Zachary Heck, CIPP, CIPM on LinkedIn: Virtual Philadelphia KnowledgeNet: 26 June 2024 (2024)

Did you know that the Department of Health and Human Services (HHS) updated its final regulation that modified the HIPAA Privacy Rule to safeguard individuals' protected health information (PHI) relating to reproductive healthcare? The regulations went into effect yesterday, and those subject to the regulations must comply with the requirements by December 23. HHS also set a special compliance date of February 16, 2026 for the regulations' changes involving HIPAA notices of privacy practices (NPPs). To learn more about these changes and the impact they will have, check out the blog below co-authored by my colleagues Scot Ganow, CIPP/US and summer associate Tanner Wilburnhttps://lnkd.in/gJBcbbEp

5

The Vermont Data Privacy Act is no more. Governor Scott vetoed the bill last week, and after calling a special legislative session, the Vermont Senate failed to override the veto by just a single vote.What does the VDPA’s defeat mean for the future of consumer privacy laws? What should businesses take away from all of this? Learn more in my latest blog.https://lnkd.in/gkxwntiK

5

Remember that aggressive "game changer" privacy bill that passed the Vermont legislature last month? You know, the one with a private right of action and restrictions for age appropriate design coding? The one that other states may start looking to in an attempt to form more aggressive consumer protection privacy laws? It was VETOED. Last Thursday, Governor Phil Scott vetoed the would-be Vermont Data Privacy Act, citing concerns that it was anti-business (for the private right of action) and could implicate First Amendment concerns (currently being litigated with California's age appropriate coding provisions). Instead, Gov. Scott recommended that Vermont adopt a bill similar to Connecticut's privacy law in an effort to achieve "regional harmony." Check out my latest blog article recapping the veto and how businesses should adjust their privacy practices. https://lnkd.in/gkxwntiK

1

When it comes to artificial intelligence ("AI"), I am often asked what the liability exposure is when AI makes a mistake. Various governmental agencies, legislative bodies, and courts have started setting forth different rules and guidelines for who (or what) is liable when AI goes wrong. To learn more, check out my blog below co-authored by my colleague John Jareckihttps://lnkd.in/gK62qY-6

5

Deep in the heart of Texas... prosecutions for online privacy and security cases appears to be on the horizon. Yesterday, Texas Attorney General Ken Paxton launched a data privacy and security initiative to establish a team within his office that will focus on enforcing Texas privacy laws. Per AG Paxton, the team will focus on enforcing Texas' privacy protection laws like the Data Privacy and Security Act ("TDPSA"), which was approved last year. The new team will also seek to enforce other state laws related to biometric identifiers and deceptive practices, as well as federal child online safety and health privacy laws. Texas is not the only state to devote a team within the AG's office to privacy and security matters. But with the TDPSA set to take effect in just four weeks, this signals a shift in prioritization. For businesses subject to the new Texas law, heightened vigilance will be essential to ensure compliance with all requisite notices, policies, and procedures for honoring data subject rights. To learn more about the newly established team within the Texas AG, check out this article from the Texas Tribune. https://lnkd.in/gkP6atPX

4

Yesterday, the Office of the National Cyber Director, The White House published a recommendation for developing a framework for reciprocity of baseline requirements with respect to cybersecurity regulation. The publication notes that in August 2023, the Office of the National Cyber Director released a request for information to formally jumpstart conversation with industry and ask for input to better understand the cybersecurity regulatory landscape. Following 86 responses representing 11/16 critical infrastructure sectors, as well as nonprofits, trade associations, and research organizations, the conclusion was clear: we need better uniformity and harmonization in cybersecurity regulations. This call to action is hardly surprising. We counsel clients through the alphabet soup of privacy and security laws and regulations including HIPAA, GLBA, NIST, ISO, 23 NYCRR 500, etc. It can be a lot to navigate and for organizations processing different types of regulated data, finding a common denominator of requirements can present unique challenges. Click the link below to read the publication. Have you completed a data governance review lately? How does your organization relate and respond to these challenges?

1

Earlier this year, President Biden Issued Executive Order 14117, entitled "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern." The main objective of the EO is to protect the sensitive personal data of individuals located in the United States. Simple enough. But the practical application and reasons for the EO are shrouded in nuance. My Privacy and Data Security colleague, Jordan Jennings explains it all in her latest blog post on the matter. https://lnkd.in/gukHgPg3

7

Hot on the heels of the European Union's AI Act, Colorado has passed its own artificial intelligence regulatory bill! Set to take effect on February 1, 2026, the Colorado AI law allocates regulatory responsibility based on the risk presented by any given AI system. To learn more, check out the latest bulletin from my colleague Joey Balthazor. https://lnkd.in/ejhHr2nG

4