The Biden Administration’s Blueprint for an AI Bill of Rights

As the use of artificial intelligence (AI) rapidly expands throughout the private sector and government, the Biden administration has published a report titled A Blueprint for an AI Bill of Rights. A summary is available at and the full document is available at

The report cites a myriad of issues with AI systems, including uses in hiring and credit decisions that have been found to reproduce existing inequities or create new harmful bias, uses in patient care that proved to be unsafe or ineffective, and increased collection or use of data that threatens people’s opportunities or undermines their privacy.  The report argues these harmful outcomes are not inevitable and that the AI tools have the potential to revolutionize many industries and benefit all parts of society.

The report sets out 5 basic rights of people that should be respected in connection with AI systems.

Read more ›
Tagged with: , , ,
Posted in Artificial Intelligence

NIST Issues New Artificial Intelligence Risk Management Framework

The National Institute of Standards and Technology (NIST) recently released version 1.0 of its Artificial Intelligence Risk Management Framework. The framework is available at, and a full set of supporting documents is available at

There is an emerging consensus that AI systems present a significantly different risk profile than conventional information technology systems.  While there is currently no legal requirement to use a risk management framework when developing AI systems, there are a growing number of proposals that would require the use of a risk management framework or offer a safe harbor from certain types of liability if one is used.

The framework identifies 6 factors for mitigating risk and evaluating the trustworthiness of an artificial intelligence (AI) system.

Read more ›
Tagged with: , , , ,
Posted in Artificial Intelligence

AI: What You Need to Know

Andy Baer is joined by three of his Cozen O’Connor colleagues for a panel discussion exploring the evolving law of artificial intelligence in the U.S. and Europe, including legal risks associated with ChatGPT and other AI tools, the current state of regulation, and how providers and users of AI tools can manage risk going forward.

Download this episode.

Read more ›
Posted in Cyber Law Monitor Podcast

You’ve Been Breached – Who Do You Call?

Host Andrew Baer is joined by Matthew Klahre from Cozen O’Connor’s Technology, Privacy, & Data Security practice group for a discussion, with practical tips, on how to manage internal and external communications following a data breach.

Download this episode.

Read more ›
Posted in Cyber Law Monitor Podcast

Update on EU-US Personal Data Transfers

Andy Baer is joined by Christopher Dodson of Cozen O’Connor to discuss EU-US personal data transfers after Schrems II, including the latest on the EU-US Data Privacy Framework.

Download this episode.

Read more ›
Posted in Cyber Law Monitor Podcast

Incoming State Privacy Laws in 2023

Introducing the Cyber Law Monitor Podcast, a podcast from Cozen O’Connor’s Technology, Privacy & Data Security practice group with discussions and perspectives on emerging trends, developments and best practices. In the inaugural episode, host Andrew Baer is joined by his Cozen O’Connor colleague, Benjamin Mishkin, for a discussion about the new state privacy laws in the United States, which will go into effect in 2023.

Download this episode.

Read more ›
Posted in Cyber Law Monitor Podcast

Federal Privacy Law Passage in Doubt?

A few months ago it seemed like the American Data Privacy and Protection Act (ADPPA) was gaining momentum in Congress and represented the best hope in years for passage of a federal data privacy law that would preempt the five overlapping (but not totally consistent) state comprehensive privacy laws and offer businesses a uniform national framework. However, California’s attorney-general Rob Bonta and nine other state attorneys-general are now opposing the ADPPA in its current form, claiming that there should be no preemption and any federal privacy law should establish a “floor not a ceiling.” Of course, this would be the worst possible outcome for many businesses, which would face an additional compliance regime overlaid on the existing ones as well as a private right of action substantially broader than California’s. Please check out the following article published by Meghan Stoppel of Cozen O’Connor’s State Attorneys General group, which examines the state AGs’ position and evaluates the ADPPA’s chances of passage. 

Posted in Uncategorized

The New Standard Contractual Clauses Deadline is Approaching

On June 4, 2021, the European Commission introduced the new set of Standard Contractual Clauses (“SCCs”), a primary mechanism for lawfully transferring personal data from Europe to the United States under the European Union’s General Data Protection Regulation. These new SCCs replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46. For those entities that entered into a transfer agreement based on the previous SCCs before September 27, 2021, a transition period has been granted until December 27, 2022 to switch to the new SCCs, provided that the processing operations that are the subject matter of the contract remain unchanged. Thus, all new and existing contracts must be transitioned to the new SCCs by December 27, 2022. Below is an overview of key updates in the new SCCs, and recommendations for ensuring compliance prior to the December 27, 2022 deadline.

Important Updates for the New SCCS

Modular Approach

The new SCCs are divided into four modules to address four different cross-border transfer scenarios: (i) Module One: controller to controller; (ii) Module Two: controller to processor; (iii) Module Three: processor to processor; and (iv) Module Four: processor to controller. This is different from the previous SCCs, which only contemplated cross-border transfer scenarios involving two controllers, and a controller to a processor. Under the new SCCs, the parties can tailor the clauses for their specific transfer scenario, reflecting the complexity of modern processing chains.

Transfer Impact Assessment

The new SCCs impose an obligation on the parties in all modules to conduct and record a transfer impact assessment. At the time of entering into the new SCCs, the parties must warrant that they have no reason to believe that the laws and practices applicable to the data importer are not in line with the requirements under the new SCCs. In conducting the transfer impact assessment, the parties must also account for the circumstances of the intended transfer, define the parameters of the transfer (i.e. length of processing chain), define the safeguards that are implemented, and assess the risk posed by the laws and practices of the third country of destination.

Docking Clause

While the previous SCCs did not permit additional parties to join directly, the new SCCs contain a clause that allow additional data exporters or importers to accede to the new SCCs throughout the lifecycle of the contract. The acceding party will have the rights and obligations arising under the new SCCs from the point of entering into the new SCCs.


In addition to using the new SCCs in any future contracts that involve data transfers from the European Union, entities should develop strategies to prioritize and update existing contracts that involve  personal data transfers from Europe to the U.S. Entities need to determine if the new SCCs are needed for cross-border transfer scenarios involving a processor to a controller or a processor to a processor, as the previous SCCs were not required for these scenarios. It is critical that entities identify all existing contracts that will need to be amended to include the new SCCs before the deadline of December 27, 2022.

Tagged with: , , , , ,
Posted in GDPR, Regulations, Standards

AI and Cybersecurity Issues Look Set to Dominate the Privacy Landscape in 2022

Meghan Stoppel, who spent over a decade serving as an Assistant Attorney General, and later a Consumer Protection Chief, to both Democratic and Republican state attorneys generals, talks to Andy Baer, Chair of Cozen O’Connor’s Technology, Privacy and Data Security practice, about how state AGs are weighing in on both policy and enforcement with respect to privacy.

Andy: Meghan, the state privacy legislation landscape is evolving rapidly, as you discussed in your recent article in WestLaw. What other “hot” topics in privacy drew the state AGs’ attention in 2021? How might that affect their priorities in 2022? Are there any takeaways for the business community?

Meghan: No doubt, 2021 was a revealing year. We saw state AGs publicly express concern, in multiple forums, about algorithms and the potential for bias-based discrimination in automated decision-making. A number of AGs called for both cooperation and increased transparency from the business community, while the D.C. Attorney General introduced his own legislation in late 2021 to ban “algorithmic discrimination.” And although the AGs did not announce any formal enforcement actions in this area in 2021, I would not be surprised if investigations are already underway. Businesses that rely on algorithms to make automated decisions should be aware of increased AG attention in this area, especially with respect to essential products and services such as housing and financial products (e.g. credit).

Read more ›
Posted in Legislation, Policies and Procedures, Regulations

SEC Proposes New Cybersecurity Disclosure Rules for Public Companies

On March 9, 2022, the SEC proposed new rules (“Proposed Rules”) that would expand cybersecurity disclosures applicable to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 (“Exchange Act”). Existing SEC rules do not explicitly require cybersecurity disclosures, and instead provide management with the discretion to reveal information based on materiality assessments. If the Proposed Rules are adopted, these rules would impose new reporting obligations with respect to cybersecurity matters, such as specifically mandating current and periodic reporting of material cybersecurity incidents, and also requiring periodic disclosure of a company’s policies and procedures to identify and manage cybersecurity risks, management’s role and expertise in implementing cybersecurity policies, procedures, and strategies, and the board of directors’ oversight role and cybersecurity expertise, if any.

Read more ›
Tagged with: , , , , , ,
Posted in Regulations
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates


Cozen O’Connor Blogs