Privacy & Cyber Regulatory Enforcement

NYDFS Revises Prescriptive FAQs on Multifactor Authentication

March 5, 2026 By Kim Peretti, Kate Hanniford, Lance Taubin, Ashley Miller and Carson Kuck

Two months after the New York Department of Financial Services (“NYDFS”) updated its Frequently Asked Questions (“FAQs”), which we wrote about here, NYDFS has released updated FAQs on multifactor authentication (“MFA”) that further clarify 23 NYCRR § 500.12. As we previously reported, the FAQs from December 2025 provided prescriptive guidance, including clarifications on technical requirements […]

CISA Revives CIRCIA Rulemaking

March 2, 2026 By Kim Peretti, Lance Taubin and Scott Hilsen

Almost two years after seeking stakeholder input about a final rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) announced that it will hold virtual town hall meetings for certain industry sectors in March and April 2026 to solicit additional input on the Notice […]

FTC Sends Letters Reminding Data Brokers of their Obligations under PADFAA

February 25, 2026 By Jennifer Everett, Daniel Felz, Alex Brown and Santi Villar

On February 9, 2026, the Federal Trade Commission (“FTC”) sent letters to thirteen data brokers reminding them of their obligations to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (“PADFAA”). We previously wrote an article and Peter Swire published a white paper at the Cross-Border Data Forum (“CBDF”) describing PADFAA in […]

FBI Launches Operation Winter SHIELD in Effort to Advance Cyber Resilience Across Critical Sectors

February 4, 2026 By Kim Peretti, Lance Taubin and Andrew Rice

On January 28, 2026, the Federal Bureau of Investigation (FBI) announced the launch of Operation Winter SHIELD, a coordinated initiative designed to promote adoption of core defensive measures that are shown to mitigate common intrusion vectors. Operation Winter SHIELD identifies ten priority actions the FBI views as important in improving organizational cyber resilience. The FBI […]

FTC Reverses Rytr Consent Order Amid Push for Federal AI Standards

February 3, 2026 By Kathleen Benway, Alex Brown, Jennifer Everett, Daniel Felz and Lili Song

On December 22, 2025, the Federal Trade Commission (FTC) set aside its 2024 consent order against Rytr, a generative AI-powered company, concluding that the original complaint “failed to satisfy the legal requirements of the FTC Act” and that the order unduly burdened AI innovation in violation of the Trump Administration’s January 2025 AI Executive Order […]