As legislators and regulators around the world are trying to determine how to approach the novel risks and opportunities that AI technologies present, the draft European Union Artificial Intelligence Act (the “EU AI Act” or the “Act”) is a highly anticipated step towards the future of AI regulation. Despite recent challenges in the EU “trilogue negotiations”, proponents still hope to…

On Tuesday, November 28 Avi Gesser, Erez Liebermann and Stephanie Thomas of the Debevoise Data Strategy and Security group hosted a webcast that examined the final amendments to Cybersecurity Regulation, 23 NYCRR Part 500, announced by the NYDFS on November 1, 2023. They discussed what changes made it into the final version, and the implications that the final rules have for…

Key takeaways from October include: Employee monitoring: Following new guidance issued by the UK ICO, employers may want to review their existing employee monitoring to ensure it meets the regulator’s latest expectations, including ensuring that any monitoring is necessary, proportionate, and conducted transparently. Data protection & AI: In particular: (i) the French CNIL published its first set of guidance on…

On November 16, 2023, the Committee on Professional Responsibility and Conduct for the State Bar of California (“COPRAC”) provided initial recommendations regarding use of generative AI by lawyers (the “Guidance”). The Guidance uses the existing Rules of Professional Conduct as a framework, but recognizes that generative AI is a rapidly evolving technology that might necessitate new regulation and rules in…

On Thursday, December 7th, 8:10-8:55 AM (ET), Robert Maddox will speak on a virtual panel entitled “Incident Response in Europe: State of Play.” To learn more about the conference please click here. To register for free, please click here and contact us for the Debevoise registration code. Incident Response Forum Europe 2023 is a unique, one-day conference that brings together…

On November 7, 2023, the profilic ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data.   While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. Securities and…

As will be discussed in our November 28, 2023 webcast, on November 1, 2023, the New York Department of Financial Services (“NYDFS” or the “Department”) announced the adoption of the second amendment to its Cybersecurity Regulation (the “Second Amendment” or “Final Amendment”) that reflects NYDFS’s revisions as a result of comments it received on the proposed amendment released in June…

On 26 October 2023, the Bank of England, Prudential Regulation Authority (“PRA”) and Financial Conduct Authority (“FCA”, collectively the “UK Financial Authorities”) published FS2/23 on Artificial Intelligence and Machine Learning (the “Response Paper”). It summarises participants’ responses to the October 2022 AI discussion paper (DP5/22, the “Discussion Paper”), which outlined the UK Financial Authorities’ proposed approach to AI regulation. The…

On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment (“Amended Rule”) to the Standards for Safeguarding Customer Information (the “Safeguards Rule”) that will require non-banking financial institutions (“covered entities”) to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unauthorized acquisition of unencrypted customer information…

SIFMA and SIFMA AMG Comment on the SEC’s Proposed Rules for BDs and RIAs Among its many uses in the financial world, technology can improve operational efficiencies, reduce risk and provide valuable information and services to clients. In this joint post with SIFMA, we explore how new rules proposed by the U.S. Securities and Exchange Commission, purportedly focused on predictive…