Information Governance

Subscribe to Information Governance via RSS
ramon-salinero-vEE00Hx5d0Q-unsplash (1)

The lesson from the PocketOS database deletion is not that agentic AI is dangerous. It’s about governance and controls.

You have probably seen some version of the headline by now: “AI Agent Deletes Company’s Entire Database in 9 Seconds.” It is a compelling story. But the headline, while technically accurate, obscures the far more important lesson buried in the details.

So what actually happened? PocketOS, a small SaaS company that makes software for car rental businesses, was using a popular AI-powered code editor running on Anthropic’s Claude Opus 4.6 model. The AI agent was tasked with resolving a routine issue in a staging environment. When it hit a credential mismatch, the agent decided on its own initiative to “fix” the problem by deleting a volume on Railway, the company’s cloud hosting provider. The agent found a password in an unrelated file and used it to execute a deletion command. Because of permissions made available to the agent and the way access to the infrastructure was configured, that single command using a password which was valid across all systems wiped both the production database and all associated backups.  

The agent, when asked to explain itself, produced what multiple outlets described as a “confession,” acknowledging it had violated its own safety instructions. The story has gone viral. The framing in most coverage puts the AI squarely at the center of the narrative: the agent “went rogue,” it “confessed,” it acted autonomously and destroyed a business. But the reports are not entirely accurate and usually miss the point.

Continue Reading The AI Didn’t Go Rogue. Guardrails Were Never There.
akshat-sharma-mrTVz_fosMY-unsplash

Now in its sixth year, Seyfarth’s Commercial Litigation Outlook provides a clear view into the forces reshaping business disputes in 2026. This year’s analysis highlights a risk landscape defined by accelerating technological change, an increasingly fragmented regulatory environment, and growing economic pressures across multiple industries.

According to the Outlook, artificial intelligence is creating new categories of legal risk, from the challenges of authenticating AI‑generated content to navigating the use of algorithmic tools while courts and regulators rapidly reset expectations around emerging technology. At the same time, state‑level regulation continues to expand, particularly around non‑competes, privacy, and biometrics, creating a compliance patchwork that requires businesses to adapt strategies by jurisdiction. Coupled with elevated interest rates, rising debt, and post‑pandemic strain, especially in real estate, health care, and franchise sectors, the commercial litigation environment remains fluid, fast‑moving, and resistant to neat predictions. Against this backdrop, eDiscovery, information governance, and cybersecurity response functions play increasingly central roles in managing litigation risk and staying ahead of shifting expectations.

Authored by Jay Carle, Matthew Christoff, and Danny Riley, this year’s eDiscovery & Innovation article spotlights one of the most significant and fast‑moving risks in the discovery landscape: the rise of AI‑enabled notetaking and meeting‑summarization tools. As generative AI capabilities become embedded directly into videoconferencing platforms, these tools now routinely record meetings, create transcripts with speaker attribution, and auto‑generate summaries—often by default. The result is a sudden proliferation of new, unvetted records that can capture sensitive, strategic, or privileged conversations. The article warns that these tools exponentially increase the risk of inadvertent disclosure, while also creating evidentiary challenges when transcripts or summaries are later used to establish what was said, by whom, and with what intent.

The article also highlights that litigation risk is expanding beyond the developers of these tools to the organizations deploying them. AI notetakers raise overlapping consent, privacy, wiretap, and biometric concerns, and courts will increasingly scrutinize whether companies can demonstrate how meeting data was captured, stored, and controlled. As with prior waves of privacy litigation, the differentiator will be operational discipline: organizations that implement clear governance around meeting recording, restrict distribution of AI‑generated outputs, and define authoritative versions of records will be far better positioned to defend against disclosure missteps, authenticity disputes, and statutory claims.

Click here to download the 2026 Commercial Litigation Outlook.

Continue Reading The Changing Discovery Landscape: Takeaways from Seyfarth’s 2026 Commercial Litigation Outlook
thomas-lefebvre-gp8BLyaTaA0-unsplash

On July 24, 2025, the California Privacy Protection Agency (“CPPA”) unanimously voted to adopt a package of Proposed Regulations for the California Consumer Privacy Act (“CCPA”), marking a significant development in California privacy law. These cover Automated Decision-making Technology (“ADMT”), mandatory Cybersecurity Audits, Risk Assessments, and clarifications for the CCPA’s applicability to Insurance Companies. The package will move into its final review stage before formal enactment, once filed with the California Office of Administrative Law.

CCPA Steering Toward Operational Compliance

This is a clear signal that privacy compliance expectations in California are trending toward a more operational phase. The new rules are designed to give Californians greater control over how their personal information is used while pushing businesses toward higher levels of transparency and accountability, especially when automated decision-making and high-risk data processing is involved. For companies, this is more than just a theoretical update – it’s a clarion call to ensure these requirements are built into day-to-day governance, technology and process design, and vendor management practices.

Continue Reading California Privacy Protection Agency (CPPA) Finally Voted to Adopt Much Debated Update to CCPA Regulations: What Your Business Should Know
conny-schneider-xuTJZ7uD7PI-unsplash (2)

Seyfarth Shaw is proud to sponsor the 2025 Masters Conference, a premier boutique legal event hosted in cities across the U.S., as well as in Toronto and London. The conference will be held on Tuesday, May 20, 2025, at Seyfarth’s Chicago office and will feature keynote presentations, panel discussions, workshops, and networking opportunities.

Topics will include eDiscovery, Artificial Intelligence, Information and Data Governance, Legal Project Management, Forensics and Investigations, Knowledge Management, and Cybersecurity.

Seyfarth partners Jay Carle, Matthew Christoff, and Jason Priebe will share their insights as featured panelists throughout the day. Additional information about their panel topics is outlined below.

For more information and to register, click here.

Continue Reading Seyfarth to Sponsor and Present at 2025 Masters Conference

At the end of May, 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft proposal only covers a few topics the Agency is seeking to cover. The issues covered in this draft of the regulations include data collection and processing

In response to the COVID-19 crisis, nearly all companies and organizations were abruptly forced to transition portions of, and in many cases, their entire workforce to remote work.  After a few weeks, it seems that many companies have adjusted to this “new normal” and settled in, albeit with some lingering technical and connectivity issues.  As companies raced to get their employees up and running remotely, it is likely many were primarily focused on connectivity and security, while necessarily ignoring the complex privacy, security, compliance, and document preservation challenges lurking below the surface of the “new norm.”

Companies will begin to realize that transitioning to a remote workforce can lead to unintended consequences that can and should now be addressed. Some of these unintended consequences include:

  1. Information Technology (“IT”) departments deploying software and systems such as Microsoft Teams, Slack, etc that have not yet been properly tested, including establishing retention periods, back-up procedures, and acceptable use policies.
  2. “Shadow IT” issues relating to employees using whatever services and products they think will help them do their remote job better, even when those products or services are not vetted by, supported by, or welcomed by corporate IT.
  3. Informal communications using messaging tools or social media platforms that are either not preserved subject to an active litigation hold notice, or that violate company policy, or frame the company in a negative light.
  4. Remote employee use of unauthorized external or cloud-based storage for company data.
  5. Information subject to a litigation hold notice being lost due to the inadequate back-up of laptops and other systems being used off-premises.
  6. Recycling of laptops, desktops, and mobile devices subject to a litigation hold notice in order to ensure rapid deployment of remote workforce.
  7. Employees using personal devices to store information and communications that are or could become subject to a litigation hold notice.
  8. Risking breach of confidential, sensitive, or personally identifying information (“PII”) due to lack of adequate remote security.
  9. Employees using unauthorized, unsecured, commercial collaboration tools.
  10. Employees using unsecured endpoints or endpoints with consumer-grade antivirus or antimalware.
  11. Employees operating off-network such that corporate firewalls for phishing and network intrusion are not engaged.
  12. Terminated employees subject to a litigation hold notice.

Continue Reading COVID-19 Remote Workforce Risks – Preservation, Compliance, Privacy, and Data Security Risks

The eDiscovery and Information Governance Group has been ranked in Tier Three in the latest Legal 500 ranking. Richard (Rick) Lutkus was also recognized as a Rising Star in Media, Technology & Telecoms – Cyber Law. Rick Lutkus and Kathleen McConnell were also recognized by the editorial as recommended lawyers. Led by Scott Carlson (also

Seyfarth eDiscovery attorneys Jason Priebe and Natalya Northrip will present “A Practical Roadmap for EU Data Protection and Cross-Border Discovery” at this year’s RelativityFest on October 24, 2017.

This presentation will provide attendees with practical tips for leveraging the new Sedona International Principles to help in your compliance with stringent GDPR requirements, and in seeking

Natalya Northrip and Emily Dorner will be presenting on two interesting eDiscovery topics this April; presentations will focus on litigation hold maintenance and best practices, as well as recordkeeping for human resources professionals.  Presentations will take place on April 6, and April 26, respectively.  Summaries of presentation content and links to sign up are provided