Compliance

Subscribe to Compliance via RSS
Cybersecurity_682462080

Key Point: With the June 3, 2026, compliance deadline fast approaching, small firms subject to amended Regulation S‑P under the Gramm-Leach-Bliley Act (GLBA) should be in the final stages of updating their privacy and safeguards programs. In January 2026, the Securities and Exchange Commission (SEC) held an outreach event to help small firms comply with the amendments to Regulation S-P. This webinar was geared toward small firms in advance of the June 3, 2026, compliance deadline. The SEC highlighted new Regulation S-P compliance obligations, SEC exam team approaches moving forward, and held an examination workshop, which included an incident response tabletop discussion, review of a sample document request list, and a mock examination session.

Data_1200x600_GettyImages-2157013271

On April 22, the U.S. House of Representatives Financial Services Committee and the Energy and Commerce Committee jointly unveiled a paired privacy package that, taken together, would substantially recast the federal obligations for the treatment of consumer data. The “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” (the GUARD Financial Data Act) would update and enhance Title V of the Gramm‑Leach‑Bliley Act (GLBA) for financial institutions. The “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the SECURE Data Act) would create a national, cross‑sector privacy framework that would have applicability and features similar to the current patchwork of state comprehensive privacy laws, with strong entity-level and data-level exemptions for financial institutions and financial data subject to GLBA (and for HIPAA-covered entities and business associates, certain nonprofits, and institutions of higher education).

Security_1200x600_GettyImages-2170887175

Welcome to Part Two of our series that examines the ECPA as a private right of action for privacy policy inaccuracies.  In Part One of this series, we examined how a wave of state-law wiretapping litigation — predominantly under California’s Invasion of Privacy Act (CIPA) — set the stage for a new and more expansive federal class action litigation threat.  After years of plaintiffs targeting websites that deploy tracking technologies such as pixels and cookies, a series of defense wins in 2025 (and pending legislative action) encouraged plaintiffs’ firms to seek alternative theories. They found one in the Electronic Communications Privacy Act (ECPA). 

AI_chatbot_1200x600_GettyImages-1472037495

In Parts 1-3 of this series, we covered the mechanics of the CCPA’s new cybersecurity audit requirement: who is covered, when audits are required, what must be audited, who can perform the audit, how it fits with existing security frameworks, and what needs to be documented.

Privacy_1200x600_GettyImages-1952157610

Key Points: An August 2025 federal court ruling has opened the door for plaintiffs to use alleged inaccuracies or misrepresentations in a company’s privacy policy and other privacy disclosures as the basis for a federal wiretapping claim under the Electronic Communications Privacy Act (“ECPA”).

Unlike state wiretapping claims like CIPA, class action plaintiffs can file ECPA claims nationwide and they can carry statutory damages of $100 per day of violation or $10,000, whichever is greater. Plaintiffs’ firms are increasingly leading with ECPA claims in demand letters and class action complaints.

Companies can take steps to help insulate themselves from litigation by assessing and modifying their privacy policy and other data processing disclosures.

Introduction

Any company with a privacy policy that operates a website using so-called tracking technologies such as pixels, cookies, software development kits, or third-party analytics tools (which is practically every company) should be aware of the real class action risk associated with the federal wiretapping law known as the Electronic Communications Privacy Act (ECPA or Wiretap Act) and its “crime-tort” exception.  We have data mined and analyzed thousands of privacy lawsuits using AI to track plaintiff lawyers’ allegations and patterns.

Cyber_1200x600_GettyImages-1987307560

In Part 1 of this series, we outlined the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: who is covered, when audits are required, and the key obligations to keep in mind. In Part 2, we explored the mechanics and explained what the California Privacy Protection Agency (CalPrivacy) expects the cybersecurity audit to look like in practice, including what must be evaluated, who may conduct the audit, how thorough it must be, and what goes into the audit report.

Cyber_1200x600_GettyImages-2155090853

In Part 1 of this series, we walked through the basics of the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement: which businesses are covered, when audits are required, and the high-level obligations to have on your radar.

This five-part series provides an introductory roadmap to the California Consumer Privacy Act’s (CCPA) new cybersecurity audit requirement and the California Privacy Protection Agency’s (CalPrivacy) implementing regulations.

istock_102344703_og_cybersecurity-privacy

Key Point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to review carefully their compliance in view of the NYDFS interpretations and guidance.