On April 26, 2024, the Federal Trade Commission (the “FTC”) issued a controversial final rule (the “Final Rule”) that, among other things, expands the scope of the Health Breach Notification Rule (the “HBNR” or the “Rule”) to apply to health apps and related technologies. Driven by the popularity and increasing variety of direct-to-consumer healthcare technologies, many companies that do not…

On May 16, 2024, the SEC adopted amendments to Regulation S-P (“Reg S-P”) one year after its proposed amendments (the “Proposed Amendments”). The finalized amendments (“Amended Reg S-P”) largely track the Proposed Amendments and include significant requirements related to (1) incident response programs, (2) 30-day customer notifications of data breaches, (3) service provider oversight, (4) the scope of the Safeguards…

With the EU Digital Operational Resilience Act (“DORA”) implementation deadline set for January 2025, many financial services firms are spending 2024 preparing for the new regime. Amongst many operational resilience and management oversight requirements, DORA will require covered entities to monitor for, identify, and classify Information and Communications Technology (“ICT”)-related incidents (“incidents”) and cyber threats and report them under certain…

Despite much fanfare, and a process that seems to edge ever nearer to completion, the EU AI Act still has not been formally adopted. The Act still has to undergo a final European Council vote before it can be published in the Official Journal, 20 days after which it will be finally adopted; this is widely expected to occur sometime…

The integration of artificial intelligence into companies’ business practices poses increased cybersecurity risks, which we have previously written about here. As AI systems become ubiquitous, they also become targets for cyberattacks due to their valuable data and operational significance, and because their rapid development may leave certain AI systems outside some of a company’s robust cybersecurity controls. As the U.S.…

On March 27, 2024, the U.S. Department of Treasury (“Treasury”) released a report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”). The Report was released in response to President Biden’s Executive Order (“EO”) 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which spearheaded a government-wide effort to issue Artificial Intelligence (“AI”)…

Key takeaways from March include: CNIL data security practice guide: The French DPA published an update of its data security practice guide for data protection officers, chief information security officers, computer scientists and legal experts. DPA powers to order deletion: Per a recent CJEU decision, DPAs can inquire whether personal data has been unlawfully processed and order the deletion without…

As artificial intelligence (“AI”) use and capabilities surge, a new risk is emerging for companies: AI whistleblowers. Both increased regulatory scrutiny over AI use and record-breaking whistleblower activity have set the stage for an escalation of AI whistleblower-related enforcement. As we’ve previously written and spoken about, the risk of AI whistleblowers is rising as whistleblower protections and awards expand, internal…

On April 29th, 2024, Debevoise partner Erez Liebermann was joined in conversation by Todd Conklin, the Chief Artificial Intelligence Officer and Deputy Assistant Secretary of Cyber at the U.S. Department of the Treasury. They discussed the recent report by the U.S. Department of the Treasury on “Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Sector.” If you were unable to…