Debevoise Data Blog – Page 23

Biden Administration Proposes to Limit Access to Sensitive Personal Data by Countries of Concern

By: Satish Kini, Rick Sofield, Erez Liebermann, Robert Dura, Taylor Richards, Stephanie Thomas, Jordan Corrente Beck and Yair Strachman November 6, 2024

The Department of Justice (“DOJ”) has moved ahead with its effort to protect Americans’ sensitive personal data and U.S. government data from exploitation by countries of concern or related covered persons, issuing a Notice of Proposed Rulemaking (the “Proposal”) that closely tracks its earlier Advance Notice of Proposed Rulemaking (the “Advance Notice”). The Advance Notice had been released in February concurrently…

Cyber Whistleblower Leads to DOJ Civil Settlement

By: Avi Gesser, Luke Dembosky, Andrew M. Levine, Erez Liebermann, Jim Pastore, Stephanie Cipolla and Michelle Shen November 4, 2024

On October 22, 2024, the U.S. Department of Justice (“DOJ”) announced that The Pennsylvania State University (“Penn State”), a public university in University Park, Pennsylvania, agreed to pay $1.25 million to resolve allegations that it violated the False Claims Act (the “FCA”). Specifically, Penn State allegedly failed to meet cybersecurity requirements in federal government contracts, misrepresented compliance timelines and plans,…

Webcast – Tips on Managing Cybersecurity Risks Arising from AI – New Guidance from the NYDFS

By: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser and Erez Liebermann October 30, 2024

On November 8th, Avi Gesser, Luke Dembosky, Erez Lieberman, and Charu Chandrasekhar from the Debevoise Data Strategy and Security Group discussed the recent NYDFS Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI. The webcast provided a deeper dive into the topics covered in our recent blog post including: The cybersecurity-related AI risks that companies…

NYDFS Part 500, One Year Later (Part One) – New Requirements Effective November 1, 2024

By: Avi Gesser, Erez Liebermann, Stephanie Thomas and Joshua A. Goland October 30, 2024

November 1, 2024, marks the one-year anniversary of the second amendment to the New York Department of Financial Services’ (“NYDFS” or the “Department”) Cybersecurity Regulation (the “Regulation” or “Part 500”). It is also the date that a number of new requirements under Part 500 come into effect, including requirements surrounding governance, encryption, and incident response and business continuity planning. In…

SEC Charges Four Companies for Misleading Cyber Disclosures

By: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, Anna Moody, Kelly Donoghue, Ciera Mandelsberg and Noah L. Schwartz October 28, 2024

On October 22, 2024, the U.S. Securities and Exchange Commission (the “SEC”) announced settled charges in separate actions against four technology companies—Avaya Holdings Corp. (“Avaya”), Check Point Software Technologies Ltd. (“Check Point”), Mimecast Limited (“Mimecast”), and Unisys Corp. (“Unisys”)—each of which was a downstream victim of the unprecedented 2020 cyber-attack in which threat actors believed to be state-sponsored hackers in…