Data Security

Subscribe to Data Security via RSS

One of the most valuable AI companies in the world may have just accidentally given away one of its crown jewels and immediately turned to copyright law to limit the damage. On March 31, 2026, Anthropic accidentally exposed the source code for Claude Code, one of its most valuable AI products. The company issued Digital Millennium Copyright Act (DMCA) takedown requests that removed over 8,000 copies of the leaked code from GitHub. However, within hours of the leak, and before those takedown requests could be processed, a developer used AI to translate the entire codebase into a new Python repository that became the fastest-growing in GitHub history. This all comes at a time when AI companies are relying heavily on fair use as a defense in their mounting copyright infringement lawsuits over their use of copyrighted works to train their models, and as courts have made it clear that copyright law does not recognize AI as an author. This article examines how copyright law applies to AI-generated works and what the AI Code leak reveals about the tensions at the heart of AI and intellectual property.

Continue Reading AI Code Leak Exposes the Fault Lines of Copyright

Key Takeaways:

  • The Minnesota Consumer Data Privacy Act (the “Act”) follows established trends regarding transparency, data minimization, and required assessments, but represents the next evolution in consumer rights under U.S. state-by-state privacy legislation.
  • The Act provides consumers with special rights related to profiling, that is, automated processing of personal data to evaluate, analyze, or predict personal aspects of an individual, including through AI, not found in other state laws.
  • The Act requires covered organizations to adapt and expand their existing compliance programs in order to respond to these new consumer rights.

Summary:

Starting July 31, Minnesota will join the growing list of U.S. states with its own comprehensive consumer data privacy law, but with a key difference. Signed into law in 2024, the Minnesota Consumer Data Privacy Act follows the broader national trend toward stronger data protection and use standards. Like other U.S. state privacy laws, the Act requires covered organizations to:

Continue Reading The Minnesota Consumer Data Privacy Act Is the Next Evolution in Consumer Privacy Rights

We’re not playing horseshoes here, folks. It’s time to review your consumer privacy rights forms and mechanisms.

Key Takeaways

  • The fields relating to requests to opt-out of sale/sharing and requests to limit should only solicit the information strictly necessary to complete the request, which is likely less than the other more substantive requests (like access and delete). This applies to authorized agent opt-out requests as well.
  • For the more substantive requests (like access and delete), re-evaluate how much information is actually necessary for you to fulfill the consumer’s request. Ensure your form is not asking for anything extraneous.
  • Review your cookie consent toggles to ensure that the exact number of steps are involved in opting-out of certain cookies as they are for opting-in.
  • Ensure you have CCPA-compliant contracts with your advertising technology providers saved in your files.
Continue Reading Close Enough Is Not Good Enough When It Comes to Consumers’ Privacy Rights

The Department of Justice recently announced a “disruption campaign” against the Blackcat ransomware group (aka ALPHV or Noberus), including seizing the group’s darknet website and releasing a decryption tool for victim entities to recover their systems.

Continue Reading ALPHV/Blackcat Ransomware Group Announces New Rule: No Rules…Anything, Anywhere

The SEC has been on a cybersecurity tear in 2023, instituting new rules on disclosures of cybersecurity events and threat assessments. But not wanting to let go of the past, it brought suit on October 30 in the Southern District of New York against SolarWinds and its Chief Information Security Officer, Timothy Brown. The SEC based the action on what it saw as mismatches between SolarWinds’ public disclosures and what the SEC saw in its investigation. The case certainly is a first in many ways: the first cybersecurity-related SEC case with allegations of intentional concealment, in which internal controls have figured prominently, and where SEC brought an action against the CISO personally. This has been blown up in data security media to suggest that CISO is somehow the most dangerous position in a corporation. In reality, this is not IT Armageddon, but there are some practical lessons.

Continue Reading SEC Enforcement Against SolarWinds and Its CISO: Time to Freak Out?

Many businesses think their websites, like a spacecraft following Newton’s laws of motion, should just keep going once established. What may be reasonable in deep space is not particularly safe in the galaxy of data privacy, which is choked with debris, asteroids, and radiation. This fall is as good a time as any to make sure your electronic presence is still on course—especially as more states come online with new laws and regulations in 2024. Consider three questions:

Continue Reading Start Your Website Spring Cleaning – This Fall

One of today’s litigation hot spots has its roots among the cobwebs of ancient data privacy law. The United States today has a patchwork of national data privacy laws, all of which deal with sectors, be it ages of data subjects (like the Children’s Online Protection Act), healthcare patients (the Healthcare Insurance Portability and Accountability Act), and financial customers (the Gramm-Leach-Bliley Act). These laws were all passed before 2001, there has never since been a single comprehensive national data privacy act, and the proposed American Data Privacy and Protection Act has languished in fights about preemption.

We do have precedent for fast action in data privacy laws. The first true national data privacy law – one that required explicit opt-in for sharing of personal data – sailed through the Capitol in one year, in 1987-1988, by a bipartisan vote. Congress only needed the right motivation:

Continue Reading Don’t Forget to Rewind: Replaying Video Privacy Laws.

On Monday, May 22, the European Data Protection Board (EDPB) published a decision hitting Meta, parent of Facebook, WhatsApp, and Instagram, with a €1.2b ($1.3b) fine for impermissibly transmitting personal information from the European Economic Area (EEA) to the United States. The EDPB described Meta’s activities as “serious” and including “transfers that are systematic, repetitive, and continuous,” and it stated that the fine was intended to serve as a “strong signal to organizations that serious infringements have far-reaching consequences.”

Continue Reading How Much Forgiveness Does $1.3 Billion Buy in the EU?

In between impeaching an Attorney General and creating a new type of business court, the 88th Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA) (H.B. 4), which, once signed by Governor Abbott, will take effect July 1, 2024. State data privacy statutes generally track concepts in Europe’s General Data Protection Regulation (GDPR), including notices of data collection, data subject rights (knowing what data a business has, correcting it, deleting it, opting out of certain uses of personal data, etc.), and restrictions on use or transfer of personal data. Texas, which would join nine other states in enacting “comprehensive” data privacy regulations, has added some twists and traps for the unwary, particularly midsized businesses engaging in interstate commerce. Here are three notable features of the TDPSA.

Continue Reading Texas Passes One of the Strongest Data Privacy Laws in the Nation