Stephanie Thomas – Debevoise Data Blog

Announcement

Debevoise Data Blog: Top 5 Cybersecurity Blog Posts of 2025

By: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Daniel M. Gitner, Erez Liebermann, Jim Pastore, Benjamin R. Pedersen, Jeff Robins, Julie M. Riewe, Kristin Snyder, Matt Kelly, HJ Brehmer, John Jacob, Gabriel Kohan, Amer Mneimneh, Andreas Constantine Pavlou, Lily Schoen, Cameron Sharp, Stephanie Thomas and Cindy Tu December 10, 2025

As we approach the end of the year, here are the Top 5 Cybersecurity posts on the Debevoise Data Blog in 2025. 1. Protecting Privilege in Incident Response: Litigation Lessons…

Artificial Intelligence

Debevoise Data Blog: Top 14 AI Posts of 2025

By: Charu A. Chandrasekhar, Andrew J. Ceresney, Courtney M. Dankworth, Avi Gesser, Robert B. Kaplan, Gordon Moodie, Jim Pastore, Julie M. Riewe, Jeff Robins, Kristin Snyder, Matt Kelly, Johanna Skrzypczyk, Karen Levy, Diane Bernabei, Michael Bloom, HJ Brehmer, Suchita Mandavilli Brundage, Melyssa Eigen, Joshua A. Goland, Martha Hirst, Gabriel Kohan, Carl Lasker, Jeremy Liss, Andreas Constantine Pavlou, Joshua Plastrik, Achutha Raman, Adam Shankman, Stephanie Thomas, Nathaniel Waldman, Annabella M. Waszkiewicz, Stan Gershengoren, William Sadd, Nicholas T. Ziebell, Patty (Virtual AI Specialist) and Sergio (Virtual AI Specialist) December 8, 2025

Why Agentic AI Often Fails and the Enduring Value of Human Judgment (11/4/2025) We’ve been doing a lot of work recently on agentic AI workflows. In this post, we share…

Artificial Intelligence

AI Discrimination Risk in Lending: Lessons from the Massachusetts AG’s Recent $2.5 Million Settlement

By: Avi Gesser, Johanna Skrzypczyk, Stephanie Thomas, Melyssa Eigen and Achutha Raman July 20, 2025

Using AI to make important decisions about individuals carries a risk of bias, especially for underwriting, credit, employment, and educational admission decisions. In this Debevoise Data Blog post, we discuss…

SEC

Financial Services Industry Petitions the SEC for a Rulemaking to Amend the Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule

By: Erez Liebermann, Benjamin R. Pedersen, John Jacob, Stephanie Thomas and Cindy Tu May 27, 2025

Debevoise’s Data Strategy and Security group recently assisted five leading financial services industry trade associations in preparing a joint rulemaking petition in response to the Securities and Exchange Commission’s (“SEC”)…

Artificial Intelligence

European Data Protection Roundup – Q4 2024

By: Robert Maddox, Johanna Skrzypczyk, Aisling Cowell, Stephanie Thomas, Michiko Wongso, Richard Blomqvist, Olivia Halderthay, Mia Hermann, Jeevika Bali, Samuel Thomson, Alexander McGinley, Christina Newall and Oliver Binns January 17, 2025

Our top-eleven European data protection developments for the end of 2024 are: EU Cyber Resilience Act: The Council of the European Union approved the Cyber Resilience Act, introducing cybersecurity requirements…

Artificial Intelligence

Colorado Proposes Extending AI Regulation to Health and Auto Insurers

By: Eric Dinallo, Avi Gesser, Marshal Bozzo, Matt Kelly, Samuel J. Allaman, Melyssa Eigen, Ned Terrace, Stephanie Thomas and Mengyi Xu December 16, 2024

On September 21, 2023, the Colorado Division of Insurance (the “Division”) released Regulation 10-1-1, Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information…

Artificial Intelligence

Top 10 (Well, 11) Cybersecurity Blog Posts for 2024

By: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Gareth Hughes, Erez Liebermann, Jim Pastore, Caroline Novogrod Swett, Marshal Bozzo, Matt Kelly, Robert Maddox, Johanna Skrzypczyk, HJ Brehmer, Stephanie Cipolla, Jackie Dorward, Melyssa Eigen, Joshua A. Goland, Martha Hirst, Karen Joo, Gabriel Kohan, Jarrett Lewis, Noah L. Schwartz, Ned Terrace, Stephanie Thomas, Annabella M. Waszkiewicz, Michiko Wongso and Mengyi Xu December 10, 2024

As we approach the end of the year, here are the Top 10 Cybersecurity posts on the Debevoise Data Blog in 2024 by page views. If you are not already…

Compliance

Part 500, One Year Later (Part Two) – Defining “Material Compliance”

By: Luke Dembosky, Avi Gesser, Erez Liebermann, Stephanie Thomas and Joshua A. Goland November 13, 2024

November 1, 2024 marked the one-year anniversary of the second amendment to the New York Department of Financial Services’ (“NYDFS” or the “Department”) Cybersecurity Regulation (the “Regulation” or “Part 500”).…

Data Transfers

Biden Administration Proposes to Limit Access to Sensitive Personal Data by Countries of Concern

By: Satish Kini, Rick Sofield, Erez Liebermann, Robert Dura, Taylor Richards, Stephanie Thomas, Jordan Corrente Beck and Yair Strachman November 6, 2024

The Department of Justice (“DOJ”) has moved ahead with its effort to protect Americans’ sensitive personal data and U.S. government data from exploitation by countries of concern or related covered…

Cybersecurity

NYDFS Part 500, One Year Later (Part One) – New Requirements Effective November 1, 2024

By: Avi Gesser, Erez Liebermann, Stephanie Thomas and Joshua A. Goland October 30, 2024

November 1, 2024, marks the one-year anniversary of the second amendment to the New York Department of Financial Services’ (“NYDFS” or the “Department”) Cybersecurity Regulation (the “Regulation” or “Part 500”).…