On August 11, 2022, the Federal Trade Commission (the “FTC”) announced its Advance Notice of Proposed Rulemaking (the “ANPR”) seeking public comment on 95 questions focused on harms stemming from “commercial surveillance and lax data security practices” and whether new trade regulation rules under section 18 of the FTC Act are needed to protect people’s privacy and information. In Part…

On August 11, 2022, the Federal Trade Commission (“FTC”) announced its Advance Notice of Proposed Rulemaking (“ANPR”) seeking public comment on 95 questions focused on purported harms stemming from “commercial surveillance and lax data security practices.” The ANPR also invites views as to whether new trade regulation rules under Section 18 of the FTC Act, or other regulatory alternatives, are…

On Wednesday, August 17, 2022, at 11:00 AM Eastern, Debevoise’s Avi Gesser and Anna Gressel joined Nicolette Nowak from Beamery to discuss New York City’s Automated Employment Decision Tool Law (“AEDT”), other similar laws and regulations, and what AI application providers can do to best assist their customers’ compliance efforts. More information on Beamery’s webcast, “Impending AI Regulatory Changes in…

On Friday, August 19, 2022, Eric Dinallo had a discussion with Connecticut Insurance Commissioner Andrew Mais on artificial intelligence and discrimination in the insurance industry, including on the risks of proxy discrimination and the recent Connecticut Notice on big data and avoiding bias when using AI. Avi Gesser, the co-chair of the Debevoise Data Strategy and Security group, joined that…

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Part 500 Cybersecurity Rules. We provided our initial thoughts on the Draft Amendments in a blog post, and then had a webcast on August 5, 2022, during which we received dozens of questions, some of which we did not have time to answer.…

On July 27, 2022, the Securities and Exchange Commission (“SEC”) separately charged three financial institutions with violations of Rule 201 of Regulation S-ID (“Reg S-ID”), also known as the Identity Theft Red Flags Rule (“Red Flags Rule”). The announcement of multiple Reg S-ID enforcement settlements (all of which were investigated by the SEC’s recently expanded Crypto Assets and Cyber Unit…

On Friday, August 5, 2022, Eric Dinallo, Luke Dembosky, Avi Gesser, Erez Liebermann, and Charu Chandrasekhar participated in a webcast on the proposed draft amendments to the NYDFS cyber rules. The webinar examined the draft amendments and the implications they may have for insurance companies and other NYDFS-regulated entities. The discussion covered: New governance, technology, and notification-related obligations proposed under…

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Part 500 Cybersecurity Rules, which include a mandatory 24-hour notification for cyber ransom payments, annual independent cybersecurity audits for larger entities, increased expectations for board expertise, and tough new restrictions on privileged accounts. There will be a very short pre-proposal comment period (ending…

On July 8, 2022, the California Privacy Protection Agency (the “Agency”) issued a Notice of Proposed Rulemaking, kicking off a forty-five-day comment period for proposed updates to the California Consumer Privacy Act (“CCPA”) regulations. These updates streamline the CCPA regulations and revise them to reflect the changes made by the amendments in the Consumer Privacy Rights Act of 2020…

On July 8, 2022, the U.S. Department of Justice (the “DOJ”) announced that Aerojet Rocketdyne (“Aerojet”), a California-based aerospace and defense contractor, agreed to pay $9 million to resolve allegations that it violated the False Claims Act (the “FCA”) by misrepresenting its compliance with cybersecurity requirements in federal government contracts. The DOJ’s announcement follows the court’s approval of a tentative…