On 2 August 2025, the second wave of requirements under the EU AI Act (the “Act”) entered into force, following the first implementation phase six months ago. This latest set of requirements primarily covers General Purpose AI (“GPAI”) model providers, as well as containing operational requirements for the EU and Member State oversight and enforcement [...]| Debevoise Data Blog
Ahead of the EU AI Act’s (the “Act”) General Purpose AI (“GPAI”) model requirements coming into force on 2 August 2025, EU authorities have released further guidance and Codes of Practice detailing how these rules should be interpreted and applied. In particular: GPAI Model Provider Guidance: The Commission has published additional guidance targeted specifically at [...]| Debevoise Data Blog
The California Privacy Protection Agency (the “CPPA”) Board met on July 24, 2025, to decide whether to adopt its comprehensive rulemaking package covering cybersecurity audits, automated decision-making technology, and other adjustments to its existing regulations (collectively, the “Draft Regulations”). We have written about these topics in December 2024, February 2025, and May 2025 respectively. Ultimately, [...]| Debevoise Data Blog
Yesterday, the White House released “Winning the Race: America’s AI Action Plan” (the “Action Plan”), a comprehensive framework that emphasizes AI adoption, innovation, and competitiveness over previous priority areas, such as AI safety, protected class discrimination, and ethical usage. The White House also subsequently released three Executive Orders in line with the objectives outlined in [...]| Debevoise Data Blog
Announcement| Debevoise Data Blog
Artificial Intelligence| www.debevoisedatablog.com
No one really knows how the large language models (“LLMs”) that power generative AI (“GenAI”) tools like ChatGPT actually come up with their answers to our queries. This is referred to as the “black box” or the “explainability” problem, and it is often given as a reason why GenAI should not be used for making [...]| Debevoise Data Blog
Using AI to make important decisions about individuals carries a risk of bias, especially for underwriting, credit, employment, and educational admission decisions. In this Debevoise Data Blog post, we discuss how a recent settlement by the Massachusetts Attorney General’s Office highlights the risks that can arise in AI-powered lending decisions and ways to reduce those [...]| Debevoise Data Blog
In a recent Debevoise Data Blog post, we provided a quick guide on selecting the appropriate OpenAI models offered through GPT Enterprise for various legal tasks (e.g., o3 for research, GPT-4.5 for writing, and GPT-4o for image generation). In this follow-up post, we provide a broad overview of the various tools and features that are also [...]| Debevoise Data Blog
Asset managers are increasingly incorporating AI into critical operations, such as investment, trading, valuation, reporting, and risk management, either through vendor solutions or in their own processes. As with any dependency, asset managers must assess and prepare for potential failures that could result in the need for business and operational responses, as well as potential [...]| Debevoise Data Blog
Allowing employees to use generative AI (“GenAI”) comes with significant risks—such as the loss of confidentiality over sensitive firm and client information, mistakes occurring in important documents or decisions, loss of critical skills, and potential violations of contractual obligations and regulatory requirements. That said, one of the biggest AI risks comes from not letting employees [...]| Debevoise Data Blog
With federal preemption of AI regulation appearing unlikely, having been removed by a vote of U.S. senators in the negotiation over the federal budget bill, it is a good time to take stock of U.S. state-level AI regulation. In the second half of 2024, many observers had predicted a rapid spread of EU‑style, cross‑sector “AI Acts” [...]| Debevoise Data Blog
Two years ago, we outlined how directors should think about oversight of AI-related risks. Since then, we have seen a steady increase in AI projects that sit squarely inside our clients’ core business functions, which raises three board oversight issues that we discuss in this Debevoise Data Blog update: (1) identifying core AI projects, (2) assigning specific management responsibility, and (3) peer benchmarking.| Debevoise Data Blog
Whether copyrighted works can be freely used to train generative artificial intelligence (“AI”) models is at the core of dozens of lawsuits filed since AI burst onto the scene several years ago. This week, the Northern District of California issued two of the first opinions that begin to answer that question, but there remains a [...]| Debevoise Data Blog
At Debevoise, we have access to a lot of generative AI (“GenAI”) models. We’ve found different models to be good at different tasks for legal practice, and model capabilities are changing quite frequently. But in light of the recent release of OpenAI’s o3 pro model, we thought it would be helpful to provide a quick [...]| Debevoise Data Blog
There are dozens of cases pending against AI developers stemming from their use of copyrighted works to train generative AI models. In response, developers have uniformly asserted that such use is a fair use. To date, despite years of litigation, those cases have resulted in just one opinion: a District of Delaware order that arose outside of the generative AI context and rejected the fair use defense as a matter of law.| Debevoise Data Blog
President Trump issued an Executive Order on June 6, 2025, that sheds light on the Administration’s approach to cybersecurity and AI by highlighting foreign threats to U.S. cybersecurity, emphasizing federal agencies’ management of AI-related vulnerabilities, and rescinding prescriptive Biden-era requirements for agencies and contractors in favor of more flexible guidance. While the Executive Order primarily [...]| Debevoise Data Blog
In July, we previewed the new rules adopted by the Securities and Exchange Commission (“SEC”) for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Under these rules, Item 1.05 of Form 8-K requires U.S. public companies to disclose material cybersecurity incidents. We have been tracking Form 8-K filings under the new SEC requirements since the rules went into effect on December 18, 2023. In this chart, you can find links to each of these filings, as well as t...| Debevoise Data Blog
On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers, (ii) its proposed amendmen...| Debevoise Data Blog
Cybersecurity| www.debevoisedatablog.com
We’re proud to share that Debevoise & Plimpton’s Data Strategy & Security group has been recognized as one of the few elite law firms ranked by Chambers for both Artificial Intelligence (AI) and Privacy & Data Security, highlighting our dual prominence in these areas and reaffirming our position as a leader in advising clients on [...]| Debevoise Data Blog
Many businesses use customer-tracking technology and other tools—such as pixels, session replay, software development kits (“SDKs”), and chatbots—to improve website user experiences, understand customer behavior, train their technology, and gauge effectiveness of advertisements. Increasingly, however, these technologies present litigation risks under the California Invasion of Privacy Act (“CIPA”). In this blog post, we provide an [...]| Debevoise Data Blog
All eyes are on the DOJ Bulk Sensitive Data Rule (28 C.F.R. Part 202), and July 8, 2025, when the recently announced good-faith safe harbor expires. The rule, which the Department of Justice now refers to as the Data Security Program (the “DSP”), creates a comprehensive export control regime to restrict the transfer of bulk [...]| Debevoise Data Blog
Debevoise’s Data Strategy and Security group recently assisted five leading financial services industry trade associations in preparing a joint rulemaking petition in response to the Securities and Exchange Commission’s (“SEC”) cybersecurity disclosure rule. The rule was adopted in July 2023 to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incidents. Debevoise worked [...]| Debevoise Data Blog
Artificial intelligence (“AI”) is improving, but even the best models still can hallucinate, miscite, and miscalculate. The primary strategy for managing these and other risks associated with AI deployment is human review, also known as putting a “human-in-the-loop.” Here are various measures that we have seen businesses use to optimize human review of AI decisions [...]| Debevoise Data Blog
As AI adoption continues to increase, businesses are looking for familiar risk management protocols for AI governance. One obvious governance framework to use is cybersecurity, which is another area where rapid technological change has required businesses to quickly adapt to complex challenges. Because of the similarities between cybersecurity and AI risk (e.g., both are relatively [...]| Debevoise Data Blog
In Part 1 of this series, we discussed the annual cybersecurity audit requirements in the California Privacy Protection Agency (the “CPPA”)’s proposed rulemaking package (the “Draft Regulations”). In Part 2, we discussed the Draft Regulations’ provisions on automated decision-making technology (“ADMT”). In this Part 3, we discuss the Draft Regulations’ amendments to existing privacy-related requirements [...]| Debevoise Data Blog
Debevoise & Plimpton LLP partners Luke Dembosky, Erez Liebermann and Jim Pastore have again been named to Cybersecurity Docket’s “Incident Response 50 List” for 2025. The list recognizes the “50 best data breach response lawyers in the business” and the top incident response attorneys and compliance professionals who not only have the right credentials and [...]| Debevoise Data Blog
On March 12, 2025, the California Privacy Protection Agency (the “CPPA”) announced a decision and stipulated final order stemming from its investigation of the American Honda Motor Company’s (the “Company” or “Honda”) data privacy practices. In addition to implementing changes in its practices, the Company agreed to pay an administrative fine of $632,500. The decision [...]| Debevoise Data Blog
On April 9, 2025, the U.S. Securities and Exchange Commission (the “SEC”) and the U.S. Attorney’s Office for the Southern District of New York filed parallel actions against Albert Saniger, the former CEO of Nate, Inc. (“Nate”), alleging that he made materially false and misleading statements to investors about the company’s artificial intelligence (“AI”) capabilities. [...]| Debevoise Data Blog
Most companies have implemented protocols for when an employee emails confidential information to the wrong person. A new version of that problem occurs when an employee uploads sensitive information to a consumer (i.e., not enterprise) AI tool, which gives rise to the following questions: Can the data be clawed back or deleted, and if so, [...]| Debevoise Data Blog
OVERVIEW OF THE NEW LEGISLATION Definitions The new legislation, described as the first Hong Kong cybersecurity law, regulates designated “Operator of Critical Infrastructure” (the “CIO”) and its “Critical Computer Systems” (the “CCS”). “Critical Infrastructure” (the “CI”) is defined as: any infrastructure that is essential to the continuous provision of an essential service in Hong Kong [...]| Debevoise Data Blog
Given that AI models require large swathes of data to operate, the GDPR’s expansive definition of personal data means that many applications of AI involve complex data protection issues – especially where those datasets are obtained from third-party sources. At the Irish DPC’s request, the European Data Protection Board (“EDPB”) has adopted Opinion 28/2024 on [...]| Debevoise Data Blog
Our top-five European data protection developments from February are: European Commission publishes guidelines on prohibited AI practices: The EU Commission has published non-binding guidance on the EU AI Act’s prohibited use cases. European Parliamentary Research Service Report Highlights Tension Between the EU AI Act and GDPR: The EPRS published a report warning of a potential [...]| Debevoise Data Blog
South Korea has become the latest country to pass a national AI law. The “Basic Act on the Development of Artificial Intelligence and Establishment of Foundation for Trust” (the “Basic Act” or the “Act”), which has several similarities to – and differences from – the EU AI Act, and comes into force on January 22, [...]| Debevoise Data Blog
As the first quarter of 2025 draws to a close and we look ahead to the spring, important changes to the Federal Rules of Evidence (“FRE”) regarding the use of AI in the courtroom are on the horizon. Specifically, the Federal Judicial Conference’s Advisory Committee on Evidence Rules (the “Committee”) is expected to vote on [...]| Debevoise Data Blog
On Tuesday, April 29, 2025 at 1:15 pm, Erez Liebermann will be moderating a panel at RSAC 2025 Conference to discuss the growing regulatory expectations around governance, including that from the Securities and Exchange Commission (SEC) and other regulators beating their cyber drums. The panelists will share best practices to educate the board, both ahead [...]| Debevoise Data Blog
On Wednesday, April 30, 2025 at 2:25 pm, Erez Liebermann will be moderating a panel at RSAC 2025 Conference to discuss different approaches of private equity firms in evaluating cyber maturity and in working with portfolio companies on M&A, risk management, and incident response. The panel will feature: Rich Adduci, Operating Executive, Berkshire Partners James [...]| Debevoise Data Blog
On Tuesday, April 29, 2025 at 9:40 am, Erez Liebermann will be moderating a panel at RSAC 2025 Conference to dive into the work that financial services companies, the government, and cloud service providers are taking to mature incident response. The panel will feature: Todd Conklin, Chief AI Officer and Deputy Assistant Secretary, US Treasury [...]| Debevoise Data Blog
On Thursday, April 24, 2025 at 9:00 AM ET, as a part of IAPP Global Privacy Summit 2025, Erez Liebermann will be moderating a panel of experienced in-house counsel and a former in-house counsel to discuss the pitfalls of incident response and lessons learned from crisis management missteps. By sharing real-world examples, insights and actionable recommendations, [...]| Debevoise Data Blog
Our top five European data protection developments from January are: UK ransomware reporting proposals. The UK Government released a consultation on ransomware related legislative proposals, including possible reporting obligations and payment bans for cyber ransom incidents. DeepSeek investigated by Italian DPA over AI chatbot data collection practices. The Italian DPA opened an investigation into DeepSeek [...]| Debevoise Data Blog
On February 20, 2025, the SEC announced the creation of the Cyber and Emerging Technologies Unit (“CETU”) to focus on “combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space.” In this blog post, we provide an overview of the announcement, which illustrates that the Trump administration will continue [...]| Debevoise Data Blog
Because media is constantly urging us to use more AI, Professor Ethan Mollick’s recent post that identified 5 Times Not to Use AI caught our attention. After dispensing with the obvious scenarios (e.g., using AI for illegal purposes, in high-stakes situations where errors could be catastrophic, or for decisions that ethically require human work), Professor [...]| Debevoise Data Blog
In a ruling with potential implications for other pending generative artificial intelligence (“AI”) copyright cases, the United States District Court for the District of Delaware in Thomson Reuters Enterprise Centre GmbH & West Publishing Corp. v. ROSS Intelligence Inc. has granted summary judgment for Thomson Reuters on direct copyright infringement and related defenses, as well [...]| Debevoise Data Blog
In Part 1 of this series, we discussed the annual cybersecurity audit requirements in the proposed rulemaking package (the “Draft Regulations”) of the California Privacy Protection Agency (the “CPPA”). In this Part 2, we discuss the Draft Regulations’ provisions on Automated Decision-Making Technology (“ADMT”). Most notably, the Draft Regulations’ definition of ADMT is more expansive [...]| Debevoise Data Blog
On Thursday, March 6, 1:00pm-2:30pm EST, Avi Gesser will participate in a panel discussion along with Jenifer McIntosh, CIPP, Of Counsel at Stinson during an upcoming Strafford live video webinar, “Board Oversight of Artificial Intelligence: Best Practices for Governance, Compliance, and Ethical Considerations.” The panel will examine the corporate governance, data security and other challenges [...]| Debevoise Data Blog
On January 28, 2025, FINRA released its 2025 FINRA Annual Regulatory Oversight Report (the “Report”). As was the case in 2024, the Report highlights continuing and emerging trends in artificial intelligence (“AI”) in the financial services sector, among other topics. In this Debevoise Client Update, we review the Report’s discussion of common generative AI (“Gen [...]| Debevoise Data Blog
After many rounds of motions to dismiss, intellectual property cases against AI developers are moving into the discovery phase. As we previewed in our 2024 AI year in review, one of the big areas to watch in 2025 will be how much discovery courts are prepared to order into the inner workings of AI companies, [...]| Debevoise Data Blog
The first wave of the EU AI Act’s requirements came into force on 2 February 2025, namely: Prohibited AI: the ban on the use and distribution of prohibited AI systems, and AI Literacy: the requirement to ensure staff using and operating AI possess sufficient AI literacy. All businesses caught by the EU AI Act’s jurisdictional [...]| Debevoise Data Blog
Introduction On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, “Marriott”) to settle allegations that Marriott failed to implement reasonable data security measures, resulting in three large data breaches from 2014 to 2020 and [...]| Debevoise Data Blog
On December 19, 2024, the U.S. Department of Treasury (“Treasury”) released a report on The Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector (the “Report”). The Report summarizes key themes from comments from a variety of industry stakeholders (“respondents”) in response to Treasury’s June 2024 Request for Information (“RFI”), and recommends [...]| Debevoise Data Blog
Our top-eleven European data protection developments for the end of 2024 are: EU Cyber Resilience Act: The Council of the European Union approved the Cyber Resilience Act, introducing cybersecurity requirements for digital products sold in the EU. Businesses may wish to start applying the requirements to products and processes ahead of the Act becoming fully [...]| Debevoise Data Blog
DOJ Issues Landmark Rules on Sensitive Data On December 27, 2024, the U.S. Department of Justice (“DOJ”) issued the “Final Rule on Preventing Access to Sensitive Data,” creating a comprehensive export control regime to restrict the transfer of bulk sensitive personal and government-related data to foreign adversaries deemed threats to U.S. national security.[1] The rule [...]| Debevoise Data Blog
As generative AI platforms grow in sophistication, the initial era of text chatbots led by ChatGPT has evolved into a complex AI ecosystem of voice assistants and image and video creation platforms. Yet that is just the beginning; a world of autonomous AI agents is on the horizon. Generative AI has transformed how people around [...]| Debevoise Data Blog
On September 21, 2023, the Colorado Division of Insurance (the “Division”) released Regulation 10-1-1, Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the “Current Regulation”), which became effective on November 14, 2023, and which we have previously discussed in depth. The Current Regulation [...]| Debevoise Data Blog
As we approach the end of the year, here are the Top 10 SEC Cyber/AI posts on the Debevoise Data Blog in 2024 by page views. If you are not already a Blog subscriber, click here to sign up. 100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned (March 28, 2024) On December [...]| Debevoise Data Blog
As we approach the end of the year, here are the Top 10 Cybersecurity posts on the Debevoise Data Blog in 2024 by page views. If you are not already a Blog subscriber, click here to sign up. Managing Cybersecurity Risks Arising from AI – New Guidance from the NYDFS (October 20, 2024) As cybersecurity risks continue [...]| Debevoise Data Blog
As we approach the end of the year, here are the Top 11 Artificial Intelligence (“AI”) posts on the Debevoise Data Blog in 2024 by page views. If you are not already a Blog subscriber, click here to sign up. Good AI Vendor Risk Management Is Hard, But Doable (September 26, 2024) As companies slowly [...]| Debevoise Data Blog
On November 22, 2024, the California Privacy Protection Agency (the “CPPA”) opened the formal public comment period for its recently approved formal proposed rulemaking package for annual cybersecurity audits, automated decision-making technology, privacy requirements, insurance companies’ obligations, and other updates to existing regulations (the “Draft Regulations”). The Draft Regulations fulfill the CPPA’s mandate under the [...]| Debevoise Data Blog
In Part 1 of this series, we discussed the recent Circular and accompanying Appendix issued by Hong Kong’s Securities and Futures Commission (the “SFC”) on cybersecurity risks and mitigations related to the use of generative artificial intelligence language models (“AI LMs” or “LMs”). In this Part 2, we discuss the SFC’s expectations for how licensed [...]| Debevoise Data Blog
On November 12, 2024, Hong Kong’s Securities and Futures Commission (the “SFC”) issued a Circular (the “Circular”) with an accompanying appendix (the “Appendix”) setting out the SFC’s view of the risks associated with the use of generative artificial intelligence language models (“AI LMs”) and its expectations for how licensed corporations (“LCs”) (generally securities and futures [...]| Debevoise Data Blog
November 1, 2024 marked the one-year anniversary of the second amendment to the New York Department of Financial Services’ (“NYDFS” or the “Department”) Cybersecurity Regulation (the “Regulation” or “Part 500”). In Part One of this Debevoise Data Blog post series, we discussed the Part 500 requirements that came into effect on November 1, 2024. In [...]| Debevoise Data Blog
Developers of artificial intelligence (“AI”) systems notched a victory last week when a federal judge dismissed claims under the Digital Millennium Copyright Act (“DMCA”) premised on the use of copyrighted works in AI training data, holding that the plaintiffs had failed to show any concrete harm and therefore lacked standing to bring their claims. Raw [...]| Debevoise Data Blog
The Department of Justice (“DOJ”) has moved ahead with its effort to protect Americans’ sensitive personal data and U.S. government data from exploitation by countries of concern or related covered persons, issuing a Notice of Proposed Rulemaking (the “Proposal”) that closely tracks its earlier Advance Notice of Proposed Rulemaking (the “Advance Notice”). The Advance Notice had [...]| Debevoise Data Blog
On October 22, 2024, the U.S. Department of Justice (“DOJ”) announced that The Pennsylvania State University (“Penn State”), a public university in University Park, Pennsylvania, agreed to pay $1.25 million to resolve allegations that it violated the False Claims Act (the “FCA”). Specifically, Penn State allegedly failed to meet cybersecurity requirements in federal government contracts, [...]| Debevoise Data Blog
On November 8th, Avi Gesser, Luke Dembosky, Erez Liebermann, and Charu Chandrasekhar from the Debevoise Data Strategy and Security Group discussed the recent NYDFS Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI. The webcast provided a deeper dive into the topics covered in our recent blog post including: The [...]| Debevoise Data Blog
November 1, 2024, marks the one-year anniversary of the second amendment to the New York Department of Financial Services’ (“NYDFS” or the “Department”) Cybersecurity Regulation (the “Regulation” or “Part 500”). It is also the date that a number of new requirements under Part 500 come into effect, including requirements surrounding governance, encryption, and incident response [...]| Debevoise Data Blog
On October 22, 2024, the U.S. Securities and Exchange Commission (the “SEC”) announced settled charges in separate actions against four technology companies—Avaya Holdings Corp. (“Avaya”), Check Point Software Technologies Ltd. (“Check Point”), Mimecast Limited (“Mimecast”), and Unisys Corp. (“Unisys”)—each of which was a downstream victim of the unprecedented 2020 cyber-attack in which threat actors believed [...]| Debevoise Data Blog
When a company is hit by a cyber attack, normal business gives way to the chaos of managing the investigation, operational disruptions, legal issues, and communications with customers, employees, vendors, regulators, and more. A tabletop exercise (“tabletop”) allows a team to practice responding to a cybersecurity incident without the pressures and uncertainty that are inevitable [...]| Debevoise Data Blog
On Thursday, October 31, Avi Gesser and Matt Kelly will speak at the 8th Annual Disruption and Innovation in the Delivery of Legal Services Conference 2024-25 as a part of the workshop on “How AI is Transforming the Law Firm Internally and Externally.” The speakers will address the current use of AI in law firms, [...]| Debevoise Data Blog
On October 16, 2024, the New York Department of Financial Services (the “NYDFS”) issued an Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI (the “Guidance”) under the existing 23 NYCRR Part 500 (“Part 500” or “Cybersecurity Regulation”) framework. The Guidance applies to entities that are covered by Part 500 [...]| Debevoise Data Blog
Debevoise & Plimpton LLP has been shortlisted for the Financial Times’ Innovative Lawyers North America awards in the “Innovation in New Services to Manage Risk” category. The firm was selected for its global and interdisciplinary Data Strategy and Security practice (DSS) and the approach taken by DSS to developing its people and their skills. As a result of [...]| Debevoise Data Blog
Earlier this year, the U.S. Department of Housing and Urban Development (“HUD”) released an unannounced and immediately effective Cyber Incident Reporting Requirement (the “Original Requirements”) in Mortgagee Letter 2024-10, which imposed onerous requirements for Federal Housing Administration (“FHA”)-approved Mortgagees. These requirements included a 12-hour notification to HUD of even suspected incidents or incidents that violated [...]| Debevoise Data Blog
On Thursday, October 17th, at 10:40-11:25 AM (ET), Robert Maddox will speak on a virtual panel entitled “Ransomware in Europe: Best Practices and Pitfalls for Corporates and Other Organizations.” To learn more about the conference please click here. To register for free, please click here and use the code DEBEVOISE24EU Incident Response Forum Europe 2024 is a unique, [...]| Debevoise Data Blog
As companies slowly ramp up the depth and breadth of their AI adoption, one of the most difficult challenges they face is managing third-party risk. Most companies contemplating AI adoption will look to third-party vendors to provide AI-enabled products or services for their businesses. Companies often struggle when deciding what diligence to perform for these [...]| Debevoise Data Blog
In the UK, unannounced inspections of businesses’ premises, or “dawn raids”, are most often associated with authorities such as the Serious Fraud Office, National Crime Agency, Competition and Markets Authority and Metropolitan Police. However, data controllers and processors should be aware that the UK’s Information Commissioner’s Office (“ICO”) can also carry out dawn raids as [...]| Debevoise Data Blog
On September 23, 2024, the U.S. Department of Justice updated its guidance to federal prosecutors related to the “Evaluation of Corporate Compliance Programs” (the “ECCP”).[1] This revision, the first since March 2023, addresses how companies manage risks associated with new and emerging technology, including artificial intelligence, and expands on preexisting guidance regarding employee reporting channels, [...]| Debevoise Data Blog
Our top-five European data protection developments from August are: Uber fined for personal data transfer: The Dutch Data Protection Authority fined Uber €290 million for the unlawful transfer of European drivers’ personal data to the U.S., following Uber’s move away from relying on the standard contractual clauses (“SCCs”) in 2021. Businesses may wish to assess [...]| Debevoise Data Blog
On November 14-15, 2024, the University of Texas School of Law and McCombs School of Business will host a groundbreaking event limited to public company directors and C-suite executives — the Director-Executive Summit. Debevoise partner Erez Liebermann will be moderating the Cybersecurity panel, which is scheduled for the morning of Friday, November 15. To learn more about [...]| Debevoise Data Blog
Our top five European data protection developments from July are: EU AI guidance: Businesses should consider reviewing their AI policies and practices following guidance from the French CNIL and the Irish DPC recommending that businesses conduct AI risk assessments and prepare AI policies and procedures, alongside the EDPB’s statement supporting the appointment of DPAs as [...]| Debevoise Data Blog
The European Commission has published a draft regulation containing further detail on the “technical and methodological” security measures, and cybersecurity incident reporting threshold triggers, under the incoming NIS2 directive (the “NIS2 Regulation”). Once finalised, the regulation will apply from 18 October 2024 in line with member states’ deadline for NIS2 implementation. NIS2: a recap The [...]| Debevoise Data Blog
On July 29, 2024, the Standing Committee on Ethics and Professional Responsibility of the American Bar Association (“ABA”) published Formal Opinion 512, providing guidance on the ethical use of generative AI tools by legal professionals (the “Opinion”). The Opinion is the latest of several similar ethical guidelines published by various state courts and bar ethics [...]| Debevoise Data Blog
Our top five European data protection developments from June are: Non-material damage under GDPR: The CJEU clarified the scope of compensation for non-material damage in the context of identity theft and data subjects’ fear that their personal data had been exposed. Businesses may wish to review their policies and procedures for responding to compensation requests [...]| Debevoise Data Blog
When drafting policies on the use of artificial intelligence, one challenge that many businesses face is how to define AI, and relatedly, when should AI governance and compliance programs apply to models that do not meet the definition of AI. Choosing a Regulatory Definition of AI One common approach is to adopt the definition that [...]| Debevoise Data Blog
On July 18, 2024, in the landmark SEC v. SolarWinds Corp. case, U.S. District Judge Paul Engelmayer dismissed the majority of the claims brought by the U.S. Securities and Exchange Commission (the “SEC”) against SolarWinds Corporation (“SolarWinds”), including the SEC’s previously untested claim that alleged deficiencies in SolarWinds’ cybersecurity controls amounted to violations of the internal accounting [...]| Debevoise Data Blog
On Friday, July 26 at 11:00am EDT, Eric Dinallo from Debevoise’s Insurance Regulatory practice joined Avi Gesser and Sharon Shaji from the firm’s Data Strategy and Security practice, for a debrief on the final version of Insurance Circular No. 7, which sets out detailed requirements for insurance companies operating in New York that use AI [...]| Debevoise Data Blog
On July 11, 2024, the New York State Department of Financial Services (the “NYDFS”) adopted Insurance Circular Letter No. 7 regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Final Circular”). The Final Circular largely adopts the language of the January 2024 Proposed Insurance [...]| Debevoise Data Blog
The EU AI Act (the “Act”) has made it through the EU’s legislative process and has passed into law today; it will come into effect on 2 August 2024. Most of the substantive requirements will come into force two years later, from 2 August 2026, with the main exception being “Prohibited” AI systems, which will be [...]| Debevoise Data Blog
Debevoise’s Data Strategy and Security group recently assisted four leading trade associations that represent the financial services industry in preparing a joint comment letter in response to the Cybersecurity and Infrastructure Security Agency’s (“CISA”) notice of proposed rulemaking for reporting requirements for critical infrastructure entities that experience covered cybersecurity incidents (the “Proposed Rule”), developed pursuant [...]| Debevoise Data Blog
This is the second post in our two-part Debevoise Data Blog series covering the U.S. Treasury Department’s report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”). In Part 1, we addressed the Report’s coverage of the state of AI regulation and best practices recommendations for AI risk management and governance. In Part [...]| Debevoise Data Blog
While the SEC made an early foray into proposing rules to govern use of generative AI (Gen AI) by broker-dealers,[1] FINRA has been taking a more traditional approach to emergent technology: surveying members on uses, issuing white papers,[2] publishing observations from its examinations program,[3] and issuing guidance about the application of existing rules.[4] Consistent with [...]| Debevoise Data Blog
Over the last week, the Consumer Financial Protection Bureau (“CFPB”) and the Office of the Comptroller of the Currency (“OCC”) approved the Quality Control Standards for Automated Valuation Models (the “Rule”), which will require mortgage originators and secondary market issuers to ensure that algorithms used for real estate valuation, including artificial intelligence (“AI”) systems (collectively, [...]| Debevoise Data Blog
Our top five European data protection developments from May are: UK guidance on ransom payments: The UK NCSC and various insurance industry bodies co-published guidance on key considerations for ransomware payments. The guidance does not introduce new restrictions or obligations, and is consistent with prior industry standards, as well as UK NCSC and UK ICO [...]| Debevoise Data Blog
June 27, 2024 On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the [...]| Debevoise Data Blog
As the European Union edges ever-closer to formally enacting the EU AI Act, attention is turning to how other jurisdictions will approach AI regulation. In the UK, individual regulators will oversee the use of AI within their respective areas of competence. This blog post analyses the UK Competition and Markets Authority’s (“CMA”) proposed approach to [...]| Debevoise Data Blog
Companies across a range of industries are increasingly incorporating artificial intelligence (“AI”) into their businesses. As with any new technology, AI presents a number of questions concerning its relation to and compliance with antitrust laws. U.S. antitrust enforcers under the current administration have expressed a range of concerns around AI, including its effects on the [...]| Debevoise Data Blog