On November 20, 2025, the Securities and Exchange Commission and defendants SolarWinds Corp. and Timothy G. Brown filed a joint stipulation to dismiss with prejudice the SEC’s civil enforcement action pending in the Southern District of New York. The SEC would dismiss all claims concerning the conduct alleged in the SEC’s Amended Complaint and includes
Nathanael Williams
Nate’s practice focuses on providing pragmatic, strategic, and business-minded privacy and data security counseling. Nate advises clients on compliance with state and federal privacy laws and regulations, emerging technology risks, preparing for and responding to data breaches, and privacy, data security, and technology-related risks in business mergers and acquisitions, as well as licensing, outsourcing, and commercial transactions.
NYDFS Issues Guidance on Third-Party Cybersecurity Risk Management: What Regulated Entities Need to Know
Overview
On October 21, 2025, the New York State Department of Financial Services (NYDFS) released comprehensive guidance for registrants regarding management of cybersecurity risks associated with third-party service providers (TPSPs), including cloud computing, file transfer systems, AI, and fintech solutions.[1] As reliance on external vendors for critical technology services grows, so too do the cyber threats to operations and sensitive customer data. The guidance clarifies regulatory expectations, highlights best practices, and underscores the importance of robust third-party risk management throughout the entire vendor relationship lifecycle. In summary, companies can outsource functions but will still retain responsibility for cybersecurity oversight.
Halloween Reminder – Don’t Get Haunted by Hacks
With Halloween lurking around the corner and as National Cybersecurity Awareness Month comes to a close, the McGuireWoods Data Privacy & Cybersecurity Practice Group reminds you to not wait to be spooked by a cybersecurity incident or haunted by the task of maintaining your cybersecurity program.
Today’s threat landscape is changing rapidly, accelerated ever more by the capabilities of AI and automation on both sides of the cyber battlefield. Organizations that stay ahead are using established cybersecurity frameworks to provide a strong architecture on which to continuously evolve their cybersecurity program and testing their response to the latest threats through tabletop exercises. By leveraging modern technologies, such as AI-enabled detection, zero trust architectures, automated configuration management, and secure-by-design engineering, leading organizations are making cybersecurity not just stronger, but measurably faster, leaner, and more resilient.
New CCPA Rules Are Here: Is Your Business Ready for What’s Next?
In a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations. These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.
State AGs Step Up Enforcement: Recent Lessons from Privacy Law Enforcement in Connecticut and Nebraska
In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action. Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices. Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least. As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.
Businesses Beware: The California Privacy Protection Agency Is Taking a Strict View on CCPA Compliance and Seeking to Impose Maximum Fines for Non-Compliance
On March 7, 2025, the California Privacy Protection Agency (“CPPA”), which is tasked with enforcing the California Consumer Privacy Act (“CCPA”), entered a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”), fining Honda $632,500. This Order is instructive as to CPPA’s views on various topics covered by the CCPA. Among other things, the Order makes clear that: