FTC Issues Report to Congress Highlighting Collaboration with State Attorneys General

On April 10, 2024, the Federal Trade Commission issued a report to Congress on the agency’s collaboration with state attorneys general highlighting current cooperative law enforcement efforts, best practices to ensure continued collaboration and legislative recommendations to enhance such efforts.

The report, directed by the FTC Collaboration Act of 2021, “Working Together to Protect Consumers: A Study and Recommendations on FTC Collaboration with the State Attorneys General” makes legislative recommendations that would enhance these efforts, including reinstating the Commission’s authority to seek money for defrauded consumers and providing it with the independent authority to seek civil penalties.

“Today’s consumer protection challenges require an all-hands-on-deck response, and our report details how the FTC is working closely with state enforcers to share information, stop fraud, and ensure fairness in the marketplace,” said FTC attorney Samuel Levine, Director of the Bureau of Consumer Protection. “We look forward to seeking new opportunities to strengthen these ties and confront the challenges of the future.”

In June 2023, the Commission announced a request for public information (RFI) seeking public comments and suggestions on ways it can work more effectively with state AGs to help educate consumers about, and protect them from, potential fraud. After reviewing and analyzing the comments received, the agency developed the report to Congress issued today. The report is divided into three sections: 1) The FTC’s Existing Collaborative Efforts with State Attorneys General to Prevent, Publicize, and Penalize Frauds and Scams; 2) Recommended Best Practices to Enhance Collaboration; and 3) Legislative Recommendations to Enhance Collaboration Efforts.

The first section lays out the roles and responsibilities of the FTC and state AGs in protecting consumers from frauds and scams, provides an overview of their respective law enforcement authority, and discusses how federal and state enforcers share their information and expertise to facilitate effective communication and cooperation. It also provides a breakdown of the FTC’s structure and a description of the Consumer Sentinel consumer complaint database, the largest such information-sharing network in the United States.

The second section details best practices used to enhance strong information-sharing between the FTC and its state law enforcement partners, discusses how the Commission coordinates joint and parallel enforcement actions with state AGs and other state consumer protection agencies, and presents ideas on expanding the sharing of expertise and technical resources between agencies.

Finally, the third section stresses the legislative need to restore the FTC’s Section 13(b) authority to seek equitable monetary refunds for injured consumers, presents ways to enhance collaboration and conserve resources by providing the FTC with the independent authority to seek civil penalties, and describes the agency’s need for clear authority to pursue legal actions against those who assist and facilitate unfair or deceptive acts or practices.

The Commission vote approving the report to Congress was 3-0-2, with Commissioners Melissa Holyoak and Andrew N. Ferguson not participating. Chair Lina M. Khan issued a separate statement, in which she was joined by Commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya. Commissioner Slaughter also issued a separate statement.

California PFAS Ban in Products: 6th Largest Global Economy Enters the Fray

We reported extensively on the landmark legislation passed in Maine in 2021 and Minnesota in 2023, which were at the time the most far-reaching PFAS bans in the United States. Other states, including Massachusetts and Rhode Island, have subsequently introduced legislation similar to Maine and Minnesota’s regulations. While we have long predicted that the so-called “all PFAS / all products” legislative bans will become the trend at the state levels, it is significant to note that California, the world’s sixth largest economy, recently introduced a similar proposed PFAS ban for consumer products.

The California proposed legislation, coupled with the existing legislation passed or on the table, will have enormous impacts on companies doing business in or with the state of California, as well as on likely future consumer goods personal injury lawsuits. The California PFAS ban must therefore not be overlooked in companies’ compliance and product development departments.

California PFAS Ban

California’s SB 903 in its current form would prohibit for sale (or offering for sale) any products that contain intentionally added PFAS. A “product” is defined as “an item manufactured, assembled, packaged, or otherwise prepared for sale in California, including, but not limited to, its components, sold or distributed for personal, residential, commercial, or industrial use, including for use in making other products.” It further defines “component” as “an identifiable ingredient, part, or piece of a product, regardless of whether the manufacturer of the product is the manufacturer of the component.”

While the effective date of SB 903’s prohibition would be January 1, 2030, the bill gives the California Department of Toxic Substances Control (“DTSC”) the authority to prohibit intentionally added PFAS in a product before the 2030 effective date. It also allows DTSC to categorize PFAS in a product as an “unavoidable use”, thereby effectively creating an exemption to the bill’s ban, although California’s exemption would be limited to five years in duration. Similar carve outs were also included in the Maine and Minnesota bans. In each instance, certain information must be provided to the state to obtain an “unavoidable use” exemption. In California, an “unavoidable use” exemption would only be granted if:

  1. There are no safer alternatives to PFAS that are reasonably available.
  2. The function provided by PFAS in the product is necessary for the product to work.
  3. The use of PFAS in the product is critical for health, safety, or the functioning of society.

If a company sells a product containing PFAS in the state of California in violation of the proposed law, companies would be assessed a $1,000 per day penalty for each violation, a maximum of $2,500 per day for repeat offenders, and face possible Court-ordered prohibition of sales for violating products.

Implications To Businesses From The Minnesota PFAS Legislation

First and foremost of concern to companies is the compliance aspect of the California law. The state continues to modify and refine key definitions of the regulation, resulting in companies needing to consider the wording implications on their reporting requirements. In addition, some companies find themselves encountering supply chain disclosure issues that will impact reporting to the state of California, which raises the concern of accuracy of reporting by companies. Companies and industries are also very concerned that the information that is being gathered will provide a legacy repository of valuable information for plaintiffs’ attorneys who file future products liability lawsuits for personal injury, not only in the state of California, but in any state in which the same products were sold.

It is of the utmost importance for businesses along the whole supply chain to evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate these compounds. One major point of contention among members of various industries is whether to regulate PFAS as a class or as individual compounds. While each PFAS compound has a unique chemical makeup and impacts the environment and the human body in different ways, some groups argue PFAS should be regulated together as a class because they interact with each other in the body, thereby resulting in a collective impact. Other groups argue that the individual compounds are too diverse and that regulating them as a class would be over restrictive for some chemicals and not restrictive enough for others.

Companies should remain informed so they do not get caught off guard. Regulators at both the state and federal level are setting drinking water standards and notice requirements of varying stringency, and states are increasingly passing PFAS product bills that differ in scope. For any manufacturers, especially those who sell goods interstate, it is important to understand how those various standards will impact them, whether PFAS is regulated as individual compounds or as a class. Conducting regular self-audits for possible exposure to PFAS risk and potential regulatory violations can result in long term savings for companies and should be commonplace in their own risk assessment.

FDA Takes Steps to Ensure Safety of Cinnamon Products Sold in the US

  • On March 6, 2024, the U.S. Food and Drug Administration (FDA) sent a letter to all cinnamon manufacturers, processors, distributors, and facility operators in the US, reminding them of the requirement to implement controls to prevent contamination from potential chemical hazards in food, including ground cinnamon products. The Agency also recommended the voluntary recall of certain ground cinnamon products sold by a number of brands at six different retail chains that were found to contain levels of lead.
  • This letter follows the recent incidents associated with certain cinnamon apple sauce pouches that resulted in lead poisoning in young children. As we have previously blogged, FDA’s investigation into the contaminated apple sauce pouches traced the contamination back to a manufacturer and cinnamon supplier in Ecuador.
  • FDA notified the distributors and manufacturers of products found to contain elevated levels of lead and recommended that the manufacturers voluntarily recall these products because prolonged exposure to them may be unsafe. The products were identified during an FDA-initiated sampling and testing effort to assess cinnamon sold across numerous retail stores. No illnesses or adverse events have been reported to date related to the ground cinnamon products listed in this news release, but the FDA is concerned that, because of the elevated lead levels in these products, continued and prolonged use of the products may be unsafe.
  • Since the issuance of the letter, recipient companies El Chilar and Raja Foods, as well as Stonewall Kitchen and Colonna, have issued voluntary recalls for some of their cinnamon products.
  • FDA continues to work with the Centers for Disease Control and Prevention (CDC), as well as state and local partners, to investigate elevated lead and chromium levels in individuals with reported exposure to apple cinnamon fruit puree pouches.

Navigating Hemp THC Beverages

Nonalcoholic beverages infused with delta-9 tetrahydrocannabinol (THC) derived from hemp (aka intoxicating hemp beverages) are becoming increasingly popular for consumers looking for an alternative to alcohol.

With major alcohol retailers like Total Wine entering the cannabis space, alcohol beverage producers may be looking for opportunities to leverage their existing experience in manufacturing, marketing and distributing alcohol beverages towards the emerging intoxicating hemp beverage market. While intoxicating hemp beverages are arguably legal pursuant to the Agriculture Improvement Act of 2018 (2018 Farm Bill), risks remain under federal and state food and drug laws. Accordingly, beverage producers looking to enter this emerging market should become familiar with the ambiguities involved.

Federal Treatment of Intoxicating Hemp Beverages

The 2018 Farm Bill removed hemp, defined as cannabis (Cannabis sativa L.) and derivatives of cannabis with extremely low concentrations of delta-9 THC (specifically, no more than 0.3 percent THC on a dry weight basis), from the definition of “marijuana” in the Controlled Substances Act. The federal government defines hemp as “the plant Cannabis sativa L. and any part of that plant, including the seeds thereof and all derivatives, extracts, cannabinoids, isomers, acids, salts, and salts of isomers, whether growing or not, with a delta-9 tetrahydrocannabinol concentration of not more than 0.3 percent on a dry weight basis.” Accordingly, products that meet the definition of “hemp” may be marketed and sold in the United States and are no longer classified under federal law as illegal drugs.

How Is Hemp Regulated?

Under the 2018 Farm Bill, the US Department of Agriculture (USDA) has been assigned to regulate hemp production.

However, any hemp-derived foods, including beverages, are subject to regulation by the US Food & Drug Administration (FDA) under the Food, Drug, and Cosmetics Act (FDCA). While the FDA has largely avoided enforcement actions against such products, focusing most of its efforts on products making unsubstantiated medical and therapeutic claims, it has clearly concluded that it is a prohibited act under federal law to introduce any food in the market to which THC or cannabidiol (CBD) has been added. Therefore, the risk of federal enforcement remains until the agency changes its stance towards THC as a beverage additive.

State Regulation

While the federal government has been inactive in this space, the legal status of intoxicating hemp beverage products varies significantly by state. On the one hand, several states, including Minnesota, have expressly legalized the inclusion of hemp-derived cannabinoids in beverage products, with clear regulations regarding testing, labeling, advertising and more. On the other hand, some states have legalized hemp beverage products but lack a robust regulatory framework – leading to a mostly unregulated, laissez-faire market.

Further, many states fall into a grey area when it comes to the legality of such products. Some of these states have legalized hemp along the lines of the 2018 Farm Bill but have not officially opined on whether it can be added to beverage products, while others do not mention hemp products at all. A subset of states has expressly legalized hemp in beverages, as long as it complies with federal guidance, which currently does not affirmatively allow hemp to be used as a beverage additive.

One of the most extreme measures taken by state officials to ban hemp from beverage products is currently underway in South Carolina. The state’s Department of Health and Environmental Control (DHEC) recently issued a letter to the hemp industry warning that certain hemp products are not approved to be added to beverage products, including delta-9 THC.

In its letter, the DHEC also ruled that labels and packaging may not contain references to “THC,” “CBD” or “delta-9” products, or isolates, as this implies the product is no longer a food item but is a drug and is unlawful.

This new guidance is far from outlawing cannabinoids in beverages, but it affects a growing industry that has already been promoting intoxicating hemp beverages in the state. Indeed, some beverage manufacturers in South Carolina have been forced to halt production, citing confusion over the new labeling and packaging requirements. This demonstrates how the legal landscape around intoxicating hemp beverages can change rapidly.

Finally, it is important to note that even states that expressly allow and regulate THC-infused beverage products fall into a grey area when we consider the current state of federal regulations. Until Congress acts or the FDA changes its stance towards THC as a beverage additive, we will continue seeing a patchwork of different approaches.

 

OECD Tour de Table Includes Information on U.S. Developments on the Safety of Manufactured Nanomaterials

The Organization for Economic Cooperation and Development (OECD) has published the latest edition of the Developments in Delegations on the Safety of Manufactured Nanomaterials and Advanced Materials — Tour de Table. The Tour de Table compiles information provided by delegations on the occasion of the 23rd meeting of the OECD Working Party on Manufactured Nanomaterials (WPMN) in June 2023. The Tour de Table lists U.S. developments on the human health and environmental safety of nanomaterials. Risk assessment decisions, including the type of nanomaterials assessed, testing recommended, and outcomes of the assessment include:

  • The U.S. Environmental Protection Agency (EPA) completed review of four low volume exemptions (LVE) that included a graphene material, a titanium dioxide material, and two graphene oxide materials, one of which was a modification to an existing exemption. EPA denied two of the LVEs and granted two under conditions that limited human and environmental exposures to prevent unreasonable risks.
  • According to the Tour de Table, EPA has under review 17 premanufacture notices (PMN), 16 of which are for multi-walled carbon nanotube chemical substances and one of which is for a graphene material. The Tour de Table states that EPA is still reviewing these 17 chemical substances for potential risks to human health and the environment. EPA completed its review of one significant new use notice (SNUN) for a single-walled carbon nanotube, regulating it with a consent order due to limited available data on nanomaterials. The consent order limits uses and human and environmental exposures to prevent unreasonable risks.

The Tour de Table includes the following information regarding risk management approaches in the United States:

  • Between June 2022 and June 2023, EPA received notification of two nanoscale substances based on metal oxides that met reporting criteria pursuant to its authority under the Toxic Substances Control Act (TSCA) Section 8(a), bringing the total number of notifications to 87. Reporting criteria exempted nanoscale chemical substances already reported as new chemicals under TSCA and those nanoscale chemical substances that did not have unique or novel properties. According to the Tour de Table, most reporting was for metals or metal oxides.
  • Since January 2005, EPA has received and reviewed more than 275 new chemical notices for nanoscale materials under TSCA, including fullerenes and carbon nano-onions, quantum dots, semiconducting nanoparticles, and carbon nanotubes. EPA has issued consent orders and significant new use rules (SNUR) permitting manufacture under limited conditions. A manufacturer or processor wishing to engage in a designated significant new use identified in a SNUR must submit a SNUN to EPA at least 90 days before engaging in the new use. The Tour de Table notes that because of confidential business information (CBI) claims by submitters, EPA may not be allowed to reveal to the public the chemical substance as a nanoscale material in every new chemical SNUR it issues for nanoscale materials. EPA will continue to issue SNURs and consent orders for new chemical nanoscale materials in the coming year.
  • Because of limited data to assess nanomaterials, the consent orders and SNURs contain requirements to limit exposure to workers through the use of personal protective equipment (PPE), limit environmental exposure by not allowing releases to surface waters or direct releases to air, and limit the specific applications/uses to those described in the new chemical notification.

Regarding updates, including proposals, or modifications to previous regulatory decisions, the Tour de Table states that “[t]he approaches used, given the level of available information, are consistent with previous regulatory decisions. EPA’s assessments now assume that the environmental hazard of a nanomaterial is unknown unless acceptable hazard data is submitted with nanomaterial submission.”

The Tour de Table lists the following new regulatory challenge(s) with respect to any action for nanomaterials:

  • Standards/methods for differentiating between different forms of the same chemical substance that is a nanomaterial;
  • Standardized testing for the physical properties that could be used to characterize/identify nanomaterials; and
  • Differentiation between genuinely new nanoscale materials introduced in commerce and existing products that have been in commerce for decades or centuries.

PFAS MDL Settlements: Red Herrings For Downstream Companies

Leading up to the aqueous film-forming foam (AFFF) MDL litigation bellwether trial in June 2023, questions circulated regularly about the end game for the water utilities that had filed lawsuits alleging PFAS contamination to drinking water. With several hundred utilities with pending lawsuits seeking the costs for technology needed to filter PFAS from drinking water, monitoring wells, testing equipment, disposal costs, etc., and potentially thousands of other water utilities with similar potential lawsuits, the damages seemed astronomical. So, too, did the amount of time it would take to litigate each case to get the water utilities monetary relief. These two competing forces, plus the pressure of an actual trial date looming, led Dupont and 3M to announce PFAS MDL settlements in June 2023. At $1.185 billion by Dupont and between $10.3 billion and $12.5 billion by 3M, with the intention of both settlement funds to resolve all pending and potential water utility claims in the United States, it seemed to many that a resolution had been achieved that would address PFAS in drinking water systems without burdening utility customers or the utilities themselves.

The issue, though, is that over 9,000 water utilities were estimated to be in need of treatment technology to meet the EPA’s newly proposed drinking water standards. The American Water Works Association (AMWA) reminded everyone that their own estimates of the costs of compliance to the EPA’s level would cost utilities over $3.2 billion annually. Even buying into the old joke that lawyers are horrible at math, it does not take long for one to realize the significant gap in the proposed settlement amounts and AMWA’s estimates. Water utilities accepting money under the Dupont and 3M settlement funds are not all going to receive 100% of the necessary funding for remediation. How then will this deficit be resolved?

Water utilities will be reluctant to pass on all of the costs to customers, although pricing increases could provide a stopgap measure for water utilities on top of the MDL settlement funds. State or even federal funding may be available under grant, loan or other programs that can also assist. However, when the dust settles, it is likely that water utilities are going to look to a particular group of parties to pursue damages from – companies that discharged PFAS into waterways that fed into the water utility facilities. Lawsuits already abound nationally filed by private citizens against such companies for property damage, bodily injury and medical monitoring. Why then would water utilities finding themselves in need of significant money to properly treat drinking water not take similar legal action? Couple this with pressure water utilities are starting to receive in the form of finding themselves sued in class action lawsuits by private citizens, and the legal notion of contribution begins to ring very true for water utilities looking to minimize their own damages in such lawsuits and find sources of funding for remediation technology.

Companies that have historically discharged effluent into waterways that feed drinking water supplies must therefore keep all of the above in mind and not be lulled into a false sense of complacency that the Dupont and 3M settlements in the MDL are going to mean the end of PFAS drinking water litigation. I predict quite the opposite.

It is of the utmost importance that businesses along the whole commerce chain that have or believe that they might have used PFAS in certain processes take steps now to understand their PFAS risk. Public health and environmental groups urge legislators to regulate PFAS at an ever-increasing pace. Similarly, state level EPA enforcement action is increasing at a several-fold rate every year. Companies that did not manufacture PFAS, but merely utilized PFAS in their manufacturing processes, are becoming targets of costly enforcement actions at rates that continue to multiply year over year. Lawsuits are also filed monthly by citizens or municipalities against companies that are increasingly not PFAS chemical manufacturers. The only way to manage future risk is to fully understand what that risk picture looks like, and companies would be well-advised to invest in proper diligence for the PFAS risk question.

FDA Lists Regulations Under Development and Updates Priority Guidance Topics for Foods Program

  • The U.S. Food and Drug Administration’s (FDA’s) Foods Program has posted a new website listing regulations it plans to publish by October 2024 and long-term regulations it is prioritizing for publication at a later date. Additionally, FDA has updated the list of guidance topics it is considering and expects to publish by the end of 2024.
  • Regulations are officially announced in the Unified Agenda of Regulatory and Deregulatory Actions published each spring and fall. Some of the regulations FDA has listed on its website include use of the “healthy” nutrient content claim, the use of ultrafiltered milk in cheese and cheese related products, and front-of-package nutrition labeling, among others.
  • The following five topics have been added to the list of guidance documents the FDA expects to publish by the end of December 2024:
    • Notifying FDA of a Permanent Discontinuance in the Manufacture or an Interruption of the Manufacture of an Infant Formula; Draft Guidance for Industry;
    • Action Levels for Lead in Food Intended for Babies and Young Children: Guidance for Industry;
    • The Food Traceability Rule: Questions and Answers; Draft Guidance for Industry;
    • Hazard Analysis and Risk-Based Preventive Controls for Human Food; Chapter 12: Preventive Controls for Chemical Hazards: Draft Guidance for Industry; and
    • Voluntary Sodium Reduction Goals: Target Mean and Upper Bound Concentrations for Sodium in Commercially Processed, Packaged, and Prepared Foods (Edition 2): Draft Guidance for Industry
  • Public comments on the list of guidance topics can be submitted to www.regulations.gov using Docket ID FDA-2022-D-2088.

Multistate Coalition Supports EPA’s Proposed Revisions to the Safer Choice Standard

As reported in our December 5, 2023, memorandum, the U.S. Environmental Protection Agency (EPA) proposed updates to the Safer Choice Standard on November 14, 2023, that include a name change to the Safer Choice and Design for the Environment (DfE) Standard (Standard), an update to the packaging criteria, the addition of a Safer Choice certification for cleaning service providers, a provision allowing for preterm partnership termination under exceptional circumstances, and the addition of several product and functional use class requirements. 88 Fed. Reg. 78017. On January 16, 2024, California Attorney General Rob Bonta announced that, alongside a coalition of 12 attorneys general, he submitted a comment letter that:

  • Supports EPA’s proposed revisions to its Safer Choice Standard;
  • Recommends that EPA not allow products with plastic primary packaging to use the Safer Choice label or DfE logo;
  • Recommends that if EPA does allow products with plastic primary packaging to use the label and logo, EPA should prohibit the use of chemical recycling in meeting the proposed standard’s plastic packaging recycled content requirements; and
  • Calls on EPA to exclude any products or packaging that contain any per- and polyfluoroalkyl substances (PFAS), “whether intentionally introduced or not.”

Can Artificial Intelligence Assist with Cybersecurity Management?

AI has great capability to both harm and to protect in a cybersecurity context. As with the development of any new technology, the benefits provided through correct and successful use of AI are inevitably coupled with the need to safeguard information and to prevent misuse.

Using AI for good – key themes from the European Union Agency for Cybersecurity (ENISA) guidance

ENISA published a set of reports earlier last year focused on AI and the mitigation of cybersecurity risks. Here we consider the main themes raised and provide our thoughts on how AI can be used advantageously.

Using AI to bolster cybersecurity

In Womble Bond Dickinson’s 2023 global data privacy law survey, half of respondents told us they were already using AI for everyday business activities ranging from data analytics to customer service assistance and product recommendations and more. However, alongside day-to-day tasks, AI’s ‘ability to detect and respond to cyber threats and the need to secure AI-based application’ makes it a powerful tool to defend against cyber-attacks when utilized correctly. In one report, ENISA recommended a multi-layered framework which guides readers on the operational processes to be followed by coupling existing knowledge with best practices to identify missing elements. The step-by-step approach for good practice looks to ensure the trustworthiness of cybersecurity systems.

Utilizing machine-learning algorithms, AI is able to detect both known and unknown threats in real time, continuously learning and scanning for potential threats. Cybersecurity software which does not utilize AI can only detect known malicious codes, making it insufficient against more sophisticated threats. By analyzing the behavior of malware, AI can pinpoint specific anomalies that standard cybersecurity programs may overlook. Deep-learning based program NeuFuzz is considered a highly favorable platform for vulnerability searches in comparison to standard machine learning AI, demonstrating the rapidly evolving nature of AI itself and the products offered.

A key recommendation is that AI systems should be used as an additional element to existing ICT, security systems and practices. Businesses must be aware of the continuous responsibility to have effective risk management in place with AI assisting alongside for further mitigation. The reports do not set new standards or legislative perimeters but instead emphasize the need for targeted guidelines, best practices and foundations which help cybersecurity and in turn, the trustworthiness of AI as a tool.

Amongst other factors, cybersecurity management should consider accountability, accuracy, privacy, resiliency, safety and transparency. It is not enough to rely on traditional cybersecurity software especially where AI can be readily implemented for prevention, detection and mitigation of threats such as spam, intrusion and malware detection. Traditional models do exist, but as ENISA highlights they are usually designed to target or ‘address specific types of attack’ which ‘makes it increasingly difficult for users to determine which are most appropriate for them to adopt/implement.’ The report highlights that businesses need to have a pre-existing foundation of cybersecurity processes which AI can work alongside to reveal additional vulnerabilities. A collaborative network of traditional methods and new AI based recommendations allows businesses to be best prepared against the ever-developing nature of malware and technology based threats.

In the US in October 2023, the Biden administration issued an executive order with significant data security implications. Amongst other things, the executive order requires that developers of the most powerful AI systems share safety test results with the US government, that the government will prepare guidance for content authentication and watermarking to clearly label AI-generated content and that the administration will establish an advanced cybersecurity program to develop AI tools and fix vulnerabilities in critical AI models. This order is the latest in a series of AI regulations designed to make models developed in the US more trustworthy and secure.

Implementing security by design

A security by design approach centers efforts around security protocols from the basic building blocks of IT infrastructure. Privacy-enhancing technologies, including AI, assist security by design structures and effectively allow businesses to integrate necessary safeguards for the protection of data and processing activity, but should not be considered as a ‘silver bullet’ to meet all requirements under data protection compliance.

This will be most effective for start-ups and businesses in the initial stages of developing or implementing their cybersecurity procedures, as conceiving a project built around security by design will take less effort than adding security to an existing one. However, we are seeing rapid growth in the number of businesses using AI. More than one in five of our survey respondents (22%), for instance, started to use AI in the past year alone.

However, existing structures should not be overlooked, and the addition of AI into current cybersecurity systems should improve functionality, processing and performance. This is evidenced by AI’s capability to analyze huge amounts of data at speed to provide a clear, granular assessment of key performance metrics. This high-level, high-speed analysis allows businesses to offer tailored products and improved accessibility, resulting in a smoother retail experience for consumers.

Risks

Despite the benefits, AI is by no means a perfect solution. Machine-learning AI will act on what it has been told under its programming, leaving the potential for its results to reflect an unconscious bias in its interpretation of data. It is also important that businesses comply with regulations (where applicable) such as the EU GDPR, Data Protection Act 2018, the anticipated Artificial Intelligence Act and general consumer duty principles.

Cost benefits

Alongside reducing the cost of reputational damage from cybersecurity incidents, it is estimated that UK businesses that use some form of AI in their cybersecurity management reduced costs related to data breaches by £1.6m on average. Using AI or automated responses within cybersecurity systems was also found to have shortened the average ‘breach lifecycle’ by 108 days, saving time, cost and significant business resource. Further development of penetration testing tools which specifically focus on AI is required to explore vulnerabilities and assess behaviors, which is particularly important where personal data is involved, as a company’s integrity and confidentiality are at risk.

Moving forward

AI can be used to our advantage, but it should not be seen as entirely replacing existing or traditional models to manage cybersecurity. While AI is an excellent long-term assistant to save users time and money, it cannot be relied upon alone to make decisions directly. In this transitional period from more traditional systems, it is important to have a secure IT foundation. As WBD suggests in our 2023 report, having established governance frameworks and controls for the use of AI tools is critical for data protection compliance and an effective cybersecurity framework.

Despite suggestions that AI’s reputation is degrading, it is a powerful and evolving tool which could not only improve your business’ approach to cybersecurity and privacy but with an analysis of data, could help to consider behaviors and predict trends. The use of AI should be exercised with caution, but if done correctly could have immeasurable benefits.

___

* While a portion of ENISA’s commentary is focused around the medical and energy sectors, the principles are relevant to all sectors.

Exploring the Future of Information Governance: Key Predictions for 2024

Information governance has evolved rapidly, with technology driving the pace of change. Looking ahead to 2024, we anticipate technology playing an even larger role in data management and protection. In this blog post, we’ll delve into the key predictions for information governance in 2024 and how they’ll impact businesses of all sizes.

  1. Embracing AI and Automation: Artificial intelligence and automation are revolutionizing industries, bringing about significant changes in information governance practices. Over the next few years, it is anticipated that an increasing number of companies will harness the power of AI and automation to drive efficient data analysis, classification, and management. This transformative approach will not only enhance risk identification and compliance but also streamline workflows and alleviate administrative burdens, leading to improved overall operational efficiency and effectiveness. As organizations adapt and embrace these technological advancements, they will be better equipped to navigate the evolving landscape of data governance and stay ahead in an increasingly competitive business environment.
  2. Prioritizing Data Privacy and Security: In recent years, data breaches and cyber-attacks have significantly increased concerns regarding the usage and protection of personal data. As we look ahead to 2024, the importance of data privacy and security will be paramount. This heightened emphasis is driven by regulatory measures such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). These regulations necessitate that businesses take proactive measures to protect sensitive data and provide transparency in their data practices. By doing so, businesses can instill trust in their customers and ensure the responsible handling of personal information.
  3. Fostering Collaboration Across Departments: In today’s rapidly evolving digital landscape, information governance has become a collective responsibility. Looking ahead to 2024, we can anticipate a significant shift towards closer collaboration between the legal, compliance, risk management, and IT departments. This collaborative effort aims to ensure comprehensive data management and robust protection practices across the entire organization. By adopting a holistic approach and providing cross-functional training, companies can empower their workforce to navigate the complexities of information governance with confidence, enabling them to make informed decisions and mitigate potential risks effectively. Embracing this collaborative mindset will be crucial for organizations to adapt and thrive in an increasingly data-driven world.
  4. Exploring Blockchain Technology: Blockchain technology, with its decentralized and immutable nature, has tremendous potential to revolutionize information governance across industries. By 2024, as businesses continue to recognize the benefits, we can expect a significant increase in the adoption of blockchain for secure and transparent transaction ledgers. This transformative technology not only enhances data integrity but also mitigates the risks of tampering, ensuring trust and accountability in the digital age. With its ability to provide a robust and reliable framework for data management, blockchain is poised to reshape the way we handle and secure information, paving the way for a more efficient and trustworthy future.
  5. Prioritizing Data Ethics: As data-driven decision-making becomes increasingly crucial in the business landscape, the importance of ethical data usage cannot be overstated. In the year 2024, businesses will place even greater emphasis on data ethics, recognizing the need to establish clear guidelines and protocols to navigate potential ethical dilemmas that may arise. To ensure responsible and ethical data practices, organizations will invest in enhancing data literacy among their workforce, prioritizing education and training initiatives. Additionally, there will be a growing focus on transparency in data collection and usage, with businesses striving to build trust and maintain the privacy of individuals while harnessing the power of data for informed decision-making.

The future of information governance will be shaped by technology, regulations, and ethical considerations. Businesses that adapt to these changes will thrive in a data-driven world. By investing in AI and automation, prioritizing data privacy and security, fostering collaboration, exploring blockchain technology, and upholding data ethics, companies can prepare for the challenges and opportunities of 2024 and beyond.

Jim Merrifield, Robinson+Cole’s Director of Information Governance & Business Intake, contributed to this report.