Category Archives: Technology

It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 2): A Fresh Look at Common Responses to Bolster Export Controls Compliance Programs as BIS Primes the Corporate Enforcement Engine

by Brent Carlson and Michael Huneke

Brent Carlson and Michael Huneke (photos courtesy of authors)

Amid reports of continued export controls diversion[1] to entities in locations including China, Russia, Iran, and North Korea, the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) has been priming the corporate enforcement engine.[2] This dynamic increases challenges for in-house legal and compliance teams to respond to BIS’ latest moves and bolster compliance program effectiveness. In this new environment, the greatest compliance risks revolve around explaining and defending relationships with distributors and resellers in the face of allegations and reports of product diversion or other “red flags” indicating the same—a task made more nuanced under the “high probability” standard of “knowledge” recently highlighted by BIS in new guidance issued on July 10, 2024 (the “July 10 BIS Guidance”).[3]

In Part 1 we previously discussed the practice of using letters of assurance—and the problems of relying solely upon them without resolving related red flags—to bolster export controls compliance programs in response to the new BIS enforcement playbook.[4] In Part 2 we now examine other common responses based on legacy approaches to export controls and why they are ineffective—and even detrimental—in today’s new and evolving enforcement environment.

Cyber Experts React to Court Decision in the SEC’s SolarWinds Enforcement Action

Editor’s Note: PCCE has been watching the developments in the SEC’s enforcement action against SolarWinds and its CISO over allegedly misleading disclosures and controls failures related to the compromise of its Orion product by putative Russian hackers. In this post, cybersecurity experts and lawyers discuss the recent decision by U.S. District Judge Paul Engelmayer to dismiss most of the SEC’s claims in the case.

Top left to right: Randal Milch, Judy Titera, James Haldin, and Alan Wilson. Bottom left to right: Matthew Beville, Elizabeth Roper, and Jerome Tomas. (Photos courtesy of authors)

Treasury’s Report on AI (Part 2) – Managing AI-Specific Cybersecurity Risks in the Financial Sector

by Avi Gesser, Erez Liebermann, Matt Kelly, Jackie Dorward, and Joshua A. Goland

Top: Avi Gesser, Erez Liebermann, and Matt Kelly. Bottom: Jackie Dorward and Joshua A. Goland (Photos courtesy of Debevoise & Plimpton LLP)

This is the second post in the two-part Debevoise Data Blog series covering the U.S. Treasury Department’s report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”).

In Part 1, we addressed the Report’s coverage of the state of AI regulation and best practices recommendations for AI risk management and governance. In Part 2, we review the Report’s assessment of AI-enhanced cybersecurity risks, as well as the risks of attacks against AI systems, and offer guidance on how financial institutions can respond to both types of risks.

Does California’s Delete Act Have the “DROP” on Data Brokers?: Updates and Insights from the Recent Stakeholder Session

by Christine E. Lyon, Christine Chong, Jackson Myers, and Ortal Isaac

From left to right: Christine E. Lyon, Christine Chong and Jackson Myers. (Photos courtesy of Freshfields Bruckhaus Deringer LLP)

The California Delete Act will make it easier for California consumers to request deletion of their personal information by so-called “data brokers,” a term that is much broader than companies may expect (see our prior blog post here). In particular, the Delete Act provides for a universal data deletion mechanism—known as the Data Broker Delete Requests and Opt-Out Platform, or “DROP”—that will allow any California consumer to make a single request for the deletion of their personal information by certain, or all, registered data brokers. In turn, by August 2026, data brokers will be required to regularly monitor, process, and honor deletion requests submitted through the DROP.

While the DROP’s policy objectives are fairly straightforward, it is less clear how the DROP will work in practice. For example, what measures will be taken to verify the identity of the consumer making the request, to ensure that the requesting party is the consumer they claim to be? What measures will be taken to verify that a person claiming to act as an authorized agent for a consumer actually has the right to request deletion of that consumer’s personal information? Unauthorized deletion of personal information may result in inconvenience or even loss or harm to individuals, which raises the stakes for the California Privacy Protection Agency (CPPA) as the agency responsible for building the DROP.

Biden Administration Releases Proposed Rule on Outbound Investments in China

by Paul D. Marquardt and Kendall Howell

From left to right: Paul D. Marquardt and Kendall Howell (Photos courtesy of Davis Polk & Wardwell LLP)

The Biden administration released its proposed rule that would establish a regulatory framework for outbound investments in China, following its advanced notice of proposed rulemaking released last August.

On June 21, 2024, the U.S. Department of the Treasury (Treasury) released its long-awaited notice of proposed rulemaking that would impose controls on outbound investments in China (the Proposed Rule). The Proposed Rule follows Treasury’s advanced notice of proposed rulemaking (the ANPRM) released in August 2023 (discussed in this client update) and implements the Biden administration’s Executive Order 14105 (the Executive Order), which proposed a high-level framework to mitigate the risks to U.S. national security interests stemming from U.S. outbound investments in “countries of concern” (currently only China). Like the Executive Order and ANPRM, the Proposed Rule reflects an effort by the Biden administration to adopt a “narrow and targeted” program and is in large part directed at the “intangible benefits” of U.S. investment (e.g., management expertise, prestige, and know-how), rather than capital alone.[1]

CNIL Publishes New Guidelines on the Development of AI Systems

by David Dumont and Tiago Sérgio Cabral

David Dumont and Tiago Sérgio Cabral (photos courtesy of Hunton Andrews Kurth LLP)

On June 7, 2024, following a public consultation, the French Data Protection Authority (the “CNIL”) published the final version of its guidelines addressing the development of AI systems from a data protection perspective (the “Guidelines”). Read our blog on the pre-public consultation version of these Guidelines.

In the Guidelines, the CNIL states that, in its view, the successful development of AI systems can be reconciled with the challenges of protecting privacy.

US Antitrust Regulators Threaten Ephemeral Messaging Users and Their Counsel with Obstruction Charges

by Jeremy Calsyn, Nowell Bamberger, Charles P. Balaan, and Joseph M. Kay

Left to right: Jeremy Calsyn, Nowell Bamberger, Charles P. Balaan, and Joseph M. Kay (photos courtesy of Cleary Gottlieb Steen & Hamilton LLP)

In recent months, federal regulators have made statements that companies and their counsel may be subject to criminal prosecution if they fail to preserve ephemeral messaging data when they receive a subpoena or other legal process. In January 2024, the Deputy Assistant Attorney General for Criminal Enforcement at the DOJ Antitrust Division warned “failure to produce” ephemeral messaging may result in obstruction charges.[1] Speaking at the ABA Antitrust Spring Meeting in April 2024, a lawyer for the Antitrust Division echoed that the DOJ “will not hesitate to bring obstruction charges” against company counsel and their clients if clients fail to properly retain so-called “ephemeral messages.”[2] This is consistent with other recent warnings from the DOJ.[3]

The agencies’ focus on features of ephemeral messaging, which they argue can be used to hamper investigations, ignores the fact that ephemeral messaging applications have a legitimate role in the workplace where data security and management is paramount.  Despite the advantages of ephemeral messaging, clients should be aware of the legal and other risks presented by these applications and implement clear information retention policies that account for the organization’s duty to preserve information for litigation and government investigations. 

Recently Enacted AI Law in Colorado: Yet Another Reason to Implement an AI Governance Program

by Avi Gesser, Erez Liebermann, Matt Kelly, Martha Hirst, Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz

Top left to right: Avi Gesser, Erez Liebermann, Matt Kelly, and Martha Hirst. Bottom left to right: Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz. (Photos courtesy of Debevoise & Plimpton LLP)

On May 17, 2024, Colorado passed Senate Bill 24-205 (“the Colorado AI Law” or “the Law”), a broad law regulating so-called high-risk AI systems that will become effective on February 1, 2026.  The law imposes sweeping obligations on both AI system deployers and developers doing business in Colorado, including a duty of reasonable care to protect Colorado residents from any known or reasonably foreseeable risks of algorithmic discrimination.

Succor Borne Every Minute

by Michael Atleson

Federal Trade Commission

Earnest chats with objects are not so unusual. Mark “The Bird” Fidrych, the famed Detroit Tiger, used to stand on the pitching mound whispering to the baseball. Forky, the highly animate utensil from Toy Story 4, once posed deep questions about friendship to a ceramic mug. And many of us have made repeated queries of the Magic 8 Ball despite its limited set of randomly generated answers.

Our talking to computers also goes way back, and that history is getting weirder. We’re seeing a wave of avatars and bots marketed to provide companionship, romance, therapy, or portals to dead loved ones, and even meet religious needs. It may be a function of AI companies making chatbots better at human mimicry in order to convince us that chatbots have social value worth paying for. Consider that some of these companies compare their products to magic (they aren’t), talk about the products having feelings (they don’t), or admit they just want people to feel that the products are magic or have feelings.

Land of 10,000 Data Lakes: Minnesota Consumer Data Privacy Act Signed into Law

by Nancy Libin, John D. Seiver, and Jevan Hutson

From left to right: Nancy Libin, John D. Seiver, and Jevan Hutson. (Photos courtesy of Davis Wright Tremaine LLP)

Minnesota is the 18th state to enact a consumer data privacy law.

On May 25, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (the “Act”), which takes effect on July 31, 2025, for most controllers and on July 31, 2029, for certain postsecondary educational institutions. Minnesota is the 18th state to enact a comprehensive consumer data privacy law.

The Act adopts the same framework as most other state privacy laws but includes several novel provisions, including broader rights for Minnesota residents who are subject to profiling in furtherance of decisions that produce legal or similarly significant effects.

We highlight key aspects of the Act below.
