Last week, I had the privilege to attend one of the Midwest’s largest artificial intelligence conferences dedicated to AI developers, users, and enthusiasts: Cincy AI Week. During the three-day event, which brought together over 950 local professionals, I spoke on a panel entitled “Managing Risk in the Age of AI and Automation.”
Here are six important observations I shared during that panel:
Last year, we wrote about updates from the Department of Justice (DOJ) and the DOJ’s proposed enforcement efforts and regulations implementing Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Data by Countries of Concern” (Rule).
A year later, the DOJ has finalized the Rule and developed guidance on what companies handling (i) bulk U.S. sensitive personal data or (ii) U.S. Government-related data must know, especially when interacting with persons and entities in ”Countries of Concern,” which currently include:
In April of this year, the DOJ’s National Security Division (NSD) issued its Data Security Program and corresponding Compliance Guide (DSP) and Frequently Asked Questions (FAQs) providing information that all U.S. entities must understand and follow to comply with the Rule. The NSD’s stated primary mission with respect to the implementation and enforcement of the DSP is to protect U.S. national security from Countries of Concern that may seek to collect and weaponize both government data and Americans’ most sensitive personal data.
As we have written previously, the DSP will require U.S. organizations to look deeply into their data collection and data sharing practices to determine whether they are (i) providing covered data to a Country of Concern and (ii) subject to the DSP’s requirements.
All U.S. organizations handling government-related data and bulk U.S. sensitive personal data must make good-faith efforts to comply with the DSP by July 8, 2025.
As we reported early last year, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking to the Children’s Online Privacy Protection Act rule (COPPA). On April 22, 2025, over a year after the notice of proposed rulemaking was issued, the FTC has finalized its amendments to the COPPA rule and are set to go into effect on June 23, 2025.
To note, while the amendments will be effective on June 23, 2025, regulated entities under COPPA have until April 22, 2026 to comply.
Continue Reading Children’s Online Privacy Protection Act Amendments Effective June 23, 2025
On April 11, 2025, North Dakota Governor Kelly Armstrong signed HB 1127 (the Act) into law.
The Act, which takes effect on August 1, 2025, establishes new data security requirements for certain financial institutions and nonbanking financial service providers. In addition, the Act amends multiple sections related to financial institution licensing and oversight.
Continue Reading North Dakota Governor Signs Cybersecurity Governance Law for Financial Institutions
Several states and the Federal Trade Commission (FTC) have implemented autorenewal laws aimed at (i) better protecting consumers and providing transparency in automatic renewals (e.g., subscriptions) and (ii) mandating easy cancellation processes to terminate such products.
Although state laws vary, the amended California Automatic Renewal Law (CARL) and the FTC’s Click-to-Cancel Rule (FTC Rule) provide a comprehensive overview of what businesses can expect when complying with autorenewal laws. While these autorenewal requirements have consumers saying “click, click hooray” understanding and implementing these obligations can create a compliance conundrum for businesses. Here is a summary of what businesses should know.
Continue Reading Click, Click Hooray: What Businesses Need to Know about Autorenewal Laws and Subscription Cancellation Requirements
The California Privacy Protection Agency (“CPPA”) recently issued a decision requiring American Honda Motor Co. to pay a $632,500 fine and change certain business practices related to alleged violations under the California Consumer Privacy Act (“CCPA”). While not specifically related to connected vehicles, this decision comes after the CPPA’s announcement in 2023 that it would be focusing on connected vehicle manufacturers’ compliance with the CCPA.
Continue Reading California Privacy Enforcement Update: Verifying Consumer Requests and Banners Must Be Symmetrical
Biometrics continue to be a hot issue and one primed for litigation and related liabilities. We in the Privacy and Data Security Practice are happy to share this upcoming Taft webinar, which will include a discussion on BIPA class action risks. Join our colleagues from Taft’s Litigation Practice on April 15th.
Time: 12 p.m. – 1:15 p.m. EST
Register HERE.
The Google Threat Intelligence Group revealed a chilling reality: nation-states are weaponizing AI tools like Gemini for sophisticated cyberattacks. This new frontier of AI-powered fraud demands immediate attention from business leaders and general counsel, who stand at the confluence of technology, data security, and governance.
Recent Incidents and the Evolving Sophistication of These Attacks
Generative AI, like the tools used by these cybercriminals, can create highly convincing text, images, voice recordings, and even video interactions that are nearly impossible to distinguish from genuine content. In the report Adversarial Misuse of Generative AI, the Google Threat Intelligence Group explains how more than 20 countries have used Google’s generative AI tool named Gemini for nefarious purposes, including cyber espionage, destructive computer network attacks, and attempts to influence online audiences in a deceptive, coordinated manner.
Continue Reading AI-Powered Fraud: Immediate Action Steps to Protect Companies from Next-Generation Payment Scams
As we previously discussed here, the Federal Communications Commission’s (FCC) new One-to-One Consent Rule, which amends the Telephone Consumer Protection Act (TCPA), was set to go into effect on January 27, 2025.
While the identified goal of the FCC was to close the “lead generator loophole,” this new rule, among other requirements, would require all businesses seeking to send any marketing text messages to obtain consent from the customer for one identified seller (business) at a time.
Continue Reading UPDATE: FCC’s One-to-One Consent Rule Delayed, Then Overturned
What does it take for a data breach plaintiff to have standing to sue in Illinois? More than a mere increased risk of harm, said the Illinois Supreme Court in a case where Taft represented the defendant, a large multi-specialty group medical practice.
This post highlights the importance of a thorough post-data breach investigation.
Continue Reading Taft Wins First Data Breach Class Action to Reach Illinois Supreme Court: Key Takeaways