This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.
FirstEnergy and Your IR Team: Structuring Expert Involvement to Preserve Privilege
This article takes the next step and focuses on what businesses can do before an incident to structure their vendor relationships and IR plans in alignment with these key legal lessons. We focus on four core IR vendor types: digital forensics vendors, restoration vendors, public relations (PR)/communications firms, and data mining/data review vendors.
‘FirstEnergy’ and Incident Response: Preserving Privilege in Cyber Investigations
Reprinted with permission from the February 9, 2026 edition of The Legal Intelligencer. © 2026 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For permission to reprint or license this article, please contact 877-256-2472 or asset-and-logo-licensing@alm.com.
Investigations led by counsel, triggered by legal risk, and designed to elicit legal advice remain protected, even if their findings later inform business decisions. For cyber incidents, FirstEnergy outlines how to structure IR investigations to maximize privilege and work product protection while supporting an effective technical and business response.
Oklahoma Amends Data Breach Notification Statute
Key point: Oklahoma recently updated its breach notification statute for the first time since enactment, aligning with broader state trends and underscoring the ongoing, continuous review of data breach notification laws by lawmakers.
Effective January 1, 2026, Oklahoma’s Senate Bill 626 substantially revises the state’s data breach notification statute by expanding the definition of personal information, introducing a regulatory notice requirement, and updating safe-harbor exemptions. The amendments are the first changes to the law since it was enacted in 2008 and are consistent with trends in other states in recent years. For example, California adopted similar amendments set to take effect on January 1, 2026.
The below article provides an overview of the amendments.
California Amends Breach Notification Statute
Key Point: California’s existing breach notification statute was amended to include more decisive guidelines for reporting to individuals and regulators.
On October 5, 2025, California Governor Gavin Newsom signed SB-446 into law, which bill sponsor Sen. Melissa Hurtado (D-CA) indicates is aimed at “closing a critical loophole” in California’s existing breach notification statute. Below, we first provide a brief background on the scope of the law and then discuss the amendment.
CPPA Announces $1.35M Enforcement Action
Key point: The enforcement action alleges that the retailer failed to provide adequate privacy disclosures to website visitors and job applicants, failed to effectuate opt-out requests, including recognizing the Global Privacy Control signal, and lacked legally compliant data processing agreements with third parties.
Peabody Settlement Reaffirms Massachusetts AG’s Commitment to Protecting Consumer Personal Information
Key point: Regulators will ensure corporate accountability by imposing stringent sanctions on businesses that are perceived as neglecting the protection of consumer personal information.
3 Takeaways From Recent Cyberattacks On Healthcare Cos.
Published in Law360 on June 4, 2025. © Copyright 2025, Portfolio Media, Inc., publisher of Law360. Reprinted here with permission.
Significant data breaches have affected major players in the healthcare industry in the last year, with the methods of attack being as diverse as the affected entities themselves.