Privacy & Information Security Law Blog

Ace American Insurance Company (“Ace”) recently filed a subrogation lawsuit against two technology and cybersecurity providers, following a cybersecurity incident suffered by an insured policyholder that had engaged the providers. This case highlights the growing risk of subrogation lawsuits following a cybersecurity incident.

On September 30, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a settlement with five affiliated health care providers collectively known as Cadia Healthcare Facilities for potential violations of the HIPAA Privacy and Breach Notification Rules.

The Federal Trade Commission announced that Citizens Disability and its subsidiary CD Media agreed to pay $1 million to resolve allegations that the companies violated Section 5 of the FTC Act and the Telemarketing Sales Rule in connection with tens of millions of telemarketing calls.

On October 8, 2025, California Governor Newsom signed into law the Opt Me Out Act, which amends the CCPA to require web browsers to provide California consumers with the ability to send a single opt-out preference signal to all businesses with which the consumer interacts through the browser.

On September 26, 2025, California Governor Newsom signed into law Assembly Bill 45, which amends existing California law to strengthen privacy protections for health and location data of individuals seeking health care services, including reproductive health care.

The U.S. Department of Health and Human Services’ Office for Civil Rights and the Assistant Secretary for Technology Policy have released a new version of their Security Risk Assessment Tool, along with an updated SRA Tool User Guide.

On September 29, 2025, California Governor Newsom signed into law the Transparency in Frontier Artificial Intelligence Act. The Act sets new transparency and safety requirements, and whistleblower protections, for companies developing “frontier” artificial intelligence models.

On September 26, 2025, following a public comment period, the California Privacy Protection Agency adopted its regulations concerning the Delete Request and Opt-Out Platform.

Tractor Supply Company, the largest rural lifestyle retailer in the country, recently agreed to pay $1.35 million fine to the California Privacy Protection Agency for CCPA violations.

On September 26, 2025, the European Commission initiated a public consultation on draft guidance and a draft reporting template for serious AI incidents under the EU AI Act.