This quarterly update summarizes key legislative and regulatory developments in the first quarter of 2023 related to Artificial Intelligence (“AI”), the Internet of Things (“IoT”), connected and autonomous vehicles (“CAVs”), and data privacy and cybersecurity.

Artificial Intelligence

The first quarter of 2023 saw an array of proposed legislation, regulation, and informal guidance relating to AI.  At the federal level, some members of Congress have noted concerns with the rapid uptake of AI technologies.  For example, Representative Ted Lieu (D-CA-36) introduced a house resolution (H. Res. 66) that urges Congress to focus on AI and would resolve that the House of Representatives supports focusing on AI to ensure development of AI is done in a way that “is safe, ethical, and respects the rights and privacy of all Americans” and widely distributes AI benefits while minimizing risks.  There were a number of other AI legislative proposals introduced this quarter focused on AI in particular contexts, including the use of AI for water quality (H.R. 873), AI for telehealth (H.R. 207), and AI for drug prescriptions (H.R. 206), and the Department of Defense’s ability to procure AI-based endpoint security tools to improve cybersecurity defense (H.R. 1718).

There have also been several federal agency and regulatory developments on AI.  In January, the National Institute of Standards and Technology (NIST) released its Artificial Intelligence Management Framework to provide a resource to organizations “designing, developing, deploying, or using AI systems to help manage the many risks of AI and promote trustworthy and responsible development and use of AI systems.”  A detailed summary of this update can be found here.  Additionally, in February, the White House released an Executive Order, which directs federal agencies to “ensure that their own use of artificial intelligence and automated systems [] advances equity,” and to “focus their civil rights authorities and offices on emerging threats, such as algorithmic discrimination in automated technology,” among other items.  Under the Executive Order, agencies must investigate and address any algorithmic discrimination in technology services, improve accessibility for people with disabilities, and improve language access services. 

At the state level, there have been multiple bills introduced with the aim of regulating AI.  For example, in Massachusetts S. 31 would regulate generative AI models and require companies operating large-scale generative AI models (i.e., a machine learning model with a capacity of at least one billion parameters that generates text or other forms of output) to register with the Attorney General and adhere to specific standards, like programming text with a watermark and not engaging in bias.  Meanwhile in California, A.B. 331 would regulate automated decision tools by requiring, among other things, “deployers” (defined as a person, partnership, state or local government agency, or corporation that uses an automated decision tool to make a decision that has a legal, material, or similar significant effect on an individual’s life) to perform impact assessments for any automated decision tool, notify persons about the use of the tool, and prohibit using a tool that contributes to algorithmic discrimination.

Internet of Things

Federal legislators in both the House and Senate introduced a number of pieces of legislation related to the Internet of Things (IoT).  For example, Representative Anna Eshoo’s (D-CA-16) bill, H.R. 1123, the Understanding Cybersecurity of Mobile Networks Act, was introduced in and passed the House.  The bill directs the National Telecommunications and Information Administration (NTIA) to report to Congress on the cybersecurity and vulnerability of mobile service networks and devices to cyberattacks and surveillance.  Additionally, Representative John Curtis’s (R-UT-3) bill, H.R. 538, the Informing Consumers about Smart Devices Act, also passed the House.  It requires the disclosure of cameras or other recording abilities on certain internet-connected devices where such functionalities would be non-obvious to the user.  

Federal legislators also introduced a group of bills pertaining to precision agriculture.  Senator Deb Fischer (R-NE) introduced S. 720, the PRECISE Act, which provides incentives to adopt precision agriculture equipment and technology.  Precision agriculture technology includes IoT technology used in crop and livestock production.  Rep. Ashley Hinson (R-IA-2) introduced the House companion to the PRECISE Act, H.R. 1459.  Another bill, S. 734, the Promoting Precision Agriculture Act of 2023, was introduced by Senator John Thune (R-SD) and Senator Raphael Warnock (D-GA).  It would require the Secretary of Agriculture and NIST to develop and assess interconnectivity standards for precision agriculture. 

The White House’s recently released U.S. National Cybersecurity Strategy emphasized the Administration’s efforts to improve IoT cybersecurity through federal research and development, procurement, and risk management efforts, as directed in the IoT Cybersecurity Improvement Act of 2020. In addition, the Administration affirmed its efforts to continue to advance the development of IoT security labeling programs, as directed by Executive Order 14028, “Improving the Nation’s Cybersecurity.”  The strategy plans that, through the expansion of IoT security labels, consumers will be able to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem.

Connected and Autonomous Vehicles

The first quarter of 2023 demonstrated that Congress, federal agencies, and industry groups plan to make advancing the development and deployment of CAVs a front-burner issue this year.  In early January, NIST launched an Automotive Cybersecurity Community of Interest to discuss, comment, and provide input on the work that NIST is doing which will affect the automotive industry, including cryptography, supply chain, and AI cybersecurity risk management in automated vehicles.  Government, industry, and academics are encouraged to join, as contributions from these stakeholders will inform future NIST frameworks on key aspects of automotive cybersecurity.  In February, the Federal Motor Carrier Safety Administration (FMCSA) issued a supplemental advance notice of proposed rulemaking requesting public comment about the factors the Agency should consider in amending the Federal Motor Carrier Safety Regulations to establish a regulatory framework for commercial motor vehicles (CMV) equipped with Level 4 and 5 automated driving systems (ADS), and we expect to see further rulemaking in this space that takes into account feedback FMCSA received during the public comment period.

Federal legislators have signaled action in the CAV space this year.  In the early months of 2023, bipartisan congressional leaders acknowledged the benefits of CAVs and discussed how to solidify the U.S. as a market leader for CAVs during hearings, interviews, and public meetings.  For example, on February 1, the House Committee on Energy and Commerce held a hearing entitled “Economic Danger Zone: How America Competes to Win the Future Versus China” during which both Republicans and Democrats emphasized the benefits of CAVs and the need to strengthen our position as a global leader in the development and deployment of the technology.  Bipartisan members of Congress also spoke at The Hill’s second annual EV/AV summit, which explored the barriers to electric vehicle adoption, the future of CAVs, and the critical infrastructure needed to make them both a reality.  This unified front could prove useful in advancing legislative and policy proposals in the CAV space, and CAV industry groups have taken steps to inform and support such proposals.  In March 2023, the Autonomous Vehicle Industry Association unveiled a Federal Policy Framework outlining recommendations for Congress and the Department of Transportation for the safe and advanced deployment and commercialization of CAVs in the U.S.  Recommendations include, but are not limited to, legislation and executive agency action that reforms and expands the vehicle exemption process, expands CAV testing and evaluation, and updates regulations to support CAV deployment.

Privacy & Cybersecurity

Privacy

Activities in Congress suggest that there will be efforts to reintroduce the American Data Privacy Protection Act (ADPPA) in the House.  Specifically, the House Committee on Energy and Commerce’s new Subcommittee on Innovation, Data and Commerce held two hearings on the importance of passing federal comprehensive privacy legislation.  During these hearings, lawmakers consistently emphasized their view of the ADPPA as the preferred framework to address current regulatory shortcomings.  Although there is broad bipartisan support for the ADPPA, some Senators, including Senator Ed Markey (D-MA), are urging colleagues to pass the Children and Teens’ Online Privacy and Protection Act (COPPA 2.0) prior to moving forward on comprehensive federal privacy legislation. 

Cyber

As mentioned above, the White House released its U.S. National Cybersecurity Strategy.  The Strategy, among other things, outlines fundamental shifts to how the federal government will attempt to allocate roles, responsibilities, and resources in the cyberspace.  The Strategy is built on five pillars:  (i) defend critical infrastructure; (ii) disrupt and dismantle threat actors; (iii) shape market forces to drive security and resilience; (iv) invest in a resilient future; and (v) forge international partnerships to pursue shared goals.  The Strategy signals a shift towards a more regulatory-focused approach to compel various businesses and industries to improve their cybersecurity, as well as the collective security of the internet.

Multiple cybersecurity bills were introduced in Congress this quarter, including: the Securing Semiconductor Supply Chains Act (S. 229); the Cyber Vulnerability Disclosure Reporting Act (H.R. 280); the Securing Open Source Software Act (S. 917); and the Strengthening Agency Management and Oversight of Software Assets Act (S. 931). We will continue to update you on meaningful developments in these quarterly updates and across our blogs.

Photo of Jennifer Johnson Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors…

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors, television companies, trade associations, and other entities on a wide range of media and technology matters. Jennifer has almost three decades of experience advising clients in the communications, media and technology sectors, and has held leadership roles in these practices for almost twenty years. On technology issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including product counseling and technology transactions related to connected and autonomous vehicles, internet connected devices, artificial intelligence, smart ecosystems, and other IoT products and services. Jennifer serves on the Board of Editors of The Journal of Robotics, Artificial Intelligence & Law.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements, network affiliation and other program rights agreements, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Photo of Nicholas Xenakis Nicholas Xenakis

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal…

Nick Xenakis draws on his Capitol Hill experience to provide regulatory and legislative advice to clients in a range of industries, including technology. He has particular expertise in matters involving the Judiciary Committees, such as intellectual property, antitrust, national security, immigration, and criminal justice.

Nick joined the firm’s Public Policy practice after serving most recently as Chief Counsel for Senator Dianne Feinstein (C-DA) and Staff Director of the Senate Judiciary Committee’s Human Rights and the Law Subcommittee, where he was responsible for managing the subcommittee and Senator Feinstein’s Judiciary staff. He also advised the Senator on all nominations, legislation, and oversight matters before the committee.

Previously, Nick was the General Counsel for the Senate Judiciary Committee, where he managed committee staff and directed legislative and policy efforts on all issues in the Committee’s jurisdiction. He also participated in key judicial and Cabinet confirmations, including of an Attorney General and two Supreme Court Justices. Nick was also responsible for managing a broad range of committee equities in larger legislation, including appropriations, COVID-relief packages, and the National Defense Authorization Act.

Before his time on Capitol Hill, Nick served as an attorney with the Federal Public Defender’s Office for the Eastern District of Virginia. There he represented indigent clients charged with misdemeanor, felony, and capital offenses in federal court throughout all stages of litigation, including trial and appeal. He also coordinated district-wide habeas litigation following the Supreme Court’s decision in Johnson v. United States (invalidating the residual clause of the Armed Career Criminal Act).

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection…

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.

Photo of Olivia Dworkin Olivia Dworkin

Olivia Dworkin minimizes regulatory and litigation risks for clients in the medical device, pharmaceutical, biotechnology, eCommerce, and digital health industries through strategic advice on complex FDA issues, helping to bring innovative products to market while ensuring regulatory compliance. With a focus on cutting-edge…

Olivia Dworkin minimizes regulatory and litigation risks for clients in the medical device, pharmaceutical, biotechnology, eCommerce, and digital health industries through strategic advice on complex FDA issues, helping to bring innovative products to market while ensuring regulatory compliance. With a focus on cutting-edge medical technologies and digital health products and services, Olivia regularly helps new and established companies navigate a variety of state and federal regulatory, legislative, and compliance matters throughout the total product lifecycle. She has experience counseling clients on the development, FDA regulatory classification, and commercialization of digital health tools, including clinical decision support software, mobile medical applications, general wellness products, medical device data systems, administrative support software, and products that incorporate artificial intelligence, machine learning, and other emerging technologies.

Olivia also assists clients in advocating for legislative and regulatory policies that will support innovation and the safe deployment of digital health tools, including by drafting comments on proposed legislation, frameworks, whitepapers, and guidance documents. Olivia keeps close to the evolving regulatory landscape and is a frequent contributor to Covington’s Digital Health blog. Her work also has been featured in the Journal of Robotics, Artificial Intelligence & Law, Law360, and the Michigan Journal of Law and Mobility.

Photo of Hensey A. Fenton III Hensey A. Fenton III

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development…

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development, and tax.

Another facet of Hensey’s practice involves cutting-edge legal issues in the cybersecurity space. Having published scholarly work in the areas of cybersecurity and cyberwarfare, Hensey keeps his finger on the pulse of this fast-developing legal field. His Duke Journal of Comparative & International Law article, “Proportionality and its Applicability in the Realm of Cyber Attacks,” was highlighted by the Rutgers Computer and Technology Law Journal as one of the most important and timely articles on cyber, technology and the law. Hensey counsels clients on preparing for and responding to cyber-based attacks. He regularly engages with government and military leaders to develop national and global strategies for complex cyber issues and policy challenges.

Hensey’s practice also includes advising international clients on various policy, legal and regulatory challenges, especially those challenges facing developing nations in the Middle East. Armed with a distinct expertise in Middle Eastern foreign policy and the Arabic language, Hensey brings a multi-faceted approach to his practice, recognizing the specific policy and regulatory concerns facing clients in the region.

Hensey is also at the forefront of important issues involving Diversity, Equity and Inclusion (DEI). He assists companies in developing inclusive and sustainable DEI strategies that align with and incorporate core company values and business goals.

Prior to joining Covington, Hensey served as a Judicial Law Clerk for the Honorable Judge Johnnie B. Rawlinson, United States Court of Appeals for the Ninth Circuit. He also served as a Diplomatic Fellow in the Kurdistan Regional Government’s Representation (i.e. Embassy) in Washington, DC.

Photo of Jorge Ortiz Jorge Ortiz

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related…

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to privacy policies and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.

Photo of Jemie Fofanah Jemie Fofanah

Jemie Fofanah is an associate in the firm’s Washington, DC office. She is a member of the Privacy and Cybersecurity Practice Group and the Technology and Communication Regulatory Practice Group. She also maintains an active pro bono practice with a focus on criminal…

Jemie Fofanah is an associate in the firm’s Washington, DC office. She is a member of the Privacy and Cybersecurity Practice Group and the Technology and Communication Regulatory Practice Group. She also maintains an active pro bono practice with a focus on criminal defense and family law.

Photo of Shayan Karbassi Shayan Karbassi

Shayan Karbassi is an associate in the firm’s Washington, DC office. He is a member of the firm’s Data Privacy and Cybersecurity and White Collar and Investigations Practice Groups. Shayan advises clients on a range of cybersecurity and national security matters. He also…

Shayan Karbassi is an associate in the firm’s Washington, DC office. He is a member of the firm’s Data Privacy and Cybersecurity and White Collar and Investigations Practice Groups. Shayan advises clients on a range of cybersecurity and national security matters. He also maintains an active pro bono practice.