Edward McNicholas at Ropes & Gray LLP

Supreme Court to Consider the Video Privacy Protection Act

Last week, the U.S. Supreme Court agreed to hear a case that is expected to resolve a long-developing split among federal courts of appeals over the scope of the Video Privacy Protection Act of 1988 (“VPPA”), 18 U.S.C. §...more

2/4/2026 / Appellate Courts , Class Action , Consumer Privacy Rights , Data Privacy , Data-Sharing , Litigation Strategies , Online Platforms , Personal Information , SCOTUS , Split of Authority , Statutory Interpretation , Video Privacy Protection Act , Web Tracking , Websites

NYDFS Regulated Entities Face Stronger Cybersecurity Regulations

The New York Department of Financial Services (“NYDFS”) implemented the final phases of amendments to its NYDFS Cybersecurity Regulation (23 NYCRR Part 500) in May and November....more

1/20/2026 / Asset Management , Compliance , Cybersecurity , Data Security , Financial Institutions , Multi-Factor Authentication , New Guidance , New Regulations , New York , NYDFS , Regulatory Oversight , Regulatory Requirements , Risk Management , Third-Party Service Provider , Vulnerability Assessments

California’s CCPA Cybersecurity Audit Rule Takes Effect: What Businesses Need to Know

The California Consumer Privacy Act (“CCPA”) has entered yet another new chapter – audits. On January 1, 2026, the California Privacy Protection Agency (“CPPA”) regulations took effect, establishing comprehensive...more

1/15/2026 / Audits , California , California Consumer Privacy Act (CCPA) , California Privacy Protection Agency (CPPA) , Compliance Dates , Compliance Monitoring , Cybersecurity , Data Privacy , Data Protection , Data Security , New Regulations , Regulatory Requirements , Risk Assessment , Risk Management , State Privacy Laws

On the Fourth Day of Data… All is Calm, All is Bright? Securing Agentic AI Before the Lights Go Out

As 2025 draws to a close and some organizations slip into a quieter holiday rhythm, their AI systems continue humming in the background—summarizing customer inquiries, triaging security alerts, generating code, and...more

12/18/2025 / AI Act , Artificial Intelligence , Compliance , Cyber Threats , Cybersecurity , Data Privacy , Data Protection , Data Security , Digital Operational Resilience Act (DORA) , Emerging Technologies , EU , Governance Standards , Incident Response Plans , NIST , Regulatory Requirements , Risk Management , Third-Party Risk

Responding to the SitusAMC Data Breach

Recently, major media reported that a key financial services provider, SitusAMC, suffered a substantial data security incident. This Alert summarizes what we know so far, the possible legal implications, and some action items...more

12/2/2025 / Contract Terms , Corporate Counsel , Cybersecurity , Data Breach , Data Privacy , Data Protection , Data Security , Financial Services Industry , Incident Response Plans , Popular , Regulatory Requirements , Reporting Requirements , Risk Management , State Data Breach Notification Statutes , Third-Party Relationships , Third-Party Service Provider

Initial Guidance on Responding to the SitusAMC Data Breach

Over the last weekend, major media reported that a key financial services provider, SitusAMC, suffered a substantial data security incident. This Alert summarizes what we know so far, the possible legal implications, and some...more

11/26/2025 / Contract Terms , Cybersecurity , Data Breach , Data Privacy , Data Protection , Data Security , Due Diligence , Financial Institutions , Financial Services Industry , General Data Protection Regulation (GDPR) , Notice Requirements , Notification Requirements , Regulatory Oversight , Regulatory Requirements , Reporting Requirements , Third-Party Service Provider

Pixel Litigation Risk at Financial Institutions

An increasingly aggressive plaintiffs’ bar has brought purported class action suits based on the nearly ubiquitous use of tracking technologies used for website analytics. Although any actual harm to the plaintiffs is...more

7/14/2025 / California Consumer Privacy Act (CCPA) , Class Action , Compliance , Consent , Consumer Privacy Rights , Cookies , Data Privacy , Data Protection , Financial Institutions , Gramm-Leach-Blilely Act , Privacy Laws , Third-Party , Web Tracking

[Podcast] R&G Tech Studio: AI Innovation vs. Safety—Insights on a New Executive Order

On this episode of the R&G Tech Studio podcast, Ropes & Gray partners and co-leaders of the firm’s AI initiative, Megan Baca and Ed McNicholas, delve into the key implications of President Trump’s new AI Executive Order...more

5/9/2025 / AI Act , Artificial Intelligence , Biden Administration , Compliance , Executive Orders , Innovation , National Security , Regulatory Agenda , Regulatory Requirements , Trump Administration

DOJ Releases FAQs and Compliance Guidance for Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and other...

On April 11, 2025, the Department of Justice (“DOJ”) released additional detail regarding the Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal...more

4/15/2025 / China , Compliance , Corporate Counsel , Data Privacy , Department of Justice (DOJ) , Enforcement Actions , Executive Orders , Final Rules , New Guidance , Personal Data , Sensitive Personal Information

DOJ Bulk Data Final Rule Update

Today, the Department of Justice’s (“DOJ”) Final Rule implementing former President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by...more

4/9/2025 / Biden Administration , Data Collection , Data Privacy , Department of Justice (DOJ) , Executive Orders , Final Rules , National Security , Personal Data , Regulatory Requirements , Sensitive Personal Information

DOJ Issues Final Rule Restricting Flow of Bulk Sensitive Personal Data to China and Other Countries of Concern

On January 8, 2025, the Department of Justice (“DOJ”) published its Final Rule to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States...more

DOJ Issues Notice of Proposed Rulemaking to Restrict Flow of Bulk Sensitive Personal Data to China and other Countries of Concern

On October 29, 2024, the Department of Justice (“DOJ”) published its Notice of Proposed Rulemaking (“NPRM”) to implement President Biden’s Executive Order 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data...more

SEC Announces Settlements with Four Issuers regarding Cybersecurity Disclosures

On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and...more

11/1/2024 / Corporate Governance , Cybersecurity , Data Breach , Disclosure Requirements , Enforcement Actions , Failure To Disclose , Publicly-Traded Companies , Securities and Exchange Commission (SEC) , Securities Regulation , Securities Violations , SolarWinds

Edward McNicholas

Ropes & Gray LLP

Popular Topics by This Author

Latest Publications