On October 30, 2023, President Biden signed an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the “Order”). The Order is the most comprehensive federal policy on AI to date and covers a wide range of topics. It sets new standards for AI safety and security, addresses how AI developments could impact individuals’ privacy and civil rights, discusses how the U.S. can continue to be a leader in AI innovation and competition, and much more. This Order closely follows the July 21, 2023, announcement by the Biden administration that seven major AI companies, Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and Open AI, voluntarily agreed with the administration to place more guardrails around the development and deployment of AI. The Order has many implications for companies that are developing and deploying AI systems:

Continue Reading Biden’s Executive Order and Its Possible Effects on Companies Developing and Deploying AI Systems

The Big Apple now demands big commitments from financial institutions regarding cybersecurity practices. Yesterday, the New York State Department of Financial Services (“NYDFS”) adopted its second set of amendments to its 2015 “Cybersecurity Requirements For Financial Services Companies” (“Amended Cybersecurity Regulation”), with some amendments immediately going into effect. The law requires “covered entities,” including but limited to financial institutions or insurance providers authorized to conduct business in New York, to implement and maintain a cybersecurity program, to report cybersecurity events, and to annually certify their compliance with the law. The Amended Cybersecurity Regulation now requires:

Continue Reading Security State of Mind: Amendments to NYDFS’s Cybersecurity Regulation Go Live

The SEC has been on a cybersecurity tear in 2023, instituting new rules on disclosures of cybersecurity events and threat assessments. But not wanting to let go of the past, it brought suit on October 30 in the Southern District of New York against SolarWinds and its Chief Information Security Officer, Timothy Brown. The SEC based the action on what it saw as mismatches between SolarWinds’ public disclosures and what the SEC saw in its investigation. The case certainly is a first in many ways: the first cybersecurity-related SEC case with allegations of intentional concealment, in which internal controls have figured prominently, and where SEC brought an action against the CISO personally. This has been blown up in data security media to suggest that CISO is somehow the most dangerous position in a corporation. In reality, this is not IT Armageddon, but there are some practical lessons.

Continue Reading SEC Enforcement Against SolarWinds and Its CISO: Time to Freak Out?

Many businesses think their websites, like a spacecraft following Newton’s laws of motion, should just keep going once established. What may be reasonable in deep space is not particularly safe in the galaxy of data privacy, which is choked with debris, asteroids, and radiation. This fall is as good a time as any to make sure your electronic presence is still on course—especially as more states come online with new laws and regulations in 2024. Consider three questions:

Continue Reading Start Your Website Spring Cleaning – This Fall

This year, the Cook County docket has seen an influx of class action claims seeking redress under an older Illinois privacy statute, the Genetic Information Privacy Act (GIPA), no doubt due to the statute’s extreme statutory damage provisions. GIPA, enacted in 1998, provides a private right of action and permits recovery for actual damages or for statutory damages of $2,500 per negligent violation and $15,000 per intentional or reckless violation of the statute. The potential for massive awards has clearly caught the eye of the plaintiff’s bar. Indeed, despite sporadic filings over the past decade, nearly 30 cases have been brought under GIPA in 2023 in Cook County alone, the majority of which have been filed in the last two months.

Continue Reading Employers Beware – New Life for an Old Statute: Cook County Class Action Litigation Under the Genetic Information Privacy Act

In a very short time, AI has evolved from an abstract idea to a practical tool. This demands legal thinking that can account for its use. AI as a concept began in the 1950s when well-known mathematician and scientist Alan Turing conceptualized using computers to simulate intelligent behavior and critical thinking. However, even though labs developed checkers and chess programs in the 1950s and rudimentary chatbots by the 1960s, hardware and software constraints made AI inaccessible to most people until the 2000s, when developers began to integrate deep learning into AI applications. Today, cell phones, computers, and other intelligent machines perform complicated functions that once only inhabited human imagination and (science) fiction. For example, map applications use AI to help drivers efficiently navigate traffic; social media applications use AI in facial recognition functions; digital devices use AI for voice recognition commands; and cars are increasingly self-driving with the help of AI. In addition, businesses use AI to predict consumer trends, monitor employees, and make important financial decisions such as approving loans and deciding customers’ insurance policies. The potential applications of AI are still being realized, and the possibilities seem endless.

Continue Reading An Overview of AI

One of today’s litigation hot spots has its roots among the cobwebs of ancient data privacy law. The United States today has a patchwork of national data privacy laws, all of which deal with sectors, be it ages of data subjects (like the Children’s Online Protection Act), healthcare patients (the Healthcare Insurance Portability and Accountability Act), and financial customers (the Gramm-Leach-Bliley Act). These laws were all passed before 2001, there has never since been a single comprehensive national data privacy act, and the proposed American Data Privacy and Protection Act has languished in fights about preemption.

We do have precedent for fast action in data privacy laws. The first true national data privacy law – one that required explicit opt-in for sharing of personal data – sailed through the Capitol in one year, in 1987-1988, by a bipartisan vote. Congress only needed the right motivation:

Continue Reading Don’t Forget to Rewind: Replaying Video Privacy Laws.

In data privacy and security, we might have a “forest for the trees” moment right now. And they may not be the trees we expected. By now, you are familiar with the term ESG (Environmental, Social, and Governance). Although the term itself can induce political and social tensions today, it is a shorthand for a basket of intangible aspects of a business that, through the reactions of shareholders, employees, and customers, can affect the bottom line or even enterprise viability. The terminology is new; the underlying concepts of internal and external perception go back to the 1960s, if not much earlier. The danger of this new name lies in divisive cultural issues relating to “E” and “S” overwhelming “G”—governance, an uncontroversial concept crucial to businesses handling personal data.

Continue Reading Focusing on the “G” in ESG: Why it Makes the Most Money Sense for the Short and the Long Haul

The Securities and Exchange Commission (SEC) has taken a significant step in bolstering cybersecurity disclosures for public companies by adopting new rules that aim to provide investors with comprehensive and standardized information on cyber risk management, strategy, governance, and incidents. These rules build upon previous interpretive guidance issued by the SEC.

Continue Reading SEC Adopts New Cybersecurity Disclosure Requirements

On Monday, May 22, the European Data Protection Board (EDPB) published a decision hitting Meta, parent of Facebook, WhatsApp, and Instagram, with a €1.2b ($1.3b) fine for impermissibly transmitting personal information from the European Economic Area (EEA) to the United States. The EDPB described Meta’s activities as “serious” and including “transfers that are systematic, repetitive, and continuous,” and it stated that the fine was intended to serve as a “strong signal to organizations that serious infringements have far-reaching consequences.”

Continue Reading How Much Forgiveness Does $1.3 Billion Buy in the EU?