Key Point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to carefully review their compliance in view of the NYDFS interpretations and guidance.

In this special joint episode of The Consumer Finance Podcast and Payments Pros, Taylor Gess and Kim Phan discuss key privacy and data security risks in point-of-sale finance. They dive into regulators’ growing view that every player in the payments chain shares responsibility for protecting data, highlighting best practices for vendor management, PCI DSS oversight, and incident response planning. The episode also touches on the shifting patchwork of state privacy and breach notification laws, GLBA exemptions, and the risks of data monetization, including when packaging and selling transaction data can trigger Fair Credit Reporting Act obligations.

In this episode of our special 12 Days of Regulatory Insights podcast series, Ashley Taylor, co-leader of Troutman Pepper Locke’s State AG team, sits down with Privacy and Cyber chair Ron Raether to discuss how state attorneys general (AGs) are shaping the regulatory landscape for social media and the broader ad tech ecosystem.

Key point: Oklahoma recently updated its breach notification statute for the first time since enactment, aligning with broader state trends and underscoring the ongoing, continuous review of data breach notification laws by lawmakers.

Effective January 1, 2026, Oklahoma’s Senate Bill 626 substantially revises the state’s data breach notification statute by expanding the definition of personal information, introducing a regulatory notice requirement, and updating safe-harbor exemptions. The amendments are the first changes to the law since it was enacted in 2008 and are consistent with trends in other states in recent years. For example, California adopted similar amendments set to take effect on January 1, 2026.

The article below provides an overview of the amendments.

Key point: The Third Circuit Court of Appeals recently issued an opinion affirming the dismissal of a class action complaint asserting both California Invasion of Privacy Act (CIPA) and California Medical Information Act (CMIA) claims, providing helpful guidance on the application of the “party exception” defense to a wiretap claim, as well as the meaning of “medical information” under the CMIA claim.

Troutman Pepper Locke attorneys assess California’s collaboration with other foreign governments on promoting privacy rights and what this means for the future of data protection worldwide.

The California Privacy Protection Agency recently announced that it signed a declaration of cooperation on privacy protections or collaboration with the UK Information Commissioner’s Office, its latest collaboration with a foreign government.