As AI adoption continues to increase, businesses are looking for familiar risk management protocols for AI governance.  One obvious governance framework to use is cybersecurity, which is another area where rapid technological change has required businesses to quickly adapt to complex challenges. Because of the similarities between cybersecurity and AI risk (e.g., both are relatively new to many businesses, tech-driven,…

In Part 1 of this series, we discussed the annual cybersecurity audit requirements in the California Privacy Protection Agency (the “CPPA”)’s proposed rulemaking package (the “Draft Regulations”). In Part 2, we discussed the Draft Regulations’ provisions on automated decision-making technology (“ADMT”). In this Part 3, we discuss the Draft Regulations’ amendments to existing privacy-related requirements under the California Consumer Privacy…

Debevoise & Plimpton LLP partners Luke Dembosky, Erez Liebermann and Jim Pastore have again been named to Cybersecurity Docket’s “Incident Response 50 List” for 2025. The list recognizes the “50 best data breach response lawyers in the business” and the top incident response attorneys and compliance professionals who not only have the right credentials and experience to manage a data…

On March 12, 2025, the California Privacy Protection Agency (the “CPPA”) announced a decision and stipulated final order stemming from its investigation of the American Honda Motor Company’s (the “Company” or “Honda”) data privacy practices. In addition to implementing changes in its practices, the Company agreed to pay an administrative fine of $632,500. The decision details various failures to appropriately…

On April 9, 2025, the U.S. Securities and Exchange Commission (the “SEC”) and the U.S. Attorney’s Office for the Southern District of New York filed parallel actions against Albert Saniger, the former CEO of Nate, Inc. (“Nate”), alleging that he made materially false and misleading statements to investors about the company’s artificial intelligence (“AI”) capabilities. This matter is particularly noteworthy…

Most companies have implemented protocols for when an employee emails confidential information to the wrong person.  A new version of that problem occurs when an employee uploads sensitive information to a consumer (i.e., not enterprise) AI tool, which gives rise to the following questions: Can the data be clawed back or deleted, and if so, how? Can humans at the…

OVERVIEW OF THE NEW LEGISLATION Definitions The new legislation, described as the first Hong Kong cybersecurity law, regulates designated “Operator of Critical Infrastructure” (the “CIO”) and its “Critical Computer Systems” (the “CCS”). “Critical Infrastructure” (the “CI”) is defined as: any infrastructure that is essential to the continuous provision of an essential service in Hong Kong in eight specified sectors: energy,…

Given that AI models require large swathes of data to operate, the GDPR’s expansive definition of personal data means that many applications of AI involve complex data protection issues – especially where those datasets are obtained from third-party sources. At the Irish DPC’s request, the European Data Protection Board (“EDPB”) has adopted Opinion 28/2024 on data protection considerations when developing…

Our top-five European data protection developments from February are: European Commission publishes guidelines on prohibited AI practices: The EU Commission has published non-binding guidance on the EU AI Act’s prohibited use cases. European Parliamentary Research Service Report Highlights Tension Between the EU AI Act and GDPR: The ERPS published a report warning of a potential conflict between the EU AI…

South Korea has become the latest country to pass a national AI law. The “Basic Act on the Development of Artificial Intelligence and Establishment of Foundation for Trust” (the “Basic Act” or the “Act”), which has several similarities to – and differences from – the EU AI Act, and comes into force on January 22, 2026. Like its EU counterpart,…