Dechert Cyber Bits
Issue 97 - June 11, 2026
NYDFS Urges Regulated Entities to Prepare for Frontier AI Cyber Threats
On May 21, 2026, the New York State Department of Financial Services (“NYDFS”) issued an Industry Letter warning the public, and NYDFS-regulated entities specifically, of the heightened cybersecurity risks associated with “Frontier AI Models.” The letter is a response to the increasing concern that AI will not only help chief information security officers identify and remediate vulnerabilities but will also help threat actors find and exploit those same security flaws. NYDFS urged regulated entities to improve their security posture before those capabilities become broadly available.
This new guidance builds on NYDFS’s October 2024 Guidance on cybersecurity risks arising from AI, which focused on AI-enabled deepfakes, phishing schemes, and enhanced cyberattacks. It also follows New York’s December 2025 enactment of the RAISE Act, which requires certain frontier AI developers to publish safety protocols, report critical-harm incidents, and submit to oversight by a new office within NYDFS.
The letter urges regulated entities to reassess risk assessments, vulnerability management timelines, legacy systems, third-party dependencies, and secure programming practices. New York State Acting Chief Cyber Officer Michaela Lee framed the letter as a proactive blueprint aimed to “strengthen financial resilience” and push the state as a leader in “innovation and security.”
Takeaway: Regulated financial institutions cannot sit on the sidelines as AI reshapes cybersecurity. Although this latest guidance imposes no new legal obligations, companies should expect regulators to ask a simple question: what did you do when AI-enabled cyber risk became foreseeable? Companies will want to revisit risk assessments, accelerate vulnerability management where warranted, map critical third-party dependencies, and test incident response and recovery plans against AI-enabled threat scenarios.
FTC Puts “Nudify” Platforms on Notice Under the TAKE IT DOWN Act
On May 20, 2026, just one day after the TAKE IT DOWN Act (“TIDA”) went into effect, the Federal Trade Commission (“FTC”) sent warning letters to 12 companies offering so-called “nudify” tools—AI-enabled tools that allow users to transform clothed images into nonconsensual sexualized images. The FTC warned that platforms must provide a process for victims to request removal of nonconsensual intimate images. The warning letters followed an earlier round of letters from FTC Chairman Andrew N. Ferguson to major web hosting and social media platforms, reminding them that TIDA’s notice-and-removal requirements took effect on May 19, 2026.
Signed into law in May 2025, TIDA criminalizes the nonconsensual publication of intimate images, including AI-generated deepfakes, and gives the FTC authority to enforce the statute’s platform notice-and-removal requirements. Covered platforms must provide a clear process for victims to request removal, remove covered images and known identical copies within 48 hours of receiving a valid request, and make reasonable efforts to identify and remove duplicate content on their platforms.
FTC Commissioner Mark Meador identified enforcement as a “top priority” for the agency. Violation of TIDA could result in civil penalties of up to $53,088 per violation. The Department of Justice has already initiated two actions under the law.
Takeaway: The FTC is not easing into TIDA enforcement. It is moving first against the obvious targets—major platforms and AI “nudify” services—but the law sweeps more broadly. Businesses that host, curate, or distribute user-generated intimate content should review whether they qualify as covered platforms, confirm that their takedown process is clear and accessible, build a 48-hour response workflow, and test whether they can identify and remove known identical copies once a valid request arrives. While the penalties may seem modest, “per violation” penalties rack up very quickly to substantial sums when talking about high usage platforms.
FTC Settles with Cox Media Group and Its Partners for Marketing an “Active Listening” AI Service That Never Actually Listened
On May 28, 2026, the Federal Trade Commission (“FTC”) announced proposed settlements with Georgia-based CMG Media Corporation, doing business as Cox Media Group (“CMG”), and two marketing partners, New Hampshire-based MindSift LLC (“MindSift”) and Wisconsin-based 1010 Digital Works LLC (“1010 Digital Works”), resolving allegations that the companies violated Section 5 of the FTC Act by allegedly deceiving customers about an “Active Listening” branded marketing service.
In complaints against each of CMG, MindSift, and 1010 Digital Works, the FTC alleged that the companies falsely marketed an AI-powered service purportedly capable of listening to consumers’ conversations through smart devices to target localized advertising. In reality, the FTC alleged, the service did not use voice data or listen to consumers’ conversations, nor did it accurately place ads in customers’ desired locations, but rather consisted of reselling email lists obtained from other data brokers. Critically, the allegations included that the companies misrepresented that consumers had “opted in” to the service (when they had simply accepted the mandatory terms of service for the app). Finally, the FTC alleged that MindSift and 1010 Digital Works bore direct responsibility for CMG’s deceptive practices, having supplied marketing materials and responses to customer inquiries that misrepresented the Active Listening service’s capabilities. None of the companies admitted any wrongdoing in connection with the settlements.
Under the proposed orders, CMG agreed to pay $880,000, while MindSift and 1010 Digital Works each settled for $25,000, with such funds to be used to redress impacted CMG customers. Each company is also prohibited on a go forward basis from misrepresenting the qualities or features of its advertising or marketing services, the data-collection and use of voice data and whether consumers have provided consent, and the geographic targeting capabilities of its advertising or marketing services.
Takeaway: The settlements are notable for several reasons. First, the three-party settlement structure demonstrates that the FTC is prepared to pursue enforcement across marketing vendors that it perceives as enabling deceptive practices, not limiting its action to those with direct consumer relationships. Second, the FTC’s willingness to bring Section 5 charges over an operationally nonexistent AI capability, rather than one that worked but caused harm, sets a precedent for any company whose AI marketing claims run ahead of actual technical capabilities. Finally, the settlements also reinforce that the FTC’s consent standard requires more than acceptance of mandatory terms of service. Companies offering AI-powered or data-driven advertising services will want to carefully review the accuracy of their marketing claims, the robustness of their consumer consent mechanisms, and their potential liability exposure arising from partner and vendor relationships. For more insight into the FTC’s approach to AI regulation, see Cyber Bits Issue 95.
European Commission Fines Temu €200 Million Under EU Digital Services Act
On June 4, 2026, the European Commission issued a €200 million fine against Temu, the Chinese-owned e-commerce platform, for failing to comply with its risk-assessment obligations under the Digital Services Act (DSA).
Under the DSA, organizations designated as providing “very large online platforms” are required to “diligently identify, analyze and assess any systemic risks in the Union stemming from the design or functioning of their service and its related systems”. According to the Commission, Temu’s assessment of the risks of illegal products on the platform was deficient. The Commission alleged that Temu’s 2024 risk assessment was inadequate because: (a) it relied on generic, sector-wide information rather than platform-specific data; (b) it significantly underestimated the likelihood of EU consumers encountering illegal products on the platform; and (c) it did not properly address how systems within the platform could increase dissemination of illegal products.
Among the evidence relied on by the Commission was a mystery shopping exercise it had commissioned that revealed that a very high percentage of chargers sampled from Temu's platform failed basic electrical safety tests, while a high percentage of tested baby toys posed safety risks of medium to high severity, either due to the presence of chemicals exceeding legal safety limits or suffocation hazards from detachable parts. The Commission has required Temu to submit an action plan before the end of August 2026 setting out proposed measures to remedy the alleged risk-assessment failures.
Temu has stated publicly that it disagrees with the Commission’s decision and considers the amount of the fine to be disproportionate, as well as explaining that the decision (relating-back to 2024) did not reflect its current systems.
Takeaway: Temu has until 28th August to respond to the ruling. They may follow X and appeal to the General Court. The Commission has been active in investigating the relatively short list of platforms designated as “very large online platforms” under the DSA and issuing preliminary findings against a number of them. The fine issued against Temu is, however, one of the first fines under the DSA and indicates the Commission’s expectation that risk assessments under the DSA be targeted and based on platform-specific evidence of how the platform is operating in practice. Organizations designated as “very large online platforms” will want to consider reviewing their risk assessments against real-world data.
Dechert Tidbits
Bank of England, UK Financial Conduct Authority and UK Treasury Publish Joint Statement on Frontier AI Models and Cyber Resilience
In a joint statement the Bank of England, FCA and HM Treasury warned that malicious use of AI is reshaping the cyber threat landscape and posing material risks to operational resilience, customers, and market stability in the financial sector. The statement sets out high-level recommendations for governance, risk management and incident response for regulated financial firms.
In 2025, Dechert’s Cyber, Privacy & AI team achieved top individual and group rankings in The Legal 500 and Chambers USA. Global Chair and Partner Brenda Sharton, a Law360 MVP, and Partner Ben Sadun, a Law360 Rising Star, were recognized for their leadership and contributions to the team’s achievements. The team was also recognized in Law.com’s “Litigators of the Week” column for its recent victory for Flo Health, a matter that showcased the team’s strategic excellence. Thank you to our clients for entrusting us with the types of matters that led to these recognitions.
Recent News and Publications
- AI Cyberattacks Call for Company Preparation to Limit Fallout (March 31, 2026)
- Dechert Adds Former Microsoft Cybersecurity Counsel J.J. Jones as Partner (March 11, 2026)
- Wake Up Call: Simpson Thacher misses appeal deadline (March 11, 2026)
- Microsoft Cybersecurity Legal Official Jones Exits for Dechert (March 10, 2026)
- Dechert Appoints J.J. Jones as Partner (March 10, 2026)
- Dechert Continues Lateral Hiring Momentum with Addition of Cybersecurity, Privacy and AI Expert J.J. Jones PR Newswire (March 10, 2026)
- Dechert Lands Ex-Microsoft, Google Atty In San Francisco – Law360 (March 10, 2026)
- Cybersecurity & Privacy Group Of The Year: Dechert – Law360 (February 2026)
- Law360's Practice Group of the Year for Cybersecurity & Privacy – Law360 (January 2026)
- MVP: Dechert’s Brenda Sharton – Law360 (November 2025)
- Litigator of the Week Runners-Up and Shout-Outs – Law.com (August 8, 2025)
- 2025 Rising Star: Dechert's Benjamin Sadun – Law360 (July 21, 2025)
-
- Brenda Sharton Q&A (Profiles in Diversity Journal Q4 2024 "All Colors, All Leaders" issue)
- Disclosing Personal Data to Non-EU Authorities - GDPR Guidance Published (Dechert OnPoint published December 18, 2024)
- MVP: Dechert's Brenda Sharton - (Law360 October 10, 2024)
- Brantley et al. v. Prisma Labs, Inc. (Global Legal Chronicle published August 31, 2024)
- Law360's Legal Lions of The Week (Law360 published August 9, 2024)
- Lensa AI App Creator Shakes Ill. Biometric Privacy Suit (Law360 published August 6, 2024)
- Prisma Labs Skirts BIPA Suit Over Training of Its AI Photo App (Bloomberg Law published August 6, 2024)
- A New UK Labour Government: A Fresh Approach to AI Regulation (Dechert OnPoint published July 9, 2024)
- The EU AI Act: An Overview (Dechert OnPoint published May 13, 2024)
- Tribunal Overturns UK ICO’s Enforcement Action Against Clearview AI (Dechert OnPoint published November 8, 2023)
- 5 Takeaways from ICO's Biometric Recognition Guidance (Published in Law360, October 18, 2023)
- Bridge Over Troubled Data Flows: UK-US Data Bridge Approved (Dechert OnPoint published September 22, 2023)
- US-EU Plan On AI Illustrates Differing Opinions On Regulation (Published in Law360, August 2, 2023)
- SEC Final Rule Exempts ABS Issuers from New Cybersecurity Disclosure and Reporting Requirements (Dechert OnPoint published August 16, 2023)
- SEC Finalizes Cybersecurity Disclosure Rules for Public Companies (Dechert OnPoint published August 7, 2023)
- Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework (Dechert OnPoint published July 11, 2023)
- EU General Court Examines Data Anonymisation and Pseudonymisation (Dechert OnPoint published May 25, 2023)
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Exploiting Public Health Data for R&D: UK Progresses Secure Data Environments (Dechert OnPoint published July 20, 2023)
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 publication of German’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as best lawyers in Germany for Data Security and Privacy Law
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Content Editors
Dylan Balbirnie, Eric Green, Aurelien Martinot, Morgan Shields, Benjamin Sadun
Production Editors
Dr. Olaf Fasshauer, Austin Mooney, James Smith and Benjamin Sadun
Partner Committee Editor
Dechert Cyber Bits Partner Committee
Brenda R. Sharton
Partner, Global Chair, Cyber, Privacy and AI
Boston
brenda.sharton@dechert.com
Hilary Bonaccorsi
Partner
Charlotte
hilary.bonaccorsi@dechert.com
Timothy C. Blank
Senior Counsel
Boston
timothy.blank@dechert.com
Kevin F. Cahill
Partner
Los Angeles
kevin.cahill@dechert.com
Dr. Olaf Fasshauer
National Partner
Munich
olaf.fasshauer@dechert.com
J.J. Jones
Partner
San Francisco
jakarra.jones@dechert.com
Paul Kavanagh
Partner
London
paul.kavanagh@dechert.com
Austin Mooney
Partner
Washington, DC
austin.mooney@dechert.com
Laura Rossi
Partner
Luxembourg
laura.rossi@dechert.com
Benjamin Sadun
Partner
Los Angeles
benjamin.sadun@dechert.com
Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types including nation states, ransom/cyber extortion, vendor/supply chain, DDoS, brought by threat actors of all types, from nation-state threat actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution oriented advice to clients and counseling on cutting edge data-driven products and services including for trend forecasting, personalized content and targeted advertising across sectors on such key laws as the CCPA, CPRA and state consumer privacy laws, Section 5 of the FTC Act; the EU/UK GDPR, e-Privacy Directive, and cross-border data transfers. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.
-
- Issue 96 - May 21, 2026
- Issue 95 - May 7, 2026
- Issue 94 - April 23, 2026
- IAPP Edition - April 9, 2026
- Issue 93 - March 26, 2026
- Issue 92 - March 12, 2026
- Issue 91 - February 26, 2026
- Issue 90 - February 12, 2026
- Issue 89 - January 29, 2026
- Issue 88 - January 15, 2026
- 2026 Crystal Ball Edition - December 30, 2025
-
- Issue 87 - December 11, 2025
- Issue 86 - November 20, 2025
- Issue 85 - November 5, 2025
- Issue 84 - October 23, 2025
- Issue 83 - October 9, 2025
- Issue 82 - September 25, 2025
- Issue 81 - August 21, 2025
- Issue 80 - August 7, 2025
- Issue 79 - July 24, 2025
- Issue 78 - June 26, 2025
- Issue 77 - June 12, 2025
- Issue 76 - May 15, 2025
- Issue 75 - May 1, 2025
- Issue 74 - April 10, 2025
- Issue 73 - March 27, 2025
- Issue 72 - March 13, 2025
- Issue 71 - February 27, 2025
- Issue 70 - February 13, 2025
- Issue 69 - January 30, 2025
- Issue 68 - January 16, 2025
- 2025 Crystal Ball Edition - January 2025
-
- Issue 67 - December 12, 2024
- Issue 66 - November 21, 2024
- Issue 65 - November 7, 2024
- Issue 64 - October 24, 2024
- Issue 63 - October 10, 2024
- Issue 62 - September 26, 2024
- Issue 61 - September 12, 2024
- Issue 60 - August 15, 2024
- Issue 59 - August 1, 2024
- Issue 58 - July 18, 2024
- Issue 57 - June 27, 2024
- Issue 56 - June 13, 2024
- Issue 55 - May 23, 2024
- Issue 54 - May 2, 2024
- Issue 53 - April 18, 2024
- Issue 52 - March 28, 2024
- Issue 51 - March 14, 2024
- Issue 50 - February 29, 2024
- Issue 49 - February 19, 2024
- Issue 48 - February 1, 2024
- Issue 47 - January 18, 2024
- 2024 Crystal Ball Edition - January 5, 2024
-
- Issue 46 - December 14, 2023
- Issue 45 - November 16, 2023
- Issue 44 - November 2, 2023
- Issue 43 - October 19, 2023
- Issue 42 - October 5, 2023
- Issue 41 - September 21, 2023
- Issue 40 - August 31, 2023
- Issue 39 - August 17, 2023
- Issue 38 - August 3, 2023
- Issue 37 - July 20, 2023
- Issue 36 - June 29, 2023
- Issue 35 - June 15, 2023
- Issue 34 - May 25, 2023
- Issue 33 - May 11, 2023
- Issue 32 - April 27, 2023
- Issue 31 - March 30, 2023
- Issue 30 - March 16, 2023
- Issue 29 - March 2, 2023
- Issue 28 - February 16, 2023
- Issue 27 - February 2, 2023
- Issue 26 - January 19, 2023
-
- Issue 25 - December 15, 2022
- Issue 24 - November 10, 2022
- Issue 23 - October 27, 2022
- Issue 22 - October 12, 2022
- Issue 21 - September 29, 2022
- Issue 20 - September 15, 2022
- Issue 19 - August 18, 2022
- Issue 18 - August 3, 2022
- Issue 17 - July 21, 2022
- Issue 16 - June 23, 2022
- Issue 15 - June 10, 2022
- Issue 14 - May 26, 2022
- Issue 13 - May 12, 2022
- Issue 12 - April 28, 2022
- Issue 11 - April 7, 2022
- Issue 10 - March 24, 2022
- Issue 9 - March 10, 2022
- Issue 8 - February 24, 2022
- Issue 7 - February 10, 2022
- Issue 6 - January 27, 2022
- Issue 5 - January 13, 2022
-
- Issue 4 - December 9, 2021
- Issue 3 - November 18, 2021
- Issue 2 - November 4, 2021
- Issue 1 - October 21, 2021