The Digital Download provides a quarterly snapshot of emerging issues at the intersection of privacy, cybersecurity, and data strategy. It brings together Alston & Bird’s thought leadership, publications, events, and firm news into a single, easy-to-navigate resource.
Publications & Advisories
- April 27, 2026 – Cynthia Cole, Dorian Simmons, and Anna von Spakovsky published “States’ Privacy Law Enforcement Moves Echo Pre-SOX Environment” in Bloomberg Law.
- April 13, 2026 – Cynthia Cole and Dorian Simmons published “Privacy, Cyber & Data Strategy Advisory | Top AI, Privacy, and Cyber Enforcement Takeaways from the 2026 IAPP Global Summit.”
- April 10, 2026 – Cynthia Cole published “The Chief Legal Officer: Strategy and Judgment on the Corporate Board” in Direct Women.
- April 9 & 13, 2026 – As a part of Alston & Bird’s Health Data Monetization video series, Jennifer Everett presented “Designing Privacy-First Monetization,” discussing how considerations such as AI governance, downstream use, and national-security rules shape modern data strategies. Dan Felz presented “From Data to Durable Growth,” outlining common monetization models, from internal analytics and AI to partnerships and research, and underscoring why market-ready governance is essential to scaling these initiatives responsibly.
- March 25, 2026 – Cynthia Cole and Anna von Spakovsky published “AI on the Contracts Stage: Enter the AI Playbook” on Law.com.
- February 24, 2026 – Kim Peretti and Lance Taubin published “How AI Is Changing the Incident Response Landscape: What GCs Need to Know” on Law.com.
- February 19, 2026 – Angela Burnette and Jennifer Pike published “Health Care Advisory | A New Day for OCR’s Data Breach Portal: Are You Ready?”
- February 6, 2026 – Kelly Hagedorn, Wim Nauwelaerts, Hanna Hewitt, and Christian Seremetis published “Privacy, Cyber & Data Strategy Advisory | The DSA and GDPR: 5 Ways These Laws Work Together.”
- February 2026 – Kelly Hagedorn, Cara Peterman, Alice Portnoy, Sierra Shear, Hanna Hewitt, and John Evan Laughter published “Cybersecurity Resources for Boards in the United States, United Kingdom, and European Union” in Pratt’s Privacy & Cybersecurity Law Report.
- February 2026 – David Keating, Kim Peretti, Lance Taubin, and Santi Villar published “California Expands the Impact of the California Consumer Privacy Act with Sweeping New Rules on Cybersecurity Audits, Automated Decisionmaking Technologies, and Privacy Risk Assessments” in Pratt’s Privacy & Cybersecurity Law Report.
- February 2026 – Maki DePalo and Hyun Jai Oh published “Navigating Minors’ Privacy and Online Safety Laws: A Strategic Guide for Businesses” in Pratt’s Privacy & Cybersecurity Law Report.
Selected U.S. Privacy & Cyber Updates
One Federal Privacy Bill to Rule Them All?
On April 21, 2026, Republican lawmakers on the House Energy & Commerce Committee introduced the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, the SECURE Data Act. The Act is designed to create a comprehensive nationwide framework governing consumer privacy and personal data protection in the United States. If enacted, the Act would significantly reshape the U.S. privacy landscape by establishing uniform consumer rights, clarifying obligations for businesses nationwide, and displacing much of the current state-by-state regime.
On March 16, 2026, the Delaware Court of Chancery issued an opinion finding that the CEO of a major gaming company followed guidance from ChatGPT to breach a $500 million acquisition agreement. This dispute joins a growing list of cases in which chatbot records have entered the courtroom as evidence against users.
Your AI Scribe May Be Taking Notes (and Plaintiffs Are Too)
On April 7, 2026, several plaintiffs filed a class action complaint in the Northern District of California against Sutter Health, Memorial Health Services Inc., and Memorial Care Medical Foundation. The complaint alleges the defendants illegally recorded the plaintiffs’ confidential medical information by using an AI-powered “ambient clinical documentation” tool to record clinician-patient conversations during medical visits. This suit may highlight a growing litigation risk for the health care systems deploying conversational AI technologies, as well as processes and patient consents that can mitigate these risks.
On April 21, 2026, the Computer & Communications Industry Association voluntarily dismissed its constitutional challenge to the Utah App Store Accountability Act. The dismissal follows statutory amendments enacted earlier this year that removed the Utah attorney general’s authority to enforce the law. This sequence of events underscores the increasingly complex and rapidly developing nature of minors’ online safety regulations.
New York AI Disclosure Bill Passes State Legislature
New York Assembly Bill A3411B passed its third reading in the Senate on March 9, 2026, sending it through the legislature and preparing it for delivery to Governor Kathy Hochul. If enacted, the bill will require owners, licensees, and operators of generative AI systems to display a clear and conspicuous notice on system user interfaces that generative AI outputs may be inaccurate. If signed, it will go into effect 90 days after becoming law.
Cybercrime Trends to Watch: Takeaways from the FBI’s 2025 IC3 Annual Report
On April 6, 2026, the Federal Bureau of Investigation (FBI) released its 2025 IC3 Annual Report, which provides key trends, case data, and other statistics related to the FBI’s ongoing efforts to combat emerging cybersecurity threats. For the first time, the IC3 report documents the growing use of AI by cybercriminals to conduct successful fraud schemes by generating convincing phishing emails, synthetic video content, and voice cloning. The FBI received more than 22,000 complaints referencing AI, with adjusted losses exceeding $893 million.
“Show Your Work, AI”: Congress Pushes for AI Model Transparency
On March 26, 2026, a bipartisan group of U.S. lawmakers introduced H.R.8094, the AI Foundation Model Transparency Act of 2026 (AI FMTA). At its core, the AI FMTA would require developers of certain large AI models, like ChatGPT or Claude, to publicly disclose key information about how the models are trained, what the models are designed to do, where the limitations and risks lie, and how the models are evaluated and monitored. The purpose is to provide the public with transparency but not to regulate AI.
Key AI, Cybersecurity, and Privacy Takeaways from the NAIC 2026 Spring Meeting
In March, the National Association of Insurance Commissioners (NAIC) held its 2026 Spring National Meeting in San Diego. During the meeting, the Innovation, Cybersecurity, and Technology Committee, along with its working groups on third-party data and models, Big Data and artificial intelligence, and cybersecurity, addressed key developments in oversight of third-party data and models, insurer use of artificial intelligence, cybersecurity preparedness, and consumer privacy.
California Jumps into AI Procurement with State Governing Principles in an Executive Order
On March 30, 2026, California Governor Gavin Newsom signed executive order N-5-26, aimed at governing the responsible procurement and deployment of generative artificial intelligence across California’s government. The order builds on executive order N-12-23, issued in September 2023, by directing a series of actions across multiple state agencies, with most deliverables due within 120 days.
Connecticut Proposes Mandatory Forensic Investigation and Reporting for Large-Scale Data Breaches
Connecticut lawmakers have introduced legislation that, if enacted, would significantly expand breach-response obligations for organizations affected by large-scale cybersecurity incidents. Raised Senate Bill 117 would create a new category of “massive” data breaches and impose mandatory forensic investigation and reporting requirements that go well beyond Connecticut’s existing breach notification framework.
On March 20, 2026, the Trump Administration released its National Policy Framework for Artificial Intelligence, a legislative recommendation document intended to guide Congress in establishing a unified federal approach to artificial intelligence governance. The White House’s new AI Framework follows Senator Marsha Blackburn’s March 18, 2026 legislative discussion draft, the Trump America AI Act. Blackburn’s draft generally reflects the priorities outlined in the AI Framework, with notable differences in the areas of copyright protections, liability for AI developers, and the proposed repeal of Section 230 of the Communications Act.
A New U.S. Cyber Strategy: President Trump’s Cyber Strategy for America
A newly released U.S. government cyber strategy outlines a more assertive and coordinated national posture toward cybersecurity. The strategy acknowledges that cyberspace is central to economic security, national defense, and everyday life. In doing so, it warns that cyber threats now affect everything from critical infrastructure to small businesses and individuals. These cyber threats are no longer viewed as isolated technical incidents. Instead, they are treated as persistent national security challenges driven by hostile states, criminal organizations, and the misuse of emerging technologies.
U.S. Senator Marsha Blackburn Proposes National AI Legislative Framework
On March 18, 2026, U.S. Senator Marsha Blackburn issued an AI legislative framework discussion draft, the Trump America AI Act. According to Blackburn, the draft is intended to codify President Trump’s December 11, 2025 Executive Order for establishing a uniform federal AI policy. Blackburn stated, “[President Trump] called on Congress to pass federal standards and protections to solve the patchwork of state laws that has hindered AI innovation.” The AI discussion draft, Blackburn said, is intended to broadly protect “children, creators, conservatives, and communities from exploitation, abuse, and censorship and ensure American AI companies can innovate without cumbersome regulation.”
Ninth Circuit Partially Lifts Injunction Against California Age-Appropriate Design Code Act
On March 12, 2026, the Ninth Circuit partially vacated the preliminary injunction by the Northern District of California that had blocked the enforcement of the California Age-Appropriate Design Code Act (CAADCA). Several key CAADCA provisions remain enjoined, but the Ninth Circuit’s latest decision allows a number of substantive obligations to take effect as the case returns to the district court for further review.
On March 6, 2026, the California Privacy Protection Agency (CalPrivacy) published an invitation for preliminary comments seeking public input on whether regulatory changes are needed in two related areas under the California Consumer Privacy Act (CCPA): (1) reducing friction in exercising privacy rights; and (2) the operation and use of opt-out preference signals.
CalPrivacy Goes to the Board with Digital-Advertising-Focused Enforcement
On February 27, 2026, CalPrivacy issued an order requiring a sports-focused media and technology company to pay a $1.1 million administrative fine for violations of the CCPA. The action continues California regulators’ scrutiny of how companies deploy cookies, software development kits, and other online tracking technologies for digital advertising.
On February 25, 2026, the Federal Trade Commission (FTC) issued an enforcement policy statement announcing that it will not bring enforcement actions under the Children’s Online Privacy Protection Act (COPPA) Rule against operators of general audience sites and services and mixed audience sites and services that collect, use, or disclose personal information for the sole purpose of determining a user’s age without first obtaining verifiable parental consent.
NYDFS Revises Prescriptive FAQs on Multifactor Authentication
Two months after the New York Department of Financial Services (NYDFS) updated its frequently asked questions (FAQs), the NYDFS released updated FAQs on multifactor authentication (MFA) that further clarify 23 NYCRR § 500.12. The FAQs from December 2025 provided prescriptive guidance, including clarifications on technical requirements for the “possession” factor and risks associated with push-based authentication methods, and MFA for external-facing websites. The newly revised FAQs suggest the NYDFS is continuing to refine and clarify its expectations for MFA.
Threat Actors Exploit Google’s Gemini to Accelerate Cyberattacks
Google Threat Intelligence Group (GTIG) has reported that cybercriminals—in particular, state-sponsored threat actors from North Korea, Iran, China, and Russia—are misusing Gemini, Google’s large language model, to support all stages of their attack life cycle. Specifically, GTIG observed threat actors using Gemini to code and script tasks, accelerate reconnaissance, research publicly known vulnerabilities, and enable malware development and post-compromise activity.
CISA Revives CIRCIA Rulemaking
Almost two years after seeking stakeholder input about a final rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Cybersecurity and Infrastructure Security Agency (CISA) announced that it will hold virtual town hall meetings for certain industry sectors in March and April 2026 to solicit additional input on the notice of proposed rulemaking. As noted in our prior advisory, CISA extended the deadline to issue final rules to May 2026.
FTC Sends Letters Reminding Data Brokers of Their Obligations Under PADFAA
On February 9, 2026, the FTC sent letters to 13 data brokers reminding them of their obligations to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA). We previously wrote an article and Peter Swire published a white paper at the Cross-Border Data Forum describing PADFAA in detail. PADFAA went into effect on June 24, 2024.
On February 10, 2026, the Southern District of New York held that a criminal defendant could not claim attorney-client privilege over documents he produced using a commercially available artificial intelligence tool—even though he had input privileged information from his lawyers into the tool. This case is likely of interest to companies working to manage internal uses of AI tools and to operations of corporate legal departments.
New Jersey Expands HIPAA-Based Exemptions Under Its Comprehensive Privacy Law
On January 20, 2026, the New Jersey governor signed Assembly Bill A5017, amending the New Jersey Data Protection Act (NJDPA). The amendment exempts data that is not protected health information (non-PHI) from the NJDPA when it is handled by covered entities or business associates in accordance with the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Examples of non-PHI may include website technical and analytics data or mobile application data that is not integrated into clinical care workflows.
FBI Launches Operation Winter SHIELD in Effort to Advance Cyber Resilience Across Critical Sectors
On January 28, 2026, the FBI announced the launch of Operation Winter SHIELD, a coordinated initiative designed to promote adoption of core defensive measures that are shown to mitigate common intrusion vectors. Operation Winter SHIELD identifies 10 priority actions the FBI views as important in improving organizational cyber resilience.
FTC Reverses Rytr Consent Order Amid Push for Federal AI Standards
On December 22, 2025, the FTC set aside its 2024 consent order against Rytr, a generative-AI-powered company, concluding that the original complaint “failed to satisfy the legal requirements of the FTC Act” and that the order unduly burdened AI innovation in violation of the Trump Administration’s January 2025 AI Executive Order and America’s AI Action Plan, which prioritize fostering AI adoption.
Selected Global Privacy & Cyber Updates
The World Data Organization: A New Player in Global Data Governance—What Businesses Need to Know
On March 30, 2026, the World Data Organization (WDO) was officially launched. The WDO describes itself as a nongovernmental, nonprofit organization headquartered in Beijing, with a stated mission of “bridging the data divide, unlocking data’s value, and powering the digital economy.”
Secure Connectivity for Operational Technology—UK NCSC Publishes New Guidance
The UK National Cyber Security Centre (NCSC) published guidance to help organizations design, secure, and manage operational technology environments. It sets out eight core principles to improve resilience, reduce exposure, and support secure architectural decision-making. The NCSC positions these as goals rather than minimum requirements, and operators of essential services (including those within scope of the UK NIS Regulations) will find them particularly relevant.
Britain’s Financial Regulators Raise the Bar on Cyber Reporting and Resilience
Cyber risk has shifted from a technical issue to a systemic one, and Britain’s financial regulators are making that reality unmistakably clear. On March 18, 2026, the Financial Conduct Authority, Prudential Regulation Authority, and Bank of England announced a new, unified cyber and operational resilience framework that strengthens the requirements on how firms must prepare for, respond to, and report service disruptions.
On March 10, 2026, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the European Commission’s proposed EU Biotech Act—a forthcoming legislative framework expected to materially affect how clinical trials are designed, conducted, and governed in the EU. The proposal, introduced in December 2025, would amend key EU life sciences legislation, including the EU Clinical Trials Regulation, and introduce new requirements for the use of advanced technologies such as artificial intelligence across the medicinal product life cycle.
EU Moves Toward a Single Entry Point for Security Incident Reporting
On March 17, 2026, the European Parliament published a briefing signaling continued momentum toward the creation of an EU-wide single entry point for security incident reporting. The initiative is part of the European Commission’s proposed Digital Omnibus legislative package and is intended to simplify how organizations report incidents—including personal data breaches—under multiple EU legal frameworks.
Spanish DPA Releases Agentic AI Guidance
In early January 2026, the Spanish Data Protection Authority issued new guidance on the privacy and data protection risks associated with uploading images or photos—whether directly or indirectly identifying individuals—into generative AI tools. The guidance is particularly focused on situations where those images are hosted by third-party online services or digital platforms.
Events
- June 29, 2026 – Sara Pullen will speak on the panel “What’s New in Health Privacy” at the American Health Law Association’s Annual Meeting.
- June 8–9, 2026 – Kim Peretti will co-chair, provide opening remarks, and speak on the panel “Global Data Breach: The Cybersecurity Risks Aren’t Hypothetical” and Gavin Reinke will speak on the panel “Courting Trouble: Insights on the Latest Privacy and Data Security Litigation” during the Twenty-Seventh Annual Institute on Privacy and Cybersecurity Law.
- June 4, 2026 – Kim Peretti will speak on the panel “Cybersecurity and National Security: Current Threats and Challenges” and Kelly Hagedorn will speak on the panel “The EU/UK Cyber Regulatory Landscape—Patchwork or Minefield?” during the Incident Response Forum London 2026.
- May 20, 2026 – Paul Greaves will present “Privacy Risks with GenAI and Content Creation: Where Does the Data Go?” during the ERA Conference: Artificial Intelligence, Data Governance, and Protection in the EU.
- May 19–20, 2026 – Rachel Lowe will speak on the panel “Litigation Focus: California Invasion of Privacy Act (CIPA)” during the NetDiligence Cyber Risk Summit.
- May 14–15, 2026 – Cynthia Cole spoke on the panel “Specialty Areas in Private Acquisitions or Sales: International Aspects and Intellectual Property” at Acquiring or Selling the Privately Held Company 2026.
- May 14, 2026 – Lance Taubin spoke on the panel “Incident Response Tabletop” during the 2026 Cybersecurity & Operational Resilience Conference hosted by the Institute of International Bankers.
- May 4–7, 2026 – Paul Greaves spoke on the panel “The EU Data Act—Customers’ Rights to Access and Use Data from Connected Products” during IFAT Munich 2026.
- May 3–6, 2026 – Jennifer Everett and Jennifer Pike spoke on the panel “The Legal Lab: Turning Privacy into a Marketing Advantage” during the 31st Healthcare Marketing & Physician Strategies Summit.
- April 22, 2026 – Lance Taubin spoke on the panel “Your Company’s AI Systems: The New Target for Cyber Attackers” during the Incident Response Forum D.C. 2026.
- March 30, 2026 – Jennifer Everett moderated and Cynthia Cole spoke on the panel “What the Next Generation of Oversight and Enforcement Should Look Like,” focusing on AI legislation, enforcement, and policy, during Alston & Bird’s luncheon during the IAPP Global Privacy Summit 2026.
- March 18, 2026 – Julie Mediamolle and Courtney Quirós presented “Avoid the PAIn: AI Disclosures and Emerging Securities Liability” and Cynthia Cole and Dorian Simmons presented “Data Democracy to Digital Anarchy: Where Are We Headed Now” during the 12th program in the Alston & Bird AI Legal Insights: Shaping Tomorrow Webinar Series that took place during Alston & Bird’s 2026 Annual Alumni, Friends & Client CLE.
- March 12, 2026 – Jennifer Pike and Sara Pullen discussed key takeaways, including how health care organizations are moving beyond AI experimentation to focus on maturity, ROI, and governance, in this Healthy Byte from the 2026 HIMSS Global Health Conference.
- March 11–13, 2026 – Kim Peretti spoke at the CISO Summit 2026 hosted by Ballistic Ventures.
- March 3–4, 2026 – Dorian Simmons spoke on the panel “AI Product Counseling: Dos and Don’ts” and Lance Taubin spoke on the panel “Incident Response: When & How to Bring in Law Enforcement” during the 2026 Privacy & Technology Law Forum.
In the News
- April 22, 2026 – Kim Peretti is quoted on the potential impacts of Anthropic’s new Mythos Model for companies and their boards in Cybersecurity Law Report.
- April 20, 2026 – Lance Taubin is featured discussing his path to partnership at Alston & Bird on Law.com.
- April 8, 2026 – Cynthia Cole is quoted on compliance representations and warranties, sharing insights on negotiation strategy in Anti-Corruption Report.
- March 25, 2026 – Cynthia Cole is quoted on the continued importance of businesses complying with representations and warranties and broader compliance requirements in Anti-Corruption Report.
- March 9, 2026 – Dorian Simmons is featured discussing key compliance considerations under the California Consumer Privacy Act following recent enforcement orders from the California Privacy Protection Agency in Privacy Daily Report.
- March 4, 2026 – Andrew Liebler and Lance Taubin are featured discussing two recent cases signaling that the Department of Justice is intensifying enforcement of cybersecurity fraud involving Department of Defense contractors in Federal News Network.
- February 24, 2026 – Peter Swire is quoted on the organizational challenges of personal data as a dual-threat asset in IAPP.
- February 24, 2026 – Kim Peretti and Lance Taubin are noted as top authors in JD Supra’s 2026 “Readers Choice Awards.”
Press Releases
Alston & Bird Partners Named to Cybersecurity Docket’s 2026 ‘Incident Response Elite’
Alston & Bird partners across four different offices—Kim Peretti (Washington, D.C.), partner and co-chair of Alston & Bird’s Privacy, Cyber & Data Strategy Team and National Security & Digital Crimes Team; Wim Nauwelaerts, partner-in-charge of the Brussels office and leader of the European Privacy & Cybersecurity Team; and Kelly Hagedorn (London) and Lance Taubin (New York), partners on the Privacy, Cyber & Data Strategy Team—have been named to Cybersecurity Docket’s 2026 “Incident Response Elite.”
The Legal 500 Honors Alston & Bird’s Brussels Office in 2026
Alston & Bird has been recognized for excellence in EU Regulatory: Privacy and Data Protection for Belgium by The Legal 500 Europe, Middle East & Africa 2026. The ranking includes two “Client Satisfaction Accolades”: Lawyer & team quality and Sector knowledge.
Chambers Europe 2026 Recognizes Leading Lawyers at Alston & Bird
Alston & Bird has been acknowledged in the 2026 edition of Chambers Europe, with multiple attorneys recognized for their excellent client service, including Wim Nauwelaerts, partner in the Privacy, Cyber & Data Strategy Group.
Alston & Bird Improves Rankings in Chambers Global 2026
Alston & Bird has been acknowledged in the 2026 edition of Chambers Global, including recognition for the practice areas of Privacy & Data Security: The Elite and Privacy & Data Security: Healthcare. Kim Peretti is recognized for Privacy & Data Security: Cybersecurity and Privacy & Data Security: Healthcare. Kristy Brown is recognized for Privacy & Data Security: Litigation.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Hanna Hewitt, Alice Portnoy, Seol Namgoong, and Anna von Spakovsky.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
Stay ahead of evolving ransomware threats with Alston & Bird’s Ransomware Fusion Center. Our Privacy, Cyber & Data Strategy Team offers comprehensive resources and expert guidance to help your organization prepare for and respond to ransomware incidents. Visit Alston & Bird’s Ransomware Fusion Center to learn more and access our tools.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.