Data Privacy Day offers a natural checkpoint to take stock of a fast‑moving legal landscape. As of January 1, 2026, several significant U.S. state privacy laws and regulatory updates are now live, with additional U.S. and global milestones queued up throughout 2026. Below we summarize important changes already in effect and highlight issues to monitor as the year unfolds.
Continue Reading Data Privacy Day 2026: What Changed on Jan. 1 — And What to Watch NextOn November 20, 2025, the Securities and Exchange Commission and defendants SolarWinds Corp. and Timothy G. Brown filed a joint stipulation to dismiss with prejudice the SEC’s civil enforcement action pending in the Southern District of New York. The SEC would dismiss all claims concerning the conduct alleged in the SEC’s Amended Complaint and includes broad waivers and releases by the defendants of any related claims against the SEC and its personnel. This follows a July 2, 2025 letter to the court that stated that the parties had reached a settlement in principle, and sought time “to finalize the paperwork for the settlement, and for the Commissioners to then consider and determine whether to approve the settlement.” The stipulated dismissal does not address what may have changed, and why the matter ultimately resolved through a dismissal rather than a settlement.
Continue Reading SEC Voluntarily Dismisses Landmark Enforcement Action Against SolarWinds and its CISOOverview
On October 21, 2025, the New York State Department of Financial Services (NYDFS) released comprehensive guidance for registrants regarding management of cybersecurity risks associated with third-party service providers (TPSPs) including cloud computing, file transfer system, AI and fintech solutions.[1] As reliance on external vendors for critical technology services grows, so too do the cyber threats to operations and sensitive customer data. The guidance clarifies regulatory expectations, highlights best practices, and underscores the importance of robust third-party risk management throughout the entire vendor relationship lifecycle. In summary, companies can outsource functions but will still retain responsibility for cybersecurity oversight.
Continue Reading NYDFS Issues Guidance on Third-Party Cybersecurity Risk Management: What Regulated Entities Need to KnowWith Halloween lurking around the corner and as National Cybersecurity Awareness Month comes to a close, the McGuireWoods Data Privacy & Cybersecurity Practice Group reminds you to not wait to be spooked by a cybersecurity incident or haunted by the task of maintaining your cybersecurity program.
Today’s threat landscape is rapidly changing and accelerated evermore by the capabilities of AI and automation on both sides of the cyber battlefield. Organizations that stay ahead are using established cybersecurity frameworks to provide a strong architecture on which to continuously evolve their cybersecurity program and testing their response to the latest threats through tabletop exercises. By leveraging modern technologies, such as AI-enabled detection, zero trust architectures, automated configuration management, and secure-by-design engineering, leading organizations are making cybersecurity not just stronger, but measurably faster, leaner, and more resilient.
Continue Reading Halloween Reminder – Don’t Get Haunted by HacksIn a significant step toward strengthening consumer privacy protections, the California Privacy Protection Agency (CPPA) board has officially adopted a comprehensive set of updates to the California Consumer Privacy Act (CCPA) regulations. These long-anticipated regulations—covering cybersecurity audits, risk assessments, and automated decision-making technology (ADMT)—mark a pivotal shift in the state’s data privacy enforcement landscape.
Continue Reading New CCPA Rules Are Here: Is Your Business Ready for What’s Next?In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action. Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices. Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least. As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.
Continue Reading State AGs Step Up Enforcement: Recent Lessons from Privacy Law Enforcement in Connecticut and NebraskaIn a recent speech, Acting Director of the SEC’s Division of Examinations (Exams) Keith Cassidy reminded SEC registrants of the new requirements imposed by the amendments to Regulation S-P. He noted that the dates for compliance are approaching and provided information about how Exams intends to proceed. The bottom line on compliance preparedness is that
On March 7, 2025, the California Privacy Protection Agency (“CPPA”), which is tasked with enforcing the California Consumer Privacy Act (“CCPA”) entered a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”), fining Honda $632,500. This Order is instructive as to CPPA’s views on various topics covered by the CCPA. Among other things, the Order makes clear that:
Continue Reading Businesses Beware: The California Privacy Protection Agency Is Taking a Strict View on CCPA Compliance and Seeking to Impose Maximum Fines for Non-Compliance