With Halloween lurking around the corner and as National Cybersecurity Awareness Month comes to a close, the McGuireWoods Data Privacy & Cybersecurity Practice Group reminds you to not wait to be spooked by a cybersecurity incident or haunted by the task of maintaining your cybersecurity program.
Today’s threat landscape is rapidly changing and accelerated evermore…
California’s Invasion of Privacy Act (CIPA) is a 1967 criminal wiretapping statute being stretched to govern 2025-era internet technologies. The result has been a patchwork of conflicting decisions that turn on hair-splitting distinctions about what it means to “read” a communication “in transit,” whether URLs and clickstream data constitute “contents,” and how third-party service providers…
Regulators of data privacy laws have expressed a desire in recent months to intensify enforcement around opt-out preference signals, also known as universal opt-out mechanisms (the “Opt-Out Signals”).
Opt-Out Signals allow consumers to automatically opt-out of the sale and sharing of personal information for targeted advertising across all websites they may visit through an internet…
In 2020, California was the first mover in state comprehensive privacy law legislation, a distinction it held for approximately three years before other states took similar action. Indeed, eighteen additional states have passed their own privacy bills, along with many complementary laws related to children’s privacy, consumer health data privacy, biometric data privacy, and data…
In a recent decision, the U.S. District Court for the Northern District of California has construed the private right of action provision under the California Consumer Privacy Act (CCPA) broadly, which increases business risk to tracking technologies lawsuits that are already rampant.…
On March 7, 2025, the California Privacy Protection Agency (“CPPA”), which is tasked with enforcing the California Consumer Privacy Act (“CCPA”) entered a Stipulated Final Order (“Order”) with American Honda Motor Co., Inc. (“Honda”), fining Honda $632,500. This Order is instructive as to CPPA’s views on various topics covered by the CCPA. Among other things,…
On January 10, 2025, in the waning days of the Biden Administration, the Consumer Financial Protection Bureau issued a Request for Information Regarding the Collection, Use, and Monetization of Consumer Payment and Other Personal Financial Data. The Request signals the Bureau’s strong concern with the ways financial institutions, and particularly new financial tools like widespread…
In response to increased cybersecurity threats and significant regulatory enforcement actions, on Dec. 27, 2024, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking seeking to enhance cybersecurity protections under the Security Rule implemented pursuant to the Health Insurance Portability and Accountability Act of 1996. While the proposed rule is…
On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack. This wave of enforcement actions…
After a nearly five-year rulemaking process, the U.S. Department of Defense (DoD) published the Final Cybersecurity Maturity Model Certification 2.0 (CMMC) program rule in the Federal Register on Oct. 15, 2024, codified at 32 CFR Part 170. Contract clauses implementing the CMMC program rule will be issued as part of the Defense Federal Acquisition Supplement,…
