Enforcement - Federal Agency and State AG Action

Subscribe to Enforcement - Federal Agency and State AG Action via RSS

The General Services Administration Federal Acquisition Service has released draft contract terms and conditions related to AI-related procurements through a new proposed GSAR clause 552.239-7001, “Basic Safeguarding of Artificial Intelligence Systems” (February 2026), that would impose material new requirements on contractors and service providers supplying AI capabilities to the federal government. If adopted, the clause

On Friday, April 3, 2026, the U.S. District Court for the District of Massachusetts preliminarily enjoined the Trump administration from requiring public colleges and universities in 17 states to submit seven years’ worth of Integrated Postsecondary Education Data System (IPEDS) Admission and Consumer Transparency Supplement (ACTS) survey data. The reporting deadline for the members of

On November 20, 2025, the Securities and Exchange Commission and defendants SolarWinds Corp. and Timothy G. Brown filed a joint stipulation to dismiss with prejudice the SEC’s civil enforcement action pending in the Southern District of New York. The SEC would dismiss all claims concerning the conduct alleged in the SEC’s Amended Complaint and includes broad waivers and releases by the defendants of any related claims against the SEC and its personnel. This follows a July 2, 2025 letter to the court that stated that the parties had reached a settlement in principle, and sought time “to finalize the paperwork for the settlement, and for the Commissioners to then consider and determine whether to approve the settlement.”  The stipulated dismissal does not address what may have changed, and why the matter ultimately resolved through a dismissal rather than a settlement. 

Continue Reading SEC Voluntarily Dismisses Landmark Enforcement Action Against SolarWinds and its CISO

After years of waiting, the U.S. Department of Defense (DoD) posted to the Federal Register for public inspection on Sept. 9, 2025, a final rule implementing the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards into the Defense Federal Acquisition Regulation Supplement, formally published on Sept. 10, 2025. CMMC 2.0 is a fundamental shift in how the

In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action.  Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data broker practices.  Notwithstanding these efforts, California has retained its reputation as the most formidable state enforcer of privacy law protections—until now, at least.  As we explain, recent enforcement actions by the Attorneys General of Connecticut and Nebraska highlight an important shift: states beyond California are not only enacting laws aimed at safeguarding privacy, they are taking action to demonstrate that those laws have teeth.

Continue Reading State AGs Step Up Enforcement: Recent Lessons from Privacy Law Enforcement in Connecticut and Nebraska

In a recent speech, Acting Director of the SEC’s Division of Examinations (Exams) Keith Cassidy reminded SEC registrants of the new requirements imposed by the amendments to Regulation S-P. He noted that the dates for compliance are approaching and provided information about how Exams intends to proceed. The bottom line on compliance preparedness is that

On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions

In light of a significant rise in cyberattacks against hospitals and health systems, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the U.S. Department of Health and Human Services recently released a cybersecurity toolkit. Read on for details about the toolkit and how the federal government is prioritizing cybersecurity in healthcare.

On June 21, the U.S. Department of Homeland Security issued a long-anticipated cybersecurity final rule that revises an existing clause and adds two new clauses to the Homeland Security Acquisition Regulation related to contractors’ handling of controlled unclassified information.

Read on for highlights from this rule, which goes into effect July 21 and is likely

A bipartisan coalition of state attorneys general sent a comment letter to the Federal Trade Commission highlighting the risks to consumers from businesses’ surveillance and their collection and storage of data such as health information and location tracking.

Read on for details about this development and how companies that collect such information can minimize risks