Over the years, state, federal, and international data security laws have proliferated. These laws impose security requirements on the businesses and governmental entities that they cover.

At first, these laws focused on specific sectors of the economy, such as financial services, health care, or government. Later, state legislatures, foreign governments, and international bodies created more general data protection laws that cut broadly across sectors.

Some of these laws establish only general requirements, such as the mandate to protect certain kinds of information with “reasonable security.” …


Data breaches continue to be an everyday occurrence. We see them in the news all the time. The recent Equifax breach is only the latest in a long string of breaches. Competitors, former employees, and state-sponsored groups seek companies’ trade secrets in order to bolster competing businesses. Hacktivist groups seek to damage the reputation of companies by publicizing sensitive information. Organized crime rings seek sensitive information for profit.

The consequences of data breach liability are becoming apparent. Merchants sued for data breaches are paying staggering amounts to investigate and settle the cases against them. The TJX Companies set aside $107 million to cover the litigation against it and regulatory actions. Heartland Systems set aside $73.3 …


Imagine for a moment that you believe your company may have experienced a data breach.

In other words, your security company has detected or has been notified of some event. What do you do now?

First, take a deep breath. It is important to think clearly and not react instantly based on gut feelings and instincts.

Next, if you’ve done advance planning, you will have a breach response plan ready to go. It is a matter of executing the plan that you have already created. Initial steps include notification to your breach response team. Depending on the nature of the breach, team members include senior executives from the legal, IT, security, HR, marketing, and finance departments. …


One of the things in looking at AI and robotics that I think about is the effect of other, related technologies on AI and robotics. AI and robotics shouldn’t be looked at in isolation from each other, from themselves, or from other types of technologies. Big data, cloud computing, Internet of things — these can and do all work together with AI and robotics, depending on the application. As a result, you need to understand an entire ecosystem of services in order to comprehend the real risks associated with AI and robotics. The complexity of each system in relation to the other creates what is arguably a synergistic or algorithmic effect. …


The Health Insurance Portability and Accountability Act and its regulations are the main laws governing data privacy and security in the healthcare field. Nonetheless, HIPAA and its Privacy Rule and Security Rule protections predate the widescale adoption of artificial intelligence and robotics in healthcare. Is HIPAA compliance required for the operation of robots and AI systems in the clinical setting? Yes. HIPAA compliance is necessary for the use of robots and AI systems because of the general way the law was written.

HIPAA and its regulations cover the protection of “protected health information” (PHI) generally regardless of the technologies used. It requires reasonable and appropriate administrative, physical, and technical safeguards to protect PHI. The law is flexible enough to cover new situations and new technologies, including robots and AI systems. …


Growing up, I used to think New York City was the capital of the world. I started life in Columbus, Ohio, and spent most of my early years in a Cleveland, Ohio suburb called Chagrin Falls. Of course, I knew that Washington, D.C. was the political capital of the nation and that the world itself didn’t have an official capital. Nonetheless, Cleveland revolved in New York’s orbit.

While Chicago was closer, my Ohio peers and I at least subconsciously thought of New York as the place to go to seek your fortune. When young people in my area of Ohio wanted to make it to the big time, they would plan a move to New York. New York was the source of much of our media, arts, theater, jazz, literature, fashion, great sports history, and so much more. And yes, we were jealous of all those Yankee World Series wins. …


Organizations using machine learning systems require data to train their systems. But where does that data come from? And can they get into trouble if they don’t have the rights to use that data? The short answer is yes; they can get into trouble if they aren’t careful.

A few recent cases show the risks associated with companies using personal information for training AI systems allegedly without authorization. First, Burke v. Clearview AI, Inc., a class action filed in federal district court in San Diego at the end of February 2020, involves a company, Clearview, accused of “scraping” thousands of sites to obtain three billion images of faces of individuals used for training AI algorithms for facial recognition and identification purposes. “Scraping” refers to the use of automated processes to scan the content of websites, collect certain content from them, store that content, and use it later for the collecting company’s own purposes. The basis for the complaint is that Clearview AI failed to obtain consent to use the scraped images. …


In a judgment issued last week, the European Court of Justice invalidated the EU-U.S. Privacy Shield Program by which businesses in the United States could self-certify their compliance with a framework of principles for data protection. This judgment is the top privacy story for multinational companies this year. What does this mean for artificial intelligence companies? For AI companies using personal data to train machine learning systems, the answer is that it just got harder to import personal data from the European Union (EU) and broader European Economic Area (EEA) to the United States.

The background is that some U.S. businesses in the artificial intelligence field are importing personal data from European countries to train machine learning systems with a myriad of applications. Companies with a physical presence in the EEA, companies directing marketing efforts to EEA member states, and companies monitoring the behavior of individuals present in EEA member states are subject to the European Union’s General Data Protection Regulation. For more details, see my earlier blog post. In addition, other U.S. businesses may provide services to another U.S. business that has already imported personal data from EEA countries. Such U.S. businesses must then agree by contract to protect personal data from those countries with the same level of protection they would receive under GDPR in the EEA. Therefore, some AI companies are required, directly or indirectly, to meet GDPR standards. …


Stephen Wu

I am an artificial intelligence and robotics lawyer. That sentence sounds like I might be an artificial intelligence machine that can perform legal tasks. But that’s not what I am talking about. I am a human practicing lawyer in Silicon Valley in the 2020s diving into the law of artificial intelligence and robotics. I strike deals, defend my client’s rights, help my clients comply with the law, investigate mishaps, and help govern AI and robotics systems for sellers and buyers of the AI and robotics technology.

People sometimes ask me why I am focusing a major part of my law practice on artificial intelligence and robotics. The short answer is that I can’t think of a more exciting, interesting, and rewarding career path in the law than AI and robotics law. I had been a science fiction fan as a high school and college student, and now I feel like I am practicing the “law of science fiction.” But that doesn’t give you a full picture of why I find the field exciting, interesting, or rewarding. …


Startup artificial intelligence and robotics companies face constant business challenges, especially in this year of COVID-19 and the resulting economic downturn. Startup companies are looking to weather the storm, while some entrepreneurs, perhaps out of necessity, are beginning new businesses. With limited budgets for legal fees, what kinds of contracts do startup AI and robotics companies really need?

Non-disclosure Agreement (NDA)

First, every AI and robotics company should have a nondisclosure agreement, abbreviated as “NDA.” In an NDA, the company and some other business or individuals agree that some kinds of information will be treated as confidential information. That confidential information must not be disclosed or used without authorization. And the party receiving confidential information must take steps to protect it from unauthorized access. Sometimes NDAs are one-way, in which one of the two parties is providing confidential information, and the other party has to protect it. …

About

Stephen Wu

Technology/AI attorney and shareholder at Silicon Valley Law Group.
