This article was originally published on October 25, 2024 in Westlaw Today. It is republished here with permission.

Ryan Strasser, Chris Carlson, and Nick Gouverneur of Troutman Pepper Hamilton Sanders LLP discuss how state attorneys general and courts are addressing the question of personal jurisdiction over technology companies.

Continue Reading Indiana Appellate Court Grapples With State AGs’ Personal Jurisdiction Over Digital Platforms

1. The Real Risk of Cybersecurity: Choosing to be Unaware

Since 2016, the federal government has implemented numerous procurement regulations and associated contract clauses to address cybersecurity by requiring contractors to adopt various controls and standards to protect sensitive, unclassified information, and to harden information technology (IT) systems to make them more resilient to all manner of cyber hacks. The easy part (not that it was at all easy) was developing the controls and standards – NIST SP 800-171 (currently up to Rev. 3), and contract clauses (most notably, FAR 52.204-21, and DFARS 252.204-7012, 7019, 7020, 7021, and others). The difficult part is getting contractors to take seriously the obligation to invest in cybersecurity.

Continue Reading Federal Cybersecurity Requirements Ought Not Be Ignored by Contractors

This article was originally published on October 2, 2024 in Westlaw Today. It is republished here with permission.

Gene Fishel and Whitney Shephard of Troutman Pepper highlight states with established privacy enforcement units, discuss the corresponding privacy acts in those states, and give recommendations for companies to mitigate risk and navigate a rapidly developing patchwork of regulatory standards.

Continue Reading The Rise of State Attorney General Privacy Enforcement

Published in Law360 on September 27, 2024. © Copyright 2024, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.

On Sept. 18, Texas Attorney General Ken Paxton announced a settlement with healthcare technology company Pieces Technology pursuant to the Texas Deceptive Trade Practices-Consumer Protection Act.

Continue Reading Takeaways From Texas AG’s Novel AI Health Settlement

Earlier this year, Governor Josh Shapiro signed amendments to Pennsylvania’s Breach of Personal Information Notification Act (BPINA) into law, which go into effect on September 26. As part of the implementation of these requirements, Pennsylvania Attorney General (AG) Michelle Henry announced the launch of an online portal for companies and other entities to report data breaches that impact more than 500 Pennsylvania residents. As with notification to impacted individuals, covered entities must notify the AG “without unreasonable delay.” This new requirement aligns Pennsylvania’s data breach notification law with the 35 states that have existing notice requirements for the applicable state regulator when a threshold number of state residents are impacted. Many of these states utilize a similar portal for submissions for ease of reporting.

Continue Reading Amendments Align Pennsylvania’s Breach Notification Law With Majority of States

On September 4, Texas Attorney General (AG) Ken Paxton filed a lawsuit against the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), challenging two key Health Insurance Portability and Accountability Act (HIPAA) rules — the 2000 Privacy Rule and the newly implemented 2024 Privacy Rule. These rules were enacted to protect the privacy of individuals’ protected health information (PHI) under HIPAA. Texas argues that these rules unlawfully limit state investigators’ ability to access PHI, impeding the enforcement of state laws.

Continue Reading Texas AG Challenges HHS Privacy Rules

Dear Mary,

I work for a public company that recently experienced a ransomware attack. Fortunately, we were able to restore our business operations quickly by obtaining a decryption key from the threat actor. Given that we managed to get back up and running so swiftly, do we still need to determine whether the incident is material and report it?

Sincerely,

– Concerned Executive

Continue Reading SEC Cybersecurity Incidents Disclosures: Materiality, Decryptors, and Ransom Payments

Molecular diagnostics company Enzo Biochem, Inc. has reached settlements resolving investigations in relation to a 2023 data breach by the attorneys general (AG) for Connecticut, New Jersey, and New York. Enzo has agreed to pay the states a total of $4.5 million, as well as institute and maintain new data security protocols.

Continue Reading Enzo Biochem Inc. Reaches Settlement With Connecticut, New Jersey, and New York AGs Over 2023 Data Breach

Dear Mary,

I recently experienced a security incident at my company and am considering whether to report it to law enforcement. While I want to cooperate and help catch the cybercriminals responsible, I am worried that law enforcement might come after my company for… I am not exactly sure what.

What should I do?

– Not Guilty

Continue Reading Notifying Law Enforcement of Security Incidents

What’s Happening

Last week, the Maine Public Utilities Commission (the commission) heard an unusual pitch: an electric utility proposed to voluntarily report to law enforcement if residential utility usage suggested illegal marijuana grow enterprises — without the law enforcement agency submitting a subpoena or obtaining a warrant. Although the commission ultimately rejected the proposal, the utility cited its high identification success rate and the burden of responding to subpoenas (sometimes as many as 50 for a single location) as its motivation for this proposal.

Continue Reading Complying With Information Requests: Utility Makes Novel Proposal to “Snitch” on Suspected Cannabis Growers