As we approach the end of the year, here are the Top 10 SEC Cyber/AI posts on the Debevoise Data Blog in 2024 by page views. If you are not already a Blog subscriber, click here to sign up. 100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned (March 28, 2024) On December 18, 2023, the SEC’s rule…

As we approach the end of the year, here are the Top 10 Cybersecurity posts on the Debevoise Data Blog in 2024 by page views. If you are not already a Blog subscriber, click here to sign up. Managing Cybersecurity Risks Arising from AI – New Guidance from the NYDFS (October 20, 2024) As cybersecurity risks continue to grow, so does the…

As we approach the end of the year, here are the Top 11 Artificial Intelligence (“AI”) posts on the Debevoise Data Blog in 2024 by page views. If you are not already a Blog subscriber, click here to sign up. Good AI Vendor Risk Management Is Hard, But Doable (September 26, 2024) As companies slowly ramp up the depth and…

On November 22, 2024, the California Privacy Protection Agency (the “CPPA”) opened the formal public comment period for its recently approved formal proposed rulemaking package for annual cybersecurity audits, automated decision-making technology, privacy requirements, insurance companies’ obligations, and other updates to existing regulations (the “Draft Regulations”). The Draft Regulations fulfill the CPPA’s mandate under the California Consumer Privacy Act (the…

In Part 1 of this series, we discussed the recent Circular and accompanying Appendix issued by Hong Kong’s Security and Futures Commission (the “SFC”) on cybersecurity risks and mitigations related to the use of generative artificial intelligence language models (“AI LMs” or “LMs”). In this Part 2, we discuss the SFC’s expectations for how licensed corporations (“LCs”) (generally securities and…

On November 12, 2024, Hong Kong’s Security and Futures Commission (the “SFC”) issued a Circular (the “Circular”) with an accompanying appendix (the “Appendix”) setting out the SFC’s view of the risks associated with the use of generative artificial intelligence language models (“AI LMs”) and its expectations for how licensed corporations (“LCs”) (generally securities and futures markets participants such as private…

November 1, 2024 marked the one-year anniversary of the second amendment to the New York Department of Financial Services’ (“NYDFS” or the “Department”) Cybersecurity Regulation (the “Regulation” or “Part 500”). In Part One of this Debevoise Data Blog post series, we discussed the Part 500 requirements that came into effect on November 1, 2024. In this Part Two, we look…

Developers of artificial intelligence (“AI”) systems notched a victory last week when a federal judge dismissed claims under the Digital Millennium Copyright Act (“DMCA”) premised on the use of copyrighted works in AI training data, holding that the plaintiffs had failed to show any concrete harm and therefore lacked standing to bring their claims.  Raw Story Media, Inc. v. OpenAI…

The Department of Justice (“DOJ”) has moved ahead with its effort to protect Americans’ sensitive personal data and U.S. government data from exploitation by countries of concern or related covered persons, issuing a Notice of Proposed Rulemaking (the “Proposal”) that closely tracks its earlier Advance Notice of Proposed Rulemaking (the “Advance Notice”). The Advance Notice had been released in February concurrently…

On October 22, 2024, the U.S. Department of Justice (“DOJ”) announced that The Pennsylvania State University (“Penn State”), a public university in University Park, Pennsylvania, agreed to pay $1.25 million to resolve allegations that it violated the False Claims Act (the “FCA”). Specifically, Penn State allegedly failed to meet cybersecurity requirements in federal government contracts, misrepresented compliance timelines and plans,…