On June 2, 2026, Connecticut Governor Ned Lamont signed Senate Bill 5 into law, designated as Public Act 26-15 and also known as the Connecticut Artificial Intelligence Responsibility and Transparency Act (the “CART Act” or “Act”).1 The CART Act is among the most comprehensive state AI laws enacted to date, creating distinct obligations for employment-related automated decision tools, consumer chatbots, frontier-model developers, generative-AI provenance, and online platforms used by minors, while also addressing AI applications in healthcare through targeted carveouts and innovation initiatives.
Continue Reading Connecticut Enacts Sweeping AI Law Covering Employment, Healthcare, and Online Safety
Trump’s AI Cybersecurity Order: A Voluntary Framework with Mandatory Implications
On June 2, 2026, President Trump signed an executive order titled “Promoting Advanced Artificial Intelligence Innovation and Security” (the “Order”), which establishes a new framework for government collaboration with the AI industry on cybersecurity and the secure deployment of advanced AI models.1 While voluntary in form, the Order builds significant institutional architecture, including classified benchmarks administered by the National Security Agency (NSA) and a government-managed pre-release review window, that marks the administration’s first direct engagement with pre-deployment evaluation of frontier AI capabilities.
This alert examines the Order’s key provisions and their implications for AI developers, critical infrastructure operators, enterprises deploying AI tools, and investors in AI-driven companies.
Continue Reading Trump’s AI Cybersecurity Order: A Voluntary Framework with Mandatory ImplicationsNewsom Signs Executive Order Establishing AI Vendor Certification and Procurement Framework
On March 30, 2026, Governor Gavin Newsom signed Executive Order N-5-26 (the “Order”), directing California state agencies to develop new certification requirements and procurement standards for companies seeking to provide AI-enabled products or services to the state.1 The Order represents the latest move in an intensifying contest between California and the federal government over the future of AI regulation in the United States.
Continue Reading Newsom Signs Executive Order Establishing AI Vendor Certification and Procurement FrameworkWhen Cyberwar Hits the Corporate Home Front
As recent events indicate, American companies may be the subject of destructive data “wiper” attacks and potential data theft by Iran-linked hackers. Ongoing tensions in the Middle East underscore the stark and evolving cyberthreat landscape facing companies. These types of cyberattacks blend the regulatory and litigation exposure of a traditional data breach with the extreme business risks associated with near total operational disruption. This alert highlights potential legal implications and outlines practical steps companies should consider to strengthen preparedness.
Continue Reading When Cyberwar Hits the Corporate Home Front
Supreme Court to Consider the Video Privacy Protection Act
Last week, the U.S. Supreme Court agreed to hear a case that is expected to resolve a long-developing split among federal courts of appeals over the scope of the Video Privacy Protection Act of 1988 (“VPPA”), 18 U.S.C. § 2710. In granting certiorari in Salazar v. Paramount Global, the Court will address a question that has increasingly shaped VPPA class action litigation in recent years: who qualifies as a “consumer” protected by the statute.
Continue Reading Supreme Court to Consider the Video Privacy Protection ActOn the Fourth Day of Data… All is Calm, All is Bright? Securing Agentic AI Before the Lights Go Out
As 2025 draws to a close and some organizations slip into a quieter holiday rhythm, their AI systems continue humming in the background—summarizing customer inquiries, triaging security alerts, generating code, and synchronizing records across critical systems. Within that uninterrupted activity, however, lies a less festive truth: agentic AI introduces cyber risks of unprecedented complexity and novelty, beyond what conventional architectures were designed to manage.
Agentic AI—the class of systems that can reason, plan, act, and adapt toward goals with reduced human oversight—promises measurable gains across legal services, finance, healthcare, and supply chain operations. But the same autonomy that drives new efficiencies also creates a distinctly complex cybersecurity risk profile. By initiating actions, calling tools, exchanging data with other agents, and escalating privileges to meet objectives, autonomous systems expand the attack surface and introduce “digital insiders” that can err at scale, leak data silently, and even be co-opted by threat actors. For those advising on governance, cyber preparedness, and emerging-tech strategy, the takeaway is clear: companies need a practical, defensible program tailored to agentic environments—one that reduces the likelihood and blast radius of failures before a single misaligned step turns out all the lights.
Continue Reading On the Fourth Day of Data… All is Calm, All is Bright? Securing Agentic AI Before the Lights Go OutResponding to the SitusAMC Data Breach
Recently, major media reported that a key financial services provider, SitusAMC, suffered a substantial data security incident. This Alert summarizes what we know so far, the possible legal implications, and some action items for the corporate clients of SitusAMC.
Continue Reading Responding to the SitusAMC Data BreachPixel Litigation Risk at Financial Institutions
An increasingly aggressive plaintiffs’ bar has brought purported class action suits based on the nearly ubiquitous use of tracking technologies used for website analytics. Although any actual harm to the plaintiffs is difficult to articulate, the health care industry has been plagued by a series of these cases. Now the plaintiffs may be moving to financial services with the potential for statutory penalties of hundreds of dollars per user when a duty of confidentiality can be credibly implicated.
The tracking tags, pixels and similar website analytics technologies are nothing new. Rather, the technologies at issue in such complaints are widely used on websites and mobile applications across industries, including by government entities, to collect information about user behaviors and interactions with the online platform where they are embedded. That information is then sent to a third party for analytics used to enhance user experience on the platform. Many of these technologies are integral to an organization’s ability to ensure its websites and applications are functioning properly, among other things providing crash reports when users encounter issues. Additionally, many consumer-facing businesses contract with third parties to provide session replay scripts, a software that monitors and records web-user activity such as keystrokes, clicks, and scrolling. Despite the pervasiveness of these technologies, plaintiffs have seized on ambiguities in the California state wiretap act, known as the California Information Privacy Act, as well as federal wiretap law as the basis for exceptionally large damage demands.
Continue Reading Pixel Litigation Risk at Financial InstitutionsR&G Tech Studio Presents: AI Innovation vs. Safety—Insights on Trump’s New Executive Order
On this episode of the R&G Tech Studio podcast, Ropes & Gray partners and co-leaders of the firm’s AI initiative, Megan Baca and Ed McNicholas, delve into the key implications of President Trump’s new AI Executive Order 14179, contrasting it with the previous Biden administration’s approach to AI regulation. They explore the nuances of AI
DOJ Releases FAQs and Compliance Guidance for Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and other Countries of Concern
On April 11, 2025, the Department of Justice (“DOJ”) released additional detail regarding the Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” (the “Final Rule”), which went into effect on April 8, 2025. The release included additional