Author Archives: Judy Jiang

Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, and Anna Moody

Photos of the authors

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky and Erez Liebermann. Bottom left to right: Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly and Anna Moody. (Photos courtesy of Debevoise & Plimpton LLP)

In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack. According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. Specifically, in addition to asserting that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis, the SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts, and then failed to act upon the incoming alerts from this firm.

Continue reading

The Need to Integrate Externalities, Market Failures, and Collective Action Problems in Antitrust Analysis—Thoughts on the US House Judiciary Committee Report on ESG Investigation and the Rebuttal Report

by Maurits Dolmans

Photo of the author.

Photo courtesy of Cleary Gottlieb Steen & Hamilton LLP.

On June 11, 2024, the US House Judiciary Committee released an interim staff report titled “Climate Control: Exposing the Decarbonization Collusion in Environmental, Social and Governance (ESG) Investing” (the “Majority Report). This was followed by a hearing by the House Judiciary Committee on June 12.

The Majority Report contains strongly worded conclusions.  It argues that a “climate cartel’ of left-wing environmental activists and major financial institutions has colluded to force American companies to ‘decarbonize’ and reach ‘net zero.’”  Organizations like Climate Action 100+, Ceres, CalPERS, and Arjuna, for instance, allegedly “declared war on the American way of life,” to limit how Americans “drive, fly, and eat.”  They did this “by forcing corporations to disclose their carbon emissions, to reduce their carbon emissions, and … handcuffing company leadership and muzzling corporate free speech and petitioning.”  Employing nice alliteration, it is said they “collude to kill carbon.”  It is suggested that corporate compliance with the goals of the Paris Agreement raises prices to American consumers—ignoring the OPEC+ output reductions, the wars in Ukraine and the Middle East, and the Houthi attacks on shipping, but also the long-term costs of climate change, the findings of the International Energy Agency that no new fossil fuel development is needed to meet current and expected demand, and that renewables and nuclear energy are increasingly cheaper than fossil fuels.  The Majority Report boasts of the effect of antitrust threats in causing firms to shy away from cooperation to mitigate the climate risk.

Continue reading

Recently Enacted AI Law in Colorado: Yet Another Reason to Implement an AI Governance Program

by Avi GesserErez Liebermann, Matt KellyMartha HirstAndreas Constantine PavlouCameron Sharp, and Annabella M. Waszkiewicz

Photos of the authors.

Top left to right: Avi Gesser, Erez Liebermann, Matt Kelly, and Martha Hirst. Bottom left to right: Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz. (Photos courtesy of Debevoise & Plimpton LLP)

On May 17, 2024, Colorado passed Senate Bill 24-205 (“the Colorado AI Law” or “the Law”), a broad law regulating so-called high-risk AI systems that will become effective on February 1, 2026.  The law imposes sweeping obligations on both AI system deployers and developers doing business in Colorado, including a duty of reasonable care to protect Colorado residents from any known or reasonably foreseeable risks of algorithmic discrimination.

Continue reading

Land of 10,000 Data Lakes: Minnesota Consumer Data Privacy Act Signed into Law

by Nancy Libin, John D. Seiver, and Jevan Hutson

Photo of the authors.

From left to right: Nancy Libin, John D. Seiver, and Jevan Hutson. (Photos courtesy of Davis Wright Tremaine LLP)

Minnesota is the 18th state to enact a consumer data privacy law.

On May 25, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (the “Act”), which takes effect on July 31, 2025, for most controllers and on July 31, 2029, for certain postsecondary educational institutions. Minnesota is the 18th state to enact a comprehensive consumer data privacy law.

The Act adopts the same framework as most other state privacy laws but includes several novel provisions, including broader rights for Minnesota residents who are subject to profiling in furtherance of decisions that produce legal or similarly significant effects.

We highlight key aspects of the Act below.

Continue reading

SEC Adopts Amendments to Regulation S-P That Require Reporting Breaches of “Sensitive Customer Information”

by Mike Borgia and Andrew Lewis

From left to right: Mike Borgia and Andrew Lewis (Photos courtesy of authors)

Broker-dealers, registered investment advisors, and funds are now required to report breaches of “sensitive” nonpublic personal information (NPI) to affected individuals.

On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to report data breaches affecting “sensitive customer information,” which is “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

The amendments were originally proposed on March 15, 2023 (covered in a previous post). The amendments will go into effect 60 days after they are published in the Federal Register.

Continue reading