Following the trend toward comprehensive state consumer data privacy laws over the past half decade, five more states—New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland—have passed their own such laws since the beginning of this year alone. Joining the ranks of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, these five states bring the total number of states with comprehensive privacy laws to 17 (or 19, if you count the more narrowly scoped privacy laws in Florida and Nevada), a nearly 50% increase in states with comprehensive privacy laws in only five months. New Jersey led the charge at the beginning of 2024, with Governor Phil Murphy signing the New Jersey Privacy Act (NJPA) on January 16. Next followed New Hampshire Governor Chris Sununu’s signature on SB 255 (acronym surely soon to follow). Kentucky (KCDPA) and Nebraska (NDPA) were next, signing laws on April 4 and 17, respectively, and Maryland rounded out this wave of privacy legislation when Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA) into law on May 9.

Continue Reading Five State Privacy Laws in Five Months

On this episode of the R&G Tech Studio podcast, managing principal and global head of advanced E-Discovery and A.I. strategy Shannon Capone Kirk sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss how new and ever-evolving technology is impacting her clients, particularly generative AI, and the challenges that arise in litigation and compliance. She also discusses her team’s development of the AI Court Order Tracker, which examines standing orders and local rules on the use of AI in connection with court filings.


On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching effects on hospitals, physicians, and other health care providers across the nation. On April 19, OCR published a new FAQ webpage about the cybersecurity incident and the implications for covered entities and business associates with business associate relationships with Change. OCR does not provide any new bombshell details—the agency confirms it has not yet received breach reports from Change/UHG—though the site does include background information and early guidance for covered entities beginning to evaluate possible notification obligations.

Click here to read the Ropes & Gray client alert for more information on OCR’s guidance as well as recommended next steps.

On April 24, President Biden signed a sweeping foreign aid bill into law, which included a critical provision covering privacy and data transfers known as the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”). This Act is separate from the TikTok divestment portion of the legislation, which has received far greater attention in the press. PADFA generally prohibits data brokers from transferring personally identifiable sensitive data to certain named foreign adversary countries, including the People’s Republic of China, and to any entity controlled by certain foreign adversaries. The law includes broad definitions of the terms “data brokers,” “personally identifiable sensitive data,” and “controlled by a foreign adversary,” which means the law applies to a wide range of companies. It is worthwhile for companies, even those who at first glance think they may not be covered, to review the law and consider adjusting their practices accordingly.

Click here to view the Ropes & Gray client alert for a more in-depth analysis of PADFA.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued its Notice of Proposed Rulemaking (NPRM) to establish the first cross-sectoral federal cybersecurity incident and ransomware payment reporting system.

As noted in an alert in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law just over two years ago, requiring “covered entities”—organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber-incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. The NPRM was formally published in the Federal Register on April 4 and the public has until June 3 to submit written comments. CISA is required to publish a final rule by October 2025.

Click here to read the Ropes & Gray client alert which summarizes critical aspects of the NPRM and crucial next steps for businesses to ensure they comply with the proposed rule.

On 5 March 2024, the UK data protection regulator (ICO) published guidance on biometric recognition (the Guidance), following a consultation with stakeholders in October 2023. The Guidance clarifies the concept and properties of biometric data and provides practical considerations for organisations contemplating or using biometric recognition systems.

Continue Reading ICO Publishes Biometric Data Guidance

On February 28, 2024, President Biden announced an Executive Order (“EO”) directing the Department of Justice (“DOJ”) to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. As directed by the EO, on February 28, the DOJ published an Advance Notice of Proposed Rulemaking (“ANPRM”) on topics related to the implementation of the EO. The Ropes & Gray team provided detailed analysis on both the EO and ANPRM here.

Continue Reading Lawmakers Pass Milestone Privacy Bill Overshadowed by TikTok Fever

In a Bloomberg Law article, attorneys examined Washington State’s comprehensive new privacy law, the My Health My Data Act, the first state law that specifically safeguards consumer health data.

The article discusses the new law’s scope, applicability, and ensuing company obligations. The Act will apply to many life sciences companies, including pharmaceutical and device manufacturers, and is enforceable through a private right of action, creating a risk of class action litigation related to potential violations.

The Act requires regulated entities and small businesses to develop a website privacy policy; secure opt-in consent prior to collecting and sharing identifiable consumer health data; obtain prior authorization to sell consumer health data; create mechanisms to track, respond to, and grant consumer rights; implement reasonable security measures; ensure data protection agreements are in place with processors; and eliminate any geofences around entities that provide in-person health care services.

On February 26, 2024, the National Institute of Standards and Technology (“NIST”) released version 2.0 of its Cybersecurity Framework (“CSF 2.0”)—the first significant update to the cybersecurity guidance since its initial publication a decade ago.[1] While the original guidance was tailored to critical infrastructure entities, the new version has a broader scope and applies to organizations of all sizes across industries, from large corporations with robust data protection infrastructure to small schools and nonprofits that may lack cybersecurity sophistication.[2] CSF 2.0 notably incorporates new sections on corporate governance responsibilities and supply chain risks; additionally, NIST has released supplemental implementation guides and reference tools that can assist organizations in measuring their cybersecurity practices and honing their data protection priorities.[3]

Continue Reading NIST Publishes Long-Awaited Cybersecurity Framework 2.0

Employee monitoring isn’t new, but its extent and the way it is conducted have changed significantly in the last few decades; we have come a long way from the punch cards of the 1900s to the current use of video surveillance, e-comms monitoring and AI, among other monitoring tools.

Part of this comes from the usual progress of technology, the drive to make more data-centric decisions and organisational pressures to maximise efficiency. However, part of it is also a direct result of the COVID-19 pandemic, as the rise of hybrid working meant that organisations had to adopt new technologies to monitor employees who were working remotely.

Recent decisions by the CNIL and ICO in the last few months highlight the flipside of using such technologies, however: in these decisions, the use of video surveillance and biometric data (including facial recognition) for employee monitoring purposes led to enforcement action (including a €32 million fine). With the EU’s AI Act looming on the horizon, the use of AI for employee monitoring purposes may also add the obligations of the AI Act to an organisation’s already extensive list of compliance considerations.

Click here to read our article exploring the takeaways from these decisions, as well as practical considerations for organisations when conducting employee monitoring using certain technologies.