Anthropic’s April 7, 2026 announcement that it built a model too powerful for public consumption, Claude Mythos Preview (Mythos), marks a notable moment for the legal, compliance, and cybersecurity communities. It is no surprise that the US Department of the
NY DFS’s new MFA guidance: closing common gaps before the next exam
Multi‑factor authentication (MFA) is now a well-established baseline cybersecurity control. The amended New York Department of Financial Services (NY DFS) solidified that understanding and expanded MFA requirements under 23 NYCRR Part 500 (the NY DFS
Getting ready for California’s new cybersecurity audit requirements
On January 1, 2026, the California Privacy Protection Agency’s (“CalPrivacy”) cybersecurity audit regulations (the “Regulations”) took effect after several years of rulemaking and public comment. As previewed in the Data Protection Report, certain businesses subject to the California Consumer
Partial compliance is noncompliance: Lessons from California’s $2.75 million settlement with Disney
On February 11, 2026, California Attorney General Rob Bonta announced a $2.75 million settlement with The Walt Disney Company (“Disney”), the largest civil penalty to date under the California Consumer Privacy Act as amended by the California Privacy Rights Act
The DOJ’s civil cyber-fraud initiative lives on: Insights from cybersecurity enforcement through the False Claims Act
The False Claims Act (“FCA”), the U.S. federal government’s principal civil anti-fraud statute, imposes liability on entities that knowingly submit, or cause the submission of, false or misleading claims for payment to the United States. The FCA has long served
SEC statement clarifies material cybersecurity incident disclosure requirement
SEC final rule on reporting material cybersecurity incidents
In July 2023, the US Securities and Exchange Commission (SEC) finalized its rule requiring public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. Though materiality is not a