Government Contracting and Cyber/Privacy Attorneys at Troutman Pepper Locke LLP discuss the U.S. Justice Department’s efforts to combat cybersecurity fraud and some best practices for government contractors seeking to mitigate noncompliance risks.
State attorneys general (AGs) continue to play a pivotal role as innovators, shaping the regulatory environment by leveraging their expertise and resources to influence policy and practice. The public-facing nature of AG offices across the U.S. compels them to respond to constituent concerns on abbreviated timetables. This political sensitivity, combined with the AGs’ authority to address both local and national issues, underscores their significant influence in the current regulatory environment.
Published in Law360 on January 22, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.
In the first installment of this two-part article, state attorneys general across the U.S. took bold action in 2024 to address what they perceived as unlawful activities by corporations in several areas, including privacy and data security, financial transparency, children’s internet safety, and other overall consumer protection claims.
On January 6, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published significant proposed amendments (proposed rule) to the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Key drivers for the proposed rule include the dramatic increase in cyberattacks, including ransomware, the rapid adoption of cloud computing, mobile devices, and other technologies, and inconsistent compliance with the existing Security Rule identified by the OCR’s investigations.
On November 21, the Supreme Court of Virginia entered a published order reversing a 14-3 en banc decision of the Court of Appeals of Virginia addressing the applicability of Virginia’s criminal laws regulating cybercrime. The decision in Commonwealth v. Wallace is the latest example of courts testing regulatory reach in the cybercrime arena.
New York Attorney General (AG) Letitia James and global movie theater operator National Amusements, Inc. (National) settled a lawsuit stemming from a 2022 data breach reported by National, which affected 82,128 National employees. As part of its settlement, National agreed to pay $250,000 in penalties to the state and to “improve existing cybersecurity infrastructure to prevent future data breaches.”
Since 2016, the federal government has implemented numerous procurement regulations and associated contract clauses to address cybersecurity by requiring contractors to adopt various controls and standards to protect sensitive, unclassified information, and to harden information technology (IT) systems to make them more resilient to all manner of cyber hacks. The easy part (not that it was at all easy) was developing the controls and standards – NIST SP 800-171 (currently up to Rev. 3), and contract clauses (most notably, FAR 52.204-21, and DFARS 252.204-7012, 7019, 7020, 7021, and others). The difficult part is getting contractors to take seriously the obligation to invest in cybersecurity.
This article was originally published on October 2, 2024 in Westlaw Today. It is republished here with permission.
Gene Fishel and Whitney Shephard of Troutman Pepper highlight states with established privacy enforcement units, discuss the corresponding privacy acts in those states, and give recommendations for companies to mitigate risk and navigate a rapidly developing patchwork of regulatory standards.
Published in Law360 on September 27, 2024. © Copyright 2024, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.
On Sept. 18, Texas Attorney General Ken Paxton announced a settlement with healthcare technology company Pieces Technology pursuant to the Texas Deceptive Trade Practices-Consumer Protection Act.
Earlier this year, Governor Josh Shapiro signed amendments to Pennsylvania’s Breach of Personal Information Notification Act (BPINA) into law, which go into effect on September 26. As part of the implementation of these requirements, Pennsylvania Attorney General (AG) Michelle Henry announced the launch of an online portal for companies and other entities to report data breaches that impact more than 500 Pennsylvania residents. As with notification to impacted individuals, covered entities must notify the AG “without unreasonable delay.” This new requirement aligns Pennsylvania’s data breach notification law with the 35 states that have existing notice requirements for the applicable state regulator when a threshold number of state residents are impacted. Many of these states utilize a similar portal for submissions for ease of reporting.