Key point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to carefully review their compliance in view of the NYDFS interpretations and guidance.

Key point: Last week, chatbot bills crossed chambers in Arizona and Iowa and advanced out of committees in five states, a health care-related AI bill crossed chambers in Kentucky, and provenance bills advanced out of committees in Utah and New York.

Below is the seventh update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the contents provided below are time-sensitive and subject to change.

Key point: Alabama’s House passed a consumer data privacy bill, amendments advanced in Utah and Virginia, and the text of the latest CTDPA amendment was filed.

Below is the seventh update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

This article takes the next step and focuses on what businesses can do before an incident to structure their vendor relationships and IR plans in alignment with these key legal lessons. We focus on four core IR vendor types: digital forensics vendors, restoration vendors, public relations (PR)/communications firms, and data mining/data review vendors.

Key point: Last week, chatbot bills crossed chambers in four states and advanced out of committees in four other states, Utah’s provenance bill crossed chambers, and Florida’s AI Bill of Rights moved out of a second Senate committee.

Below is the sixth update on the status of proposed state AI legislation in 2026. These posts track state AI bills that can directly or indirectly affect private-sector AI developers and deployers. These posts do not track AI bills that focus on government use of AI; insurance; workgroups; education; legal settings; name, image, and likeness; deepfakes; CSAM and sexual material; and election interference. As always, the content provided below is time-sensitive and subject to change.

Key point: Oklahoma is on the cusp of becoming the 20th state to pass a consumer data privacy law while Alabama’s app store bill was signed into law and app store bills crossed chambers in Kansas, South Dakota, and Wisconsin.

Below is the sixth update on the status of proposed state privacy legislation in 2026. This post covers updates on proposed bills dealing with consumer data privacy, children’s privacy, biometric privacy, data brokers, and consumer health data privacy. As always, the contents provided below are time-sensitive and subject to change.

In this special joint episode of The Consumer Finance Podcast and Payments Pros, Taylor Gess and Kim Phan discuss key privacy and data security risks in point-of-sale finance. They dive into regulators’ growing view that every player in the payments chain shares responsibility for protecting data, highlighting best practices for vendor management, PCI DSS oversight, and incident response planning. The episode also touches on the shifting patchwork of state privacy and breach notification laws, GLBA exemptions, and the risks of data monetization, including when packaging and selling transaction data can trigger Fair Credit Reporting Act obligations.

With state legislatures reconvening for 2026, numerous states are considering privacy and AI bills on a broad range of topics. In the AI space, these bills cover high-risk activities, chatbots, pricing, disclosures, provenance, employment, and health, among other topics. In the privacy space, these bills cover consumer data privacy, teens’ privacy, biometric privacy, consumer health data privacy, and data brokers.

Key point: Last week, chatbot bills crossed chambers in Virginia and Washington, Tennessee’s Senate passed a health care-related AI bill, a Utah bill drew the attention of the Trump administration, and a new bill was introduced to amend California’s AI Transparency Act.

Below is the fifth update on the status