Crisis & Data Breach Response

Britain’s Financial Regulators Raise the Bar on Cyber Reporting and Resilience

April 20, 2026 By Kelly Hagedorn and Kristen Bartolotta

Cyber risk has shifted from a technical issue to a systemic one and Britain’s financial regulators are making that reality unmistakably clear. On March 18, 2026, the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England announced a new, unified cyber and operational resilience framework that strengthens the requirements on how firms […]

Connecticut Proposes Mandatory Forensic Investigation and Reporting for Large Scale Data Breaches

March 31, 2026 By Kim Peretti and Alysa Austin

Connecticut lawmakers have introduced legislation that, if enacted, would significantly expand breach-response obligations for organizations affected by large-scale cybersecurity incidents. As proposed, Raised Senate Bill 117 (SB 117), would create a new category of “massive” data breaches and impose mandatory forensic investigation and reporting requirements that go well beyond Connecticut’s existing breach notification framework. What […]

CISA Warns Organizations to Harden Endpoint Management Systems Following Cyberattack on Stryker Corporation

March 31, 2026 By Kim Peretti and Andrew Rice

On March 18, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (the Alert) urging U.S. organizations to harden their endpoint management systems following the March 11, 2026 cyberattack against medical technology firm Stryker Corporation (Stryker), which disrupted Stryker’s internal Microsoft environment. CISA stated that it is conducting enhanced coordination with federal partners, […]

CISA Revives CIRCIA Rulemaking

March 2, 2026 By Kim Peretti and Lance Taubin

Almost two years after seeking stakeholder input about a final rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) announced that it will hold virtual town hall meetings for certain industry sectors in March and April 2026 to solicit additional input on the Notice […]

New Jersey Expands HIPAA-Based Exemptions Under Its Comprehensive Privacy Law

February 16, 2026 By Jennifer Everett, Dorian Simmons and Sara Pullen

On January 20, 2026, the New Jersey Governor signed Assembly Bill A5017 (“Amendment”), amending the New Jersey Data Protection Act (“NJDPA”). The Amendment exempts data that is not protected health information (“non-PHI”) from the NJDPA when it is handled by covered entities or business associates in accordance with the privacy and security requirements of the […]