Risk Analysis in the Crosshairs: Four Recent Ransomware Resolutions Preview the HIPAA Security Rule Amendments
On April 23, 2026, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced resolution agreements and corrective action plans with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlements are the culmination of OCR investigations into separate ransomware breaches collectively affecting more than 427,000 individuals and involving the exposure of unsecured electronic protected health information (ePHI) – demographic data, Social Security numbers, financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities agreed to implement corrective action plans subject to OCR monitoring for two years and pay a total resolution amount of $1,165,000 to OCR.
Michael C. Hochman
Washington, D.C.
michael.hochman@sidley.com
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com
Brad A. Carney
Washington, D.C.
brad.carney@sidley.com
New York Department of Financial Services Issues Coordinated Guidance on Frontier AI Cybersecurity Risks
On May 21, 2026, the New York State Department of Financial Services (“DFS”) issued two coordinated Industry Letters: a letter on Heightened Cybersecurity Risks Associated with Frontier AI Models (the “AI Advisory”) and accompanying Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment (the “Guidance,” and together, the “May 2026 Publications”). The AI Advisory builds on DFS’s October 2024 guidance on cybersecurity risks arising from AI, but is narrower in focus. Specifically, it addresses frontier models that may materially increase the speed and effectiveness of vulnerability discovery and exploitation.
David Lashway
Washington, D.C.
dlashway@sidley.com
Jennifer B. Seale
Washington, D.C.
jseale@sidley.com
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com
Chambers 2026 Global Practice Guide for Artificial Intelligence
The Chambers 2026 Global Practice Guide for Artificial Intelligence provides the latest legal information on the rapidly evolving AI landscape, covering the commercial use of AI across key industries, AI-specific legislation and regulation, government and regulatory oversight, generative AI, agentic AI systems and autonomous decision-making, liability, procurement and supply chain accountability, employment, IP, data protection, antitrust, cybersecurity, ESG, and AI governance and compliance.
Colleen T. Brown
Washington, D.C.
ctbrown@sidley.com
Michael C. Hochman
Washington, D.C.
michael.hochman@sidley.com
Brittany A. Bolen
Washington, D.C.
bbolen@sidley.com
Jack W. Pirozzolo
Boston
jpirozzolo@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Garrett Lance
Washington, D.C.
glance@sidley.com
Stephanie Y. Lim
New York
stephanie.lim@sidley.com
Scientific Research and the GDPR: EDPB Issues Long-Awaited Guidelines
On 15 April 2026, the European Data Protection Board (“EDPB”) published its long-awaited draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (the “Guidelines”), marking the most comprehensive regulatory statement to date on how the GDPR applies to scientific research activities.
Francesca Blythe
London
fblythe@sidley.com
Eleanor Dodding
London
edodding@sidley.com
Preparing for the UK’s New Data Protection Complaints Regime: Key Steps Before June 2026
The Data (Use and Access) Act 2025 (“DUAA”) has made a number of changes to the UK’s data protection regime, many of which have already come into force. From 19 June 2026, organisations will need to implement or update their data protection complaints procedure to align with the new DUAA requirements which provide a mechanism for complaints made directly to a controller. This new requirement is supported by recent guidance from the UK Information Commissioner’s Office (“ICO”). This marks a shift towards a more formalised, controller-led complaints-handling framework, requiring organisations to treat certain expressions of dissatisfaction as regulated complaints with defined procedural obligations.
Francesca Blythe
London
fblythe@sidley.com
William RM Long
London
wlong@sidley.com
Eleanor Dodding
London
edodding@sidley.com
U.S. SEC Regulation S-P: Compliance Deadline Approaching for Smaller Entities
The U.S. Securities and Exchange Commission has issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (the Final Amendments), which became effective on August 2, 2024. For smaller entities, including registered investment advisers with less than $1.5 billion in assets under management, as well as certain broker-dealers and other SEC-regulated entities, the compliance deadline is June 3, 2026. The compliance deadline for larger entities was December 3, 2025. For a full list of entities required to comply, please see the June 4, 2024 Sidley Update.
Ranah Esmaili
Washington, D.C., New York
resmaili@sidley.com
Jonathan M. Wilan
Washington, D.C.
jwilan@sidley.com
Victoria A. Anglin
Los Angeles
vanglin@sidley.com
European Biotech Act I: Navigating the EDPB/EDPS Vision for the Future of Clinical Trials
On 12 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion (the “Joint Opinion”) on the proposed European Biotech Act I (the “Biotech Act”). The Joint Opinion broadly supports the EU’s ambition to strengthen its biotechnology sector. However, it emphasises that data protection safeguards must be tightened, particularly where health data is involved. The recommendations signal forthcoming scrutiny during the legislative process and highlight key compliance considerations for organisations involved in clinical trials.
Francesca Blythe
London
fblythe@sidley.com
Josefine Sommer
Brussels
jsommer@sidley.com
U.S. SEC Clears Path for Decentralized Crypto Asset Security Trading With Broker Registration Exception for User Interfaces
On April 13, 2026, the staff of the Division of Trading and Markets (Staff) of the U.S. Securities and Exchange Commission (SEC or the Commission) issued a statement (Statement) that it would not object to certain technology providers — referred to as “Covered User Interface Providers” — creating, offering, and/or operating software interfaces that allow users to prepare and submit transactions in crypto asset securities without registering as broker-dealers.
Lilya Tessler
Dallas, Miami
ltessler@sidley.com
Andrew P. Blake
Washington, D.C.
ablake@sidley.com
Kate Lashley
Miami, New York
klashley@sidley.com
Andrew J. Sioson
Washington, D.C.
asioson@sidley.com
Charles A. Sommers
Washington, D.C.
csommers@sidley.com
Nicole K. Chipi
Miami
nchipi@sidley.com
Alec J. Silvester
Miami
asilvester@sidley.com