Katten's Privacy, Data and Cybersecurity Quick Clicks is a monthly newsletter highlighting the latest news and legal developments involving privacy, data and cybersecurity issues across the globe.



New Joint Commission Guidance on the Use of Artificial Intelligence in Healthcare

By Paul DeMuro, Brandon von Kriegelstein and Taylor Stilwell

On September 17, the Joint Commission, in collaboration with the Coalition for Health AI (CHAI), issued its first high-level framework on the responsible use of artificial intelligence (AI) in healthcare. The Guidance on the Responsible Use of AI in Healthcare (Guidance) is intended to help hospitals and health systems responsibly deploy, govern and monitor AI tools across organizations. The goal of the Guidance is to help "…the industry align elements that enhance patient safety by reducing risks associated with AI error and improving administrative, operational, and patient outcomes by leveraging AI's potential." Read more about how the Guidance applies broadly to "health AI tools."


AI Usage in the Banking and Financial Services Industry and the Current State of Regulation and Litigation Involving AI

By Eric Hail and Ted Huffman

This September 18 article, published by TexasBarCLE, explores the growing role of AI in the delivery of financial products and services, the emerging legal challenges arising from its use, and how legislatures and regulators are working to keep pace with the technology. Though still evolving, banks and consumer finance companies are actively leveraging AI to augment and improve a multitude of financial services functions with the ultimate goal of lowering costs for such services. Read more about how AI is being used to enhance cybersecurity, detect fraud and more.


'What is illegal offline, must be illegal online': Cyberflashing and the Online Safety Act

By Terry Green and Larry Wong

On September 29, UK Technology Secretary Liz Kendall announced that cyberflashing will be categorized as a "priority offence" under the Online Safety Act (OSA) in a push to protect women and girls online, where one in three teenage girls report having received unsolicited pictures at least once. This is not the first time that the Secretary of State has used its powers to amend the list of priority offences under the OSA via secondary legislation. She made it clear that "what is illegal offline, must be illegal online," which could mean more changes are on the horizon. Read more about the designation of cyberflashing as a priority offence and what this means for platforms.


FTC's Landmark $2.5 Billion Amazon Settlement Highlights Ongoing Focus on "Dark Patterns"

By Catherine O'Brien and Christopher Cole

Three days into trial, Amazon agreed to pay $2.5 billion to settle a Federal Trade Commission (FTC) lawsuit alleging that the company misled millions of consumers into subscribing to Amazon Prime and then made it unreasonably difficult for them to cancel, in alleged violation of the FTC Act. The settlement is instructive for several reasons: (1) it represents the largest ever obtained by the Ferguson (GOP-led) FTC; (2) it serves as phase one of FTC litigation against Amazon, with a monopolization case to follow in the Western District of Washington; (3) it forms part of a broader litigation campaign against the online retail giant that includes state attorneys general and private class actions; (4) it offers insight into how the FTC will interpret and apply its jurisdiction over "difficult" cancellations, and it marks the first prominent enforcement action in the agency's ongoing campaign against so-called "dark patterns," allegedly manipulative design practices that steer consumers into unintended transactions; and (5) it illustrates how these issues may play out in court, where employees' and contractors' emails featured prominently in the FTC's case. Read more about the FTC complaint and the trial evidence against Amazon.


Are You Ready? – New York DFS Cybersecurity Regulation Approaches Its Final Compliance Phase

By Carl Kennedy, Trisha Sircar and Caron Song

Are you operating as a financial services business? Are you aware of the new cybersecurity rules that will soon apply to New York–regulated financial firms? If you are a financial services business and are unaware of the upcoming compliance date for New York's cybersecurity requirements, please mark your calendar. On November 1, the final phase of compliance under the New York Department of Financial Services' (DFS) 23 NYCRR Part 500 (Cybersecurity Regulation) will take effect. These requirements stem from the second amendment (Second Amendment) to the Cybersecurity Regulation, which was originally adopted in 2017. The Second Amendment was finalized in November 2023 and has been rolling out in phases since then. Read more background on the cybersecurity regulation and what it means for firms.


FDA Seeks Stakeholder Feedback on AI-Enabled Medical Device Performance

By Kate Hardey

The US Food and Drug Administration (FDA) is offering an opportunity for stakeholders to provide feedback to "advance a broader discussion among the AI healthcare ecosystem." Specifically, the FDA has issued a Request for Public Comment to gather insights on evaluating the real-world performance of AI-enabled medical devices, including generative AI technologies. This initiative, detailed in Docket No. FDA-2025-N-4203, aims to ensure these devices remain safe and effective post-deployment by further evaluating challenges like data drift that may impact the accuracy and reliability of predictive models. Comments are due by December 1. Read more about key topics included in the series of targeted questions.