The National Institute of Standards and Technology (NIST) has been a leading voice in cybersecurity standards since 2013, when President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity tasked NIST, which is embedded within the Department of Commerce, with developing and updating a cybersecurity framework for reducing cyber risks to critical infrastructure. The first iteration of that framework was released in 2014, and Versions 1.1 and 2.0 followed in 2018 and 2024. NIST guidance has also expanded to include a privacy framework, released in 2020, and an AI risk management framework, released in 2023. This year, NIST made updates to both its cybersecurity and AI risk management frameworks and created a holistic data governance model that aims to provide a comprehensive approach for entities to address issues like data quality, privacy, security, and compliance, leveraging the various NIST frameworks under a unified data governance structure to help framework users address broader organizational risks. A retrospective of these developments and predictions for 2025 are detailed in this post.

Continue Reading A Very Merry NISTmas: 2024 Updates to the Cybersecurity and AI Framework

Data breaches made headlines throughout 2024, affecting governments, health care groups, and telecoms. Follow-on litigation has kept pace. Nearly 4,000 class actions involving data privacy issues are estimated to be filed in federal courts by the end of this year.

Growth in litigation meant that 2024 saw legal developments in several areas including standing to sue and web video suits. Increased attention on cybersecurity and privacy incidents unsurprisingly corresponded with active SEC enforcement and derivative suits related to inadequate data security.

Continue Reading Unwrapping 2024’s Key Trends in Data Privacy Litigation

Over the next few weeks, Ropes & Gray’s data, privacy, and cybersecurity team will bring you unique blogs reviewing key trends and developments in data protection. This year, each daily blog will focus on a specific set of legal developments or a regulated sector. These blogs will track topics covered by 12 of the 30+ chapters in PLI’s new edition of its cyber law treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk.

The treatise, edited by Ropes & Gray data, privacy and cybersecurity partners Ed McNicholas and Fran Faircloth, is an annually updated, practical guide to the laws and regulations in the U.S. and abroad that govern cybersecurity as well as strategies to bolster your defenses against cyber risk. The new edition, which was just released, adds several new chapters and material related to additional regulated sectors and developments. Stay tuned over the next few weeks for bite-size breakdowns of our most relevant chapters, and for more information on the new edition click here.

We are making our list and checking it twice, so make sure you are subscribed to www.RopesDataPhiles.com to get alerts about the latest posts.

On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This follows the DOJ’s publication of its Advance Notice of Proposed Rulemaking earlier this year. Comments to the proposed rule are due on November 29, 2024.

Click here to read the full Ropes & Gray client alert for more details.

On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements concern the issuers’ disclosures relating to cybersecurity risks and intrusions following the December 2020 SUNBURST cybersecurity incident, which affected customers of SolarWinds’ Orion software. Alleging that the issuers “negligently minimized” the impacts of the breach, the SEC levied civil monetary penalties ranging from $990,000 to $4 million. Each settled order credits the issuers with cooperating in the SEC’s investigation. A dissent by Commissioners Hester Peirce and Mark Uyeda criticizes the majority for playing “Monday morning quarterback.”

As the first cybersecurity-related settlements of the agency’s new fiscal year, these cases illustrate the SEC’s continued focus on disclosure of cyber incidents. Click here to read the full Ropes & Gray client alert.

On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after determining that a cybersecurity incident has occurred. A cybersecurity incident is an event that (i) has a material adverse impact on the normal operations of the hospital; (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems. In addition, hospitals will need to come into compliance with new cybersecurity requirements within one year.

Click here to read the Ropes & Gray client alert for more details on these regulations.

On June 28, 2024, Pennsylvania enacted amendments to its Breach of Personal Information Notification Act (“BPINA”). These amendments contain a number of significant changes, including clarifying a key definition, adding a new notification obligation to the Attorney General, requiring organizations to provide credit monitoring services, and reducing the threshold to notify consumer reporting agencies. These amendments—which take effect today, September 26, 2024—bring Pennsylvania in line with many other states that have taken steps to strengthen their respective data breach notification laws.

Continue Reading Pennsylvania Strengthens Data Breach Notification Law

Rohan Massey and Edward Machin, partner and counsel in Ropes & Gray’s data, privacy & cybersecurity practice, will be hosting a webinar on The EU AI Act – The Road to Compliance. The EU AI Act entered into force on August 1st, 2024. The Act is the first piece of comprehensive legislation to regulate the development, deployment and use of AI systems, and seeks to ensure that these systems are safe, transparent, traceable, non-discriminatory and environmentally friendly. Organizations now have a timeline for compliance of between 6 and 24 months, depending on the role they play under the Act and the risk and capabilities of their AI systems. This session will look at the requirements of the EU AI Act, its extra-territorial application and possible sanctions for non-compliance – and will provide an overview of what steps organizations should be taking now to ensure that they can comply with the Act.

The webinar will take place on September 18, 2024, 12-1pm ET. Click here to register.

We request all attendees register by September 16. For any questions, please email Tierney.DeRobertis@ropesgray.com.

Ropes & Gray data, privacy & cybersecurity associate Matthew Cin spoke with Law360 about Illinois’s recent amendments to its Biometric Information Privacy Act (BIPA). Ever since it was enacted in 2008, BIPA, which can restrict companies from collecting and sharing biometric data without data subjects’ consent, has been a source of privacy-related litigation and prompted confusion around what constitutes a violation for the purpose of calculating damages. The amendments, which were signed into law earlier this month, provide clarity that a company only violates the statute once, even if it collects biometric data multiple times from the same person, using the same means. Read the full Law360 article here, and see further analysis of the amendments in our blog post here.

On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step forward in correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended, now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.

Continue Reading Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas