On August 20, 2021, China’s Standing Committee of the National People’s Congress passed the Personal Information Protection Law (“PIPL”). The PIPL will take effect on November 1, 2021. A breakdown of the PIPL follows. High-level takeaways: With the PIPL, China is joining, if not leading, the global movement toward more and not less restriction on the processing of personal information.…

On September 22, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) issued its preliminary cybersecurity performance goals for critical infrastructure. These voluntary goals, which were initially announced in President Biden’s July 28, 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, represent a non-exhaustive guide of high-level cybersecurity best practices and are intended to support the development…

On October 8, 2021, Eric Dinallo and Marshal Bozzo of Debevoise’s Insurance Regulatory practice and Avi Gesser and Anna Gressel of Debevoise’s Data Strategy & Security Group held an engaging webcast on the recent focus by insurance regulators on artificial intelligence (AI) and discrimination. Topics included: Recent NAIC activity, including its investigation into racial discrimination in the insurance industry;…

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released an updated advisory (the “Advisory”) on the sanctions risks associated with facilitating ransomware payments. The Advisory applies to victims of ransomware attacks, as well as companies that facilitate payments to threat actors, including financial institutions. In Part 1, we discussed the Advisory generally,…

Almost everyone working in cybersecurity compliance is aware that each U.S. state has its own set of breach notification requirements. What is less known is that many of these states also impose substantive cybersecurity requirements. In this Debevoise Data Blog post, we examine the general cybersecurity obligations under state law, including common themes and recent developments. History of State Law…

In a new episode of the Compliance & Legal Risk podcast, Avi Gesser from Debevoise’s Data Strategy and Security Group contributed to an insightful conversation with Ronald J. Coleman of Georgetown Law, Mutale Nkonde of AI For the People, and Todd Marlin of Ernst & Young on the emerging legal and regulatory risks associated with artificial intelligence (“AI”). During the podcast, participants discussed: What…

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory (the “Advisory”) on sanctions risks associated with payments to threat actors in connection with cyber ransoms. The Advisory reminds companies that all parties associated with the payment of a cyber ransom—including victims, financial institutions, insurance firms, and other companies facilitating…

As part of our ongoing series on enforcement actions by the Securities and Exchange Commission (“SEC”) in data- and cybersecurity-related matters (here, here, and here), we have been closely tracking regulatory developments and gathering insights on enforcement trends. Last week, the SEC announced that App Annie and its former CEO and Chairman, Bertrand Schmitt, (“App Annie”) had agreed to a…

Last week, the California Privacy Protection Agency (the “Agency”) invited public comment on its preliminary rulemaking. As previously discussed, the California Privacy Rights Act (“CPRA”) established the Agency and tasked it with adopting additional implementing regulations and enforcing the California Consumer Privacy Act (“CCPA”). The CPRA, approved by California voters in 2020, does not take full effect until January 1,…

Key takeaways from developments this August include: Indications of what the UK’s post-Brexit data transfer arrangements might look like – companies transferring data from the UK will want to follow the Information Commissioner’s Office (“ICO”) consultation carefully; Welcome news for companies defending data breach claims in the UK following a court decision which significantly narrows the kinds of harm claimants…