Find an umbrella. . . . The recent deluge of state-level privacy legislation continues. Legislatures in three additional states—Indiana, Montana, and Tennessee—have adopted comprehensive privacy laws. The Indiana Consumer Data Protection Act (ICDPA) was signed into law on May 1, 2023, making Indiana the seventh state to adopt such a law, and legislatures in Montana and Tennessee have passed legislation that is expected to be signed into law by their respective governors soon. Only one month ago, Iowa became the sixth state to adopt a comprehensive privacy law, and, of course, California, Colorado, Connecticut, Utah, and Virginia each have laws that either are already in effect or that will go into effect later this year. Meanwhile, on April 27, 2023, the governor of Washington signed into law the My Health My Data Act, a significant development that will impact many businesses that collect or process consumer health data (expect an update on this topic here soon).

Tune in to the third episode of Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and features a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Ropes & Gray’s Washington, D.C. office, and Edward Machin, a London-based associate, are joined by special guest Jackie Koven, who is head of cyber threat intelligence at blockchain analysis firm, Chainalysis.

Click here to listen as they discuss how Jackie and the Chainalysis team track cybercriminals and nation-state actors who are involved with ransomware payments and other cryptocurrency schemes.

A number of encrypted messaging services have signed an open letter calling on the UK Government to reconsider various aspects of the Online Safety Bill (OSB) pending its final reading in the House of Lords, over concerns that the bill could threaten end-to-end encryption.

End-to-end encryption currently delivers a strong level of security for electronic messages, meaning that messages can only be read on the apps of the sender and intended recipient.  

On this episode of the R&G Tech Studio, intellectual property transactions and technology co-leader Megan Baca, who’s also co-leader of the firm’s digital health initiative, sits down with data, privacy & cybersecurity partner Fran Faircloth to discuss the innovation of AI and its impacts on collaboration, research and development, particularly in the digital health space. Click here to listen to their discussion.

On March 29, 2023, the California Office of Administrative Law (the “OAL”) approved the first substantive set of California Privacy Rights Act (“CPRA”) regulations from the California Privacy Protection Agency (the “CPPA”), which we addressed in a previous blog. Those regulations went into effect immediately. As discussed in a recent episode of Ropes & Gray’s privacy podcast, The Data Day, the CPPA has also begun consideration of an additional set of regulations that would implement other CPRA requirements, issuing an Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking. Enforcement of the CPRA, including its implementing regulations, is scheduled to begin on July 1, 2023. However, on March 30, 2023—just one day after the OAL approved the CPPA’s regulations—the California Chamber of Commerce announced that it had filed suit in Sacramento Superior Court seeking to delay enforcement until 12 months after a final and complete set of regulations has been adopted.

On March 28, Iowa Governor Kim Reynolds signed Senate File 262 into law, making Iowa the sixth state to adopt comprehensive data privacy legislation. The Iowa Consumer Data Protection Act (ICDPA) is set to take effect on January 1, 2025.

The ICDPA is largely business-friendly and mostly comparable to the Utah Consumer Privacy Act. Businesses that are already in compliance with other states’ privacy laws—such as the California Consumer Privacy Act—likely will not need to make any additional changes to their policies or practices to comply with the ICDPA. The ICDPA does not require businesses to conduct risk assessments or to practice purpose limitation or data minimization, and it gives businesses a generous 90-day cure period for suspected violations. Furthermore, as we’ve seen with the other states that have recently passed comprehensive privacy laws, the law does not provide a private right of action for consumers, as enforcement authority sits exclusively with the Iowa Attorney General.

On March 15, 2023, the SEC issued a release (the “Release”) containing proposed amendments to Regulation S-P (the “Proposals”). These Proposals were published in the Federal Register today, March 21. If adopted, the Proposals would require broker-dealers, registered investment companies (with business development companies, “registered funds”) and investment advisers to adopt written policies and procedures creating an incident response program to deal with unauthorized access to customer information, including procedures for notifying persons affected by the incident within 30 days.

These proposals are in addition to the SEC’s other pending cybersecurity regulations, and the SEC has re-opened comments on the registered investment adviser cybersecurity proposal, almost certainly delaying its release past the April regulatory agenda estimate.

Click here to read Ropes & Gray’s Client Alert on the proposed amendments.

Blackbeard may not be the first name that comes to mind when considering cybercrime, but prior international efforts to stop stateless rogue actors can point us toward the proper focus for cybersecurity—governments taking responsibility to solve a classic collective action problem by direct action, supporting existing industry defense measures, and leading multilateral cooperation efforts. This strategy stands in stark contrast to the SEC’s proposed cybersecurity approach: name and shame public companies that, after suffering a data breach, would be forced to issue public statements to shareholders before they have closed the exploited vulnerability or fully assessed the situation. Our hope is that the fight against maritime piracy can point to a better way to address online pirates.

Click here to read our article for New York Law Journal in which we discuss how governments can take a coordinated approach to combatting data breaches and ransomware attacks.

Tune in to the second episode of Ropes & Gray’s podcast series The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and will feature a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Ropes & Gray’s Washington, D.C. office, and Edward Machin, a London-based associate, are joined by special guest Kevin Angle, a Boston-based counsel. Click here to listen as they discuss recent enforcement by the California Attorney General, including a new round of enforcement sweeps, actions by the California Privacy Protection Agency, and the relationship between the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

On February 22, 2023, the Cyberspace Administration of China (“CAC”) promulgated the final version of the Measures for the Standard Contract for Cross-Border Transfer of Personal Information (the “Measures”), along with the final version of the standard contractual clauses for cross-border transfer of personal information stipulated under the Personal Information Protection Law (the “PIPL SCCs”). The Measures and the PIPL SCCs will become effective on June 1, 2023. Similar to the EU General Data Protection Regulation (“GDPR”) SCCs, the PIPL SCCs can be used for outbound transfer of personal information that does not need to undergo a security assessment under China’s PIPL.

Click here to read Ropes & Gray’s Client Alert on the Measures.