Commercial Litigation Update

The widespread availability of Artificial Intelligence (AI) tools has enabled the growing use of “deepfakes,” whereby the human voice and likeness can be replicated seamlessly such that impersonations are impossible to detect with the naked eye (or ear). These deepfakes pose substantial new risks for commercial organizations. For example, deepfakes can threaten an organization’s brand, impersonate leaders and financial officers, and enable access to networks, communications, and sensitive information.

In 2023, the National Security Agency (NSA), Federal Bureau of Investigations (FBI), and Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (the “Joint CSI”) entitled “Contextualizing Deepfake Threats to Organizations,” which outlines the risks to organizations posed by deepfakes and recommends steps that organizations, including national critical infrastructure companies (such as financial services, energy, healthcare and manufacturing organizations), can take to protect themselves. Loosely defining deepfakes as “multimedia that have either been created (fully synthetic) or edited (partially synthetic) using some form of machine/deep learning (artificial intelligence),” the Joint CSI cautioned that the “market is now flooded with free, easily accessible tools” such that “fakes can be produced in a fraction of the time with limited or no technical expertise.” Thus, deepfake perpetrators could be mere amateur mischief makers or savvy, experienced cybercriminals. 

As a privacy officer, what keeps you up at night?

Is it the ransomware boogeyman, or perhaps the data breach creeps?

Whatever it may be, Epstein Becker Green litigators J.T. Wilson III, Stuart Gerson, and Brian Cesaratto are here to shed light on the subject in this episode of Speaking of Litigation.

On January 16, 2024, New Jersey Governor Phil Murphy signed into law Senate Bill No. 332, “An Act concerning online services, consumers, and personal data” (“SB 332”).  New Jersey is the fourteenth state to pass a comprehensive consumer privacy bill, and the obligations and rights created by SB 332 follow the format used in a growing number of states that have passed comprehensive consumer privacy laws.

Scope and Exemptions

SB 332 imposes obligations on “controllers”  – entities or individuals that determine the purpose and means of processing personal data – that ...

On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted its long-anticipated cybersecurity reporting rule (the “Final Rule”). The Final Rule applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 and, in some cases, to foreign private issuers. As quoted in the SEC’s press release, SEC Commissioner Gary Gensler noted that many public companies already make cybersecurity disclosures to investors, and the Final Rule provides uniformity and structure for these future disclosures. The Final Rule also imposes a tight timeline for cybersecurity incident reporting and may include disclosure of an ongoing cybersecurity incident, as well as requiring periodic disclosures concerning organizational cybersecurity risk management processes and governance.

Last week, blockchain analysis firm, Chainalysis, held its annual conference, Links 2023, in New York City, where private and public sector leaders met to discuss emerging issues impacting the blockchain, cryptocurrency, and digital asset space. The conference featured presentations from notable public and private sector leaders, including government regulators, enforcement bodies who investigate and assist in prosecuting virtual asset fraud, and executives from financial institutions.

On July 7, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion entitled ‘“Fair Credit Reporting: Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports.”[1] The advisory opinion clarifies that “permissible purposes” under the Fair Credit Reporting Act (the “FCRA”) are “consumer specific” and highlights that a person who uses or obtains a “consumer report” is “strictly prohibit[ed]” from doing so without a permissible purpose under the FCRA. In the midst of ongoing Congressional efforts to pass a comprehensive federal data privacy law, the CFPB’s advisory opinion is a reminder of the existing rules that protect consumer privacy.

Last week, FINRA published its 2022 Report on its Examination and Risk Monitoring Program (the “Report”), identifying key areas of focus for broker-dealer exams this year. The Report contains many of the same areas of focus as last year’s report, including anti-money laundering, cybersecurity, Reg BI and Form CRS, communications with the public, best execution and segregation of customer funds. Although the Report again identifies these general areas, it identifies new concerns and recent examination findings in those areas. In an effort to be user friendly, the Report highlights that new content in bold and identifies new areas for 2022. A key takeaway from the Report is the continued challenges posed by technology.

Our colleague Stuart Gerson of Epstein Becker Green has a new post on SCOTUS Today that will be of interest to our readers: "The Supreme Court Limits the Effective Reach of the Computer Fraud and Abuse Act."

The following is an excerpt:

Those of us who deal regularly with cybersecurity matters have been waiting eagerly for the Supreme Court’s decision in Van Buren v. United States, which raised the question of whether the language of the Computer Fraud and Abuse Act of 1986 (CFAA), 18 U. S. C. §1030(a)(2), which subjects to criminal liability anyone who “intentionally ...

There are cybersecurity lessons to be learned from high profile data breaches and the ensuing regulatory responses. The recent well-publicized Twitter hack is no different. According to the New York State Department of Financial Services (“NYSDFS”) investigation and report, on July 15, 2020, a 17-year old hacker and his accomplices easily misled Twitter’s employees into disclosing their credentials resulting in a breach of Twitter’s network and the hackers’ takeover of accounts assigned to high-profile users in just a 24-hour period. The NYSDFS concluded that ...