On March 20, 2026, the White House unveiled its National Policy Framework for Artificial Intelligence, providing a blueprint on legislative recommendations and urging Congress to act. It recommends that Congress create a unified federal standard to reduce the regulatory friction of competing state AI regimes, promote AI innovation, and develop an AI-ready workforce, while ensuring the protection of children, consumers, and intellectual property rights.
Continue Reading White House Releases AI Legislative Recommendations—Congress Has the Blueprint, but Questions RemainCalPrivacy Ramps Up Privacy Enforcement
The California Privacy Protection Agency (CalPrivacy) is entering an aggressive new phase of privacy regulation and enforcement, of which companies doing business in California should be aware. CalPrivacy already brought enforcement actions against many companies, maintains over 100 active investigations and has signaled an increased pace of enforcement.
Continue Reading CalPrivacy Ramps Up Privacy EnforcementProtecting Employee Information From Tax Season Phishing Schemes
Overview
As we enter the 2026 tax filing season, organizations face a heightened risk of cyberattacks targeting employee information. Tax season is a busy time for cybercriminals, who ramp up efforts to trick businesses and individuals into sharing personal information. Bad actors can use stolen personally identifying information (“PII”) in a variety of harmful ways, including to file fraudulent tax returns and claim refunds. Below we provide an overview of the current threat landscape, key warning signs to watch for, practical prevention strategies, and guidance on legal obligations if your organization is targeted.
Continue Reading Protecting Employee Information From Tax Season Phishing SchemesWhen AI Isn’t Privileged, Confirmed: SDNY’s Written Opinion Elaborates on Confidentiality, Work Product, and Waiver
On Feb. 10, 2026, U.S. District Judge Jed Rakoff of the Southern District of New York issued a bench ruling holding that a defendant’s use of generative AI to analyze legal exposure is not protected under attorney-client privilege or the work product doctrine. See When AI Isn’t Privileged: SDNY Rules Generative AI Documents Not Protected. On Feb. 17, 2026, Judge Rakoff issued a written opinion confirming the bench ruling and adding important analysis. Read on to learn what the opinion adds on confidentiality, work product and waiver, and for details of the practical implications and open questions left by Judge Rakoff’s opinion.
When AI Isn’t Privileged: SDNY Rules Generative AI Documents Not Protected
On Feb. 10, 2026, the U.S. District Court for the Southern District of New York held that a defendant’s use of generative AI to analyze legal exposure is not protected under attorney-client privilege or the work product doctrine. The decision has important implications as clients and nonlawyers increasingly use generative AI tools to assess legal risk, despite disclaimers by AI companies that their tools do not provide legal advice. Use of public AI tools creates significant privilege risks because these tools often lack confidentiality protections and are typically not used under counsel’s direction.
Data Privacy Day 2026: What Changed on Jan. 1 — And What to Watch Next
Data Privacy Day offers a natural checkpoint to take stock of a fast‑moving legal landscape. As of January 1, 2026, several significant U.S. state privacy laws and regulatory updates are now live, with additional U.S. and global milestones queued up throughout 2026. Below we summarize important changes already in effect and highlight issues to monitor as the year unfolds.
Continue Reading Data Privacy Day 2026: What Changed on Jan. 1 — And What to Watch NextFDA and EMA Provide Guiding Principles for AI in Drug Development
On Jan. 14, 2026, the U.S. Food and Drug Administration (FDA) and the European Medicines Agency (EMA) jointly released the “Guiding Principles of Good AI Practice in Drug Development,” a set of 10 high-level principles intended to steer the safe and responsible use of AI across the product lifecycle. While not formal industry guidance, the document provides important insights into FDA and EMA thinking on the deployment of AI during drug and biologic product development and signals future regulatory guidance from both regulators. Read on for further details and takeaways for regulated industry.
SEC Voluntarily Dismisses Landmark Enforcement Action Against SolarWinds and its CISO
On November 20, 2025, the Securities and Exchange Commission and defendants SolarWinds Corp. and Timothy G. Brown filed a joint stipulation to dismiss with prejudice the SEC’s civil enforcement action pending in the Southern District of New York. The SEC would dismiss all claims concerning the conduct alleged in the SEC’s Amended Complaint and includes broad waivers and releases by the defendants of any related claims against the SEC and its personnel. This follows a July 2, 2025 letter to the court that stated that the parties had reached a settlement in principle, and sought time “to finalize the paperwork for the settlement, and for the Commissioners to then consider and determine whether to approve the settlement.” The stipulated dismissal does not address what may have changed, and why the matter ultimately resolved through a dismissal rather than a settlement.
Continue Reading SEC Voluntarily Dismisses Landmark Enforcement Action Against SolarWinds and its CISONYDFS Issues Guidance on Third-Party Cybersecurity Risk Management: What Regulated Entities Need to Know
Overview
On October 21, 2025, the New York State Department of Financial Services (NYDFS) released comprehensive guidance for registrants regarding management of cybersecurity risks associated with third-party service providers (TPSPs) including cloud computing, file transfer system, AI and fintech solutions.[1] As reliance on external vendors for critical technology services grows, so too do the cyber threats to operations and sensitive customer data. The guidance clarifies regulatory expectations, highlights best practices, and underscores the importance of robust third-party risk management throughout the entire vendor relationship lifecycle. In summary, companies can outsource functions but will still retain responsibility for cybersecurity oversight.
Continue Reading NYDFS Issues Guidance on Third-Party Cybersecurity Risk Management: What Regulated Entities Need to KnowHalloween Reminder – Don’t Get Haunted by Hacks
With Halloween lurking around the corner and as National Cybersecurity Awareness Month comes to a close, the McGuireWoods Data Privacy & Cybersecurity Practice Group reminds you to not wait to be spooked by a cybersecurity incident or haunted by the task of maintaining your cybersecurity program.
Today’s threat landscape is rapidly changing and accelerated evermore by the capabilities of AI and automation on both sides of the cyber battlefield. Organizations that stay ahead are using established cybersecurity frameworks to provide a strong architecture on which to continuously evolve their cybersecurity program and testing their response to the latest threats through tabletop exercises. By leveraging modern technologies, such as AI-enabled detection, zero trust architectures, automated configuration management, and secure-by-design engineering, leading organizations are making cybersecurity not just stronger, but measurably faster, leaner, and more resilient.
Continue Reading Halloween Reminder – Don’t Get Haunted by Hacks