Publications & Advisories
- May 8, 2025 – Alex Brown, Kate Hanniford, Kim Peretti, Matt Atha, and Kristen Bartolotta published “Privacy, Cyber & Data Strategy Advisory | First 100 Days – Federal Privacy and Cybersecurity Regulation and Enforcement Under the Second Trump Administration.”
- April 16, 2025 – Kim Peretti, Lance Taubin, Ashley Miller, and Carson Kuck published “Privacy, Cyber & Data Strategy Advisory | Cybersecurity Controls: What Do Regulators Expect Nowadays?”
- April 9, 2025 – Jennifer Everett and Dorian Simmons published “Protecting Data and Avoiding Pitfalls with AI Assets During M&A” in Bloomberg Law.
- April 3, 2025 – Paul Greaves published the case summary “Compensation for Non-material Damages Resulting from Unlawful Transfers of Personal Data (Bindl v Commission)” in LexisNexis.
- March 26, 2025 – Jen Pike, Jennifer Everett, and Evan Collier assessed the focus of the Privacy Working Group based on the request for information issued by the House Committee on Energy and Commerce and discussed potential HIPAA exemptions, private rights of action, and increased responsibility to protect Americans’ personal information in a Healthy Byte video.
- March 5, 2025 – Jennifer Everett and Sean Sullivan discussed the trending topics at the 2025 HIMSS Global Health Conference, including integrating maturing generative artificial intelligence, workforce development, and cybersecurity, in a Healthy Byte video.
Selected U.S. Privacy & Cyber Updates
DOJ Settles False Claims Act Case with MORSECORP over Cybersecurity Program
On March 26, 2025, the U.S. Department of Justice (DOJ) announced that it had reached an agreement with MORSECORP Inc. to settle alleged violations of the False Claims Act, specifically involving MORSE’s cybersecurity program. The DOJ and MORSE—a government contractor that provides services to the Departments of the Army and Air Force—agreed to a settlement of $4.6 million, with 18.5% ($851,000) of the settlement agreement provided to the whistleblower who brought the FCA case.
Additional Cybersecurity Requirements of NYDFS Part 500 Take Effect Today
On May 1, 2025, additional enhanced cybersecurity controls required by the Second Amendment to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) take effect. Although the Second Amendment was originally adopted in November 2023, the NYDFS established a multiyear rollout of the Second Amendment’s requirements, implementing several tranches from November 2023 through November 2025.
Arkansas Enacts Children and Teens’ Online Privacy Protection Act
On April 21, 2025, Arkansas Governor Sarah Huckabee Sanders signed into law the Arkansas Children and Teens’ Online Privacy Protection Act, which will become effective on July 1, 2026. It draws inspiration from the federal Children and Teens’ Online Privacy Protection Act (COPPA 2.0) and provides stronger privacy protections for Arkansas children under 13 and those aged 13 to 16. This Act continues the trend of state-level efforts to extend online privacy protections, which have been traditionally offered to children under 13 by the federal COPPA, to older teens.
FTC Publishes Amendments to COPPA Rule
On April 22, 2025, the FTC published the finalized amendments to the Children’s Online Privacy Protection Rule that would impose additional restrictions on website and online service operators that collect personal information from children under the age of 13. The amendments will become effective on June 23, 2025. Operators subject to the COPPA Rule will have until April 22, 2026 to comply with additional requirements. The new requirements for organizations offering safe harbor programs will have earlier compliance deadlines ranging from 90 days to six months from the amendments’ publication.
State Regulators Form Privacy Law Implementation and Enforcement Group
On April 16, 2025, the California Privacy Protection Agency (CPPA) announced that eight state regulators have established a coalition called the Consortium of Privacy Regulators to collaborate on the implementation and enforcement of their privacy laws. According to announcements from the CPPA and California Attorney General Rob Bonta, the consortium aims to coordinate enforcement efforts, share priorities, and discuss developments in privacy law.
Court Enjoins Enforcement of California Age-Appropriate Design Code Act
On March 13, 2025, the Northern District of California granted a preliminary injunction preventing the California attorney general (AG) from enforcing the California Age-Appropriate Design Code Act (CAADCA). The decision followed the California AG’s agreement to delay the enforcement of CAADCA until April 5, 2025. As of now, the California AG has not announced whether his office will appeal the injunction.
FCC Announces New National Security Unit Focusing on State-Sponsored Cyber Threats
On March 13, 2025, FCC Chairman Brendan Carr announced the creation of a Council on National Security with Adam Chan serving as the director. This new council will be composed of eight bureaus and offices within the FCC and will “leverage the full range of the Commission’s regulatory, investigatory, and enforcement authorities to promote America’s national security and counter foreign adversaries.” Notably, the FCC specifically indicated that this council would focus “particularly [on] the threats posed by the People’s Republic of China and the Chinese Communist Party.”
California Attorney General Targets Location Data in New Investigative Sweep
On March 10, 2025, California AG Rob Bonta announced a new investigative sweep under the California Consumer Privacy Act. We have anticipated this sweep for some time based on the focus and the direction of a number of inquiries, investigations, and enforcement proceedings initiated by Bonta’s office over the past 12–24 months.
California Attorney General Delays Enforcement of CAADCA Amid Legal Challenge
On March 4, 2025, the California AG announced a further delay in the enforcement of CAADCA until April 5, 2025. Initially operative on July 1, 2024, CAADCA’s enforcement had already been postponed to March 6, 2025 due to a trade association’s challenge to the statute’s validity. This second postponement comes as businesses await the district court’s decision on the trade association’s motion for a preliminary injunction to prevent the AG from enforcing CAADCA.
New York Passes Health Privacy Law – Your Questions Answered
The New York state legislature passed the Health Information Privacy Act on January 22, 2025, making New York the second state to introduce a comprehensive consumer health data law. If signed into law, the NYHIPA would impose more stringent obligations on organizations that handle “regulated health information.”
Congress Seeks Comments on Comprehensive Federal Data Privacy Law
Since the first comprehensive state data privacy law went into effect in California in 2020, 18 other states have enacted comprehensive data privacy laws, with 14 others currently moving through their state legislative process. These state laws are proliferating at a breakneck pace and leaving in their wake regulated entities grappling with a complex web of disparate requirements. While there is currently no federal standard to override this patchwork of state laws, on February 12, 2025, the House Committee on Energy and Commerce announced the creation of a Privacy Working Group. The Privacy Working Group is now seeking stakeholder input on its efforts through a request for information published on February 21, 2025.
Ghost (Cring) Ransomware: Understanding the Threat & How Enterprises Can Defend Themselves
On February 19, 2025, the Cybersecurity and Infrastructure Security Agency, in collaboration with the FBI and the Multi-State Information Sharing and Analysis Center, issued a joint cybersecurity advisory on the growing threat of Ghost (Cring) ransomware. Active since early 2021, this ransomware group has targeted organizations in over 70 countries, exploiting unpatched software, weak credentials, and outdated security configurations to infiltrate enterprise networks.
Ransom Payments at a Historic Low According to Report
On February 4, 2025, Coveware Inc. released its quarterly ransomware report for the fourth quarter of 2024 and identified that the percentage of victims paying ransoms fell to a historic low of 25%. While the average amount of a payment in Q4 2024 rose 16% quarter over quarter to $553,959, the median amount dropped a significant 45% to $110,890. The median is generally a better indicator of the market because it is not skewed by very high or low payments.
Selected Global Privacy & Cybersecurity Updates
UK Data Protection Regulator Fines UK Law Firm ~$80,000 Following Ransomware Incident
On April 14, 2025, the UK data protection regulator, the Information Commissioner’s Office (ICO), fined DPP Law £60,000 (approximately $80,000) following a ransomware incident. For the first time, the ICO has commented on the issue of a delay in notifying a personal data breach. The ICO considered that DPP’s failure to notify the ICO of the personal data breach within 72 hours was an aggravating factor and increased its fine.
UK Government Publishes Cyber Governance Code of Practice for Boards and Directors
On April 8, 2025, the UK government published the Cyber Code of Practice to support board directors in governing cybersecurity risks. The code is available online. The ICO is actively investigating and, in some instances, fining companies for personal data breaches caused by cybersecurity issues. It is therefore more important than ever for board directors to both engage with and mitigate against cyber risks.
UK’s Data Protection Regulator Fines a UK SaaS Provider ~$4 Million Following a Ransomware Incident
On March 26, 2025, the ICO fined Advanced Computer Software Group Ltd £3.07 million (approximately $4 million). In its penalty notice, the ICO found that Advanced failed to implement appropriate technical and organisational measures required by the UK GDPR.
European Commission Moves to Extend Free Flows of Personal Data to the UK
On March 18, 2025, the European Commission proposed to extend its adequacy decision in favor of the UK for an additional six-month period. This would allow free flows of personal data from the EU to the UK to continue until December 2025. The existing adequacy decision – which was adopted in 2021 in light of the UK’s departure from the European Union – is currently due to expire on June 27, 2025.
Belgian Data Protection Authority Issues Updated Guidance on Direct Marketing Rules
On March 10, 2025, the Belgian Data Protection Authority (BDPA) updated its 2020 guidance on the processing of personal data for direct marketing purposes. The BDPA reviewed its original guidance to help companies from all sectors navigate applicable EU privacy and data protection law requirements in view of recent technological and legal developments.
Events
- May 7–9, 2025 – Jennifer Everett and Wim Nauwelaerts spoke on the “Governing Intelligence: Navigating Compliance, Regulatory Frontiers in Litigation in 2025” and “Negotiating Data and AI-Related Contract Terms: Challenges, Trends, and Best Practices” panels, respectively, at the Privacy + Security Forum.
- May 7–8, 2025 – Jennifer Everett spoke on the “AI, Security, and the Practice of Law” panel at the Global Technology, Education & Careers Forum.
- May 7, 2025 – Kelly Hagedorn and Kate Hanniford presented at the “AI Breakfast Panel.”
- May 1, 2025 – Kelly Hagedorn and Hanna Hewitt presented at the webinar “DSARs in 2025: Navigating the Complex Landscape with Confidence.”
- April 30, 2025 – Kim Peretti and Cara Peterman presented a tabletop exercise simulating a cyberattack, geared toward boards of directors at NACD Leading Minds of Governance & Tech.
- April 28–29, 2025 – Kate Hanniford spoke on the “Cybersecurity, Privacy, and Data Protection Ethics Issues in Private Equity” panel at PLI’s Annual Private Equity Forum.
- April 23–24, 2025 – Paul Greaves presented during the “EU AI Act – Challenges and Solutions” session at the IAPP Global Privacy Summit.
- April 22, 2025 – Kim Peretti spoke on the panel “Incident Response: State of Play” at Incident Response Forum Masterclass 2025.
- March 26, 2025 – Kelly Hagedorn, Wim Nauwelaerts, and Eileen Scofield presented the webinar “AI Legal Insights: Shaping Tomorrow – AI in the Workplace: Regulatory Challenges in Europe and the U.S.”
- March 26, 2025 – David Keating and Alex Brown presented “Federal and State Privacy Regulation in 2025: Enforcement Trends, Regulatory Pitfalls and State Law Legislative Developments” in an IAPP KnowledgeNet Seminar.
- March 20–21, 2025 – Kim Peretti spoke on the panel “Salt Typhoon and Other Catastrophic Cybersecurity Threats” at the 2025 Privacy and Emerging Technology National Institute.
- March 5, 2025 – Dorian Simmons and Yin Tydir spoke on the panels “Contracts for AI Solutions” and “How to Get into Technology Transactions,” respectively, at the Privacy & Technology Law Section Forum.
- February 27, 2025 – Kelly Hagedorn spoke on the panel “The Near-Term Impact of the UK’s AI and Cyber-Security Reforms” at teissLondon2025: The European Information Security Summit.
- February 26, 2025 – Wim Nauwelaerts and Paul Greaves presented “AI Legal Insights: Shaping Tomorrow – AI Regulation: Recent Developments in the EU and UK.”
In the News
- April 8, 2025 – Sara Pullen Guercio is quoted on states’ efforts to enact privacy laws that cover consumers’ neural data in Bloomberg Law.
- April 1, 2025 – Sara Pullen Guercio is quoted on the legal issues surrounding the recent advances in wearable neurotech devices in the ABA Journal.
- March 27, 2025 – Jennifer Everett is quoted on the future of efforts to regulate artificial intelligence at the federal and state levels in American Banker.
- March 3, 2025 – Kirk Bradley, Kim Peretti, Rob Stone, Tim Trysla, and Lance Taubin are noted as top authors in JD Supra’s 2025 “Readers Choice Awards.”
Press Releases
Kim Peretti, partner and co-chair of Alston & Bird’s Privacy, Cyber & Data Strategy Team and National Security & Digital Crimes Team, and Kate Hanniford, partner in the firm’s Privacy, Cyber & Data Strategy Team, have again been named to Cybersecurity Docket’s 2025 “Incident Response 50.”
Alston & Bird Represents T2S Solutions in Acquisition of Blue Marble Communications
Alston & Bird represented T2S Solutions, a founder-led provider of advanced technologies that support U.S. defense, intelligence, and national security missions, on its acquisition of Blue Marble Communications, a leading provider of space-qualified communications and computing technologies. Headquartered in Belcamp, Maryland, T2S Solutions is a portfolio company of Madison Dearborn Partners.
Leadership Council on Legal Diversity Honors Dorian Simmons as a 2025 Pathfinder
Alston & Bird is pleased to announce that Dorian Simmons, senior associate on the firm’s Privacy, Cyber & Data Strategy Team, has been named a member of the 2025 class of Pathfinders. The LCLD Fellows program offers professional and personal development opportunities and leadership training and relationship-building resources to high-potential, mid-career attorneys at LCLD member organizations.
Alston & Bird Increases Rankings in Chambers Global 2025
Alston & Bird has been recognized in the 2025 edition of Chambers Global, with 12 practices and 24 lawyers cited for excellence.
“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Paul Greaves, Yin Tydir, Lance Taubin, and Hanna Hewitt.
For additional updates, please be sure to visit our blog at www.alstonprivacy.com.
Stay ahead of evolving ransomware threats with Alston & Bird’s Ransomware Fusion Center. Our Privacy, Cyber & Data Strategy Team offers comprehensive resources and expert guidance to help your organization prepare for and respond to ransomware incidents. Visit Alston & Bird’s Ransomware Fusion Center to learn more and access our tools.
The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.