In this episode of The Consumer Finance Podcast, Chris Willis is joined by Troutman Pepper Locke Partners Stefanie Jackman and Brent Hoard to take a close look at the world of medical debt collection. The discussion covers how HIPAA applies to medical debt, what it really means to be a “business associate,” and common privacy challenges that can turn routine collection efforts into regulatory headaches. They also focus on key federal and state debt collection regimes, including the FDCPA, the No Surprises Act, and increasingly complex credit reporting requirements. The group provides insight on collection strategies for health care providers and third-party collectors that are both compliant and workable in practice. For anyone handling medical-related receivables, this episode serves as a practical guide to safeguarding patient information, maintaining tax-exempt status, and enhancing collections while staying within regulatory boundaries.

In Parts 1-3 of this series, we covered the mechanics of the CCPA’s new cybersecurity audit requirement: who is covered, when audits are required, what must be audited, who can perform the audit, how it fits with existing security frameworks, and what needs to be documented.

A federal court in Michigan significantly narrowed Michigan Attorney General (AG) Dana Nessel’s privacy and consumer protection case against Roku, Inc. (Roku), dismissing all non-Children’s Online Privacy Protection Act (COPPA) claims for lack of standing while allowing the state’s privacy claims under COPPA to proceed. The decision highlights COPPA’s utility as a vehicle for state AGs to bring enforcement actions in federal court, while also underscoring the jurisdictional limits on bringing companion state privacy and consumer protection claims in the same forum.

In Part 1 of this series, we outlined the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: who is covered, when audits are required, and the key obligations to keep in mind. In Part 2, we explored the mechanics and explained what the California Privacy Protection Agency (CalPrivacy) expects the cybersecurity audit to look like in practice, including what must be evaluated, who may conduct the audit, how thorough it must be, and what goes into the audit report.

On March 16, 2026, New York Attorney General (AG) Letitia James rallied in support of the “One Fair Price Package” — a pair of bills aimed at curbing algorithmic and surveillance pricing in New York. Together, the bills would prohibit the use of personalized algorithmic pricing based on consumer data, ban electronic shelf labels in large food and drug retailers, and create robust enforcement mechanisms and private rights of action. The announcement from New York comes shortly after New Jersey Governor Mikie Sherrill backed legislation to ban what she has called “surveillance” pricing, and after California Attorney General Rob Bonta announced an investigative sweep focused on businesses that use consumer data to individualize prices for their goods or services earlier this year.

In Part 1 of this series, we walked through the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: which businesses are covered, when audits are required, and the high-level obligations to have on your radar.

This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.

Key Point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to carefully review their compliance in view of the NYDFS interpretations and guidance.

This article takes the next step and focuses on what businesses can do before an incident to structure their vendor relationships and IR plans in alignment with these key legal lessons. We focus on four core IR vendor types: digital forensics vendors, restoration vendors, public relations (PR)/communications firms, and data mining/data review vendors.

Reprinted with permission from the February 9, 2026 edition of The Legal Intelligencer. © 2026 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For permission to reprint or license this article, please contact 877-256-2472 or asset-and-logo-licensing@alm.com.

Investigations led by counsel, triggered by legal risk, and designed to elicit legal advice remain protected, even if their findings later inform business decisions. For cyber incidents, FirstEnergy outlines how to structure IR investigations to maximize privilege and work product protection while supporting an effective technical and business response.