Photo of Edward McNicholas

Last week, the U.S. Supreme Court agreed to hear a case that is expected to resolve a long-developing split among federal courts of appeals over the scope of the Video Privacy Protection Act of 1988 (“VPPA”), 18 U.S.C. § 2710. In granting certiorari in Salazar v. Paramount Global, the Court will address a question that has increasingly shaped VPPA class action litigation in recent years: who qualifies as a “consumer” protected by the statute.

As 2025 draws to a close and some organizations slip into a quieter holiday rhythm, their AI systems continue humming in the background—summarizing customer inquiries, triaging security alerts, generating code, and synchronizing records across critical systems. Within that uninterrupted activity, however, lies a less festive truth: agentic AI introduces cyber risks of unprecedented complexity and novelty, beyond what conventional architectures were designed to manage.

Agentic AI—the class of systems that can reason, plan, act, and adapt toward goals with reduced human oversight—promises measurable gains across legal services, finance, healthcare, and supply chain operations. But the same autonomy that drives new efficiencies also creates a distinctly complex cybersecurity risk profile. By initiating actions, calling tools, exchanging data with other agents, and escalating privileges to meet objectives, autonomous systems expand the attack surface and introduce “digital insiders” that can err at scale, leak data silently, and even be co-opted by threat actors. For those advising on governance, cyber preparedness, and emerging-tech strategy, the takeaway is clear: companies need a practical, defensible program tailored to agentic environments—one that reduces the likelihood and blast radius of failures before a single misaligned step turns out all the lights.

An increasingly aggressive plaintiffs’ bar has brought purported class action suits based on the nearly ubiquitous use of tracking technologies used for website analytics. Although any actual harm to the plaintiffs is difficult to articulate, the health care industry has been plagued by a series of these cases. Now the plaintiffs may be moving to financial services with the potential for statutory penalties of hundreds of dollars per user when a duty of confidentiality can be credibly implicated. 

The tracking tags, pixels and similar website analytics technologies are nothing new. Rather, the technologies at issue in such complaints are widely used on websites and mobile applications across industries, including by government entities, to collect information about user behaviors and interactions with the online platform where they are embedded. That information is then sent to a third party for analytics used to enhance user experience on the platform. Many of these technologies are integral to an organization’s ability to ensure its websites and applications are functioning properly, among other things providing crash reports when users encounter issues. Additionally, many consumer-facing businesses contract with third parties to provide session replay scripts, software that monitors and records web-user activity such as keystrokes, clicks, and scrolling. Despite the pervasiveness of these technologies, plaintiffs have seized on ambiguities in the California state wiretap act, known as the California Information Privacy Act, as well as federal wiretap law as the basis for exceptionally large damage demands.

On April 11, 2025, the Department of Justice (“DOJ”) released additional detail regarding the Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”), which went into effect on April 8, 2025. The release included additional

Today, the Department of Justice’s (“DOJ”) Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”) took effect.

Earlier this year, Ropes & Gray published an alert providing an overview of the Final Rule, material changes

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”). This follows the DOJ’s publication of its Notice of Proposed Rulemaking (“NPRM”) in October 2024

On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.” This follows the DOJ’s publication of its Advance Notice of Proposed Rulemaking earlier this year. 

On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements concern the issuers’ disclosures relating to cybersecurity risks and intrusions following the December 2020 SUNBURST cybersecurity incident, which affected