In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.1 The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”2 under state law (a “Data Breach”), require Data Breaches to be reported to the New York State Department of Financial Services (“NYSDFS”), and add medical information and health insurance information to categories of private information that may be subject to a Data Breach. According to their legislative history, the Bills were introduced in order to address “a broad sense of uncertainty by experts and lawmakers as to which federal regulations, if any, [are] charged with the responsibility to monitor and do regular supervision on cybersecurity.”3 While the Bills are likely to have a limited effect on HIPAA covered entities and business associates, they stand to significantly impact other persons and businesses in New York, including life sciences and consumer health care companies that are not subject to HIPAA.

Click here to read the full Ropes & Gray client alert.

In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).

The New HTI Final Rules will affect Trusted Exchange Framework and Common Agreement (“TEFCA”) qualified health information networks (“QHINs”) and health care organizations that exchange data through QHINs, as well as developers of certified health information technology, health information exchanges and networks, and health care providers (collectively, “Actors”) that are subject to the Information Blocking Rule.

Click here to read the full Ropes & Gray client alert which summarizes key provisions of the New HTI Final Rules.

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024, and its Advance Notice of Proposed Rulemaking (“ANPRM”) earlier in 2024. (Ropes & Gray published alerts on the NPRM and ANPRM.)

The Final Rule continues to assert the DOJ as a critical regulator of data transfers involving countries of concern or covered persons. Organizations transacting with entities or individuals located in or otherwise having relationships with the People’s Republic of China (including Hong Kong and Macau) (the “PRC”), Russia, Iran, North Korea, Cuba, and Venezuela should carefully review the Final Rule for potential impacts on their business models. The Final Rule prohibits certain data brokerage transactions and transactions involving human ‘omic data. The Final Rule also creates a set of restricted transactions involving vendor agreements, employment agreements, or investment agreements in which U.S. persons may engage only if they comply with a set of cybersecurity requirements. In tandem with the publication of the Final Rule, on January 8, 2025, the Cybersecurity and Infrastructure Security Agency (“CISA”) published its final security requirements for restricted transactions.

Click here to read the full Ropes & Gray client alert for more detailed information.

As a recent DataPhiles post explored, the threat to telecommunications infrastructure and private call records posed by foreign threat actors only continues to grow. In fact, at least one U.S. government agency has urged employees to avoid using mobile communications for any work-related activity. This has led private entities to wonder how they might protect the sensitive mobile communications of officers and employees.

Continue Reading New Year, New Threats: Practical Tips for Secure Communications after Salt Typhoon

After its election to power in July 2024, the newly formed Labour government wasted little time in announcing its legislative priorities for the coming year. Unsurprisingly, these priorities included several proposed Bills relating to data protection, cybersecurity and digital regulation. At the time of writing, only one of these Bills—the Data (Use and Access) Bill (“DUAB”)—has been introduced to Parliament, with the others expected to follow in early 2025.

Continue Reading Meet the In-Laws: the UK’s Digital Legislative Agenda for 2025

Cybersecurity and national security collided in significant ways in 2024, with governments and private-sector entities grappling with the legal, technical, and policy challenges of a rapidly evolving cyber landscape. Offensive cyber operations, questions of foreign ownership of social media companies, and the balance of power between the Executive and Legislative branches are just a few of the pressing issues shaping the modern landscape. As governments and private entities grapple with these challenges, the legal frameworks governing cybersecurity are evolving rapidly, offering both opportunities and risks for practitioners.

Continue Reading Deck the Halls with Cyber Walls: Navigating National Security in the Digital Age

2024 was a record year for cyberattacks in the healthcare sector. According to the Breach Portal maintained by the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), to date this year, there have been more than 530 breaches of protected health information (“PHI”) affecting 500 or more individuals. 2024 also saw the largest known breach of PHI at a HIPAA-regulated entity: the Russia-linked cybercrime organization BlackCat/ALPHV executed a ransomware attack on Change Healthcare, Inc., the payment processor owned by UnitedHealth, which affected the records of more than 100 million individuals.

Continue Reading A Flurry of Healthcare Sector Cybersecurity Regulatory Developments in 2024

While there are many significant federal laws and regulations related to cybersecurity, states have led the way in regulating this area on a general, sector-agnostic basis, with the most notable and widely acknowledged state cybersecurity provisions being state data breach notification laws. However, more recently, states have focused on passing comprehensive privacy, rather than security, laws, and 2025 promises to be a continuation of this trend, with eight additional comprehensive state privacy laws coming into effect next year.

Continue Reading Making a List and Checking it Twice: Navigating State Privacy and Security Regulations This Year

In the six years since the EU’s General Data Protection Regulation (“GDPR”) took effect, governments around the world have updated their data protection laws to reflect the seismic changes in data processing that were created with the introduction of the smartphone. Having been in place for nearly 40 years, Australia’s Privacy Act (1988) has been a notable outlier – but that is now changing, with significant reforms to the country’s data protection regime being introduced in the latter half of 2024.

Continue Reading Australia’s Privacy Reforms: Claus for Concern?

Ropes & Gray Data, Privacy & Cybersecurity senior associate Matthew Cin spoke with Law360 about an emerging split among Illinois state and federal courts over the question of whether recent amendments to Illinois’s Biometric Information Privacy Act (“BIPA”) are retroactive. In November 2024, the U.S. District Court for the Northern District of Illinois issued two orders nearly one week apart with directly conflicting interpretations and conclusions as to whether the amendments are retroactive or prospective. In light of these developments, careful attention to BIPA requirements remains critical. Read the full Law360 article here.