Defense Department Unveils Final Rule for CMMC 2.0 Program: The Time Is Now for Defense Contractors To Get Compliant

by Beth Burgin Waller, Anthony Mazzeo, and Patrick Austin

Left to right: Beth Burgin Waller, Anthony Mazzeo, and Patrick Austin. (photos courtesy of authors)

If you work for a defense contractor or subcontractor responsible for handling controlled unclassified information (CUI) and/or federal contract information (FCI), take note: the U.S. Department of Defense has posted the final rule for the highly anticipated Cybersecurity Maturity Model Certification 2.0 program (CMMC 2.0 or the Final Rule). Issuance of the Final Rule (full text available here in PDF format) likely means DoD will begin implementing new, stringent cybersecurity standards for defense contractors at some point in early-to-mid 2025.

Long-Awaited U.S. Outbound Investment Regime Published, Will Become Effective January 2, 2025

by Chase Kaniecki, Samuel H. Chang, B.J. Altvater, and Ryan Brown

Left to right: Chase Kaniecki, Samuel H. Chang, B.J. Altvater, and Ryan Brown (Photos courtesy of Cleary Gottlieb Steen & Hamilton LLP)

On October 28, 2024, the U.S. Department of the Treasury (“Treasury”) issued a long-awaited Final Rule (the “Final Rule”) implementing the U.S. Outbound Investment Security Program (the “Program”).[1] Under the Program, effective January 2, 2025, U.S. persons will be prohibited from engaging in, or required to notify Treasury regarding, a broad range of transactions involving entities engaged in certain activities relating to semiconductors and microelectronics, quantum information technologies, and artificial intelligence (“AI”) systems in “countries of concern” (presently limited to China, Hong Kong, and Macau).

U.S. Attorney Office “Whistleblower” Programs Sow Confusion and Pose Risks to Corporate Whistleblowers

by David Colapinto and Geoff Schweller

Left to right: David Colapinto and Geoff Schweller. (Photos courtesy of Kohn, Kohn & Colapinto LLP)

In recent weeks, a number of U.S. Attorneys’ Offices (USAOs) across the country have rolled out “Whistleblower Pilot Programs” offering the potential of non-prosecution agreements in exchange for voluntary self-disclosure of criminal conduct by participants in non-violent offenses. These “whistleblower” programs, announced within the same timeframe as the Department of Justice’s new Corporate Whistleblower Awards Pilot Program, can sow confusion among would-be-whistleblowers as well as attorneys and pose significant risks to corporate informants as these Pilot Programs differ greatly from other well-known corporate whistleblower programs, such as the Securities and Exchange Commission (SEC) Whistleblower Program.

Managing Cybersecurity Risks Arising from AI — New Guidance from the NYDFS

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu

Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, and Erez Liebermann.
Bottom left to right: Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

On October 16, 2024, the New York Department of Financial Services (the “NYDFS”) issued an Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI (the “Guidance”) under the existing 23 NYCRR Part 500 (“Part 500” or “Cybersecurity Regulation”) framework. The Guidance applies to entities that are covered by Part 500 (i.e., entities with a license under the New York Banking Law, Insurance Law or Financial Services Law), but it provides valuable direction to all companies for managing the new cybersecurity risks associated with AI.

The NYDFS makes clear that the Guidance does not impose any new requirements beyond those already contained in the Cybersecurity Regulation. Instead, the Guidance is meant to explain how covered entities should use the Part 500 framework to address cybersecurity risks associated with AI and build controls to mitigate such risks. It also encourages companies to explore the potential cybersecurity benefits from integrating AI into cybersecurity tools (e.g., reviewing security logs and alerts, analyzing behavior, detecting anomalies, and predicting potential security threats). Entities that are covered by Part 500, especially those that have deployed AI in significant ways, should review the Guidance carefully, along with their current cybersecurity policies and controls, to see if any enhancements are appropriate.

OFAC Extends Recordkeeping Requirements

by Satish M. Kini, Robert T. Dura, Aseel M. Rabie, Jonathan R. Wong, and Yair Strachman

Left to right: Satish M. Kini, Robert T. Dura, Aseel M. Rabie, Jonathan R. Wong, and Yair Strachman (Photos courtesy of Debevoise & Plimpton LLP)

Earlier this month, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued an Interim Final Rule (“IFR”) to extend OFAC’s current recordkeeping requirements from five to 10 years. The IFR was published in the Federal Register on September 13, 2024, with public comments due by October 15, 2024. The new recordkeeping requirements are set to take effect on March 12, 2025.

The IFR follows amendments to the statute of limitations in the International Emergency Economic Powers Act (“IEEPA”) and the Trading with the Enemy Act (“TWEA”), two statutes that authorize many of OFAC’s sanctions programs. The new 10-year statute of limitations—codified at 50 U.S.C. §§ 1705(d) and 4315(d)—became effective on April 24, 2024, and was discussed in our Debevoise Client Update available here. In July 2024, OFAC issued guidance on how it interpreted the new statute of limitations and signaled that it also would extend its recordkeeping requirements, as we noted here.

DOJ Releases Updated Evaluation of Corporate Compliance Programs Guidance

by Ann Sultan, John E. Davis, and Kathryn Cameron Atkinson

Left to right: Ann Sultan, John E. Davis, and Kathryn Cameron Atkinson. (Photos courtesy of Miller & Chevalier Chartered)

On September 23, 2024, in conjunction with a related speech at the Society of Corporate Compliance and Ethics (SCCE) Compliance & Ethics Institute by Principal Deputy Assistant Attorney General (PDAAG) Nicole M. Argentieri, the U.S. Department of Justice (DOJ) released an updated version of its guidance to prosecutors on the Evaluation of Corporate Compliance Programs (updated ECCP). The DOJ last updated this guidance in March 2023. View a redline comparison of the September 2024 updates to the March 2023 version here.

The DOJ’s substantive revisions for this round of updates focused primarily on using data and technology related to various compliance program elements, integrating and adapting to lessons learned from other companies, and reporting. As PDAAG Argentieri noted, the DOJ “regularly evaluate[s] our policies and enforcement tools, including the ECCP, to account for changing circumstances and new risks.”

Federal Court Invalidates NYC Law Requiring Food Delivery Apps to Share Customer Data with Restaurants

by Phyllis H. Marcus and Robert Edwards

Photo courtesy of Hunton Andrews Kurth LLP

On September 24, 2024, a federal district court held that New York City’s “Customer Data Law” violates the First Amendment. Passed in the summer of 2021, the law requires food-delivery apps to share customer-specific data with restaurants that prepare delivered meals.

The New York City Council enacted the Customer Data Law to boost the local restaurant industry in the wake of the pandemic. The law requires food-delivery apps to provide restaurants (upon the restaurants’ request) with each diner’s full name, email address, phone number, delivery address, and order contents. Customers may opt out of such sharing. The law’s supporters argue that requiring such disclosure addresses exploitation by the delivery apps and helps restaurants advertise more effectively.

SEC Disbands ESG Enforcement Task Force

by John F. Savarese, Wayne M. Carlin, David B. Anders, and Carmen X. W. Lu

Left to right: John F. Savarese, Wayne M. Carlin, David B. Anders and Carmen X. W. Lu. (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

The U.S. Securities and Exchange Commission (“SEC”) has disbanded its Climate and ESG Task Force in the Division of Enforcement. The Task Force was established in March 2021 with the purpose of identifying ESG-related misconduct, including material gaps or misstatements in issuers’ disclosure of climate risks, and assessing disclosure and compliance issues relating to investment advisers’ and funds’ ESG strategies. According to the SEC, the “expertise developed by the task force now resides across the Division,” signaling that the SEC will continue to pursue ESG-related matters as part of its broader enforcement strategy.