David Kessler (US)

Contact:

The differences between non-disclosure, exfiltration and notice – a court’s view

By David Kessler (US) & Susan Ross (US) on March 19, 2025

By David Kessler and Sue Ross

Although there is scant case law on the question, it is generally accepted that it is not a violation of one’s duty not to disclose information if it is stolen from you. Put another…

Happy Information Governance Day

By David Kessler (US) & Andrea D'Ambra (US) on February 20, 2025

Happy February 20^th and Information Governance Day! Today is an opportunity to reflect on the evolution of information governance and, more importantly, its future. In our view, information governance is in its ascendency and is only becoming more and…

FTC settlement requires disconnection of hardware from all no longer supported software

By David Kessler (US) & Susan Ross (US) on February 18, 2025

On January 16, 2025, the FTC announced a proposed complaint and consent agreement with one of the largest hosting companies in the world: GoDaddy. According to the complaint, the FTC found GoDaddy’s security practices “unreasonable for a company of its…

US Dept of Health proposes Security Rule amendments that includes new deadlines

By Will Daugherty (US), David Kessler (US), Sarah Knight (US), Susan Ross (US) & Megan Kunnel (US) on February 4, 2025

On December 27, 2024, the United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve data protection measures in the healthcare sector.

Learn more about the…

$3 million HIPAA Settlement

By David Kessler (US) & Susan Ross (US) on January 21, 2025

On January 14, 2025, the U.S. Department of Health and Human Services (“HHS”) entered into a settlement agreement relating to alleged HIPAA regulation violations with Solara Medical Supplies LLC, a direct-to-consumer distributer of continuous glucose monitors, insulin pumps, and other…

Two HIPAA settlements, $1.6 million in penalties

By David Kessler (US) & Susan Ross (US) on December 20, 2024

On December 4, 2024, HHS announced an agreement with Gulf Coast Pain Consultants calling for payment of $1.1 million in civil penalties due to alleged lack of compliance with HIPAA’s security requirements. Two days later, HHS announced an agreement with…

New York hospitals have new cybersecurity requirements

By David Kessler (US), Susan Ross (US) & Remi Gambino (US) on October 23, 2024

On October 2, 2024, the New York State Department of Health (DOH) published a new cybersecurity regulation (10 NYCRR 405.46) for all general hospitals licensed pursuant to article 28 of the Public Health Law. Although most of the regulation will…

New York Department of Financial Services addresses cybersecurity risks from artificial intelligence

By David Kessler (US), Susan Ross (US), Kelly Atherton (US) & Gerar Mazarakis (US) on October 17, 2024

On October 16, 2024, the New York Department of Financial Services (“NYDFS” or “DFS”) issued guidance raising awareness about combatting cybersecurity risks arising from artificial intelligence (“AI”) used by DFS licensees, such as insurers and virtual currency businesses. Risks revolve…

Security cameras, CAN-SPAM, and “reasonable or appropriate security”

By David Kessler (US) & Susan Ross (US) on September 9, 2024

On August 30, 2024, the Federal Trade Commission (FTC) announced a proposed settlement with security camera manufacturer Verkada Inc., claiming Verkada committed a variety of unfair or deceptive acts or practices in violation of § 5 of the Federal Trade…

California Attorney General and data security, access and retention

By David Kessler (US), Susan Ross (US) & Alyssa Saenz (US) on August 28, 2024

On June 13, 2024, the California Attorney General announced a $6.75 million judgment against Blackbaud regarding its data breach from 2020. (We had previously covered the FTC’s settlement in February here.) In the judgment with the California Attorney General…

Data Protection Report