On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after determining that a cybersecurity incident has occurred. A cybersecurity incident is an event that (i) has a material adverse impact on the normal operations of the hospital; (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems. In addition, hospitals will need to come into compliance with new cybersecurity requirements within one year.

Click here to read the Ropes & Gray client alert for more details on these regulations.

On June 28, 2024, Pennsylvania enacted amendments to its Breach of Personal Information Notification Act (“BPINA”). These amendments contain a number of significant changes, including clarifying a key definition, adding a new notification obligation to the Attorney General, requiring organizations to provide credit monitoring services, and reducing the threshold to notify consumer reporting agencies. These amendments—which take effect today, September 26, 2024—bring Pennsylvania in line with many other states that have taken steps to strengthen their respective data breach notification laws.

Continue Reading Pennsylvania Strengthens Data Breach Notification Law

Rohan Massey and Edward Machin, partner and counsel in Ropes & Gray’s data, privacy & cybersecurity practice, will be hosting a webinar on The EU AI Act – The Road to Compliance. The EU AI Act entered into force on August 1st, 2024. The Act is the first piece of comprehensive legislation to regulate the development, deployment and use of AI systems, and seeks to ensure that these systems are safe, transparent, traceable, non-discriminatory and environmentally friendly. Organizations now have a timeline for compliance of between 6 and 24 months, depending on the role they play under the Act and the risk and capabilities of their AI systems. This session will look at the requirements of the EU AI Act, its extra-territorial application and possible sanctions for non-compliance – and will provide an overview of what steps organizations should be taking now to ensure that they can comply with the Act.

The webinar will take place on September 18, 2024, 12-1pm ET. Click here to register.

We request all attendees register by September 16. For any questions, please email Tierney.DeRobertis@ropesgray.com.

Ropes & Gray data, privacy & cybersecurity associate Matthew Cin spoke with Law360 about Illinois’s recent amendments to its Biometric Information Privacy Act (BIPA). Ever since it was enacted in 2008, BIPA, which can restrict companies from collecting and sharing biometric data without data subjects’ consent, has been a source of privacy-related litigation and has prompted confusion around what constitutes a violation for the purpose of calculating damages. The amendments, which were signed into law earlier this month, provide clarity that a company only violates the statute once, even if it collects biometric data multiple times from the same person using the same means. Read the full Law360 article here, and see further analysis of the amendments in our blog post here.

On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step toward correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended, now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.

Continue Reading Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas

On July 9, 2024, the White House Office of Science and Technology Policy (“OSTP”) issued highly anticipated final guidelines setting forth a framework under which academic research institutions must establish and operate formal research security programs (the “Final Guidelines”).1 These final guidelines will be critically important to research operations at universities, academic medical centers, and other research institutions, and will affect the daily operations of, for example, such institutional offices as information technology, privacy, sponsored research, international programs, in-house legal counsel, export controls, and faculty affairs. Specifically, the Final Guidelines establish a definition of “Covered Institution” and outline standardized requirements that institutions must adopt relating to (1) cybersecurity; (2) foreign travel security; (3) research security training; and (4) export control training.

We have prepared a timeline of the implementation deadlines set forth in the Final Guidelines at the end of this Alert. Click here to read.

Last Friday arrived with the crash of millions of Windows computers used by companies across the globe, including critical infrastructure sectors such as hospitals, banks, airlines, and government agencies. Although the cause was quickly retracted, cascading effects continued throughout the day and into the weekend, demonstrating the widespread impact and significant business interruption losses. The outage is expected to trigger more stringent cybersecurity regulations, changes in cybersecurity governance, and adjustments to cyber insurance policies.

Continue Reading Navigating Cyber Risks: Learning from Outages

On April 4, 2024, the Federal Communications Commission (“FCC”) adopted new rules updating the Telephone Consumer Protection Act’s (“TCPA”) requirements regarding a consumer’s ability to revoke consent to receive calls and messages (collectively “messages”). Generally speaking, the TCPA in part restricts messages sent using an automated telephone dialing system absent the organization obtaining the necessary prior consent from the consumer. Importantly, the rules (1) further clarify the ways in which a consumer may revoke consent; (2) require that organizations honor requests within a reasonable time; and (3) clarify the process by which organizations can confirm the scope of a consumer’s request to revoke consent to receive further messages. We unpack these key developments in more detail below.

Continue Reading FCC Provides Long-Awaited Clarification on Revocation of Consent

With the Rhode Island Data Transparency and Privacy Protection Act (the “Act”), Rhode Island is the latest state to pass a comprehensive privacy law and join the evolving U.S. privacy landscape. The Act will take effect on January 1, 2026, the same date as the Indiana and Kentucky privacy laws.

Continue Reading Rhode Island Joins the Fray with New Comprehensive State Privacy Law

On 12 July 2024, the EU AI Act (“AI Act”) was published in the Official Journal of the European Union. As the AI Act will enter into force 20 days from the date of its publication (1 August 2024), this starts the clock for organisations within the scope of the AI Act to prepare for compliance.

The exact amount of time organisations have to comply with their relevant provisions under the AI Act will depend on the role they play under the AI Act, as well as the risk and capabilities of their AI systems. For example, providers[1] of general-purpose AI systems will be required to comply with the requirements of the AI Act before providers of high-risk AI systems.

Continue Reading EU AI Act Published in the Official Journal of the European Union; Clock Starts for Compliance