On March 7, 2025, the California Privacy Protection Agency (“CPPA”), which is tasked with enforcing the California Consumer Privacy Act (“CCPA”) entered a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”), fining Honda $632,500.  This Order is instructive as to CPPA’s views on various topics covered by the CCPA.  Among other things, the Order makes clear that:

Continue Reading Businesses Beware:  The California Privacy Protection Agency Is Taking a Strict View on CCPA Compliance and Seeking to Impose Maximum Fines for Non-Compliance

On January 10, 2025, in the waning days of the Biden Administration, the Consumer Financial Protection Bureau issued a Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data. The Request signals the Bureau’s strong concern with the ways financial institutions, and particularly new financial tools like widespread use of mobile banking, collect and use sensitive consumer-financial data. The Request was motivated by the results from the data that the Bureau collected in developing its Personal Financial Data Rights Rule, finding that “actual business practices show significant deviation from longstanding consumer expectations when it comes to the collection, use, and monetization of data harvested from payment transactions.” Among the Bureau’s chief concerns was consumers’ general ignorance about financial data that Americans believe “is kept private just because it is sensitive.” On the contrary, the Bureau found that not only is consumers’ sensitive financial information monetized, but also that it is commingled with consumer attributes like geographic location, social-media habits, and even individual voices. Such advancements, the Bureau worries, could lead to “dynamic pricing algorithms” that show different pricing for different users, based on their harvested personal data.  

Continue Reading CFPB Explores the Need for Greater Financial Privacy

The Federal Communications Commission (FCC) announced on Jan. 24, 2025, that its highly anticipated one-to-one consent rule was postponed by at least one year. This is big news for companies that were gearing up for the implementation of the rule, which would have significantly altered the requirements for obtaining consent to place calls or text messages under the Telephone Consumer Protection Act (TCPA).

Companies should keep an eye on another FCC rule that will change the requirements regarding consumers’ ability to revoke consent, scheduled to take effect on April 11, 2025. Meanwhile the U.S. Supreme Court will decide to what extent courts must defer to the FCC’s interpretation of the TCPA.

Read on to learn how ongoing changes in the regulatory landscape for the TCPA stress the importance of reviewing and prioritizing TCPA compliance in 2025.

Read more

In response to increased cybersecurity threats and significant regulatory enforcement actions, on Dec. 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking seeking to enhance cybersecurity protections under the Security Rule implemented pursuant to the Health Insurance Portability and Accountability Act of 1996. While the proposed rule is an important component of HHS’ ongoing effort to enhance cybersecurity requirements, many of the proposals raise new questions regarding HHS’ expectations. If adopted, the sweeping changes could have a major impact on the way covered entities and business associates conduct business, including with each other.

Read on for further details on the proposed rule and its implications for regulated entities.

Read More

As public companies’ reliance on remote work, cloud computing and digital payments increases, so too does the cybersecurity risk. Recognizing this, the SEC finalized rules and regulations in September 2023 requiring new cybersecurity-related disclosures from public companies. In prior efforts to improve consistency and accuracy of public company cybersecurity risk disclosures, the SEC issued interpretive guidance explaining how cybersecurity risk and incidents should be communicated based on longstanding requirements to disclose material information periodically to shareholders. But in the SEC’s view, corporate disclosure practices were inconsistent. Under-disclosure persisted and investors lacked consistent information by which they could evaluate public companies’ cybersecurity risk.    

The SEC now requires enhanced and standardized cybersecurity risk disclosures for all periodic SEC filers, including foreign private issuers and smaller reporting companies. Public companies must disclose certain cybersecurity incidents, as well as information about cybersecurity risk management, strategy and governance.

Read on to learn about the potential exposure public companies face and how this exposure risk fits within the framework of a company’s D&O and cyber insurance programs. How can a company ensure its insurance policies will appropriately protect its balance sheet and its directors and officers from potential SEC investigations and shareholder litigation?

Read more

On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions signals the SEC’s continued focus on the content and completeness of public disclosures following cyber incidents. In a press release, the SEC summarized its position that the settling issuers each “negligently minimized its [SolarWinds] cybersecurity incident,” which served to “further victimize their shareholders or other members of the investing public” and left “investors in the dark about the true scope of the incidents.”

Read on to learn more about the settlements and the takeaways worth considering.

Read more

After a nearly five-year rulemaking process, the U.S. Department of Defense (DoD) published the Final Cybersecurity Maturity Model Certification 2.0 (CMMC) program rule in the Federal Register on Oct. 15, 2024, codified at 32 CFR Part 170. Contract clauses implementing the CMMC program rule will be issued as part of the Defense Federal Acquisition Supplement, and DoD expects to require CMMC certifications as a condition of award beginning in 2025 as part of a phased-in approach.

The final CMMC program rule is the culmination of a lengthy rulemaking process to implement third-party certified cybersecurity program standards for the Defense Industrial Base. The DoD significantly revised CMMC program requirements since the inception of CMMC 1.0 in 2020. At its most basic level, the CMMC program is a transition from a self-certification model for cybersecurity compliance, to a third-party verification process contemplated by the CMMC program rule.

Read on to learn more about the final rule and its implications for contractors and subcontractors.

Read more

When dealing with a cybersecurity incident response, nonprofit healthcare systems have different constituents to consider. Patients and staff who risk having personal information exposed or procedures postponed are the most important, but bondholders of a system’s debt also will want to know about the incident. The Securities and Exchange Commission recently updated its Compliance and Disclosure Interpretations related to cybersecurity incidents for public reporting companies. Read on to learn more about how this guidance, which is not binding on nonprofit healthcare systems that issue bonds, still provides helpful insights.

Read more
Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements governing each party’s rights and obligations with respect to the privacy and security of patient Protected Health Information (PHI). Most healthcare providers will qualify as a CE. CEs must obtain “adequate written assurances” from their BAs that the PHI will only be used or disclosed as permitted by law and as instructed by the CE, and BAs must impose these obligations and limitations on their subcontractors. These written assurances typically take the form of a Business Associate Agreement (BAA).

Read more

Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires covered entities and their business associates to implement policies and procedures to prevent, detect, contain and correct security violations. Under the HIPAA Security Rule, entities must “periodically” perform a security risk assessment, which can be adapted to the size and sophistication of the entity. While the general approach is to perform one annually, some organizations may do so bi-annually and others every three years.

Read more