Category Archives: Cybercrime & Cybersecurity

The Newest Form of the Romance Scam: Corporate Insider Fraud Through Outsider Threat – How AI is Allowing Scammers to Make it Appear that Authorized Employees are Conducting Authorized Activity When the Opposite is True

by Tom Melvin, Rich Kando, and Kevin Madura

Left to right: Tom Melvin, Rich Kando, and Kevin Madura (photos courtesy of AlixPartners LLP)

Today’s most-concerning corporate romance is not on Coldplay’s kiss cam. Artificial-intelligence (AI)-enabled document creation, synthetic IDs, face swapping, and impersonated voice overlays have made online scams more dangerous and more ubiquitous than ever. Scammers who once used those new tools primarily to defraud individuals, at an estimated loss of $75 billion,[1] are now targeting corporate bank accounts and data repositories. Enter the corporate romance scam as a direct threat to two of a company’s most highly valuable assets: cash and data.

CPPA Adopts Long Awaited Rulemaking Package

by Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen

Left to right: Avi Gesser, Johanna N. Skrzypczyk, HJ Brehmer, and Melyssa Eigen (photos courtesy of Debevoise & Plimpton LLP)

The California Privacy Protection Agency (the “CPPA”) Board met on July 24, 2025, to decide whether to adopt its comprehensive rulemaking package covering cybersecurity audits, automated decision-making technology, and other adjustments to its existing regulations (collectively, the “Draft Regulations”). We have written about these topics in December 2024, February 2025, and May 2025 respectively. Ultimately, after its initial 45-day comment period and additional revisions, the Board decided to finalize the text of the rulemaking package (the “Regulations”).

Maturing Compliance with the Bulk Sensitive Data Rule before the July 8, 2025 Safe Harbor Expires

by Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu

Top left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu (photos courtesy of Debevoise & Plimpton LLP)

All eyes are on the DOJ Bulk Sensitive Data Rule (28 C.F.R. Part 202) and July 8, 2025, when the recently announced good-faith safe harbor expires. The rule, which the Department of Justice now refers to as the Data Security Program (the “DSP”), creates a comprehensive export control regime to restrict the transfer of bulk sensitive personal and government-related data to foreign adversaries deemed threats to U.S. national security. On April 11, 2025, shortly after the first effective date of the DSP, the National Security Division (“NSD”) of DOJ issued a suite of three policy and guidance documents to facilitate compliance with the DSP, including a 90-day civil enforcement safe harbor for good-faith compliance. As previously discussed, the DSP seeks to address the bipartisan concern that sensitive datasets could be exploited by foreign adversaries for espionage, cyberattacks, malign influence, and coercion, which would undermine the United States’ national security interests.

2024 Year in Review: Data Breach Litigation

by Kirk Nahra, Molly Jennings, Ali Jessani, and Rachel Greene

Left to Right: Kirk Nahra, Molly Jennings, Ali Jessani and Rachel Greene. (Photos courtesy of WilmerHale)

One of the main risks for a company in the event of a data breach is the threat of litigation. Data breach litigation continued to proliferate in 2024, as it has in prior years.

In the past year, plaintiffs continued to seek relief following data breaches under state common-law doctrines, and the Alabama Supreme Court joined the other state courts of last resort that have addressed data-breach litigation in published decisions. Federal data breach plaintiffs contended with standing issues in the wake of the Supreme Court’s decision in TransUnion LLC v. Ramirez, and an apparent circuit split between the Tenth and Eleventh Circuits deepened when the Third Circuit weighed in. The District of New Jersey also provided further guidance to companies on the scope of the attorney-client privilege when responding to data breaches. This post examines these trends.

The Rise of Audits as a Regulatory Tool for Tech

by Janet Kim, Matthew Bruce, Lutz Riede, Tristan Lockwood, Fiona McHugh, Florentine Schulte-Rudzio, and Bhavya Sharma

Top left to right: Janet Kim, Matthew Bruce, Lutz Riede, and Tristan Lockwood. Bottom left to right: Fiona McHugh, Florentine Schulte-Rudzio, and Bhavya Sharma (photos courtesy of Freshfields LLP)

As technology evolves, so do challenges in effectively regulating it. In an era where there is increasing focus on effective oversight of digital platforms, legislators are turning to audits as a go-to tool. This blog explores the reasons behind the growing adoption of audits in digital regulation, focusing on key legislative frameworks such as the EU’s Digital Services Act (DSA) and the UK’s Online Safety Act (OSA), and also explores the scope of audits in AI and other digital regulation. It also includes some practical tips for businesses navigating these new audit regimes.

Lessons Learned: One Year of Form 8-K Material Cybersecurity Incident Reporting

by Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Matt Kelly, Anna Moody, John Jacob, and Talia Lorch

Top (left to right): Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom (left to right): Matt Kelly, Anna Moody, John Jacob, and Talia Lorch. (Photos courtesy of Debevoise & Plimpton LLP)

On December 18, 2023, the Securities and Exchange Commission’s (the “SEC”) rule requiring disclosure of material cybersecurity incidents became effective. To date, 26 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K (“Item 1.05”). After over a year of mandatory cybersecurity incident reporting, we examine the key trends and takeaways.

Key Takeaways from a Year of Cybersecurity Incident Reporting on Form 8-K

In early 2024, companies filed a flurry of Forms 8-K under Item 1.05, which stated that the relevant cybersecurity incidents did not have material impacts on the companies’ financial conditions or results of operations. These disclosures were in response to the SEC’s rules requiring that cybersecurity incident disclosures include a description of “the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations.” Following these disclosures, the SEC clarified its expectations for cybersecurity incident reporting in a statement issued by the Director of the SEC’s Division of Corporation Finance (the “Statement”), as well as through several comment letters issued by the Staff of the SEC (the “Staff”) to companies which filed Item 1.05 Forms 8-K.

Children’s Online Privacy: Recent Actions by the States and the FTC

by Amber C. Thomson, Howard W. Waltzman, Kathryn Allen, and Megan P. Von Borstel

Amber C. Thomson, Howard W. Waltzman, Kathryn Allen, and Megan P. Von Borstel (Photos courtesy of Mayer Brown)

As social media companies and digital services providers increasingly cater to younger audiences, state legislatures are placing greater emphasis on regulating how companies handle children’s personal information. This Legal Update explores the recent developments in state and federal children’s privacy legislation, examining how states are shaping the future of online safety for minors and shedding light on amendments to the federal Children’s Online Privacy Protection Act (“COPPA”).

SEC’s Focus on Cyber and AI to Continue Under Trump Administration

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Julie M. Riewe, Jeff Robins, Kristin A. Snyder, and Cameron Sharp

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, and Avi Gesser. Bottom left to right: Erez Liebermann, Julie M. Riewe, Jeff Robins, and Kristin A. Snyder. (Photos courtesy of Debevoise & Plimpton LLP).

On February 20, 2025, the SEC announced the creation of the Cyber and Emerging Technologies Unit (“CETU”) to focus on “combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space.” In this blog post, we provide an overview of the announcement, which illustrates that the Trump administration will continue to prioritize SEC cybersecurity and artificial intelligence examinations and enforcement, with a particular emphasis on fraudulent conduct impacting retail investors.

FTC’s Consent Order Against Marriott: Expectations for Reasonable Security

by Erez Liebermann, Jim Pastore, Christopher S. Ford, Michael Bloom, Mengyi Xu, Achutha Raman, and Michelle Shen

Top left to right: Erez Liebermann, Jim Pastore, Christopher S. Ford, and Michael Bloom. Bottom left to right: Mengyi Xu, Achuta Raman, and Michelle Shen. (Photos courtesy of the authors.)

Introduction

On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, “Marriott”) to settle allegations that Marriott failed to implement reasonable data security measures, resulting in three large data breaches from 2014 to 2020 and affecting more than 344 million customers worldwide. With obligations extending 20 years, the Consent Order requires Marriott to, among other remedial steps, implement a comprehensive information security program (“ISP”) with prescribed security measures, the effectiveness of which will be subject to a third-party independent biennial assessment. Key elements of the required ISP include multi-factor authentication (“MFA”), encryption, asset inventory, written documentation, and vulnerability and patch management. The final Consent Order is materially identical to the proposal announced on October 9, 2024.

Thoughts for Boards: Key Issues in Corporate Governance for 2025

by Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, Elina Tetelbaum, and Hannah Clark

Left to right: Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, Elina Tetelbaum, and Hannah Clark (photos courtesy of Wachtell, Lipton, Rosen & Katz)

As we look ahead to the challenges and opportunities facing boards of directors in this new year, it is illuminating to reflect on how much has changed in corporate governance. Over the last five decades, we have been on the front lines with our clients as the evolution of corporate governance has been propelled by multiple crises and systemic shocks—including the Enron and WorldCom scandals and ensuing Sarbanes-Oxley legislation, which prompted incremental layers of disclosure and regulations, followed by the financial crisis and subsequent Dodd-Frank reforms, and most recently the Covid pandemic, which intensified the spotlight on ESG and stakeholder governance. In the private ordering arena, ISS and shareholder activists were remarkably successful in changing the status quo for once-common governance features like staggered board structures, and we saw the shelving of poison pills—a defense we originated and subsequently defended in Moran, Airgas and other cases. These trends have, in turn, increased the prevalence and omnipresent threat of proxy fights. And as the corporate governance debates have continued to evolve, we have seen institutional investors become increasingly active participants, with detailed and often diverging policies setting forth their priorities, preferences and perspectives on issues ranging from climate disclosures to DEI to over-boarded directors. The compounding effect is that boards today are expected to navigate a corporate governance landscape that has become much more complex and nuanced, with an expanding set of expectations for their oversight role and responsibilities.
