Between May and August, five headline events (four regulatory or vendor moves and one credential dump) quietly re-wrote the rules for marketers, banks and mobile carriers. Below is a short brief on each event with a one-week action item you can start on Monday.
- NYDFS Cyber-Security Update — July 2025
Headline: Multi-factor authentication is now mandatory for all privileged accounts, not just external-facing ones.
Fallout: Two regional banks received conditional licences after auditors found shared service accounts without hardware tokens.
Do This Week: Export the list of privileged accounts from Active Directory; suspend any account that has no FIDO2 key registered until one is issued. Shared service accounts cannot carry a personal key, so give each a named owner or convert it to a managed service account.
- American Privacy Rights Act (APRA) — Introduced June 2025
Headline: A federal pre-emption clause that would replace the state-by-state patchwork, if the bill passes.
Fallout: Companies that built separate Utah and California workflows are rewriting them into one "highest-bar" track to avoid a second refactor.
Do This Week: Map your current controls to APRA's draft schedule; the comparison sheet is already on GitHub (CC-BY).
- FCC Geolocation Fines — May 2025
Headline: $200 million across three carriers for selling real-time location data without explicit opt-in.
Fallout: Carriers now push a mandatory "refresh consent" text every 90 days; churn rose 1.3 % in Q3.
Do This Week: Audit every third-party contract that passes latitude/longitude fields; if the consent language is missing, issue a 30-day cure notice.
- Google Cookie Pause — August 2025
Headline: Third-party cookie deprecation delayed again, this time until Q3 2026.
Fallout: Ad-tech stocks dipped; privacy teams kept their "post-cookie" budget anyway.
Do This Week: Re-route that budget into first-party data collection (server-side logging) and contextual-placement trials; competitors are already booking premium inventory.
- RockYou2025 Password Dump — June 2025
Headline: 10 billion plaintext credentials circulated on a torrent labelled "for research".
Fallout: NCSC recorded a 300 % spike in credential-stuffing attacks against retail log-ins during July.
Do This Week: Run your customer e-mail list through the Have I Been Pwned API; force a password reset for any hit that also holds payment data. A hit only proves the address appeared in some breach, not that the password used on your site was exposed, so pair it with a Pwned Passwords check at the next login before treating the account as compromised.
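One way to carry out the NYDFS "Do This Week" step above, as an added example that is not code from the original brief. It assumes the privileged accounts live in (or sync to) Entra ID, where FIDO2 registrations are visible through Microsoft Graph, and it uses the real Graph v1.0 endpoints for directory roles, role members, FIDO2 methods, user updates and session revocation. The `PRIVILEGED_ROLES` set, the `graph_call` transport and the canned tenant at the bottom are assumptions made for this example; the HTTP layer is injected so the logic runs offline.

```python
"""Inventory privileged-role members and flag/suspend those with no FIDO2 key.

Added example (not from the original brief). Assumption: privileged accounts
live in Entra ID, so FIDO2 registrations are visible via Microsoft Graph.
HTTP is injected through `call`; `graph_call` is the real transport and
`canned_call` is a constructed stand-in so the module runs offline.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# call(method, url, json_body) -> (http_status, parsed_json_or_None)
Call = Callable[[str, str, Optional[dict]], Tuple[int, Optional[dict]]]

# Roles treated as privileged for this check (assumed scope; extend as needed).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator", "Exchange Administrator"}


def graph_call(token: str) -> Call:
    """Real transport: bearer-token requests against Graph (not used offline)."""
    def call(method: str, url: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None
    return call


def _list(call: Call, url: str) -> List[dict]:
    """GET a collection, following @odata.nextLink (member lists are paged)."""
    items: List[dict] = []
    while url:
        status, page = call("GET", url, None)
        if status != 200 or page is None:
            raise RuntimeError(f"GET {url} -> HTTP {status}")
        items.extend(page["value"])
        url = page.get("@odata.nextLink", "")
    return items


def privileged_users(call: Call) -> Dict[str, str]:
    """{object id: UPN} for user members of PRIVILEGED_ROLES.
    /directoryRoles only lists roles that have been activated in the tenant."""
    users: Dict[str, str] = {}
    for role in _list(call, f"{GRAPH}/directoryRoles"):
        if role["displayName"] not in PRIVILEGED_ROLES:
            continue
        for member in _list(call, f"{GRAPH}/directoryRoles/{role['id']}/members"):
            # Members may be groups or service principals; only users hold FIDO2 keys.
            if member.get("@odata.type") == "#microsoft.graph.user":
                users[member["id"]] = member["userPrincipalName"]
    return users


def has_fido2(call: Call, user_id: str) -> bool:
    return bool(_list(call, f"{GRAPH}/users/{user_id}/authentication/fido2Methods"))


def suspend(call: Call, user_id: str) -> None:
    """Block sign-in, then revoke refresh tokens so live sessions end too."""
    status, _ = call("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False})
    if status not in (200, 204):
        raise RuntimeError(f"disable {user_id} -> HTTP {status}")
    call("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None)


def enforce(call: Call, dry_run: bool = True) -> List[str]:
    """UPNs of privileged users with no FIDO2 key; suspends them unless dry_run."""
    missing = []
    for uid, upn in privileged_users(call).items():
        if not has_fido2(call, uid):
            missing.append(upn)
            if not dry_run:
                suspend(call, uid)
    return sorted(missing)


# ---- Constructed offline tenant (sample data, not a real directory) ----
_CANNED = {
    f"{GRAPH}/directoryRoles": {"value": [
        {"id": "r1", "displayName": "Global Administrator"},
        {"id": "r2", "displayName": "Directory Readers"}]},
    f"{GRAPH}/directoryRoles/r1/members": {"value": [
        {"@odata.type": "#microsoft.graph.user", "id": "u1",
         "userPrincipalName": "alice.admin@example.com"},
        {"@odata.type": "#microsoft.graph.user", "id": "u2",
         "userPrincipalName": "svc-backup@example.com"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp1"}]},
    f"{GRAPH}/users/u1/authentication/fido2Methods": {"value": [{"id": "k1"}]},
    f"{GRAPH}/users/u2/authentication/fido2Methods": {"value": []},
}
SUSPEND_LOG: List[Tuple[str, str]] = []   # (method, url) of write calls made


def canned_call(method: str, url: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
    if method != "GET":
        SUSPEND_LOG.append((method, url))
        return 204, None
    return 200, _CANNED[url]


if __name__ == "__main__":
    print(enforce(canned_call, dry_run=True))   # ['svc-backup@example.com']
```

Run it with `dry_run=True` first and review the list: a shared service account such as the one flagged here cannot be fixed by ordering a key, which is why the brief's step pairs suspension with assigning a named owner. The token for `graph_call` needs at least `RoleManagement.Read.Directory`, `UserAuthenticationMethod.Read.All` and, for the write path, `User.ReadWrite.All`.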
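The RockYou2025 "Do This Week" step above, as an added example that is not code from the original brief. It goes one step further than the text: besides the v3 `breachedaccount` lookup (which needs an API key and a User-Agent header, and answers 404 for an address in no breach), it also checks a password against the Pwned Passwords range endpoint, where only the first five hex characters of the SHA-1 leave your network. The customer records, the `USER_AGENT` string, the breach counts and the canned responses are constructed for the example; the HTTP layer is injected via `get` so it runs offline.

```python
"""Triage customer accounts against Have I Been Pwned (HIBP).

Added example (not from the original brief). Assumed inputs: customer records
with an e-mail and a has_payment_data flag, plus an HIBP API key. Endpoints:
v3 breachedaccount (key + User-Agent required) and the Pwned Passwords range
API (k-anonymity). HTTP is injected via `get`; `canned_get` is a constructed
stand-in for both services so the module runs offline.
"""
import hashlib
import json
import time
import urllib.parse
from typing import Callable, Dict, List, Tuple

HIBP = "https://haveibeenpwned.com/api/v3"
PWNED_PW = "https://api.pwnedpasswords.com/range"
USER_AGENT = "example-breach-triage/1.0 (security@example.com)"   # assumed value
# get(url, headers) -> (status, body_text, response_headers)
Get = Callable[[str, Dict[str, str]], Tuple[int, str, Dict[str, str]]]


def breaches_for(get: Get, email: str, api_key: str, max_retries: int = 3) -> List[str]:
    """Breach names an address appears in; [] when HIBP answers 404 (no breach)."""
    url = f"{HIBP}/breachedaccount/{urllib.parse.quote(email)}?truncateResponse=true"
    headers = {"hibp-api-key": api_key, "user-agent": USER_AGENT}
    for attempt in range(max_retries + 1):
        status, body, resp_headers = get(url, headers)
        if status == 200:
            return [b["Name"] for b in json.loads(body)]
        if status == 404:
            return []
        if status == 429 and attempt < max_retries:   # rate limited: honour Retry-After
            time.sleep(float(resp_headers.get("retry-after", "2")))
            continue
        raise RuntimeError(f"HIBP returned {status} for breachedaccount")
    raise RuntimeError("HIBP rate limit not cleared after retries")


def password_pwned_count(get: Get, password: str) -> int:
    """Times a password appears in Pwned Passwords, via the k-anonymity range API."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    status, body, _ = get(f"{PWNED_PW}/{prefix}",
                          {"user-agent": USER_AGENT, "Add-Padding": "true"})
    if status != 200:
        raise RuntimeError(f"Pwned Passwords returned {status}")
    for line in body.splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0   # padding lines carry count 0 and never match a real suffix


def triage(get: Get, customers: List[dict], api_key: str) -> List[str]:
    """E-mails to force-reset: holds payment data AND appears in a breach."""
    to_reset = []
    for c in customers:
        # Check the flag first so accounts without payment data cost no API call.
        if c["has_payment_data"] and breaches_for(get, c["email"], api_key):
            to_reset.append(c["email"])
    return to_reset


# ---- Constructed offline stand-in for both APIs (no real breach data) ----
_BREACHED = {"alice@example.com": ["Adobe", "Collection1"], "bob@example.com": ["LinkedIn"]}
_RATE_LIMIT_ONCE = {"bob@example.com"}   # first lookup of bob answers 429
# SHA-1("password") = 5BAA6 | 1E4C9B93F3F0682250B6CF8331B7EE68FD8; counts are made up
_RANGE_BODY = "\r\n".join([
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "1E5A3F0C6D6B2F5C2F7B1C9C8E3D1A0B9C4:0",
])
CUSTOMERS = [   # constructed sample
    {"email": "alice@example.com", "has_payment_data": True},
    {"email": "bob@example.com", "has_payment_data": True},
    {"email": "carol@example.com", "has_payment_data": True},
    {"email": "eve@example.com", "has_payment_data": False},
]


def canned_get(url: str, headers: Dict[str, str]) -> Tuple[int, str, Dict[str, str]]:
    if not headers.get("user-agent"):
        return 403, "", {}                 # HIBP rejects requests without a User-Agent
    if url.startswith(PWNED_PW):
        return 200, _RANGE_BODY, {}        # same page for every prefix in this stand-in
    if not headers.get("hibp-api-key"):
        return 401, "", {}
    email = urllib.parse.unquote(url.split("/breachedaccount/")[1].split("?")[0])
    if email in _RATE_LIMIT_ONCE:
        _RATE_LIMIT_ONCE.discard(email)
        return 429, "", {"retry-after": "0"}
    if email in _BREACHED:
        return 200, json.dumps([{"Name": n} for n in _BREACHED[email]]), {}
    return 404, "", {}


if __name__ == "__main__":
    print(triage(canned_get, CUSTOMERS, "demo-key"))     # ['alice@example.com', 'bob@example.com']
    print(password_pwned_count(canned_get, "password"))  # 3730471
```

Wire `get` to your HTTP client (any function returning status, body and headers) and feed `triage` from your customer table; the reset itself is a call into your IdP and is deliberately left out. The e-mail lookup is rate-limited per API key, so keep the Retry-After handling, and use `password_pwned_count` at login or password-change time rather than against stored hashes, since it needs the cleartext candidate.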
Key Take-away
Regulation is moving from “notice and consent” to “prove it or pay”. Pick one headline, finish the one-week task, and you will enter Q4 with a shorter audit queue than your competitors.