BizTech Law Blog

The Cybersecurity Information Sharing Act of 2015 (“CISA”) expired yesterday on September 30, 2025.

Though Congress discussed renewing the statute prior to its expiration, CISA was not officially reauthorized by the federal government.

CISA was designed to encourage private organizations to share cybersecurity information with other private sector entities and the federal government through the Department of Homeland Security, aiming to strengthen overall monitoring capabilities and bolster collective defense against cyber threats. In particular, the statute ...

Following Executive Order 14179 from January 23, 2025 titled Removing Barriers to American Leadership in Artificial Intelligence, President Donald Trump’s administration has unveiled its awaited artificial intelligence (“AI”) roadmap to cement the United States as a front runner in the “race to achieve global dominance in [AI]”.

The plan, titled American’s AI Action Plan (the “Plan”), is a 28-page document that outlines more than 90 federal policy actions under three strategic pillars: (1) accelerating innovation; (2) building American AI ...

On January 20, 2025, President Donald Trump revoked former President Joe Biden’s executive order related to the utilization of artificial intelligence (“AI”).

With the rise of generative artificial intelligence (AI) and its various synthetic media outputs, deepfakes are just one of many new risks to businesses. Deepfakes pose considerable threats to companies, potentially damaging reputation, trust, and financial stability through malicious impersonation and manipulation of digital content.

Yesterday, on October 16, the Federal Trade Commission (“FTC”) issued final amendments to the “Rule Concerning Recurring Subscriptions and Other Negative Option Programs”, also referred to as the “Click-to-Cancel” Rule (the “Rule”). See the following link from the FTC’s website for more information: Federal Trade Commission Announces Final “Click-to-Cancel” Rule Making It Easier for Consumers to End Recurring Subscriptions and Memberships | Federal Trade Commission (ftc.gov).

On April 14, 2021, the U.S. Department of Labor’s (“DOL”) Employee Benefits Security Administration (“EBSA”) issued its first cybersecurity best practices guidance for retirement plans. The EBSA guidance was highly anticipated as the frequency and cost of data breaches affecting employee benefit plans continues to rise. 

Many businesses are using Artificial Intelligence (AI) tools in a variety of innovative ways to improve productivity and to save time and money. According to a 2023 Forbes article (forbes.com/advisor/business/software/ai-in-business/), 1 in 3 businesses plan to use ChatGPT to write their website content while 97% of business owners believe it will help their business.

Artificial intelligence (AI) is fast becoming an integral element in the operation of virtually every business and organization.

The AI Revolution is here! Startups across our region are using AI tools in innovative new ways. But could there be legal pitfalls you haven’t considered?

Whether you are the CEO of a big corporation working in the office six days a week or an analyst working remotely from home entering data, everyone is at risk of a cyber-attack. Despite the fact that all organizations, regardless of size, are at risk, few have preventative measures in place, or have even planned for how they would respond in the event of an attack. 

Nearly two years after the start of the COVID-19 pandemic, the state of Michigan is continuing to design new programs to help support Michigan businesses that were negatively impacted by the pandemic and resulting economic shutdowns. Beginning March 1, 2022, Michigan will distribute up to $409 million under the new Afflicted Business Relief (ABR) grant program. Eligible businesses can apply beginning March 1, 2022 through March 31, 2022. Grants are not first-come, first-serve, but instead may be prorated depending on the number of eligible businesses that apply.

In the wake of the Colonial Pipeline ransomware attack, cyber attacks such as ransomware and phishing continue to be a major threat for all businesses, large or small. Even with precautions in place, it is not a matter of "if" but "when" a business will experience an attack. In the case of Colonial Pipeline, the hackers not only demanded and received millions from Colonial Pipeline in May 2021, but the resulting ransomware attack forced the company into a fuel distribution shutdown, making headlines across the country and causing gas shortages on the east coast. The attack also compromised thousands of individuals' personal information. 

On April 14, 2021, the U.S. Department of Labor’s (“DOL’s”) Employee Benefits Security Administration (“EBSA”) issued its first cybersecurity best practices guidance for retirement plans. The EBSA guidance has been highly anticipated as the frequency and cost of data breaches affecting employee benefit plans continues to rise. The EBSA guidance focuses on actions that plan sponsors, plan fiduciaries, record-keepers, and plan participants can take.

On Friday February 12, the Maryland State Senate voted to override Maryland’s governor to pass a bill creating a tax on annual gross revenues derived from digital advertising services in Maryland. Maryland’s digital advertising tax is the first of its kind in the United States.

With more employees working remotely for the foreseeable future, a resulting increase in spoofing and other hacking attempts is becoming a very common and real threat. It is imperative for a business to have the proper protection policies and procedures in place.

In the following video, moderated by Patricia Scott, attorneys Taylor Gast and Robert Hamor discuss ways to minimize risk and avoid disaster as more employees work remotely. This video touches on the recent rise in computer hacking attempts, along with a discussion on strategies to protect businesses and employees.

Click the thumbnail below to view the full video.

This video is for general information purposes only and IS NOT LEGAL ADVICE. If you seek legal counsel or need help in determining how this information applies to a specific situation, contact a Foster Swift business & tax law attorney before taking any action.

With the addition of new rules from the SBA (Small Business Administration), business & tax law attorneys Taylor Gast and Mike Zahrt discuss these updates regarding the impact of PPP Loans on Mergers & Acquisitions activity.

As PPP (Paycheck Protection Program) Loan Applicants await for banks to open their portals and begin accepting forgiveness applications, Foster Swift Business & Tax attorneys Taylor Gast and Mike Zahrt discuss recent updates regarding applications along with answers to common questions to consider regarding the next steps in the loan process.

Click the thumbnail below to view the full video. 

This video is meant to provide general information and SHOULD NOT BE CONSIDERED LEGAL ADVICE. If you seek legal counsel or need help in determining how this information applies to a specific situation, contact a Foster Swift business attorney before taking any action. Our attorneys can help assist you in making the best decisions for your circumstances.

On August 26, 2020 the Securities and Exchange Commission (SEC) adopted amendments to Rule 501(a) of the Securities Act that expand the definition of “accredited investor” to include additional categories of investors who may invest in unregistered private offerings. This amendment is intended to provide greater access to private investment markets. The amendments become effective 60 days after the new rule is published in the Federal Register.

For more articles from the June 2020 issue of Business & Tax Law News, click here.

The CARES Act created the Employee Retention Tax Credit (“ERTC”), which is designed to provide financial relief to employers during the COVID-19 pandemic. The ERTC is a refundable tax credit that is credited against an employer’s share of social security taxes for specific wages paid on or after March 12, 2020 and before January 1, 2021. An eligible employer can access ERTC funds by (1) immediately reducing employment tax obligations, (2) applying for an advance payment of the estimated credit, or (3) calculating the final credit amount at the end of the applicable calendar quarter, usually on Form 941.  Importantly, an employer that has received a Paycheck Protection Program (PPP) loan cannot also claim the ERTC (unless the employer has repaid its PPP loan by May 14, 2020).

We are frequently asked about insurance policies that cover internet-based risks like those involving network security like data breaches and ransomware, as well as data privacy related risks like class action lawsuits for privacy violations and costs related to the increasingly complex landscape of privacy rules.

This blog post has since been updated with new information

Hackers are more sophisticated than ever. It is often not a matter of ‘if’ but ‘when’ a data breach will occur. October is National Cybersecurity Awareness Month and with new threats frequently reported in the media; individuals, businesses, municipalities and other organizations need to do their due diligence in preparing for the inevitable.

As a business or business owner, one thing to consider when creating a cybersecurity plan, is a vendor management program. Vendor management programs can help businesses address risks that arise when working with vendors and third parties that might be receiving sensitive information or business information.

The Children’s Online Privacy Protection Act (“COPPA”) was enacted in 1998 and was created to address concerns with the online collection of children’s personal information. Recently, the Federal Trade Commission (“FTC”) has announced several large fines for companies not in compliance.

The International Association of Privacy Professionals Global Privacy Summit (“GPS”) occurred at the beginning of this month in Washington, D.C., giving more than 4,000 privacy professionals the chance to meet, reconnect, discuss developing issues, and learn from leaders in data privacy and security. Much of the conversation centered around the General Data Protection Regulation ("GDPR"), now approaching one year since its effective date.

This is the second part in a series discussing the actions that companies can take to prepare for potential data privacy legislation. Part One summarizes and discusses recently proposed data privacy legislation.

More than 30 states have legalized medical marijuana and more than 10 have legalized marijuana for recreational use, including Michigan in a 2018 ballot proposal. Marijuana retailers have significant issues to address as the industry and the rules governing it mature over time. Among those issues, retailers should not overlook data privacy and cybersecurity issues.  

If 2018 was any indication, cybersecurity compliance should be high on the list of SEC-regulated companies’ priorities in 2019. Take, for example, the SEC’s 2018 enforcement action against Voya Financial Advisor, Inc. (“Voya”) for violation of the Red Flags Rule, which resulted in a $1 million settlement.

Whose responsibility within a company is cybersecurity? Should key decisions fall to IT, or should higher management be involved more heavily in day-to-day cybersecurity risk management? Given the large fines and compliance obligations facing companies today, it’s probably obvious to most that data privacy and security is not just a technology issue.

Federal data privacy legislation in the United States is looking increasingly likely to pass in the foreseeable future. This renewed outlook is a stark change for those who remember previous legislative proposals, like the 2009 Personal Data Privacy and Security Act that never received a floor vote.

Data privacy and cybersecurity concerns are changing the way potential investors and acquirers evaluate a target company through due diligence. Data and security related risks can be extremely costly – especially those that are not uncovered in due diligence.

On November 2, 2018, Ohio became the most recent state to update its data breach laws by enacting the Ohio Data Protection Act.

On June 28, California governor Jerry Brown signed into law the California Consumer Privacy Act of 2018. The Act will significantly impact companies (including many based outside of California) and United States legislation in the coming months, although it is unclear whether the new law will serve as an example for other states or an outlier. Importantly, the Act contains a number of "GDPR-like" features, making it the most restrictive data privacy law that the United States has ever seen.

Health care systems are eager to adapt to newer technology and widespread network options, all in the name of giving patients the best possible care. However, this comes with a price: more outlets for hackers to breach valuable data. 

It's not hyperbole to say that the General Data Protection Regulation's May 25th enforcement date marks one of the largest shifts in the history of privacy laws.

The legal fallout from ridesharing service Uber's 2016 data breach, which affected approximately 57 million riders and drivers, has been significant.

On December 12, 2017 President Trump signed the National Defense Authorization Act. In part, the Act requires registration of all drones weighing more than .55 and up to 55 pounds, if you plan on flying them outside.

Earlier this year it was revealed that hackers had seized 1.5 terabytes of data from HBO, and over the course of the summer the hackers released the stolen property, including script summaries for "Game of Thrones," as well as scripts and entire seasons of other HBO shows.

Influencer marketing on social media is a very big business. Here’s how it works: brands team up with individuals with large and engaged followings on social media platforms such as YouTube, Facebook and Instagram (i.e., “influencers”), and pay them to promote their products.

Businesses are understandably concerned about negative reviews posted on popular websites such as Yelp, Facebook, and TripAdvisor.

The U.S. Department of Health and Human Service's Office for Civil Rights ("OCR") recently published guidance for entities covered by HIPAA, entitled "My entity just experienced a cyber-attack! What do we do now?"

The District of Columbia Court of Appeals recently struck down a regulation from the Federal Aviation Administration ("FAA") mandating registration of all drones. The Court found that the registration requirement was too intrusive and overstepped the bounds of the FAA. The petitioner argued that the registration requirement imposed by the FAA violated the statute's clear instruction not to promulgate any rule or regulation relating to model aircraft. The Court found the argument persuasive and vacated the registration rule to the extent it applies to model aircraft used by hobbyist.

Recently, international travelers have noticed US Customs and Border Protection agents with increased interest in searching cell phones, laptops, and other portable technology. Employers should be aware that this trend increases the risk that an unauthorized individual will access sensitive company information, which could result in an inadvertent data breach.

Some international travelers have been asked by border agents to unlock cell phones or provide a password needed to unlock the device. One report included a customs agent threatening to seize a travelers' phone if he did not unlock his cellphone. Employers are rightfully concerned that these searches may allow unauthorized individuals to access sensitive company information.

In 2016 Lansing, MI's Board of Water and Light fell victim to a cyber-attack that resulted in $2.4 million in costs, including a $25,000 ransom paid to the perpetrators. In the aftermath of the breach, BWL announced that it was filing for a $1.9 million insurance claim under its cyber insurance policy, including $2 million in covered losses, less a $10,000 deductible.

There is a lot at stake for businesses when it comes to cyber-crime, which is why more and more businesses are investigating and purchasing cyber insurance to hedge against the risks associated with cyber security and data privacy.

No matter how carefully, thoughtfully and diligently a company works to prevent it, data breaches happen. Company management, IT teams and outside consultants can do everything right and still end up dealing with a breach. That means that knowing how to best respond when (not if) a breach happens should be part of every company’s data protection strategy.

We recommend that every company assemble a security breach team, consisting of individuals inside and outside of the organization who possess different skill sets. This may include technology officers, as well as staff from IT, human resources, communications, legal departments, outside counsel, and outside vendors. The composition of the team will depend on the type and size of the organization, but each member should be in a position and have skills that enable the organization to quickly and properly respond to an incident. The team must also be equipped, authorized and empowered to evaluate and immediately react to an incident once it has occurred.

We recently wrote about how a Cyberattack on Lansing, Michigan's Board of Water and Light ("BWL") resulted in costs nearing $2 million for technical support and equipment upgrades. In fact, BWL's total costs have now stretched to $2.4 million, including a $25,000 ransom paid to the attackers. These facts underscore that the costs of such attacks can be enormous, especially when ransomware is involved.

A recent decision by the U.S. Court of Appeals for the Sixth Circuit (the “Sixth Circuit”) may make it easier for plaintiffs to bring costly lawsuits against companies that allow sensitive data to fall into the wrong hands. Most troubling from a company's perspective, the Sixth Circuit used language that some states legally require in data breach notification letters to justify allowing the case to move forward. Read more about this case here.

It sounds like something out of a Hollywood screenplay: foreign hackers, possibly from Russia, induce an unsuspecting employee of a major utility company to click on an email attachment that is infected with malware, enabling the hackers to cripple the utility’s computer systems unless a ransom is paid. Unfortunately, this story is fact, not fiction.

President Obama recently signed the Defend Trade Secrets Act (the “Act”) into law. The Act creates a new cause of action - which became effective immediately - for trade secret misappropriation.

Prior to the Act, civil claims for trade secret misappropriation were primarily governed by state law. The Act creates federal jurisdiction for claims brought under the Act, which provides plaintiffs with the option to sue in federal court.

On June 21, 2016, the Federal Aviation Administration (“FAA”) released its much-awaited operational rules for drones. We have been tracking these rules for the last year. The biggest change from the proposed rules to final rules is that the final rules eliminate the need for commercial drone operators to obtain a manned aircraft pilot's license. Instead, drone operators will have to pass a knowledge test for unmanned aircraft. The test will be administered at FAA approved testing centers nationwide. 

One of this year's hottest gifts now comes with a registration requirement according to newly-released Federal Aviation Administration regulations.

 On December 14, 2015 the FAA announced that drone owners must register with the FAA before their drone's first outdoor flight. The registration requirement applies to drones that weigh between 0.55 and 55 pounds. Noncommercial users may register through a new web-based system while commercial users must submit a paper application at this time. The $5 registration fee will be waived between December 21, 2015 and January 20, 2016, and all drones must be registered by February 19, 2016. The FAA will provide users with identification numbers which must be marked on any drones that a registered user flies.