On March 20, 2026, the White House released its National Policy Framework for Artificial Intelligence (“Framework”), outlining legislative recommendations for Congress to establish a unified federal approach to AI regulation. The Framework builds on prior executive actions, including the December 2025 Executive Order (the “Executive Order”) and the Trump administration’s “America’s AI Action Plan,” and it proposes that Congress adopt legislation broadly preempting state AI laws deemed to impose “undue burdens.” This alert summarizes the Framework’s key provisions, analyzes their potential impact on state laws, and highlights considerations for healthcare and life sciences stakeholders navigating the evolving regulatory landscape. While the Framework does not itself change the current legal status of the Executive Order, it signals increased policy focus and may prompt further agency action.
Continue Reading The White House Legislative Recommendations: National Policy Framework for Artificial Intelligence and Federal Preemption of State AI LawsWhen Cyberwar Hits the Corporate Home Front
As recent events indicate, American companies may be the subject of destructive data “wiper” attacks and potential data theft by Iran-linked hackers. Ongoing tensions in the Middle East underscore the stark and evolving cyberthreat landscape facing companies. These types of cyberattacks blend the regulatory and litigation exposure of a traditional data breach with the extreme business risks associated with near total operational disruption. This alert highlights potential legal implications and outlines practical steps companies should consider to strengthen preparedness.
Continue Reading When Cyberwar Hits the Corporate Home FrontHHS OCR Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records
On February 13, 2026, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced its civil enforcement program to implement the updates to the Substance Use Disorder (“SUD”) confidentiality provisions of the regulation at 42 CFR Part 2 (“Part 2”).1 The new enforcement program became effective February 16, 2026, in accordance with the deadline set by the 2024 Final Rule modifying Part 2 (“2024 Final Rule”).
Continue Reading HHS OCR Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records
Supreme Court to Consider the Video Privacy Protection Act
Last week, the U.S. Supreme Court agreed to hear a case that is expected to resolve a long-developing split among federal courts of appeals over the scope of the Video Privacy Protection Act of 1988 (“VPPA”), 18 U.S.C. § 2710. In granting certiorari in Salazar v. Paramount Global, the Court will address a question that has increasingly shaped VPPA class action litigation in recent years: who qualifies as a “consumer” protected by the statute.
Continue Reading Supreme Court to Consider the Video Privacy Protection ActResponding to the SitusAMC Data Breach
Recently, major media reported that a key financial services provider, SitusAMC, suffered a substantial data security incident. This Alert summarizes what we know so far, the possible legal implications, and some action items for the corporate clients of SitusAMC.
Continue Reading Responding to the SitusAMC Data BreachPixel Litigation Risk at Financial Institutions
An increasingly aggressive plaintiffs’ bar has brought purported class action suits based on the nearly ubiquitous use of tracking technologies used for website analytics. Although any actual harm to the plaintiffs is difficult to articulate, the health care industry has been plagued by a series of these cases. Now the plaintiffs may be moving to financial services with the potential for statutory penalties of hundreds of dollars per user when a duty of confidentiality can be credibly implicated.
The tracking tags, pixels and similar website analytics technologies are nothing new. Rather, the technologies at issue in such complaints are widely used on websites and mobile applications across industries, including by government entities, to collect information about user behaviors and interactions with the online platform where they are embedded. That information is then sent to a third party for analytics used to enhance user experience on the platform. Many of these technologies are integral to an organization’s ability to ensure its websites and applications are functioning properly, among other things providing crash reports when users encounter issues. Additionally, many consumer-facing businesses contract with third parties to provide session replay scripts, a software that monitors and records web-user activity such as keystrokes, clicks, and scrolling. Despite the pervasiveness of these technologies, plaintiffs have seized on ambiguities in the California state wiretap act, known as the California Information Privacy Act, as well as federal wiretap law as the basis for exceptionally large damage demands.
Continue Reading Pixel Litigation Risk at Financial InstitutionsIn Bloomberg Law, David Peloquin Discusses Bulk Data Transfer Rule Enforcement
Ropes & Gray’s health care partner, David Peloquin, spoke with Bloomberg Law on the additional DOJ instructions regarding the Biden-era Executive Order 14117. DOJ has provided clarity surrounding the effective date for enforcement, with a promise to delay any enforcement efforts until July 8 for companies that show “good faith efforts to comply.” David
DOJ Releases FAQs and Compliance Guidance for Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and other Countries of Concern
On April 11, 2025, the Department of Justice (“DOJ”) released additional detail regarding the Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”), which went into effect on April 8, 2025. The release included additional
DOJ Bulk Data Final Rule Update
Today, the Department of Justice’s (“DOJ”) Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”) took effect.
Earlier this year, Ropes & Gray published an alert providing an overview of the Final Rule, material changes
In IAPP Article, David Peloquin and Jake Barr Discuss DOJ Rule Limiting Sensitive Data Transfers
In an International Association of Privacy Professionals (IAPP) article, health care partner David Peloquin and data, privacy and cybersecurity associate Jake Barr along with Legend Biotech Chief Privacy Officer and Assistant General Counsel Corey Dennis discuss the landmark rule limiting sensitive data transfers to “countries of concern.” The article reviews key aspects for health care