On January 6, 2025, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule. The proposed changes, if enacted, would represent the first update
On November 21, the Federal Trade Commission (“FTC”) approved in a 3-0 vote a resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that involve or claim to involve Artificial Intelligence (AI).
Compulsory process is akin to a subpoena, and it allows the FTC to request the production of information
On October 27, the Federal Trade Commission (“FTC”) unanimously voted to amend the Safeguards Rule to require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to report data breaches and security events to the Agency. This amendment will become effective 180 days after its publication in the Federal Register.
Under
On May 28, Texas became the sixth state this year to pass a comprehensive data protection law. Although the Texas Data Privacy and Security Act (“TDPSA”) is largely in line with the Virginia Consumer Data Protection Act and other recently passed state privacy laws, it has a few key distinctions that may cause
On April 24, the Governor of Kansas signed into law Kansas Senate Bill 44, which enacts the Financial Institutions Information Security Act (the “Act”). The Act requires credit services organizations, mortgage companies, supervised lenders, money transmitters, trust companies, and technology-enabled fiduciary financial institutions to comply with the requirements of the GLBA’s Safeguards Rule, as
On December 22, 2022, France’s National Commission for Technology and Freedoms (“CNIL”) fined Microsoft’s Irish subsidiary 60 million euro for failure to comply with Article 82 of the French Data Protection Law (known as the “Loi Informatique et Libertés”). Article 82 is France’s implementation of the EU’s ePrivacy Directive, and it generally requires that any
In early November, Pennsylvania amended its data breach notification law broadening the definition of personal information. The amendment adds “health insurance information” and “medical information” as data elements that could trigger breach notification requirements. Coupled with this addition is a breach notification exception for businesses that are (1) subject to and (2) in compliance with
On November 15, 2022, the FTC announced that it was extending by six months the deadline for companies to comply with some portions of the updated Safeguards Rule. The extension comes as a welcome relief to companies racing to meet the rapidly nearing effective date.
The FTC approved changes to the longstanding Safeguards Rule in
The jury returned a verdict in favor of the plaintiffs in the first trial for violations of the Illinois Biometric Privacy Act (“BIPA”), which was conducted in the District Court for the Northern District of Illinois. Rogers v. BNSF Ry. Co., No. 1:19-cv-03083. A jury found that BNSF Railway violated BIPA by maintaining an
The FTC recently reported that over $650 mm worth of cryptocurrency was stolen by hackers last year. Thus far, over $320 mm in cryptocurrency has been stolen by hackers this year. Not surprisingly, this surge in crypto breaches has led to litigation. In our monthly webcast series, Ballard partners Phil Yannella, Greg Szewczyk and