requirements ,
Final Rules ,
Form 10-K ,
Form 8-K ,
Publicly-Traded Companies ,
Regulation S-K ,
Regulatory Reform ,
Securities and Exchange Commission (SEC) ,
Securities Regulation
California businesses, including employers, who have not already complied with their statutory data privacy obligations under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA),...more
7/27/2023
/ California ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Management ,
Data Privacy ,
Data Protection ,
Information Governance ,
Personally Identifiable Information ,
State Privacy Laws
On July 13, 2023, the White House issued the first iteration of its National Cybersecurity Strategy Implementation Plan (the “Implementation Plan”), which will be updated annually. The two overarching goals of the...more
The California Privacy Protection Agency Board (the “Board”) held a public meeting on February 3, 2023, adopting and approving the current set of draft rules (the “Draft Rules”), which implement and clarify the California...more
On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for...more
2/7/2023
/ Advertising ,
Breach Notification Rule ,
Cybersecurity ,
Data Collection ,
Data Protection ,
Department of Health and Human Services (HHS) ,
Department of Justice (DOJ) ,
Enforcement Actions ,
Federal Trade Commission (FTC) ,
FTC Act ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Breach ,
PHI ,
Popular ,
Settlement Agreements ,
Social Media ,
Targeted Digital Advertising ,
Tracking Systems
California’s Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give consumers substantial rights regarding the disclosure and use of their personal information collected by businesses subject to the...more
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) give consumers increasingly more control over their personal information when collected by businesses subject to the law. We have...more
As reported in a June 3, 2022 press release from the House Committee on Energy and Commerce, U.S. Representatives Frank Pallone, Cathy McMorris Rodgers, and Senator Roger Wicker released a “discussion draft” of a federal data...more
On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President...more
Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through...more
3/1/2022
/ Cookies ,
Corporate Counsel ,
Cybersecurity ,
Data Protection ,
Data Protection Authority ,
EDPS ,
EU ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Popular ,
Schrems I & Schrems II
The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate”...more
The Federal Trade Commission (“FTC”) recently issued guidance clarifying protections applicable to consumers’ sensitive personal data increasingly collected by so-called “health apps.” The FTC press release indicated it has...more
As businesses find useful new ways to harness the evolving technology that captures and analyzes human biometric data, legal regulation of such technology’s usage is also developing, responding to concerns about personal...more
8/20/2021
/ Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
New York ,
Personal Data ,
Personally Identifiable Information ,
Privacy Laws ,
SHIELD Act ,
State and Local Government