Connecticut Data Privacy Act New Opt-out Rights
On December 30, 2024, the Connecticut Attorney General issued an advisory to consumers and businesses that new opt-out rights under the Connecticut Data Privacy Act are effective as of January 1, 2025. Businesses must now honor global opt-out preference signals sent by consumers, e.g., via the Global Privacy Control, and treat those signals as requests to opt out of targeted advertising and sale of personal data. Additional resources are available on the Attorney General’s website.
The Telehealth Extension Has Ended…For Now
During the COVID-19 crisis, newly created relief allowed first-dollar coverage for telehealth services under a high deductible health plan (HDHP) without jeopardizing health savings account (HSA) eligibility. That relief was extended for plan years beginning prior to January 1, 2025. You can read our articles regarding the initial relief and subsequent extensions here, here, and here.
An earlier version of the 2025 budget bill included a two-year extension of this HSA telehealth safe harbor relief. However, that provision did not make it into the slimmed-down version of the budget bill that was signed by President Biden in late December. The slimmed-down budget bill was intended to serve as a stopgap to keep the Federal government running through March 14, 2025. Industry members are hopeful that when budget talks resume, a telehealth extension will be a part of that discussion.
For now, the telehealth relief has ended. For plan years beginning on or after January 1, 2025, pre-HDHP deductible coverage for telehealth services will disqualify an individual from contributing to an HSA unless another exception applies.
What the Future May Hold for the Consumer Financial Protection Bureau’s Open Banking Rule
Will the Consumer Financial Protection Bureau’s (CFPB) recently promulgated open banking rule survive under the new Congress and incoming presidential administration? Two upcoming proceedings may hold the answer.
On 22 October 2024, the CFPB finalized a rule to govern personal financial data rights, known colloquially as the open banking rule.1 In promulgating the open banking rule, the CFPB relied on Section 1033 of the Dodd-Frank Act for authority. In general, the open banking rule requires banks to establish electronic facilities for the reliable and accurate transmission of consumer data to authorized third parties at the consumer’s request and for a specified purpose and time period. Under the new Congress and incoming presidential administration, the rule may face two significant challenges to its existence in the coming months.
The first challenge may occur rapidly now that the 119th Congress is in session. Under the Congressional Review Act (CRA), Congress may disapprove of any rule finalized by the CFPB within the last six months of the outgoing presidential administration. To do so, both the Senate and the House must pass an identical joint resolution of disapproval. All votes under the CRA are simple majority votes, and under most circumstances, the resolution is not subject to filibuster in the Senate. Whether Congress will reject the open banking rule remains to be seen. To disapprove of a rule under the CRA, Congress must act within a 60-day period that commences in mid-January. This review period overlaps with the first weeks of the new administration when the Senate is typically focused on confirming the president’s cabinet nominees. The CFPB also issued a flurry of rules in the final months of the outgoing administration, so the new Congress may need to pick and choose which ones to consider jettisoning during the short CRA review window.
The second challenge to the open banking rule is playing out in a lawsuit filed by a Kentucky-based national bank and the Bank Policy Institute in federal court in Lexington, Kentucky. In their amended complaint, the plaintiffs allege that the open banking rule exceeds the congressional grant of rulemaking authority in at least six ways, which include the following:
The rule purports to regulate the provision of data to third parties, but the statute only permits rulemaking with respect to banks’ obligations to “make available to a consumer, upon request, information in the control or possession of the [bank] concerning the consumer financial product or service that the consumer obtained” from the bank.2
The rule increases risk to consumers by forcing banks to make available information enabling third parties to initiate payment from a consumer’s account and tasks banks with ensuring that unsupervised third parties can be trusted with the data they receive.
The rule seeks to outsource the task of establishing standards for compliance to private entities.
The rule imposes vague and confusing performance standards for the developer interfaces that data providers are required to establish.
The rule would require compliance before any of the standard-setting bodies are convened, much less able to promulgate standards for compliance.
The rule prevents data providers from recouping any of the substantial costs that compliance with the rule will impose.3
The CFPB filed an answer to the amended complaint on 27 December 2024, and the court directed the parties to confer regarding a case schedule. The incoming CFPB director will have wide latitude to use the lawsuit to determine the fate of the rule. The new director could, for example, consent to an injunction that would prevent the rule from taking effect. Whether the open banking rule will meet this fate remains to be seen. The proposed rule drew bipartisan support, including from former US Representative Patrick McHenry, the then-chair of the House Financial Services Committee. And the final rule, though controversial in many respects, appears to have avoided the ire of at least some members of the incoming administration.
Regardless of what happens to the rule, open banking is likely here to stay. Data providers have already established private, though largely unregulated, facilities for the electronic sharing of consumer data. Consumers and market participants who take issue with the manner in which data is shared, or allegedly misused, have several legal remedies available to them, regardless of whether open banking is regulated by the CFPB.
While it is impossible to predict the ultimate fate of the open banking rule, this much seems certain: it will meet its destiny sooner rather than later. The firm will continue to provide updates on the fate of the rule.
Footnotes
1 12 C.F.R. pt. 1033.
2 12 U.S.C. § 5533(a) (emphases added).
3 See Am. Compl. ¶¶ 12-18, Forcht Bank, N.A., et al. v. CFPB, No. 5:24-cv-00304-DCR (E.D. Ky.).
CISA Publishes Security Requirements Pursuant to EO 14117 for DOJ Rulemaking on Restricted Data Transactions
On January 8, 2025, the U.S. Department of Homeland Security’s (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) published finalized Security Requirements for Restricted Transactions (the “Requirements”) as designated by the Department of Justice (“DOJ”) in the DOJ’s final rulemaking, each pursuant to Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern) (“EO 14117”). EO 14117 tasked CISA with developing security requirements for transactions designated as “restricted” by the DOJ. CISA issued the Requirements in conjunction with the DOJ’s final rule on EO 14117 (“DOJ Rule”), also published on January 8, 2025. The Requirements and DOJ Rule will go into effect on April 8, 2025. See selections of our related coverage of the DOJ Rule and EO 14117, with links to additional materials.
As discussed in those posts, the DOJ Rule and EO 14117 establish a new regulatory regime that either prohibits or restricts “covered data transactions,” which are data brokerage, employment agreements, investment agreements and vendor agreements that could result in access to bulk U.S. sensitive personal data or government-related data (1) by a “country of concern” (i.e., China, Cuba, Iran, North Korea, Russia and Venezuela) or (2) a “covered person” affiliated with a country of concern. While certain transactions are prohibited outright, U.S. persons must adhere to certain compliance requirements before engaging in “restricted transactions,” including security regulations established by CISA to “adequately mitigate the risks of access by countries of concern or covered persons to bulk sensitive personal data or United States Government-related data.” Restricted transactions include any sharing or access with a covered vendor, employee or investor.
The Requirements are divided into two sections: (1) organizational- and covered system-level requirements and (2) data-level requirements. CISA’s intent is to provide entities with direct means of mitigating the risk of access to covered data, establish effective governance, and establish an auditable basis for compliance purposes. The Requirements are based on several similar, widely used cybersecurity standards or frameworks (i.e., the NIST Cybersecurity Framework (“CSF”), NIST Privacy Framework (“PF”) and CISA Cybersecurity Performance Goals (“CPGs”)), and include:
(1) Organizational- and covered system-level requirements for “covered systems” that “interact with” the “covered data as part of a restricted transaction, regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified:”
Maintain an updated asset inventory (including at least monthly updates).
Designate a person responsible and accountable for (1) cybersecurity and (2) governance, risk and compliance (one for both or one for each).
Remediate known exploited vulnerabilities within at most 45 days.
Document and maintain all vendor/supplier agreements for covered systems.
Develop and maintain an accurate network topology and any network interfacing with a covered system.
Implement a policy for requiring approval for new hardware or software.
Maintain incident response plans and review at least annually.
Implement logical and physical access controls, including: enforcing MFA, promptly revoking credentials upon termination/role change, logging (and logging storage and access practices), implementing deny-by-default configurations (with limited exceptions), and managing credentials that adequately prevent access to covered data, transactions and functions by covered persons and/or countries of concern.
Conduct an internal data risk assessment.
Covered systems do not include systems that have the ability to view or read sensitive personal data (other than government-related data) but do not ordinarily interact with such data in bulk form.
(2) Data-level requirements for restricted transactions, to be implemented in a combination that is “sufficient to fully and effectively prevent access to covered data that is linkable, identifiable, unencrypted, or decryptable using commonly available technology by covered persons and/or countries of concern, consistent with the data risk assessment:”
Apply data minimization and masking strategies, including: maintaining a written data retention and deletion policy, and processing data in a way that it is no longer covered data or that minimizes its linkability to a U.S. person (e.g., via techniques like anonymization, making sure identities can’t be extrapolated from data sets).
Apply encryption techniques, including comprehensive encryption and specific key management practices.
Apply privacy enhancing technologies, e.g., privacy-preserving computation or differential privacy techniques.
Configure the identity and access management techniques to deny authorized access to covered data.
Entities must also treat systems that perform data minimization, masking, or privacy enhancing technology processing as covered systems subject to the organizational- and system-level requirements above.
CISA mapped each of the requirements to the corresponding NIST CSF controls, NIST PF controls and/or CISA CPGs. CISA declined to grant reciprocity for entities that already participate in existing data or cybersecurity regimes as they do not adequately “address the national security risks associated with restricted transactions,” but took various steps to introduce flexibility into many of the requirements and noted that it “remains open” to mapping the Requirements to existing frameworks such as ISO/IEC 27001 or NIST Special Publication 800-17. CISA also provided various examples to illustrate concepts like “access” to covered data. Companies should assess their readiness for the rapidly approaching enforcement date in April.
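As an added illustration (not CISA’s, DOJ’s, or the firm’s own tooling), the following Python check encodes the organizational- and covered system-level thresholds listed above (monthly asset inventory updates, 45-day remediation of known exploited vulnerabilities, annual incident response plan review, MFA, deny-by-default, and named cybersecurity and GRC owners) as a policy-as-code audit run over a constructed inventory of covered systems. The record layout, the 31-day reading of “monthly,” the placeholder vulnerability identifiers, and the sample systems are assumptions, not anything from the Requirements themselves.

```python
"""Readiness audit for a subset of the CISA Security Requirements for
Restricted Transactions (organizational- and covered system-level items).
Added example: thresholds follow the requirements as summarized above; the
data model and the sample records are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

INVENTORY_MAX_AGE = timedelta(days=31)  # "at least monthly" (assumed: 31 days)
KEV_MAX_AGE = timedelta(days=45)        # known exploited vulns: remediate within 45 days
IR_PLAN_MAX_AGE = timedelta(days=365)   # incident response plan reviewed at least annually


@dataclass
class KevFinding:
    vuln_id: str                     # placeholder label, not a real CVE identifier
    detected: date
    remediated: Optional[date] = None  # None means still open


@dataclass
class CoveredSystem:
    name: str
    inventory_updated: date          # last asset-inventory refresh
    ir_plan_reviewed: date           # last incident response plan review
    mfa_enforced: bool
    default_deny: bool               # deny-by-default access configuration in place
    cyber_owner: Optional[str]       # accountable person for cybersecurity
    grc_owner: Optional[str]         # accountable person for governance, risk, compliance
    kevs: List[KevFinding] = field(default_factory=list)


def check_system(system: CoveredSystem, today: date) -> List[str]:
    """Return human-readable gaps for one covered system; empty list = no gaps."""
    findings = []
    inv_age = today - system.inventory_updated
    if inv_age > INVENTORY_MAX_AGE:
        findings.append(f"{system.name}: asset inventory stale ({inv_age.days} days old)")
    for kev in system.kevs:
        # Open findings are measured against today; closed ones against the fix date.
        age = (kev.remediated or today) - kev.detected
        if age > KEV_MAX_AGE:
            state = "remediated late" if kev.remediated else "still open"
            findings.append(f"{system.name}: {kev.vuln_id} {state} after {age.days} days (limit 45)")
    ir_age = today - system.ir_plan_reviewed
    if ir_age > IR_PLAN_MAX_AGE:
        findings.append(f"{system.name}: incident response plan not reviewed for {ir_age.days} days")
    if not system.mfa_enforced:
        findings.append(f"{system.name}: MFA not enforced")
    if not system.default_deny:
        findings.append(f"{system.name}: access controls are not deny-by-default")
    if not system.cyber_owner or not system.grc_owner:
        findings.append(f"{system.name}: missing accountable cybersecurity and/or GRC owner")
    return findings


def check_all(systems: List[CoveredSystem], today: date) -> dict:
    """Map each system name to its list of findings."""
    return {s.name: check_system(s, today) for s in systems}


# Constructed sample data: one system that meets the thresholds, one that does not.
TODAY = date(2025, 4, 8)  # effective date of the Requirements per the post
SAMPLE_SYSTEMS = [
    CoveredSystem("hr-data-lake", inventory_updated=date(2025, 3, 20),
                  ir_plan_reviewed=date(2024, 11, 1), mfa_enforced=True, default_deny=True,
                  cyber_owner="ciso@example.test", grc_owner="grc@example.test",
                  kevs=[KevFinding("KEV-PLACEHOLDER-1", date(2025, 2, 1), date(2025, 3, 1))]),
    CoveredSystem("vendor-gateway", inventory_updated=date(2025, 1, 15),
                  ir_plan_reviewed=date(2023, 12, 1), mfa_enforced=False, default_deny=True,
                  cyber_owner="ciso@example.test", grc_owner=None,
                  kevs=[KevFinding("KEV-PLACEHOLDER-2", date(2025, 1, 10), None)]),
]

if __name__ == "__main__":
    for name, findings in check_all(SAMPLE_SYSTEMS, TODAY).items():
        print(name, "OK" if not findings else f"{len(findings)} gap(s)")
        for line in findings:
            print("  -", line)
```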
What Might Happen with Business Immigration Under the New Trump Administration
Navigating the Future of H-1B, L-1 and O-1 Visas
As the new Trump administration takes shape, tech companies and foreign workers are keenly observing potential changes to the H-1B visa program and other related tech visas. The administration is expected to balance competing stakeholders by maintaining strong relationships with the tech industry while also addressing concerns from those advocating for stricter immigration policies.
H-1B and L-1 Visas: A Balancing Act
While some factions within the administration may push for a reduction in high-skilled immigration, the administration’s close ties with tech companies suggest it will likely maintain current levels of H-1B and L-1 visa issuances. The tech industry heavily relies on these visas, and any drastic reduction could disrupt business operations and innovation. However, procedural changes that we saw in the previous administration, as well as new ones, might be introduced to indirectly limit access, such as increased scrutiny during adjudications, slower processing times, increased requests for evidence, higher denial rates, and more frequent site visits.
A particular focus is expected on third-party placement firms and staffing companies, which have been accused of misusing the H-1B program. Companies that are in the outsourcing/staffing industry may face heightened scrutiny and additional requirements, especially in terms of documenting third-party worksite placements.
Buy American, Hire American: Implications and Expectations
The anticipated “Buy American, Hire American” executive order could lead to reviews of companies using large numbers of H-1B visas to determine if they are prioritizing foreign workers over U.S. citizens. This may also involve increased activity from the Department of Justice’s Immigrant and Employee Rights Section (IER), which scrutinizes whether foreign nationals are being unfairly preferred in hiring.
Geopolitical Considerations and Security Checks
The administration might impose stricter limitations on H-1B visa holders from countries perceived as unfriendly, such as China and those countries that have been designated as state sponsors of terrorism. Enhanced security and administrative checks could lead to delays for nationals from these countries, reflecting broader geopolitical concerns. The administration could also bring back its Travel Bans via executive orders, as it did previously.
Potential Revisions to Existing Policies
There is speculation about reversing USCIS’s deference policy, which has allowed USCIS adjudicators to rely on prior approvals involving the same parties and facts rather than adjudicating every visa petition from scratch. While the recent H-1B modernization rule codifies the deference policy, the administration could issue directives requiring case-by-case reviews, potentially complicating and slowing the process for employers and applicants.
Additionally, work authorization for some spouses of tech workers may disappear. The Trump administration proposed eliminating the H-4 EAD in 2021 and it may try to do this again. There have been no similar attempts at, or discussions around, rescinding L-2 work authorization.
Optional Practical Training (OPT) and STEM OPT
Previous attempts by the Trump administration to limit OPT and STEM OPT were met with resistance from the tech industry and educational institutions. Further restrictions on these programs seem unlikely in the short term because any changes would likely face significant pushback due to their importance to tech companies and universities.
Prevailing Wage and Union Advocacy
Efforts to increase prevailing wages for H-1B workers may gain traction, with heightened scrutiny on companies accused of undercutting wages through foreign hires. The incoming head of the Department of Labor could advocate for policies that favor higher prevailing wages and address union concerns.
Conclusion: Navigating Uncertainty
While the new administration may introduce challenges for high-skilled immigration, the business community’s pushback and the economic benefits of these programs could help prevent implementation of any drastic measures. Companies and foreign workers should stay informed and prepare for potential procedural changes.
HHS OCR Settlements: Last Week in Review
During the week of January 6, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements and corrective action plans with Elgon Information Systems (“Elgon”), Virtual Private Network Solutions, LLC (“VPN Solutions”) and USR Holdings, LLC (“USR”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule.
The proposed resolutions with Elgon and VPN Solutions are the eighth and ninth ransomware investigation settlements announced by OCR. Elgon is required to pay $80,000 to OCR and will be subject to its monitoring for three years to ensure compliance with HIPAA. VPN Solutions is required to pay $90,000 and will be subject to one year of monitoring. The corrective action plans also lay out certain steps each entity is required to take to resolve potential violations of the HIPAA Privacy and Security Rules.
The proposed resolution with USR, announced on January 8, 2025, stems from a data breach, during which an unauthorized third party/parties were able to access a database containing the electronic protected health information (“ePHI”) of over 2,900 individuals and able to delete ePHI in the database. The resolution agreement requires USR to pay $337,750 to OCR and take steps to resolve potential violations of the HIPAA Privacy and Security Rules. USR will be subject to OCR monitoring for two years to ensure compliance with HIPAA.
Last week’s flurry of settlements is in keeping with a broader trend of OCR Security Rule enforcement activity in the past year. These agreements underscore how it is critical that organizations of all sizes that handle ePHI ensure their compliance with the HIPAA Security Rule, which requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI.
“A MESS”: Brandon Callier Defeats TCPA Defendant’s Summary Judgment Motion And TCPA Defense Lawyers Need to Do Better
What is going on with the practice of law these days?
I know, I know– I sound like an old guy. And I guess the Czar is getting a bit old.
But back in my day (leaning into it) lawyers took time to prepare quality briefs with well-organized and thoughtful arguments and–importantly– pristinely presented exhibits for the court’s consideration.
But Troutman Amin, LLP may be a dying breed in that respect.
Consider Callier v. Jascott Investments, et al., 2025 WL 92391 (W.D. Tex. Jan. 14, 2025). There, repeat TCPA litigator Brandon Callier just rose to an easy victory over a TCPA defendant’s summary judgment effort, and the poor quality of the motion work by the defense lawyers appears to be the culprit.
Check this out. This is literally how the Court begins its analysis of the motion:
As an initial matter, Investments’ summary-judgment exhibits are a mess. Its opening brief cites to more than 1000 pages of exhibits by letter, but almost all exhibits have no letter label or have exhibit stickers with random numbers. Investments’ “Exhibit A” is 275 pages of discovery Investments apparently produced to Plaintiff, including inoperable placeholder sheets for audio recordings. The Court also received all 248 pages of Plaintiff’s deposition transcript along with its exhibits which contain internally inconsistent exhibit stickers derived apparently from exhibit stickers from discovery, using both numbers and “Plaintiff’s Exhibit” lettering. The Court is satisfied that it was ultimately able to locate the exhibits Investments intended to cite but respectfully requests greater care in future pleadings.
Oh man, that’s just awful. Anytime a court refers to your filing as a “mess” you know you’re not going to win– and Investments did not win. Not even close.
Indeed it appears the court thought the defense was basically wasting its time.
The Defendant argued Callier’s phone number was not residential in nature, but since Callier attested he used it for residential purposes the Defendant wasn’t going to win that one.
Defendant argued the number wasn’t on the DNC list– but again Callier attested that it was. So a jury needs to figure it out.
And Defendant argued Callier consented to receive calls but that assessment relied on a declaration that did not comply with the rules and was stricken. So… yeah.
Meanwhile Callier moved for cross-judgment on his own claims. The Court came close to granting judgment to Callier but determined a jury needed to confirm whether the ownership of his number was for residential or business purposes.
So yeah, bottom line– do better guys! A guy like Callier shouldn’t be skating to easy wins over bad motions.
CHASE: JP Morgan Chase Allowed to Pursue Debt Against TCPA Litigant via Counterclaim
This lady named Gina Henry allegedly owed Chase Bank some money. It made collection calls to her and Henry sued for TCPA violations.
Chase countersued Henry for the debt owed and Henry moved to dismiss the claim.
In Henry v. JP Morgan Chase, 2025 WL 91179 (N.D. Cal. Jan 14, 2025) the court denied this effort and allowed the bank to chase Henry for the debt.
Reasoning that the claim for the debt is related to the same operative facts as the phone calls at issue in the TCPA claim– the calls were made to collect the debt after all– the Court had little trouble concluding the two claims should proceed in one suit.
The Court also rejected the idea that allowing counterclaims might dissuade TCPA suits– Chase is free to sue Henry for the debt in state court regardless. So doing it all in one place will be easier for Henry in the Court’s view.
TCPA suits against debt collectors and servicers are at an all-time low right now as plaintiffs’ lawyers focus their energies on origination and marketing callers. Still, it is important to keep in mind that an occasional debt collection TCPA suit might still be filed– especially if prerecorded calls or RVM are used– and when they are, pursuing the debt in a counterclaim is a splendid idea.
Nice work Chase.
D’ART OF WAR: Family Favorite Food Supplier Prepares For TCPA Battle.
Hey TCPAWorld!
Things are heating up as we’re less than two weeks away from one-to-one consent starting January 27, 2025.
With that being said, the TCPA complaint we’re covering this week includes a familiar name. D’Artagnan Inc., renowned for its gourmet food, has recently become the target of a TCPA lawsuit. Ariane Daguin, its CEO and founder, has revolutionized the culinary world as a female chef and entrepreneur, championing high-quality and ethically sourced ingredients since 1985. While its reputation for quality endures, the gourmet food giant now finds its telemarketing operations tested at the forefront of a TCPA dispute.
In MCGONIGLE v. D’ARTAGNAN, INC., No. 1:25-CV-00052 (E.D. Va. Jan. 11, 2025), McGonigle (“Plaintiff”) alleges that even though Plaintiff has been listed on the National Do-Not-Call Registry (“DNCR”) for over 10 years, D’artagnan, Inc. (“Defendant”) delivered at least eight telemarketing text messages to Plaintiff’s residential number, on at least seven separate days in September 2024. One example reads:
D’Artagnan: Don’t miss out! Enjoy $15 flat rate shipping + 10% OFF on all orders. Sale ends tonight. Shop now: https://dartagnan.attn.tv/agwvswGzqaA7
Id. at ¶ 13. Due to these accusations, Plaintiff filed a Complaint in the Eastern District of Virginia alleging Defendant violated the DNC provisions, 47 U.S.C. § 227(c)(5) and 47 C.F.R. § 64.1200(c), by delivering telemarketing messages to Plaintiff, while Plaintiff was listed on the DNCR.
Plaintiff seeks to represent the following class:
All persons throughout the United States (1) who did not provide their telephone number to D’Artagnan, Inc., (2) to whom D’Artagnan, Inc. delivered, or caused to be delivered, more than one voice message or text message within a 12-month period, promoting D’Artagnan, Inc. goods or services, (3) where the person’s residential or cellular telephone number had been registered with the National Do Not Call Registry for at least thirty days before D’Artagnan, Inc. delivered, or caused to be delivered, at least two of the voice messages or text messages within the 12-month period, (4) within four years preceding the date of this complaint and through the date of class certification.
Id. at ¶ 21.
Frequently Asked Questions About the New Jersey Data Protection Act, Effective January 15, 2025
The New Jersey Data Protection Act (NJDPA), N.J. Stat. § 56:8-166.4 et seq., will go into effect on January 15, 2025, as New Jersey joins eighteen other states with comprehensive data privacy laws.
The Garden State’s Division of Consumer Affairs Cyber Fraud Unit recently posted answers to twenty-four frequently asked questions (FAQs) that offer a comprehensive summary of the law, outline definitions, and explain consumer rights and business responsibilities.
Quick Hits
The New Jersey Data Protection Act (NJDPA) takes effect on January 15, 2025, as New Jersey joins eighteen other states with comprehensive data privacy laws.
The NJDPA defines a “consumer” as a New Jersey resident acting in an individual or household context, excluding those acting in commercial or employment contexts.
The New Jersey Division of Consumer Affairs will provide a grace period for enforcement of the NJDPA until July 1, 2026.
Our prior article laid out the obligations the statute entails and the relatively small universe of companies that are covered under the NJDPA. (The statute does not have a specific title, and as a result, it has been referred to in different publications by various names, such as the “New Jersey Data Protection Act,” the “New Jersey Data Privacy Act,” or the “New Jersey Data Privacy Law.”) The FAQs offer some insight and further clarification as to the scope and application of the law.
Who Is a ‘Consumer’ Under the NJDPA?
The FAQs state an important distinction regarding the scope of the NJDPA, namely, that the NJDPA does not cover employment records. In the statute, “consumer” is defined as a person who is a New Jersey resident acting only in an individual or household context. In contrast, the definition of consumer does not include a person acting in a commercial or employment context. For example, a New Jersey resident who has his or her personal data collected by a retailer while making a purchase for the consumer’s household is protected under the NJDPA. However, a New Jersey resident who has his or her personal data collected by a potential employer while applying for a job is not protected under the NJDPA. (See FAQ #5.)
Are There Special Protections for Children and Minors?
The FAQs indicate that in New Jersey, controllers must obtain consent before processing personal data of consumers aged thirteen to sixteen. This requirement is broader than the statute, which only mandates consent for targeted advertising, selling personal data, or profiling with significant effects, and applies when the controller knows or willfully disregards that a consumer is thirteen to seventeen years old. Although nonbinding, the FAQs suggest the Division of Consumer Affairs may adopt a stricter approach to children’s privacy, using a “should know” standard rather than the statute’s “actual knowledge or willful disregard” standard. (See FAQ #18.)
Will Enforcement Begin Immediately When the NJDPA Becomes Effective?
The FAQs clarify that even though businesses and other entities that are controllers of personal data are expected to comply with the NJDPA when the law becomes effective, there will be a grace period for bringing enforcement actions. Specifically, until July 1, 2026, if the Division of Consumer Affairs identifies a potential violation that the controller can remedy, the division will send a notice to the controller to give them the chance to fix the problem. If the controller does not fix the problem within thirty days, the division can proceed with an enforcement action. (See FAQ #23.)
Does the New Jersey Division of Consumer Affairs Intend to Adopt Regulations?
The division stated in its answer to FAQ #24 that regulations would be issued in 2025. “In the meantime,” the division noted, “controllers and processors are required to comply with the [NJDPA] starting on January 15, 2025.”
CSB’s New Transparency Initiative
On January 14, 2025, the U.S. Chemical Safety and Hazard Investigation Board (“CSB”) released Volume One of a series of detailed reports on serious accidental chemical incidents reported to CSB under the Accidental Release Reporting Rule, implemented in March 2020.[1]
Prior to July 2022, CSB incident reporting was limited to basic incident data: facility name, location, date, and outcome (fatality, serious injury, or substantial property damage). CSB’s new initiative represents a landmark shift in chemical safety transparency. The release of detailed incident summaries, including analysis of probable cause and contributing factors, creates significantly increased legal and operational risks that require immediate strategic attention.
Volume One: A Look at the Data
This initial report meticulously details 26 events from April 2020 to September 2023 across 15 states, including California, Texas, and Louisiana. The incidents, resulting in 5 fatalities, 17 serious injuries, and approximately $700 million in damages, involved refineries, chemical plants, and food processing facilities.
Volume One does not just report the what—it delves into the why, detailing various incident types and causes. This means that specifics about incidents, previously kept internal, will now be accessible to the public, including employees, communities, and competitors. As a result, companies should expect heightened scrutiny and a renewed focus on preventing incidents.
Each incident summary goes beyond a basic factual account, offering:
Detailed Chronology: A timeline of events, actions taken, and consequences.
Probable Cause Determination: A clear statement of the probable cause of the incident, often pinpointing equipment failures, process malfunctions, operational errors, or inadequate safety procedures.
Contributing Factors: A breakdown of secondary factors contributing to the incident’s severity, such as inadequate training, maintenance deficiencies, and design flaws.
Technical Specifications: Inclusion of technical data, such as pressure readings, temperatures, and quantities of materials released.
Safety Recommendations: Concrete, actionable recommendations for preventing similar incidents, directed at specific companies, industry organizations, and/or regulatory bodies.
Implications
The release of Volume One and future volumes carries significant implications for legal strategy and risk management. For example, the detailed reports may provide plaintiffs with readily accessible evidence and new avenues for legal action and argumentation. Any incidents reported to the CSB, no matter how minor, will be subject to public review and analysis. This includes the details of the incident and the CSB’s findings regarding its probable cause. CSB’s finding may also influence regulatory agencies to enact stricter enforcement and new regulations. Public awareness of incidents and associated probable causes may also affect a company’s reputation and investor or stakeholder relations.
The CSB’s new transparency initiative fundamentally changes the legal and operational environment for energy companies. Proactive analysis of Volume One and the implementation of robust safety and compliance measures are no longer optional—they are essential for mitigating future legal and reputational risks. CSB intends to make these compiled incident reports available to the public via its website “on a regular basis.”[2]
Volume One can be found here.
[1] CSB News Release, “U.S. Chemical Safety Board Announces New Safety Product to Provide the Public with More Information about Serious Chemical Incidents Reported to the Agency” (Jan. 14, 2025), available at https://www.csb.gov/-us-chemical-safety-board-announces-new-safety-product-to-provide-the-public-with-more-information-about-serious-chemical-incidents-reported-to-the-agency-/.
[2] Id.
New York Amends Data Breach Notification Law to Enhance Notification Requirements, Expand Definition of ‘Private Information’
On December 24, 2024, New York Governor Kathy Hochul signed into law amendments to New York’s private-sector data breach notification law (General Business Law § 899-aa) and government agency data breach notification law (New York State Technology Law § 208).
The private-sector changes include a thirty-day deadline for businesses to notify New York residents impacted by a data breach, and both laws now have an expanded definition of “private information” that includes medical and health insurance information. The new notification requirements are effective immediately, whereas the expanded definition of “private information” will become effective on March 21, 2025, for both laws.
Quick Hits
Businesses must now notify New York residents impacted by a data breach within thirty days after a data breach has been discovered.
The state’s Department of Financial Services must now be notified of a data breach along with other regulatory agencies.
The definition of “private information” was expanded to include a person’s medical information and health insurance information.
Notification Requirements
Effective immediately, persons or businesses that are required to notify New York residents of a data breach must provide notification within thirty days after discovery of the breach. This same thirty-day timeframe also applies to the obligation for service providers to notify the data owner or licensee of a data breach. Previously, the New York data breach notification law required only that disclosure of a breach be made as expediently as possible and without unreasonable delay, but it did not provide a specific deadline. The amendments further removed language in the law that allowed businesses to delay notification consistent with “any measures necessary to determine the scope of the breach and restore system integrity,” although notification may still be delayed based on the legitimate needs of law enforcement. Both of these changes eliminate the flexibility businesses were previously afforded in the timing of data breach notifications.
The amendments also expand data breach notice requirements to regulatory agencies. The New York State Department of Financial Services (NYDFS) must now be notified of a data breach, in addition to the previously existing requirement to notify the state’s attorney general, the New York Department of State, and the state police. Such agency notices must still include the timing, content, and distribution of the notices, the approximate number of affected persons, and a template of the individual notice. This requirement to notify NYDFS is also separate from the disclosure requirements for covered entities under the NYDFS cybersecurity regulations (23 NYCRR Part 500).
The thirty-day notification requirement, however, does not apply to data breach notification obligations for government agencies or entities. These public entities are still only required to notify affected individuals “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement … or any measures necessary to determine the scope of the breach and restore the integrity of the data system.” In other words, although private-sector businesses now have a strict thirty-day deadline to report data breaches, state governmental agencies and entities still enjoy wider discretion in the timing of their same notification obligations.
Expanded Definition of ‘Private Information’
The amendments further expand the definition of “private information” under both the private-sector and public-sector data breach notification laws. Effective March 21, 2025, private information under both laws will also include:
medical information, including the individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; and
health insurance information, including the individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application or claims history, including the individual’s appeals history.
The expanded definition of “private information” means that a data breach involving medical or health insurance information may now trigger notification requirements under New York law. Notably, the New York data breach notification laws are distinct from other state and federal laws that govern medical or health insurance information in certain contexts, such as the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, the Federal Trade Commission’s Health Breach Notification Rule, and the recently adopted New York State Department of Health’s hospital cybersecurity regulations. As a result, in some instances, a data breach involving medical or health insurance information may now implicate overlapping legal obligations and notification requirements.
Key Takeaways
Businesses may want to consider reviewing their incident response plans and other data security policies and practices to comply with New York’s updated data breach notification requirements.