The California Privacy Protection Agency (CalPrivacy) is entering an aggressive new phase of privacy regulation and enforcement, of which companies doing business in California should be aware. CalPrivacy already brought enforcement actions against many companies, maintains over 100 active investigations and has signaled an increased pace of enforcement.

A key development is the establishment of its new Audits Division, which will develop and apply privacy-compliance audit procedures and conduct complex regulatory examinations of businesses. Audits may focus on overall compliance or specific statutory requirements, particular industries or practices, or specific privacy harms such as the collection of children’s data.

CalPrivacy also proposed a whistleblower protection law, AB 2021, designed to incentivize insiders to report privacy violations. The bill would provide awards of between 15% and 33% of amounts collected by CalPrivacy, along with strong anti-retaliation protections.

Businesses subject to California privacy law should take note of these enforcement developments, take their data privacy obligations seriously and prepare accordingly. CalPrivacy emphasized that it is publishing bulletins and guidance to help businesses operationalize their compliance obligations, with quick guides and compliance checklists.

Overview

As we enter the 2026 tax filing season, organizations face a heightened risk of cyberattacks targeting employee information. Tax season is a busy time for cybercriminals, who ramp up efforts to trick businesses and individuals into sharing personal information. Bad actors can use stolen personally identifying information (“PII”) in a variety of harmful ways, including to file fraudulent tax returns and claim refunds. Below we provide an overview of the current threat landscape, key warning signs to watch for, practical prevention strategies, and guidance on legal obligations if your organization is targeted.

Continue Reading Protecting Employee Information From Tax Season Phishing Schemes

On Feb. 10, 2026, U.S. District Judge Jed Rakoff of the Southern District of New York issued a bench ruling holding that a defendant’s use of generative AI to analyze legal exposure is not protected under attorney-client privilege or the work product doctrine. See When AI Isn’t Privileged: SDNY Rules Generative AI Documents Not Protected. On Feb. 17, 2026, Judge Rakoff issued a written opinion confirming the bench ruling and adding important analysis. Read on to learn what the opinion adds on confidentiality, work product and waiver, and for details of the practical implications and open questions left by Judge Rakoff’s opinion.

Read more

On Feb. 10, 2026, the U.S. District Court for the Southern District of New York held that a defendant’s use of generative AI to analyze legal exposure is not protected under attorney-client privilege or the work product doctrine. The decision has important implications as clients and nonlawyers increasingly use generative AI tools to assess legal risk, despite disclaimers by AI companies that their tools do not provide legal advice. Use of public AI tools creates significant privilege risks because these tools often lack confidentiality protections and are typically not used under counsel’s direction.

Read more

Data Privacy Day offers a natural checkpoint to take stock of a fast‑moving legal landscape. As of January 1, 2026, several significant U.S. state privacy laws and regulatory updates are now live, with additional U.S. and global milestones queued up throughout 2026. Below we summarize important changes already in effect and highlight issues to monitor as the year unfolds.

Continue Reading Data Privacy Day 2026: What Changed on Jan. 1 — And What to Watch Next

On Jan. 14, 2026, the U.S. Food and Drug Administration (FDA) and the European Medicines Agency (EMA) jointly released the “Guiding Principles of Good AI Practice in Drug Development,” a set of 10 high-level principles intended to steer the safe and responsible use of AI across the product lifecycle. While not formal industry guidance, the document provides important insights into FDA and EMA thinking on the deployment of AI during drug and biologic product development and signals future regulatory guidance from both regulators. Read on for further details and takeaways for regulated industry.

Read more

On November 20, 2025, the Securities and Exchange Commission and defendants SolarWinds Corp. and Timothy G. Brown filed a joint stipulation to dismiss with prejudice the SEC’s civil enforcement action pending in the Southern District of New York. The SEC would dismiss all claims concerning the conduct alleged in the SEC’s Amended Complaint and includes broad waivers and releases by the defendants of any related claims against the SEC and its personnel. This follows a July 2, 2025 letter to the court that stated that the parties had reached a settlement in principle, and sought time “to finalize the paperwork for the settlement, and for the Commissioners to then consider and determine whether to approve the settlement.”  The stipulated dismissal does not address what may have changed, and why the matter ultimately resolved through a dismissal rather than a settlement. 

Procedural Posture and Disposition

The Commission filed suit on October 20, 2023, and filed an Amended Complaint on February 16, 2024. On July 18, 2024, the court granted the defendants’ motion to dismiss in part and denied it in part. That ruling dismissed SEC claims that statements made by SolarWinds regarding a significant cyber incident and its cybersecurity preparedness and risks had been misleading, and also dismissed SEC claims relating to SolarWinds’s internal accounting controls.  The stipulation cites that ruling and notes that, in light of the court’s decision and “in the exercise of its discretion,” the Commission determined that dismissal with prejudice is appropriate.

What the Dismissal Means—and What It Does Not

The SEC explicitly cautions that the decision to seek dismissal “does not necessarily reflect the Commission’s position on any other case.” But while not strictly precedential, the decision to dismiss such a high-profile enforcement action is very significant.  This case attracted worldwide attention when filed, particularly because it was the first time the SEC had named a cyber security professional as an individual defendant.  After its filing, many CISOs in the US thought differently about their potential personal liability in the event of a cyber incident.  It also led executive leadership and directors to prioritize corporate cyber regulatory issues. 

Among the reasons the SEC may have decided to dismiss this case now could include concern within the SEC that it could not prove its claims at trial.  Had the case proceeded to trial, the SEC would have had the burden to prove that a security statement SolarWinds published on its website concerning its cyber readiness and processes was fraudulent.  SolarWinds had publicly disclosed evidence it believed refuted the SEC claims, which may have influenced the SEC’s decision.  The dismissal could also indicate that current SEC leadership is now pursuing a different approach to cybersecurity enforcement more broadly.  Unfortunately, the dismissal stipulation was silent as to what motivated the the SEC’s decision, nor have any Commissioners publicly discussed it. 

Practical Implications for Public Companies and Executives

In our view, the dismissal is a consequential development for issuers, CISOs, and boards navigating cybersecurity risk oversight, disclosure obligations, and incident response. It reflects the real-world litigation risks and pleading challenges the government faces when advancing complex disclosure and internal controls theories in the cybersecurity context. It also illustrates that judicial scrutiny at the motion-to-dismiss stage can materially shape the trajectory and resolution of such actions.  For publicly traded companies, even if this dismissal indicates that that the risk of an SEC enforcement action based on claims relating to cyber risk or incident disclosures is lower, that does not necessarily reduce the likelihood or duration of an SEC investigation.

Although difficult to resist, public companies should not infer a relaxation of expectations. The SEC’s reservation of its broader enforcement posture suggests that the Commission will continue to calibrate cases based on the particular facts, law, and litigation posture that develop in court.  Also, a future administration may have a different cyber enforcement appetite, and have jurisdiction over decisions being made today.  Companies should continue to prioritize timely, accurate, and decision-useful disclosures; maintain robust escalation protocols between security teams and disclosure committees; and ensure that public statements about cybersecurity posture and risk oversight align with internal realities and board-level oversight. These are prudent governance measures irrespective of any single case outcome.

*David Hirsch led the Crypto Assets and Cyber Unit at the SEC at the time the SEC filed its suit against SolarWinds.  This alert is based only on publicly available information and litigation developments that occurred after he left the agency.  

Overview

On October 21, 2025, the New York State Department of Financial Services (NYDFS) released comprehensive guidance for registrants regarding management of cybersecurity risks associated with third-party service providers (TPSPs) including cloud computing, file transfer system, AI and fintech solutions.[1] As reliance on external vendors for critical technology services grows, so too do the cyber threats to operations and sensitive customer data. The guidance clarifies regulatory expectations, highlights best practices, and underscores the importance of robust third-party risk management throughout the entire vendor relationship lifecycle.  In summary, companies can outsource functions but will still retain responsibility for cybersecurity oversight.

Continue Reading NYDFS Issues Guidance on Third-Party Cybersecurity Risk Management: What Regulated Entities Need to Know

With Halloween lurking around the corner and as National Cybersecurity Awareness Month comes to a close, the McGuireWoods Data Privacy & Cybersecurity Practice Group reminds you to not wait to be spooked by a cybersecurity incident or haunted by the task of maintaining your cybersecurity program.

Today’s threat landscape is rapidly changing and accelerated evermore by the capabilities of AI and automation on both sides of the cyber battlefield. Organizations that stay ahead are using established cybersecurity frameworks to provide a strong architecture on which to continuously evolve their cybersecurity program and testing their response to the latest threats through tabletop exercises. By leveraging modern technologies, such as AI-enabled detection, zero trust architectures, automated configuration management, and secure-by-design engineering, leading organizations are making cybersecurity not just stronger, but measurably faster, leaner, and more resilient.

Continue Reading Halloween Reminder – Don’t Get Haunted by Hacks

California’s Invasion of Privacy Act (CIPA) is a 1967 criminal wiretapping statute being stretched to govern 2025-era internet technologies.  The result has been a patchwork of conflicting decisions that turn on hair-splitting distinctions about what it means to “read” a communication “in transit,” whether URLs and clickstream data constitute “contents,” and how third-party service providers fit within a statute that never contemplated real-time web analytics, session replay tools, or ad technology.

Continue Reading California’s CIPA Jurisprudence Is Unworkable: The Legislature Should Fix It—Starting With SB 690