This quarterly update summarizes key legislative and regulatory developments in the third quarter of 2022 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.
Many employers and employment agencies have turned to artificial intelligence (“AI”) tools to assist them in making better and faster employment decisions, including in the hiring and promotion processes. The use of AI for these purposes has been scrutinized and will now be regulated in New York City. The New York City Department of Consumer and Worker Protection (“DCWP”) recently issued a Notice of Public Hearing and Opportunity to Comment on Proposed Rules relating to the implementation of New York City’s law regulating the use of automated employment decision tools (“AEDT”) by NYC employers and employment agencies. As detailed further below, the comment period is open until October 24, 2022.…
On July 5, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the National Institute of Standards and Technology (“NIST”) strongly recommended that organizations begin preparing to transition to a post-quantum cryptographic standard. “The term ‘post-quantum cryptography’ is often referred to as ‘quantum-resistant cryptography’ and includes, ‘cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by” a CRQC (cryptanalytically relevant quantum computer) or a classical computer. NIST “has announced that a new post-quantum cryptographic standard will replace current public-key cryptography, which is vulnerable to quantum-based attacks.” NIST does not intend to publish the new post-quantum cryptographic standard for commercial products until 2024 but urges companies to begin preparing now by following the Post-Quantum Cryptography Roadmap. …
This quarterly update summarizes key federal legislative and regulatory developments in the second quarter of 2022 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and data privacy, and highlights a few particularly notable developments in U.S. state legislatures. In the second quarter of 2022, Congress and the Administration focused on addressing algorithmic bias and other AI-related risks and introduced a bipartisan federal privacy bill.…
This quarterly update summarizes key federal legislative and regulatory developments in the first quarter of 2022 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and data privacy, and highlights a few particularly notable developments in the States. In the first quarter of 2022, Congress and the Administration focused on required assessments and funding for AI, restrictions on targeted advertising using personal data collected from individuals and connected devices, creating rules to enhance CAV safety, and children’s privacy topics.
Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – First Quarter 2022
Utah appears poised to be the next state with a comprehensive privacy law on its books, following California, Virginia, and Colorado. On March 2nd, the Utah House of Representatives voted unanimously to approve an amended version of the legislative proposal, and the Senate concurred with the House amendment on the following day. Formalities are now being completed to send the bill to Governor Spencer Cox for signature.
The Utah Consumer Privacy Act (“UCPA”) provides for consumer rights and responsibilities for controllers and processors. Although the bill generally tracks the comprehensive privacy law passed in Virginia last year, the VCDPA, there are some notable differences. Key provisions in the bill include the following:…
Continue Reading Utah Legislature Passes Comprehensive Privacy Bill
In early February, the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a joint cybersecurity advisory observing “an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally” during 2021. The report—which was coauthored by cybersecurity authorities in the United States (CISA, the Federal Bureau of Investigation, and the National Security Agency), Australia (the Australian Cyber Security Centre), and United Kingdom (the National Cyber Security Centre)—emphasizes that the continued evolution of ransomware tactics and techniques throughout the past year “demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.”…
Continue Reading CISA Issues Joint Cybersecurity Advisory on 2021 Ransomware Trends and Recommendations
2021 was another busy year for data privacy regulatory enforcement and litigation. With some distance to reflect on last year, we have prepared this post identifying and describing important trends from 2021 that can help provide insight into what to expect in the data privacy landscape in 2022.
Data Privacy Regulatory Enforcement Trends
Federal Trade Commission (FTC) and state enforcement action in 2021 centered on several key areas, including protecting children.
An FTC enforcement action last year alleged that the maker of an online coloring book application violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information about children who used the app without notifying their parents and obtaining their consent. The allegations note that the app included a “Kids” category that was targeted to children. The FTC further claimed that the app’s social media features collected personal information from users and that some parents, lacking knowledge of these features, may have inadvertently permitted their young children to use the app.
Continue Reading 2021 Trends in Privacy Regulatory Enforcement and Litigation
On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”). The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.
The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.” The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.” The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.
The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products. We should expect that the framework established by NIST in this publication will serve as a model for these requirements. …
Continue Reading NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products
As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month. Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments in these emerging spaces. In addition, from developing a consumer labeling program for IoT devices to requiring the manufacturers and operators of CAVs to report crashes, federal agencies have promulgated new rules and issued guidance to promote consumer awareness and safety. We are providing this year-end round up in four parts. In this post, we detail IoT updates in Congress, the states, and federal agencies.
Part IV: Internet of Things
This quarter’s IoT-related Congressional and regulatory updates ranged from promoting consumer awareness to bolstering the security of connected devices. In particular, the Federal Communications Commission (“FCC”) has taken a number of actions to promote the growth of IoT while the National Institute of Standards and Technology (“NIST”) continues to work to fulfill its obligations under President Biden’s May Executive Order on Improving the Nation’s Cybersecurity (“EO”). The IoT Cybersecurity Improvement Act of 2020 (H.R.1668) additionally tasked NIST with developing security standards and guidelines for the federal government’s IoT devices. This year NIST put out a number of reports to carry out this mandate, including guidance documents to assist federal agencies with evaluating the security capabilities required in their IoT devices (NIST SP 800-213).
Continue Reading U.S. AI and IoT Legislative Update – Year-End 2021