While students are about to embark on their holiday break, there is no such luck for educational technology (“EdTech”) providers. Privacy, cybersecurity, and artificial intelligence compliance obligations have proliferated over the past year, with no signs of slowing down. While it is hard to keep track of the numerous regulations and proposals at the state and federal levels, I have highlighted below a few issues for EdTech providers to monitor in the coming year.


Throughout 2024, financial sector regulators sharpened their focus on data protection and cybersecurity issues impacting financial institutions and the public. Key federal agencies like the Securities and Exchange Commission (“SEC”), the Federal Trade Commission (“FTC”), and the Consumer Financial Protection Bureau (“CFPB”) have been joined by state regulators, such as the New York Department of Financial Services (“NYDFS”), in proposing and finalizing significant rulemaking, pursuing novel enforcement actions, and issuing influential guidance. 2025 promises to be a continuation of this considerable trend.  


On 30 November 2022, OpenAI made its ChatGPT generative artificial intelligence chatbot publicly available. In the two years since, its unprecedented growth has fostered a dramatic shift in public attention to and interest in all forms of AI. Now, the possibilities and risks presented by the continued development of AI are also firmly at the top of mind for businesses and regulators across the world.


Although 2024 saw several states enact comprehensive privacy legislation, another year is nearly gone, and we still do not have a comprehensive federal privacy law to resolve the rapidly evolving patchwork of state laws. Despite the lack of comprehensive privacy legislation, privacy and cybersecurity were hot-button issues across key federal agencies, such as the FTC and FCC, with significant enforcement activity throughout the year. In this edition of our Twelve Days of Data series, we highlight key developments across a few of these federal agencies.

To no surprise, the Federal Trade Commission (FTC) was intensely focused on privacy and cybersecurity throughout 2024. We also saw important activity out of the Federal Communications Commission (FCC), which, among other things, issued guidance regarding the Telephone Consumer Protection Act (TCPA).


The National Institute of Standards and Technology (NIST) has been a leading voice in cybersecurity standards since 2013, when President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity tasked NIST, which is embedded within the Department of Commerce, with developing and updating a cybersecurity framework for reducing cyber risks to critical infrastructure. The first iteration of that framework was released in 2014, and Versions 1.1 and 2.0 followed in 2018 and 2024. NIST guidance has also expanded to include a privacy framework, released in 2020, and an AI risk management framework, released in 2023. This year, NIST made updates to both its cybersecurity and AI risk management frameworks and created a holistic data governance model that aims to provide a comprehensive approach for entities to address issues like data quality, privacy, security, and compliance, leveraging the various NIST frameworks under a unified data governance structure to help framework users address broader organizational risks. A retrospective of these developments and predictions for 2025 are detailed in this post.


Data breaches made headlines throughout 2024, affecting governments, health care groups, and telecoms. Follow-on litigation has kept pace. Nearly 4,000 class actions involving data privacy issues are estimated to be filed in federal courts by the end of this year.

Growth in litigation meant that 2024 saw legal developments in several areas including standing to sue and web video suits. Increased attention on cybersecurity and privacy incidents unsurprisingly corresponded with active SEC enforcement and derivative suits related to inadequate data security.


Over the next few weeks, Ropes & Gray’s data, privacy, and cybersecurity team will bring you unique blogs reviewing key trends and developments in data protection. This year, each daily blog will focus on a specific set of legal developments or a regulated sector. These blogs will track topics covered by 12 of the 30+ chapters in PLI’s new edition of its cyber law treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk.  

The treatise, edited by Ropes & Gray data, privacy and cybersecurity partners Ed McNicholas and Fran Faircloth, is an annually updated, practical guide to the laws and regulations in the U.S. and abroad that govern cybersecurity as well as strategies to bolster your defenses against cyber risk. The new edition, which was just released, adds several new chapters and material related to additional regulated sectors and developments. Stay tuned over the next few weeks for bite-size breakdowns of our most relevant chapters.

We are making our list and checking it twice, so make sure you are subscribed to www.RopesDataPhiles.com to get alerts about the latest posts.

On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This follows the DOJ’s publication of its Advance Notice of Proposed Rulemaking earlier this year. Comments on the proposed rule are due on November 29, 2024.


On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements concern the issuers’ disclosures relating to cybersecurity risks and intrusions following the December 2020 SUNBURST cybersecurity incident, which affected customers of SolarWinds’ Orion software. Alleging that the issuers “negligently minimized” the impacts of the breach, the SEC levied civil monetary penalties ranging from $990,000 to $4 million. Each settled order credits the issuers with cooperating in the SEC’s investigation. A dissent by Commissioners Hester Peirce and Mark Uyeda criticizes the majority for playing “Monday morning quarterback.”

As the first cybersecurity-related settlements of the agency’s new fiscal year, these cases illustrate the SEC’s continued focus on disclosure of cyber incidents.

On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after determining that a cybersecurity incident has occurred. A cybersecurity incident is an event that (i) has a material adverse impact on the normal operations of the hospital; (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems. In addition, hospitals will need to come into compliance with new cybersecurity requirements within one year.
