Welcome
Welcome to our ninth 2024 issue of Decoded - our technology law insights e-newsletter.
2025 BEST LAW FIRMS
We are very pleased to announce that the firm was named to the 2025 "Best Law Firms" list by Best Lawyers in 71 areas of law throughout the firm’s footprint. The rankings are based on a rigorous assessment process that involved the collection of client and lawyer evaluations, peer review from leading attorneys, and review of additional information provided by law firms.
As always, if you have any suggested topics you would like us to address here or in a webinar format, please let us know.
Thank you for reading and we wish you a wonderful Thanksgiving holiday.
Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group
and
Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group
| |
“The majority of employees — 53 percent — within any CIO organization are now using GenAI tools in their daily work, according to the report.”
“Excitement is falling among desk workers, who fear being perceived as incompetent or lazy for using the technology, according to a Slack survey.”
Why this is important: As employers of all types grapple with the influx of new generative AI tools available online, often for free, the employees they oversee are having mixed reactions. A recent report of State Chief Information Officers (CIOs) from across the nation has found that a majority of state employees working under the CIO (53 percent) are using generative AI tools in their daily, routine work. In some states, this majority has reached closer to two-thirds or three-fourths of the workforce.
The CIOs interviewed commented that the use of these free tools available online is becoming as ubiquitous as a Google search. In response, an overwhelming majority of the respondents have created advisory committees around the issue and have begun crafting policies to govern the use of AI tools among the workforce.
In contrast to the rise among state employees in the U.S., recent studies suggest employees globally have started to slow down the adoption of AI tools. This is despite interest by many private employers to incorporate AI tools into their workforce to increase efficiencies. Respondents to the study cited a lack of clear norms and rules to explain the confusion and avoidance around AI. Most AI vendors are now helping to adapt tools to strengthen governance and place more guardrails against inappropriate or potentially harmful uses.
Despite the current drawback, generative AI tools seem to be here to stay and are a force all businesses must plan for and deal with. If your business needs assistance drafting an AI use policy tailored to your specific needs, please reach out to Spilman. --- Shane P. Riley
| |
“One example of an existing NIST password standard is checking for exposed passwords against previous data breaches.”
Why this is important: Passwords, the bane of everyone’s existence. Everyone has experienced the frustration of trying to remember your Netflix password when you log in from a new device. That is because you utilize good password discipline and do not share passwords across platforms. However, even with unique passwords, that may not be enough to protect your password-protected data. Hackers may be able to extrapolate your current password by using permutations of past exposed passwords. In response to this problem, the National Institute of Standards and Technology (NIST) has published a new draft standard for passwords. This draft standard includes:
- Requiring passwords to be a minimum of 8 characters, with a recommended minimum length of 15 characters;
- Allowing passwords to be up to 64 characters long;
- Accepting all printing ASCII [RFC20] characters and the space character in passwords;
- Accepting Unicode [ISO/IEC 10646] characters in passwords, with each Unicode code point counting as a single character towards password length;
- No longer requiring arbitrary password complexity, such as forcing the use of special characters or a mixture of numbers, letters, and symbols; and
- No longer requiring periodic password resets at specified intervals unless there is evidence of password compromise.
NIST also recommends that organizations:
- Stop allowing users to save password hints;
- Stop requiring users to answer security questions to reset forgotten passwords; and
- Verify the entire password, not a truncated version or substring of the password.
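As an added illustration (not part of the original newsletter or of NIST's text), the rules in the two lists above can be expressed as a short acceptance and verification check. The breach corpus is a constructed three-entry sample, and the function names and the PBKDF2 storage scheme are assumptions made for the example.

```python
import hashlib
import hmac
import os

MIN_LEN, RECOMMENDED_LEN, MAX_LEN = 8, 15, 64  # values from the lists above

# Constructed sample standing in for a corpus of passwords exposed in breaches.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password1", "Summer2024!", "qwertyuiop")
}


def check_new_password(password: str) -> list:
    """Return the reasons to reject a proposed password (empty list = accept)."""
    problems = []
    # len() on a Python str counts Unicode code points, not UTF-8 bytes,
    # so "пароль密码" is 8 characters even though it encodes to 18 bytes.
    n = len(password)
    if n < MIN_LEN:
        problems.append(f"too short: {n} < {MIN_LEN}")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN}")
    # No composition rules: character classes are deliberately not inspected,
    # and spaces, printing ASCII and other Unicode characters are all accepted.
    if hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breach corpus")
    return problems


def hash_password(password: str, salt=None):
    """Salted PBKDF2 over the whole password; nothing is truncated first.

    PBKDF2-HMAC-SHA256 is an assumption of this example, not a rule from the list.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the hash of the entire candidate."""
    return hmac.compare_digest(hash_password(candidate, salt)[1], stored)
```

A password below `RECOMMENDED_LEN` is still accepted; the constant is there for a user-facing hint rather than a rejection.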
Good luck remembering the suggested 15 to 64-character password with no prompts or reminders. Whether this draft standard is workable in the real world remains to be seen. But there is something that you can do now to secure your password-protected network and the data it holds - multifactor authentication. By utilizing multifactor authentication, you require users to provide more than one credential to verify their identity. This may be a password, and then a randomly generated code that is sent to the person’s phone that is then entered before they can access the network. There is a delicate balance between access and protection, and strong passwords are both the gateway and the barrier to entry. --- Alexander L. Turner
| |
“This discovery opens doors to future applications in genome editing without the risk of DNA cuts, which could lead to more precise tools for research and biotechnology.”
Why this is important: Researchers from Vilnius University's Life Sciences Center, led by Prof. Patrick Pausch, have discovered a novel method for silencing specific genes without cutting DNA. Published in Nature Communications, the study reveals a new mechanism using the type IV-A CRISPR system, which operates like a "pause button" for gene expression. Unlike traditional CRISPR systems that act as molecular "scissors," this approach utilizes an RNA-guided effector complex to recruit the DinG enzyme, which silences genes more subtly by unwinding DNA.
The system's precision relies on proteins Cas8 and Cas5, which identify short DNA sequences adjacent to the RNA guide's target. This process forms R-loops—open DNA structures where RNA binds—signaling the system to initiate gene silencing. DinG further enhances the suppression by unwinding the DNA across longer sequences.
This discovery has significant potential for safer gene-editing applications, offering a way to modify faulty genes associated with diseases without the risks of cutting DNA. The researchers believe this innovation could lead to more precise and secure genetic tools for research and biotechnology. --- Shane P. Riley
| |
“Financial firms monitor for fraud by looking for unusual activity, but an artificial intelligence model can be trained to transact like a real person.”
Why this is important: Americans lost $10.2 billion to fraud last year. Financial institutions typically search customers’ accounts for activity that is out of the normal patterns for a particular customer. Has a customer suddenly started making large purchases? Is the customer now making purchases at new merchants? Is the customer suddenly making purchases at higher-risk merchants? Has the customer’s payment history changed? These can be signs that the customer’s account has been compromised and is now in the control of cyberattackers. These types of attacks leave breadcrumbs that institutions may spot and that may cause heightened scrutiny. However, the article warns that attackers can now use AI to mimic a customer’s spending and payment habits, and that the best industry participants are currently able to offer is that institutions need to be prepared for these attacks. Institutions need to employ multiple layers of fraud detection to try to discover these new types of AI-powered attacks. --- Nicholas P. Mooney II
| |
“Despite dire warnings from the pro basketball league and the U.S. Chamber of Commerce about ‘abusive’ video privacy litigation, a U.S. appeals court revived a class action accusing the NBA of improperly allowing Facebook to harvest personal data from viewers of NBA-posted videos.”
Why this is important: Did you know that the Video Privacy Protection Act (VPPA) protects consumers’ personally identifiable information (PII) related to video rentals or purchases? This federal law was passed in 1988 after U.S. Supreme Court nominee Robert Bork’s videotape rental history was disclosed during the confirmation process. The VPPA prohibits videotape service providers from disclosing a consumer's PII without their written consent. PII includes information like names, addresses, and video titles. But with Blockbuster and Redbox now gone, is the VPPA even relevant now that no one rents movies anymore? The 2nd Circuit stated in a recent ruling that the VPPA is still alive and viable. The 2nd Circuit in its ruling extended the VPPA to include videos accessed through an NBA email newsletter. To receive the newsletter, Michael Salazar (Mr. Salazar), the putative class representative, provided the NBA with his personal information. The NBA then allowed a Facebook subsidiary to track his video viewing. Upon learning about this tracking of his video viewing habits, he brought a putative class action against the NBA for alleged violations of the VPPA. The NBA moved to dismiss Mr. Salazar’s VPPA claim, and the lower court granted its Motion to Dismiss. Mr. Salazar then appealed that ruling to the 2nd Circuit. In overruling the ruling of the lower court, the 2nd Circuit stated that “The VPPA is no dinosaur statute. Congress deployed broad language in defining the term ‘consumer,’ showing it did not intend for the VPPA to gather dust next to our VHS tapes. Our modern means of consuming content may be different, but the VPPA's privacy protections remain as robust today as they were in 1988.” Despite allowing Mr. Salazar’s VPPA claim to survive a Motion to Dismiss, the 2nd Circuit said that the NBA may prevail on other arguments.
What this case shows is that, in the absence of a federal data privacy statute, even what would have been considered an antiquated data privacy law can still be effective in protecting consumers’ PII. --- Alexander L. Turner
| |
“The researchers will develop new methods for integrating structured data and free-text notes from various health professionals—including nurses, physical and occupational therapists, and speech and language pathologists—into electronic health records.”
Why this is important: The integration of AI into all aspects of human existence has begun in earnest, and the use of AI in electronic medical records is no different. This article dives into the current research and implementation of AI with nursing, physical and occupational therapists, and speech and language pathologists' electronic records, and how those records can then be data mined to better help with patient care, particularly with fall risks. AI is coming whether we like it or not, so the better we understand its usefulness and potential pitfalls the better we can care for our patients. --- Matthew W. Georgitis
| |
“The solutions are out there, but the right amount of investment is still an enigma for firms in the industry.”
Why this is important: Construction professionals looking to leverage the power of generative artificial intelligence technology are asking themselves whether or not this is the right move for their business. Often, this technology is marketed at the highest level, simply exclaiming how much value it can provide without really providing any real examples. That being said, the answer on whether or not construction professionals should implement this technology as part of their business is context-dependent. Those involved in large construction projects may certainly benefit the most from this technology. For example, generative AI models can be created to alert an administrator if a change order is more than $5,000 or exceeds the gross profit margin of a given job. Regardless, construction professionals at all levels must still be cognizant of the data security issues that may arise through the use of generative AI. --- Jonathan A. Deasy
| |
"Schools must foster partnerships with technology providers, cybersecurity firms, and government agencies to stay ahead of the curve."
Why this is important: When considering cybersecurity targets and threats, K-12 institutions may not be the first thing that comes to mind. Yet student records, personnel data, health records, and administrative files are all vital pieces of information that K-12 institutions maintain and risk compromising when data security in a K-12 setting is breached by a cyber threat. As previously reported in several of our publications, cyberattacks targeting educational institutions have increased, making it crucial to address this issue in a manner that not only prevents data loss, but also disruptions to the learning environment. To avoid cyberattacks and mitigate the damage they cause, this article offers various measures that educational institutions, including K-12 schools, can employ to protect their databases.
One effective step in this important work is to secure technology. Schools often operate with outdated technology and software, which makes them more vulnerable to increasingly complex cyberattacks. Due to recent moves to more remote and hybrid learning models, technology is used more in K-12 settings than ever before. While beneficial in many respects, this means that vulnerable information resides on more devices. Regular vulnerability checks can help to identify weaknesses in school networks and digital infrastructure that need to be secured. Meanwhile, strict encryption protocols for sensitive data can aid in further ensuring that even if intercepted, the data remains unreadable and secure. In addition, grants from governmental agencies such as the Department of Homeland Security are available to support the replacement of outdated technology and to implement security infrastructure upgrades.
Regular training of both staff and students is also critical for reducing the likelihood of a successful cyberattack. Required learning sessions for the individuals who use school-issued technology, or personal technology that provides access to school networks or sensitive data, equip them with the information needed to recognize cyber threats and react appropriately, including by immediately reporting related concerns to a designated school official. Educational institutions can also implement a comprehensive technology security plan to ensure all constituents know how to respond in the event of a cyber threat. In addition, while reliance on third-party support for data storage needs may be acceptable, it is imperative that institutions first vet their vendors’ data security policies and practices and establish an agreement that ensures the vendors’ use of any required technical safeguards and prompt notification of any threatened or actual data breach, among other obligations.
By adopting proactive measures to secure critical data and information, educational institutions can avoid costly reactive solutions and better manage their already limited budgets. The solution to increased cyberattacks against K-12 schools is not a one-time fix. As technology evolves and the threats become more elaborate and harder to recognize, the cybersecurity measures that educational institutions implement must be stronger to respond in kind. Like all educational institutions, K-12 schools must prioritize cybersecurity and continually update their security measures to avoid cyberattacks. --- Nicholas A. Muto
| |
The Corporate Transparency Act: Deadline Approaching
| |
By Brienne T. Marco
Before we know it, 2024 will be coming to a close. As we approach the end of the year, we want to remind you of an important upcoming deadline under the Corporate Transparency Act. Companies formed before January 1, 2024 must file their initial beneficial owner report no later than December 31, 2024.
| |
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
Responsible Attorney: Michael J. Basile, 800-967-8251