
Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Since late 2022, terms like “large language models,” “chat-bots,” and “natural language processing models” increasingly have been used to describe artificial intelligence (AI) programs that collect data and respond to questions in a human-like fashion, including Bard and ChatGPT. Large language models collect data from a wide range of online sources, including books, articles, social media accounts, blog posts, databases, websites, and other general online content. They then provide logical and organized feedback in response to questions or instructions posed by users. The technology is capable of improving its performance and otherwise building its knowledge base through its internal analysis of user interactions, including the questions that users ask and the responses provided. These AI programs have a variety of applications and benefits, but businesses should be aware of potential privacy and other risks when adopting the technology.

On February 17, 2023, the FTC brought its first civil enforcement action under the Telemarketing Sales Rule, 16 C.F.R. Part 310 (“TSR”), in nearly one year.  In U.S. v. Stratics Networks Inc., et al., which was filed in the U.S. District Court for the Southern District of California, the FTC seeks to stop a group of companies and individuals that it claims are “responsible for delivering tens of millions of unwanted Voice Over Internet Protocol (VoIP) and ringless voicemail (RVM) phony debt service robocalls to consumers nationwide.”  Because the FTC is seeking civil penalties, the Complaint was filed by the Department of Justice on behalf of the FTC.

In an eye-opening 4-3 decision issued on Friday, the Illinois Supreme Court ruled that a separate Biometric Information Privacy Act (“BIPA”) claim accrues “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Cothron v. White Castle System, Inc., 2023 IL 128004 ¶ 45. The decision may have staggering consequences for all pending BIPA cases, converting what might have been a single claim into thousands of separate claims for $1,000 or $5,000 (depending on whether the violation is negligent or willful). The impact of the decision is even more severe in light of the Illinois Supreme Court’s recent decision in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, applying a five-year statute of limitations to all BIPA claims.

Topics: Biometrics, BIPA

The Illinois Supreme Court has issued its highly anticipated ruling in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, which expands the statute of limitations period for certain claims under the Biometric Information Privacy Act (BIPA) from one year to five years. The Court reversed in part a previous ruling by the appellate court, which held that a one-year limitations period applied to claims under subsections 15(c) and (d) of BIPA, prohibiting the sale and unauthorized disclosure of biometric data, and affirmed the appellate court’s judgment that a five-year period applied to other claims under BIPA.

Topics: Biometrics, BIPA

As seen from the recent release of the ChatGPT artificial intelligence (“AI”) tool, AI technologies have major potential to transform society rapidly. However, the technologies also pose unique potential risks. Because AI risk management is a key component of responsible development and use of AI systems, the National Institute of Standards and Technology last week released its voluntary AI Risk Management Framework, which will be a helpful resource to assist businesses in responsibly incorporating AI into their processes, products and services.

Because the use of passwords alone is a relatively weak method to prove identity, enforcement agencies are ramping up pressure for companies to implement multi-factor authentication (MFA) both internally and for customers of online services. MFA makes it more difficult for cyber threat actors to gain access to networks and information systems if authentication information, such as passwords, is compromised through phishing attacks or other means. Below is information that may be helpful in assessing whether your company should implement MFA, and how to do so.

The Ohio Supreme Court recently ruled that the “Electronic Equipment” endorsement of a property insurance policy does not provide coverage for a policyholder’s losses following a ransomware attack.  In EMOI Servs., LLC. v. Owners Ins. Co., 2022-Ohio-4649 (Ohio 2022), the Ohio Supreme Court reversed an appellate court’s decision which held, among other things, that there was potential coverage under the “Electronic Equipment” endorsement because damage to software could constitute “direct physical loss of or damage” to covered property.  

Last week, the Consumer Financial Protection Bureau (“CFPB”) took a significant step forward in enhancing consumer control over private financial data when it launched a rulemaking process under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act (“Section 1033”). Section 1033 requires the CFPB to implement a rule to allow consumers to access their financial information. Currently, there is no duty under Section 1033 to maintain or keep any information about a consumer. The CFPB has yet to adopt a rule relating to data access, despite its authority to do so.

On October 12, 2022, a jury returned a verdict against the defendant, BNSF Railway Company (“BNSF”), in the first trial in a class action asserting claims under the Illinois Biometric Information Privacy Act (“BIPA”). Shortly thereafter, the Court entered a staggering judgment against BNSF in the amount of $228 million. To the extent that companies operating in Illinois have not already recognized the significant impact of BIPA, they should be paying attention now. While the case seemingly addressed a number of issues that companies have been grappling with in considering the implications of this law, many important questions about BIPA’s reach still persist.

Topics: BIPA

The DOJ recently published guidance regarding website accessibility under the Americans with Disabilities Act (ADA). This guidance reiterated the DOJ’s longstanding position that websites of businesses open to the public (defined as “places of public accommodations” under Title III of the ADA) are required to be accessible to people with disabilities and provided some non-binding indicators of what it means for a website to be accessible. 
