Since we last wrote about data minimization, there have been several regulatory developments that illustrate the increasing operational and regulatory risks of keeping large volumes of old data. As cyber threats continue to grow, and consumers gain more privacy rights over their personal data, businesses need robust data minimization programs that can significantly reduce the amount of sensitive data they…

Effective May 7, 2022, most New York employers must notify their employees of any electronic monitoring by posting a notice in the workplace. Additionally, employers must give express written notice to all new employees of any electronic monitoring the employer performs and obtain written or electronic acknowledgment of such monitoring. The law applies broadly to any employer that is an…

On February 9, 2022, the SEC released its much-anticipated proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.  Many of the proposals follow the trends that members of the Debevoise Data Strategy & Security and White Collar & Regulatory Defense practice groups discussed during a November 2021 webcast on the SEC’s Cybersecurity Year…

On Friday, February 11, 2022, Eric Dinallo and Marshal Bozzo of Debevoise’s Insurance Regulatory practice and Avi Gesser and Anna Gressel of Debevoise’s Data Strategy & Security Group, hosted Part II of their webcast on Artificial Intelligence and Discrimination in the Insurance industry. The team discussed the rapidly emerging regulatory landscape around AI and discrimination. Topics included: Regulatory developments since…

On February 2, 2022, Luke Dembosky, the Co-Chair of the Debevoise Data Strategy & Security Group, participated in a fireside chat with Justin Herring, the Executive Deputy Superintendent for the Cybersecurity Division of the New York Department of Financial Services (NYDFS), and Sachin Bansal, the Chief Business & Legal Officer at SecurityScorecard, which organized the event.  The discussion covered a…

The Banking Group of Debevoise & Plimpton LLP has launched the Debevoise Fintech Blog to help financial institutions sift through this complex legal landscape and keep abreast of developments in fintech and digital assets. The blog will cover topics spanning the fintech and digital assets regulatory landscape, including stablecoin, custody, anti-money laundering and sanctions, securities law, money transmission, capital and…

On January 28, 2022, California Attorney General Rob Bonta announced that his office sent notices alleging noncompliance with the California Consumer Privacy Act (“CCPA”) to a number of companies operating customer loyalty programs. This sweep of notices follows the Attorney General’s initial round issued on July 1, 2020 and was summarized in the Attorney General’s July 2021 enforcement examples, which…

In September 2020, we wrote about the risks of credential stuffing attacks following the New York Attorney General’s (NYAG) settlement with Dunkin’ Donuts. Since then, these attacks have continued, and regulators’ expectations of companies’ efforts to reduce the risk of credential stuffing attacks for their customers’ online accounts have increased. On January 5, 2022, the NYAG’s Bureau of Internet and…

On January 24, 2022, SEC Chair Gary Gensler gave a speech on cybersecurity rulemaking to the Annual Securities Regulation Institute, outlining a number of key points he expects the SEC will consider in 2022 and emphasizing the SEC’s “key role” on the federal government’s “Team Cyber.”  A number of these proposed changes – including broadening the scope of existing SEC…