Information Security

Subscribe to Information Security via RSS
sasun-bughdaryan-cX8kNl8X0Ys-unsplash

It has been a busy spring for data privacy in the Southeast. On April 17, 2026, Alabama Governor Kay Ivey signed the Alabama Personal Data Protection Act (HB 351). Weeks later, on May 11, 2026, Governor Kemp signed Georgia’s SB 111. There is an important caveat there: although the Senate-passed version of SB 111 carried the title “Georgia Consumer Privacy Protection Act,” the House substituted the bill’s entire text with unrelated amendments to the rural hospital tax credit. The Senate agreed to the substitute on April 2, and the version Kemp ultimately signed has nothing to do with consumer privacy. Legislative tracking services continue to display the original title, which has caused understandable confusion, but Georgia did not enact a comprehensive privacy law this session.

That leaves the Southeast with three states currently operating under a comprehensive privacy statute: Florida (in effect since 2024), Tennessee (in effect since 2025), and Alabama (taking effect in 2027). Georgia remains a state to watch, with sponsors expected to introduce a successor measure when the new General Assembly convenes in 2027. And in keeping with the national trend, each state’s “omnibus” law (or proposed law) takes a slightly different approach with qualifying thresholds and defined terms. This article provides a short summary of what businesses operating in the region need to know and what they should be working on today.

Who Is Covered: Three Enacted Laws and Three Thresholds (and a Note on Georgia)

The biggest difference among the three enacted statutes is the way each defines businesses that must comply.

Florida’s Digital Bill of Rights (FDBR), which took effect on July 1, 2024, has the narrowest scope by a wide margin. The FDBR imposes obligations on controllers with annual global revenue of more than $1 billion that also meet one of three additional criteria: derive 50% or more of annual revenue from selling online ads, operate a consumer smart speaker with an integrated virtual assistant, or operate an app store with at least 250,000 applications. By design, the majority of the FDBR’s controller obligations apply only to the largest tech and platform companies. As a practical matter, most Southern businesses will never need to worry about Florida’s controller obligations, though enforcement has now begun. The Florida AG’s October 2025 action against Roku is a useful reminder that the FDBR is no longer dormant for the companies that do qualify.

Continue Reading Southeastern Privacy Laws Taking Shape: Current and Upcoming Omnibus Laws for Alabama, Georgia, Florida, and Tennessee
google-deepmind-LIlsk-UFVxk-unsplash

When Colorado enacted the first comprehensive state AI law in 2024, it imported the conceptual architecture of the EU AI Act: a risk-based regime built on duties of care, risk management programs, and impact assessments. Two years later, and within a matter of weeks, the state has dismantled that legislation. On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189, which repeals SB 24-205 and replaces it with a disclosure-and-rights framework focused on automated decision-making technology (“ADMT”). The new framework takes effect January 1, 2027.

The substance of the rewrite has been well-covered already. Less examined is how Colorado got here, and what the speed and direction of the pivot signal for the rest of the state AI regulatory landscape. The new bill was introduced and signed within two weeks of its introduction. The Governor’s AI Policy Working Group did the heavy lift in advance: roughly six months of stakeholder consultation produced the draft framework released on March 17, 2026. But the final two-week sprint reflects pressure to land the rewrite before the original AI Act’s June 30, 2026 effective date and amid escalating federal headwinds.

The Federal Backdrop

On December 11, 2025, the White House issued an executive order (“EO”) titled, “Ensuring a National Policy Framework for Artificial Intelligence.” The EO directs federal agencies to challenge conflicting state AI laws through litigation and coordinated federal action, and urges development of a preemptive national framework. It specifically named Colorado’s AI Act as an example of a state law that, in the administration’s view, would compel AI systems to “produce false results in order to avoid a ‘differential treatment or impact’ on protected groups.”

Continue Reading Colorado’s AI Reset: Two Weeks, a White House Callout, and a Pivot Away from the EU Model
brianpenny-ai-generated-8540917

Legal500 featured an article by Seyfarth partners Kathleen McConnell and Lauren Gregory Leipold, and associate Daniel Riley“AI Governance In (and Beyond) Privacy: Regulatory Tensions in Automated Decision‑Making, the Digital Authenticity Crisis, and Restrictions on Professional Use.

The piece, published as a part of the Legal500 Country Comparative Guides, examines the rapidly

akshat-sharma-mrTVz_fosMY-unsplash

Now in its sixth year, Seyfarth’s Commercial Litigation Outlook provides a clear view into the forces reshaping business disputes in 2026. This year’s analysis highlights a risk landscape defined by accelerating technological change, an increasingly fragmented regulatory environment, and growing economic pressures across multiple industries.

According to the Outlook, artificial intelligence is creating new categories of legal risk, from the challenges of authenticating AI‑generated content to navigating the use of algorithmic tools while courts and regulators rapidly reset expectations around emerging technology. At the same time, state‑level regulation continues to expand, particularly around non‑competes, privacy, and biometrics, creating a compliance patchwork that requires businesses to adapt strategies by jurisdiction. Coupled with elevated interest rates, rising debt, and post‑pandemic strain, especially in real estate, health care, and franchise sectors, the commercial litigation environment remains fluid, fast‑moving, and resistant to neat predictions. Against this backdrop, eDiscovery, information governance, and cybersecurity response functions play increasingly central roles in managing litigation risk and staying ahead of shifting expectations.

Authored by Jay Carle, Matthew Christoff, and Danny Riley, this year’s eDiscovery & Innovation article spotlights one of the most significant and fast‑moving risks in the discovery landscape: the rise of AI‑enabled notetaking and meeting‑summarization tools. As generative AI capabilities become embedded directly into videoconferencing platforms, these tools now routinely record meetings, create transcripts with speaker attribution, and auto‑generate summaries—often by default. The result is a sudden proliferation of new, unvetted records that can capture sensitive, strategic, or privileged conversations. The article warns that these tools exponentially increase the risk of inadvertent disclosure, while also creating evidentiary challenges when transcripts or summaries are later used to establish what was said, by whom, and with what intent.

The article also highlights that litigation risk is expanding beyond the developers of these tools to the organizations deploying them. AI notetakers raise overlapping consent, privacy, wiretap, and biometric concerns, and courts will increasingly scrutinize whether companies can demonstrate how meeting data was captured, stored, and controlled. As with prior waves of privacy litigation, the differentiator will be operational discipline: organizations that implement clear governance around meeting recording, restrict distribution of AI‑generated outputs, and define authoritative versions of records will be far better positioned to defend against disclosure missteps, authenticity disputes, and statutory claims.

Click here to download the 2026 Commercial Litigation Outlook.

Continue Reading The Changing Discovery Landscape: Takeaways from Seyfarth’s 2026 Commercial Litigation Outlook
zeng-yili-QWKAv65uhQs-unsplash

When Judge Jed Rakoff ruled in United States v. Heppner (S.D.N.Y. Feb. 17, 2026)  that documents a criminal defendant created through exchanges with Anthropic’s Claude platform weren’t protected by attorney-client privilege or the work product doctrine, the decision generated significant attention across the legal community. Many practitioners read that ruling as a sweeping statement: using

growtika-nGoCBxiaRO0-unsplash

Introduction

Robotics and artificial intelligence are converging at an unprecedented pace. As robotics systems increasingly integrate AI-driven decision-making, businesses are unlocking new efficiencies and capabilities across industries from manufacturing and logistics to healthcare and real estate.

Yet this convergence introduces complex legal and regulatory challenges. Companies deploying AI-enabled robotics must navigate issues related to data privacy, intellectual property, workplace safety, liability, and compliance with emerging AI governance frameworks.

The Shift: Robotics as an AI Subset

Traditionally, robotics was viewed as a standalone discipline focused on mechanical automation. Today, robotics is increasingly powered by machine learning algorithms, natural language processing, and predictive analytics—hallmarks of AI technology.

This evolution raises critical questions for legal teams:

  • Who owns the data generated by AI-enabled robots?
  • How do we allocate liability when autonomous systems make decisions without human intervention?
  • What contractual safeguards should be in place when outsourcing robotics solutions to third-party vendors?

As robotics increasingly incorporates AI functionality, traditional contract structures for hardware procurement and service agreements require significant updates. This evolution introduces new risk categories that must be addressed through precise drafting and negotiation.

Continue Reading The AI-Driven Evolution of Robotics
chad-madden-bTfza0M0hCE-unsplash

On Friday, October 17, 2025, U.S. District Court Judge Vince Chhabria issued a biting Order granting defendant Eating Recovery Center, LLC’s (“ERC”) motion for summary judgment on the plaintiff Jane Doe’s California Invasion of Privacy Act (CIPA) claims, a law enacted in 1967 to address the increasing use of wiretapping to eavesdrop on private phone

thomas-lefebvre-gp8BLyaTaA0-unsplash

On July 24, 2025, the California Privacy Protection Agency (“CPPA”) unanimously voted to adopt a package of Proposed Regulations for the California Consumer Privacy Act (“CCPA”), marking a significant development in California privacy law. These cover Automated Decision-making Technology (“ADMT”), mandatory Cybersecurity Audits, Risk Assessments, and clarifications for the CCPA’s applicability to Insurance Companies. The package will move into its final review stage before formal enactment, once filed with the California Office of Administrative Law.

CCPA Steering Toward Operational Compliance

This is a clear signal that privacy compliance expectations in California are trending toward a more operational phase. The new rules are designed to give Californians greater control over how their personal information is used while pushing businesses toward higher levels of transparency and accountability, especially when automated decision-making and high-risk data processing is involved. For companies, this is more than just a theoretical update – it’s a clarion call to ensure these requirements are built into day-to-day governance, technology and process design, and vendor management practices.

Continue Reading California Privacy Protection Agency (CPPA) Finally Voted to Adopt Much Debated Update to CCPA Regulations: What Your Business Should Know
joel-durkee-5HdF3ugOSxM-unsplash

On June 3, 2025, the California Senate unanimously passed Senate Bill 690 (SB 690), a bill that seeks to add a “commercial business purposes” exception to the California Invasion of Privacy Act (CIPA).

After multiple readings on the Senate floor, SB 690 passed as amended, and will now proceed to the California State Assembly. SB

conny-schneider-xuTJZ7uD7PI-unsplash (2)

Seyfarth Shaw is proud to sponsor the 2025 Masters Conference, a premier boutique legal event hosted in cities across the U.S., as well as in Toronto and London. The conference will be held on Tuesday, May 20, 2025, at Seyfarth’s Chicago office and will feature keynote presentations, panel discussions, workshops, and networking opportunities.

Topics will include eDiscovery, Artificial Intelligence, Information and Data Governance, Legal Project Management, Forensics and Investigations, Knowledge Management, and Cybersecurity.

Seyfarth partners Jay Carle, Matthew Christoff, and Jason Priebe will share their insights as featured panelists throughout the day. Additional information about their panel topics is outlined below.

For more information and to register, click here.

Continue Reading Seyfarth to Sponsor and Present at 2025 Masters Conference