On April 14, 2021, the New York State Department of Financial Services (the “DFS”) announced that its cyber enforcement action against National Securities Corporation (“National Securities”) has been resolved by a Consent Order that imposes a $3 million penalty. This is the latest step in the DFS’s very active cyber-enforcement agenda.  The charges against First American Title Insurance Company are…

March gave companies plenty to take stock of: a multi-million euro fine for deficient vendor oversight, scrutiny of unlawful data transfers to a well-known U.S. email marketing service provider, a €475,000 penalty for late reporting of a data breach affecting just a few thousand individuals, and more.  Here are our highlights of what you need to know. Spanish DPA…

On March 15, 2021, California’s Attorney General announced the adoption of updates to the regulations implementing the California Consumer Protection Act (“CCPA”).  The final (for now) regulations are available here. These latest updates are effective immediately. The version that took effect yesterday is substantially identical to the draft updates that the Attorney General proposed on December 10, 2020.  (We discussed…

There were a few European data protection developments in February that companies may want to have on their radar.  These include a draft adequacy decision for EU-UK data transfer, renewed focus from data protection authorities (“DPAs”) on cookies compliance, and guidance from the English courts on what constitutes unsolicited marketing.  We cover those developments (and more) below. EU publishes draft…

Earlier this week, Debevoise published an overview of the SEC’s Division of Examination Priorities for 2021. Today, we’re taking a deeper dive into one aspect of those priorities: cybersecurity as it applies to Registered Investment Advisers (“RIAs”). The recent publication of the SEC’s 2021 Division of Examination Priorities (the “2021 Priorities”) presents an opportunity to look back at the cybersecurity work of…

Last year, we discussed the first enforcement action brought by the New York State Department of Financial Services (“DFS”), which involved charges against First American Title Insurance Company. That hearing is scheduled for April 5. On March 3, 2021, the DFS reached its first full resolution under its Part 500 Cybersecurity Regulation, a Consent Order with Residential Mortgage Services that…

Virginia has just become the second U.S. state with a comprehensive privacy law, with Governor Ralph Northam’s signing of the Virginia Consumer Data Protection Act (“VCDPA”) on March 2, 2021. The VCDPA bears a strong resemblance to the California Consumer Privacy Act (“CCPA”). It also pulls U.S. law in the direction of its overseas cousin, the European Union’s General Data…

On March 3, 2021, Anna Gressel and Avi Gesser from our Data Strategy and Security Group had a very interesting conversation on AI regulation with Kaitlin Asrow, Fintech Policy Advisor for the Federal Reserve Bank of San Francisco. During the webcast, we discussed the FRB’s recent report, “The Role of Individuals in the Data Ecosystem,” as well as: How consumer…

On February 4 and 11, 2021, Robin L. Barton of the Hedge Fund Law Report published a two-part article on the risks of business email compromise scams: Eleven Lessons From Cyber Hack That Forced an Australian Hedge Fund to Close.  The article features a lengthy interview with Avi Gesser, a partner in the Debevoise Data Strategy and Security Practice, during…

Companies face increasing cybersecurity and AI risk from third-party vendors.  Cybersecurity risks arise when companies share sensitive personal data or company information with their vendors or when their vendors have direct access to the company’s information systems. Companies using AI technology that is developed by a vendor can also face risk if the AI behaves unexpectedly, and that results in…