On March 2, 2023, the White House Office of the National Cyber Director (“ONCD”) released the Biden Administration’s (the “Administration”) long-awaited National Cybersecurity Strategy (the “Strategy”), the first since the Trump Administration’s strategy was issued in September 2018. The Strategy positions cybersecurity very clearly as a critical national security issue and builds on the Administration’s issuance of the May 2021…

In February 2022, the SEC proposed its first-ever cybersecurity rules for registered investment advisers (“RIAs”) (including RIAs to private funds) and Funds (which include registered investment companies (“RICs”) and closed-end funds that have elected to be treated as business development companies (“BDCs”) under the Investment Company Act), which we previously discussed here. The SEC has indicated that it plans to…

On 23 February 2023, the UK ICO hosted its latest privacy forum in a series aimed at helping product designers and managers incorporate “privacy by design” or “data protection by design and by default” principles into their work. Presenters from a wide range of sectors, including from the ICO, offered practical guidance that may help companies better understand current market practice,…

On March 2 and 3, 2023, the U.S. Department of Justice (“DOJ”) announced several updates to its corporate enforcement policies, in significant part formalizing recent pronouncements about corporate compliance programs. Deputy Attorney General Lisa Monaco and Assistant Attorney General Kenneth A. Polite, Jr. announced these updates in remarks at the ABA’s National Institute on White Collar Crime. In particular, DOJ:…

On February 27, 2023, the FTC released guidance entitled “Keep Your AI Claims in Check” (“AI Claims Blog Post”), reminding companies that false or unsubstantiated claims about a product’s efficacy are core areas of FTC enforcement activity. We have previously written on how the FTC has entered into a new era under FTC Chair Lina Khan. It has asserted its…

Risk assessments are a critical component of a robust cybersecurity program. To benchmark their risk assessments and cybersecurity maturity reviews, companies often look to recognized industry standards such as the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF” or “the Framework”). In this Debevoise Data Blog post, we discuss proposed changes to the Framework and offer takeaways for…

On Tuesday, February 21st, Avi Gesser, Sam Allaman and Melissa Muse from our Data Strategy and Security Group hosted for a conversation between ChatGPT and ChatGPT on how lawyers are using ChatGPT, as well as its risks and benefits to the legal industry. The webcast included: A demonstration of ChatGPT’s ability to draft legal documents. The use of other AI…

Key takeaways from December and January include: Cookies: Businesses should consider reviewing their cookie compliance following major CNIL fines against Microsoft (€60 million) and TikTok (€5 million) calling for companies to ensure user consent is paramount and that refusing cookies is as easy as accepting them; More on cookies: Websites are advised to implement user-friendly cookie consent mechanisms such as…