On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the “Proposed Regulations”). The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour reporting of certain incidents.

If approved by the New York State Public Health and Health Planning Council (“PHHPC”) and subsequently finalized, the Proposed Regulations would supplement federal Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule requirements but would be broader in some respects, including with regard to what information is subject to the requirements.


On October 30, 2023, President Biden issued an executive order (“EO”) on the safe, secure, and trustworthy development and deployment of artificial intelligence (“AI”) that has the potential to set far-reaching standards governing the use and development of AI across industries. Although the EO does not directly regulate private industry, apart from certain large-scale models or computing clusters deemed to potentially impact national security (discussed below), it requires federal agencies including the Departments of Commerce (principally through the National Institute of Standards and Technology (“NIST”)), Energy, and Homeland Security, among others, to issue standards and guidance and to use their existing authorities, including regulatory authorities, to police the use of AI in ways that will impact business for years to come. In addition, it devotes federal resources toward AI-related education, training and research, including the further development of privacy enhancing technologies (“PETs”) such as differential privacy and synthetic data generation.


On November 1, 2023, New York Governor Kathy Hochul announced that the New York Department of Financial Services (“NYDFS”) finalized amendments to its Part 500 Cybersecurity Regulations (“Final Amendments”)—the first significant change to the regulations since their inception in March 2017. The Final Amendments generally track previous NYDFS proposed amendments—including the November 9, 2022 proposal that we covered here—with certain important changes.

Continue Reading NYDFS Finalizes Significant Amendments to its Cybersecurity Regulations

On October 10, 2023, Governor Gavin Newsom signed into law the California Delete Act, which imposes new requirements on “data brokers.” Because of the California law’s broad definition of the term “data broker,” the law will apply to many businesses that would not typically think of themselves as engaged in buying and selling data. The Delete Act will require such “data brokers” to make new disclosures and, beginning in 2026, respond to bulk deletion requests submitted via a mechanism established by the California Privacy Protection Agency (CPPA), which is likely to prove onerous. Unlike current deletion requests, which are sent on a one-off basis to specific businesses, the Delete Act will require these requests to be honored by all businesses registered with the CPPA as a data broker simultaneously. As a result, data brokers will see a significant increase in the volume of such requests they are required to process. Additionally, beginning in 2028, data brokers will be required to undergo costly third-party compliance audits.

Continue Reading California Adopts “Delete Act”: New Requirements for Data Brokers

On September 28, 2023, the Cyberspace Administration of China (“CAC”) issued a Draft Rule on the Regulation and Facilitation of Cross-Border Transfer of Personal Information (the “Draft Rule”). The Draft Rule seeks to streamline the security requirements pertaining to cross-border transfer of personal information under certain circumstances. The Draft Rule is open for comments from the public until October 15, 2023.

Continue Reading China Proposes to Ease Oversight of Cross-Border Transfer of Personal Information

At its Sept. 8 board meeting, the California Privacy Protection Agency reviewed draft regulations addressing cybersecurity audits and risk assessments. If adopted, the proposed regulations would require many businesses already subject to the California Consumer Privacy Act to conduct new, independent audits of their cybersecurity programs. The proposed regulations would also impose broad rules around the use of automated decision-making technologies that could affect the development of artificial intelligence-based systems and other types of processing of personal information deemed to create a significant risk to consumer privacy.

Data, privacy & cybersecurity counsel Kevin Angle and associates Ashley Fisher and Jessica Grischkan noted in an article for Law360 that the audit would require board-level involvement along with documentation of specific cybersecurity controls, ranging from account management and unique passwords to record retention, which could create baseline expectations for the agency as to the “reasonable security procedures and practices” required under the CCPA and other statutes. The draft regulations also propose broad definitions of “artificial intelligence” and “automated decision-making” that could bring a wide variety of products into their scope. Prior to training artificial intelligence, businesses could be required to conduct detailed risk assessments and document the safeguards in place to protect the privacy of personal information.

Last week, Delaware Governor John Carney signed into law the Delaware Personal Data Privacy Act (“DPDPA”), the state’s new consumer privacy law that will become effective January 1, 2025. The First State is now the 12th state to fully enact a comprehensive consumer data privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Our previous posts on laws in those states can be found here. Though the DPDPA generally tracks consumer privacy laws in other states—particularly those in Colorado, Connecticut, and Oregon—it does contain nuances that organizations should note, particularly a lack of general exclusions for nonprofits and higher education institutions as well as a lower threshold for applicability.

Continue Reading Delaware Becomes Twelfth State to Pass Consumer Privacy Law

On this episode of the R&G Tech Studio, mergers & acquisitions partner Sarah Young sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss how she advises clients on all aspects of corporate strategy, and whether she thinks artificial intelligence and machine learning will impact her clients in the months and years ahead.


With the onslaught of state privacy laws passed earlier this spring and summer, the Texas Data Privacy and Security Act (the “TDPSA”), signed into law on June 18, 2023, may not have received its due. Although largely following the template set in other states, the Texas law is unique among the non-California comprehensive privacy laws in tying its scoping criteria to the size of a business rather than to a threshold number of data subjects whose information a business processes annually—typically 100,000 state residents. The company must also (1) conduct business in Texas or produce a product or service consumed in the state and (2) process or “sell” personal data (more on the definition of “sell” below, which would include many disclosures made through online advertising). As a result, many mid-market businesses that process smaller amounts of data (falling under the 100,000-resident threshold applicable in many states) could still be required to comply.

Continue Reading Texas Data Privacy and Security Act Could Impact More Businesses

On July 20, 2023, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) sent warning letters to approximately 130 hospital systems and telehealth providers. The letters were intended to warn those entities of the privacy and security risks of online tracking technologies integrated into their websites and mobile applications. The agencies noted that the entities may be impermissibly disclosing consumers’ sensitive personal health information to third parties through tracking technologies such as the Meta/Facebook pixel and Google Analytics, in potential violation of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended (collectively, “HIPAA”), the FTC Act, and/or the FTC Health Breach Notification Rule (“HBNR”).

Continue Reading HHS and FTC Warning Letters Highlight Continued Scrutiny of Use of Online Tracking Technologies in Healthcare