Data Privacy, Cybersecurity, and Artificial Intelligence Insights from Relic Law’s Attorneys & Experts

Intelligence Feed: January 2024

Intelligence Feed: December 2023

Intelligence Feed: November 2023

Intelligence Feed: October 2023

Intelligence Feed: August & September 2023

Intelligence Feed: July 2023

Intelligence Feed: May & June 2023

Intelligence Feed: April 2023

Intelligence Feed: March 2023

Intelligence Feed: February 2023

Intelligence Feed: January 2023

US State Privacy Developments

A recent summary from IAPP shows the recent state privacy developments:

State Sen. Liz Brown reintroduced Senate Bill 5 to the Indiana Senate. Brown’s bill passed the Senate and two readings in the House during the 2022 legislative session. The bill is modeled after Virginia’s comprehensive privacy law. This year’s bill was assigned to the Senate Committee on Commerce and Technology.
Maryland House Bill 33 concerning biometric privacy was reintroduced. The bill passed the Maryland House in 2022 before stalling in the Senate.
State Sen. Angela Turner-Ford, reintroduced Senate Bill 2080, the Mississippi Consumer Data Privacy Act. The bill was not acted upon after its 2022 introduction.
Oregon’s comprehensive privacy bill, Senate Bill 619, was introduced and awaits committee referral from the Senate president. The Oregon attorney general’s office drafted the bill and is the product of a working group established during fall of 2022.
Oregon Senate Bill 196, the Oregon Age-Appropriate Design Code, was also introduced. The bill is modeled after the California Age-Appropriate Design Code Act passed in August 2022.
The Virginia House and Senate each introduced companion amendments to the state’s Consumer Data Protection Act. House Bill 1688 and Senate Bill 1026 propose updates to children’s privacy provisions in the comprehensive statute, notably raising the coverage to children age 18 and under.
Mississippi House Bill 467, the Biometric Identifiers Privacy Act, was introduced and referred to the Committee on the Judiciary A.
New York Assembly Bill 1362, the Biometric Privacy Act, was introduced and referred to the Committee on Consumer Affairs and Protection.
State Rep. Andrew Stoddard introduced an amendment to the Utah Consumer Privacy Act. House Bill 158 amends Utah’s law to include a carveout for law enforcement’s access to personal data with a warrant.
The Virginia Senate took up bills to amend the Virginia Consumer Data Protection Act. Senate Bill 1087 proposes provisions to protect genetic data privacy, while SB 1432 concerns protection of personal health records.
State Del. Wayne Clark introduced House Bill 2460, an act concerning children’s privacy, to the West Virginia House. The bill, which would bring privacy protections for children under 18, was referred to the House Committee on the Judiciary.
Two comprehensive privacy bills were introduced to the Hawaii Senate. Senate Bill 974 and SB 1110 passed their first readings on the Senate floor and await committee referrals.
A subcommittee of the Iowa House Committee on Economic Growth and Technology passed Iowa House Study Bill 12, an act to consumer data protection, to the full committee on a 3-0 vote.
The Massachusetts Legislature will consider two comprehensive privacy bills in addition to Senate Bill 745. Senate Bill 1971, the Massachusetts Information Privacy and Security Act, and House Bill 3245, Internet Bill of Rights, both take aspects from the EU General Data Protection Regulation.

Disclaimer

INSIGHTS IS PROVIDED PROVIDED BY RELIC LAW PLLC FOR GENERAL INFORMATION PURPOSES ONLY AND DOES NOT CONSTITUTE LEGAL ADVICE. PLEASE CONSULT YOUR LEGAL COUNSEL. ACCESSING INSIGHTS DOES NOT ESTABLISH AN ATTORNEY-CLIENT RELATIONSHIP. COMMUNICATIONS THROUGH THIS SITE MAY NOT BE PROTECTED BY ATTORNEY-CLIENT PRIVILEGE.

Relic Law PLLC’s Terms and Privacy Policy applies to your use of Insights.

	NIST Publishes Genomic Data Security Report The U.S. National Institute of Standards and Technology National Cybersecurity Center of Excellence released a report focusing on cybersecurity practices and suggestions for securing genomic data. The CSF Profile provides voluntary, actionable guidance to help organizations manage, reduce, and communicate cybersecurity risks for systems, networks, and assets that process any type of genomic data. The guidance aims to help organizations “assess, tailor, and prioritize their risk mitigation strategies and cyber investments for genomic data.”
	Quebec Publishes Draft Anonymization Requirement Under Law 25 The government of Quebec published a draft regulation for “respecting the anonymization of personal information” under Law 25 in the Quebec Gazette. The draft law, published December 2023, would require public bodies and applicable private entities to adequately anonymize all personally identifiable information it collects and spell out the criteria under which such anonymized information can be used for processing purposes. The draft regulation is currently under a 45-day public comment period.
	NIST Identifies AI Cybersecurity Vulnerabilities The U.S. National Institute of Standards and Technology explored how machine learning can be exploited through cyberattacks in a new publication. The report highlighted different ways artificial intelligence systems can be attacked and the current mitigation strategies that exist, although it notes current defenses “lack robust assurances that they fully mitigate the risks.”
	New Jersey Passes Comprehensive Privacy Bill The New Jersey Legislature granted final passage to a comprehensive privacy bill, Senate Bill 332, on the final day of the 2023 legislative session. The bill was amended to its comprehensive framework in December 2023 before receiving same-day approval from the Senate and Assembly January 8th. SB 332 contains attorney general rulemaking authority as well as provisions for universal opt-out mechanisms and unique children’s privacy provisions. The bill awaits final action from Governor Murphy, who has 45 days to approve, and would take effect one year after its enactment date.
	NIST embarks on Privacy Framework 1.1 According to NIST, “The Privacy Framework is a “living” tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1. The initial version was modeled upon the CSF so that the two frameworks could be used together more easily. We want to maintain the connection by making appropriate adjustments based on CSF 2.0 changes. In addition, stakeholders have had a few years to use the Privacy Framework and have identified areas where targeted improvements can be made. This year, they intend to implement a modest update to the Privacy Framework to support realignment with CSF 2.0, facilitate ease and effectiveness of use, and ensure the tool is responsive to current privacy risk management needs.”
	EDPB Creates Website Auditing Tool for GDPR Compliance The European Data Protection Board (EDPB) has introduced a user-friendly website auditing tool aimed at assessing compliance with data protection laws. Designed for use by both legal and technical auditors within data protection authorities (DPAs), as well as controllers and processors conducting self-assessments, the Free and Open Source Software can be downloaded from code.europa.eu. The tool allows for the seamless preparation, execution, and evaluation of audits, supporting compatibility with other tools like the EDPS website evidence collector. With an emphasis on accessibility for non-technical users, the EDPB developed the tool to simplify enforcement efforts by national DPAs and compliance checks by controllers. The software, initially presented at the EDPB Bootcamp in June 2023, received positive feedback, prompting its consolidation and release as open-source. A second version with additional features is planned for later this year, aligning with the EDPB’s broader 2021-2023 Strategy to enhance DPAs’ enforcement capabilities through common tools and a diverse pool of experts within the Support Pool of Experts.
	US AI Executive Order President Biden’s Executive Order on AI, issued three months ago, has seen substantial progress. The White House AI Council, under Deputy Chief Bruce Reed, has confirmed completion of the initial 90-day actions. Key efforts focus on bolstering AI safety, security, and innovation. Notable steps include using Defense Production Act powers to make AI developers report critical information, proposing rules for U.S. cloud companies involved in foreign AI training, and conducting risk assessments across critical infrastructure sectors. Initiatives like the National AI Research Resource pilot, AI Talent Surge for federal hiring, EducateAI for inclusive AI education, and the creation of AI-focused NSF Engines are also underway. The AI Task Force at the Department of Health and Human Services aims to provide regulatory clarity and drive AI innovation in healthcare, exemplified by the development of guiding principles for addressing racial biases in healthcare algorithms. Visit ai.gov for more details.
	CCPA Children’s Privacy Amendment Introduced Amidst the ongoing legal battle over the California Age-Appropriate Design Code Act (AADCA), California Attorney General Rob Bonta and state lawmakers are taking an alternative legislative route to enhance online safety for children. During a press conference on January 29, Bonta introduced two bills for the 2024 legislative session. The proposed Children’s Data Privacy Act aims to amend the California Consumer Privacy Act, strengthening coverage for minors and imposing penalties for violations. The second bill, the Protecting Youth from Social Media Addiction Act, focuses on moderating content and limiting manipulative features on social media platforms. Despite differences from AADCA, these bills are seen as crucial for children’s privacy. State Assemblywoman Buffy Wicks, the lead sponsor, emphasized the need to address extensive data collection by online advertising firms. The bills are expected to face legal challenges, similar to past instances involving technology association NetChoice. Meanwhile, other states are considering similar legislation, reflecting a broader push for enhanced children’s online safety.
	Connecticut Attorney General Publishes Report on Data Privacy Act Attorney General William Tong has released a report detailing the Office of the Attorney General’s actions to educate and enforce compliance with the Connecticut Data Privacy Act (CTDPA) since its implementation on July 1, 2023. The report, mandated by the Act, discloses over a dozen notices of violation (cure notices) issued by the Office, spanning various industries like retail, fitness, event services, career services, parenting technologies, and home improvement. Identified deficiencies include lacking, inadequate, confusing, burdensome, and broken/inactive disclosures and mechanisms related to consumer rights under the CTDPA. The CTDPA, one of the first comprehensive consumer privacy laws, grants Connecticut residents rights to access, correct, and delete personal data, opt-out of data sale and targeted advertising, and requires businesses to limit data collection and maintain transparent privacy notices. The report also suggests ways to strengthen and clarify the law, emphasizing the ongoing need for a balance between privacy and economic necessity in the global economy.
	EU AI Act Representatives from EU member states unanimously advanced the Artificial Intelligence Act, a groundbreaking set of rules shaping AI governance globally. The Council of the EU’s Committee of Permanent Representatives’ approval removes obstacles, with initial reservations from France, Austria, Germany, and Italy. Germany’s Digital Ministry leader, Volker Wissing, withdrew opposition after securing a clarification that the AI Act excludes medical device AI. The provisional agreement, released on February 2nd, received unanimous endorsement, signaling a balanced and innovative approach, according to European Commissioner Thierry Breton. The European Parliament’s internal market and civil liberties committees are set to vote on February 13th, with a full plenary vote expected on April 10th or 11th. Once adopted, the AI Act would enter into force 20 days after publication, with the European Commission leading delegated acts and establishing an AI Office. Challenges from France, Slovakia, and Austria center on the Act’s potential impact on AI development, critical terms, international alignment, data protection, law enforcement exceptions, and remote biometric identification.

	Poland’s DPA Launches GDPR Compliance Accreditation Poland’s data protection authority, announced companies will be able to obtain EU General Data Protection Regulation compliance certifications. The UODO said the certifications will be optional, and aim to “increase transparency and improve compliance with personal data protection standards.”
	FCC States to Coordinate on Cybersecurity The U.S. Federal Communications Commission announced it signed memorandums of understanding with the state attorneys general of Connecticut, Illinois, New York and Pennsylvania to coordinate cybersecurity and privacy-related investigations. The agreements say the entities share common legal interest in investigating and sometimes prosecuting these crimes under sections 201 and 222 of the Communications Act.
	EU Reaches Political Agreement on AI Act The European Union (EU) has reached a political agreement on the Artificial Intelligence Act. The trilogue process involving the European Commission, Council of the European Union, and European Parliament lasted over 32 hours across three days.The act aims to strike a delicate balance between promoting innovation and updating AI across Europe while respecting the fundamental rights of citizens. Key elements of the provisional agreement include regulations for general purpose AI with transparency requirements, additional obligations for more powerful models posing systemic risks, national and EU-level governance, prohibitions on certain AI systems like those manipulating human behavior, and requirements for high-risk systems in critical sectors. The act introduces human rights impact assessments, transparency measures for AI systems like chatbots and deepfakes, and various levels of fines for violations, including up to 7% of global annual turnover for unacceptable risks. Overall, the EU sees this agreement as a significant contribution to the development of global rules for human-centric AI.
	US House FISA Section 702 Bills Pulled from Consideration Two U.S. House proposals to reauthorize and narrow Section 702 of the Foreign Surveillance Intelligence Act were abandoned. House members could not agree on which bill to move forward, pushing the reauthorization discussion to April if Congress passes a short-term Section 702 extension in the National Defense Authorization Act.

	Proposed AI Act Negotiations Enter Final Stages EU Institutions made progress in their latest trilogue negotiations on the proposed Artificial Intelligence Act. In the most recent negotiations October 24, policymakers agreed on provisions for classifying high-risk AI applications and developed general guidance for using enhanced foundation models. However, negotiations did not include substantial dialogue on provisions for prohibitions and law enforcement use.
	EU Reach Agreement on Political Advertising The Council of the European Union and the European Parliament have tentatively reached an agreement on how targeted political advertising can work. The provision would only allow for targeted ads if a consumer gave explicit consent and would ban profiling based on personal data. Both parties must adopt the agreement before it can take effect.
	Thailand’s PDPC Drafts Data Transfer Regulations Thailand’s Personal Data Protection Committee released draft regulations on cross-border data transfers in accordance with Sections 28 and 29 of the Personal Data Protection Act. The draft provides for data being transferred to countries with adequate data protection standards, which the PDPC may decide on a case-by-case basis.
	EU Institutions Work Toward Final AI Act Compromises EU institutions are gearing up proposals to try to finalize the proposed Artificial Intelligence Act during the potential final trilogy negotiation December 6. Members of European Parliament circulated a compromise text that replaces a previously proposed full ban on biometric identification technologies with prohibited practices and narrow allowances. Meanwhile, the Spanish Presidency of the Council of the European Union proposed draft obligations tied to use and development of foundation models.
	EDPS Reach Understanding on Data Protection Rights The U.K. Information Commissioner’s Office and the European Data Protection Supervisor signed a memorandum of understanding regarding their work on individuals’ data protection and privacy rights. The agencies promised to share best practices and information to support their regulatory efforts and cooperate on certain projects of mutual interest. They out how the authorities will continue to share experiences and best practices; cooperate on specific projects of interest; share information or intelligence to support their regulatory work; and, promote dialogue among data protection authorities and other digital regulators.
	The IAPP-EY Privacy Governance Report 2023 Unveiled The IAPP published the IAPP-EY Privacy Governance Report 2023, which builds on previous comprehensive efforts to shine a light on the location, performance and significance of privacy governance within organizations. Research focused on governance and organizational structures, privacy strategy and planning, compensation and budget management, and performance metrics and monitoring. The full report is an IAPP member exclusive while an executive summary is available to the public.
	EU AI Act Negotiations France, Germany and Italy are pushing for a code of conduct in the proposed Artificial Intelligence Act that would allow companies to self-regulate rather than abide by a previously proposed tiered regulation model. Meanwhile, Spanish Secretary of State for Digitalisation and Artificial Intelligence Carme Artigas said AI Act negotiators should be open to changing proposed foundational model regulations while preserving transparency requirements. The Council of the European Union’s Telecommunications and Information Society Working Party will discuss foundational models in a November 21st meeting.
	FCC Adopts Rules to Safeguard Consumers’ Cellphone Accounts The U.S. Federal Communications Commission will require wireless providers to adopt more secure methods of authenticating a customer’s identity before putting their account on a new device. The rules are meant to protect users from scammers looking to gain access to their account’s personal data.
	European Parliament Tackles Governance Angle of Proposed AI Act Members of the European Parliament discussed November 21st, how artificial intelligence should be governed under the EU AI Act. A compromise bill would establish an AI Office to oversee enforcement aspects of the law, but would have EU countries carry out its tasks. An appointed AI Board would make sure the law is applied consistently.
	European Council Presidency Circulates AI Act Compromise Text The Spanish President of the Council of the European Union circulated half of the Artificial Intelligence Act provisions governing law enforcement’s use of AI models within the Committee of Permanent Representatives November 24th. The remaining half, which focuses on issues such as use of foundation models, access to source code, system governance, and the sanction regime, is anticipated to be addressed by the committee December 1st.

	Argentina’s AAIP Updates SCCs Argentina’s Agency for Access to Public Information updated standard contractual clauses for international transfers of personal data. The AAIP said the clauses “enable compliance with the principles of personal data protection, and provide companies or organizations with an economically viable alternative.” The SCCs were drafted by the Ibero-American Data Protection Network.
	Brazil’s ANPD Sanctions Health Department Brazil’s data protection authority, sanctioned the Health Department of the State of Santa Catarina for four alleged violations of the General Personal Data Protection Law. The ANPD determined the department neglected “the security of the systems for storing and processing personal data of millions of citizens” and, following a security incident that impacted 300,000 individuals, failed to communicate affected data “in a clear, adequate and timely manner.”
	China Launches Global AI Governance Initiative The South China Morning Post reports the Cyberspace Administration of China released its Global AI Governance Initiative, a framework for artificial intelligence. The framework calls for equal rights when developing AI, regardless of a country’s size, strength or social system. It states, “We oppose drawing ideological lines or forming exclusive groups to obstruct other countries from developing AI.” The initiative said AI could have a “profound influence,” while it presents unpredictable risks and complicated challenges.
	CFPB Proposes Personal Financial Data Rights The U.S. Consumer Financial Protection Bureau filed a Notice of Proposed Rulemaking for open banking that includes proposed rules concerning financial data. The proposed Personal Financial Data Rights rule includes consumer consent for third-party access to data with the aim of providing “robust protections to prevent unchecked surveillance and misuse of data” and to “move away from risky data collection practices.”

	Biden Administration Suggests Limiting FBI’s FISA Section 702 Access U.S. President Joe Biden’s Intelligence Advisory Board recommended prohibiting the FBI from fully utilizing warrantless surveillance under Section 702 of the Foreign Intelligence Surveillance Act. The panel proposed barring the FBI from searching communications data for investigations unrelated to foreign intelligence while maintaining access for national security matters.
	PETs Research Bill Clears US House Committee The U.S. House Committee on Science, Space and Technology voted 35-0 on a favorable report for House Resolution 4755 on privacy-enhancing technology research. The bill, which is now eligible for full House consideration, aims to support research on privacy enhancing technologies and promote responsible data use.
	US AI Legislation Tracker The Electronic Privacy Information Center published a U.S. legislation tracker for laws governing various aspects of artificial intelligence. Ten states have laws entering into force that regulate AI, but are part of broader comprehensive state-level consumer privacy laws. Multiple states have introduced tailored AI legislation for the fields of employment, health care, insurance and its use by government agencies. Attached is a list of current, passed, or proposed laws.
	Indian Parliament Set to Consider Proposed Data Protection Bill Indian Parliament can now consider the proposed Digital Personal Data Protection Bill. The 2023 version of the draft bill was introduced in the lower house of Parliament, the Lok Sabha, August 3rd and the Lok Sabha is expected to open its consideration of the DPDPB August 7th. The bill, deemed an “absolutely brand new framework” by Chandrasekhar, covers all India-based organizations that process personal data as well as international entities processing data on Indian residents. Key provisions include a broad definition for personal data, data processing permitted by individual consent and “deemed consent,” designations for approved cross-border data transfers, and the creation of the Data Protection Board of India.
	US Government Agencies Tackle Open Source Software Cybersecurity The U.S. White House’s Office of the National Cyber Director, in coordination with the Cybersecurity and Infrastructure Security Agency, the National Science Foundation, the Defense Advanced Research Projects Agency and the Office of Management and Budget, published a request for information on the cybersecurity of open source software. The request calls for opinions from the public and private sectors as the government works to “strengthen the open-source software ecosystem.”
	US launches AI Cyber Challenge The U.S. Defense Advanced Research Projects Agency announced the two-year AI Cyber Challenge competition. Leading software companies will compete for $20 million in prizes, developing code to protect digital networks of nationwide critical infrastructures. “With this new challenge, teams will now have the power of modern (artificial intelligence) to work through these complicated problems in support of our national security,” Deputy National Security Advisor for Cyber and Emerging Technology Ann Neuberger said.
	ICO opens first phase of biometric guidance The U.K. Information Commissioner’s Office issued the first phase of its guidance on biometrics use, which is now open for public consultation through 20 Oct. The second phase of the guidance will be issued early in 2024 and will focus on biometric classification and data protection, plus a call for evidence.
	Millions Affected by Multi-State Health Data Breach A sensitive health data breach through hacks of file transfer service MOVEit affected at least three U.S. states. Colorado’s Department of Health Care Policy and Financing reported hackers accessed its database of 4.1 million individuals while third-party data management firm PH Tech confirmed 1.7 million Oregonians had their information exposed through MOVEit. Missouri’s Department of Social Services reported the same cyberattack affected an unknown number of residents.
	India Digital Personal Data Protection Act India passed the Digital Personal Data Protection Act, its long awaited privacy law, which will establish guardrails for how organizations should handle personal data and offers citizens control over the personal data gathered for them. The act will make it mandatory for entities collecting use data to obtain express user consent before processing the data. Personal data may be processed only for a lawful purpose upon consent of an individual.
	ANPD Releases Monitoring Cycle Report Brazil’s data protection authority, the Autoridade Nacional de Protecao de Dado, published its first Monitoring Cycle Report for the assessment of actions carried out by the regulator. The report showed a majority of the ANPD’s 2022 activities focused on data breaches and data subject requests. To improve upon its 2022 work, the ANPD said it will bring more scrutiny against data protection officers and data protection impact assessments.
	Federal Privacy Bill Can Address AI Discrimination U.S. Senator Maria Cantwell, said the Consumer Online Privacy Rights Act, a bill she introduced in 2019 and again in 2021, could “help protect people from discrimination fueled by artificial intelligence.” Cantwell said AI can produce opportunities but there also should be “‘guardrails’ for potential pitfalls.” She said her bill would allow consumers to opt-in to receiving targeted advertisements and impose requirements for companies that deploy algorithms.
	Health Data Breach Lawsuits on the Rise Bloomberg Law reports costly U.S. health data breach lawsuits are on the rise as companies face increased cyberattacks. An analysis of 557 complaints filed in federal courts over the last five years showed many lawsuits seek millions of dollars in civil damages while the monthly average of health data breach class actions filed has nearly doubled from 2022. Attorneys cite increased consumer privacy awareness, public notification requirements and rising ransomware attacks.
	US Lawmaker Introduces Federal Cybersecurity Vulnerability Reduction Act U.S. Rep. Nancy Mace, chair of the House Oversight Committee’s Cybersecurity, Information Technology, and Government Innovation Committee, proposed The Federal Cybersecurity Vulnerability Reduction Act. The proposed legislation would require federal contractors to enact policies consistent with National Institute of Standards and Technology guidelines. Mace said the proposal would “ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly.”
	NIST Issues Draft Cybersecurity and Privacy Learning Program Guidance The U.S. National Institute of Standards and Technology published its initial draft of the government’s cybersecurity and privacy learning program. The document offers recommendations for initiatives, such as integrating privacy with cybersecurity in organization-wide learning programs and creating a data life cycle model allowing for “ongoing, iterative improvements and changes to accommodate cybersecurity (and) privacy.” The consultation period is open until October 27th.
	Federal Privacy Law can ‘Lay Strong Foundation’ for AI Regulation U.S. policymakers “need to lay a strong foundation” for artificial intelligence regulation that “must center around a national data privacy standard,” Representative Suzan DelBene wrote. DelBene said a “national privacy standard would ensure a baseline set of protections, no matter where someone lives in the U.S.” and “would restrict companies from storing and selling our personal data” that could otherwise be used to train AI algorithms.
	ICO Publishes Guidance on Email Communications The U.K. Information Commissioner’s Office warned organizations against using the blind carbon copy function when sending emails containing sensitive personal information. The ICO also published guidance for organizations on protecting personal information when sending bulk emails. “Organizations that use and share large amounts of data, including sensitive personal information, should consider using other secure means to send communications, such as bulk email services, so information is not shared with people by mistake,” the ICO said.
	Small Business Cyber Resiliency Act U.S. Senator Jim Risch, introduced a bill seeking to improve access to cybersecurity tools and resources for small businesses. The Small Business Cyber Resiliency Act would establish a Central Small Business Cybersecurity Unit at the Small Business Administration, enhance cybersecurity resources and training for small businesses, and improve cybersecurity information sharing between federal agencies.
	Delaware Personal Data Privacy Act The Delaware Personal Data Privacy Act was signed by Governor John Carney and will go into effect January 1st, 2025. An outreach period to inform consumers and businesses will begin no later than July 1st 2024. Director of the Department of Justice’s Fraud and Consumer Protection Division Owen Lefkon said the bill “gives consumers choice” and “puts the control back in the hands of the consumer.”
	US Health Agencies Update Security Risk Assessment Tool The Office of the U.S. National Coordinator for Health Information Technology and the Department of Health and Human Services’ Office for Civil Rights updated their Security Risk Assessment Tool for Health Insurance Portability and Accountability Act compliance. The tool is designed for small and medium-sized providers and aims to “help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule.”
	Potential AI Regulation A pair of U.S. Senate hearings on September 12th laid the foundations for potential forthcoming artificial intelligence regulations across a variety of different applications. Across both hearings, possible AI legislation could include requiring a licensing regime, establishing a new federal regulatory agency, and risk mitigation measures.
	California Legislature Approves Data Broker Bill The California State Legislature passed SB 362, the California Delete Act, which would empower the California Privacy Protection Agency to create a system allowing Californians to apply a single request to delete personal information held by registered data brokers operating in the state. The bill now awaits the signature of Governor Gavin Newsom.

Relic Law Insights