Data Dive

As of January 9, 2023, the comment period has closed for sweeping new regulations by the New York Department of Financial Services (NYDFS). Published on November 9, 2022, the new proposed amendments to the NYDFS Part 500 Cybersecurity Rules (the “Proposed Amendments”) include significant new obligations for covered companies’ cybersecurity programs and reflect pre-proposal comments from both consumers and businesses.

On August 24, 2022, California Attorney General Rob Bonta (AG) announced a proposed settlement with beauty retailer Sephora USA, Inc. to resolve claims that Sephora violated the California Consumer Privacy Act (CCPA). Under the settlement, Sephora must pay $1.2 million and commit to comply with the CCPA and relevant provisions of the California Privacy Rights Act (CPRA) when they become operative on January 1, 2023. This is the first public enforcement action by the AG under the CCPA.

The UK government is clearly keen to attract artificial intelligence (AI) developers to the UK by promising a regulatory environment that will nurture development and innovation. In its recently published Policy Paper, the UK government presented early proposals for what the UK’s regulatory framework in respect of AI might look like (the “Framework”). This follows the National Artificial Intelligence Strategy, which was published in September 2021 and specified AI regulation as a priority for the UK government. Whilst these early proposals are very high level, we set out the key points of interest in this post.

On Tuesday, the Department of Justice (DOJ) released its Comprehensive Cyber Review report (the “Review”) summarizing its review of the Department’s cyber-related activities and its recommendations around the Department’s “offensive” (i.e., cyber threat investigations and enforcement) and “defensive” (i.e., Department system protections) cyber capabilities. One element of the Review addressed federal contractor and vendor cybersecurity, and noted that “many of the cybersecurity provisions and standards set forth for federal contractors were found to be insufficiently rigorous,” and that the Department has offered to assist the Federal Acquisition Regulatory Council in updating cybersecurity contract terms, which is an effort that is underway pursuant to E.O. 14028.

The European Parliament has reached agreement on the text of the Digital Services Act (DSA). The DSA is new legislation that will require certain providers of online services to comply with new obligations in order to ensure online safety and to prevent the spread of illegal content. The practical effects of the legislation will likely include increased compliance costs for businesses, possible organisational/personnel changes at a compliance level and increased accountability to relevant authorities.