If you are looking for a high-level summary of California laws regulating artificial intelligence (AI), check out the two legal advisories issued by California Attorney General Rob Bonta. The first advisory is directed at consumers and entities about their rights and obligations under the state’s consumer protection, civil rights, competition, and data privacy laws. The second advisory focuses on healthcare entities.

“AI might be changing, innovating, and evolving quickly, but the fifth largest economy in the world is not the wild west; existing California laws apply to both the development and use of AI.” Attorney General Bonta

The advisories summarize existing California laws that may apply to entities who develop, sell, or use AI. They also address several new California AI laws that went into effect on January 1, 2025.

The first advisory points to several existing laws, such as California’s Unfair Competition Law and Civil Rights Laws, designed to protect consumers from unfair and fraudulent business practices, anticompetitive harm, discrimination and bias, and abuse of their data.

California’s Unfair Competition Law, for example, protects the state’s residents against unlawful, unfair, or fraudulent business acts or practices. The advisory notes that “AI provides new tools for businesses and consumers alike, and also creates new opportunity to deceive Californians.” Under a similar federal law, the Federal Trade Commission (FTC) recently ordered an online marketer to pay $1 million resulting from allegations concerning deceptive claims that the company’s AI product could make websites compliant with accessibility guidelines. Considering the explosive growth of AI products and services, organizations should be revisiting their procurement and vendor assessment practices to be sure they are appropriately vetting vendors of AI systems.

Additionally, the California Fair Employment and Housing Act (FEHA) protects Californians from harassment or discrimination in employment or housing based on a number of protected characteristics, including sex, race, disability, age, criminal history, and veteran or military status. These FEHA protections extend to uses of AI systems when developed for and used in the workplace. Expect new regulations soon as the California Civil Rights Council continues to mull proposed AI regulations under the FEHA.

Recognizing that “data is the bedrock underlying the massive growth in AI,” the advisory points to the state’s constitutional right to privacy, applicable to both government and private entities, as well as to the California Consumer Privacy Act (CCPA). Of course, California has several other privacy laws that may need to be considered when developing and deploying AI systems – the California Invasion of Privacy Act (CIPA), the Student Online Personal Information Protection Act (SOPIPA), and the Confidentiality of Medical Information Act (CMIA).

Beyond these existing laws, the advisory also summarizes new laws in California directed at AI, including:

  • Disclosure Requirements for Businesses
  • Unauthorized Use of Likeness
  • Use of AI in Election and Campaign Materials
  • Prohibition and Reporting of Exploitative Uses of AI

The second advisory recounts many of the same risks and concerns about AI as relevant to the healthcare sector. Consumer protection, anti-discrimination, patient privacy, and other concerns are all challenges entities in the healthcare sector face when developing or deploying AI. The advisory provides examples of applications of AI systems in healthcare that may be unlawful, including:

  • Denying health insurance claims using AI or other automated decisionmaking systems in a manner that overrides doctors’ views about necessary treatment.
  • Using generative AI or other automated decisionmaking tools to draft patient notes, communications, or medical orders that include erroneous or misleading information, including information based on stereotypes relating to race or other protected classifications.

The advisory also addresses data privacy, reminding readers that the state’s CMIA may be more protective in some respects than the popular federal healthcare privacy law, HIPAA. It also discusses recent changes to the CMIA that require providers, electronic health records (EHR) companies, and digital health companies to enable patients to keep their reproductive and sexual health information confidential and separate from the rest of their medical records. These and other requirements need to be taken into account when incorporating AI into EHRs and related applications.

In both advisories, the Attorney General makes clear that in addition to the laws referenced above, other California laws—including tort, public nuisance, environmental and business regulation, and criminal law—apply to AI. In short:  

Conduct that is illegal if engaged in without the involvement of AI is equally unlawful if AI is involved, and the fact that AI is involved is not a defense to liability under any law.

Both advisories provide a helpful summary of laws potentially applicable to AI systems, and can be useful resources when building policies and procedures around the development and/or deployment of AI systems.  

A massive data breach hit one of the country’s largest education software providers. According to EducationWeek, PowerSchool provides school software products to more than 16,000 customers, largely K-12 schools, that serve 50 million students in the United States. According to reports, PowerSchool informed customers that, on December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized access to certain information through one of its community-focused customer support portals, PowerSource. The unauthorized access affected PowerSchool’s Student Information System (“SIS”).

According to one of its communications to customers, PowerSchool stated:

While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.

Needless to say, PowerSchool customers likely have lots of questions and concerns about next steps. The Q&A below is intended to help school communities and other affected entities strategize about next steps.

Is this just a PowerSchool problem?

There certainly are steps PowerSchool should be taking. As a service provider that processes the personal information of its customers, conducting a prompt investigation and informing data owners of critical information relating to the breach top the list. Additionally, each customer’s service agreement with PowerSchool may include broader obligations for the vendor. Providing ongoing support and mitigating potential harm also can reasonably be expected. But, schools and other PowerSchool customers may have obligations of their own.  

What should potentially affected PowerSchool customers be doing?

There are several items to consider:

Look at your incident response plan. If you have an incident response plan, it may provide steps to help keep your team organized and focused. If you do not have one, consider developing one in the future.

Gather information. As noted above, PowerSchool has already put out information concerning the breach, and more is likely to come. But there may be other helpful information for you online from trusted sources. For example, a BleepingComputer article provides (i) information on determining whether your school district was affected, and (ii) a link to a “detailed guide written by Romy Backus, SIS Specialist at the American School of Dubai, [that] explains how to check the PowerSchool SIS logs to determine if data was stolen.”

Be ready to communicate with your school community. Teachers, parents, students, former students, and others will have a lot of questions about the incident. According to a report by Infosecurity Magazine,

A message to parents by the Howard-Suamico School District in Wisconsin, US, seen by news outlet NBC 26, read: “PowerSchool confirmed that this was not a ransomware attack but it did pay a ransom to prevent the data from being released.”

If a ransom was paid to a threat actor, there is no way to confirm that the data has not or will not be released or used for an impermissible purpose. For this and other reasons, it will be critical to have a plan for delivering prompt, consistent, and accurate messaging about the breach as soon as possible. Having a limited number of persons responsible for responding to questions can help to avoid misinformation and maintain consistent messaging.

As the investigation proceeds, PowerSchool likely will be providing more information about notifications, ID theft and credit monitoring services, and other information concerning the continued response to the incident. Affected schools and other PowerSchool customers will need to be ready to receive that information and decide how best to convey that information to their community. In the event decisions need to be made by a school’s Board, start thinking ahead to taking all the necessary steps to arrange for those meetings so decisions can be made appropriately, thoughtfully, and timely. Feel free to contact our incident response attorneys as we have helped many schools and school districts navigate challenging communications in similar incidents.

Get a handle on your legal and contractual rights and obligations. State breach notification laws generally place the obligation to notify affected persons and others on the owner of the personal information compromised in the breach, not the service provider that had the breach. In many cases, however, a vendor causing a data breach may take on the obligation to provide such notifications, but the owner of the data still will be on the hook if that process is not performed in a compliant manner.

Of course, state notification laws vary state to state. Examples of these variations include the definition of personal information, exceptions to the notification requirement, timeframes for notification, and requirements for ID theft and credit monitoring services. Reports noted above indicate that PowerSchool may be supporting the notification process. However, because the breach is affecting customers differently (e.g., different personal information affected, different state laws), PowerSchool may rely on instructions from customers about whether and how to comply with certain aspects of the notification requirements.

Note also that some states may have issued specific regulatory requirements for school districts and their vendors. For example, in New York, regulations issued by the New York State Department of Education and adopted by its Board of Regents in 2020 require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals. Among other things, the NY regulations require vendors that suffer a breach to notify the affected schools within seven (7) calendar days. The schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.

Just as the law varies, the services agreement a school negotiated with PowerSchool may vary from PowerSchool’s standard form. Affected PowerSchool customers should be reviewing those agreements to assess their rights and obligations in areas such as information security, data breach response, and indemnity.

Evaluate insurance protections. Some organizations may have purchased “cyber” or “breach response” insurance which could cover some of the costs related to responding to the breach or defending litigation that may follow. Affected PowerSchool customers should review their policy(ies) with their brokers to understand the potential coverage and what steps, if any, they need to take to confirm coverage.

What can individuals potentially affected by the PowerSchool breach do now?

It may take some time before notifications are sent to individuals affected by the breach. However, there are some resources that individuals could examine to consider their options now. Databreaches.net pulled together some helpful resources for potentially affected individuals, such as teachers, parents, and former students. Access that here.

When the dust clears from the PowerSchool incident, what should schools do going forward?

This is not the first vendor incident that has affected schools and it will not be the last. There are many steps schools and any organizations should consider taking following a vendor’s breach affecting the organization’s data. However, for the moment, affected schools and customers should focus on the incident at hand. When the time comes, they should consult with experienced legal counsel and information security experts to be sure they have adopted reasonable safeguards at a minimum to protect their data, and that they have assessed whether their vendors are doing the same.

* * *

For organizations large and small, incidents like this can be a significant disruption. To minimize that disruption, organizations may want and need to communicate with their applicable communities, and should do so confidently, but carefully. More information can be very helpful, but too much information and information that is repetitive can be confusing and frustrating. Organizations should involve key persons internally and possibly seek outside expertise and counsel to reach an appropriate balance in their response strategy and communications.

Ask any chief information security officer (CISO), cyber underwriter or risk manager, or cybersecurity attorney what controls are critical for protecting an organization’s information systems, and you’ll likely find multifactor authentication (MFA) at or near the top of every list. Government agencies responsible for helping to protect the U.S. and its information systems and assets (e.g., CISA, FBI, Secret Service) send the same message. But that message may be evolving a bit as criminal threat actors have started to exploit weaknesses in MFA.

According to a recent report in Forbes, for example, threat actors are harnessing AI to break through multifactor authentication strategies designed to prevent new account fraud. “Know Your Customer” procedures are critical for validating the identity of customers in certain industries, such as financial services and telecommunications. Employers increasingly face similar issues when recruiting employees, finding, after making the hiring decision, that the person doing the work may not be the person interviewed for the position.

Threat actors have leveraged a new AI deepfake tool that can be acquired on the dark web to bypass the biometric systems that have been used to stop new account fraud. According to the Forbes article, the process goes something like this:

1. “Bad actors use one of the many generative AI websites to create and download a fake image of a person.

2. Next, they use the tool to synthesize a fake passport or a government-issued ID by inserting the fake photograph…

3. Malicious actors then generate a deepfake video (using the same photo) where the synthetic identity pans their head from left to right. This movement is specifically designed to match the requirements of facial recognition systems. If you pay close attention, you can certainly spot some defects. However, these are likely ignored by facial recognition because videos are prone to have distortions due to internet latency issues, buffering or just poor video conditions.

4. Threat actors then initiate a new account fraud attack where they connect a cryptocurrency exchange and proceed to upload the forged document. The account verification system then asks to perform facial recognition where the tool enables attackers to connect the video to the camera’s input.

5. Following these steps, the verification process is completed, and the attackers are notified that their account has been verified.”

Sophisticated AI tools are not the only MFA vulnerability. In December 2024, the Cybersecurity & Infrastructure Security Agency (CISA) issued best practices for mobile communications. Among its recommendations, CISA advised mobile phone users, in particular highly targeted individuals:

Do not use SMS as a second factor for authentication. SMS messages are not encrypted—a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.

In its 2023 Internet Crime Report, the FBI reported more than 1,000 “SIM swapping” investigations. A SIM swap is just another technique by threat actors involving the “use of unsophisticated social engineering techniques against mobile service providers to transfer a victim’s phone service to a mobile device in the criminal’s possession.”

In December, Infosecurity Magazine reported on another vulnerability in MFA. In fact, there are many reports about various vulnerabilities with MFA.

Are we recommending against the use of MFA? Certainly not. Our point is simply to offer a reminder that there are no silver bullets to achieving security of information systems and that AI is not only used by the good guys. An information security program, preferably one that is written (a WISP), requires continuous vigilance, and not just from the IT department, as new technologies are leveraged to bypass older technologies.

In 2024, Israel became the latest jurisdiction to enact comprehensive privacy legislation, largely inspired by the EU’s General Data Protection Regulation (“GDPR”). On August 5, 2024, Israel’s parliament, the Knesset, voted to approve the enactment of Amendment No. 13 (“the Amendment”) to the Israel Privacy Protection Law (“IPPL”). The Amendment, which will take effect on August 15, 2025, is considered an overhaul of the IPPL, which has been left largely untouched since the law’s enactment in 1996.

Key Features of the Amendment include:

  • Expansion of key definitions in the law
    • Personal Information – Expanded to include any “data related to an identified or identifiable person”.
    • Highly Sensitive Information – Replaces the IPPL’s current definition of “sensitive information” and is similar in kind to the GDPR’s Special Categories of Data. Types of information that qualify as highly sensitive information under the Amendment include biometric data, genetic data, location and traffic data, criminal records and assessment of personality types.
    • Data Processing – The Amendment broadens the definition of processing to include any operation on information, including receipt, collection, storage, copying, review, disclosure, exposure, transfer, conveyance, or granting access.
    • Database Controller – The IPPL previously used the term “database owner”, and akin to the GDPR has changed the term to database controller, which is defined as the person or entity that determines the purpose of processing personal information in the database.
    • Database Holder – Similar to the GDPR’s “processor”, the Amendment includes the term database holder which is defined as an entity “external to the data controller that processes information on behalf of the data controller”, which due to the broad definition of data processing, captures a broad set of third-party service providers.
  • Mandatory Appointment of a Privacy Protection Officer & Data Security Officer
    • Equivalent to the GDPR’s Data Protection Officer (DPO) role, an entity that meets certain criteria based on size and industry (inclusive of both data controllers and processors) will be required to implement a new role in their organization entitled the Privacy Protection Officer, tasked with ensuring compliance with the IPPL and promoting data security and privacy protection initiatives within their organization. Likewise, the obligation to appoint a Data Security Officer, which was a requirement for certain organizations prior to the Amendment, has now been expanded to apply to a broader set of entities.
  • Expansion of Enforcement Authority
    • The Privacy Protection Authority (“PPA”), Israel’s privacy regulator, has been given broader enforcement authority including a significant increase in financial penalties based on the number of data subjects impacted due to a violation, the type of violation and the violating entity’s financial turnover. Financial penalties are capped at 5% of the business’s annual turnover for larger organizations, which could reach millions of dollars (e.g., a data processor that processes data without the controller’s permission in a database of 1,000,000 data subjects (8 ILS per data subject) can be fined 8,000,000 ILS (approx. $2.5 million USD)). Small and micro businesses are capped at penalties of 140,000 ILS ($45,000 USD) per year. Other enhancements to the PPA’s authority include expansive investigative and supervisory powers as well as increased authority for the Head of the PPA to issue warnings and injunctions.

Additional updates to the Amendment include expansion of the notice obligation in the case of a data breach, increased rights of data subjects, extension of the statute of limitations and exemplary damages. In following segments on the IPPL leading up to the August 2025 effective date, we will dive deeper on some of the key features of the Amendment, certain to have impact on entities with customers and/or employees in Israel.

Data privacy and security regulation is growing rapidly around the world, including in Israel. This legislative activity, combined with the growing public awareness of data privacy rights and concerns, makes the development of a meaningful data protection program an essential component of business operations.

The Indiana Attorney General’s Office (OAG) filed a detailed complaint on December 23, 2024 (Complaint) which arose out of the following patient complaint:

The OAG received a consumer complaint stating that the consumer had contacted Arlington Westend Dental on multiple occasions to receive copies of their x-rays, but Arlington Westend Dental stated it no longer had the x-rays because someone “hacked” their systems.

Under both federal and state law, patients generally have rights to their medical records. In fact, over the last several years, the federal Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, has vigorously enforced these rights. In October 2024, the agency announced its 50th enforcement action, touting a $70,000 settlement, coincidentally with another dental practice.

It should be no surprise that the patient sought redress from the OAG, particularly after being told the reason for the lack of records was a “hacking” of the dental practice’s systems. At that point, according to the Complaint, the patient had not received notice of the incident. However, the facts that follow in the Complaint may be surprising for some.

According to the Complaint:

  • A ransomware attack occurred in October 2020. Because no forensic investigation was performed, the scope of the incident could not be determined.
  • The ransomware attack was not reported to the OAG when required by law. It was discovered during the investigation. When it was ultimately reported, the report indicated that the incident was not an intrusion, “but an incident of data being lost when the on-site internal hard drive of the server got formatted by mistake.”
  • The OAG obtained recordings of customer service calls from the dental practice’s software vendor that told a different story about the incident, confirming facts consistent with a ransomware attack, encryption of all records on the impacted server, and the existence of a ransom note.

The OAG’s findings about the ransomware incident prompted further investigation into the practice’s compliance with HIPAA generally. According to the Complaint, the practice had one set of HIPAA policies located at one of its six locations, with no evidence of implementation. No risk assessment had been conducted. In addition to a lack of evidence of regulatory compliance with policy and procedure obligations under HIPAA, the OAG also learned that the practice “repeatedly disclosed PHI in public replies to online patient reviews and made public posts disclosing PHI and identifying individuals, including minor children, as patients of [the practice] without patient authorization.”

The OAG included in the Complaint examples of the photographs of patients made public by the practice and some of the responses to online reviews. Here is one of those responses:

Ms. [redacted] I am sorry to hear that you are upset with the treatment that your husband received at our office. We strive for nothing but the best care for our patients. And let me assure you that your husband got very good dental care. Your husband came in as an emergency because of pain and infection and wanted to have the tooth extracted. We took time out of our busy schedule to take care of him and provide the same-day treatment, for which most people are grateful. He was already in so much pain as you stated when he came in, which means he already had severe infection. We treated the infection by extracting the tooth which was the source of the infection. The doctor also prescribed antibiotics and pain medication. I don’t understand why you would say that we did not take the whole tooth out. We have a post-op X-ray that shows the entire tooth has been extracted. Perhaps you should seek professional opinion of another dentist rather than giving us an unfair review based upon your vague and uninformed assumptions.

Clearly, a lot went wrong here, and there are some serious allegations by the OAG about how this incident and the investigation were handled by the practice. But there are some recurring lessons for providers, particularly smaller and midsized practices, that include:

  • Having a set of HIPAA policies in a drawer that no one in the practice sees will do little to support an argument for HIPAA compliance.
  • Complaints about timely and adequate responses to requests for patient records will get the attention of federal and state agencies, and if true likely lead to penalties.
  • While they can be upsetting and possibly disruptive to the practice, responding to patient reviews online and in social media can be serious traps for the unwary. We have seen it play out badly for providers here, here, and here.

We have helped many small to midsized providers, including dental practices, work through the issues and avoid these kinds of settlements and enforcement actions.

As the healthcare sector continues to be a top target for cyber criminals, the Office for Civil Rights (OCR) issued proposed updates to the HIPAA Security Rule (scheduled to be published in the Federal Register January 6). It looks like substantial changes are in store for covered entities and business associates alike, including healthcare providers, health plans, and their business associates.

According to the OCR, cyberattacks against the U.S. health care and public health sectors continue to grow and threaten the provision of health care, the payment for health care, and the privacy of patients and others. The OCR has reported that in 2023 over 167 million people were affected by large breaches of health information, a 1002% increase from 2018. Further, seventy-nine percent of the large breaches reported to the OCR in 2023 were caused by hacking. Since 2019, large breaches caused by successful hacking and ransomware attacks have increased 89% and 102%, respectively.

The proposed Security Rule changes are numerous and include some of the following items:

  • All Security Rule policies, procedures, plans, and analyses will need to be in writing.
  • Create and maintain a technology asset inventory and network map that illustrates the movement of ePHI throughout the regulated entity’s information systems on an ongoing basis, but at least once every 12 months.
  • More specificity needed for risk analysis. For example, risk assessments must be in writing and include action items such as identification of all reasonably anticipated threats to ePHI confidentiality, integrity, and availability and potential vulnerabilities to information systems.
  • 24-hour notice to regulated entities when a workforce member’s access to ePHI or certain information systems is changed or terminated.
  • Stronger incident response procedures, including: (I) written procedures to restore certain relevant information systems and data within 72 hours of their loss, and (II) written security incident response plans and procedures, including testing and revising those plans.
  • Conduct compliance audit every 12 months.
  • Business associates to verify Security Rule compliance to covered entities by a subject matter expert at least once every 12 months.
  • Require encryption of ePHI at rest and in transit, with limited exceptions.
  • New express requirements would include: (I) deploying anti-malware protection, and (II) removing extraneous software from relevant electronic information systems.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require review and testing of the effectiveness of certain security measures at least once every 12 months.
  • Business associates to notify covered entities upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
  • Group health plans must include in plan documents certain requirements for plan sponsors: comply with the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

After reviewing the proposed changes, concerned stakeholders may submit comments to OCR for consideration within 60 days after January 6, by following the instructions outlined in the proposed rule. We support clients with respect to developing and submitting comments they wish to communicate to help shape the final rule, as well as complying with the requirements under the rule once made final.

As the year comes to a close, here are some of the highlights from the Workplace Privacy, Data Management & Security Report, with our most popular topics and posts from 2024.

Expanding State Privacy Laws

This year saw a further expansion of state comprehensive consumer data privacy laws. These legislative measures aim to enhance the protection of consumer data, ensuring greater transparency and accountability for businesses that collect and process personal information. Several states introduced robust frameworks designed to safeguard consumer privacy. Whether you are an attorney, an executive, or a leader in human resources, marketing, operations, risk management, and of course IT, it is vital to stay informed about these evolving legal standards and their implications for both businesses and consumers.

Read more on these developments:

Bluegrass State Becomes Third State to Pass a Comprehensive Consumer Privacy Data Law in 2024

Maryland Passes Comprehensive Data Privacy Law, Joining the Swelling State Ranks

Minnesota Passes a Comprehensive Consumer Data Privacy Law

Nebraska Adds to the List of States That Have Enacted a Comprehensive Consumer Data Privacy Law

New Hampshire Passes Comprehensive Consumer Data Privacy Law

New Jersey Legislature Enacts the First Consumer Privacy Law of 2024

Rhode Island Passes a Comprehensive Consumer Data Privacy Law

Growing AI Regulation

In 2024, the landscape of artificial intelligence (AI) regulation experienced significant changes, reflecting the rapid advancements and widespread adoption of AI technologies across various industries. Regulators have increasingly focused on addressing the ethical, legal, and privacy implications of AI, leading to new laws and amendments aimed at safeguarding individuals’ rights and ensuring transparency in AI deployment. One example at the federal level is the use of AI in conducting background checks and the Fair Credit Reporting Act (FCRA) implications that use may carry. A notable example at the state level is Illinois, which made significant amendments to its Human Rights Act, setting a precedent for other states by incorporating specific provisions related to AI.

Read more about these developments:

AI Regulation Continues to Grow as Illinois Amends its Human Rights Act

AI Notetakers – Evaluating the Risks Along with the Benefits

3 Key Risks When Using AI for Performance Management and Ways to Mitigate Them

AI and Other Decision-Making Tools: Does the Fair Credit Reporting Act Apply?

Data Breach Risks Escalate

Businesses faced significant regulatory and legislative developments pertaining to data breaches in 2024, reflecting the growing need to protect sensitive information in an increasingly digital world. Key updates include the strengthening of breach notification requirements by multiple states, such as Utah, and the emphasis on multi-factor authentication to prevent unauthorized access. The rising scrutiny and evolving legal landscape underscore the necessity for businesses to implement robust cybersecurity measures and comply with updated data breach notification laws to mitigate risks and avoid severe penalties.

Read more about these developments:

Utah Updates to Breach Notification Requirements Take Effect

Multi-factor Authentication (MFA) Bypassed to Permit Data Breach

Website Tracking Concerns for Business

In 2024, the scrutiny surrounding website tracking technologies has intensified significantly. It has become critical for businesses to understand the evolving legal landscape of online tracking practices. Increased regulatory pressure and new legislative measures across different states have highlighted the need for businesses to implement robust privacy policies. These policies must comply not only with state-specific regulations but also with broader federal guidelines, ensuring the protection of consumer data and transparency in data collection. Moreover, recent guidance from the New York Attorney General and other regulatory bodies has emphasized that non-compliance can lead to severe penalties, making it imperative for online retailers and all businesses employing website tracking technologies to stay abreast of the latest legal requirements and best practices.

Read more about these developments:

California Invasion of Privacy Act Violations Aimed at Online Retailers

The Spotlight Shines Even Brighter: New York Attorney General Publishes Guidance On Businesses’ Use Of Website Tracking Technologies

Litigation Under Wiretap Law and What Website Owners Need to Know

Administrative Guidance on Cybersecurity

This year several administrative agencies issued guidance on cybersecurity, emphasizing the critical importance of protecting sensitive data and ensuring robust security measures across various sectors. Among them, the Department of Labor (DOL) expanded fiduciary obligations to include cybersecurity for health and welfare plans, reflecting a growing recognition of the vulnerabilities and risks associated with inadequate cybersecurity practices. When plan fiduciaries set out to assess their plan service providers, they might consider the amendments the Securities and Exchange Commission (SEC) made in 2024 to Regulation S-P, which regulates many of those same service providers. If a service provider is subject to Regulation S-P, confirming that it complies with the SEC requirements for an incident response plan and other cybersecurity policies and procedures would help the fiduciaries satisfy their obligation to make prudent selections.

Read more about these developments:

DOL Expands Fiduciary Obligations for Cybersecurity to Health and Welfare Plans

Why Retirement Plan Sponsors and Fiduciaries Need to Know about the SEC Cybersecurity Amendments

The Broadening Data Security Mandate: SEC Incident Response Plan and Data Breach Notification Requirements

Jackson Lewis will continue to track important developments in privacy, data management, and cybersecurity in the new year. If you have questions about these or other related issues, contact a Jackson Lewis attorney to discuss.

A healthcare provider delivering pain management services in Florida and other states faces a $1.19 million civil monetary penalty from the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The OCR investigation stems from a data breach, but not the type of breach we are used to seeing in the news – it was not a ransomware attack, business email compromise, or some other type of attack by an unknown hacker. Similar to many other OCR enforcement actions, however, a lack of basic safeguards under the Security Rule drove the penalty.

According to the OCR:

  • On May 3, 2018, the covered entity retained an independent contractor to provide business consulting services.
  • The contractor’s services ceased in August of 2018.
  • On February 20, 2019, the covered entity discovered that on three occasions, between September 7, 2018, and February 3, 2019, the contractor impermissibly accessed the provider’s electronic medical record (EMR) system and obtained the electronic protected health information (ePHI) of approximately 34,310 individuals. The contractor used that information to generate approximately 6,500 false Medicare claims.
  • On February 21, 2019, the covered entity terminated the independent contractor’s access to its systems, and in early April of that same year filed a breach report with OCR. The report described that the compromised PHI included names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.

According to OCR, then, the contractor retained access to the covered entity’s information systems for roughly six months after its services ended.

“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.” 

The OCR commenced an investigation and reported findings that the covered entity:

  • did not conduct a thorough and accurate risk analysis prior to the breach incident, or until September 30, 2022, more than three years after the incident,
  • had not implemented policies and procedures to regularly review records of information system activity containing ePHI,
  • did not implement termination procedures designed to remove access to ePHI for workforce members who had separated, and
  • did not implement policies and procedures addressing access to workstations.
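Two of the findings above are things an access-review process can catch mechanically: an account that is still enabled after its owner’s engagement ended, and information-system activity by that account after that date. The script below is an added illustration of such a review; it is not code from the post or from OCR. The roster, the enabled-account snapshot and the EMR audit records are constructed sample data, and the field layout is an assumption (real EMR audit logs differ by vendor).

```python
"""Added example: an access review of the kind the OCR findings call for.
All data below is constructed; the log format is an assumed four-field layout."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Worker:
    user: str
    role: str                 # "employee" or "contractor"
    end_date: Optional[date]  # None means still engaged


# Constructed HR / vendor roster. The contractor's services ended in August.
ROSTER = [
    Worker("jdoe", "employee", None),
    Worker("consult01", "contractor", date(2018, 8, 31)),
    Worker("rnurse", "employee", date(2019, 1, 15)),
]

# Constructed snapshot of accounts still enabled in the EMR identity store.
ENABLED_ACCOUNTS: Set[str] = {"jdoe", "consult01", "rnurse"}

# Constructed EMR audit records: <timestamp> <user> <action> <record_count>
ACCESS_LOG = """\
2018-09-07T22:14:03 consult01 EXPORT 9000
2018-11-19T01:40:55 consult01 EXPORT 12000
2019-01-10T09:02:11 rnurse VIEW 1
2019-02-03T03:15:42 consult01 EXPORT 8500
2019-02-10T14:20:00 jdoe VIEW 1
"""

# Date the review is run, as in the post's timeline (constructed for the example).
REVIEW_DATE = date(2019, 2, 20)

Entry = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Entry]:
    """Parse the assumed four-field audit format into typed tuples."""
    rows: List[Entry] = []
    for line in text.splitlines():
        ts, user, action, count = line.split()
        rows.append((datetime.fromisoformat(ts), user, action, int(count)))
    return rows


def stale_accounts(roster: List[Worker], enabled: Set[str], as_of: date) -> List[str]:
    """Accounts still enabled after the worker's end date: a termination-procedure gap."""
    return sorted(
        w.user for w in roster
        if w.end_date is not None and w.end_date < as_of and w.user in enabled
    )


def post_separation_access(roster: List[Worker], log: List[Entry]) -> List[Entry]:
    """Activity by a user after that user's end date: what regular log review should surface."""
    ends = {w.user: w.end_date for w in roster if w.end_date is not None}
    return [e for e in log if e[1] in ends and e[0].date() > ends[e[1]]]


def exposed_record_estimate(findings: List[Entry]) -> int:
    """Upper bound on records touched; the same chart may appear in several exports."""
    return sum(n for _, _, _, n in findings)


if __name__ == "__main__":
    print("still enabled past end date:", stale_accounts(ROSTER, ENABLED_ACCOUNTS, REVIEW_DATE))
    hits = post_separation_access(ROSTER, parse_log(ACCESS_LOG))
    for ts, user, action, n in hits:
        print(f"{ts.isoformat()} {user} {action} {n} records (after separation)")
    print("records exposed (upper bound):", exposed_record_estimate(hits))
```

The two checks are independent on purpose: the first runs against the identity store on a schedule and needs no logs, so it catches the deprovisioning failure even when nobody is reading audit trails; the second runs against the audit trail and catches misuse that a stale account enables. Either one, run in the interval described above, would have surfaced the contractor’s activity months earlier.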

It is worth noting that the $1.19 million penalty comes after a reduction for “Recognized Security Practices” (RSPs). Recall that, following an amendment enacted in January 2021, the HITECH Act requires OCR to take RSPs into account in connection with certain enforcement and audit activities under the HIPAA Security Rule. In short, if a covered entity can demonstrate that RSPs were in place continuously for the 12 months prior to a security incident, a reduction in the amount of the civil monetary penalty may be warranted.

In this case, OCR provided the covered entity an opportunity to demonstrate that it had Recognized Security Practices in place. The covered entity did so, and OCR applied a reduction to the penalty.

Regulated entities, including healthcare providers, often point to “controls” they have in place, believing they are sufficient to address their compliance obligations. This application of the rule for Recognized Security Practices is a good example of why that is not the case. That is, while it is important to maintain good controls, those efforts still need to be measured against the applicable compliance requirements, such as those set forth under the HIPAA Security Rule.

On November 8, 2024, the California Privacy Protection Agency (CPPA) voted to proceed with formal rulemaking regarding artificial intelligence (AI) and cybersecurity audits. This comes on the heels of the California Civil Rights Department moving forward with its own regulations about AI.

The current version of the proposed regulations covers several areas:

  1. Automated Decision-Making Technology (ADMT):

The current draft regulations propose establishing consumers’ rights to access and opt out of businesses’ use of ADMT.

They also require businesses to disclose their use of ADMT and provide meaningful information about the logic involved, as well as the significance and potential consequences of such processing for the consumer.

  2. Cybersecurity Audits:

The draft regulations propose requiring certain businesses to conduct annual cybersecurity audits to ensure compliance with the California Consumer Privacy Act (CCPA) and other relevant regulations, and specify the criteria and standards for these audits, including the scope, methodology, and reporting requirements.

  3. Risk Assessments:

The draft regulations require businesses to perform regular risk assessments to identify and mitigate potential privacy risks associated with their data processing activities.

Under the regulations, businesses would need to document their risk assessment processes and findings, and make these available to the CPPA upon request.

  4. Insurance Regulations:

The draft regulations clarify when insurance companies must comply with the CCPA, ensuring that consumer data handled by these entities is adequately protected.

The proposed regulations will enter a 45-day public comment period, during which stakeholders can submit written and oral comments. The CPPA will hold public hearings to gather additional feedback and discuss potential revisions to the proposed rules.

After the public comment period, the CPPA will review all feedback and make necessary adjustments to the regulations. This stage may involve multiple rounds of revisions and additional public consultations.

Once the CPPA finalizes the regulations, they will be submitted to the Office of Administrative Law (OAL) for review and approval. If approved, the regulations are expected to become effective by mid-2025.

Announcing its fourth ransomware cybersecurity investigation and settlement, the Office for Civil Rights (OCR) also observed there has been a 264% increase in large ransomware breaches since 2018.

Here, OCR reached an agreement with a medium-size private healthcare provider following a ransomware attack, resolving potential violations of the HIPAA Security Rule. The settlement included a payment of $250,000 and a commitment by the covered entity to take certain steps regarding the security of PHI.

“Cybercriminals continue to target the health care sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm,” said OCR Director Melanie Fontes Rainer.

In this case, the OCR announcement states that nearly 300,000 patients were affected by the ransomware attack. As in most OCR investigations under similar circumstances, the agency examined the covered entity’s compliance with the Security Rule. And, as described in many of its settlements, OCR focuses on the administrative, physical, and/or technical standards it believes the covered entity or business associate failed to satisfy. A covered entity that attends to these actions now likely will be in a stronger, more defensible position if it later faces an OCR investigation, perhaps because of a ransomware or other data breach.

These actions include: 

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI; 
  • Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis; 
  • Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; 
  • Develop policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI; 
  • Develop written procedures to assign a unique name and/or number for identifying and tracking user identity in its systems that contain ePHI; and 
  • Review and revise, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules.  

The OCR also recommends the following steps to mitigate or prevent cyber-threats: 

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations. 
  • Integrate risk analysis and risk management into business processes, conducting them regularly and whenever new technologies and business operations are planned. 
  • Ensure audit controls are in place to record and examine information system activity. 
  • Implement regular review of information system activity. 
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI. 
  • Encrypt ePHI to guard against unauthorized access to ePHI. 
  • Incorporate lessons learned from incidents into the overall security management process. 
  • Provide training specific to the organization and job responsibilities on a regular basis; reinforce workforce members’ critical role in protecting privacy and security. 

Of course, taking these steps should include documenting that you took them. During an OCR investigation, the agency is not going to take your word for the good work that you and your team did. You will need to be able to show the steps taken, and that means written policies and procedures, written assessments, sign-in sheets for training and the materials covered during the training, etc.

HIPAA covered entities and business associates are not all the same, and some will be expected to have a more robust program than others. The good news is that the regulations contemplate this risk-based approach to compliance. But all covered entities and business associates need to take some action in these areas to protect the PHI they collect and maintain.