Cybersecurity

The landscape of data protection and privacy continues to expand, and with that expansion comes increased scrutiny and the promise of increased enforcement. 2025 will mark a convergence of the proliferation of artificial intelligence, a growing understanding of and desire to exercise consumer rights and protections and new legislation, meaning increased regulatory enforcement is inevitable. This article explores the impending new legislative landscape, what increased enforcement may look like and how companies can prepare for optimal compliance.

A strong Do Not Call Policy (DNC) is vital to comply with the Telephone Consumer Protection Act. Ensuring robust DNC compliance protects an organization's reputation and increases consumer trust. Below is a practical guide for building and implementing DNC policies that ensure compliance and reduce liability.

In Anderson v. TikTok, Inc., the Third Circuit held that the liability of an Internet Service Provider such as TikTok depended on whether TikTok was sharing content via the platform’s algorithm or engaged in something more. The question of whether TikTok’s recommendation algorithm transformed content into TikTok’s own expressive activity was not immunized by Section 230 and has disrupted the protection previously enjoyed by Internet platforms like TikTok.

The proliferation of data breaches and increased sophistication of criminal attack vectors has led more states to enact their own reasonable security provisions as part of the patchwork quilt of privacy laws. Nineteen of the U.S. states which have enacted comprehensive privacy laws along with Florida’s Digital Bill of Rights (which took effect summer 2024) have provisions requiring controllers and businesses to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.

The DOJ has proposed a rule that would regulate certain transactions involving bulk sensitive personal data. The rule would implement a complex regulatory framework, with civil and criminal enforcement, that is similar to sanctions and export licensing regimes. It also implicates federal cybersecurity requirements, government contracting and CFIUS actions.

The Second Circuit’s decision is notable in that it signals a reversal of the recent trend of dismissals of VPPA claims in courts across the country and could trigger a significant increase in VPPA lawsuits. Although organizations have grappled with VPPA claims for several years, this decision is another red flag to organizations to take immediate steps and ensure compliance with privacy laws to mitigate the risks of VPPA claims.

With cyberattacks on the rise and class actions arising from cyberattacks being filed at an increased rate, executives and board members increasingly face the risk of being individually targeted in lawsuits brought by class action plaintiffs and governmental bodies alleging individual liability for data security failures.

On November 1, significant revisions to the regulations enforced by the New York Department of Financial Services (DFS) — the state’s financial services regulator — went into effect. The DFS revisions create a long-arm provision in that the changes affect not only New York State companies, but also their affiliates, and therefore the revisions could have an impact far beyond New York State borders.