Arecent report put the odds of an asteroid hitting the earth in December 2032 at 3.1%—which is 3,100 times more likely than an organization resolving an enforcement action with the U.S. Department of Health and Human...more
3/4/2025
/ Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Security ,
Electronic Protected Health Information (ePHI) ,
Enforcement Actions ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Medical Records ,
OCR ,
Patient Privacy Rights ,
Ransomware ,
Risk Assessment ,
Risk Management ,
Settlement
Déjà vu all over again: after Colorado and Virginia established competing standards for comprehensive privacy laws in 2021, history appears to be repeating itself in the artificial intelligence (AI) space. Virginia’s...more
2/27/2025
/ Algorithms ,
Artificial Intelligence ,
Automation Systems ,
Bias ,
Corporate Counsel ,
Data Privacy ,
Discrimination ,
Enforcement ,
Innovative Technology ,
Machine Learning ,
Regulatory Agenda ,
Regulatory Requirements ,
Risk Management ,
State Privacy Laws ,
Transparency ,
Virginia
2025 has all the ingredients for a critical year in privacy: new laws coupled with active regulators and legislators—both of whom are likely eager to get onto artificial intelligence (AI). As a companion piece to our 2024...more
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) delivered a late-December surprise: a draft overhaul of the Health Insurance Portability and Accountability Act of 1996’s (HIPAA) Security Rule....more
1/3/2025
/ Data Privacy ,
Data Security ,
Department of Health and Human Services (HHS) ,
Electronic Protected Health Information (ePHI) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Security Rule ,
NPRM ,
OCR ,
Patient Privacy Rights ,
PHI
With 2024 coming to an end, it is time to dust off the quill and ink to put together a recap on privacy and artificial intelligence (AI) developments....more
12/18/2024
/ Artificial Intelligence ,
Cookies ,
Corporate Counsel ,
Data Privacy ,
Data Protection ,
Enforcement Priorities ,
Machine Learning ,
Personally Identifiable Information ,
Regulatory Agenda ,
Rulemaking Process ,
State Data Privacy Laws
The California Privacy Protection Agency (CPPA) is starting formal rulemaking (again) as they move beyond the pre-rulemaking drafts that were debated for a little over a year. During their November 8, 2024, board meeting, the...more
11/15/2024
/ California ,
California Privacy Protection Agency (CPPA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Management ,
Data Privacy ,
Data Protection ,
Office of Administrative Law Judges (OALJ) ,
Regulatory Agenda ,
Regulatory Requirements ,
Rulemaking Process ,
State Privacy Laws
Pennsylvania recently amended their data breach notification law in a way that turns the status quo on its head. The law, Senate Bill 824, adds an obligation to provide regulatory notice and tweaks the definition of personal...more
Pennsylvania's Amended Data Breach Law Upends Standard Framework -
Pennsylvania recently amended their data breach notification law in a way that turns the status quo on its head. The law, Senate Bill 824, adds an...more
On June 20, 2024, a federal court vacated key portions of regulatory guidance on the treatment of information collected by online tracking tools. At issue was the U.S. Department of Health and Human Services Office for Civil...more
Colorado became the first state to adopt a comprehensive AI framework when Gov. Jared Polis signed Senate Bill 205. The law, unlike the EU AI Act, does not ban certain uses of AI. Instead, Colorado focused on accountability;...more
Over the weekend, a bipartisan and bicameral group in Congress unveiled a privacy proposal—The American Privacy Rights Act of 2024 (APRA)—along with a brief summary. The APRA builds on existing privacy frameworks at the state...more
On March 18, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) revised its December 1, 2022 Bulletin on website tracking tools....more
The Florida legislature passed a bill that provides immunity to companies that suffer a data breach. The immunity is conditioned on the company: (1) complying with the notice requirements of Florida’s data breach notification...more
On November 27, California’s dedicated privacy law enforcement agency, the California Privacy Protection Agency (CPPA), released a draft of new rules covering automated decisionmaking (yes, they made “decisionmaking” one...more
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced its first settlement agreement related to a ransomware attack. But it was not the ransomware that triggered OCR’s enforcement...more
The New York Department of Financial Services (NYDFS) released the final amendments to its cybersecurity rules for financial, banking and insurance companies. The changes add obligations for accountability, incident...more
On July 26, the Securities and Exchange Commission (SEC) issued new rules adding cybersecurity disclosures for public companies in three areas: cybersecurity incidents, governance, and risk management and strategy. The new...more
Artificial intelligence (AI) is top of mind for companies, and while early adoption of this technology has strategic value, companies that do so with an eye on regulation will be better positioned to defend their use of AI....more
On April 27th, Washington State’s governor signed the Washington State My Health My Data Act—a law the legislature nominally designed to increase healthcare privacy. But it does more than that. The law uses sweeping...more
Do you use Google Analytics? Do you tell consumers that you do not sell personal information? If you answered yes to both of those questions, then this alert is for you! The California attorney general recently took the...more
California’s legislature overwhelmingly passed (with veto-proof majorities) the California Age-Appropriate Design Code Act (AB 2273) to—at least in theory—regulate companies’ processing of children’s personal information. In...more
Let’s face it: CCPA compliance is not easy. And a recent study provides additional evidence for the commonsense conjecture that companies trying to just “follow the law” often do more or less than is required. In this alert,...more