In a new episode of the Compliance & Legal Risk podcast, Avi Gesser from Debevoise’s Data Strategy and Security Group contributed to an insightful conversation with Ronald J. Coleman of Georgetown Law, Mutale Nkonde of AI For the People, and Todd Marlin of Ernst & Young on the emerging legal and regulatory risks associated with artificial intelligence (“AI”). During the podcast, participants discussed: What…

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory (the “Advisory”) on sanctions risks associated with payments to threat actors in connection with cyber ransoms. The Advisory reminds companies that all parties associated with the payment of a cyber ransom—including victims, financial institutions, insurance firms, and other companies facilitating…

As part of our ongoing series on enforcement actions by the Securities and Exchange Commission (“SEC”) in data- and cybersecurity-related matters (here, here, and here), we have been closely tracking regulatory developments and gathering insights on enforcement trends.  Last week, the SEC announced that App Annie and its former CEO and Chairman, Bertrand Schmitt, (“App Annie”) had agreed to a…

Last week, the California Privacy Protection Agency (the “Agency”) invited public comment on its preliminary rulemaking. As previously discussed, the California Privacy Rights Act (“CPRA”) established the Agency and tasked it with adopting additional implementing regulations and enforcing the California Consumer Privacy Act (“CCPA”). The CPRA, approved by California voters in 2020, does not take full effect until January 1,…

Key takeaways from developments this August include: Indications of what the UK’s post-Brexit data transfer arrangements might look like – companies transferring data from the UK will want to follow the Information Commissioner’s Office (“ICO”) consultation carefully; Welcome news for companies defending data breach claims in the UK following a court decision which significantly narrows the kinds of harm claimants…

On August 30, 2021, the SEC filed settled enforcement actions against three groups of broker-dealers and investment advisers for failing to protect confidential customer information in violation of Rule 30(a) of Regulation S-P (the “Safeguards Rule” or “Rule”).  One group of the entities was also found to have violated Section 206(4) of the Advisers Act and Rule 206(4)-7, by allegedly…

On 1 July 2021,[1] Federal Law No. 236-FZ on the Internet Activities of Foreign Entities in the Russian Federation (the “Law”)[2] came into force, requiring establishment of local presence, such as a branch, a representative office, or a subsidiary, for foreign Internet companies whose activities are focused on Russian users.  The Law supplements the personal data localisation requirements under the…

The U.S. Securities and Exchange Commission this week took the rare step of penalizing a company for its allegedly poor disclosure of a cyber incident. The SEC announced a $1 million civil penalty against Pearson plc (“Pearson”), a London-based educational publishing company that is a U.S. securities issuer. The penalty resolves charges that Pearson misled investors related to a 2018…

European Data Protection Roundup – July
Key takeaways from developments this July include: a blockbuster €746 million fine against Amazon – the largest ever GDPR penalty – showing the Regulation’s teeth; the challenges of GDPR-compliant facial recognition, after a Spanish supermarket chain was fined €2.5 million for ostensible GDPR failings; a reminder of the importance of setting and enforcing appropriate…

Earlier this year, we wrote about the SEC’s cybersecurity priorities. Since then, the SEC announced a settlement with First American Title Insurance and Services (“First American”) for violating Rule 13a-15(a) of the Exchange Act, and issued a voluntary request for information to a number of companies in connection with the SolarWinds cyber attack (“Voluntary Request”). In this Debevoise Data Blog…