Digital Download December 2025

The Digital Download | Alston & Bird’s Privacy & Data Security Newsletter | December 2025

Publications & Advisories

Selected U.S. Privacy & Cyber Updates

SEC Dismisses Remaining Claims Against SolarWinds

On November 20, 2025, the Securities and Exchange Commission (SEC) dismissed its landmark enforcement action against SolarWinds Corp. and the company’s chief information security officer, Tim Brown. In 2023, the SEC’s enforcement action broke new ground as the first formal action by the commission against a CISO and the first civil fraud action litigated by the SEC related to a public company’s cybersecurity disclosures.

Closing the Privacy Gap: HIPRA Targets Health Apps and Wearables

On November 4, 2025, Senator Bill Cassidy, M.D. (R-LA) introduced the Health Information Privacy Reform Act (HIPRA), a bill aimed at closing a gap in health data protections. According to the press release, HIPRA is intended to “expand health privacy protections to account for new technologies that are not currently required to have privacy protections, such as wearables and health apps.”

CMMC Brings New Era of Cybersecurity Compliance for Defense Contractors

The Department of Defense’s final rule implementing the Cybersecurity Maturity Model Certification (CMMC) program took effect on November 10, 2025, ushering in a new era of obligations for defense contractors. Over the next three years, contractors that process federal contract information or controlled unclassified information should expect to see the requirements of the CMMC program implemented into their existing contracts and should expect to flow down those requirements to their subcontractors as well.

HIPAA Security Rule: Still on Track for Finalization

Since the Department of Health and Human Services Office for Civil Rights (OCR) published a proposed rule to overhaul the HIPAA Security Rule in January 2025, many in the health care and privacy community have wondered whether the rule would quietly fade away. However, despite sharp criticisms and industry pushback, recent developments confirm that the OCR has kept the rule’s finalization on its official regulatory agenda for May 2026.

NYDFS Issues Guidance on Managing Risks Related to Third-Party Service Providers

On October 21, 2025, the New York Department of Financial Services (NYDFS) published an industry letter outlining guidance on managing risks related to third-party service providers (TPSPs). The NYDFS recognizes that as covered entities become more reliant on TPSPs, managing TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program.” The letter outlines the actions and advice covered entities should take while progressing through the life cycle of a TPSP relationship.

Key Breach Notification Updates in California and Oklahoma for 2026

Effective January 1, 2026, new legislation in California and Oklahoma will introduce important updates to each state’s breach notification requirements. These changes may significantly impact breach response obligations for businesses operating in or handling data related to residents of these states.

California Enacts Digital Age Verification Law

On October 13, 2025, California Governor Gavin Newsom signed Assembly Bill 1043, the Digital Age Assurance Act, into law. Effective January 1, 2027, the act introduces a device-based age verification system designed to create safer digital environments for children under 18. The act underscores a trend of state laws that require age verification or assurance to address growing concerns about the risks children face online, such as exposure to harmful content, cyberbullying, and predatory data management practices.

Government Shutdown Creates Lapse in Cyber Threat Information Sharing

On September 30, the day before the recent federal government shutdown, a 10-year-old cybersecurity law expired before it could be reauthorized. The Cybersecurity Information Sharing Act of 2015 provided a mechanism for private companies to share information with the federal government about cyber threats in return for certain legal protections.

FTC Cracks Down on Messaging App Operator on Child Data Exploitation

On September 29, 2025, the Federal Trade Commission (FTC) announced legal action against the operator of the anonymous messaging app Sendit and its CEO for violations of multiple consumer protection and privacy laws. The complaint, filed in the Central District of California by the Department of Justice at the request of the FTC, alleges violations of the Children’s Online Privacy Protection Act (COPPA), COPPA Rule, Section 5(a) of the FTC Act, and the Restore Online Shoppers’ Confidence Act. The FTC seeks a permanent injunction, monetary relief, and civil penalties.

Unlocking the MIND Act: The Senate to Take on the Challenge of Neurotechnology

On September 24, 2025, Senators Maria Cantwell (D-WA), Chuck Schumer (D-NY), and Ed Markey (D-MA) announced they will introduce the Management of Individuals’ Neural Data (MIND) Act of 2025. If enacted, the MIND Act will direct the FTC to conduct a comprehensive study and report on the collection, processing, storage, sale, and transfer of neural data and related data and to recommend a regulatory framework for their protection.

California Finalizes New and Amended CCPA Regulations

On September 23, 2025, the California Privacy Protection Agency (CPPA) announced that the California Office of Administrative Law (OAL) had approved the new and amended California Consumer Privacy Act (CCPA) regulations that the CPPA delivered to OAL for approval following the CPPA’s July 24, 2025 board meeting. This was the last step under California law to formal adoption of the new and amended regulations.

Texas Expands Data Broker Act Requirements

On September 1, 2025, the amendments to the Texas Data Broker Act became effective. The act, which originally came into effect on September 1, 2023, defines “data brokers” as business entities that derive their principal source of revenue from collecting, processing, or transferring personal data that they did not collect directly from consumers. The law requires data brokers to post an online notice of their status as a data broker, register annually with the Texas Secretary of State, and implement a written information security program.

United States, International Coalition Issue Joint Warning of Increasing PRC-Backed Threat Activity

On August 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the NSA, FBI, and Department of Defense Cyber Crime Center (DC3) issued a joint advisory highlighting increased cyber threat activity linked to threat actors affiliated with the People’s Republic of China. The advisory was co-authored and endorsed by international cybersecurity partners from Australia, Canada, New Zealand, the United Kingdom, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain.

CISA Gives Itself an Extension for Cyber Incident Reporting Rules

CISA has extended its own deadline for issuing final rules on mandatory incident reporting for critical infrastructure entities. The original deadline of October 2025 was pushed back by six months to May 2026. Under the Cyber Incident Reporting for Critical Infrastructure Act, passed in 2022, critical infrastructure entities are required to report cybersecurity incidents and ransom payments to CISA.

Compliance Deadline for Colorado AI Act Delayed Until June 30, 2026

On August 28, 2025, Colorado Governor Jared Polis signed Senate Bill 25B-004 into law, extending the compliance deadline of the Colorado Artificial Intelligence Act (CAIA) from February 1, 2026, to June 30, 2026. The bill does not alter the CAIA’s substantive requirements. But it remains uncertain whether the Colorado legislature will introduce further amendments to the CAIA during the upcoming regular legislative session before the CAIA’s obligations take effect.

Multistate Privacy Investigative Sweep Targeting Website Global Privacy Control Noncompliance

On September 9, 2025, the CPPA announced a joint investigation sweep, in coordination with the attorneys general of California, Colorado, and Connecticut, targeting businesses that may be failing to honor consumers’ opt-out requests submitted via Global Privacy Control signals. The CPPA’s announcement underscores a growing trend of multijurisdictional collaboration among regulators to enforce consumer data privacy laws.

Rhode Island’s New Cybersecurity Law for Nonbank Financial Institutions

Rhode Island has enacted Senate Bill 603 (SB603), effective July 2, 2025, establishing a comprehensive cybersecurity framework for nonbank financial institutions licensed by the state’s Department of Business Regulation. Although SB603 is closely modeled after New York’s Cybersecurity Regulation, 23 NYCRR Part 500, SB603 introduces several notable deviations that may influence compliance strategies—particularly for institutions licensed in both jurisdictions.

DOJ Settles Cyber Qui Tam Action Against Illumina for Allegedly Unsecured Genomic Sequencing Products

On July 31, 2025, the Department of Justice announced a $9.8 million settlement with Illumina Inc. to resolve alleged False Claims Act (FCA) violations based on cybersecurity vulnerabilities and shortcomings in its genomic sequencing products. Of the total settlement, $1.9 million will be paid to the qui tam whistleblower who brought the FCA case—Illumina’s former director of platform management.

CISA and FBI Joint Update on Scattered Spider: Evolving Threats and Mitigation Guidance

On July 29, 2025, CISA, the FBI, and international partners issued an updated advisory highlighting the evolving tactics, techniques, and procedures of the cybercriminal group Scattered Spider. First identified in 2023, this group is notorious for targeting large enterprises and their contracted IT help desks, often leveraging advanced social engineering techniques to infiltrate systems and exfiltrate sensitive data.

Selected Global Privacy & Cyber Updates

The EU Digital Omnibus: A European Data Law Shake-Up May Be Coming

On November 19, the European Commission released its EU Digital Omnibus proposal, a 153-page document accompanied by an explanatory memorandum and a staff working document. This proposal introduces amendments, deletions, and replacements to several cornerstone EU digital laws.

UK Cybersecurity Legislation Soon to Be Introduced

The UK government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament, marking the most significant update to the UK’s cyber legislation since 2018. The bill aims to strengthen national security and protect critical infrastructure networks in key sectors from increasingly sophisticated cyber threats.

UK’s National Cyber Security Centre Releases 2025 Annual Review

The UK’s National Cyber Security Centre (NCSC) has released its annual review for 2025. As in 2024, the report covers the UK’s cybersecurity position, the threats it faces, and the country’s readiness to deal with those threats.

UK Data Protection Regulator Fines Capita ~$18.8 Million Following a Ransomware Attack

On October 15, 2025, the UK’s Information Commissioner’s Office (ICO) fined Capita plc and Capita Pension Solutions Limited £14 million (~$18.8 million) for failing to implement adequate security measures to protect the personal data of over 6.6 million individuals following a ransomware attack by Black Basta.

The EU Data Act Comes into Force

The EU officially adopted the Data Act in January 2024, and it came into force on September 12, 2025. The Data Act builds on existing laws like the General Data Protection Regulation and the Data Governance Act. Now that the legislation is active, companies that fall under its scope must proactively review its provisions and ensure they comply with the new obligations.

Chilean Regulator Launches Public Consultation on New Cybersecurity Law

On September 16, 2025, the Chilean Cybersecurity Agency (Agencia Nacional de Ciberseguridad) launched a public consultation on its provisional list of companies that may be classified as “operators of vital importance” (operadores de importancia vital, or OVI) under the recently enacted Chilean Cybersecurity Law. The list reveals that nearly 1,700 companies active in various sectors could qualify as OVIs. The consultation period lasted 30 days and gave stakeholders and the public an opportunity to comment on the preliminary list of OVIs, which may ultimately be subject to the law’s most stringent cybersecurity requirements.

Events

  • December 9, 2025 – Jennifer Everett, Dorian Simmons, and Martha Doty will host “Automated Decisions, Human Consequences: Navigating AI and Employment Law” as a part of Alston & Bird’s AI Legal Insights: Shaping Tomorrow Webinar Series.
  • November 18–20, 2025 – Alston & Bird hosted a reception and dinner during the IAPP European Data Protection Congress (EDPC) in Brussels, Belgium, including a special fireside chat with Isabelle Vereecken, Head of Secretariat for the European Data Protection Board, and Joe Jones, Director of Research & Insights at IAPP. Paul Greaves led the roundtable “The EU Data Act: Compliance Challenges and Solutions” at the EDPC.
  • November 12–14, 2025 – David Keating spoke on the panel “Agentic AI: Privacy in the Age of Autonomous AI Agents” and Kate Hanniford and Dorian Simmons spoke on the panel “Regulators Aren’t Buying It: Mitigating Enforcement Risk in Digital Advertising” at the Privacy + Security Forum, Fall Academy.
  • November 6, 2025 – Kelly Hagedorn and Kate Hanniford presented “Securing the Deal: Cyber Risk Management in Corporate Transactions.”
  • November 5, 2025 – Alston & Bird and the Cross-Border Data Forum co-hosted the Alston & Bird and Cross-Border Data Forum Fall Conference.
  • October 27–28, 2025 – David Keating and Rachel Lowe spoke on the panel “From Privacy to AI: Lessons from California’s Regulatory Frontlines” at the California Retail Law Summit sponsored by the National Retail Federation.
  • October 22, 2025 – Kim Peretti and Cara Peterman spoke at the webinar “A Strategic Approach to Cyber Crisis Readiness: Before, During, and After an Incident” for Ready Set GC.
  • September 30, 2025 – Dorian Simmons moderated the panel “Oversight, Top of Mind: Navigating Privacy and Security at the Board Level” at an IAPP Atlanta KnowledgeNet Meeting hosted by Alston & Bird.
  • September 25, 2025 – Kate Hanniford spoke during the webinar “Cyber Incident Readiness and Response Through a Wider Lens” hosted by Today’s General Counsel.

In the News

  • September 24, 2025 – Jennifer Everett and Jennifer Pike are featured on the impacts that privacy laws and AI are having on health care marketing in Touch Point Media.
  • August 6, 2025 – Jennifer Everett is quoted on the Trump Administration’s recently released action plan to promote growth in the U.S. artificial intelligence sector in CIO Dive.

Press Releases

Alston & Bird Earns 131 Tier-1 Rankings in 2026 Best Law Firms

Alston & Bird has been honored as one of the nation’s top law firms in the 2026 edition of Best Law Firms®, ranked by Best Lawyers. The firm received 30 national tier-one practice rankings and 101 metropolitan tier-one practice rankings across all U.S. offices.

Alston & Bird Advises TrueCar on $227 Million Go-Private Acquisition by Fair Holdings

Alston & Bird advised TrueCar, a nationally recognized digital automotive marketplace, on its recently announced agreement to be acquired by Fair Holdings Inc., an entity led by TrueCar founder Scott Painter, in an all-cash, go-private transaction valued at approximately $227 million. Cara Peterman and Dorian Simmons from our Privacy, Cyber & Data Strategy Team represent TrueCar.

“The Digital Download” is produced by Alston & Bird’s Privacy, Cyber & Data Strategy Team, led by Kim Peretti and David Keating. It is edited by Hanna Hewitt, Alice Portnoy, Andrew Rice, and Anna von Spakovsky.

For additional updates, please be sure to visit our blog at www.alstonprivacy.com.

Stay ahead of evolving ransomware threats with Alston & Bird’s Ransomware Fusion Center. Our Privacy, Cyber & Data Strategy Team offers comprehensive resources and expert guidance to help your organization prepare for and respond to ransomware incidents. Visit Alston & Bird’s Ransomware Fusion Center to learn more and access our tools.

The Digital Download, as well as any articles or other content linked to or otherwise cited by or attached to it, is not intended to constitute and should not be relied upon as or construed to be legal advice.

Media Contact
Alex Wolfe
Communications Director