NY DOH Publishes Electronic Material Health Care Transaction Reporting Form, Increasing Disclosure Requirements to Include Potentially Sensitive Business Information
On May 15, 2025, the New York State Department of Health (“DOH”) announced the launch of the electronic Material Transaction Reporting Form for health care transactions (“Electronic Form”). To assist reporting entities in preparing their submissions, the DOH has also released a list of all questions included in the Electronic Form.
Collectively, the reporting requirements set forth in the Electronic Form appear significantly more extensive than those imposed by other states, including California’s health care transaction reporting framework. Notably, the Electronic Form includes obligations to disclose potentially sensitive business information, such as investor materials.
Existing Statutory Authority
Proskauer has tracked the evolving reporting obligations in a series of posts, including one published last month that discussed the latest DOH guidance concerning the reporting obligations.
Pursuant to PHL § 4552, a health care entity shall submit to the DOH “written notice, with supporting documentation as described below and further defined in regulation developed” by the DOH. Such written notice “shall include, but not be limited to:”
The names of the parties to the material transaction and their current addresses;
Copies of any definitive agreements governing the terms of the material transaction, including pre- and post-closing conditions;
Identification of all locations where health care services are currently provided by each party and the revenue generated in the state from such locations;
Any plans to reduce or eliminate services and/or participation in specific plan networks;
The closing date of the proposed material transaction; and
A brief description of the nature and purpose of the proposed material transaction.
As of the publication date of this post, the DOH has not promulgated regulations concerning the law. Nevertheless, the Electronic Form outlines a range of documents and information that reporting entities must submit to the state as part of a material transaction report.
Reporting Obligations to Consider
Below are certain categories of information requested in the Electronic Form that may raise particular concerns for investors and sponsors. Some of the requested categories are sensitive in nature, and careful attention should be paid to ensuring that the DOH treats the submitted information as confidential. Other categories of requested information may require significant effort to analyze and prepare a response, particularly for larger enterprises.
Reporting Obligation Contained in Electronic Form
Impact and Considerations
Part 2, Section A.10-Provide the identities of and interrelationships among the Party and all persons known to control or to be controlled by or under common control with the Party, in a chart that clearly presents the relationships.
-Additionally, the organizational chart must identify (1) voting percentage: the percentage of voting securities for each person identified in the organizational chart and (2) other control: if control of any person is maintained other than by the ownership or control of voting securities, then indicate the basis of such control for each relevant party identified in the organizational chart; as to each person, indicate the type of organization (e.g., corporation, trust, partnership) and the State or other jurisdiction of domicile.
The form appears to require broad disclosure of ownership and control rights of each Party. Of note, the form asks for the disclosure of “all persons known to control or to be controlled by or under common control with the Party,” which may require analysis and review in highly complex, sponsor-backed deal structures to disclose affiliates of the Party.
Part 3, Section B-C-Projected annual revenue (in $ millions) of the Surviving Entity over the next three years.
-Provide information on all transaction activity in the past 3 years by each Party to this Material Transaction.
Any “Party” to the “Material Transaction” must report historic “transaction activity.” The Electronic Form does not clarify whether the disclosure obligation concerns all other historic Material Transactions, or if the DOH expects a party to disclose all historic transactions involving health care entities in the state, regardless of size over the prior 3 years. The historic transaction reporting obligation may require careful review and consideration by entities who consistently engage in transactions in the ordinary course of business.
Part 3, Section D, Subparagraphs (c)-(d)-How many transactions has the Surviving Entity from this Material Transaction engaged in within the prior 12 months (from the anticipated close of this Material Transaction) that have increased gross in-state revenues?
-Considering the most recent of these transactions: Submit the Surviving Entity’s standalone gross in-state revenue before the transaction’s close date. Submit the combined gross in-state revenue of the Parties to this transaction as of the transaction’s close date.
Notice: Any series of transactions designed to evade the threshold provisions of this article shall be deemed a Material Transaction and subject to the notice requirements of Article 45-A of the Public Health Law.
In posing this question, it appears that the DOH is requiring parties to submit information as to prior transactions in a 12-month period in order to potentially determine whether the Parties have complied with the reporting obligations.
Part 3, Section E-For all Parties, submit Financial Statements in conformity with U.S. Generally Accepted Accounting Principles (“GAAP”) or other accounting principles prescribed or permitted under law (audited with an independent CPA’s opinion thereof, preferred but not required) of the Parties to this Material Transaction as of the end of the last two fiscal years.
-These financial statements shall include the following components: Balance Sheet; Income Statement; Statement of Cash Flows; Notes to Financial Statement (Narrative); and, for the Surviving Entity, also submit projected financial statements dated one day after closing.
The Electronic Form requires all Parties to the Material Transaction to submit financial information.
Part 4, Section A, Subparagraph (a)-(c)-Describe the health care services provided by each Party to the Material Transaction at all locations of operation within New York.
-Does any party to this transaction directly or indirectly employ physicians? If so, each party that directly or indirectly employs physicians should fill out the “Physician Locations Spreadsheet” and upload it in question A(d).
The question asks an entity to report all locations in which it operates in New York. For each location, the Electronic Form asks for gross in-state commercial, Medicare, Medicaid, and other revenue. In addition, if any Party to the Material Transaction employs physicians, the entity is to upload an additional worksheet, titled “Physician Location Spreadsheet”. The spreadsheet requires detailed reporting of physician relationships, including whether the physician is employed or otherwise affiliated with the Party, including their NPI, and hours worked at each location.
Part 4, Section B-Which best describes this transaction?
An acquisition resulting in a Surviving Entity
-For each acquired entity, in the 12-month period preceding the proposed transaction, what is the average contracted commercial payor rate for each service line identified in Question A (a) (v) (“Services Offered at Location”)? Your response should be expressed in a dollar ($) amount.
-For the surviving entity, what is the anticipated overall contracted commercial payor rate by service line in the year immediately following the Material Transaction close date for the Surviving Entity as a result of this transaction?
A merger or other transaction resulting in the formation of a New Entity (“NewCo”)
-For each entity involved in the formation of NewCo, in the 12-month period preceding the proposed transaction, what is the average contracted commercial payor rate for each service line identified in Question A (a) (v) (“Services Offered at Location”)? Your response should be expressed in a dollar ($) amount.
-For the NewCo, what is the anticipated overall contracted commercial payor rate increase in the year immediately following the Material Transaction close date as a result of this transaction? For any commercial rate increases that are expected as a result of the deal, describe in detail (including any differential in rate increases expected by service and/or location, and the degree of the differential).
The question requires the reporting entity to submit confidential and detailed information concerning health plan reimbursements for each “service line.” The Electronic Form does not define what a “service line” is, a term traditionally utilized by hospitals to describe their business segments.
Part 5-Required Documents: Definitive Transaction Document(s) (e.g., Asset Purchase Agreement); Charter and Bylaws; Operating Agreements or Partnership Agreement(s); and Financing Agreements or documents.
-As Applicable Documents: Fairness Opinions, Offering Memoranda, Private Placement Memoranda, Investor Disclosure Statements, and Other Investor Solicitation Materials.
The broad document request covers a host of documents that are treated as highly confidential in the ordinary course of business.
PROFESSIONAL NEGLIGENCE?: Vonage Failed to Honor DNC Requests in a Manner Leading to TCPA Class Action New Lawsuit Claims
So I was reviewing a $90+MM telecommunications services contract for a major brand yesterday.
$90MM folks.
The money in this industry is insane. But so are the stakes.
Fail to set up your system right and face a TCPA class action with damages that may dwarf an 8 figure contract.
Here’s a cautionary tale.
A company called YF FC Operations, LLC, dba YouFit was sued in a TCPA class action down in Florida by Jeniel Petrovich and Mauricio Cardero.
The essence of the allegations, apparently, was that YouFit failed to honor a DNC request received by YouFit via text message.
Not good.
But YouFit didn’t take the issue lying down.
Instead it sued its telecommunications provider – Vonage – for indemnity and professional negligence, claiming that it was Vonage’s fault that the stop notifications at issue in the underlying TCPA class action were not honored.
Per YouFit’s complaint:
On or around July 22, 2023, YouFit engaged Vonage to perform an integration of its systems with YouFit’s CRM provider Hubspot so that YouFit could communicate with its customers and potential customers using a short code (the “Integration”) rather than its toll-free number. The Integration was intended to monitor for the receipt of opt-out text messages from YouFit customers and, upon receipt of an opt-out text message, the customer’s request would be noted in Hubspot and further communication via text would end.
Because of Vonage’s actions, the opt-out messages of Petrovich and Cardero, and potentially thousands of other putative class members, were not recorded in Hubspot as was intended by the Integration. Subsequently, Vonage sent text messages potentially in violation of the TCPA and/or the FTSA.
Now let me just say, I HATE the content of these paragraphs to the extent they essentially concede away critical issues in the TCPA suit.
Why would you admit that “potentially thousands” of individuals received illegal text messages? Literally no reason to do that. Allegations that if anybody received text messages – which should be denied – it was Vonage’s fault would have been sufficient.
But I digress.
The point is that YouFit went straight for the jugular here against Vonage. The Complaint goes on to allege that Vonage shirked its responsibilities to YouFit to defend the suit:
After the Class Action was served on YouFit, YouFit advised Vonage of the Class Action and requested that Vonage assist in the defense and resolution of the Class Action in light of Vonage’s actions. Vonage rejected the request.
Now I am going to guess that Vonage had a contract that disclaimed all liability here, so it will be very interesting to see how this plays out.
Complaint here: Vonage Removal
The bottom line is companies need to be working hand in glove with their telecom platforms to avoid this sort of thing and retaining knowledgeable counsel.
CRITICAL to keep in mind the following when setting up an outreach campaign and to EXPRESSLY set these items out in the MSA or IOs:
Which party is responsible for providing phone numbers to be called? Where will they be sourced from? What level of consent will be required? How will that consent be documented and stored?
Which party is responsible for supplying the DIDs (outpulse phone numbers)? How will they be provisioned? How long will they be kept? Is the use of local touch permitted in the jurisdiction to which calls are made? Who is responsible for assuring that?
Which party is responsible for ingesting, tracking and honoring revocation notifications? How broadly will those revocations be treated? How will multi-channel revocations be handled?
Is the platform to be treated as an ATDS or regulated technology under the TCPA or state laws? If not, who has the risk associated with that assumption? If so, who has the responsibility to assure compliance with applicable consent rules?
Is AI to be used? If not, there should be a clear representation to that effect. If so, there should be a clear articulation of whose responsibility it is to assure training and accuracy of AI model, disclosure of AI usage, and properly documented consents and AI-specific opt outs.
Is telemarketing at issue here? If so, who has responsibility for TSR recordkeeping requirements?
Is outreach to be recorded or reviewed in real time either by the calling party or by any third-party vendor? If so a massive number of state level privacy laws may be triggered – particularly the anti-wiretapping statutes like the California Invasion of Privacy Act. CRITICAL to spot these issues and assign compliance responsibilities between the parties.
These are just a handful of the issues that need to be thought through in virtually any deal. If you’re not working with experienced counsel that knows how to work through these issues you could be in SERIOUS trouble.
Just ask YouFit.
And trust me, suing for indemnity after facing a potentially business-ending lawsuit is not where you want to be. Set expectations. Work with good partners. And, most importantly, work with good counsel. And you should be able to avoid these issues in the first place.
D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
On May 21, 2025, the U.S. District Court for the District of Columbia ruled that two Democrat members of the United States Privacy and Civil Liberties Oversight Board (“PCLOB”) were unlawfully terminated by President Trump.
The plaintiffs, Travis LeBlanc and Edward Felten, argued in their complaint against the PCLOB and others that the President’s termination of their positions on the PCLOB violated federal law and the U.S. Constitution. The court concluded that Congress intended to restrict the President’s power to remove PCLOB members, that the restriction as applied to the plaintiffs is constitutional, and that the plaintiffs’ requested relief is appropriate. Accordingly, the court granted plaintiffs’ motion for summary judgment and denied the defendants’ cross-motion for summary judgment.
In reaching its conclusion, the court reasoned:
In response to the 9/11 Commission Report, Congress created an independent, multimember board of experts and tasked its members with the weighty job of overseeing the government’s counterterrorism actions and policies, and recommending changes to ensure that those actions and policies adequately protect privacy and civil liberties interests. And, as the Court has now concluded, that responsibility is incompatible with at-will removal by the President, because such unfettered authority would make the Board and its members beholden to the very authority it is supposed to oversee on behalf of Congress and the American people. To hold otherwise would be to bless the President’s obvious attempt to exercise power beyond that granted to him by the Constitution and shield the Executive Branch’s counterterrorism actions from independent oversight, public scrutiny, and bipartisan congressional insight regarding those actions. And, when the President contravenes a statutory scheme designed by Congress to ensure that these interests are adequately protected, it is specifically the “province and duty” of the independent Judiciary to “say what the law is.”
Getting Too Personal? Illinois Court Says Family Medical History is Genetic Information
On May 15, 2025, a district court in Illinois denied a motion by defendant Hospital Sisters Health System and Saint Francis (HSHS) to dismiss a class action claim brought against the hospital system under the Illinois Genetic Information Privacy Act (GIPA).
GIPA regulates the use, disclosure, and acquisition of genetic information and has adopted the same definition of genetic information as provided in the federal Health Insurance Portability and Accountability Act (HIPAA):
(i) the individual’s genetic tests; (ii) the genetic tests of family members of the individual; (iii) the manifestation of a disease or disorder in family members of such individual; or (iv) any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
GIPA prohibits employers from soliciting or requesting genetic testing or genetic information of a person or their family members as a condition of employment. GIPA also prohibits employers from changing the terms, conditions, or privileges of employment or terminating the employment of any person due to a person or their family member’s genetic testing or information.
In this case, the plaintiff filed their complaint in December 2024, which states that the hospital system requires potential employees to submit a pre-employment medical examination that an HSHS employee conducts. This examination allegedly entails job applicants being required to disclose information concerning their family medical histories. The plaintiff alleges that she was a job applicant with HSHS and that she, too, was required to submit a medical examination that asked questions about her family’s medical history. These questions reportedly included inquiries on family history of heart disease, asthma, or psychological conditions in the plaintiff’s family.
In its motion to dismiss filed in February 2025, HSHS argued that the generic family medical history questions included in its medical examination are routine medical questions that do not constitute genetic information as protected by GIPA. The court was unconvinced, holding that “these questions involve[d] a clear report of the manifestation of a disease or disorder in a family which is clearly specified in GIPA through its adaptation of HIPAA’s definitions.” In addition, to support its holding, the court noted that the federal Genetic Information Nondiscrimination Act (GINA), which is also incorporated into GIPA, defines the term “family medical history” as “information about the manifestation of disease or disorder” in family members.
Though GIPA litigation has not yet risen to the level of litigation regarding Illinois’ Biometric Information Privacy Act (BIPA), several courts in 2024 have noted that GIPA should apply broadly. In Taylor v. Union Pacific Railroad Co., No. 23-CV-16404, 2024 WL 3425751, (N.D. Ill. July 16, 2024), the court held that GIPA plaintiffs have lenient standing requirements, concluding that BIPA’s definition of “aggrieved persons” – which encompasses individuals who sustained no actual injury beyond a violation of their rights under the statute – applies to GIPA, as well. In McKnight v. United Airlines, Inc., No. 23-CV-16118, 2024 WL 3426807, at *1 (N.D. Ill. July 16, 2024), the court found that individuals outside of Illinois may nonetheless initiate GIPA litigation if the underlying activity “occurred primarily substantially in Illinois” and that GIPA has a five-year statute of limitations.
Employers with ties to Illinois should note that GIPA may apply to them. Any questions about a job applicant’s family medical history may be considered genetic information under the act—even if these questions are intended to be routine health inquiries—and could give rise to a GIPA claim. Pre-employment exams should be structured carefully to avoid running afoul of GIPA and potential class action risks.
FTC Order with GoDaddy Finalized Over Lax Data Security
On May 21, 2025, the Federal Trade Commission (FTC) finalized its order with GoDaddy over allegations that GoDaddy “failed to implement standard data security tools and practices to protect customers’ websites and data.” In a Complaint filed against GoDaddy in January 2025, the FTC alleged that the company had “failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services.”
The allegations against GoDaddy include not implementing multi-factor authentication, monitoring for security threats, and securing connections to consumer data. As a result, GoDaddy suffered several data breaches, which “allowed bad actors to gain unauthorized access to customers’ websites and data.” In addition, the FTC alleged that GoDaddy “deceived” users about its data security practices and compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
Pursuant to the order, GoDaddy is:
Prohibited from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization;
Required to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services; and
Required to hire an independent third-party assessor to conduct reviews of its information-security program.
The FTC voted unanimously, 3-0, to finalize the order. The order emphasizes the FTC’s continued focus on data security and companies’ representations of data security measures to consumers. Therefore, companies may wish to reassess and update data security practices to confirm that they are commercially reasonable and consistent with their assertions to the public.
Data Breach Lawsuits Surge Against Chord Specialty Dental Partners
Pennsylvania-based Chord Specialty Dental Partners is under fire after a September 2024 data breach compromised the personal information of over 173,000 individuals. At least seven proposed class action lawsuits have been filed in federal courts in Tennessee and Pennsylvania, alleging the company failed to secure and protect patient data properly.
The lawsuits claim Chord Dental violated its obligations under state and federal laws, including the Federal Trade Commission (FTC) Act and the Health Insurance Portability and Accountability Act (HIPAA). Plaintiffs argue that the company did not implement reasonable cybersecurity measures or provide timely and sufficient notice of the breach.
Exposed data included names, addresses, Social Security numbers, driver’s license numbers, bank and payment card information, dates of birth, and medical and insurance records.
The plaintiffs claim that they have suffered harm, including out-of-pocket costs, time spent mitigating the damage, emotional distress, and increased risk of identity theft. One plaintiff also seeks to represent a specific subclass of affected Pennsylvania residents.
The suits assert a range of legal claims, from negligence and breach of contract to unjust enrichment. Plaintiffs are seeking damages, restitution, credit monitoring, and court orders requiring stronger data protections.
As legal proceedings unfold, the case highlights ongoing concerns over cybersecurity practices in the healthcare industry—and the steep costs of failing to protect protected health information.
AI Service Provider Faces Class Actions Over Catholic Health Data Breach
AI service provider Serviceaide Inc. faces two proposed class action lawsuits from a data breach tied to Catholic Health System Inc., a nonprofit hospital network in Buffalo, New York. The breach reportedly exposed the personal information of over 480,000 individuals, including patients and employees.
Filed in the U.S. District Court for the Northern District of California, the lawsuits allege that Serviceaide acted negligently and failed to protect sensitive data stored in an Elasticsearch database that was allegedly left publicly accessible for months before the exposure was disclosed.
Serviceaide, which provides AI-driven chatbots and IT support solutions, was contracted by Catholic Health and entrusted with managing protected health information and employment records. Plaintiffs allege that the company delayed notification, waiting seven months after the incident to notify affected individuals. The affected data included patient records and personal information.
The lawsuits allege claims of negligence, breach of implied contract, unjust enrichment, invasion of privacy, and violations of California’s Unfair Competition Law.
Both plaintiffs seek to represent a nationwide class of individuals whose data was compromised and are seeking injunctive relief, damages, and attorneys’ fees.
These lawsuits highlight growing legal exposure for tech firms that handle protected health information, especially as more hospitals and healthcare systems outsource services to AI and cloud vendors. The healthcare sector remains one of the most targeted industries for cyber threats, and breaches involving third-party vendors are drawing increasing legal scrutiny.
Florida Data Broker Fined $46,000 by California Privacy Watchdog
In yet another reminder that California takes data privacy seriously, this month, the California Privacy Protection Agency (CPPA) fined Florida-based data broker Jerico Pictures, Inc. (d/b/a National Public Data) $46,000 for failing to register under the state’s Delete Act.
The fine is the maximum allowed by law and was imposed after the company failed to register with the state’s Data Broker Registry for over 230 days. Registration only occurred after the CPPA’s Enforcement Division contacted the company during an investigation. National Public Data did not contest the allegations, prompting the CPPA Board to issue a default order.
“This case arose under the Delete Act rather than under California’s comprehensive consumer privacy law, [but] the takeaway is the same,” said Michael Macko, head of enforcement at the CPPA. “We will litigate and bring enforcement actions when businesses violate California’s privacy laws.”
The Delete Act, which took effect in 2024, requires data brokers to register annually and pay a fee that supports the California Data Broker Registry. That registry will soon underpin a major consumer privacy tool: the Delete Request and Opt-Out Platform (DROP), launching in 2026. DROP will allow Californians to request that all registered data brokers delete their personal information with a single action.
This enforcement action sends a clear message to data brokers nationwide: comply or face consequences.
Privacy Tip #444 – Best Phishing Campaigns are from HR or IT
Everyone thinks they can spot a phish. Whether it is an email, SMS text, or QR code phishing, people have an overinflated view of their capabilities to detect them.
A new summary by KnowBe4, “What Makes People Click?” provides an insightful review and proves that people still click when curiosity gets the best of them.
According to the summary of top-clicked phishing tests between January and March 2025, phishes impersonating HR or IT are the most successful. People were more likely to interact with links related to internal team topics, open PDFs, HTML files, and .doc Word files and continue to be vulnerable to impersonation of trusted company brands. The companies most likely to be impersonated as part of a successful phishing campaign are Microsoft, LinkedIn, the company the victim works for, Google, and Okta.
And then there are QR codes. Everyone makes fun of me for constantly warning about QR codes, and I am grateful to KnowBe4 for having my back on this one. Its summary illustrates that users continue to be duped into scanning malicious QR codes. The top three successful QR scams are QR codes related to the company’s new drug and alcohol policy, a DocuSign for review and signing, and a happy birthday message from Workday. Please take these statistics to heart and beware of these and similar scams. Think twice before clicking on that Happy Birthday message from Workday.
I frequently conduct employee education sessions and carefully follow KnowBe4’s insights. It always has its finger on the pulse and provides practical solutions in real-time. Review its 1st quarter summary, which is jam-packed with useful information for yourself and your users.
CFPB Reduces Civil Penalty in Settled Remittance Enforcement Action
On May 15, the CFPB issued an amended consent order against an international remittance provider, reducing its civil penalty from $2.025 million to $44,955. The order alleges violations of the Electronic Fund Transfer Act (EFTA), its implementing Regulation E, and the Consumer Financial Protection Act (CFPA).
The amended order replaces the January 2025 consent order (previously discussed here) and significantly reduces the civil money penalty to $44,955, while maintaining approximately $450,000 in required consumer redress. The revised enforcement terms also require the company to overhaul its compliance program, including disclosure practices, refund timing, and error resolution procedures.
Key allegations in the consent order include:
Inaccurate Fee Representations. The company advertised ATM fees that were not applicable to U.S. consumers.
Deficient Disclosures. Required information regarding fees, exchange rates, and contact details was incomplete or inaccurate.
Improper Refund and Error Resolution Practices. The company failed to provide timely refunds and did not properly investigate reported transfer errors.
The amended order imposes a five-year compliance period and mandates the development of a new compliance management system, board oversight, and annual reporting. It also requires enhanced consumer-facing disclosures and timely redress procedures. Respondent must report its progress to the CFPB and remain subject to recordkeeping, audit, and monitoring provisions.
Putting It Into Practice: The amended order reflects the CFPB’s recent shift toward less aggressive enforcement (previously discussed here and here). Nonetheless, the Bureau will continue to prioritize matters involving tangible consumer harm, particularly in areas of mortgage servicing, data furnishing under the FCRA, and debt collection under the FDCPA as outlined in its April 16 internal memo (previously discussed here).
Clock Ticking: DOJ’s New Data Security Rule Requires Compliance by July 8
U.S. companies are running out of time to comply with a sweeping new Department of Justice (DOJ) rule that limits sharing sensitive personal data with certain foreign countries—including China, Russia, and Iran. With a hard compliance deadline of July 8, 2025, businesses must act quickly to avoid steep civil or criminal penalties.
The rule, which is part of a broader DOJ national security initiative, took effect on April 8, 2025. However, the agency is offering a short “good faith” grace period for companies actively working to meet the new requirements. After July 8, enforcement actions can carry fines of up to $1 million and potential prison sentences of up to 20 years.
What the Rule Covers
The DOJ’s data security rule prohibits or restricts U.S. companies from sharing bulk sensitive personal data with individuals or entities from designated “foreign adversary” nations. Affected data types include:
Human genomic and biometric data
Precise geolocation
Health information
Financial data and identifiers like account names and passwords
Logs from fitness apps or wearables
Government-related location data or data linked to U.S. government employees
What Companies Need to Do Now
To comply, businesses can take the following actions:
Audit Data. Identify whether the company stores or transmits regulated data and whether the volumes meet “bulk” thresholds defined by the rule.
Review Contracts and Data-Sharing Agreements. Amend or terminate any transactions or contracts that give covered foreign persons access to sensitive data, including data licensing, brokerage, or research partnerships.
Evaluate Foreign Partnerships. Agreements with non-adversary foreign entities must now include language stating that data will not be passed on to restricted parties.
Assess Vendor and Investment Exposure. Transactions that grant foreign employees, investors, or vendors access to regulated data require strong security controls and may require renegotiation.
Build a Compliance Program. Companies should implement written policies, employee training, and auditing systems and report violations to the DOJ.
With less than two months remaining, companies are urged to determine the next steps for compliance, conduct a comprehensive risk assessment, and review the DOJ’s newly released compliance guide. The DOJ encourages informal inquiries before the deadline but will not review requests for advisory opinions or licenses before July 8.
Companies that handle sensitive personal data must treat the new rule as a top compliance priority or risk serious consequences for the business.
CFPB Proposes to Rescind Risk-Based Supervision Rulemaking
On May 14, the CFPB issued a proposed rule to rescind recent amendments (here, here, and here) to its nonbank supervisory program. The amendments were designed to expand and formalize the Bureau’s process for subjecting nonbank covered persons to supervision under the Consumer Financial Protection Act (CFPA). Under the CFPA, the CFPB is authorized to supervise a nonbank covered person if it has reasonable cause to determine that the nonbank covered person is engaged in financial services-related conduct that poses a risk to consumers. Among other things, the amendments introduced a mechanism for the Director to publicly release final decisions and orders.
Putting It Into Practice: If finalized, the rescission would restore the Bureau’s original 2013 procedures, eliminating the mechanisms for public release of a designation of supervisory oversight over nonbanks the Bureau found posed a “risk to consumers.” Opponents of the rule complained that the Bureau’s procedures were simply a way to name and shame companies that objected to CFPB supervisory oversight. The proposed rollback continues the Bureau’s broader deregulatory trend, following the withdrawal of rules and guidance documents introduced under prior leadership (previously discussed here, here, and here).