David Kessler (US)

Contact:

FTC settlement requires disconnection of hardware from all no longer supported software

By David Kessler (US) & Susan Ross (US) on February 18, 2025

On January 16, 2025, the FTC announced a proposed complaint and consent agreement with one of the largest hosting companies in the world: GoDaddy. According to the complaint, the FTC found GoDaddy’s security practices “unreasonable for a company of its…

US Dept of Health proposes Security Rule amendments that includes new deadlines

By Will Daugherty (US), David Kessler (US), Sarah Knight (US), Susan Ross (US) & Megan Kunnel (US) on February 4, 2025

On December 27, 2024, the United States Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve data protection measures in the healthcare sector.

Learn more about the…

$3 million HIPAA Settlement

By David Kessler (US) & Susan Ross (US) on January 21, 2025

On January 14, 2025, the U.S. Department of Health and Human Services (“HHS”) entered into a settlement agreement relating to alleged HIPAA regulation violations with Solara Medical Supplies LLC, a direct-to-consumer distributer of continuous glucose monitors, insulin pumps, and other…

Two HIPAA settlements, $1.6 million in penalties

By David Kessler (US) & Susan Ross (US) on December 20, 2024

On December 4, 2024, HHS announced an agreement with Gulf Coast Pain Consultants calling for payment of $1.1 million in civil penalties due to alleged lack of compliance with HIPAA’s security requirements. Two days later, HHS announced an agreement with…

New York hospitals have new cybersecurity requirements

By David Kessler (US), Susan Ross (US) & Remi Gambino (US) on October 23, 2024

On October 2, 2024, the New York State Department of Health (DOH) published a new cybersecurity regulation (10 NYCRR 405.46) for all general hospitals licensed pursuant to article 28 of the Public Health Law. Although most of the regulation will…

New York Department of Financial Services addresses cybersecurity risks from artificial intelligence

By David Kessler (US), Susan Ross (US), Kelly Atherton (US) & Gerar Mazarakis (US) on October 17, 2024

On October 16, 2024, the New York Department of Financial Services (“NYDFS” or “DFS”) issued guidance raising awareness about combatting cybersecurity risks arising from artificial intelligence (“AI”) used by DFS licensees, such as insurers and virtual currency businesses. Risks revolve…

Security cameras, CAN-SPAM, and “reasonable or appropriate security”

By David Kessler (US) & Susan Ross (US) on September 9, 2024

On August 30, 2024, the Federal Trade Commission (FTC) announced a proposed settlement with security camera manufacturer Verkada Inc., claiming Verkada committed a variety of unfair or deceptive acts or practices in violation of § 5 of the Federal Trade…

California Attorney General and data security, access and retention

By David Kessler (US), Susan Ross (US) & Alyssa Saenz (US) on August 28, 2024

On June 13, 2024, the California Attorney General announced a $6.75 million judgment against Blackbaud regarding its data breach from 2020. (We had previously covered the FTC’s settlement in February here.) In the judgment with the California Attorney General…

Violation of HIPAA Security Rule = Violation of NY SHIELD Act

By David Kessler (US), Susan Ross (US) & Susana Medeiros (US) on August 22, 2024

On August 13, 2024, the New York Attorney General announced a settlement agreement, along with the Attorneys General of Connecticut and New Jersey, with Enzo Biochem Inc. and its subsidiary corporation, Enzo Clinical Labs, Inc., regarding a security incident…

Minnesota enacts comprehensive privacy law

By Susan Ross (US), David Kessler (US), Amelia Klitenic (US), Kelly Atherton (US) & Rachel Cooper (US) on June 24, 2024

On May 24, 2024, the Minnesota Governor signed the Minnesota Consumer Data Privacy Act (“MCDPA”), making Minnesota the eighteenth state to enact a comprehensive privacy law. The new law takes effect on July 31, 2025, for most regulated entities, with…

Data Protection Report