Privacy & Information Security Law Blog

On January 8, 2025, the General Court of the Court of Justice of the European Union issued its judgment in the case of Bindl v Commission (Case T-354/22), ruling that the European Commission must pay damages to a German citizen whose personal data was transferred to the U.S. without adequate safeguards.

During the week of January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into resolution agreements and corrective action plans with Elgon Information Systems, Virtual Private Network Solutions, LLC and USR Holdings, LLC for violations of the Health Insurance Portability and Accountability Act of 1996 Security Rule.

The New York Department of Financial Services (“NYDFS”) recently cautioned regulated entities to be aware of individuals applying for remote technology-related positions due to an increase in reported threats from North Korea. Threat actors have repeatedly attempted to access company systems and illegally generate revenue for North Korea under the guise of seeking remote Information Technology jobs at U.S. companies.

On January 6, 2025, the New Jersey Division of Consumer Affairs Cyber Fraud Unit published a set of frequently asked questions and answers on the New Jersey Data Privacy Law.

On December 27, 2024, the U.S. Department of Justice issued a comprehensive final rule implementing Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. The Final Rule will go into effect on April 8, 2025, with the exception of certain due diligence, audit and reporting obligations, which will become effective on October 5, 2025.

On December 27, 2024, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced a Notice of Proposed Rulemaking (“NPRM”) to update the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.  The NPRM is intended to strengthen cybersecurity protections for electronic protected health information (“ePHI”) in light of increasing cybersecurity threats to the health care sector.

On December 17, 2024, the European Data Protection Board adopted an opinion on the processing of personal data in the context of AI models. This blog entry provides a summary of the opinion. 

Earlier this month, the Federal Trade Commission’s Office of Technology and Division of Privacy and Identity Protection posted a set of recommendations related to the security risks posed by developing products like AI, targeted advertising and surveillance pricing.

In January 2025, comprehensive data privacy laws go into effect in Delaware, Iowa, Nebraska, New Hampshire and New Jersey.

Texas Attorney General Ken Paxton recently launched investigations into Character.AI and 14 other technology companies on allegations of failure to comply with the safety and privacy requirements of the Securing Children Online through Parental Empowerment Act and the Texas Data Privacy and Security Act.