On April 26, 2024, the Federal Trade Commission (the “FTC”) issued a controversial final rule (the “Final Rule”) that, among other things, expands the scope of the Health Breach Notification Rule (the “HBNR” or the “Rule”) to apply to health apps and related technologies. Driven by the popularity and increasing variety of direct-to-consumer healthcare technologies, many companies that do not…

On May 16, 2024, the SEC adopted amendments to Regulation S-P (“Reg S-P”) one year after its proposed amendments (the “Proposed Amendments”). The finalized amendments (“Amended Reg S-P”) largely track the Proposed Amendments and include significant requirements related to (1) incident response programs, (2) 30-day customer notifications of data breaches, (3) service provider oversight, (4) the scope of the Safeguards…

With the EU Digital Operational Resilience Act (“DORA”) implementation deadline set for January 2025, many financial services firms are spending 2024 preparing for the new regime. Amongst many operational resilience and management oversight requirements, DORA will require covered entities to monitor for, identify, and classify Information and Communications Technology (“ICT”)-related incidents (“incidents”) and cyber threats and report them under certain…

Despite much fanfare, and a process that seems to edge ever nearer to completion, the EU AI Act still has not been formally adopted. The Act still has to undergo a final European Council vote before it can be published in the Official Journal, 20 days after which it will be finally adopted; this is widely expected to occur sometime…

The integration of artificial intelligence into companies’ business practices poses increased cybersecurity risks, which we have previously written about here. As AI systems become ubiquitous, they also become targets for cyberattacks due to their valuable data and operational significance, and because their rapid development may leave certain AI systems outside some of a company’s robust cybersecurity controls. As the U.S.…