🤖 ARTIFICIAL INTELLIGENCE

The Cybersecurity Threat of AI

Financial firms are not safe from the threat of AI, says the New York State Department of Financial Services.

The recommendation was part of an 11-page guidance document the department released this week, which cited risks from social engineering, cyberattacks and the theft of nonpublic information, reports the Wall Street Journal. The NYDFS regulates about 3,000 financial institutions with collectively manage some $9.7 trillion.

“I think it’s really about making sure there’s expertise in the institution, making sure they’re engaging with lots of stakeholders, so they understand the development of the technology,” said Adrienne Harris, superintendent of the NYDFS. “It’s about making sure that you’ve got the right expertise in-house—or that you’re otherwise seeking it through external parties—to make sure your institution is equipped to deal with the risk presented."

As the Insurance Journal notes, the NYDFS's guidance also encourages firms to integrate AI into their cybersecurity measures for "substantial" benefits. “AI’s ability to analyze vast amounts of data quickly and accurately is tremendously valuable for: automating routine repetitive tasks, such as reviewing security logs and alerts, analyzing behavior, detecting anomalies, and predicting potential security threats; efficiently identifying assets, vulnerabilities, and threats; responding quickly once a threat is detected; and expediting recovery of normal operations,”

But as New York state is upping its regulation around AI, California is fumbling its response. Late last month, Governor Gavin Newsom vetoed an AI safety bill (SB 1047), citing that "smaller, specialized models may emerge as equally or even more dangerous than the models targeted by SB 1047 — at the potential expense of curtailing the very innovation that fuels advancement in favor of the public good," NPR details.

California State Senator Scott Weiner, who co-authored the bill, took to X to write that the veto "leaves us with the troubling reality that companies aiming to create an extremely powerful technology face no binding restrictions from U.S. policymakers, particularly given Congress's continuing paralysis around regulating the tech industry in any meaningful way."

AI & Big Law

An analysis by KPMG found that "legal departments will be on the front lines of defending against cyber attacks and upholding organizational resilience." Specifically, the professional services firm adds that legal teams will help organizations respond to these attacks by "working with in-house technology or operational teams to implement or adopt appropriate cybersecurity technology to protect the organization’s data (in compliance with stricter data protection/cyber security laws)."

Verdict

As we've written here before, AI's effects on society are still in their opening chapters. And while the benefits of the technology are being loudly touted by Silicon Valley and other industry leaders, but security risks should also be carefully considered and buttressed against.

‍

🔒 DATA PRIVACY

23andMe and Data Privacy too

It's a question raised by many critics of DNA service 23andMe have raised for years: who has access to my genetic data once it's been collected?

Now, the question is being asked with increased urgency as the company teeters on the verge of collapse. As NPR explains, the company has lost about 99% of its value in the years since its 2021 IPO. But if 23andMe files for bankruptcy, what happens to the genetic data of the 15 million-plus customers who have used the service since 2006?

“HIPAA does not protect data that’s held by direct-to-consumer companies like 23andMe,” Anya Prince, a law professor who specializes in genetic privacy at University of Iowa's College of Law, told NPR. Prince does note that states like New York and California offer some protections to genetic data. She adds that, in those states, “if customers are really worried, they could ask for their samples to be withdrawn from these databases under those laws."

Speaking to the New York Times, Yale Biomedical Informatics professor Mark Gerstein said the threat is that a "threat actor" could gain access to personal genetic data and reveal "someone’s medical characteristics and potential for health risks…like psychosis or heart disease."

But Andy Kill, a spokesperson for 23andMe assured the public that the company follows "laws that regulate the data we collect and believes strongly that customers should have the choice and ability to decide how their data is used…Nothing about that commitment has changed.”

Still, many question the weight of Kill's statement.

Following a data breach at the company in February, Suzanne Bernstein, a law fellow at the Electronic Privacy Information Center told The Guardian that "there are no serious safeguards, no regulation around the collection and sale of really sensitive personal data…For 23andMe, the nefarious [data] breach constitutes a security issue, but so does the company sharing your information with a party that you didn’t know about. Customers may technically consent to their data being shared by accepting the terms and conditions, but those are really long and a lot of people don’t read them.”

Arizona v. Mitcham

A case before the Arizona Supreme Court asks whether the government can test biological material it already has in its possession (such as donated blood) without first obtaining a warrant. In an amicus brief for the case, the ACLU has argued that "given the revealing nature of DNA, collecting and analyzing it constitutes a seizure and a search under the Fourth Amendment." Moreover, "a person’s limited consent to a search of biological material for a specific purpose—in this case, a blood alcohol test for a DUI arrest—does not overcome that requirement."

Verdict

The potential dissolution of 23andMe may be the first time the general public has considered the implications of genetic data privacy. For proponents of stricter regulations, this may be the perfect opportunity to build in new safeguards.

‍