A recent decision from the Northern District of Texas has upended the Department of Health and Human Services’ 2024 amendments to the HIPAA Privacy Rule (the 2024 Rule), which were intended to bolster privacy protections for reproductive health care information.

The court’s ruling in Purl v. HHS vacates almost all of these amendments, finding that HHS overstepped its statutory authority and improperly interfered with state law.

Continue Reading HIPAA’s Reproductive Health Shake-Up:  What the <em>Purl</em> Ruling Means for Health Plans and Covered Entities

Early on July 1, the U.S. Senate voted to halt an effort to impose a 10-year moratorium on state regulation of artificial intelligence. The vote, 99-1, removed the AI provision from President Trump’s “Big, Beautiful Bill” that had evolved from a full moratorium on state AI regulation for the next decade, to its most recent iteration that required states to adopt the ban in order to receive federal broadband funding over the next five years.

Yesterday, Sen. Marsha Blackburn of Tennessee and Sen. Ted Cruz of Texas attempted to revise the AI ban to address current regulations. According to media reporting, efforts toward banning state AI regulation broke down amidst concerns that the language was overly broad and could adversely impact existing laws concerning privacy, consumer protection, and child safety.

Continue Reading US States Can (And Will) Continue To Regulate Artificial Intelligence … for Now

Last week, I had the privilege to attend one of the Midwest’s largest artificial intelligence conferences dedicated to AI developers, users, and enthusiasts: Cincy AI Week. During the three-day event, which brought together over 950 local professionals, I spoke on a panel entitled “Managing Risk in the Age of AI and Automation.”

Here are six important observations I shared during that panel:

Continue Reading Cybersecurity in the Era of Generative and Agentic AI: Six Observations

Last year, we wrote about updates from the Department of Justice (DOJ) and the DOJ’s proposed enforcement efforts and regulations implementing Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Data by Countries of Concern” (Rule).

A year later, the DOJ has finalized the Rule and developed guidance on what companies handling (i) bulk U.S. sensitive personal data or (ii) U.S. Government-related data must know, especially when interacting with persons and entities in ”Countries of Concern,” which currently include:

  • China (includes Hong Kong and Macau)
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Venezuela

In April of this year, the DOJ’s National Security Division (NSD) issued its Data Security Program and corresponding Compliance Guide (DSP) and Frequently Asked Questions (FAQs) providing information that all U.S. entities must understand and follow to comply with the Rule. The NSD’s stated primary mission with respect to the implementation and enforcement of the DSP is to protect U.S. national security from Countries of Concern that may seek to collect and weaponize both government data and Americans’ most sensitive personal data.

As we have written previously, the DSP will require U.S. organizations to look deeply into their data collection and data sharing practices to determine whether they are (i) providing covered data to a Country of Concern and (ii) subject to the DSP’s requirements.

All U.S. organizations handling government-related data and bulk U.S. sensitive personal data must make good-faith efforts to comply with the DSP by July 8, 2025.

Continue Reading One Month to Go: What You Need to Know about the U.S. Department of Justice’s Data Security Program

As we reported early last year, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking to the Children’s Online Privacy Protection Act rule (COPPA). On April 22, 2025, over a year after the notice of proposed rulemaking was issued, the FTC has finalized its amendments to the COPPA rule and are set to go into effect on June 23, 2025.

To note, while the amendments will be effective on June 23, 2025, regulated entities under COPPA have until April 22, 2026 to comply.

Continue Reading Children’s Online Privacy Protection Act Amendments Effective June 23, 2025

On April 11, 2025, North Dakota Governor Kelly Armstrong signed HB 1127 (the Act) into law.

The Act, which takes effect on August 1, 2025, establishes new data security requirements for certain financial institutions and nonbanking financial service providers. In addition, the Act amends multiple sections related to financial institution licensing and oversight.

Continue Reading North Dakota Governor Signs Cybersecurity Governance Law for Financial Institutions

Several states and the Federal Trade Commission (FTC) have implemented autorenewal laws aimed at (i) better protecting consumers and providing transparency in automatic renewals (e.g., subscriptions) and (ii) mandating easy cancellation processes to terminate such products.

Although state laws vary, the amended California Automatic Renewal Law (CARL) and the FTC’s Click-to-Cancel Rule (FTC Rule) provide a comprehensive overview of what businesses can expect when complying with autorenewal laws. While these autorenewal requirements have consumers saying “click, click hooray” understanding and implementing these obligations can create a compliance conundrum for businesses. Here is a summary of what businesses should know.

Continue Reading Click, Click Hooray: What Businesses Need to Know about Autorenewal Laws and Subscription Cancellation Requirements

The California Privacy Protection Agency (“CPPA”) recently issued a decision requiring American Honda Motor Co. to pay a $632,500 fine and change certain business practices related to alleged violations under the California Consumer Privacy Act (“CCPA”). While not specifically related to connected vehicles, this decision comes after the CPPA’s announcement in 2023 that it would be focusing on connected vehicle manufacturers’ compliance with the CCPA.

Continue Reading California Privacy Enforcement Update: Verifying Consumer Requests and Banners Must Be Symmetrical

Biometrics continue to be a hot issue and one primed for litigation and related liabilities.  We in the Privacy and Data Security Practice are happy to share this upcoming Taft webinar, which will include a discussion on BIPA class action risks.   Join our colleagues from Taft’s Litigation Practice on April 15th.

Time: 12 p.m. – 1:15 p.m. EST
Register HERE.

Continue Reading Taft Takeaways: Class Action Insights and Updates

The Google Threat Intelligence Group revealed a chilling reality: nation-states are weaponizing AI tools like Gemini for sophisticated cyberattacks. This new frontier of AI-powered fraud demands immediate attention from business leaders and general counsel, who stand at the confluence of technology, data security, and governance.

Recent Incidents and the Evolving Sophistication of These Attacks

Generative AI, like the tools used by these cybercriminals, can create highly convincing text, images, voice recordings, and even video interactions that are nearly impossible to distinguish from genuine content. In the report Adversarial Misuse of Generative AI, the Google Threat Intelligence Group explains how more than 20 countries have used Google’s generative AI tool named Gemini for nefarious purposes, including cyber espionage, destructive computer network attacks, and attempts to influence online audiences in a deceptive, coordinated manner.

Continue Reading AI-Powered Fraud: Immediate Action Steps to Protect Companies from Next-Generation Payment Scams