Miranda Rutherford

Miranda Rutherford is an associate in the firm’s Palo Alto office and a member of the Data Privacy and Cybersecurity practice. Miranda advises clients on a broad array of cybersecurity and privacy issues, with a focus on security incident response, preparedness, and related investigations. She has expertise in assessing cybersecurity controls and practices for network security at the company or cloud scale, and advising on compliance with U.S. government security authorizations, cybersecurity regulations, and national security laws. Miranda also counsels clients on compliance with federal and state privacy laws, and represents clients in government investigations related to cybersecurity, privacy, and the False Claims Act.

Miranda maintains an active pro bono practice advising non-profit clients on privacy and cybersecurity compliance, as well as litigating in civil rights and family law matters.

Prior to joining the firm, Miranda was a law clerk to the Honorable James Donato, United States District Judge for the Northern District of California.

Contact:

NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers

By Micaela McMurrough, Caleb Skeath, Miranda Rutherford & Analese Bridges on October 30, 2025

Posted in Cybersecurity

On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at 23 NYCRR Part 500 (“Cybersecurity Regulation”), which requires Covered Entities to implement a comprehensive cybersecurity program that includes written policies addressing TPSP risks as well as due diligence, contractual requirements, and periodic assessments for TPSPs. While the Guidance is explicit that it “does not impose any new requirements” beyond those already included in the Cybersecurity Regulation, it provides significant additional detail to clarify how to comply with existing requirements and offers industry best practices to mitigate TPSP-related cyber risks. As the Guidance suggests that NYDFS will continue to focus on TPSP-related cyber risks, Covered Entities should consider reviewing their TPSP oversight and management against the specific recommendations from the Guidance and adjusting their practices where appropriate. Alongside a review of TPSP oversight and management, Covered Entities may also consider reviewing their implementation of the provisions of the Cybersecurity Regulation requiring multifactor authentication, asset management, and data retention, which take effect on November 1, 2025.Continue Reading NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers

New York State Department of Financial Services Issues Guidance on Cybersecurity, Sanctions, and Virtual Currency Following Escalation of Iran Conflict

By Micaela McMurrough, Ashden Fein, Caleb Skeath, Mark Young, David Fagan, Jim Garland, Moriah Daugherty, Emily Pehrsson, Claire O'Rourke, Miranda Rutherford, John Webster Leslie & Matthew Harden on June 23, 2025

Posted in Cybersecurity

On June 23, 2025, the New York State Department of Financial Services (“NY DFS”) issued guidance to NY DFS-regulated individuals and entities regarding the impact of “ongoing global conflicts” to the financial sector. The guidance follows a bulletin from the U.S. Department of Homeland Security about the “heightened threat environment” in the United States, which specifically references cyber attacks. The NY DFS guidance highlights three key areas of focus: cybersecurity, sanctions, and virtual currency, and may be helpful for organizations across industries globally:Continue Reading New York State Department of Financial Services Issues Guidance on Cybersecurity, Sanctions, and Virtual Currency Following Escalation of Iran Conflict

California Privacy Protection Agency Holds Public Hearings on Proposed Regulations

By Lindsey Tonsager, Libbie Canter, Natalie Dugan & Miranda Rutherford on August 31, 2022

Posted in California Privacy Rights Act

The California Privacy Protection Agency (“CPPA”) held two public hearings last week on its proposed regulations. Continue Reading California Privacy Protection Agency Holds Public Hearings on Proposed Regulations

California Privacy Protection Agency Staff Posts Draft Rules Implementing the CPRA

By Lindsey Tonsager, Libbie Canter & Miranda Rutherford on May 30, 2022

Posted in Uncategorized

In advance of the June 8, 2022 board meeting, the California Privacy Protection Agency (CPPA) staff has posted draft rules implementing the California Privacy Rights Act (CPRA). The draft regulations keep much of the pre-existing California Consumer Privacy Act (CCPA) regulations intact, but modify certain provisions and propose new regulations. …

New Jersey Law Requires Employers to Provide Notice Before Tracking Vehicles

By Natalie Dugan, Libbie Canter & Miranda Rutherford on February 22, 2022

Posted in Autonomous Vehicles, Privacy and Data Security, Surveillance, U.S. Federal and State Legislative Initiatives

On January 18, 2022, a New Jersey bill which prohibits employers from making use of tracking devices in vehicles operated by employees without providing written notice was passed into law. See Assembly Bill A3950. Effective April 18, 2022, the law will subject employers that knowingly make use of a “tracking device” in a vehicle used by an employee without providing written notice to the employee to civil penalties not exceeding $1,000 for the first violation and not exceeding $2,500 for the second violation. Id.
Continue Reading New Jersey Law Requires Employers to Provide Notice Before Tracking Vehicles

Inside Privacy