Dante Stella is a creative, logical, and efficient problem solver who focuses his practice on litigation and investigations that involve challenging legal, factual, and data management issues. He also provides non-litigation counseling to clients on information lifecycle management, information infrastructure, and electronic discovery readiness planning.

That whistling sound you hear may not be an old-school newspaper walking past a graveyard—it may well be an AI industry-killing asteroid. On December 27, 2023, the New York Times filed a groundbreaking suit against OpenAI and Microsoft. The Times alleged copyright infringement, vicarious copyright infringement, contributory copyright infringement, violations of the Digital Millennium Copyright Act’s prohibition on removing copyright management, unfair competition, and trademark dilution. The 69-page, 204-paragraph complaint, filed in the Southern District of New York, alleges, among many other things, that:

Continue Reading Will the New York Times Take Down Large Language Models?

The Department of Justice recently announced a “disruption campaign” against the Blackcat ransomware group (aka ALPHV or Noberus), including seizing the group’s darknet website and releasing a decryption tool for victim entities to recover their systems.

Continue Reading ALPHV/Blackcat Ransomware Group Announces New Rule: No Rules…Anything, Anywhere

On October 30, 2023, President Biden signed an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the “Order”). The Order is the most comprehensive federal policy on AI to date and covers a wide range of topics. It sets new standards for AI safety and security, addresses how AI developments could impact individuals’ privacy and civil rights, discusses how the U.S. can continue to be a leader in AI innovation and competition, and much more. This Order closely follows the July 21, 2023, announcement by the Biden administration that seven major AI companies, Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI, voluntarily agreed with the administration to place more guardrails around the development and deployment of AI. The Order has many implications for companies that are developing and deploying AI systems:

Continue Reading Biden’s Executive Order and Its Possible Effects on Companies Developing and Deploying AI Systems

The SEC has been on a cybersecurity tear in 2023, instituting new rules on disclosures of cybersecurity events and threat assessments. But not wanting to let go of the past, it brought suit on October 30 in the Southern District of New York against SolarWinds and its Chief Information Security Officer, Timothy Brown. The SEC based the action on what it saw as mismatches between SolarWinds’ public disclosures and what the SEC saw in its investigation. The case certainly is a first in many ways: the first cybersecurity-related SEC case with allegations of intentional concealment, in which internal controls have figured prominently, and where the SEC brought an action against the CISO personally. This has been blown up in data security media to suggest that CISO is somehow the most dangerous position in a corporation. In reality, this is not IT Armageddon, but there are some practical lessons.

Continue Reading SEC Enforcement Against SolarWinds and Its CISO: Time to Freak Out?

Many businesses think their websites, like a spacecraft following Newton’s laws of motion, should just keep going once established. What may be reasonable in deep space is not particularly safe in the galaxy of data privacy, which is choked with debris, asteroids, and radiation. This fall is as good a time as any to make sure your electronic presence is still on course—especially as more states come online with new laws and regulations in 2024. Consider three questions:

Continue Reading Start Your Website Spring Cleaning – This Fall

One of today’s litigation hot spots has its roots among the cobwebs of ancient data privacy law. The United States today has a patchwork of national data privacy laws, all of which deal with sectors, be it ages of data subjects (like the Children’s Online Protection Act), healthcare patients (the Healthcare Insurance Portability and Accountability Act), or financial customers (the Gramm-Leach-Bliley Act). These laws were all passed before 2001, there has never since been a single comprehensive national data privacy act, and the proposed American Data Privacy and Protection Act has languished in fights about preemption.

We do have precedent for fast action in data privacy laws. The first true national data privacy law – one that required explicit opt-in for sharing of personal data – sailed through the Capitol in one year, in 1987-1988, by a bipartisan vote. Congress only needed the right motivation:

Continue Reading Don’t Forget to Rewind: Replaying Video Privacy Laws.

In data privacy and security, we might have a “forest for the trees” moment right now. And they may not be the trees we expected. By now, you are familiar with the term ESG (Environmental, Social, and Governance). Although the term itself can induce political and social tensions today, it is a shorthand for a basket of intangible aspects of a business that, through the reactions of shareholders, employees, and customers, can affect the bottom line or even enterprise viability. The terminology is new; the underlying concepts of internal and external perception go back to the 1960s, if not much earlier. The danger of this new name lies in divisive cultural issues relating to “E” and “S” overwhelming “G”—governance, an uncontroversial concept crucial to businesses handling personal data.

Continue Reading Focusing on the “G” in ESG: Why it Makes the Most Money Sense for the Short and the Long Haul

On Monday, May 22, the European Data Protection Board (EDPB) published a decision hitting Meta, parent of Facebook, WhatsApp, and Instagram, with a €1.2b ($1.3b) fine for impermissibly transmitting personal information from the European Economic Area (EEA) to the United States. The EDPB described Meta’s activities as “serious” and including “transfers that are systematic, repetitive, and continuous,” and it stated that the fine was intended to serve as a “strong signal to organizations that serious infringements have far-reaching consequences.”

Continue Reading How Much Forgiveness Does $1.3 Billion Buy in the EU?

In between impeaching an Attorney General and creating a new type of business court, the 88th Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA) (H.B. 4), which, once signed by Governor Abbott, will take effect July 1, 2024. State data privacy statutes generally track concepts in Europe’s General Data Protection Regulation (GDPR), including notices of data collection, data subject rights (knowing what data a business has, correcting it, deleting it, opting out of certain uses of personal data, etc.), and restrictions on use or transfer of personal data. Texas, which would join nine other states in enacting “comprehensive” data privacy regulations, has added some twists and traps for the unwary, particularly midsized businesses engaging in interstate commerce. Here are three notable features of the TDPSA.

Continue Reading Texas Passes One of the Strongest Data Privacy Laws in the Nation

The United Kingdom may be headed for a major break from EU GDPR. In mid-2022, the UK began studying potential reform of GDPR. This was revived with the United Kingdom’s Data Protection and Digital Information (No. 2) Bill (Bill 265, 58/3), introduced on March 8, 2023. It includes 106 groups of line-item amendments to the General Data Protection Act 2018 (UK GDPR). Particularly significant is a modification to what qualifies as “personal data” under the prior act (and the EU GDPR). Article 4(1) of GDPR (and present UK GDPR) sweeps into “personal data”:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

(emphasis added).

Continue Reading UK GDPR Reform: A Bridge Too Far?