U.S. Department of Commerce Seeks to Protect Drones Supply Chain From Foreign Adversaries
On January 3, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published an Advance Notice of Proposed Rulemaking (ANPRM) on the national security risks posed by foreign adversary involvement in the supply chain for unmanned aerial systems (UAS) (i.e., drones), including risks to critical infrastructure and U.S. sensitive data. BIS seeks public input to inform regulations on the supply of certain UAS components developed by entities linked to the People’s Republic of China (China) and Russia.
Colorado Finalizes Privacy Act Rules: Key Updates for Businesses
The new year brings with it several state privacy law developments, including the effective dates for comprehensive privacy legislation in Delaware, Iowa, Nebraska, New Hampshire and New Jersey. Among this flurry of new state law obligations, however, privacy officers should not lose sight of continuing developments in states that helped pioneer the wave of state privacy laws, such as in Colorado.
CMS Proposes Artificial Intelligence Limits and Utilization Management Guardrails for Medicare Advantage
On December 10, 2024, the Centers for Medicare & Medicaid Services (CMS) published a proposed rule with technical changes for the Medicare Advantage (MA) Program and the Medicare Prescription Drug Benefit Program for Calendar Year 2026 (Proposed Rule). Citing the growing use of Artificial Intelligence (AI) within the healthcare sector and reports that the use of AI may lead to “algorithmic discrimination” that exacerbates inequalities within healthcare, CMS proposes, for the first time, new guardrails that must be adopted by MA plans when using AI to manage patient care. CMS also proposes several reforms addressing utilization management (UM) techniques adopted by MA plans, including requirements for such plans to conduct and report detailed analyses on the use of prior authorizations. Notably, the Proposed Rule primarily modifies MA regulations, without direct application to the Medicare Part D prescription drug program.
Asia-Pacific Regulations Keep Pace With Rapid Evolution of Artificial Intelligence Technology
Regulation of artificial intelligence (AI) technology in the Asia-Pacific region (APAC) is developing rapidly, with at least 16 jurisdictions having some form of AI guidance or regulation. Some countries are implementing AI-specific laws and regulation, while others take a more “soft” law approach in reliance on nonbinding principles and standards. While regulatory approaches in the region differ, policy drivers feature common principles including responsible use, data security, end-user protection, and human autonomy.
An Artificial Intelligence, Privacy, and Cybersecurity Update for Indian Companies Doing Business in the United States and Europe
Pivotal shifts have occurred in global data privacy, artificial intelligence (AI), and cybersecurity from executives facing more pressure to monitor their organizations’ cybersecurity operations, to an unprecedented wave of consumer data privacy laws and rapid advancements in AI technology use and deployment. Indian organizations should establish best practices to address these new (and emerging) laws, regulations, and frameworks.
FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs
On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).1 Comments are due by May 28, 2024.
The U.S. Plans to ‘Lead the Way’ on Global AI Policy
Policymakers around the world took significant steps toward regulating artificial intelligence (AI) in 2023. Spurred by the launch of revolutionary large language models such as OpenAI’s GPT series of models, debates surrounding the benefits and risks of AI have been brought into the foreground of political thought. Indeed, over the past year, legislative forums, editorial pages, and social media platforms were dominated by AI discourse. And two global races have kicked into high gear: Who will develop and deploy the most cutting-edge, possibly risky AI models, and who will govern them? In this article, published by the Lawfare Institute in cooperation with Brookings, Sidley lawyers Alan Charles Raul and Alexandra Mushka suggest that “the United States intends to run ahead of the field on AI governance, analogous to U.S. leadership on cybersecurity rules and governance—and unlike the policy void on privacy that the federal government has allowed the EU to fill.”
UK Publishes Cyber Governance Code of Practice for Consultation
On 23 January 2024, the UK government published its draft Cyber Governance Code of Practice (the “Code”) to help directors and other senior leadership boost their organizations’ cyber resilience. The draft Code, which forms part of the UK’s wider £2.6bn National Cyber Strategy, was developed in conjunction with several industry experts and stakeholders – including the UK National Cyber Security Centre. The UK government is seeking views from organizations on the draft Code by 19 March 2024.
U.S. CFTC Seeks Public Input on Use of Artificial Intelligence in Commodity Markets and Simultaneously Warns of AI Scams
The staff of the Commodity Futures Trading Commission (CFTC) is seeking public comment (the Request for Comment) on the risks and benefits associated with use of artificial intelligence (AI) in the commodity derivatives markets. According to the Request for Comment, the staff “recognizes that use of AI may lead to significant benefits in derivatives markets, but such use may also pose risks relating to market safety, customer protection, governance, data privacy, mitigation of bias, and cybersecurity, among other issues.”
Federal and State Regulators Fine Foreign Bank for Unauthorized Disclosure of Confidential Supervisory Information
On January 17, 2024, the New York Department of Financial Services (NYDFS) entered into a consent order with Industrial and Commercial Bank of China Ltd. (ICBC or the Bank), resolving a matter in which ICBC’s New York branch disclosed confidential supervisory information (CSI) without authorization. The order includes a civil monetary penalty of $30 million. Two days later, the Board of Governors of the Federal Reserve System (Federal Reserve) entered into a consent cease-and-desist order with ICBC and its New York branch that includes a fine of approximately $2.4 million for the unauthorized disclosure of CSI. The Federal Reserve specifically noted that its action was taken in conjunction with the prior action of NYDFS.