Decoded - Technology Law Insights, V 6, Issue 6, June 2025

Volume 6, Issue 6

Welcome to our sixth issue of 2025 of Decoded - our technology law insights e-new

CISA, NSA, FBI Issue New Guidelines on AI Data Security

“This includes methods such as ‘poisoning’ of scraped sources and targeting of weak points in infrastructure and authentication.”

Why this is important: The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency’s Artificial Intelligence Security Center (NSA AISC), and the FBI have issued new AI data security guidelines. These new guidelines are aimed at assisting organizations that handle data used to train AI. The guidelines focus on data drift and potentially poisoned data, and also on risks in the data supply chain. The guidelines include lofty goals that are not practical in the real world, like screening all scraped data for malicious and inaccurate content. What works counter to this guideline is not just the herculean task of reviewing all of the data used to build an AI model, but the fact that data security is not prioritized in the rush to create AI models. The AI data security guidance suggests early adoption of a quantum-resistant method of encryption, and turning to NIST for advice on both that and its FIPS 140-3 standard covering certified data storage devices. The guidelines also suggest that AI should train AI. However, this may only compound the issue if the training AI has its own inherent flaws that were not caught by programs when it was created. While the new guidelines are intended to protect the development of new AI models, it appears that the application of these guidelines is not practical. --- Alexander L. Turner

Judge Dismisses Hyundai Biometric Data Lawsuit Over Driver Monitoring System

“The lawsuit claimed Hyundai violated Illinois' Biometric Information Privacy Act by using an infrared camera to collect and store facial data without the owner's consent.”

Why this is important: A recent dismissal of Kathleen M. deGrasse v. Hyundai Motor America, a proposed class-action lawsuit alleging a violation of the Illinois Biometric Information Privacy Act (BIPA) against Hyundai over its Forward Attention Warning system, highlights the critical intersection of rapidly advancing automotive technology and evolving biometric privacy laws. Enacted in 2008, BIPA requires consent from individuals if a company intends to collect or disclose personal biometric identifiers (such as facial geometry, fingerprints, or voiceprints).

Hyundai’s system was designed to detect driver inattentiveness by monitoring eye position and issuing a visual warning when needed. Hyundai moved to dismiss the case, arguing the plaintiff failed to show the company "captured, collected, or otherwise obtained" biometric data as defined under BIPA. The U.S. District Court agreed that Hyundai had not "captured, collected, or otherwise obtained" biometric identifiers, as defined by BIPA, providing a win for the Korean automaker.

This case underscores the growing legal scrutiny surrounding in-vehicle data collection and offers important lessons for both consumers and manufacturers. The case also brings to light broader legal implications for the automotive industry:

  • Transparency is Key: Companies must be explicitly transparent about all data collected by vehicle systems, particularly sensitive biometric information. Vague or absent disclosures can expose companies to future legal challenges.
  • Defining "Collection" and "Biometric Identifier": The nuanced legal definitions of "collection" and "biometric identifier" were crucial to Hyundai’s Motion to Dismiss. As vehicular monitoring systems become more sophisticated, courts will continue to grapple with whether internal processing of data for operational purposes (e.g., driver alertness) crosses the line into data “collection.”
  • Patchwork of Laws: While BIPA is state-specific, other states are enacting similar biometric privacy laws, which presents a complex regulatory landscape for automakers and would-be plaintiffs nationwide.

--- James T. Taylor

Coinbase Faces Lawsuit Over Alleged Breaches of Illinois Biometric Privacy Law

“The complaint said Coinbase requires users to verify their identity by uploading a government-issued photo ID and a selfie, which is then sent to a third-party facial recognition software to scan and extract facial geometry.”

Why this is important: We’ve discussed in prior issues of Decoded how plaintiffs regularly make use of Illinois’ Biometric Information Privacy Act (BIPA) to file private lawsuits against companies that are alleged to mishandle biometric data. For the second time in the past few years, the largest U.S.-based cryptocurrency exchange is the target of one of those suits. The lawsuit alleges that Coinbase collected faceprints in order to comply with Know Your Customer regulations, but collected that data without customers’ informed consent and failed to provide customers with information about the sharing of that data. The prior suit was directed to proceed in arbitration and later dismissed. We will know shortly if this lawsuit is also sent to arbitration. Regardless, this lawsuit and others like it show that managing the requirements of different federal and state laws and regulations (Know Your Customer regulations vs. BIPA) is often difficult and can lead to hefty consequences if not correctly done. --- Nicholas P. Mooney II

Trump EO Pumps Brakes on Software Security Requirements

“Industry officials are now closely watching how NIST pulls together a consortium that will help develop software security implementation guidance.”

Why this is important: President Trump recently signed an Executive Order that maintained the Biden-era requirement that government contractors execute a self-attestation that they are in compliance with federal government security requirements based on the NIST framework. However, his new Executive Order removed the portion of President Biden’s Executive Order that directed the development of new acquisition regulations requiring software vendors to provide proof of compliance with the NIST framework. This was removed in order to streamline the acquisition process. Instead of new contract requirements, President Trump directed NIST to establish an industry consortium by August 1, 2025 to develop guidance that “demonstrates the implementation of secure software development, security, and operations practices” in the SSDF. Trump’s Executive Order also directs NIST to publish a preliminary update to the SSDF by December 1, 2023 to include “practices, procedures, controls and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself.” --- Alexander L. Turner

This Rural Community Fought the Country’s Second-Biggest Gas-Powered Data Center, and Won

“Inside the grassroots opposition that fended off a 2,200-acre data center campus in southern Virginia, and why their struggle isn’t over yet.”

Why this is important: Artificial intelligence is increasing the power demand for data centers, which are used to power the large language models on which AI operates. According to the U.S. Department of Energy, the power demand for data centers is expected to double or triple by 2028 compared to 2023 levels. The creation of data centers has recently been the focus of several states and commonwealths, including West Virginia, Virginia, Alabama, and Kentucky. In fact, Virginia has been called the “Data Center Capital of the World,” with 507 data centers located north of Richmond, which is a higher concentration than in any other state or country. The article discusses a proposal to build 84 warehouse-sized data center buildings and a 3,500-megawatt power plant fueled by natural gas on 750 acres of land. The proposal also sought to rezone 14 parcels of land, previously zoned for agricultural and rural residential use. The article tells the story of how many neighboring landowners sought to stop this proposal from being approved. They teamed with air pollution researchers at Harvard University to successfully defeat the proposal. Issues like this are almost certain to arise more frequently in the future. There will be a push to create more data centers, and that push will continue to lead to friction and disputes with local residents. --- Nicholas P. Mooney II

Study: 19% of Home Care Providers Discontinued Telehealth Post-Pandemic, Citing Limited Reimbursement

“Many reported that even during the pandemic, the Centers for Medicare & Medicaid Services failed to reimburse patient care conducted through virtual care at rates comparable to in-person services.”

Why this is important: According to a recent study published by Health Services Research, since its adoption in response to the COVID-19 pandemic, the use of telehealth services by many home healthcare companies has ceased. The study found that roughly 19 percent of home health providers stopped using telemedicine after the peak of the pandemic due, in part, to a lack of federal reimbursement from the Centers for Medicare & Medicaid Services (CMS). Many of the study participants reported that a significant share of their patient population consisted of individuals of advanced age with significant cognitive impairment, including conditions such as dementia, who would greatly benefit from access to remote care. Another significant factor that home healthcare companies reported as contributing to the drop in patient access to remote care was a lack of technological literacy, resulting in a lack of demand. Some home healthcare companies were just blatantly against giving virtual care in a home health setting, arguing it should only be provided as in-person care. In assessing the efficacy of telehealth services, the authors of the study urge more research to determine if telehealth could play a role in improving patient outcomes, especially if performed at a reduced cost. --- Jennifer A. Baker

Data Security Concerns Hamper Patient Portal Uptake: Survey

“Seventeen percent of respondents who don’t use online portals said they haven’t adopted them due to security concerns.”

Why this is important: The introduction of patient portals to healthcare has made healthcare more accessible to patients. From messaging the provider, requesting prescription refills, and reviewing test results, to paying bills and scheduling appointments, patient portals offer numerous conveniences to patients. However, in a recent survey commissioned by LexisNexis Risk Solutions, 16 percent of the respondents said they had never accessed a patient portal. Patients who have not used a patient portal reported numerous reasons for not doing so: 36 percent said they preferred to talk to a human, 27 percent were not aware of their portal or how to access it, and 17 percent expressed security concerns. --- Brienne T. Marco

Hacking, Ransomware Driving More Healthcare Data Breaches: Study

“Hacking and IT incidents accounted for 88% of patient records exposed from 2010 to 2024, while ransomware made up nearly 40%, according to the research published in JAMA Network Open.”

Why this is important: A new study confirms that healthcare data breaches are on the rise. The study, published by the JAMA Network Open on May 14, 2025, has found that the number of healthcare data breaches more than doubled between 2010 and 2024. In particular, hacking and IT incidents have risen as a cause for breaches from 4 percent in 2010 to 81 percent in 2024, and as a cause for unauthorized release of patient records from 2 percent in 2010 to 91 percent in 2024. While down from its peak in 2021, ransomware attacks have increased from 0 cases in 2010 to 11 percent of all healthcare data breach cases in 2024. The good news: breaches due to theft, unauthorized access, and improper disposal or loss have decreased in the same time span. Hospitals, health plans, and other healthcare organizations continue to be particularly vulnerable to ransomware attacks owing to their limited cybersecurity resources and the potential consequences of delays to patient care. The JAMA Network Open researchers suggest certain mitigation strategies, including mandatory ransomware fields in OCR reporting, revised security classifications, and monitoring cryptocurrency. If you need assistance with preparing to thwart a cyberattack or to review your contracts with vendors to ensure that you are protected in the event that they become the victim of a cyberattack, please contact a member of Spilman’s Health Care Practice Group for assistance. --- Timothy J. Lovet

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Spilman Thomas & Battle, PLLC

Written by:

Spilman Thomas & Battle, PLLC