Photo of Zachary Heck

Zachary Heck

Subscribe to Zachary Heck's Posts

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

Follow:Read more about Zachary HeckZachary's Linkedin Profile

On August 26, 2025, in NRA Group, LLC v. Durenleau et al., the U.S. Court of Appeals for the Third Circuit addressed two legal questions: (1) whether workplace policy infractions can turn into federal crimes, and (2) whether passwords protecting propriety business information qualify as trade secrets under federal or Pennsylvania law.

The case was reheard and affirmed on October 7, 2025, with the Third Circuit firmly answering both questions in the negative. The decision significantly limits employers’ potential claims against employees who breach company policies without engaging in actual hacking or unauthorized access.Continue Reading Passwords, Policies, and Trade Secrets: Lessons from NRA Group v. Durenleau and what it Means for Employers

Last month, I had the opportunity to speak to entrepreneurs at Launch Dayton’s Startup Week regarding the positive effects that strong privacy and data governance practices have on business.

As regulations increase and complexity rises, many businesses remain hesitant to view privacy and security obligations as anything other than impediments to innovation. In practice, embedding privacy by design and developing strategic approaches to cybersecurity and artificial intelligence laws serve as valuable drivers for growth.

Navigating the Regulatory Landscape
The environment

Continue Reading Privacy by Design, Profit by Strategy: Thoughts from Dayton’s Startup Week

Colorado legislators have approved a five-month delay for the implementation of the Colorado Artificial Intelligence Act (the Act), moving the start date from Feb. 1, 2026, to June 30, 2026.

The decision follows a special legislative session called because of concerns stemming from compliance costs, industry lobbying, and fiscal impacts on businesses and the state. Colorado Budget Director Mark Ferrandino indicated that the law could cost the state alone between $2.5 million and $5 million annually to implement, and Colorado Governor Jared Polis indicated that the amount could be as much as $6 million per year. The Act, originally designed to address risks of algorithmic discrimination in sectors like employment, housing, and lending, will now give both lawmakers and businesses more time to clarify provisions and prepare compliance programs.Continue Reading Colorado Gives Businesses Breathing Room Before AI Act Takes Effect

Special thanks to Taft Summer Associate Richard Roediger for his significant contributions to this post.

On May 20, 2025 Ohio Rep. Adam Mathews (District 56) and Ohio Rep. Haraz N. Ghanbari (District 75) introduced Ohio House Bill 283 (the Act), legislation that requires political subdivisions within the state to enact cybersecurity programs. In Ohio, a “political subdivision” is a county, township, municipal corporation, or other body corporate and politic responsible for governmental activities in a geographic area smaller than the whole state.

The Act’s language was incorporated in its entirety into Ohio’s state budget bill passed on June 30, 2025.Continue Reading Ohio Budget Bill Requires Counties, Townships, and Cities to Enact Cybersecurity Program by September 29

A recent decision from the Northern District of Texas has upended the Department of Health and Human Services’ 2024 amendments to the HIPAA Privacy Rule (the 2024 Rule), which were intended to bolster privacy protections for reproductive health care information.

The court’s ruling in Purl v. HHS vacates almost all of these amendments, finding that HHS overstepped its statutory authority and improperly interfered with state law.Continue Reading HIPAA’s Reproductive Health Shake-Up:  What the Purl Ruling Means for Health Plans and Covered Entities

Early on July 1, the U.S. Senate voted to halt an effort to impose a 10-year moratorium on state regulation of artificial intelligence. The vote, 99-1, removed the AI provision from President Trump’s “Big, Beautiful Bill” that had evolved from a full moratorium on state AI regulation for the next decade, to its most recent iteration that required states to adopt the ban in order to receive federal broadband funding over the next five years.

Yesterday, Sen. Marsha Blackburn of Tennessee and Sen. Ted Cruz of Texas attempted to revise the AI ban to address current regulations. According to media reporting, efforts toward banning state AI regulation broke down amidst concerns that the language was overly broad and could adversely impact existing laws concerning privacy, consumer protection, and child safety.Continue Reading US States Can (And Will) Continue To Regulate Artificial Intelligence … for Now

Last week, I had the privilege to attend one of the Midwest’s largest artificial intelligence conferences dedicated to AI developers, users, and enthusiasts: Cincy AI Week. During the three-day event, which brought together over 950 local professionals, I spoke on a panel entitled “Managing Risk in the Age of AI and Automation.”

Here are six important observations I shared during that panel:Continue Reading Cybersecurity in the Era of Generative and Agentic AI: Six Observations

On April 11, 2025, North Dakota Governor Kelly Armstrong signed HB 1127 (the Act) into law.

The Act, which takes effect on August 1, 2025, establishes new data security requirements for certain financial institutions and nonbanking financial service providers. In addition, the Act amends multiple sections related to financial institution licensing and oversight.Continue Reading North Dakota Governor Signs Cybersecurity Governance Law for Financial Institutions

This month, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking in the Federal Register, which is intended to strengthen cybersecurity requirements for HIPAA-covered entities and business associates (the Proposed Rule). The comment period will close on March 7, 2025, with enactment of the proposed rule expected to take place later this year.

If adopted, this would be the first significant update to the HIPAA Security Rule in over a decade, a time when both technology and cybersecurity have advanced rapidly, and cyberattacks in health care have become more frequent and damaging. According to the preamble, the proposed rule seeks to address common compliance gaps identified by HHS’s Office for Civil Rights (OCR) and to build on guidelines from other agencies like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).Continue Reading HIPAA Security Rule to Experience Major Updates in 2025

A new year means new effective dates for state privacy legislation.  On January 1, 2025, four states witnessed consumer privacy protection laws take effect:  Delaware, Iowa, Nebraska, and New Hampshire. 

These four states join another 16 that have comprehensive data privacy laws in place. Although there are similarities in the approaches of these 20 states, each law carries unique provisions that companies must navigate in building a data governance program. This blog is intended to give a high-level overview of 2025’s newest consumer privacy laws.Continue Reading New Year Rings in New State Privacy Laws