Privacy & Cyber Regulatory Enforcement

NYDFS Issues Guidance on Managing Risks Related to Third-Party Service Providers

October 27, 2025 By Kate Hanniford, Lance Taubin and Carson Kuck

On October 21, 2025, the New York Department of Financial Services (“NYDFS”) published an Industry Letter (the “Letter”) outlining guidance on managing risks related to third-party service providers (“TPSPs”). NYDFS recognizes that as covered entities become more reliant on TPSPs, managing TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program.” The Letter outlines […]

Key Breach Notification Updates in California and Oklahoma for 2026

October 24, 2025 By Kim Peretti and Alysa Austin

Effective January 1, 2026, new legislation in California and Oklahoma will introduce important updates to each state’s breach notification requirements. These changes may significantly impact breach response obligations for businesses operating in or handling data related to residents of these states. Below is a summary of the key provisions under each law. California – Senate […]

California Enacts Digital Age Verification Law

October 23, 2025 By Maki DePalo and Hyun Jai Oh

On October 13, 2025, California Governor Gavin Newsom signed Assembly Bill 1043, the Digital Age Assurance Act (Act), into law. Effective January 1, 2027, the Act introduces a device-based age verification system designed to create safer digital environments for children under 18. The Act underscores a trend of state laws that require age verification or […]

UK Data Protection Regulator Fines Capita ~$18.8 Million Following a Ransomware Attack

October 20, 2025 By Hanna Hewitt and Kelly Hagedorn

On October 15, 2025, the UK’s Information Commissioner’s Office (ICO) fined Capita plc and Capita Pension Solutions Limited (collectively “Capita”) £14 million (~$18.8 million) for failing to implement adequate security measures to protect the personal data of over ~6.6 million individuals following a ransomware attack by Black Basta. The ICO’s penalty notice is available here. […]

FTC Cracks Down on Messaging App Operator on Child Data Exploitation

October 2, 2025 By Kathleen Benway, Alex Brown, Maki DePalo, Jennifer Everett and Lili Song

On September 29, 2025, the Federal Trade Commission (FTC) announced a legal action against the operator of the anonymous messaging app Sendit and its CEO for violations of multiple consumer protection and privacy laws. The complaint, filed in the United States District Court for the Central District of California by the Department of Justice at […]