On 3 February 2025, the European Commission (“EC”) published an updated version of its frequently asked questions (“FAQs”) on the EU Data Act.[1] The Data Act, which is intended to make data more accessible to users of IoT devices in the EU, entered into force on 11 January 2024 and will become generally applicable as of 12 September 2025.
Continue Reading Data Act FAQs – Key Takeaways for Manufacturers and Data Holders

New York Legislature Passes Health Data Privacy Bill
Last week, the New York legislature passed the New York Health Information Privacy Act (S929) (“NYHIPA” or the “Act”)[1]. The Act, which is currently awaiting the Governor’s signature, seeks to regulate the collection, sale and processing of healthcare information, akin to Washington’s My Health My Data Act.

Cybersecurity Disclosure and Enforcement Developments and Predictions
The following is part of our annual publication Selected Issues for Boards of Directors in 2025.
The SEC pursued multiple high-profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules. Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will need to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.

SEC Charges Four Companies Impacted by Data Breach with Misleading Cyber Disclosures
On October 22, 2024, the SEC announced settled enforcement actions charging four companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. These cases mark the first to bring charges against companies who were downstream victims of the well-known cyber-attack on software company SolarWinds. The four companies were providers of IT services and digital communications products and settled the charges for amounts ranging from $990,000 to $4 million.

New York Department of Financial Services Issues Guidance on Cybersecurity Risks Arising from Artificial Intelligence
Last week, the New York Department of Financial Services (“DFS”) issued guidance addressed to executives and information security personnel of entities regulated by DFS to assist them in understanding and assessing cybersecurity risks associated with the use of artificial intelligence (“AI”), and implementing appropriate controls to mitigate such risks (the “Guidance”).[1] In particular, and to address inquiries received by DFS regarding AI’s impact on cyber risk, the Guidance is intended to explain how the framework set forth in DFS’ Cybersecurity Regulation (23 NYCRR Part 500) should be used to assess and address such risks.

DOJ Brings Lawsuit Against TikTok Over Alleged Violations of the Children’s Online Privacy Protection Act
Following on the heels of major developments coming out of the Senate last week to advance privacy protections for children online, the Department of Justice (“DOJ”) officially filed a lawsuit on Friday against TikTok, Inc., its parent company, ByteDance, and certain affiliates (collectively, “TikTok”), over alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and its implementing rule (the “COPPA Rule”) as well as an existing FTC 2019 consent order (the “2019 Order”) alleging violations of the same.[1]

Cybersecurity Law Enters Into Force
On July 17, 2024, Law No. 90/2024 containing provisions for strengthening national cybersecurity and addressing cybercrime (the “Cybersecurity Law”) entered into force.

FTC Announces Reforms to the Health Breach Notification Rule
On April 26, 2024, the Federal Trade Commission (“FTC” or the “Commission”) announced changes to the Health Breach Notification Rule (“HBNR”), which requires certain entities not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) to notify consumers, the FTC, and, in some cases, the media of breaches of unsecured personally identifiable health data.[1] The final rule seeks to address technological and industry advancements since the original HBNR was adopted in 2009 by clarifying the rule’s applicability to direct-to-consumer health technologies (such as fitness trackers) which have proliferated in recent years. The final rule also expands the information that covered entities must provide to consumers when notifying individuals of a data breach.

EHDS – The EU Parliament formally adopts the Provisional Agreement: Key Takeaways and Next Steps
In our Alert Memorandum of 19 July 2022 (available here), we outlined the European Commission’s (the “Commission”) proposal for a regulation on the “European Health Data Space” (the “Regulation” or the “EHDS”). The proposal, which was published in May 2022, is the first of nine European sector- and domain-specific data spaces set out by the Commission in 2020 in the context of its “European strategy for data”.

Congress Releases American Privacy Rights Act Discussion Draft
After years of fits and starts—including failed attempts to pass the American Data Privacy and Protection Act in 2022—Congress has renewed its attempt to nationalize privacy protections for American consumers with introduction of the American Privacy Rights Act (the “APRA” or “Act”).[1] The APRA, a new bipartisan, bicameral proposal for comprehensive data protection legislation introduced by the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science and Transportation in early April, is a direct response to a flurry of activity at the state level over the past few years and attempts to harmonize the resulting patchwork of privacy legislation that has created a burdensome and costly labyrinth of shifting compliance obligations for covered organizations that collect and process personal data.