Over two years since the GDPR came into force, the full extent of its impact is still developing at pace.  In this post, we look back at the 2020 European data protection landscape and five trends that help companies understand not only where we are, but where data protection enforcement, litigation, and practice may be headed. 1. Enforcement against a…

Introduction For those following emerging artificial intelligence (“AI”) regulations and enforcement closely, one issue of great interest is remedies. In particular: in what circumstances, if any, would regulators or courts find that a flawed machine learning or AI model must be scrapped entirely? A hot-off-the-press decision from the U.S. Federal Trade Commission (the “FTC”) suggests regulators will not shy away…

On January 6, 2021, Avi Gesser and Anna Gressel from Debevoise’s Data Strategy and Security Group and Keith Slattery from Debevoise’s Insurance Group has an insightful conversation with Stefan Toi from Aon Cyber Solutions and Marcello Antonucci from Beazley on cyber insurance coverage and the gaps it may leave for the unique risks posed by artificial intelligence. During the webcast,…

On January 12, Judge James Boasberg of the U.S. District Court for the District of Columbia granted plaintiff Guo Wengui’s motion to compel production of a report (the “Report”)—and related materials—prepared by forensic vendor Duff & Phelps in Guo’s lawsuit against the law firm that formerly represented him, Clark Hill, PLC (the “Firm”).  See Wengui v. Clark Hill, PLC, No.…

Regulators in the United States and abroad are showing increasing interest in pursuing enforcement actions against companies that deploy artificial intelligence, machine learning, or algorithmic-based applications (“AI”) in a way that the regulators perceive as harmful to the public. These regulators expect transparent and comprehensive disclosures by companies regarding AI that can negatively affect clients or customers. The United States…

On January 12, 2021, the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB”) (together the “Agencies”) published a notice of proposed rulemaking (“Proposed Rule”) that would significantly update the Agencies’ guidance on data breach response. The Proposed Rule would impose prompt reporting requirements on banking organizations and their…

Tough Cookie: French CNIL Hits Google and Amazon with a Total of €135 million in Fines On December 7, 2020, the French data protection authority, the CNIL (“Commission Nationale de l’Informatique et des Libertés”), fined first Google LLC and Google Ireland Ltd €100 million, and then Amazon Europe Core €35 million for violations of the French Data Protection Act (“French DPA”).…

On December 10, 2020, California’s Attorney General formally announced a fourth round of proposed modifications to the AG’s regulations regarding the California Consumer Privacy Act (“CCPA”). These modifications include the long-awaited proposal for a universal form of “opt-out” button for businesses to use on their websites – shown below without further ado: The proposal responds to a mandate, in the…

We have recently written about the persistence of the four most common varieties of cyberattacks: Ransomware, Phishing, Business Email Compromises, and Credential Stuffing, as well as the increased regulatory scrutiny that companies face when they fall victim to these attacks. Over the last few months, we have observed an increase in another form of cybersecurity threat: DDoS ransom attacks, where cybercriminals demand a…

At many companies, employees are increasingly using non-business communication applications (“apps”) such as iMessage, WhatsApp and WeChat for business-related communications. This trend has likely accelerated in the COVID era, as work-from-home arrangements blur traditional lines between “business” and “personal” time, and many conversations that were normally held in person are now done virtually. A recent SEC enforcement action highlights the…