Regulatory Enforcement

FTC Targets EdTech Data Practices in Final Order Following Major Student Data Breach

June 18, 2026 By Maki DePalo, Jennifer Everett, Yin Tydir and Lili Song

On June 5, 2026, the Federal Trade Commission (“FTC”) gave final approval to a modified consent order against Illuminate Education, Inc. (“EdTech Provider”), a K-12 software vendor, settling allegations that the EdTech Provider did not adequately protect the personal data of more than 10 million students. The action — which follows a public comment period […]

NYDFS Issues Frontier AI Advisory and Guidance for Heightened Cyber Threat Environment

May 26, 2026 By Kim Peretti, Ashley Miller, Lance Taubin and Taylor Veracka

On May 21, 2026, the New York Department of Financial Services (“NYDFS”) issued two Industry Letters to the organizations it regulates (“Regulated Entities”): “Heightened Cybersecurity Risks Associated with Frontier AI Models” (the “Advisory”) and “Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment” (the “Guidance”) (collectively, the “Letters”). The Letters discuss […]

Key AI, Cybersecurity, and Privacy Takeaways from the NAIC 2026 Spring Meeting

April 1, 2026 By Dorian Simmons

From March 22–25, the National Association of Insurance Commissioners (“NAIC”) held its 2026 Spring National Meeting in San Diego, California. During the meeting, the Innovation, Cybersecurity, and Technology Committee, along with its working groups on Third-Party Data and Models, Big Data and Artificial Intelligence, and Cybersecurity, addressed key developments regarding oversight of third-party data and […]

CalPrivacy Goes to the Board with Digital Advertising-Focused Enforcement

March 9, 2026 By Cynthia Cole, Dorian Simmons and Anna von Spakovsky

On February 27, 2026, the California Privacy Protection Agency (“CalPrivacy”) issued an order (the “Order”) requiring a sports-focused media and technology company (the “Company”) to pay a $1.10 million administrative fine for violations of the California Consumer Privacy Act (“CCPA”). The action continues California regulators’ scrutiny of how companies deploy cookies, software development kits and […]

CISA Revives CIRCIA Rulemaking

March 2, 2026 By Kim Peretti and Lance Taubin

Almost two years after seeking stakeholder input about a final rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) announced that it will hold virtual town hall meetings for certain industry sectors in March and April 2026 to solicit additional input on the Notice […]