Bridging the Gap: Applying Anti-Money Laundering Techniques and AI to Combat Tariff Evasion
Introduction
In today’s global economy, characterized by complex supply chains and escalating trade tensions, tariff evasion has emerged as a significant threat to economic stability, fair competition, and government revenue. Traditional detection methods increasingly fall short against sophisticated evasion schemes that adapt quickly to regulatory changes. This article presents a compelling case for integrating advanced anti-money laundering (AML) methodologies with cutting-edge artificial intelligence to revolutionize tariff evasion detection. We also examine how established legal frameworks like the False Claims Act and transfer pricing principles from tax law can be weaponized against tariff fraud, and explore the far-reaching implications for commercial enterprises’ compliance programs — including how these tools can level the playing field for businesses facing unfair competition.
The Convergence of TBML and Tariff Evasion: An Untapped Opportunity
Trade-based money laundering (TBML) and tariff evasion operate through remarkably similar mechanisms, creating a natural synergy for detection strategies. Both practices manipulate legitimate trade channels for illicit purposes:
Mis-invoicing: Deliberate falsification of price, quantity, or product descriptions
False Classification: Strategic misclassification of goods under favorable Harmonized System (HS) codes
Value Manipulation: Artificial inflation or deflation of goods’ values
Phantom Shipments: Creation of entirely fictitious trade transactions
This striking overlap presents customs authorities with a valuable opportunity: leverage the sophisticated detection infrastructure already developed for AML compliance to identify and prevent tariff evasion.
TBML Detection Techniques: A Ready Arsenal for Customs Authorities
The AML compliance ecosystem has developed sophisticated techniques that can be immediately deployed to combat tariff evasion:
Advanced Price Anomaly Detection: Statistical modeling to identify transactions that deviate significantly from market norms, historical patterns, and comparable trade flows
Comprehensive Quantity Analysis: Algorithmic comparison of declared quantities against shipping documentation, customs records, and production capacity data
Systematic HS Code Scrutiny: Pattern recognition to flag suspicious classification practices, such as strategic code-switching or exploitation of classification ambiguities
Geographic Risk Mapping: Targeted scrutiny of transactions involving high-risk jurisdictions known for corruption, weak regulatory oversight, or prevalent smuggling
Related Party Transaction Surveillance: Enhanced monitoring of intra-company trades where pricing manipulation is more feasible
Integrated Data Analytics: Cross-referencing multiple data sources to identify inconsistencies that may indicate fraudulent intent
Network Analysis: Sophisticated mapping of business relationships to uncover hidden connections and coordinated evasion schemes
Artificial Intelligence: The Game-Changer in Tariff Evasion Detection
AI dramatically enhances detection capabilities through its ability to process vast datasets, identify subtle patterns, and continuously improve accuracy:
Deterministic AI and Machine Learning
Advanced Anomaly Detection: Supervised and unsupervised learning models that identify subtle deviations from established trade patterns by simultaneously analyzing multiple variables
Multi-factor Risk Classification: Algorithms that dynamically assess transaction risk based on importer history, commodity characteristics, trade routes, and pricing patterns
Predictive Regression Modeling: Statistical techniques that establish expected transaction values and flag significant deviations for investigation
Adaptive Learning Systems: Models that continuously refine detection parameters based on investigation outcomes, ensuring responsiveness to evolving evasion tactics
Large Language Models (LLMs)
Comprehensive Document Analysis: Automated extraction and verification of critical information across diverse trade documentation, identifying inconsistencies that human reviewers might miss
Natural Language Risk Assessment: Analysis of unstructured data sources including news reports, regulatory filings, and industry communications to develop comprehensive risk profiles
Behavioral Pattern Recognition: Identification of suspicious trade patterns that may indicate coordinated evasion strategies
Contextual Trade Analysis: Advanced semantic understanding that can detect mismatches between declared product uses and actual characteristics
Legal Frameworks: Powerful Tools for Enforcement and Competitive Equity
Effective enforcement requires robust legal mechanisms to prosecute and penalize violations:
The False Claims Act: A Powerful but Underutilized Weapon
The False Claims Act (FCA) represents a particularly potent tool in the anti-evasion arsenal, with key advantages that make it especially effective:
Broad Scope of Liability: Importantly, the FCA does not require proof of specific intent to defraud. This means the law covers a spectrum of non-compliant behaviors ranging from simple negligence and mistakes to deliberate fraud, significantly expanding the universe of actionable violations
Whistleblower Incentives: Qui tam provisions that allow individuals with insider knowledge to report violations and share in financial recoveries, creating powerful incentives for disclosure
Treble Damages: Provisions for triple damages that significantly raise the stakes for would-be evaders
Reduced Burden of Proof: Civil rather than criminal standards of evidence, making successful prosecution more achievable
Extended Statute of Limitations: Longer timeframes for investigation and prosecution, allowing authorities to address complex schemes
A Competitive Equity Tool for Businesses
The FCA serves not only as a government enforcement mechanism but as a powerful resource for companies facing unfair competition:
Leveling the Playing Field: Companies that suspect competitors are gaining unfair advantages through tariff evasion can leverage the FCA to prompt investigation and enforcement
Industry Self-Regulation: The qui tam provisions enable industry insiders to report violations, effectively allowing sectors to police themselves
Competitive Intelligence Application: Information gathered through compliance monitoring can help identify and address unfair competitive practices
Market Access Protection: By ensuring all market participants play by the same rules, legitimate businesses are protected from being undercut by non-compliant competitors
Transfer Pricing Principles: Adapting Section 482 to Tariff Contexts*
Transfer pricing principles offer a sophisticated framework for addressing value manipulation:
Arm’s Length Standard: Application of market-based valuation standards to related-party transactions
Comparable Transaction Analysis: Methodologies for establishing appropriate pricing benchmarks
Documentation Requirements: Structured approaches to establishing and documenting fair market value
Burden-Shifting Frameworks: Legal mechanisms that require importers to justify significant pricing discrepancies
Impact on Commercial Enterprise Compliance Programs
The government’s adoption of these advanced detection techniques has profound implications for corporate compliance strategies:
Transformative Effects on Corporate Compliance
Elevated Risk Profiles: Companies face significantly increased detection risk as governments deploy AI-enhanced monitoring, necessitating more robust internal controls
Expanded Documentation Requirements: Enterprises must maintain comprehensive transaction records that can withstand sophisticated algorithmic scrutiny
Proactive Compliance Monitoring: Organizations need to implement their own advanced analytics to identify and address potential issues before they trigger regulatory attention
Cross-functional Compliance Integration: Tariff compliance can no longer operate in isolation but must coordinate with AML, anti-corruption, and tax compliance functions
Strategic Compliance Responses
AI-Enhanced Self-Assessment: Forward-thinking enterprises are deploying their own AI systems to continuously monitor trade activities against regulatory benchmarks
Predictive Risk Modeling: Companies are developing sophisticated models to identify high-risk transactions before filing customs declarations
Transaction Testing Programs: Implementation of statistical sampling and testing protocols to verify compliance across high volumes of transactions
Enhanced Training Programs: Development of specialized training for procurement, logistics, and finance personnel on evasion risk indicators
Third-Party Due Diligence: More rigorous vetting of suppliers, customs brokers, and other trade partners
Competitive Advantages of Robust Compliance
Reduced Penalty Exposure: Companies with sophisticated compliance programs face lower penalties when violations occur
Expedited Customs Clearance: Trusted trader programs offer streamlined processing for companies with demonstrated compliance excellence
Supply Chain Stability: Reduced risk of shipment delays and seizures due to compliance concerns
Reputational Protection: Avoidance of negative publicity associated with customs violations
Strategic Data Utilization: Compliance data becomes a valuable asset for business intelligence and operational optimization
Competitive Intelligence and Market Protection
For businesses concerned about competitors gaining unfair advantages through tariff evasion, these tools offer strategic options:
Market Analysis: Advanced analytics can help identify pricing anomalies that may indicate competitors are benefiting from tariff evasion
Evidence Building: Systematic collection and analysis of market data can help build compelling cases for authorities to investigate
Whistleblower Protection: Companies can establish secure channels for employees or industry insiders to report suspected violations
Regulatory Engagement: Proactive sharing of competitive intelligence with customs authorities can trigger enforcement actions
Industry Collaboration: Formation of industry working groups to establish compliance benchmarks and identify suspicious practices
Challenges and Considerations
Implementing these advanced approaches presents several challenges:
Data Quality and Accessibility: Effective analysis requires comprehensive, accurate data, often from disparate sources
Supply Chain Complexity: Modern trade flows involve numerous intermediaries, complicating transaction monitoring
Cross-Border Cooperation: Effective enforcement requires unprecedented levels of international information sharing
Adversarial Adaptation: Evasion techniques evolve rapidly in response to detection methods
Algorithmic Fairness: AI systems must be designed and monitored to avoid discriminatory impacts on specific countries or industries
Cost-Benefit Balance: Compliance costs must be proportionate to risk and competitive realities
False Positive Management: Systems must be calibrated to distinguish between intentional evasion, negligence, and legitimate mistakes
Conclusion
The integration of AML techniques, artificial intelligence, and established legal frameworks represents a paradigm shift in the fight against tariff evasion. By leveraging these complementary approaches, customs authorities can dramatically enhance detection capabilities while creating powerful deterrents through robust enforcement.
For commercial enterprises, this evolving landscape creates both obligations and opportunities. The expanded scope of FCA liability—covering even negligent errors—demands heightened vigilance in compliance programs. Yet these same tools also offer legitimate businesses powerful mechanisms to combat unfair competition from less scrupulous rivals. Companies facing market distortions from competitors’ tariff evasion now have sophisticated means to identify suspicious patterns and trigger enforcement actions.
As global trade continues to evolve, this multi-faceted approach will be essential to preserving the integrity of international trade systems and ensuring a level playing field for legitimate businesses. Organizations that proactively embrace these changes will not only mitigate regulatory risk but may discover competitive advantages through superior compliance capabilities and the strategic use of enforcement mechanisms to ensure market fairness.
Shenzhen Releases Patent Subsidy Data – Huawei Received Over 35 Million RMB for Foreign Patent Grants
On April 14, 2025, the Shenzhen Municipal Administration for Market Regulation (SAMR) released the List of recipients of the second batch of special funds for intellectual property rights in Shenzhen in 2023 for foreign invention patent authorization (深圳市2023年第二批知识产权领域专项资金国外发明专利授权资助领款名单). Combined with the List of recipients of Shenzhen’s 2023 special fund for intellectual property rights for foreign invention patent authorization (深圳市2023年知识产权领域专项资金国外发明专利授权资助领款名单) published on March 28, 2024 Shenzhen’s SAMR has subsidized Huawei a total of 35,168,904 RMB for foreign patents granted in 2023. Huawei also received 2,619,103 RMB for Chinese invention patents that granted in 2023. ZTE and Tencent also received significant subsidies for foreign patent grants. Note that these statistics do not include subsidies for subsidiaries located in other cities. Note that direct subsidies for grants will end this year.
The top 5 total 2023 subsidies for foreign patent grants are:
No.
Name of the recipient
Amount
1
Huawei Technologies Co., Ltd.
CNY 35,168,904.98
2
ZTE Corporation
CNY 19,605,473.78
3
Tencent Technology (Shenzhen) Co., Ltd.
CNY 13,358,477.67
4
Shenzhen Goodix Technology Co., Ltd.
CNY 7,249,009.85
5
Shenzhen DJI Innovations Technology Co., Ltd.
CNY 6,430,024.87
The original data for the first tranche is here (Chinese only) and second tranche here (Chinese only). Translated datasets are available here: DomesticPatent1; ForeignPatent1; ForeignPatent2; and DomesticPatent2.
Breaches Within Breaches: Contractual Obligations After a Security Incident
We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from alleged breach of contract between two companies. This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.
Complaint Background
According to the complaint, the laboratory – Molecular Testing Labs (MTL) – is a Covered Entity under HIPAA, and Ntirety is its Business Associate. Reportedly, the parties entered into a BAA in September 2018. The BAA’s intent was to “ensure that [Ntirety] will establish and implement appropriate safeguards” for protected health information (PHI) it handles in connection to the functions it performs on behalf of MTL. The complaint points to various provisions of the BAA related to Ntirety’s obligations, including complying with the HIPAA Security Rule. According to MTL, the BAA also includes an indemnification provision that requires Ntirety to indemnify, defend, and hold harmless MTL against losses and expenses due to a breach caused by Ntirety’s negligence.
Alleged HIPAA Violations
MTL asserts that around March 12, 2025, it received information about a material data breach involving data “that was required to have been secured by Ntirety under the BAA.” The complaint is unclear about how or from whom MTL received that information.
The complaint asserts that MTL’s forensic investigation determined that Ntirety had faced a ransomware attack, potentially from Russian threat actors. MTL’s forensic investigation determined that Ntirety had “significant deficiencies, shortcomings, and omissions” in its procedures and practices that enabled the threat actors to access Ntirety’s computer systems and MTL’s confidential information.
In addition, MTL alleges that “Ntirety failed to provide material support to MTL for weeks” and that the support offered was conducted “slowly and incompetently.” Allegedly, Ntirety informed MTL that it would charge MTL for such efforts. MTL argues that under its BAA obligations, Ntirety was required to support MTL in its efforts to respond to and mitigate the security incident’s harmful effects.
Alleged Breach of Contract – Indemnification Demand
MTL also asserts that it has incurred or expects to incur various damages related to “remediation efforts, HIPAA notification requirements, possible legal and regulatory actions, and direct and indirect harm to MTL’s business.” Specifically, MTL claims it has already incurred damages related to the forensic investigation and anticipates further damages associated with fulfilling HIPAA PHI breach notifications and providing credit monitoring services. MTL also expects to suffer harm to its business as a result of the breach and to be subject to lawsuits and regulatory action.
Reportedly, on March 25, 2025, and April 3, 2025, MTL sent formal demands to Ntirety for indemnification under the BAA for losses incurred as a result of the breach, but Ntirety “has provided no substantive response to MTL’s indemnification demands.”
Lessons Learned
After discovering a breach, companies have numerous obligations, such as determining whether data has been corrupted, containing the incident, conducting a forensic investigation, and identifying individuals whose data may have been involved. It can often take weeks or even months to understand the scope and extent of a breach, but companies should also promptly assess their contractual obligations post-breach. Whether in a BAA or another service agreement, companies may be required to let their vendors and other partners know about an incident.
In addition, companies should consider whether to communicate about the incident at a high level to their vendors and partners, even absent contractual requirements, particularly if news about the incident has already leaked. The risk of such communications includes potentially providing premature information that is likely to change as the forensic investigation unfolds. On the flip side, partners might appreciate the transparency and direct acknowledgment. There can be many legal and regulatory consequences of a data breach, but with adherence to contractual obligations and appropriate communication, a breach of contract claim doesn’t have to be one of them.
CISA Issues Alert on Potential Legacy Oracle Cloud Compromise
BleepingComputer has confirmed the rumor that Oracle has suffered a compromise affecting its legacy environment, including the compromise of old customer credentials (originally denied by Oracle). Oracle notified some affected clients that old legacy data from Oracle Classic (last used in 2017) was involved in the incident. BleepingComputer has reportedly had direct contact with the threat actor, which has “shared data with BleepingComputer from the end of 2024” and posted newer records from 2025 on a hacking forum.
The incident was discovered in late February. According to BleepingComputer, “the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.” The threat actor offered over six million data records for sale on BreachForums on March 20, 2025, alleging the data originated from the Oracle incident.
On April 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on the “potential legacy Oracle Cloud compromise.” The guidance confirms that the incident’s scope and impact are uncertain but provides information about the risks associated with compromised credentials.
The Alert states:
The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risks to enterprise environments. Threat actors routinely harvest and weaponize such credentials to:
Escalate privileges and move laterally within networks.
Access cloud and identity management systems.
Conduct phishing, credential-based, or business email compromise (BEC) campaigns.
Resell or exchange access to stolen credentials on criminal marketplaces.
Enrich stolen data with prior breach information for resale and/or targeted intrusion.
The Alert provides recommendations to organizations “to reduce the risks associated with potential credential compromise.” The recommendations are solid for any credential compromise but particularly relevant to Oracle customers.
Judge Rules “Tester” Plaintiffs Cannot Bring Wiretap Claims under California Invasion of Privacy Act
In a big win for businesses, a California federal court just held that a “tester” plaintiff—someone who visits websites to initiate litigation—cannot bring a claim under the California Invasion of Privacy Act (CIPA). Rodriguez v. Autotrader.com, Inc., No. 2:24-cv-08735, 2025 WL 65409 (C.D. Cal. 1.8.25) Tester plaintiffs have started to focus on consumer protection statutes in hopes of broadening CIPA’s application to include internet communications, which would provide them a treasure trove of potential targets. However, the recent decision in Rodriguez provides a defense for businesses facing lawsuits by tester plaintiffs and bolsters another unrelated defense: setting privacy expectations with consumers.
I previously wrote about CIPA claims and the uptick in litigation claiming wiretap violations based on a website’s use of trackers.
Here, the plaintiff alleged violations of CIPA by Autotrader.com for its:
Operation of a pen register on its website using tracking technology that could collect a user’s IP address
Disclosure of website search terms to third parties (akin to illegal wiretapping)
The court dismissed these claims, stating that a tester plaintiff who “actively seeks out privacy violations” does not expect privacy. Because a tester plaintiff in a CIPA case visits the website and intentionally enters information into the website expecting their information to be “accessed, recorded, and disclosed,” the individual cannot claim an injury. The tester essentially expects the injury to occur.
What should your business do as a result of this decision? Be prepared and consider:
Reviewing your website and its Privacy Policy and Terms of Use;
Evaluate the types of tracking tools your website uses and their necessity/value (e.g., pixels, web beacons, cookies, etc.). Often, businesses discover that the website cookies and pixels are actually just left over from past initiatives or that certain cookies were installed but never used.
Consider using a scanning tool and analyze the scan results to learn what tracking technologies your website uses.
Determining what third parties do with the data collected via your website tracking tools;
Include appropriate disclosures in your Privacy Policy and cookie banner/preferences (e.g., to whom is the data disclosed, the use of the data, and a hyperlink to the Privacy Policy in the cookie banner).
For example, cookie banners should state that data is disclosed to third parties for targeted ad purposes, if that is the case, instead of only stating that the website uses cookies to improve user experience.
Providing an opt-out option (and symmetry of choice)
While opt-in consent is not required by applicable consumer privacy laws (such as the California Consumer Privacy Act as amended by the California Privacy Rights Act), allowing users to make informed choices about website tracking could prevent CIPA claims against your business.
Privacy Tip #440 – Text Scam Proceeds Surpass $470M in 2024
I have been getting a lot of texts that are clearly scams, and those around me have confirmed an increase in spammy texts.
According to an FTC Consumer Protection Data Spotlight, individuals lost over $470 million resulting from text scams. The top text scams of 2024 that accounted for half of the $470 million lost by consumers to fake texts included:
Fake package delivery problems;
Phony job opportunities;
Fake fraud alerts;
Bogus notices about unpaid tolls; and
“Wrong number” texts that aren’t.
According to the FTC, actionable ways to help stop text scams include:
Forwarding messages to 7726 (SPAM). This helps your wireless provider spot and block similar messages.
Reporting it on either the Apple iMessages app for iPhone users or Google Messages app for Android users.
Reporting it to the FTC at ReportFraud.ftc.gov.
How can you avoid text scams?
Never click on links or respond to unexpected texts. If you think it might be legit, contact the company using a phone number or website you know is legitimate. Don’t use the information in the text message. Filter unwanted texts before they reach you.
Remember that texts are just like emails and can be used for smishing instead of phishing. Treat them the same—with a healthy bout of caution and vigilance to avoid being victimized.
Video Game Developer’s Website Privacy Policy Disclosure and Cookie Banner Consent Defeat Wiretap Class Action
Video game developer Ubisoft, Inc. came out on top earlier this month in the Northern District of California when a judge dismissed, with prejudice, a class action claiming that the company’s use of third-party website pixels violated privacy laws. The judge concluded that the “issue of consent defeat[ed] all of Plaintiffs’ claims.” Lakes v. Ubisoft, Inc., No. 24-cv-06943, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).
The plaintiffs alleged that Ubisoft collected and disclosed plaintiffs’ personal information and website usage without their consent through website pixels. Ubisoft moved to dismiss the claims based on the fact that the plaintiffs’ claims relied on the lack of consent but that plaintiffs had “consented to the use of cookies and pixels . . . at least three times during the purchase process” when plaintiffs (1) “interacted with the Cookies Banner” when visiting the website; (2) created accounts on the website, which required the plaintiffs to “accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy”; and (3) “made purchases” at which point Ubisoft’s terms and Privacy Policy were displayed again.
The court took judicial notice of Ubisoft’s Privacy Policy, cookie pop-up, and cookie settings and held that the plaintiffs’ consent defeated their claims:
Federal Wiretap Act: The federal Wiretap Act allows for the interception of communications where “one of the parties to the communication has given prior consent to such interception,” and the interception is not “for the purpose of committing any criminal or tortious act.” The court determined that the plaintiffs provided consent and that the crime-tort exception to consent did not apply.
California Invasion of Privacy Act, California Constitution, and Common-Law Invasion of Privacy: The court held that the plaintiffs’ consent was a “defense to all three claims” under CIPA, the California Constitution, and California common law invasion of privacy.
Video Privacy Protection Act: The court determined that Ubisoft’s disclosures in its Privacy Policy, terms, and on its website through banners and pop-ups satisfied each element of the VPPA’s consent provision.
The plaintiffs sought a request for leave to amend, but the court denied the request, concluding that any amendment would be “futile” because plaintiffs could not “amend their complaint to overcome the issue of consent.”
A key takeaway for companies to consider is to revamp your website Privacy Policy disclosures, confirm that your website’s cookie preferences and banner are visible and user-friendly, and clearly articulate the use of third-party trackers and the data disclosed to your website users.
International Students Face Visa Revocations & Status Terminations – What Does that Mean for Higher Education Institutions?
Over the past two weeks, institutions of higher education have been faced with the challenges of notifying members of their campus communities about visa revocations and status terminations, and advising affected international students on what to do next. Unlike more high-profile immigration cases that followed student protest activity, the latest round of visa revocations and status terminations appear to be happening because students are “failing to maintain status.” But what does that mean and how should institutions react?
To understand the impact, the meaning of key terms like “visa” and “status,” have to be understood, because they are distinct concepts in U.S. immigration law. When people speak of how long someone can stay in the United States, they might say “their visa expires in June” or “they have to leave because their visa is expiring,”; such statements are technically incorrect, however, because they confuse a visa with status.
While a visa is a critical immigration document, it does not actually determine how long someone can stay in the United States. A visa is issued by the U.S. government and allows a noncitizen to apply for entry to the country, but does not guarantee that the noncitizen will be actually allowed to enter or remain in the United States. In contrast, a noncitizen’s status determines how long and under what conditions they can stay in the United States. Notably, noncitizens can change status, for example from F-1 student status to H-1B specialty occupation status, without ever leaving the United States.
Most higher education students come to study in the United States. on an F-1 student visa. F-1 visas are issued by the U.S. Department of State. Once students enter the United States., they are granted F-1 student status, and their F-1 status is tracked by the Department of Homeland Security’s Student and Exchange Visitor Program (SEVP). As long as a student continues to maintain their F-1 student status, the requirements of which are set by law, they are permitted to remain in the United States.
While visa revocations have not traditionally been common, they are a tool available to immigration authorities. One of the scenarios that has historically led to visa revocation is an arrest for driving under the influence (DUI) leading to a visa revocation on health-related grounds (on the basis of suspected alcoholism or other substance abuse issues). A visa revocation, while significant, only impacts a person’s ability to return to the United States. following international travel. It does not impact status. An F-1 student can have their F-1 visa revoked, expire or cancelled, but can still remain in the United States with their valid F-1 student status.
Termination of status, however, ends a person’s permission to stay in the United States. A student’s F-1 student status can be terminated if a student “fails to maintain status” or due to an agency “termination of status.” Historically, a student’s failure to maintain their F-1 status was reported by the colleges and universities themselves if, for example, an international student engaged in unauthorized employment, failed to maintain a full course of study, or was convicted of certain crimes. The agency-initiated termination of status is limited by statute.
During the past two weeks, the U.S. government has changed its practices related to visa revocations and status terminations, and has begun terminating international students’ F-1 student status, either in addition to or instead of revoking their F-1 visas. As a result, F-1 students whose F-1 student status has been terminated no longer have permission to stay in the United States, even if they have a valid F-1visa.
Institutions are finding out about students’ F-1 status terminations by auditing their SEVIS (Student and Exchange Visitor Information System) record. SEVIS is a web-based system that colleges and the Department of Homeland Security use to maintain information about F-1 students. In some cases, students report being unaware that their F-1 status had been terminated until they receive outreach from their school after such audits, because they received no communication from the U.S. government about their status termination.
These changes have caused stress and uncertainty for institutions of higher education and their international students. In light of concerns expressed by higher education clients, we suggest that clients and higher education institutions work closely with in-house counsel, and recommend international student offices to keep abreast of the latest developments in this area. Specifically, colleges and universities should:
Regularly check SEVIS to determine if students’ F-1 status has been terminated and communicate any developments to the affected students as soon as possible.
Prepare to refer international students to immigration lawyers for individualized assistance. Many institutions of higher education have referral lists, but legal clinics available on some campuses are also an option.
Consider options for international students who may choose to leave the United States, specifically how they can continue their studies or transfer to another college or university in their home country. These considerations may be especially important or acute for graduate-level students engaged in fellowships, research, and TA-ships on campus.
Prepare for possible federal immigration enforcement activity on or around campus, including the types of requests for information federal agencies might make, and the institution’s obligations under state and federal law.
Develop and implement a plan to handle campus community and leadership, local community, and political concerns. In addition to planning for internal and external communications, expect that individual immigration cases and class action lawsuits related to F-1 visa revocations and F-1 status terminations may occur.
Antitrust & Tech At The 2025 Antitrust Spring Meeting
Technology was a key focus of this year’s ABA Antitrust Spring Meeting, one of the largest gatherings of antitrust professionals in the world. Over a dozen panels focused on cutting-edge technology issues as it pertains to antitrust, consumer protection, and privacy. Below are 5 key technology-related takeaways.
1. 2024 was a busy year for Big Tech cases, and 2025 looks to be on the same path.
One topic of conversation was the Big Tech antitrust cases that had seen developments in 2024 and 2025. For example, Apple filed a motion to dismiss in the U.S. v. Apple case, which is currently pending. In the FTC v. Amazon case, the FTC’s Sherman Act Section 2 and FTC Act Section 5 claims survived Amazon’s motion for dismissal. Panelists opined that there is a trend towards more high litigation risk cases from the government.
For tech-related updates coming down the pike, the panelists noted that Judge Mehta is expected to issue the remedies order in the U.S. v. Google search monopolization case, and the U.S. v. Google adsearch trial will begin later this year. Panelists also noted that Chair Ferguson of the FTC has publicly expressed interest in ensuring innovation in “Little Tech.”
2. Increasing interest in regulating big data across the globe.
Big data was also on the mind as both a driver of innovation and a potential tool of market dominance. Panelists emphasized that data is not inherently valuable—it must be analyzed effectively; stale or contaminated data can impose real costs; and more data isn’t always better since errors can be introduced.
For antitrust specifically, the panel noted big data issues come up in two contexts: 1) anticompetitive conduct like self-preferencing and refusal to deal and 2) as an important input in markets where no data means no competing. Additionally, big data often comes up in the context of barriers to entry, especially for smaller firms, considering how incumbents benefit from network effects and lower marginal costs. Panelists noted that some businesses are making essential facilities arguments about data. As such, companies may run into problems if they block access to big data through artificial impediments.
Panelists also touched on increasing scrutiny from regulators around the globe. In the EU, deals like Google/Fitbit have required data separation. The EU’s Digital Markets Act (DMA) and the UK’s Digital Markets, Competition and Consumers Act (DMCC) introduce obligations around data interoperability and access. While these interventions aim to prevent foreclosures and level the playing field, some panelists cautioned that preemptive regulation could stifle innovation. In the U.S., the panelists discussed DOJ’s search monopolization case against Google, noting that one of the proposed remedies is that Google share certain data with competitors for decade.
3. Uncertainty about the benefits and harms of algorithmic pricing software.
Algorithmic pricing and machine learning tools continue to gain traction in all sorts of industries. These tools promise efficiency and competitive pricing, but also present potential risks of collusion allegations. One widely-attended panel moderated by Maureen Ohlhausen, who originally analogized algorithmic pricing software to a guy named “Bob,” focused on these issues.
A central discussion point was the standard that courts are using to analyze algorithm-related price fixing claims. The prevailing view on the panel seemed to be that the rule of reason should apply, with analysis depending on factors like whether the data is public, forward-looking, or shared among competitors. On the flip side, other panelists suggested that use of an algorithmic pricing software could be likened to a hub and spoke conspiracy. As far as using the algorithms goes, the panel opined that using public data to feed the algorithm is probably safe territory although not an absolute safe harbor. Some panelists also suggested that courts look at how the software is being used, such as whether the user is blindly accepting the pricing recommendations, how much of the strategy is put up front in the prompts and programming, etc.
The panel also discussed how some jurisdictions are already experimenting with regulation of algorithm pricing software. For example, Germany has introduced AI-assisted gasoline pricing. Some evidence suggests in oligopoly situations, use of the algorithm seemed to lead to higher prices. However, many of the panelists cautioned against imposing blanket remedies before more research is done to understand any potential economic harms algorithm pricing software use may have.
Algorithmic pricing software also came up at the close of the Meeting during the Enforcers Roundtable. Elizabeth Odette, current chair of the NAAG Multistate Antitrust Task Force, noted that there was interest in regulating algorithmic software at the state and local level. For example, she stated that there were 4 cities in the U.S. that had banned algorithmic price software used in the housing context. However, she also noted that there was a concern with imposing wide bills banning use that ignores benefits to some competitors.
4. Tech cases are leading the charge in reviving refusal to deal claims.
Refusals to deal remain a hotly contested area in antitrust law, particularly as platforms and data gatekeepers exert growing control over digital ecosystems. One of the Spring Meeting’s panels discussed the potential revival the doctrine, particularly in technology cases. Due to limitations in the doctrine, the panelists noted that plaintiffs increasingly frame alleged anticompetitive conduct under alternative theories, such as exclusive dealing or foreclosure, to varying degrees of success. Some panelists cautioned that plaintiffs cannot elevate form over economic realities to avoid refusal to deal doctrine.
5. Document preservation issues related to technology is keeping some attorneys up at night.
As digital communications and technology use diversify, so do the risks of spoliation and other discovery failures. Regulators are increasingly focused on how companies preserve (or fail to preserve) electronic records, especially when tools like Slack, ephemeral messaging, and generative AI complicate compliance. One of the panels, including an attorney from the FTC, focused on these issues.
Recent enforcement actions underscore the stakes. The panel flagged major gaps in recordkeeping in cases like the U.S. v. Google search monopolization case and the failed Kroger/Albertsons merger, where use of personal devices and auto-deletion policies hindered document production. The panel also noted that on April 1, 2025, a DOJ Antitrust Division press release revealed that an individual had pleaded guilty for deleting text messages after receiving a litigation hold notice in connection with an antitrust investigation.
The panel also noted the inevitability of discovery requests for AI-generated content or prompts. One panelist gave the example of potentially relevant evidence being a business person asking AI to generate an email to a competitor without the use of the word “competition” to show the person’s state of mind. Interrogatories may soon probe usage of large language models and related tools, especially in high-stakes investigations.
ANOTHER ARBITRATION LOSS: Lead Buyers Just Can’t Catch a Break As Litigators Deny Visiting Websites
Pretty common theme right now in TCPAWorld.
Lead buyer buys a lead and makes an outbound call. Lead buyer sued by a litigator who claims “wasn’t me.” Lead buyer tries to enforce the arbitration provision–to kill the class action component of the case–and the court refuses to enforce because the Plaintiff denied visiting the website to begin with.
That fact scenario played itself out anew in Gilliam v. Prince Health, 2025 WL 1126545 (M.D. Tenn April 16, 2025).
There Prince Health bought a lead from JLN CORP d/b/a P1 Solutions who bought it from Techforcemedia LLC d/b/a Top American Insurance pertaining to website topamericaninsurance.com. (None of these companies are R.E.A.C.H. members!) The website contained an arbitration provision in its terms of use.
A visual rendering was provided to the court of the web session by either Active Propsect or Jornaya and it showed Plaintiff’s name and information being entered on the form. On that basis Prince Health tried to compel arbitration arguing plaintiff had accepted the terms and conditions and agreed to arbitrate claims arising out of the lead form submission.
Plaintiff, however, testified at deposition that he had not visited the website and it was not him who had filled out the form.
Just that simply the court denied the motion to compel arbitration. Although the court determined Prince had met its initial burden the fact Plaintiff denied visiting the website under oath was enough for the court to deny the arbitration motion and set further proceedings.
The court’s order is unclear in terms of next steps but under the Federal Arbitration Act a jury or bench trial is needed to determine whether a contract was formed and whether the case may proceed to arbitration. Of course such a proceeding is high stakes– if the plaintiff didn’t fill out the form then not only will he defeat arbitration he will also defeat any claim of consent!
And if the court finds one person didn’t fill out the form perhaps the court will question the credibility of the lead source and certify a class down the line…
So yeah, high stakes poker.
We’ll keep an eye on this and see where it goes.
Opposers Beware: Your Own Mark May Not Be Protectable
The US Court of Appeals for the Federal Circuit affirmed the Trademark Trial & Appeal Board’s dismissal of an opposition to the registration of the marks IVOTERS and IVOTERS.COM while also noting that the US Patent & Trademark Office (PTO) might want to reconsider whether it permits registration of those marks. Heritage Alliance v. Am. Policy Roundtable, Case No. 24-1155 (Fed. Cir. Apr. 9, 2025) (Prost, Taranto, Stark, JJ.)
American Policy Roundtable (APR), a publisher of campaign and political information since June 2010, filed applications to register the marks IVOTERS and IVOTERS.COM for “providing a web site of information on current public policy issues, political campaigns and citizen concerns related to political information” after the PTO approved the marks for publication. Heritage filed an opposition.
Since the 2008 US presidential election season, Heritage has published online voter guides under the names “iVoterGuide” and “iVoterGuide.com” (the iVoters marks). Without a valid registration but having priority of use, Heritage filed an opposition asserting its common law rights in the iVoters marks.
The Board considered Heritage’s opposition but ultimately found that Heritage’s mark was not distinctive. The Board first considered whether the iVoters marks were inherently distinctive and determined they were not just descriptive but “highly descriptive.” The Board next considered whether the iVoters marks had acquired distinctiveness through secondary meaning but found that the record evidence Heritage submitted was inadequate to support a finding that the iVoters marks had any source-identifying significance. Heritage appealed.
On appeal, Heritage argued that the Board had erred by finding the iVoters marks to have neither inherent nor acquired distinctiveness and that the Board violated the anti-dissection principle by evaluating the individual components of the marks instead of the marks as a whole. The Federal Circuit disagreed. The Court found the Board’s determination that the iVoters marks were highly descriptive to be supported by substantial evidence because the prefix “i” generally refers to something internet based. Heritage chose not to challenge the Board’s finding that “VoterGuide” and “.com” were not distinctive, a ruling the Court characterized as “facially reasonable.”
The Federal Circuit also disagreed with Heritage’s argument that the Board improperly evaluated the marks’ individual components. The Court found the Board properly considered the marks as a whole through its determination that the iVoters marks “on their face refer to online voter guides” and because no evidence demonstrated that the combination of the individual components conveyed “any distinctive source identifying impression contrary to the descriptiveness of the individual parts.”
Heritage argued that the Board had erred in its determination that notwithstanding over five years of use, the iVoters marks did not have statutory acquired distinctiveness. Under Section 2(f) of the Lanham Act, registration applicants may submit evidence that a mark has acquired distinctiveness because as a consequence of extensive use and promotion of the mark, consumers now directly associate the mark with the applicant as the source of those goods. Heritage argued that the Board should have accepted its five-plus years of continuous use as prima facie evidence of acquired distinctiveness. The Federal Circuit disagreed, explaining that Section 2(f) states that the Board “may accept” proof of substantially exclusive and continuous use of a mark for five years as evidence of distinctiveness. Because the language of the statute is discretionary, the Board was free to reject Heritage’s evidence. Federal Circuit case law “recognizes the Board’s discretion to weigh the evidence, especially for a highly descriptive mark.” The Court found no reason to disturb the Board’s decision to give little weight to the three declarations Heritage submitted as evidence of acquired distinctiveness and affirmed the Board’s determination that Heritage’s marks were highly descriptive and had not acquired distinctiveness.
The Federal Circuit further suggested that in view of the Board’s rulings, the PTO might reconsider its decision to approve APR’s marks for registration. Although registration should generally follow when an opposition fails, “the stated precondition is that the mark at issue be a ‘mark entitled to registration,’…which might allow the PTO, after an opposition fails, to reconsider the examiner’s pre-opposition allowance.” The Court also suggested the possibility that Heritage could now consider cancellation of APR’s marks.
We Get Privacy for Work: Why You Need a Cybersecurity Incident Response Plan Now [Podcast]
As states increasingly introduce legislative requirements for how companies respond to cybersecurity threats, it is more important now than ever for organizations to have a plan in place to address data breaches if and when they occur.
Transcript
INTRO
As states increasingly introduce legislative requirements for how companies respond to cybersecurity threats, it is more important now than ever for organizations to have a plan in place to address data breaches if and when they occur.
On this inaugural episode of We get Privacy for work, we guide organizations through the process of creating an incident response plan, including who should be involved and how to effectively notify stakeholders.
Today’s hosts are Damon Silver and Joe Lazzarotti, co-leaders of the firm’s Privacy, Data and Cybersecurity Group and principals, respectively, in the firm’s New York City and Tampa offices.
Damon and Joe, the question on everyone’s mind today is: Why should organizations have a cybersecurity incident response plan, what should be included in the plan, and how does that impact my business?
CONTENT
Joseph J. LazzarottiPrincipal, Tampa
Welcome to the We get Privacy podcast. I’m Joe Lazzarotti, and I’m joined by my co-host, Damon Silver. Damon and I co-lead the Privacy Data and Cybersecurity Group here at Jackson Lewis. In that role, our colleagues in the group and we receive a variety of questions every day from our clients, all of which boil down to the core question of how do we handle our data safely?
In other words, how do we leverage all the great things that data can do for our organizations without running headfirst into a wall of legal and other risks? How can we manage that risk without unreasonably hindering our business operations?
Damon W. SilverPrincipal, New York City
On each episode of the podcast, Joe and I are going to talk through a common question that we’re getting from our clients. We’re going to talk through it in the same way that we would with our clients, meaning with a focus on the practical. What are the legal risks? What options are available to manage those risks? What should we be mindful of from an execution perspective?
Joe, our question for today is, what is an incident response plan, and what should it include? To set the table for everyone, do you want to just talk a little bit about what an incident response plan is and what purpose it serves?
Lazzarotti
That is a great place to start. For a lot of organizations, when we talk about an incident response plan, there are a lot of different incidents that a company may face or crises that they may encounter. I’m here in Florida now, and hurricanes may be incidents that people might have a plan for, but we’re talking specifically about security incidents. Data breaches and things that may impact the organization’s systems and ultimately result in some access or acquisition of personal or confidential company information that may create legal obligations to provide notification in certain cases— whether that be to federal or state governmental entities, individuals who are affected, customers or whatnot. These plans can sometimes become pretty complex, depending on the organization, particularly if you’re in a highly regulated industry, but we’re going to try to talk about it at a high level.
For me, one thing that is pretty critical in the event of an incident is understanding how to communicate with the people who need to carry out that plan. That can be difficult. Bad guys have gotten into the system, and maybe they’re still in or can be monitoring email, or maybe the company’s email is not able to function at the moment. How do you communicate with people? So, having that alternate communication strategy can be pretty important, and having a plan for it is critical.
Silver
Related to that, we see all the time, especially with clients who haven’t been through one of these incidents previously, that they’re not really sure who the people who should be involved are, both internally and externally. If they haven’t been through this situation before, for example, if someone just happens to be the manager who finds out from an employee about a link they clicked on, a suspicious email they got or about the fact that they lost their company laptop. An important first step is for them to know who they are supposed to go to report this. Then, the person who receives that report needs to know whom they need to assemble. Who are the right people internally to be tasked with managing this?
There’s sometimes a misconception that it’s just going to be an IT function, and the IT department is going to handle it. Really, in a lot of these instances, the incident has a much broader impact, and IT alone is not going to be in a very good position to respond. You’re going to need people with a legal perspective. You might need people with an HR perspective if employee data is impacted. You might need people from the finance team if accounting data is impacted. You’re definitely going to need somebody or multiple people from leadership who are able to make decisions at the highest level for how the organization is going to respond.
Then, there’s also your external team. Your legal counsel can, under the cloak of privilege, help you do an investigation of the incident and assess your legal obligations. You might have a cyber insurance carrier or broker whom you want to put on notice quickly. You might have a digital forensics firm that you want to have on standby who understands your systems and can jump in quickly.
Knowing who those key players are helps make the process much smoother when something like this happens. Depending on the nature of the incident, it could be pretty chaotic in those early days. That’s not the time you want to try and figure out who’s supposed to be involved and, to Joe’s point, try and figure out how those people are going to communicate.
Lazzarotti
Absolutely, the roles and responsibilities of the individuals are important. One other thing, and this is not specific to the content of the plan per se, but you said something that made me think about it, Damon. What if you needed to get a copy of the plan and your systems are encrypted? So, where do you keep this plan and the contact information of the individuals who are on it? How do they know that they’re on this plan? So, these other things that come with what should be in an incident response plan. It’s also about socializing with those people, maybe doing a tabletop exercise, and keeping the contact information in a place that can be accessed.
Certainly, you mentioned your cyber insurance carrier; that’s really a critical piece of helping to respond to these incidents. Not only from the standpoint of providing resources in terms of having the policy pay for certain expenses that are incurred but also having gone through and helped to identify those external parts of the team that Damon referred to that will help in responding to the incident. Suppose you go out for renewal on a new cyber carrier the following year because you feel like you need to make a change, but they have a different set of people on their external team. Does that mean you have to update that in your incident response plan?
Some of the things that we’re talking about are things that you have to keep up to date. It is not something you just prepare, leave on the shelf and don’t actively use. A lot of this is about preparedness, and these plans can really help improve that position of being prepared, in addition to keeping the system secure. It’s really both of those. That’s what I’m seeing.
Silver
I totally agree, Joe. Honestly, there is value in the plan itself. It is, in many instances, a legal requirement to have the plan. Even more important than the document itself, in most instances, is building that muscle memory and going through the process of thinking through incidents. You do want to be specific about what type of incidents you think you’re most likely to face. You mentioned the example of a hurricane that knocks out your power, or there could be a ransomware attack or a business email compromise. If you have employees that work remotely or travel, you do want to think about those lost laptops, lost phones and other devices. If you have a website that potentially, let’s say, has customer accounts that store sensitive information, there could be some type of misconfiguration of your website. There’s a lot of value in thinking through the scenarios we are most likely to face or that would have the biggest impact if they happened.
Then, what are the steps we’d want to go through if those specific types of incidents happened? How do we make sure that our team is not trying to fumble around and find this plan, read through it and go step by step? In reality, that’s not how it’s going to play out, particularly if it’s a ransomware attack or some other type of event where you’re trying to respond quickly and things are feeling chaotic. You want people to have practiced this enough that they’re just acting on the plan and remembering at least key components of the plan. They’re likely not going to be in a position to go through it, so first, start reading up and trying to understand what the plan contains when there’s an actual incident. That piece of practicing on a regular basis and having key stakeholders involved in developing the plan is more important than the plan itself at the end of the day in terms of the value it can provide to you when responding to an incident.
Lazzarotti
That’s exactly right. Related to that, we are seeing clients who want to have all of the state laws available and exact drafts of notifications. To some degree, that really is a good idea because if you have a sample notice for an individual or a sample website notice, in the event you needed to put something out there, you would be in a better position. If you had some talking points for key people in the organization, some FAQs for a call center if you have a need for that. Those are all good things to have as a starting point.
However, to Damon’s point, when you’re in the situation, the circumstances are going to dictate things that you just might not have anticipated, or you’re going to need to tailor those sample tools that you’ve made a part of your plan to the actual circumstances. You don’t have to worry so much about everything being perfect because the situation is going to take you in a direction you just may not have anticipated, but at least you’ll have really good starting points that will speed the process along so that the plan can be useful for you when it’s needed.
Silver
Well said. We’ve laid the groundwork pretty well conceptually for what purpose these plans serve and how, from the standpoint of using them, a lot of the work is done at the front end before you actually have an incident.
When you’re working on preparing a plan or reviewing an existing draft of a plan, Joe, what are the most important types of things that you’re looking for?
Lazzarotti
For me, it’s clarity, usability and functionality in the sense that if there’s an incident response plan that is 40 or 50 pages, I’m looking at that saying, that seems like a lot to work through. You always want to be careful, and people may have put a lot of thought into it. What I’d recommend in that case is saying, why don’t we do a high-level summary, a checklist or something that is coupled with that large, well-thought-out plan that can be more action-oriented in a situation.
The other thing is to make sure that it covers all of the aspects of the business. One of the things that you said at the beginning is that, sometimes, this function gets pushed to the IT department. However, the IT department may focus on an incident response plan more from an IT perspective. How do we deal with the information system that’s down? What gets left out of that is how we communicate about it. How are our clients affected? Do we have contractual obligations and all that other stuff that may be relevant to the overall response? So, I’d want to be sure that the incident response plan really covers the whole organization, which may include HR, other business units or even wholly owned subsidiaries that may be the parent or even maybe a franchisor. It’s not directly their business, but they want to understand, and we have to protect the brand because there could be those kinds of issues. So, really give some thought to whether the plan is really going to help us. Is the plan as broad as we want so that we’re able to act on it in a situation?
Silver
I agree with that. Thinking about the high-level summary or the checklist that you mentioned, I’ve had similar discussions with clients about how to leverage the work that was done to create a really detailed plan. Also, it’s good to have some more accessible, actionable documents to work off of and keep you organized as you’re responding to an incident. What are some of the key items on that checklist for you?
Lazzarotti
How do you communicate with folks? Who do you need to reach out to? If you are a professional service firm, you need to notify your clients. Where do you go for that information? How do you assess what obligations you have? A lot of focus is on data breach notification laws, which we’re involved in a lot at the federal and state levels. However, there are increasing contractual obligations. Sometimes, it can be difficult, like where are those contracts or what obligations do we have? Having that available, or at least a path to them that you can easily access, can be helpful. Obviously, your broker and carrier— know how to contact them and how to get to the sample forms that you need. Those are some of the things that I’d like, but there are other things.
I’d be interested, Damon, in knowing how you might augment that list.
Silver
I agree with all of those. In some ways, it all starts with a triage list of what your objectives are early. You learn that some type of incident has happened; now, what are the first several steps that you need to take? Those are going to be the most pivotal from the standpoint of the incident response plan having value because those are the things you’re going to have to do potentially very quickly and without much opportunity to deliberate or to reach out to your attorney and run it by them. These are things that need to be done quickly, and it is going to vary depending on the organization. It’s also going to vary depending on the type of incident, but sometimes, if we’re dealing with something like ransomware, a big initial question is how do we get our business back up and running? We’re going to want to look at whether we have backups that we can restore from or if those backups were impacted by the incident. If we don’t have the backups, what other options do we have? Is there any type of publicly available decryption tool, and who do we go to try to explore that? That’s one early question, at least for certain types of incidents: How are we going to get our business back up and running?
Another key early question is how do we make sure that we’re going to be able to do the investigation that we want to do with this incident? Because I know both of us and other members of our team have seen many instances where the client’s internal IT or a managed service provider took some steps really early on in the process that resulted in the wiping of logs that otherwise might have been useful in showing that the scope of an incident was narrowed to certain systems or certain files, but those are wiped. So, the client is left in the position where they may have to make assumptions about what could have been impacted, which results in a much broader notification than might otherwise have been the case. Of course, another consideration is whether this incident is over or if it is a live incident. Is there still a continuing ongoing threat to the systems? What needs to be done from a containment perspective? Having those pieces spelled out clearly and in a practical way with actionable steps that people can take are going to be really important so that in those early moments, you don’t have issues that set you back weeks in terms of getting back up and running or set you back indefinitely in terms of losing evidence. All of those can be really valuable to spell out and also, again, looping back to the point of practicing to have people think through plans in connection with specific types of incidents that might come up.
Lazzarotti
I think we could probably talk forever about writing an incident response plan. One last question, Damon. Once you do have a plan and are practicing that plan, how often do you think a company should revisit and amend it if needed? How often should you review it and consider updates?
Silver
It’s a great question. It’s going to vary depending on the client’s circumstances. A really valuable exercise is to have a standing time on the calendar to look at it. If it’s every 6 months or even every 12 months, have that meeting scheduled.
Then, if something happens, like you experience an incident or you’re integrating some new technology that’s going to process a lot of data, that might be a good reason to either have that meeting sooner than was planned or to have an additional meeting because this really does need to be a living document. It’s not going to serve you very well if it just remains static over time. Putting that time on the calendar ensures that, at minimum, every 6 months or every 12 months, you’re giving it a look to see whether it still makes sense in light of the way that you’re handling data, and you have that opportunity to make corrective actions if that’s necessary.
Lazzarotti
That sounds great. I definitely hope all of our clients are thinking about this, and if they don’t have an incident response plan and are developing one, this session will give them some thoughts about that. We hope everybody enjoyed listening to our We get Privacy podcast, and thank you, Damon.