Categories
Archives
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
Data Matters
Cybersecurity, Privacy, Data Protection, Artificial Intelligence, Internet Law, and Policy
Women in Privacy – Global Privacy Leadership Lunch
Join us in Brussels for our next Women in Privacy – Global Privacy Leadership Lunch.
(more…)
Data Matters Contributors
sidleyprivacyblog@sidley.com
U.S. SEC Regulation S-P and Checklist: Compliance Deadline, December 3, 2025, Approaching for Large Entities
On May 16, 2024, the U.S. Securities and Exchange Commission (SEC or Commission) issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which became effective on August 2, 2024 (the Final Amendments). The deadline for larger entities to comply with the Final Amendments is December 3, 2025, and for smaller entities, June 3, 2026.
(more…)
Ranah Esmaili
Washington, D.C.
resmaili@sidley.com
Jonathan M. Wilan
Washington, D.C.
jwilan@sidley.com
New York Department of Financial Services (NYDFS) Clarifies Expectations for Third-Party Cybersecurity Risks Under its Cybersecurity Regulation, and Additional Amendments Go into Effect on November 1, 2025
On October 21, 2025, NYDFS, the New York State agency responsible for regulating financial services and products, issued an Industry Letter clarifying how “Covered Entities”[1] should manage cybersecurity risks arising from Third‑Party Service Providers (TPSPs) under the NYDFS Cybersecurity Regulation (23 NYCRR Part 500).
(more…)
David Lashway
Washington D.C.
dlashway@sidley.com
Jennifer Seale
Washington, D.C.
jseale@sidley.com
Michael Hochman
Washington, D.C.
michael.hochman@sidley.com
Sasha Hondagneu-Messner
New York
shondagneumessner@sidley.com
EU Court of Justice Issues Landmark Judgment on Concept of “Personal Data”
On 4 September 2025, the EU Court of Justice (the “CJEU”) issued a landmark ruling in SRB v. EDPS confirming that pseudonymous data is not automatically personal data in all cases (the “SRB Case”). Instead, the key question is whether the controller can realistically re-identify the individual. This judgment is expected to have a significant impact on instances where effective technical and/or organisational measures prevent re-identification by the controller. Importantly, although the ruling arose under EU Regulation 2019/1725 – i.e., the EU data protection law applicable to EU Institutions (such as the Commission) – the CJEU confirmed that the same interpretation applies under the General Data Protection Regulation (the “GDPR”).
(more…)
Francesca Blythe
London
fblythe@sidley.com
Lauren Cuyvers
Brussels
lcuyvers@sidley.com
Oscar Beghin
Dr. Kwabena Tenkorang
Trainee Solicitor
ktenkorang@sidley.com
Regulatory Update: National Association of Insurance Commissioners Summer 2025 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Summer 2025 National Meeting (Summer Meeting) August 10–13, 2025. This blog summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Summer Meeting. Highlights include adoption of guidance on asset adequacy testing for reinsurance transactions, renewed focus on the risks of offshore reinsurance transactions, evaluation of insurers’ use of funding-agreement-backed note (FABN) and funding-agreement-backed securities (FABS) programs, and consideration of additional regulatory frameworks to address insurers’ use of artificial intelligence (AI).
(more…)
Andrew R. Holland
New York
aholland@sidley.com
Sara N. Africano
Chicago
safricano@sidley.com
Stephanie H. Dobecki
Chicago
sdobecki@sidley.com
Ellen M. Dunn
New York
edunn@sidley.com
Michael L. Rosenfield
Los Angeles
mrosenfield@sidley.com
Chris H. Burusco
Los Angeles
cburusco@sidley.com
Jacob A. Grossman
Chicago
jgrossman@sidley.com
Texting in Texas: The State Expands Telemarketing Registration Requirements to Include Text Marketers
Texas has amended its telephone solicitation and telemarketing law (the Texas “mini-TCPA” — after the federal Telephone Consumer Protection Act) to require certain businesses that engage in text marketing to register with the Texas Secretary of State and make detailed disclosures, pay registration fees, and post a $10,000 security deposit. The amendments, which were enacted by Senate Bill 140 and went into effect on September 1, 2025, also make certain violations of the Texas mini-TCPA de facto violations of the state’s deceptive trade practices law, which includes a private right of action and can carry significant penalties. While the law includes several provisions that will likely exempt established businesses that obtain one-to-one opt-in consent for text marketing messages and other types of calls, in light of the substantial fines and private right of action, businesses will want to carefully review the application of these new amendments to their marketing programs.
(more…)
Garrett Lance
Washington, D.C.
glance@sidley.com
Jonathan M. Wilan
Washington, D.C.
jwilan@sidley.com
Ian M. Ross
Miami
iross@sidley.com
Sheri Porath Rockwell
Century City
sheri.rockwell@sidley.com
Van Buren in Action: Third Circuit Rejects Application of the Computer Fraud and Abuse Act (CFAA) to Violations of Workplace Policies
On August 26, 2025, the Third Circuit issued an opinion in NRA Group, LLC v. Durenleau, limiting the application of the CFAA in the workplace. In a case of first impression for the Third Circuit, the Court specifically held that employees with legitimate access to company systems did not violate the CFAA by violating their employer’s computer-use policies absent any “evidence of code-based hacking.” Applying the Supreme Court’s Van Buren v. United States “gates-up-or-down” framework, the Third Circuit interpreted “without authorization” and “exceeds authorized access” under the CFAA narrowly – focusing on actual access prohibitions and restrictions. The ruling thus shields workplace computer-use policy violations by current employees, such as password sharing or improper data use, from CFAA liability (both civil and criminal) and steers employers toward other legal remedies.
(more…)
David Lashway
Washington D.C.
dlashway@sidley.com
John Woods
Washington, D.C.
jwoods@sidley.com
Philip Robbins
Brad A. Carney
Washington, D.C.
brad.carney@sidley.com
New Digital Health Ecosystem and HIPAA Flexibilities Facilitate Sharing of Patient Health Information
Earlier this month, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), released a new Frequently Asked Question (FAQ) related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, which establishes national standards to safeguard “protected health information” or “PHI.”
(more…)
Elizabeth Hardcastle
Washington, D.C.
ehardcastle@sidley.com
Rina Mady
Chicago
rmady@sidley.com
Meenakshi Datta
Chicago
mdatta@sidley.com
Ellie L. DeGarmo
Washington, D.C.
ellie.degarmo@sidley.com
Upcoming Events
Data Protection in Financial Services Week 2025
Women in Privacy – Global Privacy Leadership Lunch
Resources