Interview with Ed McNicholas
“AI is rapidly changing everything, and it's changing the velocity, volume, and variety of attacks.”
Maurice
Hello everybody, and welcome to another edition of C&F Talks, where I get to speak to one of the speakers at one of our forthcoming events. Today, it's my great pleasure to be interviewing Ed McNicholas. He's a Partner and Data, Privacy & Cyber Security Practice Leader at Ropes & Gray. Ed's going to be speaking at our forthcoming Data, AI and the Future of Financial Services Summit in London on the 16th of March.
As I said, Ed leads Ropes & Gray's Global Data Privacy and Cybersecurity Practice. He represents technologically sophisticated clients facing complex data privacy and cybersecurity issues in litigation, investigative and counselling matters. Ed, welcome.
Ed
A pleasure to be here.
Maurice
Great to have you with us. So, let's turn to our first question.
US vs UK legal and regulatory systems on data privacy and cybersecurity
How does the US legal and regulatory system differ from that of the UK in relation to data privacy and cybersecurity? And to what extent is it extra-jurisdictional in nature?
Ed
Thank you for that question. The US and UK approaches are very much related, but as in many things, we are two people divided by a common language. In the UK, we have this rights-based omnibus approach driven by the GDPR Data Privacy Act of 2018 and some of the NIS and some of the directives.
And so, you can generally look towards a unified set of requirements that have been developed in a coherent manner, and they focus on reasonableness under those safeguards and accountability because there's a clear pathway.
The US has chosen a different pathway. We have a state-level regime. Most of the privacy and cybersecurity rules have developed at a state level. And then we have a sector-specific regime laid on top of that, which is largely federal, although has some state elements to it. And so, to understand the requirements for a particular business, you would have to look at its location in this very complex ecosystem.
For instance, if you were a British bank with an office in New York, you would fall under the New York Department of Financial Services, which is a state-level entity and has its own very strict cybersecurity rules. Whereas if you were a US entity, you would fall under US federal requirements from a prudential regulator. And it's a very complex interplay here in the US and makes it much more interesting from a legal perspective, although perhaps too interesting from a compliance perspective.
Maurice
Absolutely. I suppose that interplay between federal and state makes it that much more complex in comparison to the UK, and of course Europe, which has a sort of pan-European approach to both data and AI regulation.
The impact AI has had on the nature of the risks involved
What impact has AI had on the nature of the risks involved? Has it increased the range and scope of potential incidents? And what are the implications for investigations, enforcement, and settlements?
Ed
Indeed, AI is rapidly changing everything, and it's changing, I would think, the velocity, volume, and variety of attacks. We have a real shift in the cost curve for threat actors. They can look broader, faster, they have better deepfakes, and they have more aggressive malware.
The AI also introduces new attack surfaces. You have prompt injection attacks, poison data, and supply chain risk as people have AI built into systems that you wind up using. This is going to create fantastic complexity as we get into litigation over AI.
Most recently, the Southern District of New York, one of our leading federal courts, held that a communication between a person and an AI model, even if that person intended to give the output to their attorney in order to get legal advice, is not privileged because there's no special relationship of trust and confidence between you and your AI model. Those sorts of things, I think, just point towards where we're going to have a series of steps over the years that will change the standards for everybody.
Maurice
It's a completely novel development, isn't it?
How agentic AI will affect the situation
But, of course, we're dealing with gen AI, which, in many ways, is simpler than the next stage of AI development, agentic AI. So how do self-autonomous agents, how will agentic AI change the situation? Does it bring new legal risks beyond those you associate with gen AI, and does it increase the potential for litigation?
Ed
Well, I think it will create another wave of litigation. In the US, we are solving this in a more common law way than even the home of the common law. We have plaintiffs' lawyers who are pursuing aggressive notions of negligence and consumer deception.
You even see trespass to chattel being brought out for some data privacy cases. And agentic AI, I think, will broaden the type of attacks because it shifts from the model, the LLM being an advisor, to being an actor. And you're going to have this new actor inside of your environment.
And it will, no doubt, there will be times when people either through prompt injection or through negligence or just novelty of the model, you will have models making promises that cannot be actually honoured, either because they are not commercial or because they are just impossible to honour. And the attribution and responsibility for those promises will lead to very interesting litigation. We will live in an interesting time here for years to come.
Maurice
Yeah, I mean, as you say, very interesting times. And of course, in many ways, not entirely predictable because beyond the agentic AI, then there are the new world models, as they describe them, which provide context for the agentic AI. And that's a whole other debate.
Ed
Indeed. And quantum will hypercharge all of this. What is quantum? 5, 10 years? Maybe.
Maurice
Yeah, the pace of acceleration is so rapid. But Ed, thanks very much for sharing your time with us today and sharing your thoughts. Very, very interesting.
Just to remind our viewers, Ed's speaking at our upcoming Data, AI, and the Future of Financial Services Summit being held in London on the 16th of March. If you'd like further information, please visit our website, www.cityandfinancial.com, where you'll find further information on the program, the topics, and the ability to register to attend.
It only remains for me to say, Ed, thank you so much for joining us and look forward to seeing you on the 16th.
Ed
My pleasure. I look forward to meeting you in person on the 16th.





