On January 22, 2025, the New York State Assembly and Senate rapidly passed the wide-ranging New York Health Information Privacy Act. If not vetoed by Governor Kathy Hochul, NY HIPA would be the fourth enacted state consumer health data privacy law, following the Washington My Health My Data Act, Nevada SB 370 and the
In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.1 The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”2 under
While there are many significant federal laws and regulations related to cybersecurity, states have led the way in regulating this area on a general, sector-agnostic basis, with the most notable and widely acknowledged state cybersecurity provisions being state data breach notification laws. However, more recently, states have focused on passing comprehensive privacy, rather than security, laws, and 2025 promises to be a continuation of this trend, with eight additional comprehensive state privacy laws coming into effect next year. Continue Reading Making a List and Checking it Twice: Navigating State Privacy and Security Regulations This Year
Ropes & Gray Data, Privacy & Cybersecurity senior associate Matthew Cin spoke withLaw360 about an emerging split among Illinois state and federal courts over the question of whether recent amendments to Illinois’s Biometric Information Privacy Act (“BIPA”) are retroactive. In November 2024, the U.S. District Court for the Northern District of Illinois issued two
Throughout 2024, financial sector regulators sharpened their focus on data protection and cybersecurity issues impacting financial institutions and the public. Key federal agencies like the Securities and Exchange Commission (“SEC”), the Federal Trade Commission (“FTC”), and the Consumer Financial Protection Bureau (“CFPB”) have been joined by state regulators, such as the New York Department of Financial Services (“NYDFS”), in proposing and finalizing significant rulemaking, pursuing novel enforcement actions, and issuing influential guidance. 2025 promises to be a continuation of this considerable trend. Continue Reading Dashing Through Cybersecurity Regulations in the Financial Services Sector in 2024
On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after, determining that a cybersecurity incident has occurred. A cybersecurity incident is an
On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step forward to correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.Continue Reading Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas
With the Rhode Island Data Transparency and Privacy Protection Act (the “Act”), Rhode Island is the latest state to pass a comprehensive privacy law and join the evolving U.S. privacy landscape. The Act will take effect on January 1, 2026, the same date as the Indiana and Kentucky privacy laws.Continue Reading Rhode Island Joins the Fray with New Comprehensive State Privacy Law
Tune in to the latest episode of Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the
On May 21, 2024, with a vote of 25-12, the California Senate passed SB-1446, a bill that would significantly restrict grocery and retail drug stores from providing self-checkout services and adopting new technologies. The bill, introduced on February 16 by Sen. Smallwood-Cuevas, rapidly moved through the California Senate Committee process and now has been sent over to the California Assembly for consideration. Retailers who provide self-checkout for their consumers or are looking to adopt new technologies should review the strict requirements in this bill and prepare to adjust their policies accordingly if the bill moves as swiftly through the California Assembly.Continue Reading California Legislature Looks to Restrict Self-Checkout Technology