Photo of Andrew Konia

Andrew Konia

Subscribe to Andrew Konia's Posts

Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace. As chair of the firm’s data privacy and security team, Andrew leads a nationally recognized team of professionals dedicated to protecting clients’ systems, networks and data, managing information, and responding to cyber incidents.

Contact:Read more about Andrew Konia

Overview

On October 21, 2025, the New York State Department of Financial Services (NYDFS) released comprehensive guidance for registrants regarding management of cybersecurity risks associated with third-party service providers (TPSPs) including cloud computing, file transfer system, AI and fintech solutions.[1] As reliance on external vendors for critical technology services grows, so too do the cyber threats to operations and sensitive customer data. The guidance clarifies regulatory expectations, highlights best practices, and underscores the importance of robust third-party risk management throughout the entire vendor relationship lifecycle.  In summary, companies can outsource functions but will still retain responsibility for cybersecurity oversight.Continue Reading NYDFS Issues Guidance on Third-Party Cybersecurity Risk Management: What Regulated Entities Need to Know

With Halloween lurking around the corner and as National Cybersecurity Awareness Month comes to a close, the McGuireWoods Data Privacy & Cybersecurity Practice Group reminds you to not wait to be spooked by a cybersecurity incident or haunted by the task of maintaining your cybersecurity program.

Today’s threat landscape is rapidly changing and accelerated evermore by the capabilities of AI and automation on both sides of the cyber battlefield. Organizations that stay ahead are using established cybersecurity frameworks to provide a strong architecture on which to continuously evolve their cybersecurity program and testing their response to the latest threats through tabletop exercises. By leveraging modern technologies, such as AI-enabled detection, zero trust architectures, automated configuration management, and secure-by-design engineering, leading organizations are making cybersecurity not just stronger, but measurably faster, leaner, and more resilient.Continue Reading Halloween Reminder – Don’t Get Haunted by Hacks

After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on Sept. 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement, formally published on Sept. 10, 2025. CMMC 2.0 is a fundamental shift in how the

On June 3, 2025, the California Senate unanimously voted to amend the California Invasion of Privacy Act (“CIPA”) to exclude cookies and other commonly used internet tracking technologies from CIPA under certain circumstances.  The bill, Senate Bill 690, if passed by the other chamber and signed by the governor, will exempt companies who use tracking technologies for a “commercial business purpose” from the wiretapping provisions of CIPA.Continue Reading Emerging Defense in CIPA Lawsuits: Potent Yet Constrained by Legal and Technical Limitations

On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions

After a nearly five-year rulemaking process, the U.S. Department of Defense (DoD) published the Final Cybersecurity Maturity Model Certification 2.0 (CMMC) program rule in the Federal Register on Oct. 15, 2024, codified at 32 CFR Part 170. Contract clauses implementing the CMMC program rule will be issued as part of the Defense Federal Acquisition Supplement

On July 26, the U.S. Securities and Exchange Commission adopted new rules regarding public companies’ reporting of (i) cybersecurity incidents, (ii) policies and procedures for identifying and managing cybersecurity risks and (iii) management and board roles in implementing cybersecurity policies and procedures. Read on for details about the new rules and recommended next steps for

On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.

Read on for highlights from this rule, which goes into effect July 21 and is likely

As 2022 draws to a close, it is important to keep in mind that key state-level regulations on consumer and employee data privacy will become effective as soon as 2023 begins. Data security measures, personal data processing activities and privacy policies of businesses covered by the regulations are now proscribed specific standards and requirements in

During the 2022 Federal Identity Forum & Exposition on Sept. 7, FinCEN acting Deputing Director Jimmy Kirby emphasized the importance of securing digital identity as “fundamental to the effectiveness” of every financial institution’s anti-money laundering/countering the financing of terrorism (AML/CFT) program.

Read on for details and analysis of his remarks and proactive steps financial institutions