On July 27, 2022, the Securities and Exchange Commission (“SEC”) separately charged three financial institutions with violations of Rule 201 of Regulation S-ID (“Reg S-ID”), also known as the Identity Theft Red Flags Rule (“Red Flags Rule”). The announcement of multiple Reg S-ID enforcement settlements (all of which were investigated by the SEC’s recently expanded Crypto Assets and Cyber Unit…

On Friday, August 5, 2022 from 10:30 – 11:20 am EDT, Eric Dinallo, Luke Dembosky, Avi Gesser, Erez Liebermann, and Charu Chandrasekhar will be participating in the latest installment of Debevoise’s series of Friday webinars. The webinar will examine the draft amendments to the Part 500 Cybersecurity Rules (“Draft Amendments”) proposed by the New York Department of Financial Services (“NYDFS”)…

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Part 500 Cybersecurity Rules, which include a mandatory 24-hour notification for cyber ransom payments, annual independent cybersecurity audits for larger entities, increased expectations for board expertise, and tough new restrictions on privileged accounts. There will be a very short 10-day pre-proposal comments period…

On July 8, 2022, the California Privacy Protection Agency (the “Agency”) issued a Notice of Proposed Rulemaking, kicking off a forty-five day comment period for proposed updates to the California Consumer Privacy Act (“CCPA”) regulations. These updates streamline the CCPA regulations and revise them to reflect the changes made by the amendments in the Consumer Privacy Rights Act of 2020…

On July 8, 2022, the U.S. Department of Justice (the “DOJ”) announced that Aerojet Rocketdyne (“Aerojet”), a California-based aerospace and defense contractor, agreed to pay $9 million to resolve allegations that it violated the False Claims Act (the “FCA”) by misrepresenting its compliance with cybersecurity requirements in federal government contracts. The DOJ’s announcement follows the court’s approval of a tentative…

On July 5, 2022, the European Parliament voted to approve the final text of the Digital Services Act (“DSA” or the “Act”), a landmark regulation that—along with its sister regulation, the Digital Markets Act (“DMA”)—is poised to transform the global regulatory landscape for social media platforms, hosting services like cloud service providers, and other online intermediaries. Lawmakers have billed the…

A growing number of employers are turning to artificial intelligence (“AI”) tools to assist in recruiting and other employment decisions. According to Forbes, almost all Fortune 500 companies use talent-sifting software, and more than half of human resource leaders in the U.S. leverage predictive algorithms to support hiring. Widespread adoption of these tools has led to concerns from regulators and…

On June 21, 2022, the House Energy and Commerce Committee formally introduced a new federal privacy bill: the American Data Privacy and Protection Act (“ADPPA”). Notably, the ADPPA has diverse support from both branches of Congress and both political parties. The ADPPA aims to create a national framework that would preempt many, but not all, state privacy laws. It is…

On Friday, July 15, 2022, Eric Dinallo, Avi Gesser, Erez Liebermann, and Anna Gressel participated in the latest installment of Debevoise’s Insurance Series webcast to discuss the implications of the recent California Insurance Department Bulletin on Allegations of Racial Bias and Unfair Discrimination in Marketing, Rating, Underwriting, and Claims Practices by the Insurance Industry.  Their discussion included: The scope of…

On June 30, 2022, the California Department of Insurance (the “Department”) released Bulletin 2022-5 (the “Bulletin”), which places several limitations on the use of Artificial Intelligence (“AI”) and alternative data sets (“Big Data”) by the insurance industry. The Bulletin states that the Department is aware of recent allegations of racial discrimination in marketing, rating, underwriting and claims practices by insurance…