On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed rules (the “Proposed Rules”) that would require broker-dealers and investment advisers (collectively, “firms”) to evaluate their use of predictive data analytics (“PDA”) and other covered technologies in connection with investor interactions and to eliminate or neutralize certain conflicts of interest associated with such use. The Proposed Rules…

On July 26, 2023, the SEC adopted long-anticipated final rules on cybersecurity risk management, strategy, governance and incident disclosure for issuers (“Final Rules”). We summarized the key obligations under the Final Rules, and changes from the Proposing Release,[1] in our July 27, 2023 update. In this companion update, we discuss key takeaways across three areas for issuers to consider: Disclosure…

U.S. state privacy continues to be at the forefront of legislative and policymaking activity. Although states continue to pass comprehensive privacy laws in 2023, Washington’s My Health My Data Act (“MHMDA”) deserves closer attention due to its breadth as well as its novel—and potentially onerous—provisions. This post highlights key aspects of the MHMDA with a focus on net-new provisions that…

On July 10, 2023, the European Commission adopted with immediate effect an adequacy decision for the EU-U.S. Data Privacy Framework (the “DPF”). The decision enables businesses in Europe to transfer personal data to DPF-certified U.S. businesses without having to implement additional data protection safeguards. In this Debevoise Data Blog post, we explain the DPF’s scope and operation, discuss implications for…

On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities,…

On July 14, 2023, California Attorney General Rob Bonta announced a California Consumer Privacy Act (“CCPA”) enforcement sweep focused on large California employers’ compliance with the CCPA’s requirements applicable to the personal information of employees and job applicants. This is a clear signal that the Attorney General will not wait to pursue enforcement of these provisions, even though the California…

The proliferation of AI tools and rapid pace of AI adoption have led to calls for new regulation at all levels. President Biden recently said “[w]e need to manage the risks [of AI] to our society, to our economy, and our national security.” The Senate Judiciary Subcommittee on Privacy, Technology and the Law recently held a hearing on “Rules for…

On June 28, 2023, the New York Department of Financial Services (“NYDFS”) announced its Revised Proposed Second Amendment to its Cybersecurity Regulation, 23 NYCRR Part 500 (the “Revised Amendment” or “June 2023 Amendment”), which reflects revisions made by the NYDFS as a result of comments it received on its Initial Proposed Second Amendment released in November 2022 (the “Initial Amendment”…

On Friday, July 7th, 2023, Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, and Stephanie Thomas hosted a webcast that examined the Revised Proposed 2nd Amendment to the Part 500 Cybersecurity Rules released by the New York Department of Financial Services and discussed what changes were made, what still needs fixing, and the implications that the new draft may have…

On June 22, 2023, Robert Maddox, International Counsel, and Tristan Lockwood, Associate, delivered the latest instalment of the Debevoise London insurance industry webinar series, focusing on the European Union’s Digital Operational Resilience Act and what it means for the Insurance Sector. Topics included: The history and context of DORA; Management obligations and the role of the Board; Incident reporting, operational…