Virginia’s HB 2094 regulates high-risk AI systems, focusing on consumer protection. Developers must ensure transparency and manage risks, while deployers must disclose AI use. Generative AI outputs must be identifiable. Enforcement includes penalties up to $10,000. Effective July 1, 2026.
Continue Reading Virginia Poised to Become Second State to Enact Comprehensive AI Legislation

On Jan. 17, 2025, EU Regulation 2022/2554 on digital operational resilience for the financial sector (DORA) became applicable in the EU.

DORA focusses on risk management and resilience testing, with a strong focus on vendor risk management, incident management and reporting, and resilience testing of key systems.

DORA applies to financial institutions that are authorized

Over the past few years, the rate of notable data breaches has risen considerably, and along with that rise has come an increase in class action litigation. In a world where any company can be the next victim of a breach, business leaders and their legal counsel should consider in advance how to protect privilege

The Security Innovation Network (SINET) hosted its 10th Annual SINET Risk Executive Workshop Jan. 29-30, bringing together CISOs and risk executives for an exclusive, invitation-only event. Over the course of two days, participants engaged in thought leadership sessions that explored the evolving role of modern CISOs and risk executives.

GT Shareholder Jena Valdetero, U.S.

As we settle in to 2025, and five additional state privacy laws have or are about to go into effect, we wanted to put on your radar the obligation to conduct data protection impact assessments (DPIAs). In general, a DPIA should contain:

  • a systematic description of potential processing operations and the purpose of the processing,

Greenberg Traurig Data Privacy & Cybersecurity Practice Shareholder Liz Harding presented “Artificial Intelligence: Understanding the US Legal and Regulatory Landscape Governing AI” to the ACC of Israel Feb. 11. The session discussed potential legal harms from the use of artificial intelligence and how the United States has addressed those harms, including by:

  • Reinterpreting consumer protection

Six months after the SEC’s Cybersecurity Incident Disclosure Rule (SEC Rule) came into force, an April 2024 GT Alert summarized disclosure trends. The GT Alert identified that the companies who filed a mandatory form 8-K disclosing a cybersecurity incident had erred on the side of caution, hedged on whether the materiality threshold had been met

On Jan. 16, 2025 the European Data Protection Board (EDPB) published guidelines on the pseudonymization of personal data for public consultation. The Berlin Data Protection Commissioner (BlnBDI) played a leading role in drafting these guidelines (see the German-language BlnBDI press release). The consultation is ongoing, and comments can be submitted until Feb. 28, 2025