Tag Archives: Mengyi Xu

New Automated Decision-Making Laws: Four Tips for Compliance

by Avi Gesser, Robert Maddox, Anna Gressel, Mengyi Xu, Samuel Allaman, Andres Gutierrez

With the widespread adoption of artificial intelligence (“AI”) and other complex algorithms across industries, many business decisions that used to be made by humans are now being made (either solely or primarily) by algorithms or models. Examples of automated decision-making (“ADM”) include determining:

  • Who gets an interview, a job, a promotion, or employment discipline;
  • Which ads get displayed for a user on a website or a social media feed;
  • Whether someone’s credit application should be approved, and at what interest rate;
  • Which investments should be made;
  • When a car should brake or swerve to stay in a lane;
  • Which emails are spam and should not be read; and
  • Which transactions should be flagged or blocked as possibly fraudulent, money laundering, or in violation of sanctions regulations.


The SEC’s New Risk Alert Warns about the Use of Alternative Data

by Andrew J. Ceresney, Avi Gesser, Julie M. Riewe, Kristin A. Snyder, Jonathan R. Tuttle, Charu A. Chandrasekhar, and Mengyi Xu

On April 26, 2022, the Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert titled “Investment Adviser MNPI Compliance Issues” (“Risk Alert”) on the use of alternative data. The Risk Alert outlines EXAMS’ recent observations on compliance deficiencies related to Section 204A of the Investment Advisers Act of 1940—including deficiencies relating to policies and procedures for alternative data—and Rule 204A-1 (the “Code of Ethics Rule”). Based on the Risk Alert, and the recent SEC enforcement action in this area, we offer three takeaways for investment advisers to reduce their risk when purchasing and using alternative data.


Three Takeaways from the IOSCO Report to Securities Regulators on Artificial Intelligence

by Avi Gesser, Anna R. Gressel, and Mengyi Xu

On September 7, 2021, the Board of the International Organization of Securities Commissions (“IOSCO”) issued a final report (PDF: 446 KB) entitled “The Use of Artificial Intelligence and Machine Learning by Market Intermediaries and Asset Managers” (the “Report”), which aims to assist IOSCO members in supervising their regulated entities over the use of AI and ML.

While non-binding, the Report is likely to serve at least as a key frame of reference—if not as a benchmark—for the development of more tailored supervisory approaches by securities regulators around the globe. While the concepts in the Report are not new, they reflect an acknowledgement that existing regulations may not be sufficient to mitigate the wide variety of AI-risks, and that new and tailored regulations targeting asset managers and market intermediaries’ use of AI may be needed.


Recent SEC Enforcement Action Against App Annie Signals Continuing Focus on Data-related Disclosure and Policy Violations

by Avi Gesser, Charu Chandrasekhar, Eric Silverberg, Mengyi Xu, and Adrian Gonzalez

As part of our ongoing series on enforcement actions by the Securities and Exchange Commission (“SEC”) in data- and cybersecurity-related matters (here, here, and here), we have been closely tracking regulatory developments and gathering insights on enforcement trends. Last week, the SEC announced that App Annie and its former CEO and Chairman, Bertrand Schmitt, (“App Annie”) had agreed to a $10.3 million payment to settle charges for engaging in fraudulent practices and making material misrepresentations about its data use from 2014 to 2018 (the “Relevant Period”) in violation of Section 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) and Rule 10b-5 thereunder (“SEC Order”). Although not explicitly articulated in the SEC Order, the SEC’s basis for jurisdiction was ostensibly the fact that the app aggregated public company data. This is the SEC’s first enforcement action against an alternative data provider. As was the case in the BlueCrest settlement late last year, the App Annie enforcement action underscores the importance of making accurate disclosures regarding data collection and use, and the regulatory risk for companies that do not follow their data policies and procedures.


Effective Access Controls, Timely Breach Notification, and Other Takeaways from the Latest NYDFS Cyber Resolution

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Johanna Skrzypczyk, Christopher S. Ford, Parker Eudy, and Mengyi Xu

On April 14, 2021, the New York State Department of Financial Services (the “DFS”) announced that its cyber-enforcement action against National Securities Corporation (“National Securities”) has been resolved by a Consent Order (PDF: 550 KB) that imposes a $3 million penalty. This is the latest step in the DFS’s very active cyber-enforcement agenda. The charges against First American Title Insurance Company are pending with an August 16 hearing date, and last month, the DFS reached its first full cybersecurity resolution with Residential Mortgage Services.


Court Chips Away at Privilege Protections for Cyber Forensic Reports

by Jim Pastore, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Corey Goldstein, and Mengyi Xu

On January 12, Judge James Boasberg of the U.S. District Court for the District of Columbia granted plaintiff Guo Wengui’s motion to compel production of a report (the “Report”) —and related materials—prepared by forensic vendor Duff & Phelps in Guo’s lawsuit against the law firm that formerly represented him, Clark Hill, PLC (the “Firm”). See Wengui v. Clark Hill, PLC, No. 19-cv-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021). The court rejected claims the Report was protected by the work-product doctrine and attorney-client privilege.


Post-Election Law Privacy Law Prospects

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Frank Colleluori, Mengyi Xu, Jeffrey Cunard, Luke Dembosky, and Tigist Kassahun

California voters have approved the new California Privacy Rights Act (“CPRA”). The margin was 56% to 44%: comfortable, if significantly tighter than pre-election polling that showed CPRA winning in a landslide. That comes on the heels of the California Attorney General’s release of still more proposed amendments to the regulations for the existing California Consumer Privacy Act (“CCPA”). Below we sum up these important changes emerging from Sacramento. We also note some possible Election Day impacts on the privacy law reforms that have been percolating in Washington, D.C.


Schrems II – Where are we now?

As covered in our previous blog post, the CJEU has invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data from the EU to the U.S. (the “Schrems II” decision) and cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (“SCCs”) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.


First Enforcement Action by New York DFS Under Its Cyber Rules Shows Where Companies Face Regulatory Risk – Six Quick Takeaways

by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Lisa Zornberg, Zila Reyes Acosta-Grimes, Michael Bloom, Christopher S. Ford, and Mengyi Xu

The New York State Department of Financial Services (“DFS”) issued a Statement of Charges and Notice of Hearing (PDF: 278 KB) (the “Charges”) on July 21, 2020 against First American Title Insurance Company (“First American”) for multiple violations of the DFS Part 500 Cybersecurity Regulation (PDF: 97.4 KB) (the “Regulation”), including:

    • Failure to perform an adequate risk assessment
    • Failure to maintain proper access controls
    • Failure to provide adequate security training for cybersecurity employees
    • Failure to encrypt certain nonpublic information

The Charges carry potential penalties of up to $1,000 per violation, and in its press release, the DFS asserts that each instance of nonpublic information that was accessed by an unauthorized person constitutes a separate violation. The Charges allege that hundreds of millions of documents were at risk, more than 350,000 documents were accessed without authorization, and a sample of 1,000 documents found that 30% contained nonpublic information.


Preparing for and Responding to Ransomware Attacks: Thirteen Lessons from the NIST Framework and Recent Events

by Luke Dembosky, Avi Gesser, H Jacqueline Brehmer, Robert Maddox, Dr. Friedrich Popp, and Mengyi Xu

Ransomware attacks continue to plague businesses across the globe. As companies enhance their defenses, attackers increase the sophistication of their software and its deployment. Ransomware attacks used to be limited to the locking of a company’s computer system by encryption software and a demand to pay in order to obtain the key, but not anymore.

In early June 2020, for example, the REvil ransomware group auctioned off three databases containing approximately 22,000 stolen files that were associated with a Canadian agricultural firm, for a starting price of $50,000, after the victim refused or failed to pay the ransom. This sale reflects a growing trend of ransomware attacks that includes theft of sensitive company data, along with the usual locking up of computer systems, as a means of amplifying the pressure on victim entities. As a result, companies that have operational backup systems, and therefore do not need to pay the ransom to get access to their data, may still consider paying in order to prevent the public release of their stolen confidential information.
