In 2021, the Health Information Technology for Economic and Clinical Health Act (HITECH) was amended to add “recognized cybersecurity practices” as a mitigating factor when determining fines, audits and remedies against covered entities and business associates for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Department of Health and Human Services now seeks public comment on what should be considered a recognized cybersecurity practice.

Covered entities and business associates should update their HIPAA compliance plans to incorporate the recognized cybersecurity practices, implement the identified security practices and ensure they have been actively and consistently used over the prior 12-month period of time to reduce the risk of HIPAA audits and fines.

See our recent alert for more details about this request for public comments, which are due June 6.

On May 25, the Federal Trade Commission announced that it, along with the Department of Justice, fined Twitter $150 million for violating a 2011 agreement with the FTC in which Twitter promised to protect the integrity of nonpublic consumer information, including users’ phone numbers and email addresses.

Read on for details about the alleged violations and the corrective actions required in the FTC’s new order.

Reflecting its determination to monitor the crypto markets, the U.S. Securities and Exchange Commission announced today that it was renaming the Cyber Unit the “Crypto Assets and Cyber Unit” and nearly doubling its size, from 30 to 50 members. The additional permanent positions will include investigative staff attorneys, trial lawyers and fraud analysts, who will target the full panoply of hot topics in the crypto world.

Read on for details about this development and implications for crypto market participants.

Federal courts in recent Telephone Consumer Protection Act cases served up two victories and one disappointment for the defense. Siding with the defense, the 7th U.S. Circuit Court of Appeals ruled that defendants do not carry the burden of proof at class certification, and the 8th Circuit joined other courts in maintaining a narrow autodialer definition. Defendants were less pleased when the U.S. Supreme Court denied a petition that would have resolved the enforceability of the autodialer prohibitions.

Read our alert to learn more about these developments and their implications for businesses defending against TCPA claims and class actions.

The Utah Consumer Privacy Act (“UCPA”) passed by the Utah legislature was signed into law by Governor Spencer Cox on March 24, 2022 and becomes effective December 31, 2023. While companies conducting business in Utah will need to familiarize themselves with the law in order to become compliant if they are covered by the statute, the good news is that the UCPA creates only marginally different obligations than those found in California, Colorado, and Virginia’s data privacy laws. Read our post, “New Utah Privacy Law Largely Overlaps with Existing State Statutes,” for more details.

On Feb. 9, U.S. Senators Bill Cassidy and Tammy Baldwin introduced a bill that would create a Commission on Health Data Use and Privacy Protection to study the potential modernization of HIPAA. Introduction of the bill follows a recent trend of increased attention to data privacy at the federal level, both for covered entities and for non-covered entities, including the Department of Health and Human Services’ proposed modifications to HIPAA and HITECH and the Federal Trade Commission’s Health Breach Notification Rule.

Read on to learn more about the proposed commission.

In February, the Financial Industry Regulatory Authority released the 2022 Report on FINRA’s Examinations and Risk Monitoring Program, providing guidance to the broker-dealer industry.

Read on for a discussion of key topics addressed in this year’s report.

On March 9, the U.S. Securities and Exchange Commission proposed new rules that would fundamentally change how public companies treat the reporting and management of cybersecurity incidents and risk.

Read on for details about these proposed rules, which build significantly upon prior guidance by creating express, mandatory disclosure obligations.

On March 8, the U.S. Department of Justice announced a $930,000 settlement with Comprehensive Health Services, LLC for alleged violations of the False Claims Act. As DOJ’s first resolution of a False Claims Act enforcement action involving cyber fraud since launching its Civil Cyber-Fraud Initiative in October 2021, this settlement signals the DOJ’s eagerness to combat cybersecurity violations and misrepresentations.

Read on for analysis of this case and implications for government contractors.

The Securities and Exchange Commission continues to propose rules at a rapid pace. Three of the most recent proposed rules would significantly impact investment advisers by:

  1. Requiring documentation of registered investment adviser compliance reviews;
  2. Establishing cybersecurity risk management and reporting requirements for investment advisers, investment companies and business development companies;
  3. Updating and accelerating beneficial ownership reporting requirements.

Read our alert to learn more about the proposed rules and their potential impacts on investment advisers.