On April 30, 2026, the New York Department of Financial Services (NYDFS) announced a consent order with Delta Dental Insurance Company and Delta Dental of New York, Inc. for alleged violations of the NYDFS Cybersecurity Regulation relating to the 2023
Navigating AI compliance with HIPAA essentials
Healthcare providers are increasingly deploying artificial intelligence (AI) tools for diagnostics, documentation and operational efficiency. In fact, over the last few months, large AI platforms are now marketing AI-enabled tools directly to healthcare providers. Providers must navigate a
Complaint accuses OpenAI of practicing law without a license
A popular public AI tool has been accused in federal court of practicing law without a license. Please see the post on the Artificial Intelligence page of Inside Tech Law: AI in litigation series: Complaint accuses OpenAI of practicing law
NY DFS’s new MFA guidance: closing common gaps before the next exam
Multi‑factor authentication (MFA) is now a well-established baseline cybersecurity control. The amended New York Department of Financial Services (NY DFS) solidified that understanding and expanded MFA requirements under 23 NYCRR Part 500 (the NY DFS
HHS and state AGs fine ambulance firm over $500,000, require enhanced security, privacy, and data minimization practices
Earlier this year, the Attorneys General of Massachusetts and Connecticut entered into settlement agreements with Comstar, LLC, an ambulance billing firm, relating to alleged HIPAA regulation violations in connection with a ransomware incident. Comstar is a business associate under HIPAA
AI and privilege: Assessing recent court rulings
We recently drafted an article that discussed court decisions that reached very different conclusions about how the attorney-client privilege and work product doctrine apply to materials submitted to and created by generative AI (GenAI) tools. A recent decision from the
New York’s algorithmic pricing law
On November 10, 2025, New York’s disclosure law on algorithmic pricing went into effect. This post will describe the law, a recent federal court case, and some potential effects, using precise geolocation data as an example.
The law
The law
Regulators, including FCC, emphasize third party vendor cybersecurity monitoring requirements
Many data breaches occur not at the company that controls or owns the data, but rather at the company’s third-party service providers or vendors. Regulators have noticed and have begun placing emphasis on a company’s obligation to monitor its service
Service provider outages test customer resiliency
On November 18, 2025, companies had another opportunity to test their resiliency when connectivity and security provider Cloudflare had an outage of about four hours, which resulted in several popular websites going offline while others managed to provide some services
NYDFS releases guidance on third-party service provider risks
On October 21, 2025, the New York Department of Financial Services (NYDFS) issued guidance to help licensees comply with its cybersecurity regulation. The non-exclusive checklists may be of interest to companies not licensed by NYDFS and even those not