Two months after the New York Department of Financial Services (“NYDFS”) updated its Frequently Asked Questions (“FAQs”), which we wrote about here, NYDFS has released updated FAQs on multifactor authentication (“MFA”) that further clarify 23 NYCRR § 500.12. As we previously reported, the FAQs from December 2025 provided prescriptive guidance, including clarifications on technical requirements […]
About Ashley Miller
Rhode Island’s New Cybersecurity Law for Nonbank Financial Institutions
Rhode Island has enacted Senate Bill 603 (SB603), effective July 2, 2025, establishing a comprehensive cybersecurity framework for nonbank financial institutions licensed by the state’s Department of Business Regulation (DBR). Although SB603 is closely modeled after the New York Department of Financial Services’ (NYDFS) Cybersecurity Regulation, 23 NYCRR Part 500 (Part 500), SB603 introduces several […]
Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases
On June 27, 2025, the District Court for the Middle District of Florida, on remand from the Eleventh Circuit, reversed course when it denied class certification to a group of plaintiffs who were purportedly impacted by a spring 2018 cyberattack on Brinker International, Inc., the parent company of the popular chain restaurant, Chili’s. The recent […]
Virginia Legislature Passes Second US AI Governance Act behind Colorado: Comparing the AI Acts
On February 20, 2025, the Virginia legislature passed the High-Risk Artificial Intelligence Developer and Deployer Act (House Bill 2094, the “VA AI Act”) that mandates developers and deployers of high-risk artificial intelligence systems (“HRAI systems”) to adhere to specific governance requirements. The VA AI Act will come into effect on July 1, 2026 (if Virginia […]
Massachusetts Top Court Torpedoes Website Analytics Wiretapping Class Action
On October 24, 2024, in a long-awaited decision in Vita v. New England Baptist Hospital, Massachusetts’ highest court snuffed out an attempt to use the state’s 1968 Wiretap Act to impose liability on a hospital system for its use of third-party analytics technologies on its website. The case had been closely watched by the business […]