On April 9, 2025, the U.S. Securities and Exchange Commission (the “SEC”) and the U.S. Attorney’s Office for the Southern District of New York filed parallel actions against Albert Saniger, the former CEO of Nate, Inc. (“Nate”), alleging that he made materially false and misleading statements to investors about the company’s artificial intelligence (“AI”) capabilities. This matter is particularly noteworthy…

Most companies have implemented protocols for when an employee emails confidential information to the wrong person.  A new version of that problem occurs when an employee uploads sensitive information to a consumer (i.e., not enterprise) AI tool, which gives rise to the following questions: Can the data be clawed back or deleted, and if so, how? Can humans at the…

OVERVIEW OF THE NEW LEGISLATION Definitions The new legislation, described as the first Hong Kong cybersecurity law, regulates designated “Operator of Critical Infrastructure” (the “CIO”) and its “Critical Computer Systems” (the “CCS”). “Critical Infrastructure” (the “CI”) is defined as: any infrastructure that is essential to the continuous provision of an essential service in Hong Kong in eight specified sectors: energy,…

Given that AI models require large swathes of data to operate, the GDPR’s expansive definition of personal data means that many applications of AI involve complex data protection issues – especially where those datasets are obtained from third-party sources. At the Irish DPC’s request, the European Data Protection Board (“EDPB”) has adopted Opinion 28/2024 on data protection considerations when developing…

Our top-five European data protection developments from February are: European Commission publishes guidelines on prohibited AI practices: The EU Commission has published non-binding guidance on the EU AI Act’s prohibited use cases. European Parliamentary Research Service Report Highlights Tension Between the EU AI Act and GDPR: The ERPS published a report warning of a potential conflict between the EU AI…

South Korea has become the latest country to pass a national AI law. The “Basic Act on the Development of Artificial Intelligence and Establishment of Foundation for Trust” (the “Basic Act” or the “Act”), which has several similarities to – and differences from – the EU AI Act, and comes into force on January 22, 2026. Like its EU counterpart,…

As the first quarter of 2025 draws to a close and we look ahead to the spring, important changes to the Federal Rules of Evidence (“FRE”) regarding the use of AI in the courtroom are on the horizon. Specifically, the Federal Judicial Conference’s Advisory Committee on Evidence Rules (the “Committee”) is expected to vote on at least one AI-specific proposal…

On Tuesday, April 29, 2025 at 1:15 pm, Erez Liebermann will be moderating a panel at RSAC 2025 Conference to discuss the growing regulatory expectations around governance, including that from the Securities and Exchange Commission (SEC) and other regulators beating their cyber drums. The panelists will share best practices to educate the board, both ahead of and during an incident.…

On Wednesday, April 30, 2025 at 2:25 pm, Erez Liebermann will be moderating a panel at RSAC 2025 Conference to discuss different approaches of private equity firms in evaluating cyber maturity and in working with portfolio companies on M&A, risk management, and incident response. The panel will feature: Rich Adduci, Operating Executive, Berkshire Partners James Goddard, Senior Operating Executive, Hellman…

On Tuesday, April 29, 2025 at 9:40 am, Erez Liebermann will be moderating a panel at RSAC 2025 Conference to dive into the work that financial services companies, the government, and cloud service providers are taking to mature incident response. The panel will feature: Todd Conklin, Chief AI Officer and Deputy Assistant Secretary, US Treasury Heather Hogsett, Senior Vice President,…