Leaders charged with safeguarding data privacy and cybersecurity often assume that size equates to security—that large, well-resourced organizations must have airtight defenses against cyberattacks and data breaches. It’s a natural assumption: mature enterprises tend to have robust policies, advanced technology, and deep security teams. Yet, as recent events remind us, even the biggest organizations can
Joseph J. Lazzarotti
Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.
In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.
Is a CCPA “Risk Assessment” Required When Using Dashcams?
Key Takeaways
- Outlines basic steps to determine whether a business may need to perform a risk assessment under the California Consumer Privacy Act (CCPA) in connection with its use of dashcams
- Provides a resource for exploring the basic requirements for conducting and reporting risk assessments
If you have not reviewed the recently approved, updated CCPA…
Understanding the CCPA’s New Risk Assessment Requirements – Part 2
As we discussed in Part 1 of this post, the California Privacy Protection Agency (CPPA) has approved significant updates to California Consumer Privacy Act (CCPA) regulations, which were formally approved by the California Office of Administrative Law on September 23, 2025. We began to outline the requirements for a significant new obligation under the…
Understanding the CCPA’s New Risk Assessment Requirements – Part 1
The California Privacy Protection Agency (CPPA) has adopted significant updates to the California Consumer Privacy Act (CCPA) regulations, which were formally approved by the California Office of Administrative Law on September 23, 2025. These comprehensive regulations address automated decision-making technology, cybersecurity audits, and risk assessments, with compliance deadlines beginning in 2026. Among these updates, the…
AI Adoption Surges Among S&P 500 Companies—But So Do the Risks
Cybersecurity Dive reports that artificial intelligence is no longer experimental technology: more than 70% of S&P 500 companies now identify AI as a material risk in their public disclosures, according to a recent report from The Conference Board. In 2023, that percentage was 12%.
The article reports that major companies are no longer…
California Sets 30 Day Deadline for Data Breach Notifications
Governor Gavin Newsom recently signed SB 446 into law, introducing significant changes to California’s data breach notification requirements. The bill establishes deadlines for notifying consumers and the state’s Attorney General when personal information of California residents has been involved in a data breach.
What’s Changed Under SB 446
Previously, California law required businesses to notify…
Using Patient Photos in Marketing? OCR Settlement Highlights HIPAA Compliance Requirements
Businesses across many industries naturally want to showcase their satisfied customers. Whether it’s a university featuring successful graduates, a retailer highlighting happy shoppers, or a healthcare facility showcasing thriving patients, these real-world testimonials can be powerful marketing tools. However, when it comes to healthcare providers subject to HIPAA, using patient images and information for promotional…
California Assembly Bill 45: New Privacy Around Healthcare Facilities
Recently, California’s Governor signed Assembly Bill (AB) 45, which builds on existing California laws, such as the Confidentiality of Medical Information Act, to protect individuals seeking certain healthcare services. AB 45 takes effect January 1, 2026.
Specifically, the law prohibits the collection, use, disclosure, sale, sharing, or retention of personal information of a…
Florida AHCA Proposed Rules Would Establish New Breach Reporting, Continuity Planning Requirements
On September 17, 2025, the Florida Agency for Health Care Administration (AHCA) will hold its first public meeting to discuss proposed rules designed to enhance transparency and preparedness around health care information system breaches. AHCA is Florida’s agency responsible for the state’s Medicaid program, the licensure of the state’s health care facilities, and the sharing…
AI Notetaking Tools Under Fire: Lessons from the Otter.ai Class Action Complaint
The rapid adoption of AI notetaking and transcription tools has transformed how organizations (and individuals) capture, analyze, and share meeting and other content. But as these technologies expand, so too do the legal and compliance risks. A recent putative class action lawsuit filed in federal court in California against Otter.ai, a leading provider of AI…