Photo of Scot Ganow

Scot Ganow

Subscribe to Scot Ganow's Posts

Scot is a partner in Taft’s Dayton office, and chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

Follow:Read more about Scot GanowScot's Linkedin Profile

As 2025 comes to a close, we asked several members of Taft’s Privacy and Data Security practice group to share their thoughts on what should be on a client’s “wish list” for the holiday season, or on a list of resolutions for 2026.

Here are their thoughts for businesses considering to not only meet the requirements of new laws and mitigate existing risks, but also looking to seize the opportunity to maximize the impact of technology to unleash the power in their data.Continue Reading Closing Out 2025: Key Privacy & Data Security Updates from Taft

An ongoing issue many of our clients are dealing with are claims under the California Information Privacy Act (CIPA). This is actually a criminal statute and should not be confused with the California Consumer Privacy Act (CCPA).

A cottage industry of California plaintiffs’ firms are sending demand letters, filing suits, and initiating arbitrations for alleged CIPA violations. Here at Taft, we are seeing 1-2 new claims a week.Continue Reading What to Know: Your Company Website and the California Information Privacy Act

On July 24, 2025, the California Privacy Protection Agency (CPPA) approved a sweeping set of amendments to the California Consumer Privacy Act (CCPA) regulations. These updates introduce new compliance obligations for businesses around automated decision making, cybersecurity audits, risk assessments, and more.

Below, we discuss some of these new requirements.Continue Reading California Finalizes Major CCPA Amendments

Special thanks to Taft Summer Associate Richard Roediger for his significant contributions to this post.

On May 20, 2025 Ohio Rep. Adam Mathews (District 56) and Ohio Rep. Haraz N. Ghanbari (District 75) introduced Ohio House Bill 283 (the Act), legislation that requires political subdivisions within the state to enact cybersecurity programs. In Ohio, a “political subdivision” is a county, township, municipal corporation, or other body corporate and politic responsible for governmental activities in a geographic area smaller than the whole state.

The Act’s language was incorporated in its entirety into Ohio’s state budget bill passed on June 30, 2025.Continue Reading Ohio Budget Bill Requires Counties, Townships, and Cities to Enact Cybersecurity Program by September 29

Last year, we wrote about updates from the Department of Justice (DOJ) and the DOJ’s proposed enforcement efforts and regulations implementing Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Data by Countries of Concern” (Rule).

A year later, the DOJ has finalized the Rule and developed guidance on what companies handling (i) bulk U.S. sensitive personal data or (ii) U.S. Government-related data must know, especially when interacting with persons and entities in ”Countries of Concern,” which currently include:

  • China (includes Hong Kong and Macau)
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Venezuela

In April of this year, the DOJ’s National Security Division (NSD) issued its Data Security Program and corresponding Compliance Guide (DSP) and Frequently Asked Questions (FAQs) providing information that all U.S. entities must understand and follow to comply with the Rule. The NSD’s stated primary mission with respect to the implementation and enforcement of the DSP is to protect U.S. national security from Countries of Concern that may seek to collect and weaponize both government data and Americans’ most sensitive personal data.

As we have written previously, the DSP will require U.S. organizations to look deeply into their data collection and data sharing practices to determine whether they are (i) providing covered data to a Country of Concern and (ii) subject to the DSP’s requirements.

All U.S. organizations handling government-related data and bulk U.S. sensitive personal data must make good-faith efforts to comply with the DSP by July 8, 2025. Continue Reading One Month to Go: What You Need to Know about the U.S. Department of Justice’s Data Security Program

Biometrics continue to be a hot issue and one primed for litigation and related liabilities.  We in the Privacy and Data Security Practice are happy to share this upcoming Taft webinar, which will include a discussion on BIPA class action risks.   Join our colleagues from Taft’s Litigation Practice on April 15th.

Time: 12 p.m. – 1:15 p.m. EST
Register HERE.Continue Reading Taft Takeaways: Class Action Insights and Updates

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

On July 12, 2024, the European Union’s Artificial Intelligence Act (AI Act) was published in the EU Official Journal.

This comprehensive legislation establishes the first risk-based regulatory framework for AI systems, with far-reaching implications for businesses using AI. The AI Act is effective August 2, 2024, with the enforcement of the majority of its provisions commencing on August 2, 2026.

Continue Reading The EU AI Act – What Businesses Need to Know

Special thanks to Taft summer associates Tanner Wilburn and Lizzie Dobbins for their contributions to this post. 

On June 20, 2024, the U.S. District Court for the Northern District of Texas vacated a portion of guidance issued by the Department of Health and Human Services (HHS) regarding the use of online tracking technologies. This decision is beneficial to healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) which use third-party tracking tools on their public-facing websites, but such entities should be cautious to not read the case too broadly.Continue Reading Federal Court Strikes Down HHS Rule on Website Tracking Technologies… To an Extent

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

Earlier this year, we provided a law bulletin on changes coming to the Health Insurance Portability and Accountability Act (HIPAA). To recap briefly, in April 2024, the Department of Health and Human Services (HHS) issued a final regulation that modified the HIPAA Privacy Rule to safeguard individuals’ protected health information (PHI) concerning reproductive health care.

The regulations go into effect on June 25, 2024, and those subject to the regulations must comply with the requirements by December 23, 2024. HHS also set a special compliance date of February 16, 2026, for the regulations’ changes involving HIPAA notices of privacy practices (NPPs).

With the law going into effect this week and the compliance deadline coming in six months, we’ve put together a breakdown of what must happen, and when. Continue Reading Six Months to Go: HIPAA Privacy Rule Changes Require Additional Diligence

Tuesday, Jan. 30, 2024

11 a.m. – 12 p.m. ET

You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just

Continue Reading Webinar: 10 Privacy and Security Resolutions in the New Year