In Part 1 of this series, we discussed the annual cybersecurity audit requirements in the California Privacy Protection Agency (the “CPPA”)’s proposed rulemaking package (the “Draft Regulations”). In Part 2, we discussed the Draft Regulations’ provisions on automated decision-making technology (“ADMT”). In this Part 3, we discuss the Draft Regulations’ amendments to existing privacy-related requirements under the California Consumer Privacy…

Debevoise & Plimpton LLP partners Luke Dembosky, Erez Liebermann and Jim Pastore have again been named to Cybersecurity Docket’s “Incident Response 50 List” for 2025. The list recognizes the “50 best data breach response lawyers in the business” and the top incident response attorneys and compliance professionals who not only have the right credentials and experience to manage a data…

On March 12, 2025, the California Privacy Protection Agency (the “CPPA”) announced a decision and stipulated final order stemming from its investigation of the American Honda Motor Company’s (the “Company” or “Honda”) data privacy practices. In addition to implementing changes in its practices, the Company agreed to pay an administrative fine of $632,500. The decision details various failures to appropriately…

On April 9, 2025, the U.S. Securities and Exchange Commission (the “SEC”) and the U.S. Attorney’s Office for the Southern District of New York filed parallel actions against Albert Saniger, the former CEO of Nate, Inc. (“Nate”), alleging that he made materially false and misleading statements to investors about the company’s artificial intelligence (“AI”) capabilities. This matter is particularly noteworthy…

Most companies have implemented protocols for when an employee emails confidential information to the wrong person.  A new version of that problem occurs when an employee uploads sensitive information to a consumer (i.e., not enterprise) AI tool, which gives rise to the following questions: Can the data be clawed back or deleted, and if so, how? Can humans at the…