Litigation

Summary

On December 27, 2024, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) published its Notice of Proposed Rulemaking (“NPRM”) titled HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information. HHS seeks comments on proposed modifications to the Security Standards for the Protection of Electronic Protected Health Information comprising 45 C.F.R. Parts 160 and 164, Subpart C, commonly known as the “Security Rule”, to address modern breach and cybersecurity risks to electronic protected health information (“ePHI”)[1] and common deficiencies observed by HHS in Security Rule compliance investigations, and to incorporate current industry best practices[2] and court decisions affecting enforcement of the Security Rule[3].[4] As summarized below, the proposed modifications signal HHS’s commitment to aligning the Security Rule requirements with current cybersecurity standards and addressing areas of non-compliance with more prescriptive measures to enhance ePHI security in the face of evolving cyber threats and technological advancements. HHS invites interested parties to submit comments by March 7, 2025.

HHS Publishes Notice of Proposed Rulemaking to Amend HIPAA Security Rule Requirements – Comments Due March 7, 2025

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Join SPB’s Alan Friel and Lydia de la Torre at the California Lawyers Association Privacy Law Section’s 2025 Annual Privacy

We are pleased to announce that we will be participating in the California Lawyers Association Privacy Law Section’s 2025 Annual Privacy Summit in Los Angeles, CA.

Join Alan Friel for a session on CA Rulemaking: Unpacking the CCPA cybersecurity audit, privacy risk assessment regulations, and ADMT. The panel will review the draft ADMT regulations, interpret

In December 2023, Privacy World reported on an order from the Federal Communications Commission (“FCC”) designed in part to close the “lead generator loophole” in the agency’s Telephone Consumer Protection Act (“TCPA”) consent rules. Now, just over a year later, on January 24, 2025, the United States Court of Appeals for the Eleventh Circuit (“11th Circuit” or “Court”) resoundingly rejected the FCC’s closure efforts, finding that the agency exceeded its statutory authority under the TCPA.

Circuit Court Employs Loper Bright to Knock Out the FCC’s TCPA One-to-One Consent Rule

On January 24, 2025, the Supreme Court granted certiorari in Lab. Corp. of Am. Holdings v. Davis, Case No. 24-304, on the question of “[w]hether a federal court may certify a class action pursuant to Federal Rule of Civil Procedure 23(b)(3) when some members of the proposed class lack any Article III injury.” In TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021), the Supreme Court made clear that “[e]very class member must have Article III standing in order to recover individual damages,” but the Court did not answer the question of when a class member’s standing must be established and whether a class can be certified if it contains uninjured class members.

Supreme Court to Decide Whether Federal Courts May Certify a Class with Uninjured Class Members

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Transferring U.S. Data Overseas? Consider Whether the DOJ’s Bulk Data Regulations or PADFA May Apply to Your Organization

CPPA Extends

In two recent proposed consent orders by the Federal Trade Commission (FTC or Commission), the agency has emphasized critical data governance practices that all data controllers should carefully consider. These cases, Gravy Analytics/Venntel and Mobilewalla, primarily focus on issues related to the brokerage of consumer mobile device location data and other adtech and data broker practices. However, the settlements, and the learnings that can be gleaned from them, are relevant beyond location data and these specific industries. Indeed, the data governance measures required of the respondents by the FTC signal the FTC’s thinking around what it considers proper data governance and privacy compliance programs, and can be used as a guide as to how companies in all industries should be framing such programs to both avoid FTC scrutiny and address compliance with the patchwork of state consumer privacy laws.

What Should Data Controllers Take Away From Recent FTC Privacy Case Settlements?

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”

Court Ruling in China on Personal Data

On October 9, 2024, the European Data Protection Board (EDPB) unveiled its much-anticipated Guidelines on using legitimate interest (Article 6.1(f) of the GDPR) as a lawful basis for processing personal data. These guidelines set out clear criteria for data controllers, and will therefore be most welcome.

For years, legitimate interest has been among the go-to options for organizations, on the theory that it offers more flexibility (as long as you comply with the inherent requirements of its use). High-profile cases, like the Court of Justice of the European Union’s (CJEU) decision in Royal Dutch Tennis Association (KNLTB), acknowledged that commercial interests may qualify as legitimate, but also crystallized the tension around its use among supervisory authorities and privacy advocates.

Balancing the Scales: How to Use “Legitimate Interest” to Process Personal Data “Fairly”