Joseph Lazzarotti of JacksonLewis writes: State breach-notification laws continue to evolve, and legislatures are using 2026 sessions to tighten consumer protections and shift the civil liability landscape that often follows a cyber event. For businesses, the practical takeaway is that incident response planning increasingly needs to account not only for “whether notice is required,” but...

Source

Alexander Martin reports: The British government’s plans to overhaul the country’s main cybercrime law would offer such narrow legal protections that most security researchers would be left in the same position as today, multiple sources briefed on the proposals have told Recorded Future News. Plans to amend the Computer Misuse Act 1990 were announced in the...

Source

Troutman Pepper Locke writes: In Part One of this series, we discussed how wellness products sit at the intersection of Food and Drug Administration (FDA), Health Insurance Portability and Accountability Act (HIPAA), Federal Trade Commission (FTC), and state privacy/breach laws. In Part Two, we analyzed FDA’s 2026 General Wellness guidance and what it means for device-level cybersecurity expectations....

Source

There’s an update to a lawsuit involving Blue Cross Blue Shield of Montana’s parent company, HCSC, and Montana’s state auditor. As previously reported, after BCBSMT notified the state of the Conduent breach that had affected 462,000 members, the state auditor opened an investigation into whether the notification to the state was timely. HCSC claimed the...

Source

CPI reports: Connecticut Attorney General William Tong has issued a sweeping advisory clarifying that businesses deploying artificial intelligence systems remain fully subject to the state’s existing legal framework—even in the absence of a comprehensive, AI-specific statute. The guidance, as analyzed by Squire Patton Boggs, underscores a central message for compliance officers and in-house counsel: AI does...

Source

Siobhan Harms reports: The Ohio Auditor of State’s Office will begin evaluating school districts’ cybersecurity policies in July. As outlined by House Bill 96, districts had to implement a cybersecurity program that safeguards the district’s data, information technology and information technology resources to ensure availability, confidentiality and integrity. The law reads, “The program shall be...

Source

The IAPP writes: Last year, the California Privacy Protection Agency adopted a major new rule requiring certain businesses to conduct an annual cybersecurity audit. The rule went into effect 1 Jan. 2026. This pioneering requirement, the first of its kind among state data privacy laws of general applicability, may entail substantial compliance efforts for affected companies to...

Source

From HHS OCR: This video presentation is intended to raise awareness and provide practical education to HIPAA covered entities and business associates of the HIPAA Security Rule’s Risk Management requirement. Like risk analysis, effective risk management is an essential component of both HIPAA Security Rule compliance and broader cybersecurity preparedness. Risk management is a critical step not only for...

Source

A press release on April 6, 2026 from Maine House Democrats:  On Thursday, the Maine House voted unanimously to advance a bill from Rep. Julie McCabe, D-Lewiston, that would help prevent cybersecurity attacks on Maine hospitals and ensure continuity of patient care when future cyberattacks occur. As amended, LD 2103 would require Maine hospitals to adopt a...

Source