Photo of Matthew T. Hays

Matt Hays is a go-to advisor in matters relating to data sensitive projects, agreements, services and investigations. He has worked extensively with clients as they wrangle with the explosion of innovative and complicated artificial intelligence driven technologies, including the deployment of generative AI tools through internal development or sourced from a technology provider. With a background in engineering and patent law, Matt possesses a unique ability to quickly understand and assess new and complicated technologies to advise on the legal risk to your business. Working with clients in the insurance, health, tech and financial services industries, Matt’s wide experience brings a holistic approach to compliance projects that ends with a solution, and not at just identifying the problem.

In Greek mythology, Sisyphus was punished by Hades for cheating death (twice) by forcing him to roll an immense boulder up a hill only for it to roll back down every time it neared the top. AI stakeholders know the feeling. Attempting to keep pace with the downpour of artificial intelligence-related regulation, guidance, rules and requirements emerging over the past two years feels like a mythical challenge.

At any point in time, there are 50 U.S. states, five inhabited territories, the White House, a federal district, a dozen federal agencies, a hundred-odd state agencies and a couple thousand municipalities all tackling the same question: what are the rules for a safe, legal and generally non-evil deployment of artificial intelligence tools?

Different regulators have come up with different answers to that question. What have they focused on so far?Continue Reading Understanding Trends in AI Legislation

Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.

What were the partial exemptions?

Continue Reading CCPA/CPRA Set To Cover Employee, Job Applicant, and Business Personal Information: A Trap for the Unwary?

It has been impossible to ignore the constant spam of news articles detailing the epidemic of malicious attempts at data disruption and theft. While the cybersecurity risks of ransomware, malicious data extraction, and business e-mail compromise have been top of mind for professionals in heavily regulated industries for some time now, data from 2020 and the first half of 2021 compels an alarming new conclusion: cybercriminals are no longer a problem just for banks, health care organizations and oil pipelines to worry about. Businesses from a wide range of previously untargeted industries are now squarely in the cross-hairs of malicious threat actors.
Continue Reading Cybercriminals Finding Success In Targeting New Industries

Despite its unassuming name, the EARN IT Act has substantial cybersecurity implications, its relative obscurity in today’s coronavirus-obsessed headlines notwithstanding. The Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT”) Act has already caught the ire of the collective internet and technology spheres due to its dramatic alteration of the safe harbor provisions of Section 230 of the Communications Decency Act (Title V of the Telecommunications Act Of 1996). Although still in the early stages of the legislative process, curbing Section 230’s protections has already garnered substantial support from leaders in both parties, including Joe Biden and Ted Cruz. Therefore, EARN IT’s progress merits close monitoring.
Continue Reading Putting in the Work: What Does the EARN IT Act Have in Store for Average Businesses

Passed in 2008, the Illinois Biometric Information Privacy Act (BIPA) regulates collection of biometric markers such as fingerprints or facial metrics. Since its passage, the Illinois BIPA has been used to restrict technology giants and their use of users’ personal information, particularly photographs. To understand the scale of this, Facebook reported in a 2013 whitepaper that its users have uploaded more than 250 billion photos. It was estimated in 2017 that the total number of digital photos stored in electronic databases was around 5 trillion.

Documenting and categorizing the faces of a significant percentage of the world’s population represents a major opportunity for technology and data companies. Ten years into enforcement and a figurative eternity into the technological evolution of the process, the Illinois BIPA has been an unavoidable feature of the big data landscape. Though potentially impactful cases remain pending (or on appeal), technology companies largely have been unable to convince courts that their facial recognition technologies should escape regulation under BIPA. 
Continue Reading Technology Defendants Continue to Test Whether the Illinois BIPA Law Can Cope with Modern Facial Recognition Technology