This year, our focus is simple: privacy with a purpose.
For us, that means two things.
Privacy With a Purpose: Data Privacy Day 2026
Oklahoma Amends Data Breach Notification Statute
Key point: Oklahoma recently updated its breach notification statute for the first time since enactment, aligning with broader state trends and underscoring the ongoing, continuous review of data breach notification laws by lawmakers.
Effective January 1, 2026, Oklahoma’s Senate Bill 626 substantially revises the state’s data breach notification statute by expanding the definition of personal information, introducing a regulatory notice requirement, and updating safe-harbor exemptions. The amendments are the first changes to the law since it was enacted in 2008 and are consistent with trends in other states in recent years. For example, California adopted similar amendments set to take effect on January 1, 2026.
The below article provides an overview of the amendments.
Third Circuit Provides Helpful Guidance on the “Party Exception” to Wiretap Liability and What Constitutes “Medical Information” Under the CMIA
Key point: The Third Circuit Court of Appeals recently issued an opinion affirming the dismissal of a class action complaint asserting both California Invasion of Privacy Act (CIPA) and California Medical Information Act (CMIA) claims, providing helpful guidance on the application of the “party exception” defense to a wiretap claim, as well as the meaning of “medical information” under the CMIA claim.
Fourth Circuit Finds Public Disclosure Required for Standing in Data Breach Case
Key point: Courts are concluding that not all data breaches should result in a lawsuit. Businesses need to consider causation and damages when responding to an incident and take steps to determine if there is no evidence of harm or traceability including on a class wide basis.
Important Guidance on Third-Party Service Provider Cyber Risk
Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.
On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) for managing their cybersecurity risk related to third-party service providers (“TPSPs”). Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers | Department of Financial Services specifically includes the covered entity’s use of cloud, file transfer, AI and fintech providers (“Guidance”). According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.
3 Takeaways From Recent Cyberattacks On Healthcare Cos.
Published in Law360 on June 4, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.
Significant data breaches have affected major players in the healthcare industry in the last year, with the methods of attack being as diverse as the affected entities themselves.
FTC Settlement Spotlights Security of APIs Proliferating Across the Internet
Jim Shreve and Joel Lutz, attorneys with Troutman Pepper, were quoted in the March 5, 2025 Cybersecurity Law Report article, “FTC Settlement Spotlights Security of APIs Proliferating Across the Internet.”