Dec. 6, 2023

Dos and Don’ts for Employee Use of Generative AI

A year after ChatGPT’s public release, companies are revising their initial rules that address how employees can use generative AI (Gen AI) tools. Many companies have given employees Gen AI dos and don’ts for the workplace and directed them to use only brand-new enterprise versions of Gen AI applications. This article examines employers’ shift in Gen AI policies and practices, including training and risk assessment, and presents several dos and don’ts for employees’ Gen AI use. See “Key Legal and Business Issues in AI-Related Contracts” (Aug. 9, 2023).

Navigating a Breach As a Third-Party Service Provider: Communications and Investigation

The series of significant third-party breaches in 2023, notably the MOVEit breach, highlighted the complex incident response considerations that arise when a service provider is a victim of a cyberattack. Collaboration and coordination among various stakeholders are key, and response time remains critical throughout. At a Privacy+Security Forum Fall Academy panel, Troutman Pepper attorneys, along with Kroll’s global head of threat intelligence, discussed third-party incident response issues and practical ways to address them. In this first installment of our two-part series distilling the insights offered, we address messaging, forensic investigations and navigating the dark web. Part two will cover notifications, containment, restoring service and preserving attorney-client privilege. See our two-part series on a ransomware tabletop’s 360-degree incident response view: “Days One to Four” (Jan. 4, 2023), and “Day Five Through Post-Mortem” (Jan. 11, 2023).

U.K. Penalizes Morgan Stanley for Lax Electronic Communications Practices

While the SEC and CFTC continue to target appropriate recording and retention of electronic communications relevant to business operations, a recent U.K. proceeding is an important reminder that firms must also be cognizant of the requirements of other jurisdictions and regulators. The U.K.’s Office of Gas and Electricity Markets determined that Morgan Stanley & Co. International plc (MSIP) had violated recordkeeping regulations applicable to trading in the energy markets by failing to record and retain employees’ WhatsApp messages. The matter resulted in the first fine issued in the U.K. for failure to record and retain electronic communications relating to trading in wholesale energy products; MSIP will pay a penalty of £5.41 million. This article details the relevant regulatory regime and MSIP’s violations. See “SEC and CFTC Continue to Penalize Firms for Electronic Communications Recordkeeping Violations” (Sep. 20, 2023).

Seasoned Cybersecurity and Data Privacy Attorney Joins Stinson in Dallas

Stinson LLP has announced that Jenifer McIntosh has joined the firm’s intellectual property and technology practice division as of counsel in its Dallas office. McIntosh brings more than 20 years of experience and arrives from Ferguson Braswell Fraser Kubasta PC.