Many businesses use customer-tracking technology and other tools—such as pixels, session replay, software development kits (“SDKs”), and chatbots—to improve website user experiences, understand customer behavior, train their technology, and gauge…
Debevoise’s Data Strategy and Security group recently assisted five leading financial services industry trade associations in preparing a joint rulemaking petition in response to the Securities and Exchange Commission’s (“SEC”)…
On November 22, 2024, the California Privacy Protection Agency (the “CPPA”) opened the formal public comment period for its recently approved formal proposed rulemaking package for annual cybersecurity audits, automated…
Earlier this year, the U.S. Department of Housing and Urban Development (“HUD”) released an unannounced and immediately effective Cyber Incident Reporting Requirement (the “Original Requirements”) in Mortgagee Letter 2024-10, which…
The European Commission has published a draft regulation containing further detail on the “technical and methodological” security measures, and cybersecurity incident reporting threshold triggers, under the incoming NIS2 directive (the…
On May 23, 2024, the U.S. Department of Housing and Urban Development (“HUD”) announced that, effective immediately, Federal Housing Administration (“FHA”)-approved Mortgagees are subject to a drastically heightened cybersecurity incident…
On May 16, 2024, the SEC adopted amendments to Regulation S-P (“Reg S-P”) one year after its proposed amendments (the “Proposed Amendments”). The finalized amendments (“Amended Reg S-P”) largely track…
In July, we previewed the new rules adopted by the Securities and Exchange Commission (“SEC”) for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Under these rules, Item 1.05 of…
Key takeaways from January include: Transparency about data processing and retention: In a reminder of the importance of transparency under the GDPR, and the need for companies to make their…
Key takeaways from December include: Concept of non-material damage under GDPR: In an expansive reading of the right to compensation under GDPR, a data subject’s fear that their personal data…