Privacy & Information Security Law Blog

During the week of January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into resolution agreements and corrective action plans with Elgon Information Systems, Virtual Private Network Solutions, LLC and USR Holdings, LLC for violations of the Health Insurance Portability and Accountability Act of 1996 Security Rule.

The New York Department of Financial Services (“NYDFS”) recently cautioned regulated entities to be aware of individuals applying for remote technology-related positions due to an increase in reported threats from North Korea. Threat actors have repeatedly attempted to access company systems and illegally generate revenue for North Korea under the guise of seeking remote Information Technology jobs at U.S. companies.

On December 24, 2024, the Oregon Attorney General published AI guidance, “What you should know about how Oregon’s laws may affect your company’s use of Artificial Intelligence,” (the “Guidance”) that clarifies how existing Oregon consumer protection, privacy and anti-discrimination laws apply to AI tools. Through various examples, the Guidance highlights key themes such as privacy, accountability and transparency, and provides insight into “core concerns,” including bias and discrimination.

The Equal Employment Opportunity Commission recently issued a fact sheet addressing the application of employment discrimination laws to the use of wearable technologies in U.S. workplaces.

On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers on the New Jersey Data Privacy Law.

On December 27, 2024, the U.S. Department of Justice issued a comprehensive final rule implementing Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. The Final Rule will go into effect on April 8, 2025, with the exception of certain due diligence, audit and reporting obligations, which will become effective on October 5, 2025.

On January 7, 2025, the U.S. Food and Drug Administration (“FDA”) issued draft guidance, titled “Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations” (the “Guidance”), that addresses management of cybersecurity risks affecting AI-enabled devices.

On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025.

On December 27, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking (“NPRM”) to update the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  The NPRM is intended to strengthen cybersecurity protections for electronic protected health information (“ePHI”) in light of increasing cybersecurity threats to the health care sector.

On December 17, 2024, the European Data Protection Board adopted an opinion on the processing of personal data in the context of AI models. This blog entry provides a summary of the opinion.