In December 2024, New York Governor Kathy Hochul signed into law two bills (A8872A and S2376B; collectively, the “Bills”) that amend New York’s Data Breach Notification Law.1 The Bills introduce a maximum thirty-day timeframe for notifying affected New York residents of a reportable “breach of the security of the system”2 under
Privacy/Data Protection
Biden Administration Finalizes Its Last Changes To Health Data Interoperability and Information Blocking Regulations
In December 2024, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (“ASTP/ONC”) within the U.S. Department of Health and Human Services (“HHS”) published two final rules that establish health data interoperability and information blocking regulations (the “New HTI Final Rules”).
The New HTI Final Rules will affect Trusted Exchange…
DOJ Issues Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and Other Countries of Concern
On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024…
Meet the In-Laws: the UK’s Digital Legislative Agenda for 2025
After its election to power in July 2024, the newly formed Labour government wasted little time in announcing its legislative priorities for the coming year. Unsurprisingly, these priorities included several proposed Bills relating to data protection, cybersecurity and digital regulation. At the time of writing, only one of these Bills—the Data (Use and Access) Bill (“DUAB”)—has been introduced to Parliament, with the others expected to follow in early 2025.Continue Reading Meet the In-Laws: the UK’s Digital Legislative Agenda for 2025
Making a List and Checking it Twice: Navigating State Privacy and Security Regulations This Year
While there are many significant federal laws and regulations related to cybersecurity, states have led the way in regulating this area on a general, sector-agnostic basis, with the most notable and widely acknowledged state cybersecurity provisions being state data breach notification laws. However, more recently, states have focused on passing comprehensive privacy, rather than security, laws, and 2025 promises to be a continuation of this trend, with eight additional comprehensive state privacy laws coming into effect next year. Continue Reading Making a List and Checking it Twice: Navigating State Privacy and Security Regulations This Year
Australia’s Privacy Reforms: Claus for Concern?
In the six years since the EU’s General Data Protection Regulation (“GDPR”) took effect, governments around the world have updated their data protection laws to reflect the seismic changes in data processing that were created with the introduction of the smartphone. Having been in place for nearly 40 years, Australia’s Privacy Act (1988) has been a notable outlier – but that is now changing, with significant reforms to the country’s data protection regime being introduced in the latter half of 2024.Continue Reading Australia’s Privacy Reforms: Claus for Concern?
In Law360, Matthew Cin Discusses the Emerging Split on BIPA Retroactivity
Ropes & Gray Data, Privacy & Cybersecurity senior associate Matthew Cin spoke withLaw360 about an emerging split among Illinois state and federal courts over the question of whether recent amendments to Illinois’s Biometric Information Privacy Act (“BIPA”) are retroactive. In November 2024, the U.S. District Court for the Northern District of Illinois issued two…
DOJ Issues Notice of Proposed Rulemaking to Restrict Flow of Bulk Sensitive Personal Data to China and other Countries of Concern
On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This follows the DOJ’s publication of its Advance Notice of Proposed Rulemaking earlier this year. …
Pennsylvania Strengthens Data Breach Notification Law
On June 28, 2024, Pennsylvania enacted amendments to its Breach of Personal Information Notification Act (“BPINA”). These amendments contain a number of significant changes, including clarifying a key definition, adding a new notification obligation to the Attorney General, requiring organizations to provide credit monitoring services, and reducing the threshold to notify consumer reporting agencies. These amendments—which take effect today, September 26, 2024—bring Pennsylvania in line with many other states that have taken steps to strengthen their respective data breach notification laws.Continue Reading Pennsylvania Strengthens Data Breach Notification Law
Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas
On Friday, August 2, Governor J.B. Pritzker of Illinois signed into law SB2979, an amendment to the state’s landmark biometric privacy law. The amendment offers a welcome step forward to correcting the rapid overexpansion of potential damages associated with violations of the law without curbing any of its privacy protections. The measure amends the state’s Biometric Information Privacy Act (“BIPA”) in two significant ways. First, the law, as amended now expressly includes electronic signatures as a form of “written release.” Second, the amendment limits actions for recovery to a maximum of one violation per plaintiff, rather than one violation per instance of collection or transmission of biometric information. This post examines the amendment and its impacts on businesses collecting biometric information in the state. We also highlight notable biometric privacy developments in Texas.Continue Reading Biometric Privacy Update: Illinois Legislature Balances BIPA, but Don’t Mess with Texas