24_1742_12 Days of Data_Graphic_10293

Although 2024 saw several states enact comprehensive privacy legislation, another year is nearly gone, and we still do not have a comprehensive federal privacy law to resolve the rapidly evolving patchworks of state laws. Despite the lack of comprehensive privacy legislation, privacy and cybersecurity were hot button issues across key federal agencies, such as the FTC and FCC, with significant enforcement activity throughout the year. In this edition of our Twelve Days of Data series, we highlight key developments across a few key federal agencies.

To no surprise, the Federal Trade Commission (FTC) was intensely focused on privacy and cybersecurity throughout 2024. We also saw important activity out of the Federal Communications Commission (FCC), which, among other things, issued guidance regarding the Telephone Consumer Protection Act (TCPA).

Continue Reading Key Privacy and Cybersecurity Watchdogs Make Their Naughty Lists
24_1742_12 Days of Data_Graphic_10292

The National Institute of Standards and Technology (NIST) has been a leading voice in cybersecurity standards since 2013, when President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity tasked NIST, which is embedded within the Department of Commerce, with developing and updating a cybersecurity framework for reducing cyber risks to critical infrastructure. The first iteration of that framework was released in 2014, and Versions 1.1 and 2.0 followed in 2018 and 2024. NIST guidance has also expanded to include a privacy framework, released in 2020, and an AI risk management framework, released in 2023. This year, NIST made updates to both its cybersecurity and AI risk management frameworks and created a holistic data governance model that aims to provide a comprehensive approach for entities to address issues like data quality, privacy, security, and compliance, leveraging the various NIST frameworks under a unified data governance structure to help framework users address broader organizational risks. A retrospective of these developments and predictions for 2025 are detailed in this post.

Continue Reading A Very Merry NISTmas: 2024 Updates to the Cybersecurity and AI Framework
24_1742_12 Days of Data_Graphic_1029

Data breaches made headlines throughout 2024, affecting governments, health care groups, and telecoms. Follow-on litigation has kept pace. Nearly 4,000 class actions involving data privacy issues are estimated to be filed in federal courts by the end of this year.

Growth in litigation meant that 2024 saw legal developments in several areas including standing to sue and web video suits. Increased attention on cybersecurity and privacy incidents unsurprisingly corresponded with active SEC enforcement and derivative suits related to inadequate data security.

Continue Reading Unwrapping 2024’s Key Trends in Data Privacy Litigation
24_1742_12 Days of Data_Graphic_102913

Over the next few weeks, Ropes & Gray’s data, privacy, and cybersecurity team will bring you unique blogs reviewing key trends and developments in data protection. This year, each daily blog will focus on a specific set of legal developments or a regulated sector. These blogs will track topics covered by 12 of the 30+ chapters in PLI’s new edition of its cyber law treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk.  

The treatise, edited by Ropes & Gray data, privacy and cybersecurity partners Ed McNicholas and Fran Faircloth, is an annually updated, practical guide to the laws and regulations in the U.S. and abroad that govern cybersecurity as well as strategies to bolster your defenses against cyber risk. The new edition, which was just released, adds several new chapters and material related to additional regulated sectors and developments. Stay tuned over the next few weeks for bite-size breakdowns of our most relevant chapters, and for more information on the new edition click here.

We are making our list and checking it twice, so make sure you are subscribed to www.RopesDataPhiles.com to get alerts about the latest posts.

globe-8704013_1280

On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This follows the DOJ’s publication of its Advance Notice of Proposed Rulemaking earlier this year. Comments to the proposed rule are due on November 29, 2024.

Click here to read the full Ropes & Gray client alert for more details.

lock-6081598_1280

On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements concern the issuers’ disclosures relating to cybersecurity risks and intrusions following the December 2020 SUNBURST cybersecurity incident, which affected customers of SolarWinds’ Orion software. Alleging that the issuers “negligently minimized” the impacts of the breach, the SEC levied civil monetary penalties ranging from $990,000 to $4 million. Each settled order credits the issuers with cooperating in the SEC’s investigation. A dissent by Commissioners Hester Peirce and Mark Uyeda criticizes the majority for playing “Monday morning quarterback.”

As the first cybersecurity-related settlements of the agency’s new fiscal year, these cases illustrate the SEC’s continued focus on disclosure of cyber incidents. Click here to read the full Ropes & Gray client alert.

doctor-563428_1280

On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after, determining that a cybersecurity incident has occurred. A cybersecurity incident is an event that (i) has a material adverse impact on the normal operations of the hospital; (ii) has a reasonable likelihood of materially harming any part of the normal operation(s) of the hospital; or (iii) results in the deployment of ransomware within a material part of the hospital’s information systems. In addition, hospitals will need to come into compliance with new cybersecurity requirements within one year.

Click here to read the Ropes & Gray client alert for more details on these regulations.

pexels-maik-poblocki-2170626-20240697

On June 28, 2024, Pennsylvania enacted amendments to its Breach of Personal Information Notification Act (“BPINA”). These amendments contain a number of significant changes, including clarifying a key definition, adding a new notification obligation to the Attorney General, requiring organizations to provide credit monitoring services, and reducing the threshold to notify consumer reporting agencies. These amendments—which take effect today, September 26, 2024—bring Pennsylvania in line with many other states that have taken steps to strengthen their respective data breach notification laws.

Continue Reading Pennsylvania Strengthens Data Breach Notification Law
file

Rohan Massey and Edward Machin, partner and counsel in Ropes & Gray’s data, privacy & cybersecurity practice will be hosting a webinar on The EU AI Act – The Road to Compliance. The EU AI Act entered into force on August 1st, 2024. The Act is the first piece of comprehensive legislation to regulate the development, deployment and use of AI systems, and seeks to ensure that these systems are safe, transparent, traceable, non-discriminatory and environmentally friendly. Organizations now have a timeline for compliance of between 6 and 24 months, depending on the role they play under the Act and the risk and capabilities of their AI systems. This session will look at the requirements of the EU AI Act, its extra-territorial application and possible sanctions for non-compliance – and will provide an overview of what steps organizations should be taking now to ensure that they can comply with the Act.

The webinar will take place on September 18, 2024, 12-1pm ET. Click here to register.

We request all attendees register by September 16. For any questions, please email Tierney.DeRobertis@ropesgray.com.

fingerprint-4703841

Ropes & Gray data, privacy & cybersecurity associate Matthew Cin spoke with  Law360, about Illinois’s recent amendments to its Biometric Information Privacy Act (BIPA). Ever since it was enacted in 2008, BIPA, which can restrict companies from collecting and sharing biometric data without data subjects’ consent, has been a source of privacy-related litigation and prompted confusion around what constitutes a violation for the purpose of calculating damages. The amendments, which were signed into law earlier this month, provide clarity that a company only violates the statute once, even if it collects biometric data multiple times from the same person, using the same means. Read the full Law360 article here, and see further analysis of the amendments in our blog post here.