Tag Archives: Ned Terrace

CPPA Proposed Rulemaking Package Part 1 – Cybersecurity Audits

by Avi Gesser, Matt Kelly, Johanna N. Skrzypczyk, H. Jacqueline Brehmer, Ned Terrace, Mengyi Xu, and Amer Mneimneh

Photos of the authors

Top: Avi Gesser, Matt Kelly, and Johanna N. Skrzypczyk,. Bottom: H. Jacqueline Brehmer, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • On November 22, 2024, the California Privacy Protection Agency (CPPA) launched a formal public comment period on its draft regulations addressing annual cybersecurity audits and other privacy obligations under the California Consumer Privacy Act (CCPA).
  • These proposed rules aim to establish robust standards for thorough and independent cybersecurity audits, delineating both procedural and substantive requirements for businesses processing personal information.
  • In this update, we provide an overview of the new cybersecurity audit provisions, including key thresholds for applicability, detailed audit expectations, and the evolving regulatory landscape shaping cybersecurity compliance.

Continue reading

Managing Cybersecurity Risks Arising from AI — New Guidance from the NYDFS

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu.

Photos of the authors

Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, and Erez Liebermann. 
Bottom left to right: Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

On October 16, 2024, the New York Department of Financial Services (the “NYDFS”) issued an Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI (the “Guidance”) under the existing 23 NYCRR Part 500 (“Part 500” or “Cybersecurity Regulation”) framework. The Guidance applies to entities that are covered by Part 500 (i.e., entities with a license under the New York Banking Law, Insurance Law or Financial Services Law), but it provides valuable direction to all companies for managing the new cybersecurity risks associated with AI.

The NYDFS makes clear that the Guidance does not impose any new requirements beyond those already contained in the Cybersecurity Regulation. Instead, the Guidance is meant to explain how covered entities should use the Part 500 framework to address cybersecurity risks associated with AI and build controls to mitigate such risks. It also encourages companies to explore the potential cybersecurity benefits from integrating AI into cybersecurity tools (e.g., reviewing security logs and alerts, analyzing behavior, detecting anomalies, and predicting potential security threats). Entities that are covered by Part 500, especially those that have deployed AI in significant ways, should review the Guidance carefully, along with their current cybersecurity policies and controls, to see if any enhancements are appropriate.

Continue reading

30 Days to Form ADV: Have You Reviewed Your AI Disclosures?

by Charu ChandrasekharAvi GesserKristin SnyderJulie M. RieweMarc PonchioneMatt KellySheena PaulMengyi Xu, and Ned Terrace

Photos authors

Top left to right: Charu Chandrasekhar, Avi Gesser, Kristin Snyder, Julie M. Riewe, and Marc Ponchione.
Bottom left to right: Matt Kelly, Sheena Paul, Mengyi Xu, and Ned Terrace. (Photos courtesy of Debevoise & Plimpton LLP)

Registered investment advisers (“RIAs”) have swiftly embraced AI for investment strategy, market research, portfolio management, trading, risk management, and operations. In response to the exploding use of AI across the securities markets, Chair Gensler of the Securities and Exchange Commission (“SEC”) has declared that he plans to prioritize securities fraud in connection with AI disclosures and warned market participants against “AI washing.” Chair Gensler’s statements reflect the SEC’s sharpening scrutiny of AI usage by registrants. The SEC’s Division of Examinations included AI as one of its 2024 examination priorities, and also launched a widespread AI sweep of RIAs focused on AI in connection with advertising, disclosures, investment decisions, and marketing. The SEC previously charged an RIA in connection with misleading Form ADV Part 2A disclosures regarding the risks associated with its use of an AI-based trading tool.

Continue reading

Achieving Sensible AI Regulation

by Melissa MacGregor (SIFMA), Avi Gesser, Matt Kelly, Stephanie Thomas, and Ned Terrace

Photos of the authors

Top righ to left: Melissa MacGregor (SIFMA), Avi Gesser, and Matt Kelly.
Bottom right to left: Stephanie Thomas, Ned Terrace, and Esther Tetruashvily.
(Photos courtesy of the authors).

The proliferation of AI tools and rapid pace of AI adoption have led to calls for new regulation at all levels. President Biden recently said “[w]e need to manage the risks [of AI] to our society, to our economy, and our national security.” The Senate Judiciary Subcommittee on Privacy, Technology and the Law recently held a hearing on “Rules for Artificial Intelligence” to discuss the need for AI regulation, while Senate Majority Leader Schumer released a strategy to regulate AI

Continue reading

Overview of Global AI Regulatory Developments and Some Tips to Reduce Risk

by Avi Gesser, Matt Kelly, Anna Gressel, Corey Goldstein, Samuel Allaman, Michael Pizzi, Jackie Dorward, Lex Gaillard, and Ned Terrace

Photos of the authors

Top row from left to right: Avi Gesser, Matt Kelly, Anna Gressel, Corey Goldstein, and Samuel Allaman
Bottom row from left to right: Michael Pizzi, Jackie Dorward, Lex Gaillard, and Ned Terrace (photos courtesy of Debevoise & Plimpton LLP)

With last week’s political deal in European Parliament to advance the European Union’s groundbreaking AI Act (the “EU AI Act”), Europe is one step closer to enacting the world’s first comprehensive AI regulatory framework. Yet while the EU is poised to become the first jurisdiction to take this step, other countries are not far behind. In recent months, the U.S., Canada, Brazil, and China have all introduced measures that illustrate their respective goals and approaches to regulating AI, with the AI regimes in Canada and Brazil appearing to be modeled substantially on the EU AI Act.

In this blog post, we provide an overview of these legislative developments, highlighting key similarities, differences and trends between each country’s approach as well as providing a few considerations for companies deploying significant AI systems.

Continue reading

A Late Winter Blizzard of SEC Cybersecurity Rulemaking: the Proposed BD Cybersecurity Rules and Expanded Reg S-P and Reg SCI Obligations

by Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, Jeff Robins, Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, Mengyi Xu, and Ned Terrace

Photos of the authors

Top row from left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, and Jeff Robins.
Bottom row from left to right: Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On March 15, 2023, the U.S. Securities and Exchange Commission (the “SEC”) released a suite of proposed new rules (the “Proposed Rules”) that include:

  • Proposed new cybersecurity rules for broker-dealers, security-based swap dealers, major security-based swap participants, transfer agents, a variety of market infrastructure providers (national securities exchanges, clearing agencies, and security-based swap data repositories), and securities SROs (collectively, “Market Entities”) that would impose new policies and procedures requirements and incident notification obligations (“BD Cyber Proposal”);
  • Amendments to Regulation S-P (“Reg S-P”) that would require the implementation of an incident response program, including a new customer notification obligation; expand the scope of the existing requirements relating to the safeguarding of “customer” information and the disposal of “consumer” information relating to individuals (the “Safeguards and Disposal Rules”); and impose new recordkeeping requirements (“Reg S-P Proposal”); and
  • Amendments to Regulation SCI (“Reg SCI”) to expand the scope of covered entities to cover certain broker-dealers without an ATS and security-based swap data repositories and to update requirements relating to policies and procedures, incident notification, and other compliance obligations (“Reg SCI Proposal”).

Continue reading

The Arrival of 2023 U.S. State Privacy Laws – Part 2: Colorado Update

by Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, Alessandra G. Masciandaro, and Ned Terrace

The figure provides photos of the authors

From left to right: Avi Gesser, Johanna Skrzypczyk, Michael R. Roberts, and Alessandra G. Masciandaro

On February 1, 2023, the Colorado Attorney General (“COAG”) held a public hearing as part of its rulemaking process for the Colorado Privacy Act (“ColoPA”). Ahead of the hearing, the COAG released its third draft of proposed rules (“proposed rules”) for the ColoPA. Here in Part 2 of our 2023 U.S. State Privacy Laws series, we review key components of the proposed rules and takeaways from the public hearing. Part 1 of this Data Blog series discussed recent developments in the rulemaking for the California Privacy Rights Act.

This post addresses the timeline for COAG rulemaking and the current proposed rules relating to (1) new responsibilities for controllers related to consumer rights, (2) privacy notices, (3) universal opt-out mechanisms, (4) consent for processing sensitive data, (5) biometric data, (6) data minimization, (7) data protection assessments, and (8) profiling. Companies subject to ColoPA should review their practices to ensure compliance before ColoPA’s July 1, 2023 effective date.

Continue reading