Photo of Zachary Heck

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

As we begin 2026, Kentucky has officially enacted the Kentucky Consumer Data Protection Act (KCDPA), a comprehensive privacy statute that took effect on January 1, 2026. As with Indiana, the KCDPA is modeled on the now‑familiar Virginia‑style framework. The KCDPA establishes consumer data rights, imposes governance obligations on businesses, and grants exclusive enforcement authority to the Kentucky Attorney General.

Continue Reading Kentucky Consumer Data Protection Act: Key Takeaways for the New Bluegrass Statute

Indiana has joined the growing list of states with a comprehensive consumer privacy statute, codified at Indiana Code 24‑15 and effective January 1, 2026.

The law follows the “Virginia model,” but introduces several nuances that will matter for organizations doing business in, or targeting residents of, Indiana.

Continue Reading HOO- HOO- HOO- HOOSIERS Brace for Indiana Consumer Data Protection Act

President Trump’s Dec. 11 Executive Order, “Ensuring a National Policy Framework for Artificial Intelligence” (the “order”), targets what the administration views as burdensome and fragmented state AI regulation in favor of a single national framework.

Although the order does not overturn any existing or proposed state AI law, it directs federal agencies to challenge certain state AI laws, condition federal funding on compliance with the order, and propose federal preemption legislation.

Continue Reading President Trump Signs Executive Order to Limit State AI Regulation

As 2025 comes to a close, we asked several members of Taft’s Privacy and Data Security practice group to share their thoughts on what should be on a client’s “wish list” for the holiday season, or on a list of resolutions for 2026.

Here are their thoughts for businesses looking not only to meet the requirements of new laws and mitigate existing risks, but also to seize the opportunity to maximize the impact of technology to unleash the power in their data.

Continue Reading Closing Out 2025: Key Privacy & Data Security Updates from Taft

On August 26, 2025, in NRA Group, LLC v. Durenleau et al., the U.S. Court of Appeals for the Third Circuit addressed two legal questions: (1) whether workplace policy infractions can turn into federal crimes, and (2) whether passwords protecting proprietary business information qualify as trade secrets under federal or Pennsylvania law.

The case was reheard and affirmed on October 7, 2025, with the Third Circuit firmly answering both questions in the negative. The decision significantly limits employers’ potential claims against employees who breach company policies without engaging in actual hacking or unauthorized access.

Continue Reading Passwords, Policies, and Trade Secrets: Lessons from NRA Group v. Durenleau and what it Means for Employers

Last month, I had the opportunity to speak to entrepreneurs at Launch Dayton’s Startup Week regarding the positive effects that strong privacy and data governance practices have on business.

As regulations increase and complexity rises, many businesses remain hesitant to view privacy and security obligations as anything other than impediments to innovation. In practice, embedding privacy by design and developing strategic approaches to cybersecurity and artificial intelligence laws serve as valuable drivers for growth.

Navigating the Regulatory Landscape
The environment

Continue Reading Privacy by Design, Profit by Strategy: Thoughts from Dayton’s Startup Week

Colorado legislators have approved a five-month delay for the implementation of the Colorado Artificial Intelligence Act (the Act), moving the start date from Feb. 1, 2026, to June 30, 2026.

The decision follows a special legislative session called because of concerns stemming from compliance costs, industry lobbying, and fiscal impacts on businesses and the state. Colorado Budget Director Mark Ferrandino indicated that the law could cost the state alone between $2.5 million and $5 million annually to implement, and Colorado Governor Jared Polis indicated that the amount could be as much as $6 million per year. The Act, originally designed to address risks of algorithmic discrimination in sectors like employment, housing, and lending, will now give both lawmakers and businesses more time to clarify provisions and prepare compliance programs.

Continue Reading Colorado Gives Businesses Breathing Room Before AI Act Takes Effect

Special thanks to Taft Summer Associate Richard Roediger for his significant contributions to this post.

On May 20, 2025, Ohio Rep. Adam Mathews (District 56) and Ohio Rep. Haraz N. Ghanbari (District 75) introduced Ohio House Bill 283 (the Act), legislation that requires political subdivisions within the state to enact cybersecurity programs. In Ohio, a “political subdivision” is a county, township, municipal corporation, or other body corporate and politic responsible for governmental activities in a geographic area smaller than the whole state.

The Act’s language was incorporated in its entirety into Ohio’s state budget bill passed on June 30, 2025.

Continue Reading Ohio Budget Bill Requires Counties, Townships, and Cities to Enact Cybersecurity Program by September 29

A recent decision from the Northern District of Texas has upended the Department of Health and Human Services’ 2024 amendments to the HIPAA Privacy Rule (the 2024 Rule), which were intended to bolster privacy protections for reproductive health care information.

The court’s ruling in Purl v. HHS vacates almost all of these amendments, finding that HHS overstepped its statutory authority and improperly interfered with state law.

Continue Reading HIPAA’s Reproductive Health Shake-Up: What the Purl Ruling Means for Health Plans and Covered Entities

Early on July 1, the U.S. Senate voted to halt an effort to impose a 10-year moratorium on state regulation of artificial intelligence. The vote, 99-1, removed the AI provision from President Trump’s “Big, Beautiful Bill” that had evolved from a full moratorium on state AI regulation for the next decade, to its most recent iteration that required states to adopt the ban in order to receive federal broadband funding over the next five years.

Yesterday, Sen. Marsha Blackburn of Tennessee and Sen. Ted Cruz of Texas attempted to revise the AI ban to address current regulations. According to media reporting, efforts toward banning state AI regulation broke down amidst concerns that the language was overly broad and could adversely impact existing laws concerning privacy, consumer protection, and child safety.

Continue Reading US States Can (And Will) Continue To Regulate Artificial Intelligence … for Now