Category Archives: Data Management

Beware the Tariff DDP Trap: Managing Hidden Import Liabilities Before They Bite

by Jonny Frank and Jerry McAdams 


Left to right: Jonny Frank and Jerry McAdams  (photos courtesy of StoneTurn Group, LLP)

Looking to mitigate tariffs, companies are purchasing foreign products through Delivered Duty Paid (“DDP”) transactions marketed by foreign suppliers as turnkey solutions. DDPs promise efficiency but often deliver exposure. Under U.S. law, the importer—not the supplier—remains legally responsible for accurate customs declarations, tariff payments, and regulatory compliance. When suppliers cut corners or game the system, the importer inherits the fallout, including potential Customs and Border Protection (“CBP”) penalties, DOJ criminal prosecution and False Claims Act (“FCA”) exposure.


Future-Proofing Private Equity and Venture Capital: Leveraging AI for Strategic Advantage and Higher Returns

by Sabrina Hannam, Ibe Imo, Shana Sharan, and Ash Buonasera

Left to right: Sabrina Hannam, Ibe Imo, Shana Sharan and Ash Buonasera (photos courtesy of Boardswell)

In the high-stakes world of private equity, venture capital, and technology, a silent revolution is underway, transforming the very essence of how firms operate and compete. It’s a story not of human titans clashing in boardrooms, but of a new collaborator—Artificial Intelligence (AI)—that is rewriting the rules of engagement for human capital management. Once a tool for streamlining simple tasks, AI has evolved into a “digital colleague,” capable of autonomous decision-making and strategic support that extends far beyond the traditional confines of talent acquisition. This shift is challenging long-held practices and heralding an era where success is no longer solely defined by human intuition but by a symbiotic relationship between bold leadership and intelligent machines.

California Adopts New Employment AI Regulations Effective October 1, 2025

by Arsen Kourinian, Ruth Zadikany, and Remy N. Merritt

Left to right: Arsen Kourinian, Ruth Zadikany, and Remy N. Merritt (photos courtesy of Mayer Brown)

The California Civil Rights Council (CRC) recently announced that it has finalized regulations that clarify how California’s anti-discrimination laws apply to the use of artificial intelligence (AI) and automated decision systems (ADSs) in employment decision-making (the “Regulations”). The Regulations provide that the use of an ADS (including AI) in making employment decisions can violate California law if such tools discriminate against employees or applicants — either directly or due to disparate impact — on the basis of protected characteristics (including race, age, religious creed, national origin, gender, and disability).


2024 Year in Review: Data Breach Litigation

by Kirk Nahra, Molly Jennings, Ali Jessani, and Rachel Greene


Left to Right: Kirk Nahra, Molly Jennings, Ali Jessani and Rachel Greene. (Photos courtesy of WilmerHale)

One of the main risks for a company in the event of a data breach is the threat of litigation. Data breach litigation continued to proliferate in 2024, as it has in prior years.

In the past year, plaintiffs continued to seek relief following data breaches under state common-law doctrines, and the Alabama Supreme Court joined the other state courts of last resort who have addressed data-breach litigation in published decisions.  Federal data breach plaintiffs contended with standing issues in the wake of the Supreme Court’s decision in TransUnion LLC v. Ramirez, and an apparent circuit split between the Tenth and Eleventh Circuits deepened when the Third Circuit weighed in.  The District of New Jersey also provided further guidance to companies on the scope of the attorney-client privilege when responding to data breaches.  This post examines these trends.  


Lessons Learned: One Year of Form 8-K Material Cybersecurity Incident Reporting

by Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Matt Kelly, Anna Moody, John Jacob, and Talia Lorch


Top (left to right): Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom (left to right): Matt Kelly, Anna Moody, John Jacob, and Talia Lorch. (Photos courtesy of Debevoise & Plimpton LLP)

On December 18, 2023, the Securities and Exchange Commission’s (the “SEC”) rule requiring disclosure of material cybersecurity incidents became effective. To date, 26 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K (“Item 1.05”). After over a year of mandatory cybersecurity incident reporting, we examine the key trends and takeaways.

Key Takeaways from a Year of Cybersecurity Incident Reporting on Form 8-K

In early 2024, companies filed a flurry of Forms 8-K under Item 1.05, which stated that the relevant cybersecurity incidents did not have material impacts on the companies’ financial conditions or results of operations. These disclosures were in response to the SEC’s rules requiring that cybersecurity incident disclosures include a description of “the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations.” Following these disclosures, the SEC clarified its expectations for cybersecurity incident reporting in a statement issued by the Director of the SEC’s Division of Corporation Finance (the “Statement”), as well as through several comment letters issued by the Staff of the SEC (the “Staff”) to companies which filed Item 1.05 Forms 8-K.


Personal and Ephemeral Messaging Platforms: A Priority Target for Enforcement and Regulators.

by David Craig, Michael Koenig, and Mark Rosman


Left to right: David Craig, Michael Koenig, and Mark Rosman (photos courtesy of Secretariat and Proskauer Rose)

In the not-too-distant past, professionals used email as their primary, if not their only, means of electronic communication. Texting was a futuristic novelty but also a clumsy endeavor requiring between one and four button pushes on a small keypad to produce a single letter on an even smaller screen. It goes without saying, text messaging was ill-suited for rapid and substantive business communications. While a company’s employees occasionally sent work-related text messages for scheduling purposes, clear dividing lines generally existed between personal and professional communication. This made litigation holds and discovery relatively straightforward: discoverable business-related communications were in one bucket and non-discoverable personal communications were in another.


Children’s Online Privacy: Recent Actions by the States and the FTC

by Amber C. Thomson, Howard W. Waltzman, Kathryn Allen, and Megan P. Von Borstel


Amber C. Thomson, Howard W. Waltzman, Kathryn Allen, and Megan P. Von Borstel (Photos courtesy of Mayer Brown)

As the digital world becomes an integral part of children’s lives, state legislatures are placing greater emphasis on regulating how companies handle children’s personal information. This article explores the recent developments in state and federal children’s privacy legislation, examining how states are shaping the future of online safety for minors and shedding light on amendments to the federal Children’s Online Privacy Protection Act.

As social media companies and digital services providers increasingly cater to younger audiences, state legislatures are placing greater emphasis on regulating how companies handle children’s personal information. This Legal Update explores the recent developments in state and federal children’s privacy legislation, examining how states are shaping the future of online safety for minors and shedding light on amendments to the federal Children’s Online Privacy Protection Act (“COPPA”).


DOJ Issues Final Rule Targeting Foreign Access to Americans’ Sensitive Data

by Michael T. Borgia and Assaf Ariely


Michael T. Borgia and Assaf Ariely (photos courtesy of Davis Wright Tremaine LLP)

The U.S. Department of Justice (DOJ) has issued a comprehensive final rule (the “Rule”) targeting foreign access to sensitive U.S. data, including Americans’ “bulk” sensitive personal data.

The Rule, which DOJ announced on December 27, 2024, prohibits and restricts U.S. persons from entering into certain transactions involving access by “countries of concern” and “covered persons” to “bulk U.S. sensitive personal data” and “government-related data.” “U.S. persons” subject to the Rule are defined broadly to include any U.S. citizen, national, or lawful person, any entity organized under the laws of the United States or any U.S. jurisdiction, and any person physically within the United States.


Sweeping AI Legislation Under Consideration in Virginia

by Beth Waller and Patrick Austin


Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

Virginia, a leader in technology and privacy related regulations, is methodically examining artificial intelligence legislation. In particular, significant legislation establishing a regulatory framework for high-risk Artificial Intelligence (AI) systems is currently being considered by the Virginia General Assembly’s Joint Commission on Technology and Science (JCOTS). JCOTS – a permanent legislative agency that studies and develops technology and science related policies in Virginia – has held several hearings on the topic in an effort to hear expertise related to AI issues and has formed an AI specific Subcommittee. The JCOTS AI Subcommittee is considering two pieces of legislation that would govern the use of high-risk AI systems by public entities and private sector entities.


Protecting Consumers’ Location Data: Key Takeaways from Four Recent Cases

by Bhavna Changrani

Photo courtesy of the author


Since the start of this year, the FTC has announced four groundbreaking cases addressing issues with how businesses collect and, in some cases misuse, people’s location data. If your business collects, buys, sells, or uses location data, take a minute to read about the FTC’s most recent enforcement actions against data brokers and aggregators — Mobilewalla, Gravy/Venntel, InMarket, and X-Mode/Outlogic — and consider these takeaways:
