Earlier this year, the U.S. Department of Housing and Urban Development (“HUD”) released an unannounced and immediately effective Cyber Incident Reporting Requirement (the “Original Requirements”) in Mortgagee Letter 2024-10, which imposed onerous requirements for Federal Housing Administration (“FHA”)-approved Mortgagees. These requirements included a 12-hour notification to HUD of even suspected incidents or incidents that violated policy. (We wrote about the…

On Thursday, October 17th, at 10:40-11:25 AM (ET), Robert Maddox will speak on a virtual panel entitled “Ransomware in Europe: Best Practices and Pitfalls for Corporates and Other Organizations.” To learn more about the conference please click here. To register for free, please click here and use the code DEBEVOISE24EU Incident Response Forum Europe 2024 is a unique, one-day conference that brings together…

As companies slowly ramp up the depth and breadth of their AI adoption, one of the most difficult challenges they face is managing third-party risk. Most companies contemplating AI adoption will look to third-party vendors to provide AI-enabled products or services for their businesses. Companies often struggle when deciding what diligence to perform for these vendors and how to mitigate…

In the UK, unannounced inspections of businesses’ premises, or “dawn raids”, are most often associated with authorities such as the Serious Fraud Office, National Crime Agency, Competition and Markets Authority and Metropolitan Police. However, data controllers and processers should be aware that the UK’s Information Commissioner’s Office (“ICO”) can also carry out dawn raids as part of investigations into compliance…

On September 23, 2024, the U.S. Department of Justice updated its guidance to federal prosecutors related to the “Evaluation of Corporate Compliance Programs” (the “ECCP”).[1] This revision, the first since March 2023, addresses how companies manage risks associated with new and emerging technology, including artificial intelligence, and expands on preexisting guidance regarding employee reporting channels, whistleblower protection, post-acquisition compliance integration,…

Our top-five European data protection developments from August are: Uber fined for personal data transfer: The Dutch Data Protection Authority fined Uber €290 million for the unlawful transfer of European drivers’ personal data to the U.S., following Uber’s move away from relying on the standard contractual clauses (“SCCs”) in 2021. Businesses may wish to assess their own cross-border data transfer…

On November 14-15, 2024, the University of Texas School of Law and McCombs School of Business will host a groundbreaking event limited to public company directors and C-suite executives — the Director-Executive Summit. Debevoise partner Erez Lieberman will be moderating the Cybersecurity panel, which is scheduled for the morning of Friday, November 15. To learn more about the event, please click here.…

Our top five European data protection developments from July are: EU AI guidance: Businesses should consider reviewing their AI policies and practices following guidance from the French CNIL and the Irish DPC recommending that businesses conduct AI risk assessments and prepare AI policies and procedures, alongside the EDPB’s statement supporting the appointment of DPAs as the national authorities responsible for…

The European Commission has published a draft regulation containing further detail on the “technical and methodological” security measures, and cybersecurity incident reporting threshold triggers, under the incoming NIS2 directive (the “NIS2 Regulation”). Once finalised, the regulation will apply from 18 October 2024 in line with member states’ deadline for NIS2 implementation. NIS2: a recap The second Network and Information Systems…

On July 29, 2024, the Standing Committee on Ethics and Professional Responsibility of the American Bar Association (“ABA”) published Formal Opinion 512, providing guidance on the ethical use of generative AI tools by legal professionals (the “Opinion”). The Opinion is the latest of several similar ethical guidelines published by various state courts and bar ethics committees, including the September 2023…