UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now (Leonard Ng, 2026-04-16 09:03:32, 2026-04-15 17:14:06)
Chambers 2026 Global Practice Guide for Cybersecurity (William RM Long, 2026-04-15 13:30:57)
Regulatory Update: National Association of Insurance Commissioners Spring 2026 National Meeting (Andrew R. Holland, 2026-04-14 11:01:05, 2026-04-14 11:06:19)
India’s Digital Regulation in Focus: Implications of the 2026 United States Trade Representative Report for American Companies (David Lashway, 2026-04-13 12:12:59)
Generative AI in Discovery: Protective Orders as an Emerging Point of Dispute (David A. Gordon, 2026-04-06 15:37:19)
Maryland District Court Relies on Loper Bright to Hold Written Consent for Telemarketing Calls Not Required (Ian M. Ross, 2026-03-27 14:54:12, 2026-03-30 17:18:35)
There’s a New Sheriff in Town — Texas as Privacy Regulator (Garrett Lance, 2026-03-26 09:42:13)
UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now
The Financial Conduct Authority (FCA) has published Policy Statement PS26/2 together with final guidance in FG26/3 and FG26/4. The Prudential Regulation Authority (PRA) has also published PS7/26 alongside Supervisory Statement SS1/26 and an update to SS2/21. PS26/2 and PS7/26 introduce a new UK framework for reporting serious operational incidents and material third-party arrangements. The framework was developed by the FCA, PRA, and the Bank of England and is intended to give the regulators better visibility of operational disruption and third-party dependencies and to support a more data-driven supervisory approach.
Leonard Ng
London, Singapore
lng@sidley.com
James Phythian-Adams
London
jphythianadams@sidley.com
Francesca Blythe
London
fblythe@sidley.com
Eleanor Dodding
London
edodding@sidley.com
Arjun Lakhani
London
arjun.lakhani@sidley.com
Andrea M. Hynes
London
ahynes@sidley.com
Qalid Mohamed
London
qmohamed@sidley.com
Julie Rodriguez
London
julie.rodriguez@sidley.com
Chambers 2026 Global Practice Guide for Cybersecurity
The Chambers Global Practice Guide for Cybersecurity 2026 has been published. The guide provides the latest legal information on cybersecurity law and regulation, including in relation to critical infrastructure, financial sector operational resilience, cyber-resilience, and ICT certification. The guide also covers the intersection of cybersecurity with data protection law, developments in AI and healthcare regulation.
William RM Long
London
wlong@sidley.com
Francesca Blythe
London
fblythe@sidley.com
Eleanor Dodding
London
edodding@sidley.com
Matthias Bruynseraede
London
mbruynseraede@sidley.com
Regulatory Update: National Association of Insurance Commissioners Spring 2026 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Spring 2026 National Meeting (Spring Meeting) March 22–25, 2026. This blog post summarizes the highlights from this meeting and from interim meetings held in lieu of meeting during the Spring Meeting. Highlights include progress on addressing regulatory concerns related to indexed annuity illustrations, establishment of a new working group on market conduct modernization, exposure of a risk-based capital (RBC) adjustment framework for collateral loans, a Securities Valuation Office (SVO) report on resource strain caused by increased Private Letter Rating filings, multiple revisions to statements of statutory accounting principles (including guidance on sale-leasebacks, repurchase agreements and residential mortgage loans held in statutory trusts, and proposed disclosures for funding agreement-backed financing programs), and updates on the pilot phase of the AI Systems Evaluation Tool.
Andrew R. Holland
New York
aholland@sidley.com
Stephanie H. Dobecki
Chicago
sdobecki@sidley.com
Sara N. Africano
Chicago
safricano@sidley.com
Ellen M. Dunn
New York
edunn@sidley.com
Michael L. Rosenfield
Los Angeles
mrosenfield@sidley.com
Jacob A. Grossman
Chicago
jgrossman@sidley.com
Lucas J. Grisham
Chicago
lgrisham@sidley.com
Ian Schmidt
Chicago
ian.schmidt@sidley.com
India’s Digital Regulation in Focus: Implications of the 2026 United States Trade Representative Report for American Companies
On March 31, 2026, the Office of the United States Trade Representative (“USTR”) furnished its annual National Trade Estimate Report, which identifies foreign trade barriers affecting U.S. companies, including several developments relating to India’s digital regulatory frameworks. The Report arrives at a time when India is assuming an increasingly central role in the global strategies of U.S. companies, reflecting sustained growth in its digital economy, a rapidly expanding middle class, and deeper U.S.-India trade engagement. At the same time, India’s regulatory framework governing digital platforms, data, and content is evolving in ways that are increasingly consequential for companies operating in the market. The Report highlights several of these developments, including content moderation requirements, data governance measures affecting cross-border flows, and ongoing concerns regarding intellectual property protection.
David Lashway
Washington, D.C.
dlashway@sidley.com
Michael C. Hochman
Washington, D.C.
michael.hochman@sidley.com
Ash Nagdev
Palo Alto
anagdev@sidley.com
Ben Cross
Chicago
bcross@sidley.com
Seventh Circuit Limits Potential Damages Under BIPA, Holds 2024 Amendment Applies Retroactively
Last week, the Seventh Circuit issued a critical opinion for companies facing lawsuits under the Illinois Biometric Information Privacy Act (“BIPA”). In Clay v. Union Pacific Railroad Co., No. 25-2185, 2026 WL 891902 (7th Cir. Apr. 1, 2026), the court held that a 2024 amendment to BIPA that limited damages to one recovery per person and not “per-scan” (each time a biometric identifier is collected) applies retroactively to cases pending at the time the amendment was enacted.
Kathleen Carlson
Chicago
kathleen.carlson@sidley.com
Lawrence P. Fogel
Chicago
lawrence.fogel@sidley.com
Andrew F. Rodheim
Chicago
arodheim@sidley.com
W. Stuart Whitney
Chicago
wstuart.whitney@sidley.com
Generative AI in Discovery: Protective Orders as an Emerging Point of Dispute
As courts have begun addressing generative AI in the privilege and work product context, they are also confronting related disputes in the context of protective orders. Recent decisions Morgan v. V2X, Inc. and Jeffries v. Harcros Chemicals, Inc. show that disagreements about how protective orders should address the use of AI in discovery — issues previously handled through negotiation — now will be informed by guidance from the courts.
David A. Gordon
Chicago
dgordon@sidley.com
Takayuki Ono
Chicago, Tokyo
tono@sidley.com
Matt S. Jackson
Chicago
matthew.jackson@sidley.com
Daniel Lim
Washington, D.C.
daniel.lim@sidley.com
Stephen Beemsterboer
Chicago
sbeemsterboer@sidley.com
Kseniya K. Belysheva
Los Angeles
kbelysheva@sidley.com
Maryland District Court Relies on Loper Bright to Hold Written Consent for Telemarketing Calls Not Required
In Bradley v. DentalPlans.com, 2026 WL 788856 (D. Md. Mar. 20, 2026), a federal district court in Maryland held that the Telephone Consumer Protection Act (TCPA or Act) does not require written consent before a person can receive automated or prerecorded telemarketing calls. The decision adds to a growing list of post-Loper Bright cases rejecting a rule by the Federal Communications Commission (FCC or Commission) requiring written (rather than verbal) consent.
Ian M. Ross
Miami
iross@sidley.com
Jacquelyn E. Fradette
Washington, D.C.
jfradette@sidley.com
Peter Bruland
Washington, D.C.
pbruland@sidley.com
Michael Loedel
Washington, D.C.
michael.loedel@sidley.com
There’s a New Sheriff in Town — Texas as Privacy Regulator
For many years, the privacy community took the position that the state of California was the leading data privacy regulator. The state of New York, with its active cyber enforcement by the New York Department of Financial Services, was a close second. However, in the past two years, Texas has emerged not only as a significant privacy regulator but also as an aggressive enforcer of its laws.
Garrett Lance
Washington, D.C.
glance@sidley.com