Legal developments in data, privacy, cybersecurity, and other emerging technology issues

Last updated: January 17, 2024

To help privacy practitioners keep track of new state laws, below is a chart containing links to the major enacted state privacy laws and their respective regulations. Bookmark this page, and we will update this chart periodically as new laws are enacted.

Since the arrival of AI programs like OpenAI’s ChatGPT, Google’s Bard, and other similar technologies (“Generative AI”) in late 2022, more programs have been introduced and several existing programs have been upgraded or enhanced, including ChatGPT’s upgrade to ChatGPT-4. Our previous posts have identified the features and functionality of Generative AI programs and outlined the emerging regulatory compliance requirements related to such programs. This post discusses how regulatory agencies worldwide have begun to address these issues.

In March 2023, the White House released the National Cybersecurity Strategy, which details the Biden administration’s policy and agency directives to strengthen U.S. cybersecurity across the public and private sectors. Cybersecurity regulations and cybersecurity responses affect both U.S. national security and the security and stability of U.S. businesses and individuals. The 2023 National Cybersecurity Strategy replaces the 2018 National Cyber Strategy set forth under the Trump administration and builds on the 2008 Comprehensive National Cybersecurity Initiative set forth under the Obama administration.

Since late 2022, terms like “large language models,” “chat-bots,” and “natural language processing models” increasingly have been used to describe artificial intelligence (AI) programs that collect data and respond to questions in a human-like fashion, including Bard and ChatGPT. Large language models collect data from a wide range of online sources, including books, articles, social media accounts, blog posts, databases, websites, and other general online content. They then provide logical and organized feedback in response to questions or instructions posed by users. The technology is capable of improving its performance and otherwise building its knowledge base through its internal analysis of user interactions, including the questions that users ask and the responses provided. These AI programs have a variety of applications and benefits, but businesses should be aware of potential privacy and other risks when adopting the technology.

On February 17, 2023, the FTC brought its first civil enforcement action under the Telemarketing Sales Rule, 16 C.F.R. Part 310 (“TSR”), in nearly one year.  In U.S. v. Stratics Networks Inc., et al., which was filed in the U.S. District Court for the Southern District of California, the FTC seeks to stop a group of companies and individuals that it claims are “responsible for delivering tens of millions of unwanted Voice Over Internet Protocol (VoIP) and ringless voicemail (RVM) phony debt service robocalls to consumers nationwide.”  Because the FTC is seeking civil penalties, the Complaint was filed by the Department of Justice on behalf of the FTC.

In an eye-opening 4-3 decision issued on Friday, the Illinois Supreme Court ruled that a separate Biometric Information Privacy Act (“BIPA”) claim accrues “with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Cothron v. White Castle System, Inc., 2023 IL 128004 ¶ 45. The decision may have staggering consequences for all pending BIPA cases, converting what might have been a single claim into thousands of separate claims for $1,000 or $5,000 (depending on whether the violation is negligent or willful). The impact of the decision is even more severe in light of the Illinois Supreme Court’s recent decision in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, applying a five-year statute of limitations to all BIPA claims.

Topics: Biometrics, BIPA

The Illinois Supreme Court has issued its highly anticipated ruling in Tims v. Black Horse Carriers, Inc., 2023 IL 127801, which expands the statute of limitations period for certain claims under the Biometric Information Privacy Act (BIPA) from one year to five years. The Court reversed in part a previous ruling by the appellate court, which held that a one-year limitations period applied to claims under subsections 15(c) and (d) of BIPA, prohibiting the sale and unauthorized disclosure of biometric data, and affirmed the appellate court’s judgment that a five-year period applied to other claims under BIPA.

Topics: Biometrics, BIPA

As seen from the recent release of the ChatGPT artificial intelligence (“AI”) tool, AI technologies have major potential to transform society rapidly. However, the technologies also pose potentially unique risks. Because AI risk management is a key component of responsible development and use of AI systems, the National Institute of Standards and Technology last week released its voluntary AI Risk Management Framework, which will be a helpful resource for businesses seeking to responsibly incorporate AI into their processes, products and services.

Because the use of passwords alone is a relatively weak method to prove identity, enforcement agencies are ramping up pressure for companies to implement multi-factor authentication (MFA) both internally and for customers of online services. MFA makes it more difficult for cyber threat actors to gain access to networks and information systems if authentication information, such as passwords, is compromised through phishing attacks or other means. Below is information that may be helpful in assessing whether your company should implement MFA, and how to do so.

The Ohio Supreme Court recently ruled that the “Electronic Equipment” endorsement of a property insurance policy does not provide coverage for a policyholder’s losses following a ransomware attack.  In EMOI Servs., LLC. v. Owners Ins. Co., 2022-Ohio-4649 (Ohio 2022), the Ohio Supreme Court reversed an appellate court’s decision which held, among other things, that there was potential coverage under the “Electronic Equipment” endorsement because damage to software could constitute “direct physical loss of or damage” to covered property.  
