Sasha Hondagneu-Messner, Author at Data Matters Privacy Blog

About Sasha Hondagneu-Messner

New York

Entries by Sasha Hondagneu-Messner

01 06 '26

Risk Analysis in the Crosshairs: Four Recent Ransomware Resolutions Preview the HIPAA Security Rule Amendments

June 1, 2026/in Health Privacy, HHS, OCR, Personal Data/by Sasha Hondagneu-Messner

On April 23, 2026, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced resolution agreements and corrective action plans with four regulated entities following separate ransomware investigations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlements are the culmination of OCR investigations into separate ransomware breaches collectively affecting more than 427,000 individuals and involving the exposure of unsecured electronic protected health information (ePHI) – demographic data, Social Security numbers, financial information, lab results, medications, and diagnoses or conditions. Under the settlements, the regulated entities agreed to implement corrective action plans subject to OCR monitoring for two years and pay a total resolution amount of $1,165,000 to OCR.

28 05 '26

New York Department of Financial Services Issues Coordinated Guidance on Frontier AI Cybersecurity Risks

May 28, 2026/in AI, Cybersecurity, Financial Sector, Information Security, Technology/by Sasha Hondagneu-Messner

On May 21, 2026, the New York State Department of Financial Services (“DFS”) issued two coordinated Industry Letters: a letter on Heightened Cybersecurity Risks Associated with Frontier AI Models (the […]

23 10 '25

New York Department of Financial Services (NYDFS) Clarifies Expectations for Third-Party Cybersecurity Risks Under its Cybersecurity Regulation, and Additional Amendments Go into Effect on November 1, 2025

October 23, 2025/in Cybersecurity, Financial Sector, Information Security/by Sasha Hondagneu-Messner

On October 21, 2025, NYDFS, the New York State agency responsible for regulating financial services and products, issued an Industry Letter clarifying how “Covered Entities”[1] should manage cybersecurity risks arising […]

31 07 '25

A Mid-Year Privacy Check-In – Important Developments and New Compliance Obligations for Privacy Laws

July 31, 2025/in AI, Biometrics, CCPA, Children’s Privacy, Health Privacy, Online Privacy, U.S. State Law/by Sasha Hondagneu-Messner

During the first half of 2025, state legislators and regulators have been working overtime to enact new data privacy laws and expand existing laws, all of which are likely to […]

29 07 '25

California Privacy Protection Agency Advances Substantial Rulemaking – Cyber Audits, Risk Assessments, New Automated Decisionmaking Technologies Rights, and More

July 29, 2025/in AI, Automated Decisionmaking, CCPA, Cybersecurity, Online Privacy, Policy, U.S. State Privacy Laws/by Sasha Hondagneu-Messner

The California Privacy Protection Agency (Agency) on Thursday, July 24, 2025, approved a comprehensive set of new California Consumer Privacy Act (CCPA) regulations that the Agency has been developing for […]

13 08 '24

New York Attorney General Publishes Guide to Avoid “Key Mistakes” Regarding Online Tracking Technologies

August 13, 2024/in Enforcement, FTC, Litigation, Online Privacy, State Privacy Laws/by Sasha Hondagneu-Messner

On July 30, 2024, New York Attorney General Letitia James announced website privacy guides for New York consumers and businesses. The guides, a business-focused Business Guide to Website Privacy Controls […]

05 06 '24

U.S. SEC Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information Amendments Adopted

June 5, 2024/in Compliance, Consumer Protection, Financial Privacy, Regulatory, SEC/by Sasha Hondagneu-Messner

On May 16, 2024, the U.S. Securities and Exchange Commission (SEC) adopted amendments to its Regulation S-P. These final amendments impose significant cybersecurity requirements for several SEC-registered entities and transfer […]

07 03 '24

FTC Proposes Significant and Sweeping Changes to COPPA and Requests Public Comment

March 7, 2024/in Children’s Privacy, Cybersecurity, Enforcement, FTC, Information Security, Online Privacy, Policy, Regulatory/by Sasha Hondagneu-Messner

On January 11, 2024, the Federal Trade Commission (“FTC”) published its Notice of Proposed Rule Making (“NPRM”) seeking to update the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule in […]

31 07 '23

U.S. SEC Public Company Cybersecurity Disclosure Regulation Finalized With Swift Effective Date

July 31, 2023/in Compliance, Cybersecurity, Data Breaches, Governance, Policy, Public Companies, Regulation, SEC/by Sasha Hondagneu-Messner

On July 26, 2023, the U.S. Securities and Exchange Commission finalized its rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the Final Rule), which will become effective […]

29 06 '23

SEC Delays Enactment of Cyber Rules Related to Investment Adviser and Public Companies to October 2023, Updates Timeline to April 2024 for Recently Proposed Cybersecurity Rules

June 29, 2023/in Cybersecurity, Data Breaches, Policy, Regulation, SEC/by Sasha Hondagneu-Messner

On June 13, 2023, the Office of Management and Budget released its Spring 2023 Unified Agenda of Regulatory and Deregulatory Actions, which includes updates on Securities and Exchange Commission (“SEC”) […]