The EU’s General Data Protection Regulation 2016 (the “GDPR”) changed the global privacy landscape, and has been called the “gold standard” for data protection regulation. Recently, a number of U.S. states have introduced privacy laws, which borrow certain GDPR concepts (the “State Privacy Laws”): the Californian Consumer Rights Privacy Act 2020 (the “CPRA”) which amends the California Consumer Privacy Act…

On 10 November 2022, the European Parliament approved the EU Digital Operational Resilience Act (“DORA”). Subject to the Council of the EU’s approval, DORA will impose far-reaching operational resilience requirements and management oversight requirements on financial services firms – including banks, insurers and private equity firms – as well as critical service providers that, for the first time, will be…

On Wednesday, November 30, 2022 at 12:00 PM ET, Avi Gesser, Co-Chair of the Debevoise Data Strategy and Security Group, will participate in the online WSJ Pro Cybersecurity Forum on a panel on Cybersecurity Whistleblowers, which will examine: Why employees blow the whistle on poor cybersecurity practices; How companies should prepare for a rise in internal data scrutiny; and What steps…

On Friday, November 18, 2022 at 10:30 AM ET, Eric Dinallo, Avi Gesser, Erez Liebermann, Caroline Novogrod Swett, and Johanna Skrzypczyk participated in a webcast examining the new draft amendments to the Part 500 Cybersecurity Rules (“Draft Amendments”) proposed by the New York Department of Financial Services (“NYDFS”) and the implications they may have for insurance companies and other NYDFS-regulated entities.…

Machines are increasingly making important decisions that have traditionally been made by humans, such as who should get a job interview or who should receive a loan. For valid legal, reputational, and technical reasons, many organizations and regulators do not fully trust machines to make these judgments by themselves. As a result, humans usually remain involved in AI decision making,…

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500 (“Proposed Amendments”). This announcement follows a highly active pre-proposal comment period, during which industry stakeholders shared their thoughts with the NYDFS on the changes under consideration, which we covered here for an…

Debevoise & Plimpton LLP has been named one of the finalists in the “Innovation in Digitizing Legal Services” category by the Financial Times’ North America Innovative Lawyers Awards. The firm was selected for its Data Portal, which consists of a groundbreaking suite of tools that helps clients address business-critical cybersecurity and AI issues, including: The Cyber Breach Notification Assessment…

On Thursday, November 17, 2022, at 1:00 PM ET, Debevoise’s Anna Gressel will join TruEra for a conversation on New York City’s new Automated Employment Decision Tool Law, which requires employers to conduct an independent bias audit of their AI employment tools by January 1, 2023. Anna will be joined by Anupam Datta, TruEra’s Co-founder, President and Chief Scientist, as…

Key takeaways this October include: Facial Recognition: Businesses face continued challenges in establishing GDPR-compliant facial recognition technology, including those with no presence in the EEA, after the French CNIL fined Clearview AI €20 million for “intrusive and massive” data processing without consent or a valid legitimate interest, among other failings; Digital Services Act: The EU’s adoption of the Digital Services…

On 24 October 2022, the UK Information Commissioner’s Office (“ICO”) fined Interserve Group Limited £4.4 million for failing to implement appropriate technical and organisational measures to safeguard 113,000 individuals’ personal data in company HR databases. Here we outline what went wrong and lessons for businesses about how to manage the risk of similar incidents and regulatory enforcement action. What happened?…