On February 26, 2024, the National Institute of Standards and Technology (“NIST”) released version 2.0 of its Cybersecurity Framework (“CSF 2.0”)—the first significant update to the cybersecurity guidance since its initial publication a decade ago.[1] While the original guidance was tailored to critical infrastructure entities, the new version has a broader scope and applies to organizations of all sizes across industries, from large corporations with robust data protection infrastructure to small schools and nonprofits that may lack cybersecurity sophistication.[2] CSF 2.0 notably incorporates new sections on corporate governance responsibilities and supply chain risks; additionally, NIST has released supplemental implementation guides and reference tools that can help organizations measure cybersecurity practices and hone data protection priorities.[3]
Fran Faircloth
New Executive Order Would Restrict Transfer of Certain Bulk Sensitive Personal Data and United States Government-Related Data to China and Other Countries of Concern
On February 28, 2024, President Biden announced an Executive Order directing the Department of Justice to promulgate regulations that restrict or prohibit transactions involving certain bulk sensitive personal data or United States Government-related data and countries of concern or covered persons. The DOJ’s initially identified countries are China (including Hong Kong and Macau), Russia, Iran…
DoorDash and California Attorney General Reach Settlement Over Privacy Allegations
Following up on announcements of sweeps from late January, last week California Attorney General Rob Bonta announced a settlement with the popular food delivery service DoorDash related to allegations that DoorDash breached the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). The announcement doubles down on the Attorney General’s reiteration that privacy will continue to be a priority for his office, while the new California Privacy Protection Agency (CPPA) is getting up to speed.
2024 Is Set To Be Democracy and Deepfakes’ Biggest Year. Is U.S. Legislation …Ready For It?
The FCC has issued a declaratory ruling, employing the protection of the Telephone Consumer Protection Act (TCPA) to outlaw robocalls that use AI-generated voices. The Commission’s unanimous decision was spurred by public fallout from the doctored audio message of a purported President Biden urging voters in New Hampshire not to vote in the state’s Democratic primary last month. The announcement makes clear that the potential for malicious actors to use AI to deceive voters and subvert democratic processes is top of mind for the government this election year. This is not the first time that the TCPA has been used to protect the public from election interference, but rather than go after individual actors for individual instances of election interference as it has in the past, this decision creates a much wider blanket ban on AI-generated voices in robocalls, which will cover election-related AI-generated calls among others.
The Data Day: Protecting Your Company and Your Data in the Wake of a Cyber Incident
Tune in to Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and…
Dashing Through 2023’s Privacy Litigation Trends
Looking back on 2023, the trend of privacy-based class actions has only increased, and it doesn’t seem poised to halt or even slow down in the new year. Businesses are feeling acutely the threat of future litigation. At the end of 2022, the hundreds of cross-industry respondents to the Annual Litigation Trends Survey cited cybersecurity, data protection, and data privacy as the second-highest ranked area of future concern for class actions, and their concerns turned out to be justified. From peeved Pixel plaintiffs to data breach defendants, class actions abounded this year.
Reviewing 2023’s Global AI Landscape Across Practice Areas
In a Law360 article, co-authored by data, privacy & cybersecurity partner Fran Faircloth and associate May Yang, the team reflect on 2023 Global AI highlights, noting “2023 stands out as a landmark year for artificial intelligence and for generative AI in particular.”
“The launch of OpenAI’s ChatGPT in late 2022 marked a turning point, igniting a global race among tech companies and investors to harness and evolve this burgeoning technology,” said Fran and May. This development brings a myriad of legal implications, touching on intellectual property challenges, data privacy and cybersecurity risks, and ethical considerations in AI deployment.
‘Tis the Season for Data Protection: Unwrapping the 12 Days of Data
As the year draws to a close, we’re excited to kick off the third annual installment of the 12 Days of Data, our favorite holiday tradition.
Join us for a festive journey over the next few weeks, as we count down twelve key areas of growth in privacy and cybersecurity in 2023 and look forward…
Delaware Becomes Twelfth State to Pass Consumer Privacy Law
Last week, Delaware Governor John Carney signed into law the Delaware Personal Data Privacy Act (“DPDPA”), the state’s new consumer privacy law that will become effective January 1, 2025. The First State is now the 12th state to fully enact a comprehensive consumer data privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Our previous posts on laws in those states can be found here. Though the DPDPA generally tracks consumer privacy laws in other states—particularly those in Colorado, Connecticut, and Oregon—it does contain nuances that organizations should note, particularly a lack of general exclusions for nonprofits and higher education institutions as well as a lower threshold for applicability.
R&G Tech Studio Presents: Mergers & Acquisitions Partner Sarah Young
On this episode of the R&G Tech Studio, mergers & acquisitions partner Sarah Young sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss how she advises clients on all aspects of corporate strategy, and whether she thinks artificial intelligence and machine learning will impact her clients in the months and years…