On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Part 500 Cybersecurity Rules. We provided our initial thoughts on the Draft Amendments in a blog post, and then had a webcast on August 5, 2022, during which we received dozens of questions, some of which we did not have time to answer.…

On July 27, 2022, the Securities and Exchange Commission (“SEC”) separately charged three financial institutions with violations of Rule 201 of Regulation S-ID (“Reg S-ID”), also known as the Identity Theft Red Flags Rule (“Red Flags Rule”). The announcement of multiple Reg S-ID enforcement settlements (all of which were investigated by the SEC’s recently expanded Crypto Assets and Cyber Unit…

On Friday, August 5, 2022, Eric Dinallo, Luke Dembosky, Avi Gesser, Erez Liebermann, and Charu Chandrasekhar participated in a webcast on the proposed draft amendments to the NYDFS cyber rules. The webinar examined the draft amendments and the implications they may have for insurance companies and other NYDFS-regulated entities. The discussion covered: New governance, technology, and notification-related obligations proposed under…

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Part 500 Cybersecurity Rules, which include a mandatory 24-hour notification for cyber ransom payments, annual independent cybersecurity audits for larger entities, increased expectations for board expertise, and tough new restrictions on privileged accounts. There will be a very short pre-proposal comment period (ending…

On July 8, 2022, the California Privacy Protection Agency (the “Agency”) issued a Notice of Proposed Rulemaking, kicking off a forty-five-day comment period for proposed updates to the California Consumer Privacy Act (“CCPA”) regulations. These updates streamline the CCPA regulations and revise them to reflect the changes made by the amendments in the Consumer Privacy Rights Act of 2020…

On July 8, 2022, the U.S. Department of Justice (the “DOJ”) announced that Aerojet Rocketdyne (“Aerojet”), a California-based aerospace and defense contractor, agreed to pay $9 million to resolve allegations that it violated the False Claims Act (the “FCA”) by misrepresenting its compliance with cybersecurity requirements in federal government contracts. The DOJ’s announcement follows the court’s approval of a tentative…

On July 5, 2022, the European Parliament voted to approve the final text of the Digital Services Act (“DSA” or the “Act”), a landmark regulation that—along with its sister regulation, the Digital Markets Act (“DMA”)—is poised to transform the global regulatory landscape for social media platforms, hosting services like cloud service providers, and other online intermediaries. Lawmakers have billed the…

A growing number of employers are turning to artificial intelligence (“AI”) tools to assist in recruiting and other employment decisions. According to Forbes, almost all Fortune 500 companies use talent-sifting software, and more than half of human resource leaders in the U.S. leverage predictive algorithms to support hiring. Widespread adoption of these tools has led to concerns from regulators and…

On June 21, 2022, the House Energy and Commerce Committee formally introduced a new federal privacy bill: the American Data Privacy and Protection Act (“ADPPA”). Notably, the ADPPA has diverse support from both branches of Congress and both political parties. The ADPPA aims to create a national framework that would preempt many, but not all, state privacy laws. It is…

On Friday, July 15, 2022, Eric Dinallo, Avi Gesser, Erez Liebermann, and Anna Gressel participated in the latest installment of Debevoise’s Insurance Series webcast to discuss the implications of the recent California Insurance Department Bulletin on Allegations of Racial Bias and Unfair Discrimination in Marketing, Rating, Underwriting, and Claims Practices by the Insurance Industry. Their discussion included: The scope of…