On October 2, 2024, the New York State Department of Health (“NYSDOH”) finalized and adopted new hospital cybersecurity regulations. Effective immediately, hospitals in New York State are required to report to NYSDOH as promptly as possible, but not later than 72 hours after, determining that a cybersecurity incident has occurred. A cybersecurity incident is an
Navigating Cyber Risks: Learning from Outages
Last Friday arrived with the crash of millions of Windows computers used by companies across the globe, including critical infrastructure sectors such as hospitals, banks, airlines, and government agencies. Despite quick retraction of the cause, cascading effects continued throughout the day and into the weekend, demonstrating the widespread impact and significant business interruption losses. The outage is expected to trigger more stringent cybersecurity regulations, changes in cybersecurity governance, and adjustments to cyber insurance policies.
Practical Considerations for Government Contractors Following Recent DOJ Cyber-Fraud Initiative Settlements
In 2021, the U.S. Department of Justice (“DOJ”) announced the launch of the Cyber-Fraud Initiative, a program utilizing the False Claims Act (“FCA”) to “pursue cybersecurity related fraud by government contractors and grant recipients.” Although the Initiative has netted fewer than 10 settlements, the two most recent serve as a reminder that data breaches with respect to government contracts can result in FCA exposure.
In its most recent enforcement effort as part of this Initiative, DOJ reached settlements with two consulting companies—Guidehouse Inc. (“Guidehouse”) and Nan McKay and Associates (“Nan McKay”)—in which both accepted responsibility for failing to comply with cybersecurity requirements in a federally funded contract and agreed to pay a total of $11.3 million to resolve related False Claims Act allegations.
This article explores implications of the settlements, as well as practical considerations for the industry.
Change Healthcare Cyberattack: HHS OCR Publishes Early Guidance on Breach and UnitedHealth Group Provides Critical Status Update
On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching…
New Cross-Sector 72 Hour Data Breach Requirements for Critical Infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) has issued its Notice of Proposed Rulemaking (NPRM) to establish the first cross-sectoral federal cybersecurity incident and ransomware payment reporting system.
As noted in an alert in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law just over two…
NIST Publishes Long-Awaited Cybersecurity Framework 2.0
On February 26, 2024, the National Institute of Standards and Technology (“NIST”) released version 2.0 of its Cybersecurity Framework (“CSF 2.0”)—the first significant update to the cybersecurity guidance since its initial publication a decade ago.[1] While the original guidance was tailored to critical infrastructure entities, the new version has a broader scope and applies to organizations of all sizes across industries, from large corporations with robust data protection infrastructure to small schools and nonprofits that may lack cybersecurity sophistication.[2] CSF 2.0 notably incorporates new sections on corporate governance responsibilities and supply chain risks; additionally, NIST has released supplemental implementation guides and reference tools that can assist organizations in measuring cybersecurity practices and honing data protection priorities.[3]
The Data Day: Protecting Your Company and Your Data in the Wake of a Cyber Incident
Tune in to Ropes & Gray’s podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and…
Merck Insurance Settlement Leaves Debate over Cyberwar and Cyberinsurance Unsettled
Merck’s settlement last week over its $1.4 billion claim tied to a 2017 Russian-linked “NotPetya” cyberattack leaves a major question in cybersecurity and international law anything but settled – can a “cyberattack” ever be considered an “attack” under the international laws of war? The insurance dispute is hardly the first time cybersecurity has been linked to nation-state security – as far back as 2014, China’s now President Xi Jinping declared that “without cybersecurity there is no national security” – but how did a major pharmaceutical company’s insurance claim become a potential battleground for litigating the definition of war in the 21st century?
Dealmaking with AI and Big Data – Charting the new frontier in life sciences
Megan Baca moderated Ropes & Gray’s annual “From the Boardroom” panel – held in San Francisco during the 2024 J.P. Morgan Healthcare Conference – which this year looked at the role of artificial intelligence and big data in the context of dealmaking. It can feel hard to escape AI at the moment, with some debate as to whether AI is currently over-hyped or in fact at a transformational tipping point.
NIST Cybersecurity Center of Excellence – Cybersecurity of Genomic Data Report
On December 20, 2023, the National Institute of Standards and Technology (“NIST”) National Cybersecurity Center of Excellence (“NCCoE”) published its Cybersecurity of Genomic Data report (the “Report”). The Report aims to assist organizations in protecting against misuse of genomic data and enabling secure collaborative innovations. Note, however, that the Report is not authoritative with respect to its assessment of the treatment of genomic data under the current U.S. regulatory framework, including with respect to the identifiability of such information.