AI is reshaping product development and the regulatory landscape, and the pace of change is accelerating. In this episode of the Cybersecurity Awareness Series, Amy S. Mushahwar and Kathleen A. McGee discuss the rapid expansion of state AI and privacy laws, evolving breach notification obligations, and heightened scrutiny around model integrity, safety, and ethical use. From algorithmic regulation to concerns about hallucinations and data contamination, today’s risks extend far beyond traditional compliance.
Speakers:
- Amy S. Mushahwar, Partner, Chair, Data Privacy, Security, Safety & Risk Management
- Kathleen A. McGee, Partner, Data Privacy, Security, Safety & Risk Management, White Collar
READ THE TRANSCRIPT
Kathleen A. McGee: So, AI is obviously a huge issue for our clients, both in terms of product development and also in the regulatory landscape. It is a very popular subject for state laws that are being rolled out across the country—usually consumer facing, but algorithmic use and AI, SAS product-oriented regulations are starting to blossom throughout the state landscape.
Amy S. Mushahwar: We are having privacy statutes creep and crawl across the country, just like data breach statutes did now 20 years ago, starting with the first California data breach statute.
So, we are seeing an escalation of the amount of data laws—AI, data disposal, still granular breach and more breach obligations and more breach subject data—and the scary thing for our clients is many of these laws require notification and notification on a stepped-up timetable.
What is fascinating for me is the fact that we have moved beyond what most firms are looking at, which is simple equal protection to ethical use, efficacy of the models, and whether or not the models are hallucinating. Some security companies, like CrowdStrike, have argued that just 150,000 records injected into your models and within your model-training data, can create marginally different outcomes. And can you imagine being a GC who all of a sudden realizes that the AI they are relying upon—perhaps for employment, for lending, and for other very serious use cases and perhaps even the distribution of benefits—maybe that's not working the way it should.
We advise our clients that when dealing especially with more modern safety issues—bullying, bulimia, true safety issues and trafficking, and we have clients who are actively assisting in some of these areas—they’re just an issue that it doesn't matter whether or not federal enforcement occurs. A) it probably will occur because it's not politically expedient to avoid it, and B) there are still state attorneys general that will aggressively go after safety issues because that is squarely within their, you know, Mini Section 5 jurisdiction.
