The U.S. Department of Justice (DOJ) announced last Wednesday that settlements and judgments under the False Claims Act (FCA) exceeded $2.9 billion in fiscal year 2024—up approximately 5% from last year. DOJ’s announcement underscores its commitment to FCA enforcement, particularly in the healthcare industry and now with increased activity in the areas of pandemic

As a recent DataPhiles post explored, the threat to telecommunications infrastructure and private call records posed by foreign threat actors only continues to grow. In fact, at least one U.S. government agency has urged employees to avoid using mobile communications for any work-related activity. This has led private entities to wonder how they might protect the sensitive mobile communications of officers and employees.Continue Reading New Year, New Threats: Practical Tips for Secure Communications after Salt Typhoon

After its election to power in July 2024, the newly formed Labour government wasted little time in announcing its legislative priorities for the coming year. Unsurprisingly, these priorities included several proposed Bills relating to data protection, cybersecurity and digital regulation. At the time of writing, only one of these Bills—the Data (Use and Access) Bill (“DUAB”)—has been introduced to Parliament, with the others expected to follow in early 2025.Continue Reading Meet the In-Laws: the UK’s Digital Legislative Agenda for 2025

Cybersecurity and national security collided in significant ways in 2024, with governments and private-sector entities grappling with the legal, technical, and policy challenges of a rapidly evolving cyber landscape. Offensive cyber operations, questions of foreign ownership of social media companies, and the balance of power between the Executive and Legislative branches are just a few of the pressing issues shaping the modern landscape. OAs governments and private entities grapple with these challenges, the legal frameworks governing cybersecurity are evolving rapidly, offering both opportunities and risks for practitioners.Continue Reading Deck the Halls with Cyber Walls: Navigating National Security in the Digital Age

2024 was a record year for cyberattacks in the healthcare sector. According to the Breach Portal maintained by the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”), to date this year, there have been more than 530 breaches of protected health information (“PHI”) affecting 500 or more individuals. 2024 also the saw the largest known breach of PHI at a HIPAA-regulated entity: Russia-linked cybercrime organization, BlackCat/ALPHV executed a ransomware attack on Change Healthcare, Inc., the payment processor owned by UnitedHealth, which affected the records of more than 100 million individuals.Continue Reading A Flurry of Healthcare Sector Cybersecurity Regulatory Developments in 2024

While students are about to embark on their holiday break, there is no such luck for educational technology (“EdTech”) providers. Privacy, cybersecurity, and artificial intelligence compliance obligations have proliferated over the past year, with no signs of slowing down. While it is hard to keep track of the numerous regulations and proposals on the state and federal level, below, I have highlighted a few issues for EdTech providers to monitor in the coming year.Continue Reading No Holiday Break for EdTech Compliance

Although 2024 saw several states enact comprehensive privacy legislation, another year is nearly gone, and we still do not have a comprehensive federal privacy law to resolve the rapidly evolving patchworks of state laws. Despite the lack of comprehensive privacy legislation, privacy and cybersecurity were hot button issues across key federal agencies, such as the FTC and FCC, with significant enforcement activity throughout the year. In this edition of our Twelve Days of Data series, we highlight key developments across a few key federal agencies.

To no surprise, the Federal Trade Commission (FTC) was intensely focused on privacy and cybersecurity throughout 2024. We also saw important activity out of the Federal Communications Commission (FCC), which, among other things, issued guidance regarding the Telephone Consumer Protection Act (TCPA).Continue Reading Key Privacy and Cybersecurity Watchdogs Make Their Naughty Lists

The National Institute of Standards and Technology (NIST) has been a leading voice in cybersecurity standards since 2013, when President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity tasked NIST, which is embedded within the Department of Commerce, with developing and updating a cybersecurity framework for reducing cyber risks to critical infrastructure. The first iteration of that framework was released in 2014, and Versions 1.1 and 2.0 followed in 2018 and 2024. NIST guidance has also expanded to include a privacy framework, released in 2020, and an AI risk management framework, released in 2023. This year, NIST made updates to both its cybersecurity and AI risk management frameworks and created a holistic data governance model that aims to provide a comprehensive approach for entities to address issues like data quality, privacy, security, and compliance, leveraging the various NIST frameworks under a unified data governance structure to help framework users address broader organizational risks. A retrospective of these developments and predictions for 2025 are detailed in this post.Continue Reading A Very Merry NISTmas: 2024 Updates to the Cybersecurity and AI Framework

On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements concern the issuers’ disclosures relating to cybersecurity risks and intrusions following the December 2020 SUNBURST cybersecurity incident, which affected

On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after, determining that a cybersecurity incident has occurred. A cybersecurity incident is an