Michael Bloom – Debevoise Data Blog

Artificial Intelligence

Debevoise Data Blog: Top 14 AI Posts of 2025

By: Charu A. Chandrasekhar, Andrew J. Ceresney, Courtney M. Dankworth, Avi Gesser, Robert B. Kaplan, Gordon Moodie, Jim Pastore, Julie M. Riewe, Jeff Robins, Kristin Snyder, Matt Kelly, Johanna Skrzypczyk, Karen Levy, Diane Bernabei, Michael Bloom, HJ Brehmer, Suchita Mandavilli Brundage, Melyssa Eigen, Joshua A. Goland, Martha Hirst, Gabriel Kohan, Carl Lasker, Jeremy Liss, Andreas Constantine Pavlou, Joshua Plastrik, Achutha Raman, Adam Shankman, Stephanie Thomas, Nathaniel Waldman, Annabella M. Waszkiewicz, Stan Gershengoren, William Sadd, Nicholas T. Ziebell, Patty (Virtual AI Specialist) and Sergio (Virtual AI Specialist) December 8, 2025

Why Agentic AI Often Fails and the Enduring Value of Human Judgment (11/4/2025) We’ve been doing a lot of work recently on agentic AI workflows. In this post, we share…

Artificial Intelligence

Colorado Approves Extension of AI Regulation to Health and Auto Insurers

By: Avi Gesser, Johanna Skrzypczyk, Michael Bloom, Benjamin Leb and Ned Terrace September 9, 2025

On August 20, 2025, Colorado’s Division of Insurance (the “Division”) adopted final amendments to its regulation on the Governance and Risk Management Framework Requirements for certain insurers that use external…

Artificial Intelligence

AI Risk Management Part 1 – Optimizing Human Review of AI Content and Decisions

By: Avi Gesser, Matt Kelly, Michael Bloom and Sharon Shaji May 22, 2025

Artificial intelligence (“AI”) is improving, but even the best models still can hallucinate, miscite, and miscalculate. The primary strategy for managing these and other risks associated with AI deployment is…

Artificial Intelligence

An Employee Just Uploaded Sensitive Data to a Consumer AI Tool – Now What?

By: Avi Gesser, Matt Kelly, HJ Brehmer, Michael Bloom and Nathaniel Waldman April 16, 2025

Most companies have implemented protocols for when an employee emails confidential information to the wrong person. A new version of that problem occurs when an employee uploads sensitive information to…

Enforcement

FTC’s Consent Order Against Marriott: Expectations for Reasonable Security

By: Erez Liebermann, Jim Pastore, Christopher S. Ford, Michael Bloom, Mengyi Xu, Achutha Raman and Michelle Shen January 30, 2025

Introduction On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC…

Announcement

Debevoise Authors 2023 Edition of the PLI Privacy Law Answer Book

By: Luke Dembosky, Avi Gesser, Jyotin Hamid, Satish Kini, Henry Lebowitz, Erez Liebermann, Maura Kathleen Monaghan, David A. O'Neil, Jim Pastore, David Sarratt, Jeffrey P. Cunard, Kim Le, Tricia Bozyk Sherno, Johanna Skrzypczyk, Michael R. Roberts, Michael Bloom, Fanny Gauthier, Corey Goldstein, Kyle Kysela, Hannah R. Levine, Linda Lin, Melissa Muse, Kate Saba, Noah L. Schwartz and Mengyi Xu January 23, 2023

The Data Strategy and Security team at Debevoise & Plimpton LLP has authored the Practising Law Institute’s 2023 edition of the Privacy Law Answer Book, a user-friendly guide to the laws and…

Privacy

California’s Age-Appropriate Design Code Act Expands Businesses’ Privacy Obligations Regarding Minors

By: Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Michael Bloom, Martha Hirst and Alessandra G. Masciandaro September 19, 2022

On September 15, 2022, California Governor Gavin Newsom signed into law the bipartisan AB 2273, known as the California Age-Appropriate Design Code Act (“California Design Code”). The California Design Code…

CCPA

Getting Ready for 2023: What Companies Can Do Now to Prepare for New Privacy Laws

By: Jeremy Feigelson, Avi Gesser, Johanna Skrzypczyk, Michael Bloom, Michael R. Roberts, Tricia Reville and Kate Saba December 16, 2021

The Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”)—enshrined in the California Privacy Rights Act (“CPRA”)—take effect on January 1, 2023. In addition,…

Artificial Intelligence

Tips for Creating a Sensible Cybersecurity and AI Risk Framework for Critical Vendors

By: Avi Gesser, Anna Gressel, Zila Reyes Acosta-Grimes and Michael Bloom February 16, 2021

Companies face increasing cybersecurity and AI risk from third-party vendors. Cybersecurity risks arise when companies share sensitive personal data or company information with their vendors or when their vendors have…

Automated Decision Making

First Enforcement Action by New York DFS Under Its Cyber Rules Shows Where Companies Face Regulatory Risk – Six Quick Takeaways

By: Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Zila Reyes Acosta-Grimes, Michael Bloom, Christopher S. Ford and Mengyi Xu July 22, 2020

The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (the “Charges”) earlier today against First American Title Insurance Company (“First American”) for…