Photo of Scot Ganow

Scot is a partner in Taft’s Dayton office, and chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

Tuesday, Jan. 30, 2024

11 a.m. – 12 p.m. ET

You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just

Continue Reading Webinar: 10 Privacy and Security Resolutions in the New Year

Last year, we discussed the growing focus and increased regulation on data brokers nationwide, including bills in California, Delaware, Massachusetts, Oregon, and Washington. Now, California has a new bill (S.B. 362) that would revamp its requirements on data brokers and provide California residents new rights over their personal information. The bill is now on California Governor Gavin Newsom’s desk for signature. The purpose of this bill is to address differences between existing data broker requirements and the California Consumer Privacy Act (CCPA).Continue Reading California’s New Data Broker Requirements

On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (the “MTCDPA”) into law, becoming the ninth state to enact a comprehensive consumer privacy act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia with legislation that protects their residents’ personal data.

The MTCDPA will go into effect on October 1, 2024. In preparation for MCTDPA to be signed into law, companies doing business in Montana should start thinking of ways to incorporate the law’s requirements into their existing privacy policies and procedures.Continue Reading Montana Enacts Privacy Law

On May 3, 2023, Utah’s Online Pornography Viewing Age Requirements Act (the “Act”) went into effect. The Act states that website operators must require internet users to prove they are eighteen years of age or older through a “digitized identification card” or third-party age-verification service when accessing websites containing “pornography or other materials harmful to minors.” In other words, to access adult websites in Utah, users must either upload their driver’s license (or other state-issued identification) or subject themselves to third-party age verification through tools such as biometric scanning. Simply clicking “I am 18 or older” is no longer sufficient with this legislation; an individual must now give personally identifiable information, including in some cases, a biometric face scan.Continue Reading Porn, Privacy & Protecting Kids:  States Seek to Balance Individual Rights and Business Interests in New Online Age Verification Laws

As we previously covered in February, there has been an increase in lawsuits, including class actions, filed against website operators in various states (including California, Florida, Indiana, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (VPPA). Since then, there have been some updates to such pending litigation. For purposes of this post, the pending litigation can be broken out into three categories: (1) Chat window wiretapping claims; (2) Session replay technology claims; and (3) claims under the VPPA.Continue Reading UPDATE: Litigation Related to Website Technology & Data Sharing

In our previous post, “A Primer on Artificial Intelligence and the Law in 2023,” we briefly discussed how the federal government is preparing for legislation and regulation regarding Artificial Intelligence (“AI”) through provisions of the National Artificial Intelligence Initiative Act of 2020 (the “Act”). While no comprehensive federal statute regulating AI has been signed into law, regulatory agencies must contend with the emerging technology under existing laws.Continue Reading Artificial Intelligence: U.S. Federal Considerations

Over the past year, there has been a growing number of lawsuits, including class actions, filed against website operators in various states (including California, Florida, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (“VPPA”).Continue Reading Heads Up!  Increasing Litigation Related to Website Technology & Data Sharing

As you consider the end of the year and beginning of a new year, we in Taft’s Privacy and Data Security Practice thought to provide you with a simple list of data protection resolutions you might consider, both professionally and personally.

1.  Get strong!  Now is a good time to make a change in passwords for your accounts, and specifically make them strong passwords (i.e. ten characters or more, including an upper and lower case letter, number, and

Continue Reading 2023 Privacy and Data Security Resolutions

If you haven’t already seen the notifications in the Taft Privacy and Data Security Mobile App, we wanted to make you aware or remind you about some important security updates issued by Apple affecting multiple products. CISA (Cybersecurity & Infrastructure Security Agency) is recommending consumers update their devices as soon as possible.


Continue Reading Important Security Updates Issued by Apple

In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).

First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health-related, does not get the protections of HIPAA.
Continue Reading HIPAA: Its Confidentiality Protections (And Limits)