Alston & Bird Privacy, Cyber & Data Strategy Blog

NYDFS Releases New Prescriptive FAQs on MFA

December 22, 2025 By Kim Peretti, Kate Hanniford, Lance Taubin and Carson Kuck

The New York Department of Financial Services (NYDFS) has released a new set of Frequently Asked Questions (FAQs 18–23) under 23 NYCRR Part 500, reinforcing its position that multifactor authentication (MFA) remains a critical component of a covered entity’s cybersecurity program. These FAQs provide highly prescriptive guidance, including clarifications on technical requirements for the “possession” factor and risks associated with push-based authentication methods. We have summarized below the … [Read more] about NYDFS Releases New Prescriptive FAQs on MFA

How to Comply with the EU AI Act: Guidance from the Spanish AI Regulator

December 15, 2025 By Alice Portnoy and Wim Nauwelaerts

On December 10, the Spanish supervisory authority for the EU AI Act (Agencia Española de Supervisión de Inteligencia Artificial, or AESIA) published a set of 16 detailed guidelines and non-binding checklists (available online here in Spanish) … [Read more] about How to Comply with the EU AI Act: Guidance from the Spanish AI Regulator

New EU Regulation Clarifies Cybersecurity Rules for IoT Devices and Other ‘Products with Digital Elements’

December 10, 2025 By Paul Greaves, Wim Nauwelaerts and Kelly Hagedorn

On November 28 2025, the European Commission adopted a regulation implementing the Cyber Resilience Act (‘CRA’) – an EU-wide law which lays down cybersecurity requirements for companies that design and sell ‘products with digital elements’. PDEs can … [Read more] about New EU Regulation Clarifies Cybersecurity Rules for IoT Devices and Other ‘Products with Digital Elements’

California AG Announces $1.4 Million Settlement with Mobile App Provider for Alleged CCPA Violations

December 1, 2025 By Maki DePalo, David Keating and Hyun Jai Oh

On November 21, 2025, California Attorney General (AG) Rob Bonta announced a $1.4 million settlement with Jam City, Inc. (company), a mobile game app company, for alleged failures to enable in-app opt-outs from the sale and sharing of personal … [Read more] about California AG Announces $1.4 Million Settlement with Mobile App Provider for Alleged CCPA Violations

SEC Dismisses Remaining Claims Against SolarWinds

November 24, 2025 By Cara Peterman, Sierra Shear and Madeleine Juszynski Davidson

On November 20, 2025, the Securities and Exchange Commission (SEC) dismissed its landmark enforcement action against SolarWinds Corp. and the company’s Chief Information Security Officer, Tim Brown. In 2023, the SEC’s enforcement action broke new … [Read more] about SEC Dismisses Remaining Claims Against SolarWinds