Earlier this year, the Attorneys General of Massachusetts and Connecticut entered into settlement agreements with Comstar, LLC, an ambulance billing firm, relating to alleged HIPAA regulation violations in connection with a ransomware incident. Comstar is a business associate under HIPAA
AI and privilege: Assessing recent court rulings
We recently drafted an article that discussed court decisions that reached very different conclusions about how the attorney-client privilege and work product doctrine apply to materials submitted to and created by generative AI (GenAI) tools. A recent decision from the
Celebrating Global Information Governance Day: Why information governance matters more than ever
Happy Global Information Governance Day!! Today we celebrate information governance and raise awareness of how to manage data, balance risks and build a culture focused on good data hygiene.
Working with large and small companies around the world, we have
New York’s algorithmic pricing law
On November 10, 2025, New York’s disclosure law on algorithmic pricing went into effect. This post will describe the law, a recent federal court case, and some potential effects, using precise geolocation data as an example.
The law
The law
Regulators, including FCC, emphasize third party vendor cybersecurity monitoring requirements
Many data breaches occur not at the company that controls or owns the data, but rather at the company’s third-party service providers or vendors. Regulators have noticed and have begun placing emphasis on a company’s obligation to monitor its service
Happy e-Discovery Day
Happy e-Discovery Day! On December 4, 2025, legal professionals around the globe will unite to celebrate e-Discovery Day, a day where we honor the pivotal 2006 amendments to the Federal Rules of Civil Procedure (FRCP) that marked a turning point
California tightens data breach notification timelines, imposes 30-day notice requirement
California recently signed into law Senate Bill No. 446, which amends its data breach notification law, Section 1798.82 of the Civil Code, to require covered companies to notify affected California residents within 30 calendar days of discovery of the data
NYDFS fines licensee $2 million for lack of email retention policy and MFA
On August 14, 2025, the New York Department of Financial Services (“NYDFS”) entered into a consent order with Healthplex, Inc, (“Healthplex”), which is licensed by NYDFS as an independent claims adjuster and as a life and/or accident health insurance agent.
California’s anti-employment-discrimination regulations now include AI, expand retention requirements
On June 27, 2025, the California Civil Rights Council, which is part of the Civil Rights Department, published revised regulations to protect against employment discrimination as a result of an employer’s use of artificial intelligence (AI) and other technologies that
FTC finalizes COPPA rule amendments
On January 16, 2025, the Federal Trade Commission (FTC) announced significant amendments to the Children’s Online Privacy Protection Act (COPPA) Rule after a comprehensive review that began in 2019. This marks the first major update since 2013 and represents a