On September 4, Texas Attorney General (AG) Ken Paxton filed a lawsuit against the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), challenging two key Health Insurance Portability and Accountability Act (HIPAA) rules — the 2000 Privacy Rule and the newly implemented 2024 Privacy Rule. These rules were enacted to protect the privacy of individuals’ protected health information (PHI) under HIPAA. Texas argues that these rules unlawfully limit state investigators’ ability to access PHI, impeding the enforcement of state laws.

Dear Mary,

I work for a public company that recently experienced a ransomware attack. Fortunately, we were able to restore our business operations quickly by obtaining a decryption key from the threat actor. Given that we managed to get back up and running so swiftly, do we still need to determine whether the incident is material and report it?

Sincerely,

– Concerned Executive

Molecular diagnostics company Enzo Biochem, Inc. has reached settlements resolving investigations by the attorneys general (AG) for Connecticut, New Jersey, and New York in relation to a 2023 data breach. Enzo has agreed to pay the states a total of $4.5 million, as well as institute and maintain new data security protocols.

What’s Happening

Last week, the Maine Public Utilities Commission (the commission) heard an unusual pitch: an electric utility proposed to voluntarily report to law enforcement if residential utility usage suggested illegal marijuana grow enterprises — without the law enforcement agency submitting a subpoena or obtaining a warrant. Although the commission ultimately rejected the proposal, the utility cited its high identification success rate and the burden of responding to subpoenas (sometimes as many as 50 for a single location) as its motivation for this proposal.

Dear Mary,

I’m the general counsel of an organization and have recently started getting involved in the cybersecurity side of things. As I’m getting my bearings, I’ve noticed that our security team doesn’t always involve the legal department when an incident is suspected. While I understand that not every incident requires our involvement, I’m concerned that we’re being left out of matters that do need legal oversight, and when we are involved, it’s often too late. What can I do to help address this?

– Living in FOMO

In 2024, the landscape of state attorneys general (AGs) is poised for significant change, with numerous elections and regulatory actions reshaping priorities and enforcement strategies. This dynamic environment reflects the critical role AGs play in addressing key issues across various sectors, from environmental regulations and consumer protection to health care and privacy. As state AGs continue to influence policy and legal frameworks, their actions will have far-reaching implications for businesses and consumers alike. Troutman Pepper’s State AG team is pleased to provide you with this mid-year review summarizing the activities in this regulatory space over the past six months.

In an unusual move, attorneys general (AG) from 30 states and the District of Columbia filed a bipartisan amicus brief in the Ninth Circuit supporting efforts to revive a proposed class action against payment processor Shopify. The amici back plaintiff-appellant Brandon Briskin in his effort to convince the Ninth Circuit to overturn en banc a three-judge panel decision affirming the dismissal of his data privacy suit for lack of personal jurisdiction.

Dear Mary,

I am the privacy compliance officer at a cloud-based software company. We recently experienced an incident where, although none of our client’s data was compromised, it appears that our employees’ information may have been copied and removed from our environment. This information includes employees’ full names, salaries, and salary schedules. All of our employees reside in California, and given the CCPA’s broad definition of personal information, I am assuming notification will be required?

– Frowning in Fresno