Date: 2025-02-21

Publications & Advisories

State AGs Publish Guidance on How State Laws Apply to AI

On December 24, 2024 and January 13, 2025, the Oregon Attorney General's (AG's) Office and the California AG's Office published advisories explaining how existing statutes may be used to regulate, investigate, and enforce against artificial intelligence (AI). These advisories serve to remind AI developers, suppliers, and users of heightened regulatory scrutiny of AI and of potential regulatory enforcement tools. This blog post briefly summarizes the authorities that the Oregon and California AGs have identified as potential vehicles for AI regulation and enforcement and provides key takeaways for each.

CISA Releases the AI Cybersecurity Collaboration Playbook to Strengthen AI-Related Cybersecurity Information Sharing and Collaboration

On January 14, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released the AI Cybersecurity Collaboration Playbook to provide guidance to organizations within the AI community (including AI providers, developers, and adopters) to voluntarily share AI-related cybersecurity information with CISA and its partners through the Joint Cyber Defense Collaborative. To combat AI-related cybersecurity threats and enhance the cybersecurity resilience of AI systems, the playbook encourages organizations to incorporate its recommendations into their existing practices.

DeepSeek Grabs Headlines – but Could It Be Unlawful by April? Considerations for Companies from Recent U.S. Data Regulations

In January 2025, a new generative AI large language model called DeepSeek was publicly launched by two Chinese entities, the Hangzhou and Beijing DeepSeek Artificial Intelligence Basic Technology Research Cos. Ltd. DeepSeek is currently driving headlines claiming it represents a "Sputnik moment" in AI development. As companies evaluate DeepSeek, it remains prudent to consider potential obstacles that could arise from recent data-related regulations passed in the United States that are designed to broadly restrict the availability of U.S.-person data to Chinese organizations.

Last-Minute Biden Cybersecurity and Artificial Intelligence Executive Orders Survive Initial Trump Revocations

In the final week of the Biden Administration's term in office, former President Biden issued two high-profile Executive Orders that could have significant ramifications for the cybersecurity and technology industries. The first, issued on January 14, 2025, is Advancing United States Leadership in Artificial Intelligence Infrastructure. The second, issued on January 16, 2025, is Strengthening and Promoting Innovation in the Nation's Cybersecurity.

Texas AG Files Complaint Against Major Insurance Company Regarding Data Practices

On January 13, 2025, Ken Paxton, the Texas AG, filed a complaint against a large insurance entity and its subsidiary company. The complaint outlines alleged violations of the Texas Data Privacy and Security Act.

FTC Announces Proposed Settlement with GoDaddy Incorporating Prescriptive Cybersecurity Requirements

On January 15, 2025, the Federal Trade Commission (FTC) announced a proposed settlement with GoDaddy Inc. for making false or misleading representations about its security practices in violation of Section 5 of the FTC Act.

FTC Finalizes COPPA Rule Amendments

On January 16, 2025, the FTC voted 5–0 to approve the finalized amendments to the Children's Online Privacy Protection Rule that would offer additional privacy safeguards for children under the age of 13.

Top 10 Takeaways from California AG's Health Care AI Advisory

On January 13, 2025, California AG Rob Bonta issued an advisory describing providers' and businesses' obligations for the development, sale, and use of AI and automated decision systems in the health care industry. The advisory puts health care providers, insurers, and businesses serving the health care industry on notice of the AG's heightened scrutiny of AI and the variety of potential enforcement options available to the AG related to AI systems.

Key Points for DHS Playbook for Public Sector GenAI Deployment

On January 7, 2025, the Department of Homeland Security (DHS) released its first "Playbook for Public Sector Generative Artificial Intelligence Deployment" to serve as a comprehensive guide for DHS and other public sector organizations to responsibly integrate GenAI into their operations. The playbook emphasizes the importance of deploying AI technologies in a manner that is responsible, trustworthy, and effective.

OFAC Announces Sanctions Against Chinese-Based Cybersecurity Company

On January 3, 2025, the Department of the Treasury's Office of Foreign Assets Control announced sanctions on a China-based cybersecurity company, Integrity Technology Group Inc. These sanctions were in response to Integrity Tech's "role in multiple computer intrusion incidents against U.S. victims."

New York Amends Data Breach Notification Law with Immediate Implications

In late December 2024, the New York governor signed two bills (S2659B and S2376B) amending the state's data breach notification law to expand the definition of "reportable personal information" and impose new covered entity reporting obligations in the event of a data breach.

The D.C. Circuit's TikTok Decision Could Portend Greater Regulation of Chinese-Owned Apps

On December 6, 2024, the U.S. Court of Appeals for the D.C. Circuit upheld the constitutionality of the Protecting Americans from Foreign Adversary Controlled Applications Act. The Act, signed into law by President Biden on April 24, 2024, prohibits the "distribution or maintenance" in the U.S. of applications controlled by ByteDance, TikTok's China-based parent. The Act also allows the President to subject other applications to the prohibition if he determines the company that owns the application is "controlled by a foreign adversary" and "presents a significant threat to ... national security."

CPPA Opens Formal Public Comment Period for CCPA Proposed Regulations

On November 22, 2024, the California Privacy Protection Agency issued a notice of proposed rulemaking and opened the formal comment period for its proposed regulations on updates to existing California Consumer Privacy Act (CCPA) regulations, cybersecurity audits, risk assessments, automated decision-making technology, and the applicability of the CCPA to insurance companies.

Department of Homeland Security Releases Recommended Framework for AI in Critical Infrastructure

On November 14, 2024, DHS announced a set of voluntary recommendations called the "Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure." Recognizing the severe consequences associated with disruption to the nation's critical infrastructure, DHS released the framework to address certain risks associated with the use of AI across critical infrastructure sectors.

Selected Global Privacy & Cybersecurity Updates

First Milestone in the Implementation of the EU AI Act

The AI Act is the European Union's comprehensive legal framework on AI that aims to promote the responsible development and use of artificial intelligence in the EU. The timeline for implementation of the AI Act follows a staggered approach: while the AI Act entered into force on August 1, 2024, most of its provisions will apply from August 2, 2026. However, the AI Act's requirements relating to prohibited AI practices and AI literacy are effective as of February 2, 2025.

UK's National Cyber Security Centre Releases 2024 Annual Review

The United Kingdom's National Cyber Security Centre has released its annual review for 2024. As in prior years, the report covers the UK's cybersecurity position, both in terms of threats to the public and private sectors and the country's readiness to deal with those threats.

Chile Passes New Data Protection Law

On November 14, and after many years of negotiations, Chile adopted a new Data Protection Act (DPA). This new DPA aims to provide Chile with an updated regulatory framework for the protection of personal data by replacing the law that had been in force since 1999. The DPA is also expected to align with international privacy and data protection standards, such as the General Data Protection Regulation in Europe (GDPR), General Data Protection Law in Brazil (LGPD), and Personal Data Protection Law in Argentina (LPDP).

