Privacy/Data Protection

In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.1 The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”2 under

In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).

The New HTI Final Rules will affect Trusted Exchange

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024

After its election to power in July 2024, the newly formed Labour government wasted little time in announcing its legislative priorities for the coming year. Unsurprisingly, these priorities included several proposed Bills relating to data protection, cybersecurity and digital regulation. At the time of writing, only one of these Bills—the Data (Use and Access) Bill (“DUAB”)—has been introduced to Parliament, with the others expected to follow in early 2025.Continue Reading Meet the In-Laws: the UK’s Digital Legislative Agenda for 2025

While there are many significant federal laws and regulations related to cybersecurity, states have led the way in regulating this area on a general, sector-agnostic basis, with the most notable and widely acknowledged state cybersecurity provisions being state data breach notification laws.  However, more recently, states have focused on passing comprehensive privacy, rather than security, laws, and 2025 promises to be a continuation of this trend, with eight additional comprehensive state privacy laws coming into effect next year.  Continue Reading Making a List and Checking it Twice:  Navigating State Privacy and Security Regulations This Year

In the six years since the EU’s General Data Protection Regulation (“GDPR”) took effect, governments around the world have updated their data protection laws to reflect the seismic changes in data processing that were created with the introduction of the smartphone. Having been in place for nearly 40 years, Australia’s Privacy Act (1988) has been a notable outlier – but that is now changing, with significant reforms to the country’s data protection regime being introduced in the latter half of 2024.Continue Reading Australia’s Privacy Reforms: Claus for Concern?

On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This follows the DOJ’s publication of its Advance Notice of Proposed Rulemaking earlier this year. 

On June 28, 2024, Pennsylvania enacted amendments to its Breach of Personal Information Notification Act (“BPINA”). These amendments contain a number of significant changes, including clarifying a key definition, adding a new notification obligation to the Attorney General, requiring organizations to provide credit monitoring services, and reducing the threshold to notify consumer reporting agencies. These amendments—which take effect today, September 26, 2024—bring Pennsylvania in line with many other states that have taken steps to strengthen their respective data breach notification laws.Continue Reading Pennsylvania Strengthens Data Breach Notification Law

On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step forward to correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.Continue Reading Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas