On February 4 and 11, 2021, Robin L. Barton of the Hedge Fund Law Report published a two-part article on the risks of business email compromise scams: Eleven Lessons From Cyber Hack That Forced an Australian Hedge Fund to Close.  The article features a lengthy interview with Avi Gesser, a partner in the Debevoise Data Strategy and Security Practice, during…

Companies face increasing cybersecurity and AI risk from third-party vendors.  Cybersecurity risks arise when companies share sensitive personal data or company information with their vendors or when their vendors have direct access to the company’s information systems. Companies using AI technology that is developed by a vendor can also face risk if the AI behaves unexpectedly, and that results in…

As covered in our Annual Review, 2020 was a blockbuster year for European data protection. If January is anything to go by, 2021 will be the same.  New data breach notification guidance from the European Data Protection Board (“EDPB”), multi-million Euro penalties from DPAs in Germany, Spain and Norway, and court rulings on discriminatory use of algorithms, the one-stop-shop and…

On 19 January 2021, the UK Information Commissioner’s Office (the “ICO”) published its September 2020 letter to the Securities and Exchange Commission (the “SEC”) analysing the GDPR’s impact on UK-based SEC-regulated firms’ (“SEC–Regulated UK Firms”) ability to comply with SEC data requests. Although the letter was greeted by Acting SEC Chairman Roisman as confirmation that the “UK GDPR does not…

Over two years since the GDPR came into force, the full extent of its impact is still developing at pace.  In this post, we look back at the 2020 European data protection landscape and five trends that help companies understand not only where we are, but where data protection enforcement, litigation, and practice may be headed. 1. Enforcement against a…

Introduction For those following emerging artificial intelligence (“AI”) regulations and enforcement closely, one issue of great interest is remedies. In particular: in what circumstances, if any, would regulators or courts find that a flawed machine learning or AI model must be scrapped entirely? A hot-off-the-press decision from the U.S. Federal Trade Commission (the “FTC”) suggests regulators will not shy away…

On January 6, 2021, Avi Gesser and Anna Gressel from Debevoise’s Data Strategy and Security Group and Keith Slattery from Debevoise’s Insurance Group has an insightful conversation with Stefan Toi from Aon Cyber Solutions and Marcello Antonucci from Beazley on cyber insurance coverage and the gaps it may leave for the unique risks posed by artificial intelligence. During the webcast,…

On January 12, Judge James Boasberg of the U.S. District Court for the District of Columbia granted plaintiff Guo Wengui’s motion to compel production of a report (the “Report”)—and related materials—prepared by forensic vendor Duff & Phelps in Guo’s lawsuit against the law firm that formerly represented him, Clark Hill, PLC (the “Firm”).  See Wengui v. Clark Hill, PLC, No.…

Regulators in the United States and abroad are showing increasing interest in pursuing enforcement actions against companies that deploy artificial intelligence, machine learning, or algorithmic-based applications (“AI”) in a way that the regulators perceive as harmful to the public. These regulators expect transparent and comprehensive disclosures by companies regarding AI that can negatively affect clients or customers. The United States…

On January 12, 2021, the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB”) (together the “Agencies”) published a notice of proposed rulemaking (“Proposed Rule”) that would significantly update the Agencies’ guidance on data breach response. The Proposed Rule would impose prompt reporting requirements on banking organizations and their…