Commercial Litigation Update

The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.

In 2023, the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals. 

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”).  New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.

Scope and Exemptions

SB 332 imposes obligations on “controllers”  – entities or individuals that determine the purpose and means of processing personal data – that ...

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

The U.S. Cybersecurity and Infrastructure Agency (CISA) has urged a “Shields Up” defense in depth approach, as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “Whispergate” are destructive attacks that corrupt the infected computers’ master boot record rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risks now escalate of a spillover effect to Europe and the United States particularly as to: (i) targeted cyber attacks including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya” which was attributed to the Russian military to target Ukranian organizations in 2017, but then quickly spread around the world reportedly resulting in over $10 billion dollars in damage.[1] The researchers added that the current wiper has included even further components designed to inflict damage.

Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.

There are cybersecurity lessons to be learned from high profile data breaches and the ensuing regulatory responses. The recent well-publicized Twitter hack is no different. According to the New York State Department of Financial Services (“NYSDFS”) investigation and report, on July 15, 2020, a 17-year old hacker and his accomplices easily misled Twitter’s employees into disclosing their credentials resulting in a breach of Twitter’s network and the hackers’ takeover of accounts assigned to high-profile users in just a 24-hour period. The NYSDFS concluded that ...

On March 10, 2020, the New York Department of Financial Services (“DFS”), which regulates a wide variety of financial institutions, including banks, insurance companies, and investment advisors doing business in New York, issued a series of letters regarding the response to the Novel Coronavirus (“COVID-19”). In addition to providing guidance, DFS has asked all regulated financial institutions to provide “assurance” that they have plans to address the operational and financial risks associated with COVID-19. A copy of the letter to regulated financial ...