Volume 5, Issue 7

Welcome


Welcome to our seventh 2024 issue of Decoded - our technology law insights e-newsletter. We have a few events we want to pass along to those interested in technology, but also other areas of law and business.

 

Spilman Event - Your Business in the Digital Era: Legal and Commercial Challenges, September 19, 2024

 

Join Spilman attorneys and digital soothsayers on September 19 in Pittsburgh for a journey to uncover the truth about wireless barbarians, rogue IP thieves, a coming AI invasion, and more. This forum, intended for business owners and risk management professionals, is offered free of charge to VIP clients and friends of the firm. We will address cybersecurity threats, data privacy, legal and ethical concerns with AI in business operations, intellectual property protection, and how to avoid and protect yourself from litigation. You can learn more and register here.

 

Spilman Event – SuperVision in Winston-Salem, October 4, 2024

 

You are cordially invited to join Spilman attorneys for the highly anticipated return of our full-day SuperVision Symposium, designed to inspire your confidence in navigating complex employment decisions. This complimentary symposium is tailored for business owners, HR professionals, and anyone who manages employees. Dive into a day of invaluable insights on topics such as remote work; workplace investigations; AI, emerging technologies, and privacy; union avoidance; workplace violence; and more. This event is October 4, 2024 at Truist Stadium in Winston-Salem, North Carolina. Click here to learn more and register.


New York State Bar Association Event


Alex Turner is a panelist on the topic "The Legal and Regulatory Challenges of AI in Insurance Underwriting" for the NYSBA Dispute Resolution Section of the Insurance Disputes Committee on September 26 in New York City at the American Arbitration Association. This should be a very informative and interesting session. Click here to learn more.


As always, if you have any suggested topics you would like us to address here or in a webinar format, please let us know.



Thank you for reading.


Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group


and


Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group

The Deepfake Threat to Election Security: A Looming Crisis

“Voters, campaign workers, and media professionals must understand these risks and take proactive measures.”

 

Why this is important: The article highlights the growing threat of deepfakes and misinformation in regard to election security, emphasizing that the primary danger is not the security of voting machines but the manipulation of public perception through fake media. “Deepfakes” are artificial or altered images, video, and other media edited or generated with AI. With the rise of generative AI, creating convincing deepfakes has become easier, allowing malicious actors to spread false information convincingly. The spread of misinformation can have significant consequences - influencing voter decisions, undermining public trust, and destabilizing the integrity of elections. The importance of this issue underscores the need for comprehensive strategies to combat deepfakes, including cybersecurity training, rapid response teams, and the development of advanced detection tools. Additionally, the article stresses the role of legislation in regulating AI technologies and calls for international cooperation to address the global threats posed by deepfakes. As elections become increasingly influenced by digital media, the need for vigilance, education, and robust safeguards is critical to maintaining democratic processes. --- Alison M. Sacriponte

AT&T Wireless’ Data Breach: A Wake-Up Call for Strengthening Cloud Security and Trust

“This recent third-party breach is a reminder that compliance with cybersecurity standards is not just a regulatory requirement but a foundational requirement for safeguarding all sensitive data.”

 

Why this is important: As data breaches and cyberthreats increase, more and more companies’ sensitive information is being taken. The information being collected is not only from the companies that experience breaches, but also from their consumers. As a result of a breach, companies not only lose tangible materials, including possible trade secrets and customers' personal information, but they can also lose the intangible, such as customer goodwill, trust, and market confidence. Consumers and potential customers may not trust any organization that cannot keep its customers' data safe. In addition, the companies that lose the trust of their current and potential customers will likely miss out on revenue due to these data breaches.


Due to the rapid pace of technological evolution, cybersecurity is not a one-time setup that lasts forever. Companies that take a passive and reactive approach to cybersecurity and data protection are more likely to be targeted because their security measures are not up-to-date, and are thus easier to attack. As the abilities and technology of cybercriminals evolve, the companies defending against these attacks must also evolve. It is no longer sufficient for companies to only check their security measures annually. Instead, companies need to be constantly vigilant and ensure that they are following regulatory standards, at a minimum. These regulatory standards are not there to just be checked off, but are there for the protection of the companies and their stakeholders. While being proactive does not fully guarantee that your company will not experience a breach, it does significantly lower the risk and the ultimate impact if a breach does occur.


Companies have to look at the bigger picture when it comes to data breaches. It is no longer enough to just focus on your company’s individual cybersecurity compliance. Companies need to broaden their scope and make sure the third parties in their supply chain are similarly vigilant and following governmental regulatory standards, at a minimum. By failing to ensure your company’s vendors’ compliance, you may be exposing your company to liability and negative reputational consequences. --- Nicholas A. Muto

The FDA Calls Them 'Recalls,' Yet the Targeted Medical Devices Often Remain in Use

“Some products undergo recall after recall while they remain on the market.”

Why this is important: Not all recalls are created equal. The public is conditioned to believe that a recall means that a product is removed from the market because federal product safety agencies, like the Consumer Product Safety Commission, the National Highway Traffic Safety Administration, and the FDA, often tell customers, in the event of a recall, to stop using the product altogether or, in the case of a vehicle, to bring it to a local dealer for repairs. However, the FDA may take a different tack when dealing with the recall of a medical device. The FDA may decide to keep the medical device being recalled in use after considering all options. This is called a “correction” recall. This type of recall results in the manufacturer addressing the issue in the field through repairing, adjusting, relabeling, or inspecting the device. An FDA spokesperson stated that “[w]hen deciding whether a recall warrants device removal from the field, the FDA considers the frequency and severity of adverse events, effectiveness of the corrective actions that have been executed, and the benefits and risks of preserving patient access to the device.” This evaluation may lead to numerous rounds of recalls that do not result in a medical device being removed from the market. These numerous rounds of recalls can include additional training, changes to warnings and instructions, additional technical guidance, or software updates and patches. Even as the manufacturer and the FDA work through how to make the medical device safer while it is still available to the public, injuries can and still do occur. If these remedial measures do not improve the safety of the medical device, the FDA can still ask the manufacturer to stop marketing the device or remove it from the market altogether. --- Alexander L. Turner

What Generative AI can do for Construction Right Now

“Aaron Anderson, the director of innovation for Swinerton, dishes on the tech and the tools the firm uses to stay competitive.”

 

Why this is important: Swinerton, a construction and project management firm, is incorporating generative AI into its operations in partnership with FutureTech and Microsoft. The integration of this technology is aimed at enhancing project design and management processes, highlighting the growing role of AI in the construction industry. Construction professionals should take note of Swinerton’s recent partnership as AI-driven tools can streamline project management by predicting potential issues, optimizing schedules, and managing resources more effectively. This can reduce delays and cost overruns. Further, by automating routine tasks and providing advanced analytics, generative AI can significantly boost productivity on construction sites, leading to faster project completion and reduced labor costs. However, while the integration of generative AI offers numerous benefits, implementation requires a significant investment of time and resources. Construction professionals may face a steep learning curve and need extensive training to utilize these tools efficiently. Additionally, the effectiveness of AI systems heavily depends on the quality of the data they use, meaning poor or incomplete data can lead to inaccurate outputs and unreliable recommendations that affect decision-making. Overall, the use of generative AI represents a significant advancement in the construction industry by promoting greater efficiency, cost savings, and innovation in project execution. Construction professionals, however, must take a pragmatic approach toward the implementation of any AI systems, not only to maximize their benefits but also to mitigate their intrinsic risks. --- Jonathan A. Deasy

M&A Activity can Amplify Ransomware Insurance Losses, Research Finds

“The financial severity of claims related to ransomware attacks increased more than 400% from 2022 to 2023, the study found.”

 

Why this is important: Cyber risk company Resilience released a report highlighting a significant increase in ransomware insurance losses, with the financial severity of claims rising over 400 percent from 2022 to 2023. The surge is attributed to increased merger and acquisition (M&A) activity and the reliance on interconnected software systems, which create vulnerabilities that malicious actors can exploit. As businesses grow more interconnected through M&A deals, the risks of cyberattacks escalate; newly acquired companies bring additional vulnerabilities into the mix and different IT systems may need to be integrated post-acquisition. The findings of this report underscore the importance of maintaining a cybersecurity strategy, as traditional due diligence in M&A deals may not fully protect against ongoing risks. Heightened vigilance and robust cyber risk management are critical in an increasingly interconnected business landscape. --- Alison M. Sacriponte

CrowdStrike Snafu was a ‘Dress Rehearsal’ for Critical Infrastructure Disruptions, CISA Director Says

“Despite the disruption, Jen Easterly said the outage was a ‘useful exercise’ to determine the resiliency of critical infrastructure organizations.”

 

Why this is important: CrowdStrike is a U.S. cybersecurity firm with 43 U.S. states and nearly 300 companies in the Fortune 500 as clients, not to mention clients in the U.K., India, France, Australia, and other nations. It offers a wide array of services, most of which involve endpoint monitoring: the practice of continuous monitoring and management of devices that connect to a network, such as computers, mobile devices, and servers. On Friday, July 19, 2024, much of the world stopped when a defect in a single CrowdStrike content update for Windows hosts caused an out-of-bounds memory read. Out-of-bounds memory reads are a type of memory access error that can cause crashes, incorrect behavior, or security vulnerabilities. Thousands of flights were grounded. In some states, 911 lines were down. Hospital patient records systems were down. And many industries across the globe felt the impact.

 

The most important aspect of this event was that this was not an attack. Save for the defect, the system update would have happened normally, as all other updates have in the past, and we never would have collectively been forced to realize our interconnected vulnerability. We can be sure that the enemies of the United States took notice. Top brass at the Cybersecurity and Infrastructure Security Agency (CISA) noted the event as a big lesson. Hackers from China have already made clear that U.S. infrastructure, drinking water, and wastewater systems are prime targets. The CrowdStrike incident proved how many nations, companies, and the comforts of modern society are vulnerable. The focus now is on building resilience in our networks and working to drive down the recovery time. Diversifying service providers or using local versus cloud-based software are a few simple considerations that could make a difference. Regardless, awareness must spread and actions must be taken to reinforce critical systems in a way that will prevent total collapse. --- Sophia L. Hines

Attorney General Ken Paxton Sues General Motors for Unlawfully Collecting Drivers’ Private Data and Selling It to Several Companies, Including Insurance Companies

“This action follows Attorney General Paxton’s June 2024 announcement that he opened an investigation into several car manufacturers regarding allegations that the companies had improperly collected mass amounts of data about drivers directly from the vehicles and then sold the information to third parties.”

 

Why this is important: In past issues of Decoded, we have discussed how the Internet of Things (IoT) has resulted in the commoditization of your personal information. We have also discussed how this has been extended to your new car. Automakers are continually looking for new revenue streams, and are exploring multiple revenue-generating opportunities. This includes subscription services to use common functions in the vehicle, like heated seats. Another revenue-generating opportunity is to collect and sell your private data. This goes beyond just monitoring where you go, when you go there, how fast you drive, and how hard you brake. Many vehicles now download everything on your phone and send it back to the manufacturer when you connect your phone to your vehicle’s infotainment system. They are selling all of this personal data to advertisers, marketing companies, insurance companies, and even governments. The problem is that many consumers are completely unaware that this is happening.

 

At least one state is stepping up to address auto manufacturers’ collection and selling of customers’ personal data. Texas Attorney General Ken Paxton has initiated legal action against General Motors for false, deceptive, and misleading business practices related to what he defines as unlawful collection and sale of Texas citizens’ private information to insurance companies. He alleges that his investigation showed that these sales of data were without the consumers’ knowledge or consent. In a statement regarding his lawsuit, Attorney General Paxton stated that “[o]ur investigation revealed that General Motors has engaged in egregious business practices that violated Texans’ privacy and broke the law. We will hold them accountable. Companies are using invasive technology to violate the rights of our citizens in unthinkable ways. Millions of American drivers wanted to buy a car, not a comprehensive surveillance system that unlawfully records information about every drive they take and sells their data to any company willing to pay for it.” It is likely that other states will bring similar suits on behalf of their citizens. --- Alexander L. Turner

This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.



Responsible Attorney: Michael J. Basile, 800-967-8251