Dec. 24, 2025

Six Articles on Leading Issues of 2025

The past year kept companies juggling data governance and compliance tasks. They raced to rein in AI, fortify cybersecurity and patch privacy gaps as state regulators circled like hawks. The Cybersecurity Law Report covered issues that demanded readers’ utmost attention. California Invasion of Privacy Act lawsuits piled up, hitting businesses across the economy. AI risk rocketed to the top of boardroom agendas, privacy litigation delivered a blockbuster Meta verdict and regulators zeroed in on kids’ data. Cyber rules toughened with the SEC’s overhaul of Regulation S‑P, while the DOJ’s guidance on its bulk sensitive data rules sent compliance teams scrambling. Many intriguing issues and developments for 2026 are already evident. The Cybersecurity Law Report will resume its distinctive and often unparalleled coverage of the next wave of AI, privacy, and cybersecurity developments on January 7, 2026. Happy holidays!

How to Create a Program to Combat Deepfakes

Deepfakes are not just another cybersecurity risk. They can strike at the heart of corporate credibility and undermine everyday business interactions. AI-based detection tech is improving and may help combat the threat, but it is untested. Thus, a comprehensive program is needed to strengthen both defenses and the response. With insights and recommendations from practitioners at Baker Donelson, DeleteMe, Fisher Phillips and Gartner, this article provided a detailed framework for mitigating deepfake risk and presented pitfalls to avoid in the battle against this pervasive fraud.

DOJ Guidance on Bulk Sensitive Data Rules Series

The DOJ has issued guidance to facilitate compliance with its final rules, referred to as the Data Security Program (DSP), implementing former President Biden’s Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. Though much of DOJ’s guidance material rearticulates language in the DSP, it includes some notable new compliance information for organizations. This two-part article series highlighted the key elements of the guidance, with commentary from Edward McNicholas, a partner at Ropes & Gray. The first installment covered the enforcement grace period, definitions of bulk data and covered persons, and prohibited transactions. Part two distilled guidance on DSP requirements around the data compliance program, recordkeeping, reporting, licenses and advisory opinions.

Guide to AI Risk Assessments

Touted as a transformative tool for boosting productivity, elevating efficiency and crunching lots of data really fast, AI is impacting seemingly every industry. Along with AI’s tremendous potential, however, comes risk. An AI risk assessment can help identify potential issues like bias, security vulnerabilities and privacy concerns, and inform mitigation strategies. This article, with insights from Covington & Burling and PwC, offered practical guidance for assessing risk – including whom to involve, timing and identifying key risks – and addressed how to use the results to help mitigate risks.

CIPA Jury Verdict Against Meta Series

In a rare digital privacy verdict, a federal jury held in July 2025 that Meta illegally eavesdropped on millions of women who entered menstrual and pregnancy health data into the Flo Period and Ovulation Tracker app (Flo app). Meta’s violation of the California Invasion of Privacy Act (CIPA) could trigger statutory damages, when they are decided in 2026, that run into the hundreds of millions of dollars. The verdict warns the multitudes of companies that receive data from a software development kit that they may have CIPA liability. The first article in a two-part series about CIPA lawsuits examined the plaintiffs’ successful strategies to persuade the jury that Meta intentionally eavesdropped on them in Flo’s app without consent, and the dynamics of trying privacy cases before a jury, with commentary from privacy litigators at Farella, Braun & Martel, Holland & Knight, Troutman Amin and a plaintiffs’ attorney who reached a $725‑million settlement with Meta. Part two discussed the implications of Meta’s trial loss for other companies, with lessons about consent, software development kit use, AI training notice, anonymization and class action waivers, and distilled the cloudy CIPA litigation landscape, which has seen several notable but clashing pretrial decisions in 2025.

What to Know About the Sleeping Giant That Is the SEC’s Amended Reg S‑P

The time to comply with the SEC’s amendments to Regulation S‑P (Amendments), adopted in May 2024, has arrived. The Amendments substantially expand requirements for safeguarding customer information, with mandates around the incident response program, customer notice, service provider oversight and recordkeeping. The changes pertaining to notice and incident response program requirements will prove particularly challenging for covered institutions, including investment advisers. In this guest article, Goodwin partner Kaitlin Betancourt examined those challenges and offered practical compliance guidance.

Children’s Privacy Grows Up Series

Children’s online privacy is not just for tweens and half-pints anymore. Companies are increasingly blocking targeted advertising to teen users in response to demanding laws in Texas, Maryland, Colorado, Connecticut and several other states that are designed to protect minors up to age 18. Additionally, the FTC began 2025 by adding multiple new hurdles and friction points for companies that collect the data of children under 13 by amending its Children’s Online Privacy Protection Act Rule (Amended Rule) for the first time since 2013. The first article in this three-part series discussed the key pacesetter laws that emerged in 2024 to regulate minors’ online activities and examined the most significant trends shaping this increasingly difficult compliance area. Part two addressed the new legal framework around minors’ privacy, spotlighted the Amended Rule’s most significant changes and examined their impact on companies’ compliance. The third article provided practical compliance considerations for businesses around requirements common to multiple laws, discussed a unified approach to protecting a vulnerable group and offered sources for guidance in avoiding regulators’ attention.