On May 3, 2022, the European Commission published its proposal for a regulation on the “European Health Data Space”.

The EHDS is a talismanic European healthtech initiative that could revolutionize access to a deeper pool of EU-wide health data and unlock significant tech, AI and data analytics innovation.  As a core part of the Commission’s European Data Strategy, the EHDS seeks to tackle legacy systemic issues that have hindered lawful access to electronic health data.  The Regulation strives to create a “European Health Union” by strengthening individuals’ access to and portability of their electronic health data and allowing innovators and researchers to process this data through reliable and secure mechanisms.  It is worth noting that the EHDS proposal does not create (nor could it feasibly do so) a unitary central EU database of electronic health data, but seeks to facilitate multilateral exchange of such health data from decentralized databases through the EHDS’s regulatory infrastructure.

The EHDS proposal builds upon other recent and contemporaneous EU data and healthcare reforms, such as Regulation (EU) 2017/745 on medical devices, the proposed AI Act, the Data Governance Act, and the proposed Data Act.  It presents a welcome opportunity to resolve areas of uncertainty as to the lawful bases for health data processing under Regulation (EU) 2016/679 and fragmented Member State national laws that might otherwise inhibit “big data” innovation in the European healthcare sector.  However, work remains to be done to reconcile areas of legislative interplay and ensure that data subjects’ GDPR rights remain protected.

After a failed attempt in 2021, Connecticut has become the fifth U.S. state to enact comprehensive data privacy legislation with the passing of “An Act Concerning Personal Data Privacy and Online Monitoring” or the Connecticut Data Privacy Act (the “CDPA” or the “Act”). The Act will take effect July 1, 2023, giving covered organizations about 14 months to become compliant.

On May 3, 2022, the SEC announced that it was renaming the Division of Enforcement’s Cyber Unit as the Crypto Assets and Cyber Unit, and significantly increasing its size with the addition of 20 new positions.[1]  In the same announcement, the SEC articulated specific areas of focus within the digital assets space, including:  (i) crypto asset offerings; (ii) crypto asset exchanges; (iii) crypto asset lending and staking products; (iv) decentralized finance (“DeFi”) platforms; (v) non-fungible tokens (“NFTs”); and (vi) stablecoins.

The SEC published in March 2022 a dauntingly complex proposal to require public companies to provide climate-related disclosures.[1]  The period for public comment on the proposal is very short, and it seems clear that a majority of the Commission is determined to proceed quickly.

Last month, the U.S. Securities and Exchange Commission issued a proposal to enhance and standardize disclosure requirements related to cybersecurity incident reporting and cybersecurity risk management, strategy, and governance. Among other changes, the SEC’s proposal would require disclosure about material cybersecurity incidents within four business days and require annual disclosure regarding a registrant’s policies and procedures for identifying and managing cybersecurity risks. The proposal, which has a short window for public comment, requires close consideration by public companies and other SEC registrants.

After nearly two years of detailed negotiations, on March 25, 2022, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced an “agreement in principle” on a new Trans-Atlantic Data Privacy Framework (the “Framework”) to re-establish an important legal mechanism to effectuate cross-border transfers of personal data from the EU to the U.S. It is hoped that the Framework will address concerns raised by the decision of the Court of Justice of the European Union (the “CJEU”) in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (2020) (“Schrems II”).

Following the lead of California, Virginia and Colorado (as previously discussed here, here and here respectively), on March 24, 2022, Utah became the fourth state to enact an omnibus privacy law, creating compliance obligations for businesses that collect and process personal data of Utah residents and providing such residents more control over their data.

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which imposes federal reporting requirements for cyber incidents and ransomware attack payments.  The legislation will require covered critical infrastructure entities to report to the Cybersecurity and Infrastructure Security Agency within 72 hours of forming a reasonable belief that a substantial cyber incident has occurred and within 24 hours of making a ransom payment following a ransomware attack.  The reporting requirements will not take effect until implementing regulations are enacted by CISA, which will take time to navigate the rulemaking process.

In October 2021, the U.S. Department of Justice announced the launch of its new Civil Cyber-Fraud Initiative, which aims to hold government contractors and grant recipients accountable for cyber-related fraud under the False Claims Act.

Two recent developments provide insight into how the Justice Department will pursue cases under this new initiative, and reveal the broad conception of cyber fraud the Department is advocating in such cases.

  • Comprehensive Health Services LLC: On March 8, 2022, the Justice Department announced its first settlement under the Civil Cyber-Fraud Initiative.  Comprehensive Health Services, LLC, a global medical services provider, agreed to pay $930,000 to resolve allegations that it falsely represented to the federal government that it had consistently stored patient records on a secure electronic system.  The Justice Department intervened in the matter, which was brought originally by private whistleblowers, despite the fact that no breach of data was alleged to have occurred.
  • Aerojet Rocketdyne Holdings, Inc.: On February 1, 2022, a federal court in the Eastern District of California mostly denied summary judgment to Aerojet Rocketdyne Holdings, Inc., a defense and aerospace company that is alleged to have falsely represented its compliance with cybersecurity standards for government contractors.  The Justice Department filed a Statement of Interest that was largely adopted by the district court to reject Aerojet’s arguments that its alleged non-compliance was immaterial and did not harm the government.

On March 9, 2022, President Biden signed a wide-ranging Executive Order on Ensuring Responsible Development of Digital Assets (the “Order”).  While the Order does not mandate any particular regulatory prescriptions, it lays out key policy goals for a whole-of-government approach to digital asset regulation and directs the U.S. Government to assess the potential for a U.S. Central Bank Digital Currency (“CBDC”).  Reflecting the rapid growth and adoption of digital assets, the Order identifies potential benefits and risks while signifying that digital assets will be an important focus of U.S. financial regulatory efforts for the Biden Administration.

The Order emphasizes the link between federal action and national security – both in terms of ensuring appropriate regulation and in staking out a U.S. leadership role in developing digital asset technology.  Notably, in an area where some federal agencies have been criticized for moving slowly or failing to coordinate with each other, the Order mandates interagency cooperation on a series of reports, with most to be finished during 2022.  The Order sets the stage for an active and potentially transformative year for U.S. regulation of digital assets.
