BizTech Law Blog

The Cybersecurity Information Sharing Act of 2015 (“CISA”) expired yesterday on September 30, 2025.

Though Congress discussed renewing the statute prior to its expiration, CISA was not officially reauthorized by the federal government.

CISA was designed to encourage private organizations to share cybersecurity information with other private sector entities and the federal government through the Department of Homeland Security, aiming to strengthen overall monitoring capabilities and bolster collective defense against cyber threats. In particular, the statute ...

Choosing a college or university is one of the most important, and expensive, decisions students and families will ever make. Unfortunately, scammers know this too, and they are using fake websites to steal money and personal information from unsuspecting applicants.

Recently, Michigan Attorney General Dana Nessel issued a consumer alert warning about fraudulent websites that impersonate real colleges and universities. These sites are designed to look convincing but have no connection to legitimate institutions. Instead, they trick students into sharing sensitive ...

To hear more on this topic, business & IP attorney, Lindsey Mead, recently appeared on an episode of Expert Connexions to discuss the copyrightability of AI-generated content. See the interview here.

The United States Copyright Office (the “Office”) released the latest part in its Report on Copyright and Artificial Intelligence on January 29, 2025. Part 1, titled “Digital Replicas” was published on July 31, 2024 and discussed videos, images, and audio recordings that are manipulated to falsely depict individuals and information. This practice of creating ...

The Federal Trade Commission (FTC) is continuing its firm stance in regulating companies making unsubstantiated or exaggerated claims about their products or services employing artificial intelligence (AI).

On January 20, 2025, President Donald Trump revoked former President Joe Biden’s executive order related to the utilization of artificial intelligence (“AI”).

Now is a busy time for businesses as they wrap things up before year-end. But the holiday season can be stressful for a different reason when the owner or some of the employees are responsible for the care of aging family members on top of working full-time.

With the rise of generative artificial intelligence (AI) and its various synthetic media outputs, deepfakes are just one of many new risks to businesses. Deepfakes pose considerable threats to companies, potentially damaging reputation, trust, and financial stability through malicious impersonation and manipulation of digital content.

On April 14, 2021, the U.S. Department of Labor’s (“DOL”) Employee Benefits Security Administration (“EBSA”) issued its first cybersecurity best practices guidance for retirement plans. The EBSA guidance was highly anticipated as the frequency and cost of data breaches affecting employee benefit plans continues to rise. 

Artificial intelligence (AI) is fast becoming an integral element in the operation of virtually every business and organization.

The AI Revolution is here! Startups across our region are using AI tools in innovative new ways. But could there be legal pitfalls you haven’t considered?

Whether you are the CEO of a big corporation working in the office six days a week or an analyst working remotely from home entering data, everyone is at risk of a cyber-attack. Despite the fact that all organizations, regardless of size, are at risk, few have preventative measures in place, or have even planned for how they would respond in the event of an attack. 

In the wake of the Colonial Pipeline ransomware attack, cyber attacks such as ransomware and phishing continue to be a major threat for all businesses, large or small. Even with precautions in place, it is not a matter of "if" but "when" a business will experience an attack. In the case of Colonial Pipeline, the hackers not only demanded and received millions from Colonial Pipeline in May 2021, but the resulting ransomware attack forced the company into a fuel distribution shutdown, making headlines across the country and causing gas shortages on the east coast. The attack also compromised thousands of individuals' personal information. 

On April 14, 2021, the U.S. Department of Labor’s (“DOL’s”) Employee Benefits Security Administration (“EBSA”) issued its first cybersecurity best practices guidance for retirement plans. The EBSA guidance has been highly anticipated as the frequency and cost of data breaches affecting employee benefit plans continues to rise. The EBSA guidance focuses on actions that plan sponsors, plan fiduciaries, record-keepers, and plan participants can take.

This article has been updated with new information since it was originally published on November 16, 2020.

As health care providers continue to face new challenges relating to the COVID-19 pandemic, it is important for providers to maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Although the Department of Health and Human Services Office for Civil Rights (“OCR”) has loosened some requirements to allow health care providers flexibility during the COVID-19 pandemic, a majority of the patient protections under the HIPAA Privacy Rule have remained intact.

With more employees working remotely for the foreseeable future, a resulting increase in spoofing and other hacking attempts is becoming a very common and real threat. It is imperative for a business to have the proper protection policies and procedures in place.

In the following video, moderated by Patricia Scott, attorneys Taylor Gast and Robert Hamor discuss ways to minimize risk and avoid disaster as more employees work remotely. This video touches on the recent rise in computer hacking attempts, along with a discussion on strategies to protect businesses and employees.

Click the thumbnail below to view the full video.

This video is for general information purposes only and IS NOT LEGAL ADVICE. If you seek legal counsel or need help in determining how this information applies to a specific situation, contact a Foster Swift business & tax law attorney before taking any action.

As if COVID-19 wasn’t enough of a challenge for many struggling hospitals and health care systems, there is another growing threat they must guard against: cyberattacks.

On October 28, 2020, the FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency issued a report warning of "an increased and imminent cybercrime threat" to U.S. hospitals and health care providers.

We are frequently asked about insurance policies that cover internet-based risks like those involving network security like data breaches and ransomware, as well as data privacy related risks like class action lawsuits for privacy violations and costs related to the increasingly complex landscape of privacy rules.

This blog post has since been updated with new information

Hackers are more sophisticated than ever. It is often not a matter of ‘if’ but ‘when’ a data breach will occur. October is National Cybersecurity Awareness Month and with new threats frequently reported in the media; individuals, businesses, municipalities and other organizations need to do their due diligence in preparing for the inevitable.

As a business or business owner, one thing to consider when creating a cybersecurity plan, is a vendor management program. Vendor management programs can help businesses address risks that arise when working with vendors and third parties that might be receiving sensitive information or business information.

This is the second part in a series discussing the actions that companies can take to prepare for potential data privacy legislation. Part One summarizes and discusses recently proposed data privacy legislation.

More than 30 states have legalized medical marijuana and more than 10 have legalized marijuana for recreational use, including Michigan in a 2018 ballot proposal. Marijuana retailers have significant issues to address as the industry and the rules governing it mature over time. Among those issues, retailers should not overlook data privacy and cybersecurity issues.  

If 2018 was any indication, cybersecurity compliance should be high on the list of SEC-regulated companies’ priorities in 2019. Take, for example, the SEC’s 2018 enforcement action against Voya Financial Advisor, Inc. (“Voya”) for violation of the Red Flags Rule, which resulted in a $1 million settlement.

Whose responsibility within a company is cybersecurity? Should key decisions fall to IT, or should higher management be involved more heavily in day-to-day cybersecurity risk management? Given the large fines and compliance obligations facing companies today, it’s probably obvious to most that data privacy and security is not just a technology issue.

Federal data privacy legislation in the United States is looking increasingly likely to pass in the foreseeable future. This renewed outlook is a stark change for those who remember previous legislative proposals, like the 2009 Personal Data Privacy and Security Act that never received a floor vote.

Data privacy and cybersecurity concerns are changing the way potential investors and acquirers evaluate a target company through due diligence. Data and security related risks can be extremely costly – especially those that are not uncovered in due diligence.

On November 2, 2018, Ohio became the most recent state to update its data breach laws by enacting the Ohio Data Protection Act.

For an introduction to these areas, visit Taylor's previous video, an Introduction to Data Privacy, Cybersecurity and Third Party Vendor Management. 

In recent years, security risks and data breaches have increased and businesses are working to be better equipped to respond to emergency cyber attack and breach situations. 

With the rise of data breaches and regulatory enforcement, businesses must acknowledge cybersecurity and data privacy issues as significant business risks.

Health care systems are eager to adapt to newer technology and widespread network options, all in the name of giving patients the best possible care. However, this comes with a price: more outlets for hackers to breach valuable data. 

It's not hyperbole to say that the General Data Protection Regulation's May 25th enforcement date marks one of the largest shifts in the history of privacy laws.

This is the second article in a series on Third Party and Vendor Management. The first article discussed pertinent considerations for vendor contracts in the context of cybersecurity.

The legal fallout from ridesharing service Uber's 2016 data breach, which affected approximately 57 million riders and drivers, has been significant.

This is the first article in a series on Third Party and Vendor Management. The next article in this series discusses provisions for vendor contracts.

When people think of the term "cybercrime", things like fraud and phishing scams commonly come to mind. Less known and discussed is the “DarkNet,” a digital underworld that is inaccessible to most and where illicit marketplaces exist for things like stolen identity information.

Today, the use of software as a service ("SaaS") is widespread and the cybersecurity considerations are an afterthought.

Earlier this year it was revealed that hackers had seized 1.5 terabytes of data from HBO, and over the course of the summer the hackers released the stolen property, including script summaries for "Game of Thrones," as well as scripts and entire seasons of other HBO shows.

In September 2017, credit reporting agency Equifax announced that personal information for over 140 million U.S. consumers was potentially compromised. Equifax’s forensic investigations have put the number closer to 145.5 million. The compromised data includes names, social security numbers, birth dates, addresses, driver’s license numbers and even credit card numbers. Within a matter of weeks after the breach, Equifax’s CEO, Richard Smith, announced he was stepping down. It soon became clear that Equifax’s troubles were just beginning.

In our fast-paced, interconnected business world, the ability to quickly, easily and safely wire money is essential. Companies rely on wire transfers to complete transactions and keep supply chains moving. But with this convenience comes risks.

The U.S. Department of Health and Human Service's Office for Civil Rights ("OCR") recently published guidance for entities covered by HIPAA, entitled "My entity just experienced a cyber-attack! What do we do now?"

In today's world, technology is ever changing and data breaches are widespread. Both have repercussions for the legal profession. As technology has evolved and become more intrusive, the obligations of attorneys and how attorneys handle client matters has also evolved.

Cyber attacks can be costly. Target recently reached a settlement with 47 states to pay $18.5 million, the largest multistate data breach settlement to date. In November 2013, Target's systems were infiltrated and 40 million customers' payment card information was stolen as was the personal information of 60 million customers. In addition to the settlement, Target paid for free credit monitoring services for consumers affected by the breach as part of a $10 million class-action lawsuit settlement. 

The recently formed Cybersecurity Unit of the Criminal Division of the Department of Justice (the “DOJ”) recently issued guidance regarding best practices for organizations to protect against and respond to cybersecurity risks. The guidance, titled “Best Practices for Victim Response and Reporting of Cyber Incidents,” was drafted with smaller organizations in mind, but has relevance to larger ones as well.

What to Do in Advance of a Breach

The DOJ urges organizations to prepare an incident response plan before a breach occurs, and recommends that an organization do the following: