A new direction for privacy laws?

https://www.cpomagazine.com/data-protection/my-health-my-data-washington-poised-to-upend-how-companys-handle-health-information/

My Health My Data! Washington Poised to Upend How Company’s Handle Health Information

Adding to the ever increasing sea of state-sponsored privacy regulations, the state of Washington in April threw its hat in the privacy ring, or rather, its net in the water. Instead of a tailored regulation, however, Washington’s My Health My Data Act (“MHMDA”) is the legislative equivalent of bottom trawling—casting a net so wide that it threatens to engulf businesses from nearly every sector.

Supporters have billed MHMDA as providing necessary protection for health data not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) in the wake of the Supreme Court’s Dobbs v. Jackson Women’s Health Organization which overturned its ruling in Roe v. Wade. MHMDA’s broad scope and definitions, however, will undoubtedly expand its reach to data not normally considered health data and businesses who do not traditionally consider themselves to be health care providers or to be collecting consumer health data. And given the expansive private right of action given to consumers, MHMDA is sure to create a new wave of privacy class action litigations.

Either they never had a plan to save these emails or the plan was horribly inadequate.

https://www.theregister.com/2023/06/26/jp_morgan_fined_for_deleting/

JP Morgan accidentally deletes evidence in multi-million record retention screwup

JP Morgan has been fined $4 million by the US Securities and Exchange Commission (SEC) for deleting millions of email records dating from 2018 relating to its Chase Bank subsidiary.

The Financial services outfit apparently deleted somewhere in the region of 47 million electronic communications records from about 8,700 electronic mailboxes covering the period January 1 through to April 23, 2018.

Many of these, it turns out, were business records that were required to be retained under the Securities Exchange Act of 1934, the SEC said in a filing [PDF] detailing its ruling.

Worse still, the stuffup meant that it couldn't produce evidence that that the SEC and others subpoenaed in their investigations. "In at least 12 civil securities-related regulatory investigations, eight of which were conducted by the Commission staff, JPMorgan received subpoenas and document requests for communications which could not be retrieved or produced because they had been deleted permanently," the SEC says.