The US Senate’s Bipartisan AI Policy Roadmap is a highly anticipated document expected to shape the future of artificial intelligence (AI) in the United States over the next decade. This comprehensive guide, which complements the AI research, investigations, and hearings conducted by Senate committees during the 118th Congress, identifies areas of consensus that could help policymakers establish the ground rules for AI use and development across various sectors.
From intellectual property reforms and substantial funding for AI research to sector-specific rules and transparent model testing, the roadmap addresses a wide range of AI-related issues. Despite the long-awaited arrival of the AI roadmap, Sen. Chuck Schumer (D-NY), the highest-ranking Democrat in the Senate and key architect of the high-level document, is expected to strongly defer to Senate committees to continue drafting individual bills impacting the future of AI policy in the United States.
The Senate’s bipartisan roadmap is the culmination of a series of nine forums held last year by the same group, during which they gathered diverse perspectives and information on AI technology. Topics of the forums included:
Inaugural Forum
Supporting US Innovation in AI
AI and the Workforce
High Impact Uses of AI
Elections and Democracy
Privacy and Liability
Transparency, Explainability, Intellectual Property, and Copyright
Safeguarding
National Security
The wide range of views and concerns expressed by over 150 experts including developers, startups, hardware and software companies, civil rights groups, and academia during these forums helped policymakers develop a thorough and inclusive document that reveals the areas of consensus and disagreement. As the 118th Congress continues, it’s expected that Sen. Schumer will reach out to his counterparts in the US House of Representatives to determine the common areas of interest. Those bipartisan and bicameral conversations will ultimately help Congress establish the foundational rules for AI use and development, potentially shaping not only the future of AI in the United States but also influencing global AI policy.
The final text of this guiding document focuses on several high-level categories. Below, we highlight a handful of notable provisions:
Publicity Rights (Name, Image, and Likeness)
The roadmap encourages senators to consider whether there is a need for legislation that would protect against the unauthorized use of one’s name, image, likeness, and voice, as it relates to AI. While state laws have traditionally recognized the right of individuals to control the commercial use of their so-called “publicity rights,” federal recognition of those rights would mark a major shift in intellectual property law and make it easier for musicians, celebrities, politicians, and other prominent public figures to prevent or discourage the unauthorized use of their publicity rights in the context of AI.
Disclosure and Transparency Requirements
Noting that the “black box” nature of some AI systems can make it difficult to assess compliance with existing consumer protection and civil rights laws, the roadmap encourages lawmakers to ensure that regulators are able to access information directly relevant to enforcing those laws and, if necessary, place appropriate transparency and “explainability” requirements on “high risk” uses of AI. The working group does not offer a definition of “high risk” use cases, but suggests that systems implicating constitutional rights, public safety, or anti-discrimination laws could be forced to disclose information about their training data and factors that influence automated or algorithmic decision making. The roadmap also encourages the development of best practices for when AI users should disclose that their products utilize AI, and whether developers should be required to disclose information to the public about the data sets used to train their AI models.
The document also pushes senators to develop sector-specific rules for AI use in areas such as housing, health care, education, financial services, news and journalism, and content creation.
Increased Funding for AI Innovation
On the heels of the findings included in the National Security Commission on Artificial Intelligence’s (NSCAI) final report, the roadmap encourages Senate appropriators to provide at least $32 billion for AI research funding at federal agencies, including the US Department of Energy, the National Science Foundation, and the National Institute of Standards and Technology. This request for a substantial investment underscores the government’s commitment to advancing AI technology and seeks to position federal agencies as “AI ready.” The roadmap’s innovation agenda includes funding the CHIPS and Science Act, support for semiconductor research and development to create high-end microchips, modernizing the federal government’s information technology infrastructure, and developing in-house supercomputing and AI capacity in the US Department of Defense.
Investments in National Defense
Many members of Congress believe that creating a national framework for AI will also help the United States compete on the global stage with China. Senators who see this as the 21st century space race believe investments in the defense and intelligence community’s AI capabilities are necessary to push back against China’s head start in AI development and deployment. The working group’s national security priorities include leveraging AI’s potential to build a digital armed services workforce, enhancing and accelerating the security clearance application process, blocking large language models from leaking intelligence or reconstructing classified information, and pushing back on perceived “censorship, repression, and surveillance” by Russia and China.
Addressing AI in Political Ads
Looking ahead to the 2024 election cycle, the roadmap’s authors are already paying attention to the threats posed by AI-generated election ads. The working group encourages digital content providers to watermark any political ads made with AI and include disclaimers in any AI-generated election content. These guardrails also align with the provisions of several bipartisan election-related AI bills that passed out of the Senate Rules Committee the same day as the roadmap’s release.
Privacy and Legal Liability for AI Usage
The AI Working Group recommends the passage of a federal data privacy law to protect personal information. The AI Working Group notes that the legislation should address issues related to data minimization, data security, consumer data rights, consent and disclosure, and the role of data brokers. Support for these principles is reflected in numerous state privacy laws enacted since 2018, and in bipartisan, bicameral draft legislation (the American Privacy Rights Act) supported by Rep. McMorris Rogers (D-WA) and Sen. Maria Cantwell (D-WA).
As we await additional legislative activity later this year, it is clear that these guidelines will have far-reaching implications for the AI industry and society at large.
The Council on Environmental Quality (“CEQ”) is tasked with issuing National Environmental Policy Act (“NEPA”) regulations to guide federal agencies in its implementation. In 2021, CEQ began a two-phase process to revise these regulations. “Phase 1” largely reversed several changes made to the regulations in 2020 under the prior Trump Administration, including key changes relating to defining “purpose and need” and the long-used concepts of direct, indirect, and cumulative effects. The new “Phase 2” revisions are more extensive. Some of the Phase 2 revisions codify in regulation amendments to NEPA made by the Fiscal Responsibility Act of 2023 (“FRA”) and intended to improve the efficiency of the NEPA process, such as establishing page limits for environmental documents and facilitating the use of categorical exclusions (“CEs”). The Phase 2 revisions also restore additional concepts or provisions from the 1978 regulations and case law interpreting those regulations, remove additional changes made in 2020 that CEQ now “considers imprudent,” and, for the first time, specifically require consideration of effects relevant to environmental justice and climate change. We highlight some of these changes below.
The Phase 2 Final Rule will impact a broad range of projects needing federal authorizations or funding. Many of the efficiency measures included in the Final Rule implement changes that were enacted in the FRA. Although these changes could help address some long-standing issues in the NEPA process around delays and litigation, the effect of the proposed changes will be highly dependent on how the individual federal agencies carry out the changes through their own procedures and implementing regulations. Moreover, the Phase 2 Final Rule makes other important changes to the regulations that, rather than streamlining and improving efficiency, could increase burdens and challenges associated with NEPA compliance.
The Phase 2 Final Rule is scheduled to go into effect on July 1, 2024. However, industry groups and others already have signaled their frustration with these revisions, including several key members of Congress, led by Senator Joe Manchin, who have announced that they will seek to overturn the Phase 2 Final Rule using the Congressional Review Act.
Provisions Directed Towards Promoting Efficiency and Streamlining
Page Limits and Timelines. The Final Rule makes many small and some larger changes to promote efficiency and streamline the NEPA process. The Final Rule incorporates the FRA’s page limits of 75 pages for environmental assessments (“EAs”), 150 pages for environmental impact statements (“EISs”), and 300 pages for EISs of “extraordinary complexity.” It includes the FRA’s time limits for completion of NEPA documents, requiring completion of EAs within one year and EISs within two years, although it allows for an agency to extend this deadline, in consultation with any project applicant, to the extent necessary to complete the document. To further promote efficiency, the Final Rule also requires agencies to set deadlines and schedules appropriate to specific actions or types of actions.
Categorical Exclusions. The Final Rule also makes substantial changes to its regulations governing CEs that should facilitate agencies’ adoption of CEs as a tool to streamline NEPA compliance in certain circumstances, as allowed under the FRA. It sets forth a process for agencies to adopt and utilize other agencies’ CEs, as allowed under the FRA, without having to amend their regulations. The Final Rule clarifies that agencies can establish CEs individually as well as jointly with other agencies. And it allows agencies to establish CEs through land use plans, decision documents supported by a programmatic EIS or EA, or similar planning or programmatic decisions, without having to go through a separate rulemaking process. According to CEQ, by expanding the means by which agencies can establish CEs, these changes will, among other things, encourage agencies to undertake programmatic and planning reviews, as well as promote and speed the process for establishing CEs.
Programmatic Reviews and Tiering. The Final Rule includes various revisions to codify best practices for the use of programmatic NEPA reviews and tiering, which CEQ acknowledges “are important tools to facilitate more efficient environmental reviews and project approvals.”
Provisions that Could Increase NEPA Compliance Burdens
While the Phase 2 Final Rule emphasizes efficiency, it includes a range of regulatory changes that could have the opposite effect, creating additional burdens and potentially perpetuating opportunities for contentious litigation.
Climate Change, Environmental Justice, and Tribal Resources. Reflected in a wide range of revisions to the regulations, the Phase 2 Final Rule aims to further advance the Biden Administration’s policy focus on climate change, environmental justice, and Tribal resources. Among other provisions, the Final Rule explicitly requires agencies to analyze “disproportionate and adverse human health and environmental effects on communities with environmental justice concerns” and climate change-related effects, including quantification of greenhouse gas emissions where feasible, in their NEPA reviews. Agencies also must review these effects, as well as effects on Tribal rights and resources, in identifying the environmentally preferable alternative or alternatives. Similarly, the Final Rule defines “extraordinary circumstances”—which agencies must consider in determining whether to apply a CE—to include potential substantial disproportionate and adverse effects on communities with environmental justice concerns, potential substantial climate change effects, and potential substantial effects on historic or cultural properties. Moreover, agencies now “should, where relevant and appropriate, incorporate mitigation measures” to address effects “that disproportionately and adversely affect communities with environmental justice concerns.” And the Final Rule directs agencies, where appropriate, to use projections when evaluating climate change-related effects, including relying on models to project a range of possible future outcomes, provided that they disclose relevant assumptions or limitations. While these codifications are new—particularly the regulation directing agencies to consider mitigation for impacts to environmental justice communities—most agencies have been including some environmental justice and greenhouse gas emission impacts in their NEPA reviews based upon federal governmentwide and agency policy and court precedent.
Major Federal Actions. Implementing changes in the FRA and further responding to changes made in the 2020 rule, the Final Rule revises the definition of “major federal action”—the trigger for environmental review under NEPA. The FRA, in addition to specifying that a major federal action requires “substantial Federal control and responsibility,” established several exclusions including for certain types of projects receiving loans, loan guarantees, or other types of federal financial assistance. In an effort to address some of the uncertainty raised by these exclusions, the revised regulations provide that major federal actions generally include “[p]roviding more than a minimal amount of financial assistance, . . . where the agency has the authority to deny in whole or in part the assistance due to environmental effects, has authority to impose conditions on the receipt of the financial assistance to address environmental effects, or otherwise has sufficient control and responsibility over the subsequent use of the financial assistance” or effects of the funded activity.
Alternatives. The Phase 2 Final Rule clarifies that agencies are not required to consider “every conceivable alternative to a proposed action” but rather only “a reasonable range of alternatives that will foster informed decision making.” Additionally, the revised regulations provide that agencies have the discretion, but are not required, to include reasonable alternatives not within the lead agency’s jurisdiction. CEQ continues to anticipate that this will occur relatively infrequently and notes that such alternatives still must be technically and economically feasible and meet the proposed action’s purpose and need. The Final Rule also requires that environmental documents (and not just records of decision) identify one or more environmentally preferable alternatives, which could be the proposed action, the no action alternative, or a reasonable alternative.
Mitigation. Although NEPA has long been understood to be a procedural, rather than substantive, requirement, the Phase 2 Final Rule includes several provisions intended to encourage agencies to mitigate the impacts of proposed actions and to ensure that mitigation measures that agencies rely on in making their environmental determinations are actually carried out. When an agency incorporates and relies upon mitigation measures—whether in its analysis of reasonably foreseeable effects or in a mitigated finding of no significant impact—the revised regulations require the agency to explain the enforceable mitigation requirements or commitments to be undertaken and the authority to enforce them (for example, permit conditions, agreements, or other measures), and to prepare a monitoring and compliance plan.
Development of New Information. While agencies generally historically have not been required to develop data that was not readily available, CEQ “now considers it vital to the NEPA process for agencies to undertake studies and analyses” that provide information “essential to a reasoned choice among alternatives,” provided the overall costs are not unreasonable, and includes provisions to that effect in the Final Rule.
Exhaustion, Judicial Review, and Remedies. The Phase 2 Final Rule removes several changes included in the 2020 rule relating to exhaustion, judicial review, and remedies that were intended to reduce NEPA-related litigation and project delays.
The Phase 2 revisions take effect on July 1, 2024, and apply to any NEPA process that commences after that date, although the Final Rule states that agencies may apply them to ongoing activities and environmental documents that commence prior to that date. In addition to following the CEQ regulations, agencies also have adopted agency-specific NEPA implementing procedures. Agencies must revise these procedures to incorporate changes necessitated by the Phase 2 Final Rule by July 1, 2025.
In today’s digital landscape, the exchange of personal information has become ubiquitous, often without consumers fully comprehending the extent of its implications.
The recent actions undertaken by the Federal Trade Commission (FTC) shine a light on the intricate web of data extraction and mishandling that pervades our online interactions. From the seemingly innocuous permission requests of game apps to the purported protection promises of security software, consumers find themselves at the mercy of data practices that blur the lines between consent and exploitation.
The FTC’s proposed settlements with companies like X-Mode Social (“X Mode”) and InMarket, two data aggregators, and Avast, a security software company, underscore the need for businesses to appropriately secure and limit the use of consumer data, including information previously considered innocuous, such as browsing and location data. In a world where personal information serves as currency, ensuring consumer privacy compliance has never been more critical – or posed such a commercial risk for failing to get it right.
X-Mode and InMarket Settlements: The proposed settlements with X-Mode and InMarket concern numerous allegations based on the mishandling of consumers’ location data. Both companies supposedly collected precise location data through their own mobile apps and those of third parties (through software development kits). X-Mode is alleged to have sold precise location data (advertised as being 70% accurate within 20 meters or less) linked to timestamps and unique persistent identifiers (i.e., names, email addresses, etc.) of its consumers to private government contractors without obtaining proper consent. Plotting this data on a map makes it easy to reveal each person’s movements over time.
InMarket purportedly utilized location data to cross-reference such data with points of interest to sort consumers into particularized audience segments for targeted advertising purposes without adequately informing consumers – examples of audience segments include parents of preschoolers, Christian church attendees, and “wealthy and not healthy,” among other groupings.
Avast Settlement: Avast, a security software company, allegedly sold granular and re-identifiable browsing information of its consumers despite assuring consumers it would protect their privacy. Avast allegedly collected extensive browsing data of its consumers through its antivirus software and browser extensions while assuring its consumers that their browsing data would only be used in aggregated and anonymous form. The data collected by Avast revealed visits to various websites that could be attributed to particular people and allowed for inferences to be drawn about such individuals – examples include academic papers on symptoms of breast cancer, education courses on tax exemptions, government jobs in Fort Meade, Maryland with a salary over $100,000, links to FAFSA applications and directions from one location to another, among others.
Sensitivity of Browsing and Location Data
It is important to note that none of the underlying datasets in question contained traditional types of personally identifiable information (e.g., name, identification numbers, physical descriptions, etc.) (“PII”). Even still, the three proposed settlements by the FTC underscore the sensitive nature of browsing and location data due to the insights such data reveals, such as religious beliefs, health conditions, and financial status, and the ease with which the insights can be linked to certain individuals.
In the digital age, the amount of data available about individuals online and collected by various companies makes the re-identification of individuals easier every day. Even when traditional PII is not included in a data set, by linking sufficient data points, a profile or understanding of an individual can be created. When such profile is then linked to an identifier (such as username, phone number, or email address provided when downloading an app or setting up an account on an app) and cross-referenced with various publicly available data, such as name, email, phone number or content on social media sites, it can allow for deep insights into an individual. Despite the absence of traditional types of PII, such data poses significant privacy risks due to the potential for re-identification and the intimate details about individuals’ lives that it can divulge.
The FTC emphasizes the imperative for companies to recognize and treat browsing and location data as sensitive information and implement appropriate robust safeguards to protect consumer privacy. This is especially true when the data set includes information with the precision of those cited by the FTC in its proposed settlements.
Accountability and Consent
With browsing and location data, there is also a concern that the consumer may not be fully aware of how their data is used. For instance, Avast claimed to protect consumers’ browsing data and then sold that very same browsing information, often without notice to consumers. When Avast did inform customers of their practices, the FTC claims it deceptively stated any sharing would be “anonymous and aggregated.” Similarly, X-Mode claimed it would use location data for ad-personalization and location-based analytics. Consumers were unaware such location data was also sold to government contractors.
The FTC has recognized that a company may need to process an individual’s information to provide them with services or products requested by the individual. The FTC also holds that such processing does not mean the company is then free to collect, access, use, or transfer that information for other purposes (e.g., marketing, profiling, background screening, etc.). Essentially, purpose matters. As the FTC explains, a flashlight app provider cannot collect, use, store, or share a user’s precise geolocation data, and a tax preparation service cannot use a customer’s information to market other products or services.
If companies want to use consumer personal information for purposes other than providing the requested product or services, the FTC states that companies should inform consumers of such uses and obtain consent to do so.
The FTC aims to hold companies accountable for their data-handling practices and ensure that consumers are provided with meaningful consent mechanisms. Companies should handle consumer data only for the purposes for which data was collected and honor their privacy promises to consumers. The proposed settlements emphasize the importance of transparency, accountability, meaningful consent, and the prioritization of consumer privacy in companies’ data handling practices.
Implementing and Maintaining Safeguards
Data, especially specific data that provide insights and inferences about individuals, is extremely valuable to companies, but it is that same data that exposes such individuals’ privacy. Companies that sell or share information sometimes include limitations for the use of the data, but not all contracts have such restrictions or sufficient restrictions to safeguard individuals’ privacy.
For instance, the FTC alleges that some of Avast’s underlying contracts did not prohibit the re-identification of Avast’s users. Where Avast’s underlying contracts prohibited re-identification, the FTC alleges that purchasers of the data were still able to match Avast users’ browsing data with information from other sources if the information was not “personally identifiable.” Avast also failed to audit or confirm that purchasers of data complied with its prohibitions.
The proposed complaint against X-Mode recognized that at least twice, X-Mode sold location data to purchasers who violated restrictions in X-Mode’s contracts by reselling the data they bought from X-Mode to companies further downstream. The X-Mode example shows that even when restrictions are included in contracts, they may not prevent misuse by subsequent downstream parties.
Ongoing Commitment to Privacy Protection:
The FTC stresses the importance of obtaining informed consent before collecting or disclosing consumers’ sensitive data, as such data can violate consumer privacy and expose them to various harms, including stigma and discrimination. While privacy notices, consent, and contractual restrictions are important, the FTC emphasizes they need to be backed up by action. Accordingly, the FTC’s proposed orders require companies to design, implement, maintain, and document safeguards to protect the personal information they handle, especially when it is sensitive in nature.
What Does a Company Need To Do?
Given the recent enforcement actions by the FTC, companies should:
Consider the data they collect and whether such data is needed to provide the services and products requested by the consumer and/or a legitimate business need in support of providing such services and products (e.g., billing, ongoing technical support, shipping);
Consider browsing and location data as sensitive personal information;
Accurately inform consumers of the types of personal information collected by the company, its uses, and parties to whom it discloses the personal information;
Collect, store, use, or share consumers’ sensitive personal information (including browser and location data) only with such consumers’ informed consent;
Limit the use of consumers’ personal information solely to the purposes for which it was collected and not market, sell, or monetize consumers’ personal information beyond such purpose;
Design, implement, maintain, document, and adhere to safeguards that actually maintain consumers’ privacy; and
Audit and inspect service providers and third-party companies downstream with whom consumers’ data is shared to confirm they are (a) adhering to and complying with contractual restrictions and (b) implementing appropriate safeguards to protect such consumer data.
Over the many years of litigation, the lawsuit consolidated several class action filings from New York, Florida, and California into a single, multi-district litigation with several different lead plaintiffs. All plaintiffs alleged that “All Natural” claims for 39 KIND granola bars and other snacks were deceptive. Id. at 3. Plaintiff had alleged that the following ingredients rendered the KIND bars not natural: soy lecithin, soy protein isolate, citrus pectin, glucose syrup/“non-GMO” glucose, vegetable glycerine, palm kernel oil, canola oil, ascorbic acid, vitamin A acetate, d-alpha tocopheryl acetate/vitamin E, and annatto.
The Second Circuit found that, in such cases, the relevant state laws followed a “reasonable consumer standard” of deception. Id. at 10. Further, according to the Second Circuit, the “Ninth Circuit has helpfully explained” that the reasonable consumer standard requires “‘more than a mere possibility that the label might conceivably be misunderstood by some few consumers viewing it in an unreasonable manner.’” Id. (quoting McGinity v. Procter & Gamble Co., 69 F.4th 1093, 1097 (9th Cir. 2023)). Rather, there must be “‘a probability that a significant portion of the general consuming public or of targeted consumers, acting reasonably in the circumstances, could be misled.’” Id. To defeat summary judgment, the plaintiffs would need to present admissible evidence showing how “All Natural” tends to mislead under this standard.
The Second Circuit agreed with the lower court that plaintiffs’ deposition testimony failed to provide such evidence where it failed to “establish an objective definition” representing reasonable consumer understanding of “All Natural.” Id. at 28. While one plaintiff believed the claim meant “not synthetic,” another thought it meant “made from whole grains, nuts, and fruit,” while yet another believed it meant “literally plucked from the ground.” Id. The court observed that plaintiffs “fail[ed] to explain how a trier of fact could apply these shifting definitions.” Id. The court next rejected as useful evidence a dictionary definition of “natural,” which stated, “existing or caused by nature; not made or caused by humankind.” Id. at 29. The court reasoned that the dictionary definition was “not useful when applied to a mass-produced snack bar wrapped in plastic” – something “clearly made by humans.” Id.
The court, finally, upheld the lower court’s decision to exclude two other pieces of evidence the plaintiffs offered. First, the Second Circuit agreed that a consumer survey was subject to exclusion where leading questions biased the results. Id. at 21-22. The Second Circuit also agreed that an expert report by a chemist lacked relevance where it assessed “typical” sourcing of ingredients, not necessarily how KIND’s ingredients were manufactured or sourced. Id. at 22-24.
But for firms trying to achieve CRM success, the “beaten path” involves investing tens of thousands of dollars into the latest and greatest technology and hiring internal Data Stewards to maintain the data flowing into the system. This can take up a significant number of firm resources and there is no guarantee that CRM Success will be achieved.
Let’s face it, the traditional approach to CRM and Data Quality Success often leads to more headaches and challenges than it does to success. Without the right experience and expertise, leading a CRM implementation project or a data quality clean-up can be disastrous.
Hundreds of thousands of records flow in from departmental databases which need to be analyzed and categorized properly. Meetings need to be held with firm leadership to understand their expectations for the system, and meetings need to be coordinated with vendors to set up demonstrations along with Requests For Proposals (RFPs).
To add more fuel to the fire, meetings also need to be held with end users to understand their needs and requirements so system selection can be catered to them. In the end, firms are left with high training and implementation costs; limited staffing pools due to required expertise; and increased employee burnout due to the overwhelming nature of the work.
The Path Less Traveled: Outsourcing
Many forward-thinking firms have taken the path less traveled to CRM success and have outsourced many of their core marketing technology positions and data quality work to trusted service providers. Outsourced Marketing Technology Managers and Data Stewards can provide all the benefits of retaining these positions in-house at a cost-efficient price all while reducing managerial headaches.
The route less traveled gives you access to a pool of highly skilled professionals without the additional costs associated with hiring internally. Many outsourced Marketing Technology Managers and Data Stewards have years of industry experience working with the nation’s top firms tackling complex data quality issues and guiding implementations ensuring they are implemented and integrated effectively.
To achieve CRM and data quality success, sometimes the beaten path won’t get you there. Here are three ways taking the path less traveled can help you achieve CRM and data quality success:
1. Cost Savings
Utilizing outsourced service providers for marketing technology or data quality roles can help firms save a significant amount of money. For firms with around 250 professionals, hiring an internal CRM Manager and Data Steward can cost firms around $116,640.
For firms that have limited resources and budgets, outsourcing providers offer various pricing models for their services, from contracting their workers on an as-needed basis for short-term or long-term projects to paying as you go. This allows firms to allocate more of their investments to higher-priority projects or initiatives. Depending on the rate of the service provider, firms can expect to pay up to 33% less ($77,350) when they outsource their core marketing technology and data quality work.
2. Improved Data Quality
Unlike internal Data Stewards, who have to focus on other tasks or priorities, outsourced data quality professionals can focus on key responsibilities and work more efficiently. These outsourced professionals understand the intricacies of the professional service industry and seamlessly fit into your firm’s day-to-day processes.
Outsourced Data Stewards have the ability and know-how to implement data standardization processes and protocols, minimizing the number of dirty records that may flow into the system. They also have access to industry-leading tools that can streamline and automate data management so your attorneys and professionals can worry less about maintaining their contacts and more about serving their clients.
3. Reduction In Turnover
Traditionally, hiring Data Stewards internally has been a revolving door, where firms would hire a new team member to maintain their data quality, train them, compensate them, motivate them, and then replace them. Because outsourced service providers are not directly involved with the firm’s core services, they assume the role of finding, hiring, training, motivating and managing the data quality professional.
This frees up your marketing and business development teams to focus on growing the firm and nurturing client relationships rather than chasing down contact data from the organization’s professionals. They can help you with a wide range of data-related activities including:
Regularly reviewing new records
Enhancing records with geographical information, financial data, or who-knows-who relationships
Creation and management of segmented and targeted lists for marketing or business development campaigns
To achieve CRM and data quality success, sometimes the beaten path won’t get you there. So, if you are struggling with your marketing technology or data quality, don’t be afraid to explore alternate routes, like outsourcing. It can open your firm up to a pool of highly skilled professionals who have years of experience solving the same issues you may be going through. An outsourced team can provide your firm with significant cost savings, improved data quality, and a reduction in employee turnover and managerial headaches.
These operational efficiencies lead to greater productivity and returns on marketing spend – meaning greater profitability for the firm.
Writing and publishing articles or blog posts can be a powerful branding and business development tool for lawyers. Not only do they demonstrate your expertise in your practice area, but they also significantly enhance your visibility and credibility.
However, your work doesn’t end once the article is published – in fact, it’s just beginning. Here are some tips to maximize the value, reach and impact of your published work.
1. Optimize for Online Search
First and foremost, ensure your article is search engine optimized (SEO). This means incorporating relevant keywords that potential clients might use to find information related to your legal expertise. SEO increases the visibility of your content on search engines like Google, making it easier for your target audience to find you.
2. Share on Social Media
Utilize your personal and professional social media platforms to share your article. LinkedIn, Twitter and even Facebook are excellent venues for reaching other professionals and potential clients. Don’t just share it once; periodically repost it, especially if the topic is evergreen. Engage with comments and discussions to further boost your post’s visibility.
3. Incorporate Into Newsletters
If you or your firm sends out a regular newsletter, include a link to your article. This not only provides added value to your subscribers but also keeps your existing client base engaged with your latest insights and activities. This approach can help reinforce your position as a thought leader in your field. Also, consider launching a LinkedIn newsletter. LinkedIn’s platform offers a unique opportunity to reach a professional audience directly, increasing the potential for networking and attracting new clients who are actively interested in your area of expertise.
4. Speak at Conferences and Seminars
Use your article as a springboard to secure speaking engagements. Conferences, seminars and panel discussions often look for experts who can contribute interesting insights. Your article can serve as proof of your expertise and a teaser of your presentation content, making you an attractive candidate for these events.
5. Create Multimedia Versions
Expand the reach of your article by adapting it into different formats. Consider recording a podcast episode discussing the topic in depth, or creating a short-form video for LinkedIn and YouTube. These formats can attract different segments of your audience and make the content more accessible.
6. Network Through Professional Groups
Share your article in professional groups and online forums in your field, as well as alumni groups (law school, undergrad school and former firms). This can lead to discussions with peers and can even attract referrals. Active participation in these groups, coupled with sharing insightful content, can significantly expand your professional network.
7. Use as a Teaching Resource
Offer to guest lecture at local law schools and use your article as a teaching resource. This not only enhances your reputation as an expert but also builds relationships with the upcoming generation of lawyers who could become colleagues or refer clients in the future.
8. Repurpose Content for Blogs or Articles
Break down the article into smaller blog posts or develop certain points further into new articles. This can help maintain a consistent stream of content on your website, which is good for SEO and keeps your audience engaged over time.
9. Monitor and Engage with Feedback
Keep an eye on comments and feedback from your article across all platforms. Engaging with readers can provide insights into what your audience finds useful, shaping your future writing to better meet their needs. It also helps in building a loyal following.
10. Track Metrics
Utilize analytics tools (web, social media and email) to track how well your article performs in terms of views, shares and engagement. This data can help you understand what works and what doesn’t, guiding your content strategy for future articles.
11. Leverage the Power of Content Repurposing
Content repurposing can significantly extend the life and reach of your original article. By transforming the article into different content formats, such as infographics, webinars, slide decks or even e-books, you cater to various learning styles and preferences, reaching a broader audience. This strategy not only maximizes your content’s exposure but also enhances engagement by presenting the information in new, accessible ways. Repurposing content can help solidify your reputation as a versatile and resourceful expert in your field.
Publishing an article or blog post is just the beginning. By strategically promoting and leveraging your published works, you can enhance your visibility, establish yourself as a thought leader and attract more clients. Every article has the potential to open new doors; it’s up to you to make sure it does!
The FCC sent a cease and desist letter to DigitalIPvoice informing them of the need to investigate suspected traffic. The FCC reminded them that failure to comply with the letter “may result in downstream voice service providers permanently blocking all of DigitalIPvoice’s traffic”.
For background, DigitalIPvoice is a gateway provider, meaning they accept calls directly from foreign originating or intermediate providers. The Industry Traceback Group (ITG) investigated some questionable traffic back in December and identified DigitalIPvoice as the gateway provider for some of the calls. ITG informed DigitalIPvoice and “DigitalIPvoice did not dispute that the calls were illegal.”
This is problematic because as the FCC states “gateway providers that transmit illegal robocall traffic face serious consequences, including blocking by downstream providers of all of the provider’s traffic.”
Emphasis in original. Yes. The FCC sent that in BOLD to DigitalIPvoice. I love aggressive formatting choices.
The FCC then gave DigitalIPvoice steps to take to mitigate the calls in response to this notice. They have to investigate the traffic and then block identified traffic and report back to the FCC and the ITG on the outcome of the investigation.
The whole letter is worth reading but a few points for voice service providers and gateway providers:
You have to know who your customers are and what they are doing on your network. The FCC is requiring voice service providers and gateway providers to include KYC in their robocall mitigation plans.
You have to work with the ITG. You have to have a traceback policy and procedures. All traceback requests have to be treated as a P0 priority.
You have to be able to trace the traffic you are handling. From beginning to end.
The FCC is going after robocalls hard. Protect yourself by understanding what is going to be required of your network.
WEBINAR – Registration Is Open For “Harmonizing TSCA Consent Orders with OSHA HCS 2012”: Register now to join The Acta Group (Acta®) and Bergeson & Campbell, P.C. (B&C®) for “Harmonizing TSCA Consent Orders with OSHA HCS 2012,” a complimentary webinar covering case studies and practical applications of merging the requirements for consent order language on the Safety Data Sheet (SDS). In this webinar, Karin F. Baron, MSPH, Director of Hazard Communication and International Registration Strategy, Acta, will explore two hypothetical examples and provide guidance on practical approaches to compliance. An industry perspective will be presented by Sara Glazier Frojen, Senior Product Steward, Hexion Inc., who will discuss the realities of managing this process day-to-day.
SAVE THE DATE – “TSCA Reform — 8 Years Later” On June 26, 2024: Save the date to join Acta affiliate B&C, the Environmental Law Institute (ELI), and the George Washington University Milken Institute School of Public Health for a day-long conference reflecting on the challenges and accomplishments since the implementation of the 2016 Lautenberg Amendments and where the Toxic Substances Control Act (TSCA) stands today. This year, the conference will be held in person at the George Washington University Milken Institute School of Public Health (and will be livestreamed via YouTube). Continuing legal education (CLE) credit will be offered in select states for in-person attendees only. Please check ELI’s event page in the coming weeks for more information, including an agenda, CLE information, registration, and more. If you have questions in the meantime, please contact Madison Calhoun (calhoun@eli.org).
AUSTRALIA
Changes To Categorization, Reporting, And Recordkeeping Requirements For Industrial Chemicals Will Take Effect April 24, 2024: The Australian Industrial Chemicals Introduction Scheme (AICIS) announced regulatory changes to categorization, reporting, and recordkeeping requirements will start April 24, 2024. For the changes to take effect, the Industrial Chemicals (General) Rules 2019 (Rules) and Industrial Chemicals Categorisation Guidelines will be amended. According to AICIS, key changes to the Rules include:
Written undertakings replaced with records that will make compliance easier;
Greater acceptance of International Nomenclature of Cosmetic Ingredients (INCI) names for reporting and recordkeeping;
Changes to the categorization criteria to benefit:
Local soap makers;
Introducers of chemicals in flavor and fragrance blends; and
Introducers of hazardous chemicals where introduction and use are controlled; and
Strengthening criteria and/or reporting requirements for health and environmental protection.
AICIS announced final changes to the Industrial Chemicals Categorisation Guidelines that will take effect April 24, 2024. According to AICIS, the changes include:
Refinement of the requirement to check for hazardous esters and salts of chemicals on the “List of chemicals with high hazards for categorisation” (the List);
Provision to include highly hazardous chemicals to the List based on an AICIS assessment or evaluation;
Expanded options for introducers to demonstrate the absence of skin irritation and skin sensitization; and
More models for in silico predictions and an added test guideline for ready biodegradability.
AICIS states that it will publish a second update to the Guidelines in September 2024 due to industry stakeholders’ feedback that they need more time to prepare for some of the changes. It will include:
For the List: add chemicals based on current sources and add the European Commission (EC) Endocrine Disruptor List (List I) as a source; and
Refined requirements for introducers to show the absence of specific target organ toxicity after repeated exposure and bioaccumulation potential.
CANADA
Canada Provides Updates On Its Implementation Of The Modernized CEPA: As reported in our June 23, 2023, memorandum, Bill S-5, Strengthening Environmental Protection for a Healthier Canada Act, received Royal Assent on June 13, 2023. Canada is working to implement the bill through initiatives that include the development of various instruments, policies, strategies, regulations, and processes. In April 2024, Canada updated its list of public consultation opportunities:
Discussion document on the implementation framework for a right to a healthy environment under the Canadian Environmental Protection Act, 1999 (CEPA) (winter 2024);
Proposed Watch List approach (spring/summer 2024);
Proposed plan of chemicals management priorities (summer 2024);
Draft strategy to replace, reduce or refine vertebrate animal testing (summer/fall 2024);
Draft implementation framework for a right to a healthy environment under CEPA (summer/fall 2024);
Discussion document for toxic substances of highest risk regulations (winter 2025); and
Discussion document on the restriction and authorization of certain toxic substances regulations (winter/spring 2025).
EUROPEAN UNION (EU)
ECHA Checks More Than 20 Percent Of REACH Registration Dossiers For Compliance: The European Chemicals Agency (ECHA) announced on February 27, 2024, that between 2009 and 2023, it performed compliance checks of approximately 15,000 Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH) registrations, representing 21 percent of full registrations. ECHA states that it met its legal target for dossier evaluation, which increased from five percent to 20 percent in 2019. ECHA notes that for substances registered at quantities of 100 metric tons or more per year, it has checked compliance for around 30 percent of the dossiers.
According to ECHA, in 2023, it conducted 301 compliance checks, covering more than 1,750 registrations and addressing 274 individual substances. ECHA “focused on registration dossiers that may have data gaps and aim to enhance the safety data of these substances.” ECHA sent 251 adopted decisions to companies, “requesting additional data to clarify long-term effects of chemicals on human health or the environment.” ECHA states that during the follow-up evaluation process, it will assess the incoming information for compliance. ECHA will share the outcome of the incoming data with the EU member states and the EC to enable prioritization of substances. ECHA will work closely with the member states for enforcement of non-compliant dossiers. Compliance of registration dossiers will remain a priority for ECHA. In 2024, ECHA will review the impact of the Joint Evaluation Action Plan, aimed at improving REACH registration compliance, and, together with stakeholders, develop new priority areas on which to focus. More information is available in our March 29, 2024, blog item.
Council Of The EU And EP Reach Provisional Agreement On Proposed Regulation On Packaging And Packaging Waste: The Council of the EU announced on March 4, 2024, that its presidency and the European Parliament’s (EP) representatives reached a provisional political agreement on a proposal for a regulation on packaging and packaging waste. The press release states that the proposal considers the full life-cycle of packaging and establishes requirements to ensure that packaging is safe and sustainable by requiring that all packaging is recyclable and that the presence of substances of concern is minimized. It also includes labeling harmonization requirements to improve consumer information. In line with the waste hierarchy, the proposal aims to reduce significantly the generation of packaging waste by setting binding re-use targets, restricting certain types of single-use packaging, and requiring economic operators to minimize the packaging used. The proposal would introduce a restriction on the placing on the market of food contact packaging containing per- and polyfluoroalkyl substances (PFAS) above certain thresholds. The press release notes that to avoid any overlap with other pieces of legislation, the co-legislators tasked the EC to assess the need to amend that restriction within four years of the date of application of the regulation.
EP Adopts Position On Establishing System To Verify And Pre-Approve Environmental Marketing Claims: The EP announced on March 12, 2024, that it adopted its first reading position on establishing a verification and pre-approval system for environmental marketing claims to protect citizens from misleading ads. According to the EP’s press release, the green claims directive would require companies to submit evidence about their environmental marketing claims before advertising products as “biodegradable,” “less polluting,” “water saving,” or having “biobased content.” Micro enterprises would be exempt from the new rules, and small and medium-sized enterprises (SME) would have an extra year to comply compared to larger businesses. The press release notes that the EP also decided that green claims about products containing hazardous substances should remain possible for now, but that the EC “should assess in the near future whether they should be banned entirely.” The new EP will follow up on the file after the European elections that will take place in June 2024.
On April 3, 2024, a coalition of industry associations issued a “Joint statement in reference to ‘the ban of green claims for products containing hazardous substances’ in the Green Claims Substantiation Directive (GCD).” The associations “fully support the principle that consumers should not be misled by false or unsubstantiated environmental claims and share the EU’s objective to establish a clear, robust and credible framework to enable consumers to make an informed choice.” The associations express concern that the proposed prohibition of environmental claims for products containing certain hazardous substances “will run contrary to the objective of the Directive to enable consumers to make sustainable purchase decisions and ensure proper substantiation of claims.” According to the associations, for a number of consumer products, “the reference to ‘products containing’ would encompass substances that would have intrinsic hazardous properties,” implying that there would be a ban of making any environmental claim(s), “even if such trace amounts of unavoidable and unintentional impurities and contaminants are present in these products.” The signatories include the International Association for Soaps, Detergents and Maintenance Products; the European Brands Association; APPLiA; the Association of Manufacturers and Formulators of Enzyme Products; CosmeticsEurope; the European Power Tool Association; the Federation of the European Sporting Goods Industry; the International Fragrance Association; LightingEurope; the International Natural and Organic Cosmetics Association; Toy Industries of Europe; Verband der Elektro- und Digitalindustrie; and the World Federation of Advertisers.
ECHA Clarifies Next Steps For PFAS Restriction Proposal: ECHA issued a press release on March 13, 2024, to outline how the Scientific Committees for Risk Assessment (RAC) and for Socio-Economic Analysis (SEAC) will progress in evaluating the proposal to restrict PFAS in Europe. As reported in our February 13, 2023, memorandum, the national authorities of Denmark, Germany, the Netherlands, Norway, and Sweden submitted a proposal to restrict more than 10,000 PFAS under REACH. The proposal suggests two restriction options — a full ban and a ban with use-specific derogations — to address the identified risks. Following the screening of thousands of comments received during the consultation, ECHA states that it is clarifying the next steps for the proposal. According to ECHA, RAC and SEAC will evaluate the proposed restriction together with the comments from the consultation in batches, focusing on the different sectors that may be affected.
In tandem, the five national authorities who prepared the proposal are updating their initial report to address the consultation comments. This updated report will be assessed by the committees and will serve as the foundation for their opinions. The sectors and elements that will be discussed in the next three committee meetings are:
March 2024 Meetings
Consumer mixtures, cosmetics, and ski wax;
Hazards of PFAS (only by RAC); and
General approach (only by SEAC).
June 2024 Meetings
Metal plating and manufacture of metal products; and
More information is available in our March 18, 2024, blog item.
ECHA Adopts And Publishes CoRAP For 2024-2026: On March 19, 2024, ECHA adopted and published the Community rolling action plan (CoRAP) for 2024-2026. The CoRAP lists 28 substances suspected of posing a risk to human health or the environment for evaluation by 11 Member State Competent Authorities. The CoRAP includes 11 newly allocated substances and 17 substances already included in the previous CoRAP 2023-2025 update, published on March 21, 2023. For 11 out of these 17 substances, ECHA notes that the evaluation year has been postponed, mainly to await submission of new information requested under dossier evaluation. Of the 28 substances to be evaluated, ten are to be evaluated in 2024, 13 in 2025, and five in 2026. The remaining substance of the 24 substances listed in the previous CoRAP was withdrawn as its evaluation is currently considered to be a low priority. According to ECHA, for this substance, a compliance check is needed first. ECHA states that the substance can be placed in the CoRAP list again, if after the conclusion of the dossier evaluation process, concerns remain beyond what can be clarified through dossier evaluation. ECHA has posted a guide for registrants that need to update their dossiers with new relevant information such as hazard, tonnages, use, and exposure.
Comments On Proposals To Identify New SVHCs Due April 15, 2024: A public consultation on proposals to identify two new substances of very high concern (SVHC) will close on April 15, 2024. The substances and examples of their uses are:
Bis(α,α-dimethylbenzyl) peroxide: This substance is used in products such as pH-regulators, flocculants, precipitants, and neutralization agents; and
Triphenyl phosphate: This substance is used as a flame retardant and plasticizer in polymer formulations, adhesives, and sealants.
UNITED KINGDOM (UK)
HSE Publishes UK REACH Work Programme For 2023/24: In February 2024, the Health and Safety Executive (HSE) published its UK REACH Work Programme 2023/24. The Work Programme sets out how HSE, with the support of the Environment Agency, will deliver its regulatory activities to meet the objectives and timescales set out in UK REACH. Alongside these activities, HSE and the Environment Agency will engage with stakeholders. The Work Programme includes the following deliverables and target deadlines:
| Topic | Deliverable | Target |
| --- | --- | --- |
| Substance evaluation | Evaluate substances in the Rolling Action Plan (RAP) | Evaluate one |
| Authorization | Complete the processing of received applications within the statutory deadline (this includes comments from public consultation and REACH Independent Scientific Expert Pool (RISEP) input) | 100 percent |
| SVHC identification | Undertake an initial assessment of substances submitted for SVHC identification under EU REACH during 2022/23 and consider if they are appropriate for SVHC identification under UK REACH | Assess up to five |
| Regulatory management options analysis (RMOA) | Complete RMOAs initiated in 22/23 | Up to ten |
| Regulatory management options analysis (RMOA) | Initiate RMOAs for substances identified as priorities | Up to five |
| Restriction | Complete ongoing restriction opinions | Two |
| Restriction | Begin Annex 15 restriction dossiers | One |
| Restriction | Initiate scoping work for restrictions | Two |
HSE Opens Call For Evidence On PFAS In FFFs: HSE is working with the Environment Agency to prepare a restriction dossier that will assess the risks of PFAS in firefighting foams (FFF). HSE will propose restrictions, if necessary, to manage any significant risks identified. To help compile the dossier, HSE opened a call for evidence. HSE states that it would like stakeholders to identify themselves as willing to engage in further dialogue throughout the restrictions process. In particular, it would like to hear from stakeholders with relevant information on PFAS (or alternatives) in FFFs, especially information specific to Great Britain (GB). Regarding relevant information, HSE is interested in all aspects of FFFs, including:
Manufacture of FFFs: Substances used, process, quantities;
Import of FFF products of all types: Quantities, suppliers;
Use: Quantities, sector of use, frequency, storage on site, products used;
Alternatives to PFAS in FFF: Availability, cost, performance in comparison to PFAS-containing foams, barriers to switching;
Hazardous properties: SDSs, new studies on intrinsic properties and exposure, recommended risk management measures;
Environmental fate: What happens to the FFF after it is used, where does it go;
Waste: Disposal requirements, recycling opportunities, remediation; and
Standards: Including product-specific legislation, performance, certification.
HSE states that the call for evidence targets companies (manufacturers, importers, distributors, and retailers) and professional users of FFFs, trade associations, environmental organizations, consumer organizations, and any other organizations and members of the public holding relevant information. HSE intends to publish the final dossier, including any restriction proposals, on its website in March 2025. Interested parties will also then be able to submit comments on any proposed restriction.
New GB BPR Data Requirements Will Apply To Applications Submitted In October 2025: The Biocidal Products (Health and Safety) (Amendment and Transitional Provision etc.) Regulations 2024, which update the data requirements in Annexes II and III of the GB Biocidal Products Regulation (BPR), were laid in Parliament on March 13, 2024, and came into force on April 6, 2024. The legislation updates some of the data requirements to reflect developments in science and technology. These include the use of alternative testing approaches to determine some hazardous properties that previously relied on animal testing. HSE held a public consultation on the proposed changes in 2023 and has posted a report on the outcome of the consultation. The new data requirements will apply to applications received 18 months after the legislation came into force (October 6, 2025) and do not apply to existing applications. HSE will provide further guidance on the changes in the future.
The National Institute of Mental Health reported that 16.32% of youth (aged 12-17) in the District of Columbia (DC) experience at least one major depressive episode (MDE).
Although the prevalence of youth with MDE in DC is lower compared to some states, such as Oregon (where it reached 21.13%), it is important to address mental health challenges in youth early, as untreated mental health challenges can persist into adulthood. Further, the number of youths with MDE climbs nationally each year, including last year when it rose by almost 2% to approximately 300,000 youth.
It is important to note that there are programs specifically designed to help and treat youth that have experienced trauma and are living with mental health challenges. In DC, several mental health services and professional counseling services are available to residents. Most importantly, there is a broad-reaching school-based mental health program that aims to provide a behavioral health expert in every school building. Additionally, on the DC government’s website, there is a list of mental health services programs available, which can be found here.
In conjunction with the mental health programs, early identification of students at risk for suicide, self-harm, and behavioral issues can help states, including DC, ensure access to mental health care and support for these young individuals. In response to the widespread youth mental health crisis, K-12 schools are employing the use of artificial intelligence (AI)-based tools to identify students at risk for suicide and self-harm. Through AI-based suicide risk monitoring, natural language processing, sentiment analysis, predictive models, early intervention, and surveillance and evaluation, AI is playing a crucial role in addressing the mental challenges faced by youth.
AI systems, developed by companies like Bark, Gaggle, and GoGuardian, aim to monitor students’ digital footprint through various data inputs, such as online interactions and behavioral patterns, for signs of distress or risk. These programs identify students who may be at risk for self-harm or suicide and alert the school and parents accordingly.
Proposals are being introduced to use AI models to enhance mental health surveillance in school settings by implementing chat boxes that interact with students. The chat box conversation logs serve as the source of raw data for the machine learning models. According to “Using AI for Mental Health Analysis and Prediction in School Surveys,” existing survey results evaluated by health experts can be used to create a test dataset to validate the machine learning models. Supervised learning can then be deployed to classify specific behaviors and mental health patterns. However, there are concerns about how these programs work and what safeguards the companies have in place to protect youths’ data from being sold to other platforms. Additionally, there are concerns about whether these companies are complying with relevant laws (e.g., the Family Educational Rights and Privacy Act [FERPA]).
The University of Michigan identified AI technologies, such as natural language processing (NLP) and sentiment analysis, that can analyze user interactions, such as posts and comments, to identify signs of distress, anxiety, or depression. For example, Breathhh is an AI-powered Chrome extension designed to automatically deliver mental health exercises based on an individual’s web activity and online behaviors. By monitoring and analyzing the user’s interactions, the application can determine appropriate moments to present stress-relieving practices and strategies. Applications like Breathhh are just one example of personalized interventions designed by monitoring user interaction.
When using AI to address mental health concerns among K-12 students, policy implications must be carefully considered.
First, developers must obtain informed consent from students, parents, guardians, and all stakeholders before deploying such AI models. The use of AI models is always a topic of concern for policymakers because of the privacy concerns that come with it. To safely deploy AI models, there need to be privacy protection policies in place to safeguard sensitive information from being improperly used. There is no comprehensive legislation that addresses those concerns either nationally or locally.
Second, developers also need to consider and factor in any bias ingrained in their algorithm through data testing and regular monitoring of data output before it reaches the user. AI has the ability to detect early signs of mental health challenges. However, without such proper safeguards in place, we risk failing to protect students from being disproportionately impacted. When collected data reflects biases, it can lead to unfair treatment of certain groups. For youth, this can result in feelings of marginalization and adversely affect their mental health.
Effective policy considerations should encourage the use of AI models that will provide interpretable results, and policymakers need to understand how these decisions are made. Policies should outline how schools will respond to alerts generated by the system. A standard of care needs to be universally recognized, whether it be through policy or the companies’ internal safeguards. This standard of care should outline guidelines that address situations in which AI data output conflicts with human judgment.
Responsible AI implementation can enhance student well-being, but it requires careful evaluation to ensure students’ data is protected from potential harm. Moving forward, school leaders, policymakers, and technology developers need to consider the benefits and risks of AI-based mental health monitoring programs. Balancing the intended benefits while mitigating potential harms is crucial for student well-being.
The cyberthreat landscape is evolving as threat actors develop new tactics to keep up with increasingly sophisticated corporate IT environments. In particular, threat actors are increasingly exploiting supply chain vulnerabilities to reach downstream targets.
The effects of supply chain cyberattacks are far-reaching, and can affect downstream organizations. The effects can also last long after the attack was first deployed. According to an Identity Theft Resource Center report, “more than 10 million people were impacted by supply chain attacks targeting 1,743 entities that had access to multiple organizations’ data” in 2022. Based upon an IBM analysis, the cost of a data breach averaged $4.45 million in 2023.
What is a supply chain cyberattack?
Supply chain cyberattacks are a type of cyberattack in which a threat actor targets a business offering third-party services to other companies. The threat actor will then leverage its access to the target to reach and cause damage to the business’s customers. Supply chain cyberattacks may be perpetrated in different ways.
Software-Enabled Attack: This occurs when a threat actor uses an existing software vulnerability to compromise the systems and data of organizations running the software containing the vulnerability. For example, Apache Log4j is an open-source logging library that developers use in software to maintain records of system activity. In November 2021, there were public reports of a Log4j remote code execution vulnerability that allowed threat actors to infiltrate target software running on outdated Log4j code versions. As a result, threat actors gained access to the systems, networks, and data of many organizations in the public and private sectors that used software containing the vulnerable Log4j version. Although security upgrades (i.e., patches) have since been issued to address the Log4j vulnerability, many software products and apps are still running with outdated (i.e., unpatched) versions of Log4j.
Software Supply Chain Attack: This is the most common type of supply chain cyberattack, and occurs when a threat actor infiltrates and compromises software with malicious code either before the software is provided to consumers or by deploying malicious software updates masquerading as legitimate patches. All users of the compromised software are affected by this type of attack. For example, Blackbaud, Inc., a software company providing cloud hosting services to for-profit and non-profit entities across multiple industries, was ground zero for a software supply chain cyberattack after a threat actor deployed ransomware in its systems that had downstream effects on Blackbaud’s customers, including 45,000 companies. Similarly, in May 2023, Progress Software’s MOVEit file-transfer tool was targeted with a ransomware attack, which allowed threat actors to steal data from customers that used the MOVEit app, including government agencies and businesses worldwide.
Legal and Regulatory Risks
Cyberattacks can often expose personal data to unauthorized access and acquisition by a threat actor. When this occurs, companies’ notification obligations under the data breach laws of jurisdictions in which affected individuals reside are triggered. In general, data breach laws require affected companies to submit notice of the incident to affected individuals and, depending on the facts of the incident and the number of such individuals, also to regulators, the media, and consumer reporting agencies. Companies may also have an obligation to notify their customers, vendors, and other business partners based on their contracts with these parties. These reporting requirements increase the likelihood of follow-up inquiries, and in some cases, investigations by regulators. Reporting a data breach also increases a company’s risk of being targeted with private lawsuits, including class actions and lawsuits initiated by business customers, in which plaintiffs may seek different types of relief including injunctive relief, monetary damages, and civil penalties.
The legal and regulatory risks in the aftermath of a cyberattack can persist long after a company has addressed the immediate issues that caused the incident initially. For example, in the aftermath of the cyberattack, Blackbaud was investigated by multiple government authorities and targeted with private lawsuits. While the private suits remain ongoing, Blackbaud settled with state regulators ($49,500,000), the U.S. Federal Trade Commission, and the U.S. Securities and Exchange Commission (SEC) ($3,000,000) in 2023 and 2024, almost four years after it first experienced the cyberattack. Other companies that experienced high-profile cyberattacks have also been targeted with securities class action lawsuits by shareholders, and in at least one instance, regulators have named a company’s Chief Information Security Officer in an enforcement action, underscoring the professional risks cyberattacks pose to corporate security leaders.
What Steps Can Companies Take to Mitigate Risk?
First, threat actors will continue to refine their tactics and techniques. Thus, all organizations must adapt and stay current with all regulations and legislation surrounding cybersecurity. The Cybersecurity and Infrastructure Security Agency (CISA) urges developer education for creating secure code and verifying third-party components.
Second, stay proactive. Organizations must re-examine not only their own security practices but also those of their vendors and third-party suppliers. If third and fourth parties have access to an organization’s data, it is imperative to ensure that those parties have good data protection practices.
Third, companies should adopt guidelines for suppliers around data and cybersecurity at the outset of a relationship, since it may be difficult to get suppliers to adhere to policies after the contract has been signed. For example, some entities have detailed processes requiring suppliers to notify them of attacks and conduct impact assessments after the fact. In addition, some entities expect suppliers to follow specific sequences of steps after a cyberattack. At the same time, some entities may also apply the same threat intelligence that they use for their own defense to their critical suppliers, and may require suppliers to implement proactive security controls, such as incident response plans, ahead of an attack.
Finally, all companies should strive to minimize threats to their software supply chain by establishing strong security strategies at the ground level.