Tune in to the latest episode of Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and features a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Washington, D.C., and Edward Machin, counsel in London, discuss the latest developments keeping the data team busy, including the drive to build AI governance programs in Europe and the U.S. and the launch of a new state privacy law microsite. The microsite features an interactive map of the U.S. that captures the rapidly developing privacy laws emerging from each state.

Click here to listen.

On May 16, 2024, the SEC issued a release (the “Release”) adopting amendments to Regulation S-P (the “Amendments”) that require broker-dealers, registered investment companies (together with business development companies, “registered funds”) and registered investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer information, including procedures for notifying persons affected by the incident as soon as practicable, but no later than 30 days after becoming aware of it. The Amendments are substantially identical to the proposals in the 2023 proposing release.

Click here to read the Ropes & Gray client alert for more details on the Amendments.

In 2021, the U.S. Department of Justice (“DOJ”) announced the launch of the Cyber-Fraud Initiative, a program utilizing the False Claims Act (“FCA”) to “pursue cybersecurity related fraud by government contractors and grant recipients.” Although the Initiative has netted fewer than 10 settlements, the two most recent serve as a reminder that data breaches with respect to government contracts can result in FCA exposure.

In its most recent enforcement effort as part of this Initiative, DOJ reached settlements with two consulting companies—Guidehouse Inc. (“Guidehouse”) and Nan McKay and Associates (“Nan McKay”)—in which both accepted responsibility for failing to comply with cybersecurity requirements in a federally funded contract and agreed to pay a total of $11.3 million to resolve related False Claims Act allegations.

This article explores implications of the settlements, as well as practical considerations for the industry.

Continue Reading Practical Considerations for Government Contractors Following Recent DOJ Cyber-Fraud Initiative Settlements

On May 21, 2024, with a vote of 25-12, the California Senate passed SB-1446, a bill that would significantly restrict grocery and retail drug stores from providing self-checkout services and adopting new technologies. The bill, introduced on February 16 by Sen. Smallwood-Cuevas, rapidly moved through the California Senate Committee process and has now been sent to the California Assembly for consideration. Retailers that provide self-checkout for their consumers or are looking to adopt new technologies should review the strict requirements in this bill and prepare to adjust their policies accordingly if the bill moves as swiftly through the California Assembly.

Continue Reading California Legislature Looks to Restrict Self-Checkout Technology

On May 15, 2024, the New York State Department of Health (“NYSDOH”) published revisions to the proposed hospital cybersecurity regulations that it first released in November 2023. Most of the requirements of the initially proposed regulations have been retained in the revised version, subject to a few modifications. The revised proposed regulations are subject to a notice and comment period until July 1, 2024 and, if finalized, would come into effect one year after finalization—with the exception of the requirement for hospitals to report security incidents to NYSDOH within 72 hours, which would take effect immediately. To comply, hospitals would need to update their cybersecurity policies and procedures, hire cybersecurity professionals, change their incident response procedures, and revise their planned security risk assessments.

Click here to read the Ropes & Gray client alert for more information on how these proposed regulations will affect New York hospital operations.

Following the trend towards comprehensive state consumer data privacy laws over the past half decade, five more states—New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland—have passed their own such laws since the beginning of this year alone. Joining the ranks of California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, these five states bring the total number of states with comprehensive state privacy laws to 17 (or 19, if you count more narrowly scoped privacy laws in Florida and Nevada), a near 50% increase in states with comprehensive privacy laws in only five months. New Jersey led the charge at the beginning of 2024, with Governor Phil Murphy signing the New Jersey Privacy Act (NJPA) on January 16. Next followed New Hampshire Governor Chris Sununu’s signature on SB 255 (acronym surely soon to follow). Kentucky (KCDPA) and Nebraska (NDPA) were next, signing laws on April 4 and 17, respectively, and Maryland rounded out this wave of privacy legislation when Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA) into law on May 9.

Continue Reading Five State Privacy Laws in Five Months

On this episode of the R&G Tech Studio podcast, managing principal and global head of advanced E-Discovery and A.I. strategy Shannon Capone Kirk sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss how new and ever-evolving technology is impacting her clients, particularly generative AI, and the challenges that arise in litigation and compliance. She also discusses her team’s development of the AI Court Order Tracker, which examines standing orders and local rules on the use of AI in connection with court filings.

Click here to listen.

On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching effects on hospitals, physicians, and other health care providers across the nation. On April 19, OCR published a new FAQ webpage about the cybersecurity incident and the implications for covered entities and business associates with business associate relationships with Change. OCR does not provide any new bombshell details—the agency confirms it has not yet received breach reports from Change/UHG—though the site does include background information and early guidance for covered entities beginning to evaluate possible notification obligations.

Click here to read the Ropes & Gray client alert for more information on OCR’s guidance as well as recommended next steps.

On April 24, President Biden signed a sweeping foreign aid bill into law, which included a critical provision covering privacy and data transfers known as the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”). This Act is separate from the TikTok divestment portion of the legislation, which has received far greater attention in the press. PADFA generally prohibits data brokers from transferring personally identifiable sensitive data to certain named foreign adversary countries, including the People’s Republic of China, and any entity controlled by certain foreign adversaries. The law includes broad definitions of the terms “data brokers,” “personally identifiable sensitive data,” and “controlled by a foreign adversary,” which means the law applies to a wide range of companies. It is worthwhile for companies, even those who at first glance think they may not be covered, to review the law and consider adjusting their practices accordingly.

Click here to view the Ropes & Gray client alert for a more in-depth analysis of PADFA.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued its Notice of Proposed Rulemaking (NPRM) to establish the first cross-sectoral federal cybersecurity incident and ransomware payment reporting system.

As noted in an alert in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law just over two years ago, requiring “covered entities”—organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber-incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack. The NPRM was formally published in the Federal Register on April 4 and the public has until June 3 to submit written comments. CISA is required to publish a final rule by October 2025.

Click here to read the Ropes & Gray client alert which summarizes critical aspects of the NPRM and crucial next steps for businesses to ensure they comply with the proposed rule.