EDITOR’S NOTE: This is part three of “Cyber AI Chronicles” – written by lawyers and named by ChatGPT. This series will highlight key legal, privacy, and technical issues associated with the continued development, regulation, and application of artificial intelligence

As with all other products and technologies, we can expect to see (and in fact already do see) the emergence of varying approaches to governance for artificial intelligence systems. Currently, AI oversight may be addressed within independent federal, state, and international frameworks – for instance, within the regulation of autonomous vehicle development, or laws applicable to automated decision-making. So, how can we expect regulatory frameworks to develop for AI as an independently regulated field?

On July 26, the Securities and Exchange Commission adopted a new rule regarding cybersecurity risk management, strategy, governance, and incident disclosure.  The “Cybersecurity Incident Disclosure Rule” will be applicable to public companies subject to the reporting requirements of the Securities Exchange Act of 1934. It is premised on the belief that investors will benefit from more timely and consistent disclosure about material cybersecurity incidents, and follows interpretive guidance the SEC issued in 2011 and 2018. The Final Rule will take effect 30 days after being published in the Federal Register – likely by September 1.

EDITOR’S NOTE: This is part two of “Cyber AI Chronicles” – written by lawyers and named by ChatGPT.  This series will highlight key legal, privacy, and technical issues associated with the continued development, regulation, and application of artificial intelligence.

Recent developments in Artificial Intelligence have opened the door to exciting possibilities for innovation. From helping doctors communicate better with their patients to drafting a travel itinerary as you explore new locales (best to verify that all the recommendations are still open!), AI is beginning to demonstrate that it can positively affect our lives. 

However, these exciting possibilities also allow malicious actors to abuse the systems and introduce new or “improved” cyber threats.

On July 10, 2023, the European Commission (“EC”) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”).

EDITOR’S NOTE: This is part one of “Cyber AI Chronicles” – written by lawyers and named by ChatGPT.  This series will highlight key legal, privacy, and technical issues associated with the continued development, regulation, and application of artificial intelligence.

Artificial Intelligence is not a new concept or endeavor. In October 1950, Alan Turing published Computing Machinery and Intelligence,” proposing the question: Can machines think? Since then, the concept has been studied at length, with an immediately recognizable example being IBM Watson, which memorably defeated Jeopardy! champions Ken Jennings and Brad Rutter in 2011. AI has been captured and fictionalized in movies, video games, and books. Even if we are not aware of it, AI underlies many technical tools that we use every day.

The national impact of ransomware is expanding. Following a dip in the recorded number of ransomware attacks for 2022, there have been multiple nationwide events with devastating effect in 2023.  Given the damage across private and public enterprises, the federal government has sought to provide additional information and resources to assist those who are preparing to defend against an attack or for businesses who have already experienced a ransomware attack.

On Friday, the Sacramento Superior Court issued a ruling delaying the enforcement of recently enacted California Privacy Rights Act regulations until March 2024. The CPRA, which amended the California Consumer Privacy Act, directs the California Privacy Protection Agency to promulgate regulations that further explain and detail the requirements of the CPRA. The agency was supposed to issue regulations by July 1, 2022, with an enforcement date of July 1, 2023. However, the agency did not issue those regulations until March 24, 2023.

Oregon will soon join Iowa, Indiana, Florida, Montana, Texas, and Tennessee in passing a comprehensive data privacy law. On June 25, the Oregon legislature passed the Oregon Consumer Privacy Act. The OCPA has moved to the desk of Gov. Tina Kotek (D), who is expected to sign it into law. Assuming she does, the law will take effect on July 1, 2024.

The European Court of Justice has issued two important decisions interpreting the European Union’s General Data Protection Regulation. One addresses the right to compensation for GDPR violations, and the other addresses the scope of an individual’s right of access when his or her data has been provided by a controller to other recipients. Each decision is discussed below.

This year has so far proven to be quite active in terms of state privacy legislation. In 2022, California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws on the books, all set to take effect in 2023. Then, earlier this year, Iowa, Indiana, and Tennessee enacted their own respective comprehensive privacy laws. Iowa’s and Tennessee’s laws will take effect in 2025, and Indiana’s law will take effect in 2026.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Subscribe

* indicates required
Back to Page