On April 26, 2024, the Federal Trade Commission (FTC) announced that it had finalized changes to the Health Breach Notification Rule (HBNR). These changes, which go into effect on June 25, 2024, are intended to modernize aspects of the HBNR such that the HBNR applies to entities not covered under the Health Insurance Portability and Accountability Act (HIPAA). The updated HBNR follows the FTC’s previously stated intention in a 2021 policy statement to broaden the interpretation of the HBNR to address the growing number of digital health applications, websites, and consumer-facing technology that were not subject to HIPAA. The scope of the finalized rule therefore aims to apply the HBNR to health care technology and digital health companies that obtain personal health records (PHR) and PHR identifiable health information.

Continue Reading FTC Finalizes Broader Changes to the Health Breach Notification Rule

In a welcome change for defendants, a recent amendment to the Biometric Information Privacy Act (“BIPA”) is expected to significantly curtail potential damages under the statute. SB 2979, which passed the General Assembly on May 16, 2024, clarifies that damages are per individual, rather than per violation, for violations of the collection provision under Section 15(b) and the disclosure provision under Section 15(d).

Continue Reading BIPA Bellwether: General Assembly provides relief from “per scan” damages

Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification law. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to require notification to consumers of the potential compromise of their data within 30 days of discovery.

Continue Reading SEC Joins Chorus of Regulators Requiring Data Breach Notifications

For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach.  There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities.

Continue Reading Breach Response: Is 72 hours the new 30 days?

Back in July, we shared some good news out of California when a state court judge ruled that the newest regulations under the California Consumer Privacy Act (“CCPA”) could not be enforced until March 2024. But last week, the agency charged with enforcing the CCPA – the California Privacy Protection Agency (with the confusingly similar abbreviation of the “CPPA”) – won reversal of that opinion on appeal. The ruling now gives the CPPA the authority to immediately begin enforcing the regulations that it enacted in March 2023.

Continue Reading Delay Lifted in CCPA Regulations Enforcement

On November 30, 2023, the Illinois Supreme Court issued a much-anticipated decision in Mosby v. The Ingalls Memorial Hospital, answering a certified question about whether biometric information collected from health care workers is protected by the Illinois Biometric Information Privacy Act (BIPA) if that information is used for purposes related to health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Court ruled that when health care worker data is collected for purposes of health care treatment, payment, or operations under HIPAA, the information is excluded from protection under BIPA.

Mosby involved a putative class action claim brought by nurses whose biometric information allegedly was collected to identify them before dispensing medication to patients.  The trial court and Illinois Appellate Court had ruled that these collections were covered by BIPA because BIPA’s exclusions for “health care treatment, payment, or operations under HIPAA” were directed at protecting patient data, not health care worker data.

Continue Reading Illinois Supreme Court: Collection of Biometric Data for Health Care Treatment, Payment, or Operations Is Exempt from BIPA

President Biden issued an Executive Order on October 30, 2023 designed to place the United States at the forefront of law and regulation of Artificial Intelligence (AI). The Executive Order on the “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence” creates binding disclosure requirements for companies that are either developing certain large language AI models or acquiring or possessing sufficient computing power to run such AI implementations (as described below). The Order also establishes, and directs several federal agencies to establish, industry benchmarks for ensuring robust, reliable, repeatable and standardized testing and evaluation of AI systems, and to create new standards for AI safety and security.

The Order contains many detailed provisions and initiatives involving nearly every government agency and calling for wide-ranging studies and recommendations on nearly every facet of AI; its most significant provisions are described below.

Of particular note, however, the President invoked the Defense Production Act to impose certain requirements that will go into effect 90 days after the issuance of the Order. Two significant requirements are going into effect: one affecting companies that employ AI models, and one affecting companies that employ or provide large computing capacity that can be used for AI.

Continue Reading President Biden Issues Far-Reaching Executive Order on Artificial Intelligence

In one of the first lawsuits to allege that generative AI companies violate the U.S. Copyright Act by using copyrighted works to train machine learning models, Judge Stephanos Bibas of the Delaware Circuit Court recently denied summary judgment on the majority of issues raised in cross motions filed by plaintiff Thomson Reuters and defendant Ross Intelligence Inc. The court declined to issue a dispositive ruling on the hot-button question of whether the fair use doctrine protects generative AI companies that use copyrighted materials to train their programs.

Thomson Reuters (owner of Westlaw) sued Ross Intelligence, a legal-research generative AI startup, in May 2020, alleging that Ross was liable for both copyright infringement and tortious interference with contract.  The allegations against Ross stem from its endeavor to create a search engine that uses machine learning and artificial intelligence to provide answers to commonly asked legal questions.

In need of material to train its generative AI, Ross attempted to obtain a license to use Westlaw.  When Westlaw turned Ross away, it asked third-party legal research companies to provide it with legal material — much of which those legal research companies obtained from Westlaw.  Thomson Reuters contends that Ross copied large portions of Westlaw’s Headnotes and Key Number System.

Continue Reading AI Versus Westlaw Copyright Bellwether Hurtles Toward Jury as Summary Judgment Largely Denied

In a recent decision in a defamation case filed against a Gannett-owned publication and the Associated Press, the Seventh Circuit rejected what it dubbed a “novel interpretation” of an established legal principle, instead upholding the doctrine known as the “single publication rule.”

The U.S. Court of Appeals for the Seventh Circuit in an opinion published August 31 affirmed the United States District Court for the Southern District of Indiana’s dismissal of the libel suit that the plaintiff, the National Police Association (“NPA”), brought against the media outlets. The Court ultimately noted that there was “no basis for the NPA’s theory of liability.”

The case originated in 2019 when the Indianapolis Star and the Associated Press published articles about police departments across the country warning their constituents via social media about fundraising “scams” claiming to raise money for the departments. The posts referred to NPA solicitations, and the articles featured statements from officials characterizing the NPA’s efforts as misleading to the public.

Continue Reading 7th Circuit Rejects “Novel Interpretation” of Restatement, Upholds Single Publication Rule

Under UK data protection legislation, individuals, also called “data subjects”, have the right to make a data subject access request (DSAR) to organisations that “process” their personal data.  Similar rights are required by both the EU’s General Data Protection Regulation and the California Consumer Privacy Act.  Amongst other things, as part of a DSAR, data subjects can expect to receive a copy of their personal data.

Continue Reading A Rise in DSARs: Why Can Data Subject Access Requests Be Such a Burden?