On February 26, 2024, the National Institute of Standards and Technology (“NIST”) released version 2.0 of its Cybersecurity Framework (“CSF 2.0”)—the first significant update to the cybersecurity guidance since its initial publication a decade ago.[1] While the original guidance was tailored to critical infrastructure entities, the new version has a broader scope and applies to organizations of all sizes across industries, from large corporations with robust data protection infrastructure to small schools and nonprofits that may lack cybersecurity sophistication.[2] CSF 2.0 notably incorporates new sections on corporate governance responsibilities and supply chain risks; additionally, NIST has released supplemental implementation guides and reference tools that can assist organizations measure cybersecurity practices and hone data protection priorities.[3]Continue Reading NIST Publishes Long-Awaited Cybersecurity Framework 2.0
Cybersecurity
The Data Day: Protecting Your Company and Your Data in the Wake of a Cyber Incident
Tune in to Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and…
Merck Insurance Settlement Leaves Debate over Cyberwar and Cyberinsurance Unsettled
Merck’s settlement last week over its $1.4 billion claim tied to a 2017 Russian-linked “NotPetya” cyberattack leaves a major question in cybersecurity and international law anything but settled – can a “cyberattack” ever be considered an “attack” under the international laws of war? The insurance dispute is hardly the first time cybersecurity has been linked to nation-state security – as far back as 2014, China’s now President Xi Jinping declared that “without cybersecurity there is no national security” – but how did a major pharmaceutical chain’s insurance claim become a potential battleground for litigating the definition of war in the 21st century?Continue Reading Merck Insurance Settlement Leaves Debate over Cyberwar and Cyberinsurance Unsettled
Dealmaking with AI and Big Data – Charting the new frontier in life sciences
Megan Baca moderated Ropes & Gray’s annual “From the Boardroom” panel – held in San Francisco during the 2024 J.P. Morgan Healthcare Conference – which this year looked at the role of artificial intelligence and big data in the context of dealmaking. It can feel hard to escape AI at the moment, with some debate as to whether AI is currently over-hyped or in fact at a transformational tipping point. Continue Reading Dealmaking with AI and Big Data – Charting the new frontier in life sciences
In Law360, Attorneys Urge Businesses to Navigate Generative AI Indemnity Shields with Care
In a Law360 article, IP transactions and technology partner Regina Sam Penti, IP transactions counsel Georgina Jones Suzuki and IP transactions associate Derek Mubiru analyzed the recent trend of artificial intelligence (AI) providers offering indemnity shields and urged businesses to exercise caution in relying on these indemnities.
In response to a number of…
NIST Cybersecurity Center of Excellence – Cybersecurity of Genomic Data Report
On December 20, 2023, the National Institute of Standards and Technology (“NIST”) National Cybersecurity Center of Excellence (“NCCoE”) published its Cybersecurity of Genomic Data report (the “Report”). The Report aims to assist organizations in protecting against misuse of genomic data and enabling secure collaborative innovations. Note, however, that the Report is not authoritative with respect to its assessment of the treatment of genomic data under the current U.S. regulatory framework, including with respect to the identifiability of such information.Continue Reading NIST Cybersecurity Center of Excellence – Cybersecurity of Genomic Data Report
Making a List and Checking it Twice: The Impact of Cybersecurity Regulations on Financial Services in 2023
Not that long ago, financial sector regulations seldom mentioned cybersecurity expressly, instead addressing the issue indirectly through restrictions focused on general system safeguards and omnibus reporting requirements. Gone are those days. Over the past few years, federal and state regulators have increased focus on information security issues impacting financial institutions, introducing a spate of cyber rules that often include stringent regulatory reporting and disclosure requirements. This year was no different.Continue Reading Making a List and Checking it Twice: The Impact of Cybersecurity Regulations on Financial Services in 2023
Walking in a Data Wonderland: A Look Back at the FTC’s 2023 Privacy Enforcement Actions
On the first Day of Data, we recap a busy year for the Federal Trade Commission (“FTC”), highlighting key enforcement decisions from 2023 and reading the tea leaves for what promises to be an equally active 2024 for the agency on topics ranging from online tracking technologies to artificial intelligence.Continue Reading Walking in a Data Wonderland: A Look Back at the FTC’s 2023 Privacy Enforcement Actions
‘Tis the Season for Data Protection: Unwrapping the 12 Days of Data
As the year draws to a close, we’re excited to kick off the third annual installment of the 12 Days of Data, our favorite holiday tradition.
Join us for a festive journey over the next few weeks, as we count down twelve key areas of growth in privacy and cybersecurity in 2023 and look forward…
New York State Proposes New Cybersecurity Program and Incident Reporting Requirements for Hospitals
On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the “Proposed Regulations”). The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour…