2024 was a record year for cyberattacks in the healthcare sector. According to the Breach Portal maintained by the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”), to date this year there have been more than 530 breaches of protected health information (“PHI”) affecting 500 or more individuals. 2024 also saw the largest known breach of PHI at a HIPAA-regulated entity: the Russia-linked cybercrime organization BlackCat/ALPHV executed a ransomware attack on Change Healthcare, Inc., the payment processor owned by UnitedHealth, which affected the records of more than 100 million individuals.

Continue Reading A Flurry of Healthcare Sector Cybersecurity Regulatory Developments in 2024

While there are many significant federal laws and regulations related to cybersecurity, states have led the way in regulating this area on a general, sector-agnostic basis, with the most notable and widely acknowledged state cybersecurity provisions being state data breach notification laws. However, more recently, states have focused on passing comprehensive privacy, rather than security, laws, and 2025 promises to be a continuation of this trend, with eight additional comprehensive state privacy laws coming into effect next year.

Continue Reading Making a List and Checking it Twice: Navigating State Privacy and Security Regulations This Year

In the six years since the EU’s General Data Protection Regulation (“GDPR”) took effect, governments around the world have updated their data protection laws to reflect the seismic changes in data processing that were created with the introduction of the smartphone. Having been in place for nearly 40 years, Australia’s Privacy Act (1988) has been a notable outlier – but that is now changing, with significant reforms to the country’s data protection regime being introduced in the latter half of 2024.

Continue Reading Australia’s Privacy Reforms: Claus for Concern?

Ropes & Gray Data, Privacy & Cybersecurity senior associate Matthew Cin spoke with Law360 about an emerging split among Illinois state and federal courts over the question of whether recent amendments to Illinois’s Biometric Information Privacy Act (“BIPA”) are retroactive. In November 2024, the U.S. District Court for the Northern District of Illinois issued two orders nearly one week apart with directly conflicting interpretations and conclusions as to whether the amendments are retroactive or prospective. In light of these developments, careful attention to BIPA requirements remains critical. Read the full Law360 article here.

While students are about to embark on their holiday break, there is no such luck for educational technology (“EdTech”) providers. Privacy, cybersecurity, and artificial intelligence compliance obligations have proliferated over the past year, with no signs of slowing down. While it is hard to keep track of the numerous regulations and proposals on the state and federal level, below, I have highlighted a few issues for EdTech providers to monitor in the coming year.

Continue Reading No Holiday Break for EdTech Compliance

Throughout 2024, financial sector regulators sharpened their focus on data protection and cybersecurity issues impacting financial institutions and the public. Key federal agencies like the Securities and Exchange Commission (“SEC”), the Federal Trade Commission (“FTC”), and the Consumer Financial Protection Bureau (“CFPB”) have been joined by state regulators, such as the New York Department of Financial Services (“NYDFS”), in proposing and finalizing significant rulemaking, pursuing novel enforcement actions, and issuing influential guidance. 2025 promises to be a continuation of this considerable trend.

Continue Reading Dashing Through Cybersecurity Regulations in the Financial Services Sector in 2024

On 30 November 2022, OpenAI made its ChatGPT generative artificial intelligence chatbot publicly available. In the two years since, its unprecedented growth has fostered a dramatic shift in public attention to and interest in all forms of AI. Now, the possibilities and risks presented by the continued development of AI are also firmly at the top of mind for businesses and regulators across the world.

Continue Reading New Year’s Resolutions: What 2025 Holds for AI Regulation

Although 2024 saw several states enact comprehensive privacy legislation, another year is nearly gone, and we still do not have a comprehensive federal privacy law to resolve the rapidly evolving patchwork of state laws. Despite the lack of comprehensive federal privacy legislation, privacy and cybersecurity were hot-button issues across key federal agencies, such as the FTC and FCC, with significant enforcement activity throughout the year. In this edition of our Twelve Days of Data series, we highlight key developments at a few of these agencies.

To no surprise, the Federal Trade Commission (FTC) was intensely focused on privacy and cybersecurity throughout 2024. We also saw important activity out of the Federal Communications Commission (FCC), which, among other things, issued guidance regarding the Telephone Consumer Protection Act (TCPA).

Continue Reading Key Privacy and Cybersecurity Watchdogs Make Their Naughty Lists

The National Institute of Standards and Technology (NIST) has been a leading voice in cybersecurity standards since 2013, when President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity tasked NIST, which is embedded within the Department of Commerce, with developing and updating a cybersecurity framework for reducing cyber risks to critical infrastructure. The first iteration of that framework was released in 2014, and Versions 1.1 and 2.0 followed in 2018 and 2024. NIST guidance has also expanded to include a privacy framework, released in 2020, and an AI risk management framework, released in 2023. This year, NIST made updates to both its cybersecurity and AI risk management frameworks and created a holistic data governance model that aims to provide a comprehensive approach for entities to address issues like data quality, privacy, security, and compliance, leveraging the various NIST frameworks under a unified data governance structure to help framework users address broader organizational risks. A retrospective of these developments and predictions for 2025 are detailed in this post.

Continue Reading A Very Merry NISTmas: 2024 Updates to the Cybersecurity and AI Framework

Data breaches made headlines throughout 2024, affecting governments, health care groups, and telecoms. Follow-on litigation has kept pace. Nearly 4,000 class actions involving data privacy issues are estimated to be filed in federal courts by the end of this year.

Growth in litigation meant that 2024 saw legal developments in several areas including standing to sue and web video suits. Increased attention on cybersecurity and privacy incidents unsurprisingly corresponded with active SEC enforcement and derivative suits related to inadequate data security.

Continue Reading Unwrapping 2024’s Key Trends in Data Privacy Litigation