Data Privacy Day offers a natural checkpoint to take stock of a fast‑moving legal landscape. As of January 1, 2026, several significant U.S. state privacy laws and regulatory updates are now live, with additional U.S. and global milestones queued up throughout 2026. Below we summarize important changes already in effect and highlight issues to monitor as the year unfolds.

Continue Reading Data Privacy Day 2026: What Changed on Jan. 1 — And What to Watch Next

On Jan. 14, 2026, the U.S. Food and Drug Administration (FDA) and the European Medicines Agency (EMA) jointly released the “Guiding Principles of Good AI Practice in Drug Development,” a set of 10 high-level principles intended to steer the safe and responsible use of AI across the product lifecycle. While not formal industry guidance, the document provides important insights into FDA and EMA thinking on the deployment of AI during drug and biologic product development and signals future regulatory guidance from both regulators. Read on for further details and takeaways for regulated industry.

On November 20, 2025, the Securities and Exchange Commission and defendants SolarWinds Corp. and Timothy G. Brown filed a joint stipulation to dismiss with prejudice the SEC’s civil enforcement action pending in the Southern District of New York. Under the stipulation, the SEC would dismiss all claims concerning the conduct alleged in the SEC’s Amended Complaint, and the defendants would give broad waivers and releases of any related claims against the SEC and its personnel. This follows a July 2, 2025 letter to the court that stated that the parties had reached a settlement in principle, and sought time “to finalize the paperwork for the settlement, and for the Commissioners to then consider and determine whether to approve the settlement.” The stipulated dismissal does not address what may have changed, or why the matter ultimately resolved through a dismissal rather than a settlement.

Procedural Posture and Disposition

The Commission filed suit on October 20, 2023, and filed an Amended Complaint on February 16, 2024. On July 18, 2024, the court granted the defendants’ motion to dismiss in part and denied it in part. That ruling dismissed SEC claims that statements made by SolarWinds regarding a significant cyber incident and its cybersecurity preparedness and risks had been misleading, and also dismissed SEC claims relating to SolarWinds’s internal accounting controls. The stipulation cites that ruling and notes that, in light of the court’s decision and “in the exercise of its discretion,” the Commission determined that dismissal with prejudice is appropriate.

What the Dismissal Means—and What It Does Not

The SEC explicitly cautions that the decision to seek dismissal “does not necessarily reflect the Commission’s position on any other case.” But while not strictly precedential, the decision to dismiss such a high-profile enforcement action is very significant. This case attracted worldwide attention when filed, particularly because it was the first time the SEC had named a cybersecurity professional as an individual defendant. After its filing, many CISOs in the US thought differently about their potential personal liability in the event of a cyber incident. It also led executive leadership and directors to prioritize corporate cyber regulatory issues.

The reasons the SEC may have decided to dismiss this case now could include concern within the SEC that it could not prove its claims at trial. Had the case proceeded to trial, the SEC would have had the burden to prove that a security statement SolarWinds published on its website concerning its cyber readiness and processes was fraudulent. SolarWinds had publicly disclosed evidence it believed refuted the SEC claims, which may have influenced the SEC’s decision. The dismissal could also indicate that current SEC leadership is now pursuing a different approach to cybersecurity enforcement more broadly. Unfortunately, the dismissal stipulation was silent as to what motivated the SEC’s decision, and no Commissioners have publicly discussed it.

Practical Implications for Public Companies and Executives

In our view, the dismissal is a consequential development for issuers, CISOs, and boards navigating cybersecurity risk oversight, disclosure obligations, and incident response. It reflects the real-world litigation risks and pleading challenges the government faces when advancing complex disclosure and internal controls theories in the cybersecurity context. It also illustrates that judicial scrutiny at the motion-to-dismiss stage can materially shape the trajectory and resolution of such actions. For publicly traded companies, even if this dismissal indicates that the risk of an SEC enforcement action based on claims relating to cyber risk or incident disclosures is lower, that does not necessarily reduce the likelihood or duration of an SEC investigation.

Although the inference is tempting, public companies should not read the dismissal as a relaxation of expectations. The SEC’s reservation of its broader enforcement posture suggests that the Commission will continue to calibrate cases based on the particular facts, law, and litigation posture that develop in court. Also, a future administration may have a different cyber enforcement appetite, and may have jurisdiction over decisions being made today. Companies should continue to prioritize timely, accurate, and decision-useful disclosures; maintain robust escalation protocols between security teams and disclosure committees; and ensure that public statements about cybersecurity posture and risk oversight align with internal realities and board-level oversight. These are prudent governance measures irrespective of any single case outcome.

*David Hirsch led the Crypto Assets and Cyber Unit at the SEC at the time the SEC filed its suit against SolarWinds. This alert is based only on publicly available information and litigation developments that occurred after he left the agency.*

Overview

On October 21, 2025, the New York State Department of Financial Services (NYDFS) released comprehensive guidance for regulated entities regarding management of cybersecurity risks associated with third-party service providers (TPSPs), including cloud computing, file transfer systems, AI and fintech solutions.[1] As reliance on external vendors for critical technology services grows, so too do the cyber threats to operations and sensitive customer data. The guidance clarifies regulatory expectations, highlights best practices, and underscores the importance of robust third-party risk management throughout the entire vendor relationship lifecycle. In summary, companies can outsource functions but will still retain responsibility for cybersecurity oversight.

Continue Reading NYDFS Issues Guidance on Third-Party Cybersecurity Risk Management: What Regulated Entities Need to Know

With Halloween lurking around the corner and as National Cybersecurity Awareness Month comes to a close, the McGuireWoods Data Privacy & Cybersecurity Practice Group reminds you to not wait to be spooked by a cybersecurity incident or haunted by the task of maintaining your cybersecurity program.

Today’s threat landscape is rapidly changing, accelerated ever more by the capabilities of AI and automation on both sides of the cyber battlefield. Organizations that stay ahead are using established cybersecurity frameworks to provide a strong architecture on which to continuously evolve their cybersecurity program, and are testing their response to the latest threats through tabletop exercises. By leveraging modern technologies, such as AI-enabled detection, zero trust architectures, automated configuration management, and secure-by-design engineering, leading organizations are making cybersecurity not just stronger, but measurably faster, leaner, and more resilient.

Continue Reading Halloween Reminder – Don’t Get Haunted by Hacks

California’s Invasion of Privacy Act (CIPA) is a 1967 criminal wiretapping statute being stretched to govern 2025-era internet technologies. The result has been a patchwork of conflicting decisions that turn on hair-splitting distinctions about what it means to “read” a communication “in transit,” whether URLs and clickstream data constitute “contents,” and how third-party service providers fit within a statute that never contemplated real-time web analytics, session replay tools, or ad technology.

Continue Reading California’s CIPA Jurisprudence Is Unworkable: The Legislature Should Fix It—Starting With SB 690

In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations. These long-anticipated regulations, covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT), mark a pivotal shift in the state’s data privacy enforcement landscape.

Continue Reading New CCPA Rules Are Here: Is Your Business Ready for What’s Next?

Regulators of data privacy laws have expressed a desire in recent months to intensify enforcement around opt-out preference signals, also known as universal opt-out mechanisms (the “Opt-Out Signals”).

Opt-Out Signals allow consumers to automatically opt out of the sale and sharing of personal information for targeted advertising across all websites they may visit through an internet browser or mobile operating system.

Currently, although most browsers provide users some level of privacy settings, none of the approximately eleven states that require businesses to honor Opt-Out Signals require that browsers actually provide those signals.

If a business fails to comply with an Opt-Out Signal, regulators can impose fines and other penalties for noncompliance. In September 2025, state regulators in various states, including California, Colorado and Connecticut, indicated expanded enforcement through investigative sweeps of companies’ compliance with consumer requests to opt out, including those made through Opt-Out Signals.

Also in September 2025, the California legislature passed AB 566, the California Opt Me Out Act, which, if signed by the governor, would require both internet browsers and mobile operating systems to offer these Opt-Out Signals in their settings. Though it is unclear how many people will be aware of Opt-Out Signals, or how many will elect to use them, the universal opt-out mechanism will allow consumers to avoid opting out from each individual website, and will require businesses to navigate further compliance and implementation burdens.

After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on Sept. 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement, formally published on Sept. 10, 2025. CMMC 2.0 is a fundamental shift in how the DoD approaches and implements cybersecurity requirements for controlled defense information.

The requirements are effective Nov. 10, 2025, and pertain to all DoD contractors and subcontractors. Defense contractors should ensure compliance with the standards as soon as possible to maintain eligibility to compete for DoD contracts and perform subcontracts, as well as avoid bid protests and/or civil False Claims Act allegations.

Read on to learn more about the final rule and its implications.

In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action. Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices. Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections, until now, at least. As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.

Continue Reading State AGs Step Up Enforcement: Recent Lessons from Privacy Law Enforcement in Connecticut and Nebraska