Cybersecurity

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

Data Processing Evaluation and Risk Assessment Requirements Under

Summary

On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.Continue Reading HHS Publishes Notice of Proposed Rulemaking to Amend HIPAA Security Rule Requirements – Comments Due March 7, 2025

On January 29, 2025, the Copyright Office (the “Office”) released its second report in a three-part series on artificial intelligence and copyright. Part 1 was released in July 2024 and addressed digital replicas. Part 2 focuses on the copyrightability of AI-generated work – that is, providing greater detail into what level of human interaction is required for a work containing AI-generated works to rise to the level of copyrightability. The report includes eight conclusions to guide copyright applicants and concludes that existing law is sufficient to address copyrighting AI-generated works.Continue Reading Copyright Office: Copyrighting AI-Generated Works Requires “Sufficient Human Control Over the Expressive Elements” – Prompts Are Not Enough

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Join SPB’s Alan Friel and Lydia de la Torre at the California Lawyers Association Privacy Law Section’s 2025 Annual Privacy

We are pleased to announce that we will be participating in the California Lawyers Association Privacy Law Section’s 2025 Annual Privacy Summit in Los Angeles, CA.

Join Alan Friel for a session on CA Rulemaking: Unpacking the CCPA cybersecurity audit, privacy risk assessment regulations, and ADMT. The panel will review the draft ADMT regulations, interpret

On January 24, 2025, the Supreme Court granted certiorari in Lab. Corp. of Am. Holdings v. Davis, Case No. 24-304, on the question of “[w]hether a federal court may certify a class action pursuant to Federal Rule of Civil Procedure 23(b)(3) when some members of the proposed class lack any Article III injury.” In TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021), the Supreme Court made clear that “[e]very class member must have Article III standing in order to recover individual damages,” but the Court did not answer the question of when a class member’s standing must be established and whether a class can be certified if it contains uninjured class members.Continue Reading Supreme Court to Decide Whether Federal Courts May Certify a Class with Uninjured Class Members

Though attempts to pass comprehensive federal consumer privacy legislation again stalled in 2024, efforts targeted at addressing national security-related privacy concerns had more success. Along with the Protecting Americans from Foreign Adversary Controlled Applications Act, Congress passed the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”) as part of a sweeping foreign aid bill, which was subsequently signed into law by President Biden on April 23, 2024. PADFA, which went into effect on June 24, 2024, followed President Biden’s Feb. 2024 Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO”), under which the Department of Justice was directed to establish and implement regulations (initially reported by SPB here). The DOJ’s rulemaking process, which began in late fall of last year, culminated in the issuance of a final rule (“Bulk Data Regs”) on December 27, 2024, and publication of the same in the Federal Register on January 4, 2025. The Bulk Data Regs largely become effective 90 days after publication in the Federal Register, on April 4, with certain provisions going into effect 270 days following publication.Continue Reading Transferring U.S. Data Overseas? Consider Whether the DOJ’s Bulk Data Regulations or PADFA May Apply to Your Organization

The Office of the Attorney General of Texas (“OAG”) announced a “first-of-its-kind healthcare generative AI” settlement with Pieces Technology, Inc. (“Pieces”). The settlement related to the Texas OAG allegations that Piece’s advertising and marketing claims about the accuracy of its generative artificial intelligence (GenAI) products in violation of the Texas Deceptive Trade Practices – Consumer Protection Act (“DTPA”), Tex. Bus. & Com. Code Ann. § 17.58. The Texas OAG states in its press release that the Piece’s investigation is a “First-of-its-Kind Healthcare Generative AI Investigation.”Continue Reading Texas Attorney General Settles with Healthcare AI Firm Over False Claims on Product Accuracy and Safety

SPB’s The Trade Practitioner blog recently featured a piece on the newly proposed amendments to the Defense Federal Acquisition Regulation Supplement (DFARS). Check out the full post for an in-depth discussion on the key takeaways of the proposed rule and an explanation of the phased rollout of the Cybersecurity Maturity Model Certification (CMMC): DoD Advances

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Never Beyond the Law – the Spanish AEPD’s Position on the Processing of Whistleblower Data | Privacy World

Singapore to