Merck’s settlement last week over its $1.4 billion claim tied to a 2017 Russian-linked “NotPetya” cyberattack leaves a major question in cybersecurity and international law anything but settled – can a “cyberattack” ever be considered an “attack” under the international laws of war? The insurance dispute is hardly the first time cybersecurity has been linked to nation-state security – as far back as 2014, China’s now President Xi Jinping declared that “without cybersecurity there is no national security” – but how did a major pharmaceutical chain’s insurance claim become a potential battleground for litigating the definition of war in the 21st century?Continue Reading Merck Insurance Settlement Leaves Debate over Cyberwar and Cyberinsurance Unsettled

Megan Baca moderated Ropes & Gray’s annual “From the Boardroom” panel – held in San Francisco during the 2024 J.P. Morgan Healthcare Conference – which this year looked at the role of artificial intelligence and big data in the context of dealmaking. It can feel hard to escape AI at the moment, with some debate as to whether AI is currently over-hyped or in fact at a transformational tipping point. Continue Reading Dealmaking with AI and Big Data – Charting the new frontier in life sciences

On December 20, 2023, the National Institute of Standards and Technology (“NIST”) National Cybersecurity Center of Excellence (“NCCoE”) published its Cybersecurity of Genomic Data report (the “Report”).  The Report aims to assist organizations in protecting against misuse of genomic data and enabling secure collaborative innovations.  Note, however, that the Report is not authoritative with respect to its assessment of the treatment of genomic data under the current U.S. regulatory framework, including with respect to the identifiability of such information.Continue Reading NIST Cybersecurity Center of Excellence – Cybersecurity of Genomic Data Report 

In a Law360 article, co-authored by data, privacy & cybersecurity partner Fran Faircloth and associate May Yang, the team reflect on 2023 Global AI highlights, noting “2023 stands out as a landmark year for artificial intelligence and for generative AI in particular.”

“The launch of OpenAI’s ChatGPT in late 2022 marked a turning point, igniting a global race among tech companies and investors to harness and evolve this burgeoning technology,” said Fran and May. This development brings a myriad of legal implications, touching on intellectual property challenges, data privacy and cybersecurity risks, and ethical considerations in AI Deployment.Continue Reading Reviewing 2023’s Global AI Landscape Across Practice Areas

On November 13, 2023, New York Governor Kathy Hochul announced the release of proposed statewide hospital cybersecurity regulations that would require state-licensed hospitals to establish cybersecurity programs, policies and procedures (the “Proposed Regulations”). The Proposed Regulations feature requirements regarding cybersecurity policies and procedures, personnel, user authentication methods, security risk assessments, incident response plans, and two-hour

On November 1, 2023, New York Governor Kathy Hochul announced that the New York Department of Financial Services (“NYDFS”) finalized amendments to its Part 500 Cybersecurity Regulations (“Final Amendments”)—the first significant change to the regulations since their inception in March 2017. The Final Amendments generally track previous NYDFS proposed amendments—including the November 9, 2022 proposal that we covered here—with certain important changes.Continue Reading NYDFS Finalizes Significant Amendments to its Cybersecurity Regulations

On July 26, 2023, the Securities and Exchange Commission (the “SEC”) voted 3–2 to adopt rules requiring public companies to disclose material cybersecurity incidents as well as information regarding their cybersecurity risk management, strategy, and governance (the “Cybersecurity Disclosure Rules” or “Final Rules”).1 The Final Rules require disclosure of “material cybersecurity incidents”. The disclosure must be made within four business days from the date on which a cybersecurity incident is determined to be “material” as opposed to four business days from the date on which the occurrence of an incident is discovered; although, that distinction may be difficult to implement in practice. Covered entities, which include all issuers that file annual reports on Form 10-K or Form 20-F, should promptly review their cybersecurity protocols and procedures to address further required disclosure items.2Continue Reading SEC Adopts Final Rules on Public Company Cybersecurity Disclosures

Ropes & Gray, in partnership with Mass Insight Global Partnerships, hosts and presents the Data Insights webinar series. This series focuses on bringing together business people, academics and researchers, and government policy makers to discuss issues associated with the collection and use of data to address significant problems across a broad range of contexts. The