Enforcement - Federal Agency and State AG Action

On November 20, 2025, the Securities and Exchange Commission and defendants SolarWinds Corp. and Timothy G. Brown filed a joint stipulation to dismiss with prejudice the SEC’s civil enforcement action pending in the Southern District of New York. The SEC would dismiss all claims concerning the conduct alleged in the SEC’s Amended Complaint and includes

After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on Sept. 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement, formally published on Sept. 10, 2025. CMMC 2.0 is a fundamental shift in how the

In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action. Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices. Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least. As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.
Continue Reading State AGs Step Up Enforcement: Recent Lessons from Privacy Law Enforcement in Connecticut and Nebraska

In a recent speech, Acting Director of the SEC’s Division of Examinations (Exams) Keith Cassidy reminded SEC registrants of the new requirements imposed by the amendments to Regulation S-P. He noted that the dates for compliance are approaching and provided information about how Exams intends to proceed. The bottom line on compliance preparedness is that

On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions

In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.

On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.

Read on for highlights from this rule, which goes into effect July 21 and is likely

A bipartisan coalition of state attorneys general sent a comment letter to the Federal Trade Commission highlighting the risks to consumers from businesses’ surveillance and their collection and storage of data such as health information and location tracking.

Read on for details about this development and how companies that collect such information can minimize risks

On Wednesday, August 24, 2022, the California Attorney General released a public statement addressing its first enforcement action under the California Consumer Privacy Act (“CCPA”) against Sephora. The Attorney General alleged that Sephora failed to disclose to consumers that it was selling personal information, it failed to honor requests submitted through Global Privacy Controls (“GPC”), and it failed to cure these violations within the 30-day period. The parties settled for a $1.2M fine and injunctive relief requiring Sephora to comply with the CCPA and accept GPC.
Continue Reading First CCPA Enforcement Action Shows Accepting User-Enabled Global Privacy Controls Is Mandatory

Reflecting its determination to monitor the crypto markets, the U.S. Securities and Exchange Commission announced today that it was renaming the Cyber Unit the “Crypto Assets and Cyber Unit” and nearly doubling its size, from 30 to 50 members. The additional permanent positions will include investigative staff attorneys, trial lawyers and fraud analysts, who will