Cybersecurity

A recording is now available for “California and Beyond: HR Data Risk Issues for Employers,” a highly relevant webinar covering the rapidly shifting world of HR data, privacy obligations, and AI regulation. Presented by Squire Patton Boggs Partners Alan Friel and Michael Kelly, and Associate Sam Kim, this session will give employers the clarity they need as new rules take effect and enforcement ramps up.Continue Reading A Timely Look at HR Data and AI Regulation Trends: Webinar Recording Available

With the official enactment of the NIS-2 Implementation Act, Germany has taken a major step toward modernizing its cybersecurity framework. Starting from 6 December 2025, stricter requirements will apply to both federal administration and thousands of private companies. This law revises the BSI Act (BSIG) and introduces comprehensive obligations for IT security and risk

Inside AI Policy reports that a survey of U.S. office workers indicates that across industries approximately half of survey respondents said that they do or would use AI contrary to company policy to make their job easier, including 42% of security sector workers.  The study published on August 20, 2025 by CalypsoAI, found that while 87% of respondents indicated that their employers had AI governance policies 52% are not prepared to follow restrictions, and 28% admitted to submitting sensitive or proprietary  data or documents so AI could complete a task; 29% used AI to generate something sent without, or with minimal, review; and 25% used AI without knowing if the use case was permissible.  The results for highly regulated industries are not better, and in some cases worse.  For instance, 60% of employees in financial services and banking indicated that they use AI tools regardless of company policy and 36% “don’t feel guilty about it.”Continue Reading Rogue AI Usage and High-risk Data Processing Runs Rampant

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

CA Legislators Charge That Privacy Agency AI Rulemaking Is Beyond Its Authority

Data Processing Evaluation and Risk Assessment Requirements Under

Summary

On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.Continue Reading HHS Publishes Notice of Proposed Rulemaking to Amend HIPAA Security Rule Requirements – Comments Due March 7, 2025

On January 29, 2025, the Copyright Office (the “Office”) released its second report in a three-part series on artificial intelligence and copyright. Part 1 was released in July 2024 and addressed digital replicas. Part 2 focuses on the copyrightability of AI-generated work – that is, providing greater detail into what level of human interaction is required for a work containing AI-generated works to rise to the level of copyrightability. The report includes eight conclusions to guide copyright applicants and concludes that existing law is sufficient to address copyrighting AI-generated works.Continue Reading Copyright Office: Copyrighting AI-Generated Works Requires “Sufficient Human Control Over the Expressive Elements” – Prompts Are Not Enough

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Join SPB’s Alan Friel and Lydia de la Torre at the California Lawyers Association Privacy Law Section’s 2025 Annual Privacy

We are pleased to announce that we will be participating in the California Lawyers Association Privacy Law Section’s 2025 Annual Privacy Summit in Los Angeles, CA.

Join Alan Friel for a session on CA Rulemaking: Unpacking the CCPA cybersecurity audit, privacy risk assessment regulations, and ADMT. The panel will review the draft ADMT regulations, interpret

On January 24, 2025, the Supreme Court granted certiorari in Lab. Corp. of Am. Holdings v. Davis, Case No. 24-304, on the question of “[w]hether a federal court may certify a class action pursuant to Federal Rule of Civil Procedure 23(b)(3) when some members of the proposed class lack any Article III injury.” In TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021), the Supreme Court made clear that “[e]very class member must have Article III standing in order to recover individual damages,” but the Court did not answer the question of when a class member’s standing must be established and whether a class can be certified if it contains uninjured class members.Continue Reading Supreme Court to Decide Whether Federal Courts May Certify a Class with Uninjured Class Members

Though attempts to pass comprehensive federal consumer privacy legislation again stalled in 2024, efforts targeted at addressing national security-related privacy concerns had more success. Along with the Protecting Americans from Foreign Adversary Controlled Applications Act, Congress passed the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”) as part of a sweeping foreign aid bill, which was subsequently signed into law by President Biden on April 23, 2024. PADFA, which went into effect on June 24, 2024, followed President Biden’s Feb. 2024 Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (“EO”), under which the Department of Justice was directed to establish and implement regulations (initially reported by SPB here). The DOJ’s rulemaking process, which began in late fall of last year, culminated in the issuance of a final rule (“Bulk Data Regs”) on December 27, 2024, and publication of the same in the Federal Register on January 4, 2025. The Bulk Data Regs largely become effective 90 days after publication in the Federal Register, on April 4, with certain provisions going into effect 270 days following publication.Continue Reading Transferring U.S. Data Overseas? Consider Whether the DOJ’s Bulk Data Regulations or PADFA May Apply to Your Organization