Key takeaways from October include: Employee monitoring: Following new guidance issued by the UK ICO, employers may want to review their existing employee monitoring to ensure it meets the regulator’s latest expectations, including ensuring that any monitoring is necessary, proportionate, and conducted transparently. Data protection & AI: In particular: (i) the French CNIL published its first set of guidance on…

On November 16, 2023, the Committee on Professional Responsibility and Conduct for the State Bar of California (“COPRAC”) provided initial recommendations regarding use of generative AI by lawyers (the “Guidance”). The Guidance uses the existing Rules of Professional Conduct as a framework, but recognizes that generative AI is a rapidly evolving technology that might necessitate new regulation and rules in…

On Thursday, December 7th, 8:10-8:55 AM (ET), Robert Maddox will speak on a virtual panel entitled “Incident Response in Europe: State of Play.” To learn more about the conference please click here. To register for free, please click here and contact us for the Debevoise registration code. Incident Response Forum Europe 2023 is a unique, one-day conference that brings together…

On November 7, 2023, the prolific ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data. While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. Securities and…

As will be discussed in our November 28, 2023 webcast, on November 1, 2023, the New York Department of Financial Services (“NYDFS” or the “Department”) announced the adoption of the second amendment to its Cybersecurity Regulation (the “Second Amendment” or “Final Amendment”) that reflects NYDFS’s revisions as a result of comments it received on the proposed amendment released in June…

On 26 October 2023, the Bank of England, Prudential Regulation Authority (“PRA”) and Financial Conduct Authority (“FCA”, collectively the “UK Financial Authorities”) published FS2/23 on Artificial Intelligence and Machine Learning (the “Response Paper”). It summarises participants’ responses to the October 2022 AI discussion paper (DP5/22, the “Discussion Paper”), which outlined the UK Financial Authorities’ proposed approach to AI regulation. The…

On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment (“Amended Rule”) to the Standards for Safeguarding Customer Information (the “Safeguards Rule”) that will require non-banking financial institutions (“covered entities”) to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unauthorized acquisition of unencrypted customer information…

SIFMA and SIFMA AMG Comment on the SEC’s Proposed Rules for BDs and RIAs

Among its many uses in the financial world, technology can improve operational efficiencies, reduce risk and provide valuable information and services to clients. In this joint post with SIFMA, we explore how new rules proposed by the U.S. Securities and Exchange Commission, purportedly focused on predictive…

Key takeaways from September include: UK-US data bridge: From 12 October 2023, UK businesses will be able to transfer personal data to certain US organisations certified under a UK-specific extension to the EU-U.S. Data Privacy Framework, without additional GDPR safeguards; AI Foundation Models: Consumers and developers of AI Foundation models (“FMs”) should take care to ensure they respect existing data…