Tougher laws, bigger penalties: A look at the latest data privacy compliance trends

Blog Post

State legislatures and federal regulators continue to tighten data breach notification requirements and enforce compliance with privacy and security rules. Below are recent notable developments from California and Oklahoma proposing stricter timelines for breach notifications, as well as a significant HIPAA enforcement action by the U.S. Department of Health and Human Services against Warby Parker.

Proposal to amend California breach notification law

The California state Senate Judiciary Committee voted to approve a bill that would require data breaches to be disclosed within 30 calendar days of discovery or notification of the data breach, with exceptions provided for accommodating the needs of law enforcement or "as necessary to determine the scope of the breach and restore the reasonable integrity of the data system" (CPR, April 8). The bill, S.B. 446 Reg Sess., also provides that, in cases where a controller is required to issue a notification to more than 500 California residents, a sample of the notice sent to such residents must be submitted to the attorney general within 15 calendar days of discovery or notification of the breach. Existing law requires the submission of the sample notice but does not specify a due date.

Proposal to amend Oklahoma's breach notification law

In Oklahoma, the state House Appropriations Committee voted on April 7 to approve an amendment to the state's breach notification law that requires entities experiencing a data breach to notify the state attorney general of the breach within 60 days after providing notice to impacted residents (CPR, April 9). The bill provides exemptions from the 60-day requirement for breaches affecting fewer than 500 residents or 1,000 residents in the case of credit bureaus.

HHS $1.5 million civil penalty against Warby Parker

On February 20, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $1.5 million civil penalty against Warby Parker Inc. after a cyberattack compromised the ePHI of almost 200,000 Warby Parker customers. OCR's investigation found that from September to November 2018, unauthorized third parties accessed Warby Parker customer accounts by reusing credentials obtained from data breaches at other websites, a tactic known as "credential stuffing." The ePHI that was potentially compromised included customers' names, addresses, payment card details, and eyewear prescription information. Warby Parker subsequently reported additional credential stuffing attacks to OCR in September 2019, January 2020, April 2020, and June 2022, each of which led to unauthorized access to ePHI.

OCR determined that Warby Parker violated three provisions of the HIPAA Security Rule. Specifically, OCR found that Warby Parker failed to: (1) conduct an accurate and thorough risk analysis to identify the potential risks and vulnerabilities to ePHI in Warby Parker's systems; (2) implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; and (3) implement procedures to regularly review records of information system activity.
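The third finding above, failure to regularly review records of information system activity, is the one a security team can act on directly: credential stuffing leaves a distinctive trace in authentication logs (one source address cycling through many different usernames with mostly failed logins in a short span), and any successful login from such a source marks an account that should be treated as compromised and reset. The following is an added example, not code from the original post or from Warby Parker, that runs that review over a small set of constructed log records; the record format, field names and thresholds are assumptions chosen for illustration.

```python
"""Review authentication records for credential-stuffing indicators.

Added example (not from the original post). A single source address
attempting many distinct usernames with a high failure rate inside a short
window is the classic stuffing signature; successes from that source are
accounts to treat as compromised.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format:
#   <ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<account> src=<source IP>
# Addresses are documentation ranges; none of this is real data.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z LOGIN_FAIL user=alice@example.test src=203.0.113.7
2025-01-10T08:00:02Z LOGIN_FAIL user=bob@example.test src=203.0.113.7
2025-01-10T08:00:03Z LOGIN_OK user=carol@example.test src=203.0.113.7
2025-01-10T08:00:04Z LOGIN_FAIL user=dave@example.test src=203.0.113.7
2025-01-10T08:00:05Z LOGIN_FAIL user=erin@example.test src=203.0.113.7
2025-01-10T08:00:06Z LOGIN_FAIL user=frank@example.test src=203.0.113.7
2025-01-10T08:00:07Z LOGIN_FAIL user=grace@example.test src=203.0.113.7
2025-01-10T08:00:08Z LOGIN_FAIL user=heidi@example.test src=203.0.113.7
2025-01-10T08:05:00Z LOGIN_FAIL user=alice@example.test src=198.51.100.20
2025-01-10T08:05:20Z LOGIN_OK user=alice@example.test src=198.51.100.20
2025-01-10T09:30:00Z LOGIN_OK user=bob@example.test src=198.51.100.21
"""


@dataclass
class AuthEvent:
    ts: datetime
    outcome: str
    user: str
    src: str


def parse_line(line: str) -> AuthEvent:
    """Parse one record of the assumed log format into an AuthEvent."""
    ts_text, outcome, user_kv, src_kv = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return AuthEvent(ts, outcome, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=10),
                               min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.75) -> dict:
    """Return {source_ip: summary} for sources showing a stuffing pattern.

    A source is flagged when, within any `window`-long run of its events,
    it tried at least `min_distinct_users` different accounts and at least
    `min_fail_ratio` of those attempts failed. The summary lists accounts
    that logged in successfully from the flagged source.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        # Sliding window over this source's events, ordered by time.
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            failures = sum(e.outcome == "LOGIN_FAIL" for e in chunk)
            if len(users) >= min_distinct_users and failures / len(chunk) >= min_fail_ratio:
                # Keep the largest qualifying window seen for this source.
                if src not in findings or len(chunk) > findings[src]["attempts"]:
                    findings[src] = {
                        "attempts": len(chunk),
                        "distinct_users": len(users),
                        "failures": failures,
                        "compromised_accounts": sorted(
                            e.user for e in chunk if e.outcome == "LOGIN_OK"),
                    }
    return findings


if __name__ == "__main__":
    for src, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, summary)
```

On the constructed sample, only 203.0.113.7 is flagged (eight attempts against eight accounts, seven failures), and carol@example.test is reported as the account to reset and investigate; the single failed-then-successful login from 198.51.100.20 is a normal user mistyping a password and is left alone. In practice the thresholds should be tuned against the organization's own baseline, and the review should run on a schedule, since a documented, recurring review of these records is exactly what the OCR finding calls for.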

Takeaway: It is essential that companies subject to HIPAA have a comprehensive HIPAA compliance program in place, conduct regular risk assessments, and maintain appropriate security controls to protect health information. Covered Entities should carry out the following remediation activities after a ransomware or other serious cyberattack:

  1. Immediately conduct a risk assessment (performed by a third party where possible) after the incident. This must include an analysis of compliance with the Security and Privacy Rules.
  2. Document the remediation plan and the dates of remediation activities.
  3. Ensure the root cause of the incident is remediated and document that remediation.

Attorneys from McDonald Hopkins' national data privacy and cybersecurity practice group will continue to monitor and report on recent data security and compliance developments.
