Cyber adversaries in China and Russia continue to be a formidable threat to U.S. based companies. In the past, scams might be detected because a word was misspelled or the context didn’t make sense. Now, with the help of young Western hackers, cyber adversaries in Russia will be able to use insider knowledge of language and behavioral customs to develop and deploy campaigns against U.S. companies. In a 60 Minutes segment aired this week, the federal government and cybersecurity specialists outline how they are seeing a new threat from Scattered Spider, a coalition of foreign and domestic hacke ..read more

DoorDash, Inc. recently settled with the California Attorney General for alleged violations of the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). This is only the second public settlement with the California AG’s office for claims related to CCPA violations (the first was with Sephora in 2022). The AG’s complaint stated that DoorDash sold California consumers’ personal information (names, addresses, and transaction histories) as part of its participation in a couple of marketing co-ops that began in 2018. The sale of personal information is n ..read more

The U.S. government recently intervened in a False Claims Act qui tam case against Georgia Tech Research Corporation, Georgia Institute of Technology, and Georgia Tech Research Institute for violations of NIST 800-171 for failing to protect Controlled Unclassified Information (CUI). Long story short, the U.S. intervention means that the government is taking this case seriously, which means that the defendants have to take this case even more seriously. Defense contractors need to be intimately familiar with NIST 800-171, which applies to them through various regulations and through their contr ..read more

On April 15, 2024, the National Security Agency’s Artificial Intelligence Security Center published guidance on “Deploying AI Systems Securely,” together with CISA, the FBI, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the UK’s National Cyber Security Centre (a/k/a the Five Eyes). The Cybersecurity Information Sheet provides guidance for “best practices for deploying and operating externally developed artificial intelligence (AI) systems.” The guidance aims to: “Improve the confidentiality, integrity, and avai ..read more

The latest edition of the AI Index Report from Stanford University’s Human-Centered Artificial Intelligence Center provides a comprehensive look at artificial intelligence (AI) policy, regulation, and diversity trends across the globe. The number of AI-related regulations enacted by U.S. federal agencies like the FDA, EPA, and FCC has skyrocketed from just 1 in 2016 to 25 in 2023. This rapid increase signals how rapidly AI is being applied across different industries and sectors, requiring new governance frameworks. The regulations have focused on areas such as foreign trade/finance, health, c ..read more

Colorado Governor Jared Polis signed H.B. 24-01058 into law on Wednesday, April 17, 2024. The law amends the definition of personal information protected by the state’s privacy law to include protections for data generated by activity in the nervous system. The intent of the law is to require companies that collect, use, and disclose consumers’ neurodata to protect it as sensitive information, along with the other sensitive data elements included in the law. The law exempts neurodata that is collected by companies that must follow other privacy and security laws, including health care provider ..read more

The Federal Trade Commission (FTC) has declined to approve a new method for obtaining parental consent under the Children’s Online Privacy Protection Act (COPPA) that would involve analyzing facial geometry to verify an adult’s identity. In a letter to the Entertainment Software Rating Board (ESRB), Yoti (a digital identity company), and SuperAwesome (a company that provides technology parental verification requirements), the FTC denied the June 2023 application for the “Privacy-Protective Facial Age Estimation” software as a new means of obtaining parental consent under COPPA. However, the FT ..read more

The California Privacy Protection Agency (CPPA) recently issued an enforcement advisory encouraging covered businesses to focus on their data minimization obligations related to consumer requests under the California Consumer Privacy Act (CCPA). The advisory categorizes data minimization as a “foundational principle” of the CCPA and reflects the reasons why businesses will apply this principle for better compliance with the CCPA. The advisory states: “[b]usinesses should apply this principle [of data minimization] to every purpose for which they collect, use, retain, and share consumers’ perso ..read more

U.S. Senator Maria Cantwell (D-WA) and U.S. Representative Cathy McMorris Rodgers (R-WA) have made a breakthrough by agreeing on a bipartisan data privacy legislation proposal. The legislation aims to address concerns related to consumer data collection by technology companies and empower individuals to have control over their personal information. The proposed legislation aims to restrict the amount of data technology companies can gather from consumers. This step is particularly important given the large amount of data these technology companies possess. It would grant Americans the authorit ..read more

*This post was co-authored by Josh Yoo, legal intern at Robinson+Cole. Josh is not admitted to practice law. Health care entities maintain compliance programs in order to comply with the myriad, changing laws and regulations that apply to the health care industry. Although laws and regulations specific to the use of artificial intelligence (AI) are limited at this time and in the early stages of development, current law and pending legislation offer a forecast of standards that may become applicable to AI. Health care entities may want to begin to monitor the evolving guidance applicable to AI ..read more