Cybersecurity – Debevoise Data Blog

Artificial Intelligence

CIPA Litigation: Trends Regarding Tracking Technology and AI

By: Avi Gesser, Jim Pastore, Matt Kelly, Johanna Skrzypczyk, Gabriel Kohan, Joshua Plastrik and Annabella M. Waszkiewicz June 4, 2025

Many businesses use customer-tracking technology and other tools—such as pixels, session replay, software development kits (“SDKs”), and chatbots—to improve website user experiences, understand customer behavior, train their technology, and gauge…

SEC

Financial Services Industry Petitions the SEC for a Rulemaking to Amend the Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule

By: Erez Liebermann, Benjamin R. Pedersen, John Jacob, Stephanie Thomas and Cindy Tu May 27, 2025

Debevoise’s Data Strategy and Security group recently assisted five leading financial services industry trade associations in preparing a joint rulemaking petition in response to the Securities and Exchange Commission’s (“SEC”)…

CCPA

CPPA Proposed Rulemaking Package Part 1 – Cybersecurity Audits

By: Avi Gesser, Matt Kelly, Johanna Skrzypczyk, HJ Brehmer, Amer Mneimneh, Ned Terrace and Mengyi Xu December 3, 2024

On November 22, 2024, the California Privacy Protection Agency (the “CPPA”) opened the formal public comment period for its recently approved formal proposed rulemaking package for annual cybersecurity audits, automated…

Cybersecurity

HUD Proposes to Narrow its Cyber Incident Notification Requirement

By: Avi Gesser, Erez Liebermann, Anna Moody, Stephanie Thomas and Karen Joo October 10, 2024

Earlier this year, the U.S. Department of Housing and Urban Development (“HUD”) released an unannounced and immediately effective Cyber Incident Reporting Requirement (the “Original Requirements”) in Mortgagee Letter 2024-10, which…

Cybersecurity

The EU’s Draft NIS2 Regulations: Appropriate ICT Security Measures and Serious Incident Reporting

By: Robert Maddox and Martha Hirst August 12, 2024

The European Commission has published a draft regulation containing further detail on the “technical and methodological” security measures, and cybersecurity incident reporting threshold triggers, under the incoming NIS2 directive (the…

Cybersecurity

Very Broad and Very Fast: The New Federal Housing Administration’s 12-Hour Cyber Incident Notification Rule

By: Courtney M. Dankworth, Avi Gesser, Satish Kini, Erez Liebermann, Gregory Lyons, Matt Kelly, Anna Moody, Jehan A. Patterson, Alexandra Mogul, Michelle Huang and Karen Joo May 28, 2024

On May 23, 2024, the U.S. Department of Housing and Urban Development (“HUD”) announced that, effective immediately, Federal Housing Administration (“FHA”)-approved Mortgagees are subject to a drastically heightened cybersecurity incident…

Cybersecurity

The SEC Adopts Significant Cybersecurity Amendments to Reg S-P

By: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Sheena Paul, Marc Ponchione, Julie M. Riewe, Jeff Robins, Kristin Snyder, Anna Moody, Johanna Skrzypczyk, Suchita Mandavilli Brundage and Ned Terrace May 17, 2024

On May 16, 2024, the SEC adopted amendments to Regulation S-P (“Reg S-P”) one year after its proposed amendments (the “Proposed Amendments”). The finalized amendments (“Amended Reg S-P”) largely track…

Announcement

Announcing the Debevoise Tracker for Cybersecurity Incident Disclosure on Form 8-K

By: Avi Gesser, Benjamin R. Pedersen, John Jacob and Talia Lorch March 6, 2024

In July, we previewed the new rules adopted by the Securities and Exchange Commission (“SEC”) for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Under these rules, Item 1.05 of…

CJEU

European Data Protection Roundup – January 2024

By: Robert Maddox, Friedrich Popp, Fanny Gauthier, Martha Hirst, Jeevika Bali, Samuel Thomson and Alexia Turpin February 28, 2024

Key takeaways from January include: Transparency about data processing and retention: In a reminder of the importance of transparency under the GDPR, and the need for companies to make their…

Automated Decision Making

European Data Protection Roundup – December 2023

By: Robert Maddox, Friedrich Popp, Sergej Bräuer, Fanny Gauthier, Aisling Cowell, Martha Hirst, Oliver Binns, Ryan Fincham, Samuel Thomson and Alexia Turpin January 25, 2024

Key takeaways from December include: Concept of non-material damage under GDPR: In an expansive reading of the right to compensation under GDPR, a data subject’s fear that their personal data…