Health Law Advisor

As cybersecurity breaches grow more complex and frequent, regulators are increasingly focused on organizational compliance. Organizations such as Crowdstrike report that in 2025, cyberattacks are increasing in speed, volume, and sophistication—and cybercrime has evolved as a “highly efficient business.” The escalating threat landscape demands robust security frameworks that can withstand evolving risks.

Enter the amendments announced in November 2023 to the New York’s Department of Financial Services (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500 (“Amended Regulation”), that became effective on November 1. This post explores the breadth of these Amended Regulations, and the steps that covered entities need to take now.

Consumer privacy protection continues to be top of mind for regulators given a climate where technology companies face scrutiny for lax data governance and poor data stewardship.  Less than a year ago, California passed the California Consumer Privacy Act (CCPA) of 2018, to strengthen its privacy laws.  In many regards, the CCPA served as a watershed moment in privacy due to its breadth and similarities to the E.U. sweeping General Data Protection Regulation (GDPR) law.

Yet, California continues to push the envelope further.  Recently, California State Senator Jackson and Attorney ...

On February 11th, blockchain advocates, digital health enthusiasts, and patients received positive news from the Center for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) regarding patient data sharing.  These rules, taken together, seek to make data more liquid, which can promote patient access, continuity of care, research, collaboration across the industry and several other activities that previously faced challenges within a health care system built on data silos.

First, CMS ...

On October 26, 2018, the Federal Trade Commission (FTC) announced that it will hold four days of hearings between December of 2018 and February of 2019 to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters.[1] The two days of December hearings will focus on data security, while the two days of February hearings will focus on consumer privacy. This announcement comes as part of the agencies Hearings on Competition and Consumer Protection in the 21^st Century, an initiative that has already scheduled hearings on closely related ...

One of the European Parliament’s 20 committees, the Civil Liberties Committee (“LIBE”), voted on October, 21, 2013 on a proposed EU General Data Protection Regulation. The regulation includes an increased level of fines and new regulatory requirements (in case of certain international data transfers and disclosure requests for personal data by foreign courts or authorities). Companies should monitor these issues closely in the next couple of months. Most likely, after the plenary vote on November 18-21, the Parliament will push for rapid negotiations with the Council ...