Data Privacy, Cybersecurity, and AI

Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting.

By Jenny Cieplak, Tony Kim, Arthur Long, Clayton Northouse, Serrin Turner, Yvette D. Valdez, Deric Behar, and Molly Whitman

The New York State Department of Financial Services’ (DFS) amendments (the Amendments) to its cybersecurity regulations, which were adopted last month with the first implementation deadline of December 1, 2023, impose new and enhanced requirements on covered entities.

On November 1, 2023, the DFS announced the Amendments to its regulations that were initially published in 2017 (23 NYCRR part 500). The changes impose more demanding requirements for larger entities, new obligations to report ransomware incidents and payments, and expanded oversight responsibilities for board and senior management. Requirements related to business continuity and disaster recovery have also been included for the first time.

A new publication from the UK’s financial regulator signals to firms that they should take steps to manage risks in the use of AI.

By Stuart Davis, Fiona M. Maclean, Gabriel Lakeman, and Imaan Nazir

The UK’s Financial Conduct Authority (FCA) has published its latest board minutes highlighting its increasing focus on artificial intelligence (AI), in which it “raised the question of how one could ‘foresee harm’ (under the new Consumer Duty), and also give customers appropriate disclosure, in the context of the operation of AI”. This publication indicates that AI continues to be a key area of attention within the FCA. It also demonstrates that the FCA believes its existing powers and rules already impose substantive requirements on regulated firms considering deploying AI in their services.

The government has announced it will come up with a new code of practice to replace an earlier approach that faced opposition from the creative sectors.

By Deborah Kirk and Brett Shandler

Latham previously reported on the UK government’s proposal to introduce a new copyright and database exception that allows text and data mining (TDM) for any purpose, provided that the party employing TDM obtains lawful access to the material (June 2022 TDM Proposal). The UK government has now announced that it is abandoning this proposal, and intends to consult with AI firms and rightholders to produce a code of practice to support AI firms to access copyrighted work as an input to their models, whilst ensuring protections on generated output to support rightholders. It has foreshadowed that this code of practice, due by summer 2023, may be followed up with legislation if it is not adopted or agreement is not reached.

A proposed broad copyright exception for text and data mining that favours AI developers is unlikely to be welcome news for rightholders.

By Deborah Kirk and Brett Shandler

On 28 June 2022, the UK government published its response to its consultation on “Artificial Intelligence and IP: Copyright and Patents”, which commenced in October 2021 (Response).

Among other points,[1] the government has indicated its intention to introduce a new copyright and database exception that allows text and data mining

Latham lawyers explore the latest insurtech trends and regulatory developments impacting the sector in Europe and Asia.

Disruptive technology is revolutionizing insurance, enabling insurers to achieve growth by leveraging big data and creating innovative solutions to enhance customers’ digital experience. We are pleased to launch Insurtech Insights, a series of webcasts to discuss the most recent trends in the insurtech space and how to navigate regulatory developments.

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations.

By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth

The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts of the ongoing COVID-19 pandemic and the longer-term growth of e-commerce and open banking. In this context, the legal and regulatory environment around payment data is no longer limited to traditional actors in the banking sector or the long-established ambit of banking secrecy rules. As such, stakeholders from fintech startups to established technology giants face an increasing patchwork of compliance obligations.

An FCA report evaluates the chequered implementation of technology change and identifies risks and best practices to help firms better navigate this change.

By Andrew C. Moyle, Alain Traill, and Jagveen S. Tyndall

Of the nearly 1,000 “material incidents” reported to the UK’s Financial Conduct Authority (FCA) in 2019, 17% were caused by change-related activity. It was against this backdrop that, on 5 February 2021, the FCA set out the findings of its review entitled Implementing Technology Change regarding the execution of technology change within the financial services sector (the Report). While the Report focuses on the UK, its findings apply equally to financial services organisations implementing technology change across all geographies.

The HKMA introduced a new data sharing initiative, reported on the central bank digital currency initiative, and outlined regtech plans.

By Simon Hawkins, Kieran Donovan, and Kenneth Y.F. Hui

The fifth annual Hong Kong Fintech Week conference kicked off with speeches and panels from both Hong Kong and international regulatory representatives, in addition to key market players. Topics explored ranged from the impact and complications of technology and big data to notable technological trends that have emerged as a result of the pandemic.

An ECON draft report on digital finance recommends legislative action in relation to cryptoassets and cyber resilience and a framework for digital onboarding.

By Stuart Davis, Sam Maxson, and Anna Lewis-Martinez

On 4 June 2020, the European Parliament’s Economic and Monetary Affairs Committee (ECON) published a draft report setting out its recommendations to the European Commission on digital finance, including emerging risks in cryptoassets and regulatory and supervisory challenges in the area of financial services, institutions, and markets.

The aim of the draft report is to address the main areas that demand a pan-European regulatory response to digital finance. Three priority areas are highlighted for consideration for legislative action: cryptoassets, cyber resilience, and data. These areas are noted as key to the future development of digital finance in the EU.

The resource aims to help businesses create more resilient supply chains and trusted data by responsibly deploying blockchain technology.

By Stuart Davis, Fiona Maclean, Andrew Moyle, Jenny Cieplak, Mitch Rabinowitz and Masha Smith

The World Economic Forum has launched a new, first-of-its-kind resource — Redesigning Trust: Blockchain Deployment Toolkit (Toolkit) — to help organizations responsibly develop and deploy blockchain technology based on their business needs. The resource aims to address the need for more resilience, trust, and efficiency in global supply chains.

The Toolkit reflects the ongoing efforts of numerous experts at the intersection of law and technology to document blockchain deployment best practices. It contains 14 modules addressing key topics, considerations, and challenges implicated in blockchain deployments. Latham lawyers both drafted and contributed to sections on Consortium Governance, Data Protection, Personal Data Handling, and Legal and Regulatory Compliance.