The Path & The Practice Podcast Episode 120: Akshay Verma, COO (Spotdraft) [Podcast]
This episode of The Path & The Practice features a conversation with special guest Akshay Verma. Akshay is COO at Spotdraft. In this discussion he details a path that began in New Delhi, India. He reflects on a childhood passion for sports and pop culture and details his journey, including his decision to attend UC Berkeley for undergrad, working as a paralegal in big law before attending Santa Clara University School of Law, and then beginning his career as an environmental lawyer. Akshay reflects on pivoting from legal practice to the business side of law, including the years he spent as the head of legal operations at Meta. Akshay reflects on the role of legal operations professionals and gives wonderful advice on the importance of embracing feedback.
Akshay’s Profile:
Title: Chief Operating Officer
Company: Spotdraft
Hometown: San Francisco, CA
College: UC Berkeley
Law School: Santa Clara University School of Law
Cybersecurity Executive Order—Key Implications for the Manufacturing Industry
On January 16, 2025, President Joe Biden issued the “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” a comprehensive directive designed to address the growing complexity and sophistication of cyber threats targeting the United States. The Executive Order aims to establish a cohesive national strategy for improving cybersecurity across federal agencies, private businesses, and critical infrastructure sectors. The Executive Order governs a wide array of critical issues, including new cybersecurity standards for federal contractors, enhanced public-private information sharing, the promotion of advanced technologies like quantum-resistant cryptography and artificial intelligence (AI), and the imposition of sanctions on foreign cyber actors. The Executive Order’s initiatives demonstrate a commitment to strengthening the nation’s cybersecurity defenses in a rapidly evolving digital landscape and incorporate approaches generally understood as best practices to enhance cybersecurity.
To further advance the initiatives outlined in the order, the Cybersecurity and Infrastructure Security Agency (CISA), a key federal entity responsible for coordinating national efforts to safeguard critical infrastructure, expanded on the directive with detailed implementation frameworks and additional guidance. CISA’s involvement underscores its crucial role in operationalizing the Executive Order and transforming its policy directives into actionable strategies. Through collaboration with industry leaders, technology innovators, and government stakeholders, CISA has addressed specific challenges, including adopting quantum-resistant cryptography, deploying artificial intelligence in cybersecurity defenses, and improving public-private information-sharing mechanisms. These efforts emphasize fostering innovation, enhancing resilience, and protecting the nation’s digital ecosystem from emerging threats. By building on the Executive Order, CISA seeks to bridge the gap between policy objectives and on-the-ground cybersecurity practices, ensuring that the nation’s cybersecurity posture evolves in tandem with the rapidly changing threat landscape.
The transition of the presidency to President Donald Trump on January 20, 2025, has led to questions about the future of the Biden Executive Order. Historically, President Trump has favored deregulation and, during his first term, repealed several executive orders issued by previous administrations. The possibility of modification or repeal of the Executive Order is particularly significant for the manufacturing sector, which is both a critical component of the U.S. economy and a frequent target of cyberattacks.
The purpose of this guide is three-fold. First, it examines the key elements of the existing Executive Order. Next, it explores the potential modifications that the Trump administration may implement. Finally, it provides guidance tailored to manufacturing companies for navigating this evolving regulatory and threat environment, building on previous related resources published by Foley & Lardner and the Cybersecurity Manufacturing Innovation Institute (CyManII), which are referenced at the end of this alert.
Key Provisions of the Executive Order and their Impact on Manufacturing
Minimum Cybersecurity Standards for Federal Contractors
A central provision of the Executive Order mandates baseline cybersecurity measures for federal contractors. These include securing access to critical systems and data using multi-factor authentication (MFA), incorporating endpoint detection and response (EDR) tools to monitor, detect, and respond to cybersecurity threats, and using encryption to protect sensitive data both in transit and at rest.
Manufacturers supplying goods or services to the federal government must adhere to these cybersecurity standards to maintain their eligibility for governmental contracts. For many companies, this may require substantial investments in upgrading systems, adopting new technologies, and training personnel. Non-compliance could lead to the loss of profitable federal contracts and potential reputational damage.
Enhanced Public-Private Information Sharing
The Executive Order directs federal agencies to enhance mechanisms for sharing threat intelligence with private-sector entities. This collaboration aims to provide timely and actionable insights to help businesses defend against emerging cyber threats.
This initiative benefits the manufacturing sector as it is a primary target for ransomware attacks and intellectual property theft. Access to real-time threat intelligence allows manufacturers to identify vulnerabilities, respond swiftly to incidents, and mitigate risks more effectively. A ransomware incident plan focused on manufacturing can be found here: Ransomware Playbook.
Transition to Quantum-Resistant Cryptography
The Executive Order highlights the urgent need to adopt quantum-resistant cryptographic algorithms to tackle the long-term threat arising from advancements in quantum computing. As manufacturing increasingly incorporates digital technologies and interconnected systems, safeguarding proprietary designs, supply chain data, and other sensitive information is essential to business. Early adoption of quantum-resistant encryption may provide a competitive advantage and safeguard critical assets against existing and future threats. Guidelines for approaching quantum-resistant cryptography are available from NIST and the first post-quantum encryption standards are found here.
Leveraging AI for Cybersecurity
The Executive Order promotes the use of AI-driven cybersecurity tools to identify and counter advanced cyber threats in real time. AI is potentially transformative for the manufacturing sector because it can automate threat detection and response strategies. AI is also a proven tool for minimizing operational disruptions, protecting intellectual property, and ensuring the integrity of production lines. The pilot programs outlined in the Executive Order could serve as a model for broader adoption across the industry. AI may significantly accelerate the detection and mitigation of cyber-attacks, an area under development by CyManII.
Sanctions on Foreign Cyber Actors
The Executive Order grants the federal government the authority to impose sanctions on individuals and entities responsible for cyberattacks targeting U.S. organizations. Sanctions serve as a deterrent against state-sponsored cyberattacks and industrial espionage. For manufacturers, this provision provides an extra layer of protection and highlights the government’s commitment to safeguarding critical industries.
Potential Changes Under the Trump Administration
Deregulation of Cybersecurity Standards
President Trump’s emphasis on minimizing regulatory burdens may result in a rollback of the cybersecurity requirements in the Executive Order. This could shift the responsibility for implementing robust cybersecurity measures from the federal government to individual companies.
Focus on Supply Chain Resiliency
Based on the criticality of U.S. manufacturing and its role in global competitiveness and economic stability, we anticipate President Trump will issue guidance on securing supply chain resiliency to enhance the productivity of U.S. manufacturers. We will monitor these anticipated changes and publish future alerts as applicable.
Reprioritization of Cybersecurity Initiatives
While the current Executive Order emphasizes quantum-resistant cryptography and AI, the Trump administration might focus first on immediate cybersecurity challenges and delay longer-term solutions that require significant investment.
Reduced Emphasis on Public-Private Collaboration
Changes to information-sharing initiatives could decrease government support for private-sector cybersecurity efforts, which may compel manufacturers to seek alternative sources of threat intelligence.
Selective Sanctions Enforcement
A more selective approach to sanctions could change the deterrent effect on foreign cyber actors, potentially raising the risk of targeted attacks on U.S. manufacturing companies.
Guidance for Manufacturing Companies
Given the uncertainty surrounding the future of the Executive Order, manufacturers must adopt a proactive approach to cybersecurity. Below are actionable steps to enhance resilience:
Strengthen Core Cybersecurity Measures
Adopt Industry Best Practices: Ensure the deployment of MFA, EDR, and encryption on all critical systems.
Secure Operational Technology (OT): Safeguard industrial control systems (ICS) and other OT components essential to manufacturing operations.
Conduct Regular Assessments: Regular audits can help identify vulnerabilities and prioritize remediation efforts.
Invest in Employee Training: Over 80% of ransomware and other cyber-attacks can be traced to the “human in the loop.” Thus, cybersecurity training is a solid investment to protect your company and its operations.
Monitor Regulatory Developments
Stay Informed: Track updates to the Executive Order and other relevant cybersecurity policies.
Engage Legal Counsel: Consult legal and compliance experts to assess the potential impact of policy changes on your business operations.
Invest in Advanced Cybersecurity Technologies
Explore AI Solutions: Leverage AI tools for predicting threats, identifying anomalies, and automating incident responses.
Transition to Quantum-Resistant Cryptography: Start planning cryptographic upgrades to protect sensitive data from emerging threats.
Collaborate with Industry Peers: Participate in forums and consortia to exchange best practices and establish standardized cybersecurity protocols.
Secure the Supply Chain
Evaluate Vendor Risks: Perform comprehensive cybersecurity assessments of suppliers and third-party partners.
Develop Redundancy Plans: Identify critical supply chain dependencies and develop contingency plans to mitigate potential disruptions.
Encrypt Communications: Safeguard data transfers throughout the supply chain to minimize the risk of interception.
Build Robust Incident Response Plans
Establish Comprehensive Protocols: Develop incident response plans tailored to manufacturing-specific threats, such as ransomware attacks on production systems. An example of industry guidance and a template are available in CyManII’s Ransomware Preparation Guide: Prevention, Mitigation, and Recovery for Manufacturers.
Train Employees: Provide ongoing cybersecurity training to improve awareness and minimize human error.
Test and Refine Plans: Perform regular simulations to assess the effectiveness of response strategies and implement necessary adjustments.
Final Thoughts
The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” highlights the urgent need for robust cybersecurity measures, particularly within the manufacturing sector, which is vital to national security, economic stability, and global competitiveness. This sector faces an increasing number of sophisticated threats, including ransomware attacks, vulnerabilities in the supply chain, and intellectual property theft. While the future of the Executive Order under the Trump administration is uncertain, manufacturers cannot afford to delay action. Cyber-attacks on manufacturers will continue to rise in volume and sophistication over the coming years. Proactive measures such as implementing advanced security technologies, strengthening supply chain defenses, and keeping abreast of regulatory changes are essential for mitigating risks and ensuring operational continuity.
Furthermore, adhering to strict cybersecurity standards allows manufacturers to secure federal contracts, establish trust with stakeholders, and gain a competitive edge in the market. As potential changes to the Executive Order could lead to a fragmented regulatory landscape—spanning federal, state, and international levels—manufacturers must prepare for diverse compliance requirements. By prioritizing cybersecurity, the manufacturing sector not only safeguards its critical assets and processes but also reinforces its vital role in driving economic growth and technological innovation.
About CyManII
Launched in 2020 by the U.S. Department of Energy, CyManII works across the manufacturing industry, research and academic institutions, and federal government agencies to develop technologies that enable the security and growth of the U.S. manufacturing sector.
Additional information on cybersecurity risks faced by manufacturers can be found in prior articles authored by Foley & Lardner and CyManII, including:
Recommendations for Managing Cybersecurity Threats in the Manufacturing Sector
So, You Think of Cybersecurity Only as a Cost Center? Think Again.
CyManII also contributed to this article.
The Regulation on Markets in Crypto-Assets Becomes Fully Applicable in All Member States of the European Union
Application of Markets in Crypto-Assets Phase I and Phase II
Starting on 30 June 2024, with the application of the first of two introduction phases of the Regulation on Markets in Crypto-assets (MiCA)[1] across all member states of the European Union (EU), the EU has introduced for the first time a harmonized regulatory framework as well as accompanying passporting rights for service providers of the crypto-asset market, affecting both traditional institutions of the financial sector and new players emerging in the crypto-ecosystem.[2]
As of 30 December 2024, the second phase of MiCA, and therefore MiCA in its entirety, is directly applicable throughout the EU.
With the first phase of MiCA’s introduction, the provisions of Titles III and IV of MiCA became applicable, governing the authorisation and supervision of both: (i) crypto-assets that aim to maintain a stable value by referencing several currencies that are legal tender, one or several commodities, one or several crypto-assets, or a basket of such assets (asset-referenced tokens or ART); and (ii) crypto-assets that are intended primarily as a means of payment and that aim to stabilize their value by referencing only one fiat currency (e-money tokens or EMT).
The second introduction phase has activated the remaining elements of MiCA regulating crypto-assets other than ART and EMT and regarding providers offering crypto-asset services, referred to as crypto-asset service providers (CASPs).
Several items of second-level legislation (delegated acts) have been either prepared by the European Securities and Markets Authority (ESMA), the EU’s financial markets regulator and supervisor, as final drafts or have already been issued by the European Commission in December 2024, regarding points such as own funds and qualified holding requirements, stress testing programmes and remuneration policy of issuers of ART and EMT.
Supersession by MiCA of the Local Virtual Asset Service Provider Regime and Transition Period
Prior to the general application of MiCA in all EU member states, providers of services with respect to virtual assets were subject to the supervisory regime under their applicable national law. In Luxembourg, the national legislator introduced the virtual asset service provider (VASP)[3] regime, supervised by Luxembourg’s financial sector supervisory authority (CSSF). An entity contemplating providing virtual asset services in Luxembourg is required to register upfront with the CSSF.
With the entry into force of MiCA, the VASP regime is no longer available for first-time registration. As of 30 December 2024, service providers seeking to carry out crypto-asset activities will be required to seek authorisation from their national competent authority (NCA) as a CASP (governed by MiCA). For certain entities already subject to prudential supervision, such as credit institutions and investment firms, it is sufficient to notify their NCA of their intention to provide crypto-asset services. Unlike the VASP regime, which is a purely national (Luxembourg) regime, the CASP regime grants the benefit of EU-wide passporting of activities under MiCA. Service providers already registered in Luxembourg as VASPs benefit from a transitional regime, permitting them to be treated as CASPs in most respects until 1 July 2026, at which time they will be required to have become authorised CASPs.
ESMA Issues Statement on MiCA Transitional Measures
The 18-month transitional period provided for Luxembourg VASPs is the maximum window permitted by MiCA. MiCA permits EU member states to adopt a transitional period shorter than 18 months for local service providers. To date, 15 EU member states have taken that step and adopted five-, six-, nine- or 12-month transitional periods.[4]
Transitional periods that deviate between EU member states might create uncertainty for VASPs registered as such and providing covered services in multiple EU member states. A statement released by ESMA on 17 December 2024 clarifies that each EU member state’s transitional period will only apply to the provision of covered services in that EU member state.[5]
For example, an entity that is registered as a VASP and seeking a MiCA authorisation as a CASP in a first EU member state with a 12-month transition period, while also serving clients in a second EU member state with a six-month transition period, should take action to ensure compliance at all times with the applicable law of the EU member state with the shorter transition period. In particular, if the authorisation as CASP is granted in the first EU member state only after the transition period in the second EU member state has ended, the entity will not be able to provide crypto-asset services to clients in that second EU member state until it has obtained its authorisation as CASP and can rely on the passporting granted under MiCA.
In its statement, ESMA reminds NCAs across the EU to maintain a thorough picture of the cross-border activities of those service providers applying for a CASP status and to engage in early and continuous dialogue with their counterparts in relevant jurisdictions to mitigate the risk of disruptions in services that could cause harm to such service providers’ clients.
European Supervisory Authorities Joint Guidelines on Standardised Classification of Crypto-Assets
In advance of the entry into force of the second part of MiCA, and as contemplated by MiCA, the three European supervisory authorities (ESAs), namely (i) the European Banking Authority, (ii) the European Insurance and Occupational Pensions Authority, and (iii) ESMA, released on 10 December 2024 a set of joint guidelines to promote the consistent application of MiCA across the EU.[6]
The guidelines intend to facilitate consistency in the regulatory classification of crypto-assets, noting that MiCA does not apply to crypto-assets that are unique and not fungible with other crypto-assets; or which qualify as financial instruments, deposits, insurance and pension products or similar products which are in scope of the relevant sectoral legal framework.
The guidelines include a standardised test for the classification of crypto-assets as well as templates market participants should use when communicating the regulatory classification of a crypto-asset to their relevant NCA.
ESMA Encourages Investor Prudence With Respect to Crypto-Assets
In the context of the full entry into force of MiCA and the sharp rise in value of certain crypto-assets in November 2024, ESMA issued a warning on 13 December 2024,[7] reiterating the inherent risk of investing in crypto-assets and reminding investors that the safeguards provided by MiCA are less extensive than those for traditional investment products.
Comparing MiCA with the frameworks regulating the provision of traditional investment services, ESMA notes in particular that:
Crypto-assets are not covered by an investor compensation scheme and, consequently, investors face the risk of a total loss if a CASP is unable to return a crypto-asset to them;
MiCA does not require all providers of crypto-asset services to collect clients’ information to assess their ability to understand the crypto-asset products they wish to trade;
Crypto-asset service providers have no obligation to periodically report to clients the crypto-assets they hold on clients’ behalf with their updated or current value; and
The above-noted transitional period may leave investors without some of the investor-protection resources provided by MiCA until the relevant CASP’s authorisation as a CASP, as, under the VASP regime, an NCA’s powers may be restricted to the enforcement of anti-money laundering rules.
Conclusion
The full implementation of MiCA heralds a new era of harmonised supervision for crypto-assets across the EU, intended to provide legal certainty through a flexible legal framework for CASPs and protection for holders of crypto-assets (while remaining less extensive than the protection in place for traditional investment products), as well as to ensure the overall integrity of the crypto-asset market. The delegated acts in preparation and those already issued by the European Commission, along with the supplementary guidance provided by ESMA and the ESAs, promise to flesh out the MiCA framework.
Footnotes
[1] Regulation – 2023/1114 – EN – EUR-Lex.
[2] See the blog post dated 24 May 2024 for further details. This blog post is available here: EU/Luxembourg Update on the Regulation on Markets in Crypto-Assets and the Digital Operational Resilience Act.
[3] See the client alert dated 13 September 2023 for further details. This client alert is available here: Luxembourg Financial Services Regulator, the Financial Sector Supervisory Commission, and Issues FAQs on “Virtual Asset Service Provider” Regime.
[4] A table of transitional periods by EU member state has been published by ESMA and is available here: List of grandfathering periods decided by Member States under MiCA.
[5] ESMA’s statement of 17 December 2024 is available here: ESMA Statement on MiCA Transitional Measures.
[6] The joint guidelines issued by the ESAs are available here: Joint ESA Guidelines 10 December 2024.
[7] ESMA’s warning of 13 December 2024 is available here: ESMA Warning on crypto-assets 13 December 2024.
FINAL DAY UPDATE: Several Efforts Grind Forward but One-to-One Still on Track to Go into Effect Monday
Well folks, it’s down to the wire.
With just one business day remaining until one-to-one goes into effect on Monday, several efforts to stay or quash the ruling are ongoing, but none have paid off.
Here’s the latest as of 10:10 am eastern:
No, the one-to-one rule has not been stayed. Anyone who has told you otherwise is spreading misinformation and you should probably never talk to them again.
R.E.A.C.H. filed an emergency petition to stay the ruling for 60 days on Monday following President Trump’s inauguration. In my view this remains the most likely path to a delayed implementation of one-to-one. The NCLC predictably opposed the petition on Wednesday. R.E.A.C.H. replied yesterday and Queenie and I flew out to DC to try to see it through. More soon.
The long-shot IMC appeal may still yield a stay but that window appears to be closing. Usually courts will grant stays early in the shot clock if they intend to do so. A last minute stay seems nearly out of the question at this point, but the oral argument went so well that many people are still crossing their fingers. We’ll see soon enough.
There is a less known path that actually has a shot also. The Online Lenders Alliance filed a petition this month to reconsider and re-open the notice period on one-to-one citing concerns about the rule’s impact on small business. The petition is quite clever in that it tracks the Eleventh Circuit’s observations about a consumer’s right to consent. Ultimately it requests: “the commission open a new rule making to consider alternatives to the current “One-To-One Consent” provisions contained in the Targeting and Eliminating Unlawful Text Messages, Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991 (CG Docket Nos. 02-278 and 21-402).”
The Supreme Court is also considering an issue related to the FCC’s power to enact TCPA rulings like one-to-one but it is extremely unlikely the Supremes will act between now and Monday. Still, that appeal is something for people to keep in mind because it could change how courts enforce one-to-one later this year.
So there you have it.
We are monitoring both the FCC and Eleventh Circuit Court of Appeals dockets in real time. I should have some more direct information soon as well. Will share whatever I can.
No matter what happens, we all went down swinging if nothing else. I appreciate that. Hope you do too.
EU Updates Codes of Conduct on Countering Illegal Hate Speech Online
The European Commission has strengthened its framework for combating illegal hate speech online through an enhanced Code of Conduct, building upon the success of its 2016 predecessor. This updated version, known as the Code of Conduct on countering illegal hate speech online +, aligns with the Digital Services Act (DSA) and represents a significant step forward in the EU’s efforts to create a safer digital environment.
The Code brings together major technology platforms as signatories, including established participants like Google (YouTube), Meta platforms, and Microsoft, alongside newer additions such as TikTok, LinkedIn, and Twitch. These companies have committed to reviewing the majority of illegal hate speech notifications within 24 hours, with an ambitious target of processing at least 67% of notices from designated Monitoring Reporters in this timeframe.
Key improvements in the updated Code include enhanced transparency requirements, structured monitoring processes, and strengthened multi-stakeholder cooperation. Signatories must maintain clear terms and conditions prohibiting illegal hate speech and implement efficient notice-and-action mechanisms in compliance with the DSA.
The Code introduces a robust monitoring framework involving specialized Monitoring Reporters – non-profit or public entities with expertise in illegal hate speech. Annual monitoring exercises will evaluate the performance of signatories, with results published by the European Commission.
A notable innovation is the establishment of regular exchange forums for sharing best practices and addressing emerging challenges. The Code also emphasizes the importance of awareness-raising initiatives and educational programs to promote online civility and counter-narratives.
While voluntary in nature, this Code serves as a practical framework for implementing DSA requirements specifically related to illegal hate speech, demonstrating the EU’s commitment to combining regulatory oversight with industry collaboration in the fight against online hate speech, which is becoming increasingly relevant in the current global political climate.
FTC Announces Updates to COPPA Rule
On January 16, 2025, the Federal Trade Commission (FTC) issued a press release stating, “The updated [Children’s Online Privacy Protection Act (COPPA)] rule strengthens key protections for kids’ privacy online. By requiring parents to opt [into] targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”
These changes are the first major updates to the rule since its inception in 2013. COPPA protects the online privacy of children under the age of 13. It imposes specific requirements on operators of websites or online services directed to children or that knowingly collect personal information from children. COPPA requires operators to obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13 and to provide clear and comprehensive notice of their information practices regarding children, including a link to their children’s privacy policy on their website or online service. The rule also requires operators to take reasonable steps to disclose children’s personal information only to third parties capable of maintaining its confidentiality, security, and integrity. COPPA also mandates that operators retain collected children’s personal information for only as long as necessary to fulfill the purpose of its collection and delete such information using reasonable measures to protect against unauthorized access or use.
COPPA also includes provisions related to the FTC’s ability to approve self-regulatory guidelines (known as Safe Harbor Programs), which allow operators to use alternative methods for obtaining parental consent, provided they meet the requirements of COPPA.
The amendments to the COPPA rule include:
An Expanded Definition of Personal Information: Now includes biometric and government-issued identifiers.
A New Definition of Mixed Audience Website or Online Service: These are websites or services directed to children, but do not target them as the primary audience and do not collect personal information from any visitor before determining if the visitor is a child.
Required Parental Consent for Data Disclosure: Operators must now obtain separate verifiable parental consent for disclosing a child’s personal information to third parties, such as for targeted advertising purposes.
New Methods for Verifiable Parental Consent: Expands the permissible methods, including knowledge-based authentications, submitting government-issued photographic identification, and using text messages with additional safeguards.
A Required Information Security Program: Operators are required to establish and maintain a written information security program appropriate to the sensitivity of the personal information collected from children. This program must be regularly tested and monitored.
Strengthened Data Retention Limitations: Operators must retain children’s personal information for only as long as necessary to fulfill a specific purpose and must maintain a publicly available written data retention policy.
More Accountability for Safe Harbor Programs: Comprehensive reviews of the operator’s privacy and security policies are now required.
The FTC did not adopt proposed amendments to the rule related to limitations on using push notifications to children without parental consent or requirements for educational technology in schools. The changes to the rule will take effect 60 days after publication in the Federal Register (which has not yet occurred or been scheduled). Organizations subject to the final rule have one year to comply with the changes; however, compliance is required earlier in relation to COPPA Safe Harbor programs. To review the amendments, click here.
New York’s Proposed Health Information Privacy Act Takes Aim at Digital Health Companies
The New York Health Information Privacy Act (NYHIPA), if enacted, could create a chilling effect on patient access to, and engagement with, readily available digital health care services relied upon by New Yorkers. Digital health companies will likely struggle to maintain patient engagement and care coordination and will almost certainly face hurdles in improving their products and services due to the financial and operational burdens created by NYHIPA.
As of January 23, 2025, the NYHIPA had passed both the New York Senate and Assembly and will be routed to the Governor for possible signature. If enacted, the NYHIPA would significantly impact how digital health companies collect, disclose, and use consumer health information in New York.
Who is regulated?
As currently drafted, NYHIPA would apply to any entity with patients or customers that have a connection to New York.
Specifically, NYHIPA would apply to any entity that:
controls the processing of regulated health information of a New York resident,
controls the processing of regulated health information of an individual while that individual is physically present in New York, or
is located in New York and controls the processing of regulated health information.
The entity-level exemptions are limited compared to other consumer data privacy laws. HIPAA-covered entities are exempt, but only to the extent the entity maintains patient information in the same manner as HIPAA-protected health information. Traditional medical records maintained by HIPAA-covered entities will likely be exempt, but personal information collected early in the user workflow will likely be governed by NYHIPA and subject to the strict authorization requirements discussed below before any processing by a regulated entity, unless the entity is a HIPAA-covered entity and treats that information as HIPAA-protected health information.
What information is regulated?
NYHIPA seeks to regulate any and all information that could be linked to health or wellness, including device data. The information regulated is any information that is reasonably linkable to an individual or a device, collected or processed in connection with the physical or mental health of an individual, including location or payment information that relates to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual or a device. HIPAA-protected health information and deidentified information would be exempt from regulation.
What are the processing restrictions?
“Processing” would need to be narrowly tailored to the specific product or service requested by an individual, unless an explicit authorization is obtained. Processing, as defined under NYHIPA, generally means any operation performed on health information, including the collection, use, disclosure, access, sale, sharing, creation, generation, or deidentification of health information.
Regulated entities cannot process health information unless:
the individual has provided an authorization; or
the processing is strictly necessary for certain enumerated purposes, including providing or maintaining a specific product or service requested by such individual or conducting the regulated entity’s internal business operations.
Most importantly, and what will surely cause angst within the digital health community, internal business operations expressly exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties without explicit authorization from the individual authorizing such activities.
When can an authorization be obtained and what must the authorization include?
NYHIPA will prohibit an authorization from being obtained from an individual for 24 hours after account creation or first use of the product or service. Opt-in consent will not be enough, as regulated entities will be required to obtain explicit authorization from the individual for each activity not deemed strictly necessary to the products or services the individual requested.
The authorization must:
(i) be made separately from any part of a transaction;
(ii) be made at least 24 hours after the individual creates an account or first uses the requested product or service; and
(iii) allow the individual to provide or withhold authorization separately for each category of processing activity, among other requirements.
For individuals who have an online account with the entity – which will be the case for most digital health companies – the regulated entity must provide, “in a conspicuous and easily accessible place within the account settings,” a list of all processing activities for which the individual has provided authorization and, for each processing activity, allow the individual to revoke authorization in the same place “with one motion or action.” Entities cannot make a product or service contingent on providing authorization and cannot discriminate against an individual for withholding authorization, such as by charging different prices for products or services, including through the use of discounts or other benefits.
Is a privacy notice required?
NYHIPA would require a privacy notice if a regulated entity processes health information for a permissible purpose without an authorization. The notice would need to include the information processed, the nature of the processing activity, the “specific purposes” for such processing, names or categories of service providers and third parties to whom information is disclosed and the purpose of the disclosure, and the mechanism by which the individual may request access to and deletion of their health information. Notably, if the regulated entity materially alters its processing activities, the regulated entity would need to provide a clear and conspicuous notice, separate from a privacy policy, terms of service, or similar document, that describes any material changes to the processing activities and provide the individual with an opportunity to request deletion of the individual’s health information. Note that unlike other consumer data privacy laws, the only exception to the deletion requirement under NYHIPA as proposed allows retention “to the extent necessary to comply with the regulated entity’s legal obligations.”
What are other key requirements digital health companies should be aware of?
NYHIPA will require service providers to segregate health information by regulated entity. Regulated entities would need to enter into a written agreement with service providers. The required terms for those agreements generally look similar to other consumer data privacy laws. However, NYHIPA also requires that the service provider:
(i) not combine the health information which the service provider receives from or on behalf of the regulated entity with any other personal information which the service provider receives from or on behalf of another party or collects from its own relationship with individuals; and
(ii) notify the regulated entity “a reasonable time in advance” before sharing health information with any further service providers.
All websites and communications would need to be reasonably accessible to individuals with disabilities and available in languages in which the regulated entity provides information via its website and services.
When could this law be effective and what are the possible penalties?
NYHIPA would go into effect one year after the bill is signed into law.
The New York Attorney General would have authority to enforce the law, including civil penalties of the greater of $50,000 per violation or 20% of the revenue obtained from New York consumers within the past fiscal year, among other remedies. The Attorney General would also have authority to promulgate implementing rules and regulations.
What are the practical impacts of NYHIPA?
NYHIPA would pose significant financial and operational hurdles to digital health companies. Regulated entities would have to upgrade websites and user workflows to capture authorization for each processing activity for which they seek it, and make any further upgrades needed to meet the new accessibility requirements. The 24-hour moratorium on requesting authorization would effectively create a barrier to activities that improve the patient experience, engagement, and education. Service providers would bear the cost of segregating each regulated entity’s health information. Finally, NYHIPA would require digital health companies to comply with yet another state consumer privacy law that materially differs from other state privacy laws.
What should digital health companies do next?
NYHIPA has passed both legislative houses and only awaits the Governor’s signature to become law. As noted above, the effective date for the law would be one year after signature by the Governor. That one-year period is an incredibly short time for digital health companies to implement the changes that would be required to comply with NYHIPA. Therefore, if enacted, digital health companies with patients or customers in New York should immediately begin planning for compliance with NYHIPA.
Health care data privacy continues to rapidly evolve. Thus, digital health companies should closely monitor any new developments and continue to take necessary steps towards compliance.
FTC Settles Case with GM over Allegations of Collection + Use of Drivers’ Precise Geolocation
Continuing its focus on the collection and use of consumers’ precise geolocation, on January 16, 2025, the Federal Trade Commission (FTC) settled with General Motors (GM) over allegations that it collected, used, and sold drivers’ precise geolocation and driving behavior data from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent.
The FTC accepted the proposed order for public comment, which will be open for 30 days.
The complaint against GM alleged that it “used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and the OnStar Smart Driver feature. GM failed to clearly disclose that it collected consumers’ precise geolocation and driving behavior data and sold it to third parties, including consumer reporting agencies, without consumers’ consent.” According to the complaint, GM collected driver data through OnStar as often as every three seconds. As in the previous four cases in 2024, the FTC alleges that “tracking and collecting geolocation data can be extremely [privacy-invasive], revealing some of the most intimate details about a person’s life, such as whether they visited a hospital or other medical facility, and expose their daily routines.” The proposed order, if accepted, “prohibits GM and OnStar from misrepresenting information about how they collect, use and share consumers’ location and driver behavior data.” In addition, the order prohibits them from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years; requires them to obtain affirmative express consent from consumers before collecting connected vehicle data; allows consumers to obtain and delete their data; and allows consumers to limit data collection from their vehicles.
FTC Takes Action Against GoDaddy for Alleged Lax Data Security
The Federal Trade Commission (FTC) issued a proposed settlement order against GoDaddy alleging that it “has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services.”
The proposed settlement order requires GoDaddy “to establish a comprehensive data security program that is similar to those in other FTC cases, including the recent settlement with Marriott International.”
The complaint alleged that GoDaddy had unreasonable security measures, including “failing to inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments.” According to the complaint, these data security failures led to several “major security breaches between 2019 and 2022.”
The order prohibits GoDaddy from misrepresenting its security practices, and requires it to establish and implement a comprehensive security program to be reviewed by an independent third-party assessor.
After Supreme Court Upholds Ban, Trump Issues EO Giving TikTok an Extension
Despite bipartisan support for banning TikTok in the United States, as India has done, on the ground that it is essentially spyware presenting a national security threat from the People’s Republic of China (PRC), and despite the Supreme Court’s upholding of the law as constitutional, which required the app to go dark, President Trump signed an Executive Order (EO) on his first day in office giving TikTok 75 days to “pursue a resolution.”
TikTok already had several months to “pursue a resolution,” which was to divest itself from the PRC so it could not collect and use Americans’ sensitive data. TikTok does not want to pursue this resolution because it wants to keep collecting, using, manipulating, and spying on U.S. citizens.
This is a disappointing development, and hopefully, Trump, who originally supported the ban, will come to his senses to protect national security and keep the PRC from spying on unwary citizens.
Video Game Maker to Pay $20 Million to Settle FTC COPPA Enforcement Action
Singapore-based Chinese video game developer Cognosphere, dba HoYoverse, known for “Genshin Impact,” a role-playing game involving collectible characters with unique fighting skills, has agreed to pay $20 million to settle Federal Trade Commission (FTC) allegations that it violated the Children’s Online Privacy Protection Act (COPPA) and deceived players about the cost of winning certain prizes.
Introduced in the U.S. in 2020, Genshin Impact was one of the first Chinese video games to go viral in this country.
The FTC alleged that the company collected children’s personal information without parental consent as required by COPPA. The FTC’s complaint stated that the company “shares device-related persistent identifier information and records of the player’s engagement, progress, and spending within the game with third-party analytics and advertising providers.”
Additionally, players pay real money for a virtual currency that gives them a chance to win virtual prizes; however, the opportunities to win are confusing and complicated and involve multiple types of in-game virtual currency with different exchange rates. The purchasing process obscures the reality that consumers must spend large amounts of real money to obtain 5-star heroes. Under the settlement, the company will introduce new age-gate and parental consent protections for children and young teens and increase its in-game disclosures about its virtual currency and rewards for players in the U.S. It will also allow users to purchase loot box content directly with real money and will cease misrepresenting loot box odds. The company must also restrict children under the age of 16 from purchasing loot boxes without parental consent.
Biden Issues Cyber Executive Order in Last Days of Term
Former President Joe Biden issued an Executive Order (EO) entitled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” on January 16, 2025. The EO builds on Executive Order 14028 of May 12, 2021, whose stated goals it carries forward, namely to
Remove Barriers to Threat Information Sharing Between Government and the Private Sector
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
Improve Software Supply Chain Security
Establish a Cyber Safety Review Board
Create a Standardized Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Improve Investigative and Remediation Capabilities
According to the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA), the EO – which is not posted to the new White House website – aims to “improve accountability for software and cloud service providers, strengthen the security of Federal communications and identity management systems, and promote innovative developments and the use of emerging technologies for cybersecurity.”
The EO charges NIST with:
Operationalizing Transparency and Security in Third-Party Software Supply Chains
Securing Federal Communications
Solutions to Combat Cybercrime and Fraud
Promoting Security with and in Artificial Intelligence
Aligning Policy to Practice
NIST is to complete these tasks between March and November 2025.
CISA’s role in implementing the EO includes:
Removing Barriers to Threat Information Sharing Between Government and the Private Sector
Modernizing and Implementing Stronger Cybersecurity Standards across the Federal Government
Improving Software Supply Chain Security
Establishing a Cyber Safety Review Board
Creating a Standardized Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Improving Detection of Cybersecurity Incidents on Federal Government Networks
Improving Investigative and Remediation Capabilities
These goals are all needed and admirable. We will see how this develops throughout the year.