Children's Privacy

Navigating Three New State Laws That Require Apple and Google App Stores to Check All Users’ Ages


Checking a customer’s ID is not just for cigarette and liquor sales anymore. Texas, Utah and Louisiana have enacted “app store accountability” laws (App Store Laws) that will require Google and Apple to verify the age of all users seeking to download an app.

App stores must sort visitors into four age ranges – child, young teenager, older teen and adult – and seek parental consent for minors, then pass details to the app owner or developer (owner). Google and Apple could well decide to require all app store visitors to submit a photo ID or biometric selfie to address their new legal liability. Texas’ law, which goes into effect in January 2026, requires parents to show they have legal authority for their children. Utah’s law, already in effect with a compliance deadline of May 2026, establishes a private right of action for aggrieved parents or minors. Louisiana’s law takes effect in July 2026.

The App Store Laws create a duty for each app owner to know the age ranges of app-using residents, regardless of the app’s content or intended audience. “Texas is the second most populous state in the country. It is likely that all app developers will have to comply with the law,” said Loeb & Loeb partner Nerissa Coyle McGinn. While the app stores must handle the initial ID verifications, app owners face decisions about product strategy, user interfaces, handling sensitive data and more.

Soon, websites also may need to directly verify their users’ ages. On June 27, 2025, the U.S. Supreme Court ruled that an earlier Texas age verification law applying to adult websites is constitutional. Twenty‑three other states have similar laws, some of which were enjoined before the decision.

This article, with insights from experts at Blank Rome, Loeb & Loeb, Pillsbury, Sheppard Mullin and Wilson Sonsini, examines the three new laws, and discusses their implications and uncertainties. It also offers compliance strategies and addresses the practical effects for companies of broader changes in age verification law, including the recent U.S. Supreme Court decision in Free Speech Coalition v. Paxton.

See “The Practical and Legal Complexities of Online Age Verification” (Jun. 21, 2023).

Opposition and Justification

Google and Apple, the main targets of these laws, lobbied hard against them, asserting they were gatekeepers for the app market in the most minimal sense. Apple’s CEO called Texas’ governor, to no avail. Elected officials, who broadly have accused Big Tech of hurting the lives of children and families, have now hung substantial verification costs on the two most prominent U.S. portals for tech products. “The title of the laws, app store accountability, shows that this is changing the conversation” about interventions for child safety and minors’ privacy, Pillsbury partner Shruti Bhutani Arora told the Cybersecurity Law Report.

The laws have yet to be challenged, but precedents exist giving citizens a right to access “public forums” without identity gatekeeping. Utah, Texas and 10 others have enacted social media laws requiring age verification, but federal courts have enjoined several on right-to-access grounds.

Campaigners for app store laws emphasize that these laws regulate contracts rather than public forum access. “We don’t allow kids to enter into contracts anywhere else. If they’re at a bank and they want a credit card, you’d better believe that it’s the bank that’s verifying the kid’s age,” said Alabama Senator Katie Britt at an FTC workshop in June 2025.

See “Creating Enforceable Online Agreements” (Jul. 9, 2025).

Obligations for App Stores

The App Store Laws impose extensive requirements, which will drive app stores to communicate far more frequently with both app owners and families.

See “Apple Overhauls Privacy for iPhone Apps, but Will It Enforce Its Policies?” (Sep. 23, 2020).

Must Assist Parents’ Oversight

App stores must link all minors’ accounts with the account of a parent or guardian (parents). They must alert parents of the app’s rating, the content or elements that prompted its rating, its sharing of personal data and its measures to protect users’ data.

The laws differ notably on authenticating parents, Wilson Sonsini partner Christopher Olsen told the Cybersecurity Law Report. “Texas requires that an app store verify that the parent account belongs to an individual with legal authority over the minor,” while the other two states oblige the app stores to verify the adult is 18 or older, he highlighted.

Must Use Reasonable Verification Methods

Under the new laws, the app stores must use “commercially reasonable” methods to verify ages. The laws offer developers a safe harbor for using “widely adopted” industry standards in good faith. Utah’s law directs the Division of Consumer Protection to create age verification standards.

See “Google’s Wiretap Cases Highlight Evolving Privacy Transparency Standards” (Jan. 24, 2024).

Must Obtain Specific Consent From Parents

App stores likely will communicate with parents well past the initial download. The stores must obtain parents’ affirmative consent for every download and in-app purchase. App stores must not rely on a parent’s blanket consent, Texas’ law clarifies.

When an app changes its terms, content or practices, the store must alert parents and obtain fresh consent.

See our three-part series “Children’s Privacy Grows Up”: Examining New Laws That Now Protect Older Teens (Jan. 15, 2025), FTC Amends COPPA Rule and Targets Data Sharing (Jan. 29, 2025), and Seven Compliance Areas for Protecting Teens (Feb. 12, 2025).

Obligations for App Owners

App owners must give each app store the age rating and elements justifying it. They must alert the app store about changes to the app’s data processing activities, monetization features, user experience and functionality.

Owners also must set up procedures to handle all users’ age categorization, parental consents and revocations, and strictly limit use of this data to ongoing policing of the minor’s app transactions.

Each App Store Law forbids companies from enforcing a contract with minor users without parental consent, which may require changes in their terms of service.

With three states seeking to rein in app stores, other states might act against them, too, setting up the “potential for conflicting compliance obligations for businesses through a patchwork of state laws,” Sheppard Mullin partner Wynter Deagle told the Cybersecurity Law Report.

See “Creating Enforceable Online Agreements” (Jul. 9, 2025).

Uncertainties About Interpretations of App Store Laws

The App Store Laws have similar provisions, but “applicability will turn on how aggressively regulators interpret the definitions,” Deagle said. An “app store” is defined across the laws as a “website, software application, or other electronic service that distributes software applications” to a “wireless” mobile device.

For “apps,” Texas and Louisiana refer only to “software.” Utah more broadly defines apps as “a software application or electronic service.”

Legislators signaled that they “had in mind the traditional app stores and app context, but ‘app store’ can be read more broadly” than the two phone giants, Olsen noted. An aggressive enforcer might try to extend “app store” to include connected gaming systems, extended-reality headsets, smart watches and glasses, or social media services offering choices of apps to run on mobile devices.

Podcast services also might be affected by interpretations of “app store” or “apps.” None of the laws exclude “electronic services” or software for downloads of developers’ audio files. “Companies are wrestling with finding the most reasonable interpretation of the laws without a lot of confidence that states will agree with them down the line,” Olsen reported.

“There are no judicial or AG interpretations at this point to rely on. Additional guidance from the states would be very helpful,” Olsen added.

Top Court Blesses Website Age Verification Law

Websites face legal uncertainties, too. Many states have passed strict age verification laws targeting access to online adult content such as pornography, gambling or violent games. In June 2025, the U.S. Supreme Court’s Free Speech Coalition v. Paxton decision boosted the campaign to require age verifications. It held Texas H.B. 1181 to be constitutional. The law mandates each adult provide proof that they are at least 18 years old to prevent “access to sexual material harmful to minors.”

The Court strikingly reasoned that Texas’ law did not ban adults’ access to content, requiring only an intermediate level of scrutiny. The majority concluded that the burden to adults was “incidental” to serving the legitimate objective of denying children access to harmful content. “The dissent disagreed on the level of scrutiny, but said it was not clear that the law would fail even if it required strict scrutiny,” noted Blank Rome partner Philip Yannella.

The decision seems to put state website laws on firm footing. “Given the endorsement of age restriction laws by the Supreme Court, a patchwork of state laws seems likely,” Deagle predicted. These laws already vary on applicability. Some apply to “adult-oriented” websites, others to “displaying material harmful to minors” or “hosting harmful or obscene” content. “Other states may seek to broaden the scope of website age-verification laws to businesses unrelated to adult content,” she said.

Also adding pressure to companies are a few states’ age-appropriate design codes, some of which require websites to have “actual knowledge” of minors’ ages.

Compliance Strategies and Implications

“The social media laws and the age-appropriate design codes, if they are upheld,” will push a broader swath of companies to seek to verify ages on their own, regardless of the app stores’ approach, Yannella noted.

“A lot of companies don’t have age verification systems in place. They’re used to living in a world where the only real law they had to worry about was the Children’s Online Privacy Protection Act,” Yannella said. The App Store Laws “will require another level of tech compliance from anyone offering a tool through an app store [that is] potentially used by minors,” he advised.

Alert the Stakeholders

Compliance tasks for age verification often reverberate across IT, legal, product design and marketing.

On the data compliance side, “because the verifications collect information that could be classified as sensitive personal information, this is as complicated as it gets. It may require hiring a vendor, a technical build,” and reviewing privacy and security procedures, Bhutani Arora said. The effect on minors and families will lead to business strategy discussions. Deploying an age verification technology to be effective and user-friendly will involve “a company’s disparate stakeholders undertaking months of discussions and deliberations” to settle on the policies and procedures. “It’s a whole company-wide effort to adjust. It’s not flipping a switch,” she stressed.

The App Store Laws’ requirements move beyond a one-time age verification at registration to a continuous process, said Coyle McGinn. “The laws require apps to institute processes to ensure that the consent has been given for each purchase on the app. Because these updating and verification requirements are ongoing, it will be very costly and challenging for the apps to implement,” she noted.

Evaluate Business Impact on App

“There will be a stronger impact on businesses that provide products or services to minors because of the accompanying consent requirements,” Deagle observed. This additional step burdens parents and could lead to fewer app downloads or purchases, she highlighted.

Beyond maintaining the number of downloads, user retention is crucial, Bhutani Arora advised. “The deliberation [about age verification’s impact] can lead to redesigning or redefining what the product is,” she posited. For example, the company may need to consider whether to make an under‑18 version – or not offer the products or service to under 18s, she noted.

Coordinate Compliance With Multiple Laws

The App Store Laws and state privacy laws do not necessarily mesh. “The mandatory collection and sharing of age information may be viewed as inconsistent with principles of data minimization and limited data sharing that regulators have emphasized in other contexts,” Olsen observed.

Balancing the different laws’ requirements plays out behind the scenes in a series of decisions about the personal data used in verifications. Companies make choices about how much data to store, how to “update the security protocols and privacy protocols protecting that data, and how to update the company’s forward-facing documents like privacy policies, which will say how the company collects and retains the information,” Bhutani Arora enumerated.

Attention to enforcement focus and trends will be important as well. Companies conducting their own verification should keep in mind that regulators are examining dark patterns around age checks, Bhutani Arora noted. In a settlement with Tilting Point, the California AG and the Los Angeles County District Attorney criticized the company’s interface that asked users for their age.

See “Scrutiny Over Dark Patterns Presents Further Challenges in Online Contracting” (Jan. 18, 2023).

Assess the Verification Methods on the Market

“There are many technologies that say they verify age, but some don’t really do very much,” Yannella observed. One common approach uses data from identification uploads to check users against giant age databases. Another entails using credit card checks. Most avoid verification methods involving face scanning or other biometric age checks, he reported.

No consensus exists on what methods will satisfy an “actual knowledge” requirement. “We know that a simple age gate asking for a birthday will NOT satisfy standards,” Coyle McGinn noted, “but it is still up in the air what would be ‘reasonable’ under these statutes.”

Deagle predicted that “we will see state legislators and regulators start to weigh in more on what they consider ‘commercially reasonable’ in the context of an app or website. While many companies are using some method, most of those methods have never been battle-tested,” she observed.

Probe and Audit Vendors’ Practices

Companies evaluating verification vendors should look for age verification solutions that are privacy-preserving, secure, and scalable across devices and jurisdictions. New-generation tools claim to reduce privacy risk by confirming a user’s identity and age, then will “drop a cookie on a person’s browser that says this person is 18 or 17. No personally identifiable information is otherwise retained. I don’t have a lot of clients that are using that type of tool yet,” Yannella noted. “The only criticism I’ve really heard is no one is really sure it works.”

Companies must ask for the storage and sharing policies, proof of the underlying verification technology and otherwise validate the product. “Accuracy is really important” for companies to check before using a technology on their website or app, Bhutani Arora advised. So is reputation, Yannella added.

Skepticism about effectiveness should remain companies’ default. Businesspeople spending on age-check technology bemoan that “any kid who really wants to access a site can get around an age verification tool by using a VPN,” Yannella said.

The vendor array might shift, Olsen pointed out, predicting “that third-party age verification providers will continue to innovate in this area to enhance privacy-preserving techniques given the prevalence of these new laws that render their services more valuable.”

See “Checklist for Selecting Privacy Tech Solutions” (Nov. 1, 2023).

Prepare to Catch Violators

With the App Store Laws, Coyle McGinn noted, the app owner may have to prohibit a requested purchase or, “if a minor does not meet the statutory requirements to use the app, may have to kick the minor out of the app.” Companies need to consider communications for these sensitive tasks.

Similarly, companies must prepare for consent revocations, including how to verify the parent’s identity and check if a minor is emancipated, Bhutani Arora recommended.

On the technical side, companies may have to engineer how to receive the app stores’ signals. Google and Apple have different platform technologies, and their approaches to age verification may not fully mesh.

Now that three states have burdened the mobile phone giants with age verification obligations, copycat state laws or congressional action over the next couple of years could shift the main age-checking responsibilities to a wider array of digital gateways like app stores, devices and browsers.

Or the laws may be challenged in court or changed under pressure. In the near term, companies owning apps and websites still will need to decide whether they must become age-checking door monitors, asking for customer IDs and collecting signed permission slips from the parents of minors.

Cyber Crime

CFTC Commissioner Urges Tougher Diligence and Closer Cooperation to Thwart Cyber Threats


Private sector firms have made modest progress in recent years when it comes to adopting cybersecurity best practices, according to Commodity Futures Trading Commission (CFTC) Commissioner Kristin N. Johnson. In remarks delivered on July 14, 2025, at the Regulators Roundtable on Financial Markets Innovation and Supervision of Emergent Technology, the Commissioner discussed international cybersecurity defenses and protocols, and highlighted acute dangers in a heavily interdependent business world where a contagion of breaches, or “domino effect,” is all too likely. She noted that the expertise and technology that firms leverage in the hope of shielding their own data and systems often fail to take account of the dangers that a breach might occur at the nexuses of interaction between a firm and a central counterparty or other vendor or service provider.

The dangers of third-party exposure, failures of counterparty risk management, cross-border attacks and breaches, and the growing use of IT infiltrators and AI on the part of rogue states, hackers and other bad actors are all issues of grave concern and call for improved third-party risk management, bolstering cross-border regulatory and enforcement efforts and the sharing of actionable threat intelligence among firms, the Commissioner argued.

This article covers key takeaways from Johnson’s remarks with practical commentary on insider threats, third-party risk mitigation, and incident preparation and response from cybersecurity experts at Debevoise & Plimpton and Otterbourg.

See “Strengthening Cyber Defenses in an Ever-Evolving Threat Landscape” (Jun. 4, 2025).

Encouraging Steps

Not all of Johnson’s assessment of the state of cyber preparedness in the United States and abroad was negative. On the contrary, her remarks cited evidence of significant progress in recent years toward achieving higher levels of operational resilience.

Some of the initiatives Johnson alluded to have come directly from her own agency. For example, in December 2023, the CFTC issued a proposed rule, which quickly met with unanimous approval, aiming to establish an operational resilience framework that would help futures commission merchants, swap dealers and major swap participants “identify, monitor, manage, and assess risks relating to information and technology security, third-party relationships, and emergencies or other significant disruptions to normal business operations,” she noted.

The operational resilience framework approach can help bolster preparedness in a market where cyber resilience “is only as strong as its weakest link,” Johnson argued. She went on to enumerate a number of concerning gaps in the defenses of firms both within and outside the CFTC’s regulatory purview.

Continuing Vulnerability Highlights Need to Improve Key Defenses

For all the positive signs, the Commissioner noted that the Market Risk Advisory Committee (MRAC) she sponsors at the CFTC found cyber-resilience issues that the CFTC’s December 2023 proposal did not sufficiently address. In particular, the risks facing CFTC-regulated central counterparties – and, by extension, firms that do business with them and become vulnerable to potential contagion – did not get enough attention.

The Central Counterparty Risk and Governance Subcommittee (of the MRAC) identified a need to “improve upon the existing framework and require that derivatives clearing organizations establish, implement and maintain a third-party relationship management program,” Johnson noted. “Once again, this highlights the importance of international collaboration, in setting the standard for best practices, and for developing policies that are familiar to global market participants,” she said.

Johnson’s comments align with a broad shift in perceptions about how the nature of cyber threats has evolved in recent years, Debevoise & Plimpton partner Luke Dembosky told the Cybersecurity Law Report. The antiquated view that cybersecurity was an issue only a discrete division within a firm – typically an IT or information security team with limited resources and capabilities – had to worry about has given way to a far broader view of cyber risks and how to respond to them, he observed. A growing number of private sector players are urging senior management, from CEOs and boards of directors on down, to be more cognizant of the risks of doing business in an interconnected world and to develop and implement plans that involve more proactive testing along with up-to-the-minute plans and playbooks, he added.

“We’re seeing threat actors penetrate email, penetrate chats, and get into communications about the response – both the plans to try to eradicate their access and, potentially, any plan to negotiate with them over a ransom,” Dembosky observed. Firms have to identify alternative communications platforms, “so that you’re not left trying to figure out how your board, your response team and your negotiators are all going to communicate with you in the crisis.” Out-of-band communications methods are key if a firm suspects a threat actor may be able to eavesdrop on its usual systems, he advised.

See “Leading Attack Vectors and Other Key Findings From Verizon 2025 Data Breach Investigations Report” (Jun. 25, 2025).

Infiltration by North Korea’s IT Workers

If effective defenses, which Johnson calls for, are to be implemented, the most prevalent cybersecurity threats need to be more widely understood, Dembosky urged.

Evolution of a Calculated Threat

Although the dangers of bad actors gaining access to systems and data under a pretense of carrying out legitimate IT roles are not new, the specific provenance of one of the most serious threats is only starting to get the attention it warrants, Dembosky opined. That threat is a program that North Korea undertook shortly before the Covid-19 pandemic and has pursued vigorously since then, he observed. The program involves surreptitiously inserting remote IT workers into the workforces of the U.S. and other powers, with a view to collecting salaries and sometimes stealing data to support regime objectives.

“Either as full-time employees or as contractors, thousands of North Korean IT workers have been placed inside hundreds if not thousands of Western companies,” Dembosky stated. “The FBI and [Cybersecurity and Infrastructure Security Agency (CISA)] have warned industries that if you’re of any size and scale and you outsource IT functions and allow remote work, you may well have North Korean workers passing themselves off as someone else.”

In the last few years, Dembosky continued, he and his colleagues have advised clients that fell victim to this scheme in dozens of cases. All too often, firms may have been lulled by the sense that they were paying for wholly legitimate (and, of course, legal) outsourcing. In some cases, they may even have made use of a placement agency, unaware of the dangers they courted by establishing a nexus of interaction between their systems and data and a third-party service provider that had not undergone proper screening, he reported.

The threat has evolved considerably over time, Dembosky observed. Originally, some of the North Korean IT workers may have simply collected a salary, just like their counterparts from other countries. Then, they started to steal, or attempt to steal, data. “In the current iteration of the scheme – in some cases – they are threatening to dump the data on a public site unless they are paid the equivalent of a ‘severance,’” he said.

See also “Recognizing the Signs of Remote Employee Fraud to Save Money and Data” (Jun. 11, 2025).

Legality of Ransom Payments

Companies that discover infiltration and data theft by a fraudulent worker are caught in something of a double bind, because they want to protect the integrity of their data but do not want to break the law by making payments to bad actors, Dembosky noted. When a fraudulent worker is caught and terminated, the last bit of leverage they have is to extract some monetary penalty. But “it’s illegal to pay them” pursuant to the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) regulations, he noted.

Even if a firm feels that paying a “severance,” and preventing the dumping of its data on a public site will protect against further exposure of the data, the law applies, Dembosky said. OFAC sanctions can seriously complicate efforts to resolve the situation. A firm could apply to the Treasury Department for an emergency license, “but it’s certainly not the norm.” Thus, a firm can be stuck in a situation where it is unable to legally pay, “and the penalties for paying illegally are criminal,” he added.

See “Steps to Take After OFAC and FinCEN’s Warnings on Ransomware Payoffs” (Oct. 21, 2020).

Risk Mitigation Steps

Firms can minimize the risk of infiltration by fraudulent workers by investing in screening of prospective remote workers and outside service providers, even if they have made their services available through a reputable placement agency or otherwise act under the imprimatur of a respected source, Dembosky suggested.

Fortunately, the issue is very much on the radar of law enforcement, advisory bodies and tech firms. “There are patterns to the way that North Koreans carry out the scheme that one could learn about,” Dembosky said. “Speak with a trusted vendor in the space, consult with the FBI,” he advised.

Firms can consult with their local FBI office through InfraGard, for example, which makes such consultations between business and federal law enforcement possible, Dembosky continued. Another source is the Financial Services Information Sharing and Analysis Center, or FS‑ISAC. On the tech side, many resources are available, including sophisticated endpoint detection and response tools, he added.

Firms that may not “have the resources to do a full vetting of everybody” can prioritize vetting certain people, such as those who will work on their AI development program and/or the coding of the software that assesses lending and development risk, or who have access to the full trove of their investor data, Dembosky suggested.

International Cybersecurity Coordination in Public and Private Sectors

Johnson repeatedly emphasized the degree to which the digitization of commerce has made jurisdictional and national boundaries immaterial in considering the scope and severity of cyber risk. “The threats or risks born in one nation may quickly ripple across continents,” Johnson stated.

A weakness in a third-party service provider can cripple many financial institutions across jurisdictions in one fell swoop, Johnson warned. The severity of the danger underscores the need for a number of changes and protocols to foster a more united, holistic approach, she urged.

Johnson’s acknowledgement of the need for a cross-jurisdictional approach on the part of regulators, and their proactive stance toward registered entities’ adherence to cybersecurity standards and systems, is in line with current realities in the private sector, Dembosky affirmed. She recognizes that there is “intra-company dependence not just geographically, but across different functions within a company,” he observed. “And she emphasizes third-party issues because most businesses are far too complex just to rely on their own operations. They’ve got external people processing transactions, handling pieces of their data, doing certain clearing functions or performing other critical steps. And the diligence on that, historically, has been pretty static.”

See “Can the Cybersecurity Industry Improve Cooperation to Beat Threats?” (Jan. 13, 2021).

Cross-Border Regulatory Efforts

The scope of the threat calls for aligning supervisory approaches across borders, with a view to countering cyber risk in a coordinated manner, Johnson opined. Although some regulators, such as the Financial Stability Board (FSB) and CPMI-IOSCO, have set forth the principles they intend to pursue, Johnson warned that a fragmented approach will not be sufficient and called for global implementation. Among the standards that Johnson argued should be part of regulators’ shared expectations are ISO 27001, the National Institute of Standards and Technology, and the FSB’s cyber incident response guidance.

“It is worth exploring mutual recognition of cyber audits and certifications for third-party providers, especially cloud platforms,” Johnson added.

The reality is that the experience and sophistication of regulators in different territories and jurisdictions vary widely, Dembosky noted. “Sometimes, it isn’t well-understood how long it takes to get answers, and how much of a crush the first days of an incident response are,” Dembosky commented. There is now generally “a high level of incident response maturity in the West, but we do encounter regulators, especially in other parts of the world, who think that their 30 questions need to be answered immediately in the midst of a breach. And that often reflects a lack of understanding and experience with how incidents go and what the company has to prioritize in the immediate response,” he explained.

See “E.U. Coordinated Enforcement Framework Focuses on DPOs” (Sept. 6, 2023).

Evolving Third-Party Diligence Standards

Johnson urged firms to change how they supervise the cyber readiness and trustworthiness of entities and resources they rely upon. “We need a coordinated approach to supervising these critical third parties – through shared resilience testing, pooled audits, and transparent incident reporting,” she stated.

Proper third-party supervision includes “sending counterparties a questionnaire before you contract with them,” Dembosky advised, which asks, “Do you have cyber insurance? Do you have a response plan? Have you had an incident in the past year or two?” The questionnaire is “important, but it’s not enough. You need to understand how [counterparties] are going to interact with you, if there is a gray area for you or for them, what they’re going to share with you and vice versa, and how you’re going to communicate. And you need to monitor this going forward – it can’t be one-and-done on diligence.”

See “‘Everyone Wants to Speak to the CISO’ and Other Realities of Addressing Vendor Breaches” (May 14, 2025).

Disclosure of Breaches

Sharing Actionable Intel

It is imperative for not only government regulators but also private sector players to take a more proactive role in sharing information about cyber threats and incidents with others in the market, Johnson stressed. There is a role for private firms in building mutually accessible, real-time alert systems and threat-sharing protocols, she said.

“Silence, in the cyber domain, is a vulnerability,” she added, advocating for “transparent incident reporting” as a means to bolster critical awareness across industries and jurisdictions.

Johnson’s emphasis on transparent reporting signals certain problems with the manner in which some firms have disclosed, or failed to disclose, breaches in the past, limiting the ability of cyber experts to respond and adapt to the breaches by devising and implementing better defenses, Dembosky observed.

“Historically, there has been an impression that companies have underreported incidents, or, when they have reported them, they have not shared the story in a ‘fulsome’ manner. Certainly, the Biden Justice Department suggested that it wanted more fulsome reporting of cyber incidents,” Dembosky shared.

“The SEC, of course, under its last Chair, Gary Gensler, was quite aggressive about the level of detail that it required,” he added. “CISA has promulgated highly detailed reporting requirements, but we’ll have to see whether they eventually come into effect as written, or whether they will be amended or set aside by the new administration.”

See “How Will the Biden Administration’s Approach to Cybersecurity Impact the Private Sector?” (Dec. 16, 2020).

Timing Issue

“A lot of the new rulemaking is designed to get more information out of companies. That is a wholesome objective, but there’s a sweet spot in terms of the timing for incident reporting,” Dembosky noted.

Right after a cyber breach occurs or is detected, a firm’s personnel will understandably have extremely urgent tasks to handle that supersede information sharing. Any proposed amendments to disclosure protocols must take into account that reality.

“In the scramble of musical chairs to try to regain control of your network in the first 48 to 72 hours, it’s the wrong time to be stopping to draft detailed regulatory reports,” Dembosky clarified. “You may have to get word out to the market, but to require a firm to write up a detailed report for the regulators in that time period is a mistake.”

See “Navigating the Interplay of Breach Response and Breach Notification” (Oct. 26, 2022).

Incident Response Plans

The longstanding focus, on the part of regulators and companies, on preventing cyber breaches is all well and good, but, in Johnson’s view, present realities necessitate anticipating that attacks will happen and investing in effective responses. Understanding that reality has numerous implications for firms’ budgets, operations, and internal and external compliance cultures.

The investment “means building interoperable incident response plans,” which include “conducting joint cyber drills and tabletop exercise simulations and establishing trusted communications channels” that can be activated instantly in the event of a cross-border incident, she stated.

Johnson’s sense that it is necessary to treat cyber breaches as a question of “when, not if” is in line with the views of most professionals in the cybersecurity realm, affirmed Erik Weinick, a member at Otterbourg. “We focus on prevention, but in today’s threat landscape, we must assume that breaches will occur and focus on how we will respond,” he stated.

Delegating Communications Authority

Johnson could have gone into more detail on the designation of personnel within a firm who will be ready and available to respond when a breach occurs, Dembosky opined. Although it might seem an obvious step, not all companies have delegated responsibility for handling the response to a breach and making statements to the media if that course is deemed prudent. All too often, the assumption is that the most senior executive will be the first and last port of call. Unless there is a plan in place for the CEO to speak publicly, it would be a mistake to wake the company leader, perhaps in a different time zone, with a call in the small hours of the morning, he cautioned.

“There will always be some scramble, because there will be differing facts in every instance. But you want to focus on what the strategic issues are and make sure everyone knows their role and responsibility,” Dembosky advised. “Where and when will information make its way up to the senior leadership? How will we make sure they’re not overwhelmed at a senior level with all the blocking and tackling? Those work streams can be addressed down in the war room. If you dump everything on the CEO’s desk, the response will break down.”

When formulating an incident response plan, and determining who will be responsible for what, it is crucial to anticipate how a potential incident could affect the form in which such information will be accessible. If available only in electronic form – in a system that has been shut down – a contact list for employees designated to handle incident response will be inaccessible when most needed. “Those simple things don’t always seem like big issues. But you can’t really even get off the launch pad unless you can communicate effectively as part of your response plan,” Dembosky noted.

See “Cyber Crisis Communications – ‘No Comment’ Is Not an Option” (Sep. 7, 2022).

Addressing Overconcentration Risk and Supply Chain Gaps

Johnson stressed the dangers inherent in overconcentration of resources and reliance on a narrow range of counterparties and vendors. She identified three categories of counterparties that companies tend to rely on excessively, fostering opportunities for bad actors:

  1. cloud providers;
  2. fintech APIs; and
  3. software stacks.

Johnson’s perspective aligns with private sector cybersecurity professionals’ views, affirmed Weinick. “In some instances, there is an overreliance on a small number of vendors and outside service providers,” he summarized, which can be efficient, “but it also leaves us highly vulnerable.”

See “How to Select the Latest Cloud Security Tools and Platforms” (Aug. 21, 2024); and “FTC Settlement Spotlights Security of APIs Proliferating Across the Internet” (Mar. 5, 2025).

Making Due Investments

Even in the face of severe threat, some private sector players are simply not directing enough of their operating budgets to cyber defenses, Weinick observed.

Part of the issue here, he posited, is psychological in nature. To marshal the resources and exercise the discipline needed to invest huge sums of money on programs and protocols that are preventive or reactive in nature – i.e., addressing threats that a firm has so far been lucky enough to avoid – can be challenging, he elaborated, illustrating his point with an analogy. “It’s kind of like asbestos removal for the construction industry. It’s costly, and there’s no immediate, obvious benefit to the bottom line. You spend all this time and money, and the room still looks the same once the asbestos is removed,” he said.

That example may help people understand why some firms are dragging their feet when it comes to what is obviously one of the gravest, fastest-evolving threats they are likely to face. “When it comes to cybersecurity, you often don’t notice the issue until there’s a problem, and that’s why it is very easy to deprioritize it when it comes to budgeting, allocating resources and making sure that people are trained properly,” Weinick observed.

Cybersecurity must “be something that everybody in the organization takes seriously, because people represent the greatest vulnerabilities. They are the avenues that threat actors use to blow an organization wide open, what they view as the easiest way in,” Weinick instructed.

Global Enforcement

The Italian Sunshine Act Creates New Transparency Obligations for Healthcare Companies

After a long gestation period, the so-called Italian Sunshine Act (Act) was finally approved by Law No. 62 of May 31, 2022, setting forth provisions on transparency in relations between healthcare companies, government healthcare professionals (HCPs) and healthcare organizations (HCOs). However, it has taken almost three years for the Ministry of Health (MOH) to meet with healthcare industry associations to share its expectations on how the Act will be implemented logistically. Those expectations are surprising and significant in that companies will be required to publish the details of all transfers of value to HCPs and HCOs on an e-registry managed by the MOH (the Transparent Healthcare Registry or Registry).

This article reviews the trend over the last decade toward increased government transparency in Italy and how it led to the passage of the Act, what the Act requires of companies and how companies should react.

See “Takeaways From FTC’s Orders Targeting Digital Health Companies” (May 8, 2024).

Sunshine Is the Best Disinfectant

The Act addresses two related trends in Italy’s government administration over the past two decades: an increased desire for transparency and less tolerance for conflicts of interest. The Act is meant to increase visibility into healthcare spending and, as a result, decrease instances of conflicts of interest that can lead to criminal corruption.

Transparency

Transparency is a cornerstone of the Italian legal system and government administration. The government’s decision-making process is meant to be clearly visible so that citizens can be fully informed about the democratic functioning of institutions. Transparency promotes Italian citizens’ participation in government and helps to protect their rights. Additionally, transparency is an important asset in the fight against corruption. Generalized access to data related to public administration enables a form of citizen control with the primary purpose of preventing bribery, corruption and other illegal behaviors.

With that value in mind, a number of steps have been taken to increase government transparency. For example, the government has introduced Transparent Administration sections to the websites of each government body. On these websites, government bodies list to whom contracts were awarded, what service providers are paid and the remuneration of civil servants.

The Act is part of Italy’s move toward further transparency, but in a new form where it is private healthcare companies that must supply the data rather than public entities. This is a reversal of perspective where the responsibility for transparency in this sensitive sector falls on private entities as well as the government.

See “Healthline’s Record-Setting CCPA Settlement Offers Lessons on Transparency and Opt-Outs” (Aug. 6, 2025).

Increasing Scrutiny of Conflicts of Interest

Under Articles 97, 98 and 54 of the Italian Constitution, public officials are required to be impartial in the fulfillment of their roles, with a duty of loyalty and exclusive service to the nation. In 2012, Italy adopted new anti-corruption laws that included more explicit laws around conflicts of interest and strict sanctions for violations.

As conflicts of interest become an increasing concern, information on transfers of value to HCPs and HCOs will draw attention to possible conflicts of interest in the healthcare sector. Thus, the Act is a tool to decrease governmental conflicts of interest in the healthcare sector by raising awareness of where they are present.

Liability for Bid Rigging

Prevention of improper payments to HCPs and HCOs is even more critical for healthcare companies given additional legislative changes. In 2001, Legislative Decree 231/2001 introduced the liability of companies for illegal acts committed by company agents. In 2023, additional legislation was passed that added bid rigging, interference with the tender process and fraudulent transfers of value to the list of crimes committed by directors, employees and agents for which a company can be held liable.

As a consequence of this legislative change, any undue payment or illicit interference with the tender process, either before the call for a public tender or immediately thereafter, would trigger the application of heavy criminal penalties not only for the individual who committed the violation but also for the relevant company. Those penalties could include restraining measures such as being prohibited from entering into public contracts for a period of three years, restrictions on access to public funds, prohibitions on advertising the company’s goods and services, and significant pecuniary fines.

The requirements of the Act draw the attention of investigators to any suspicious interaction with HCPs and HCOs, especially when the HCOs are involved in public tenders. Investigators will be able to cross-check the information published in the Transparent Healthcare Registry with the information on contracts awarded by public administrations, which is publicly available under Italian law. The combination of the data available in the Transparent Healthcare Registry and the Transparent Administration sections of public administration websites could highlight possible conflicts of interest.

The Act Changes the Landscape

The Transparent Healthcare Registry will allow all citizens to freely access data regarding transfers of value from companies operating in the healthcare sector to the relevant HCPs and HCOs. The goals of the Registry are noble – to increase transparency and decrease government spending – but it may put a significant burden on healthcare companies.

Goals to Increase Transparency and Decrease Spending

The Act was inspired by the U.S. Physician Payments Sunshine Act of 2010 and the French Loi Bertrand of 2011. The goal of the Act is to prevent corruption in the healthcare sector, as well as to avoid conflicts of interest between HCPs/HCOs and the pharmaceutical, biomedical and other health-related industries.

Another relevant goal of the Act is to control public health expenditures. There is a popular belief that public healthcare spending is inflated due to inappropriate interactions between healthcare companies and HCPs/HCOs. HCPs and HCOs receive scientific, commercial and promotional information on the most innovative products, which could lead to benefits for patients and the National Health Service, but also to increased public spending. Thus, the Registry could be seen as an indirect way to curb spending.

When Disclosure Is Necessary

The Act requires mandatory disclosure of disbursements of money, goods, services and other benefits to HCPs and HCOs. For HCPs, disclosure is required when a disbursement has a value higher than €100 ($117) or a total annual value higher than €1,000 ($1,117). For HCOs, disclosure is required for transfers of value exceeding the €1,000 threshold or a total annual value of €2,500 ($2,928). Agreements between companies and HCPs or HCOs that produce direct or indirect benefits, consisting of participation in conferences, training events, advisory boards, scientific committees or research, consulting or proctoring services, are also subject to disclosure.

Additional transparency obligations are placed on individuals who hold shares in healthcare companies or have received remuneration for the economic use of industrial or intellectual property rights.

Penalties

Penalties for noncompliance include pecuniary fines and the publication of sanction measures in a dedicated section of the Transparent Healthcare Registry for a period of not less than 90 days.

Depending on the specific interaction, companies failing to disclose the relevant data can be sanctioned with a pecuniary fine up to €50,000 ($58,569) or €1,000 ($1,117) increased by 20 times the value of the transaction to which the omission refers. Moreover, companies that provide false declarations are subject to a pecuniary fine up to €100,000 ($117,137), unless the conduct constitutes a criminal offence.

The Act’s Impact So Far

These new obligations have had a significant impact already. The Act requires that healthcare companies carefully monitor interactions with HCPs/HCOs, and collect and promptly communicate to the MOH a significant amount of data that will be made available to the public.

Farmindustria, the Italian pharmaceutical industry association, and Confindustria Dispositivi Medici, the medical devices industry association in Italy, have voluntarily adopted disclosure obligations. However, these self-imposed obligations were significantly less burdensome than those now required under the Act.

Moreover, HCPs and HCOs used to be able to keep information about their interactions with healthcare companies confidential on privacy grounds, but no more. The Act mandates that privacy consent is automatically granted when a relevant transfer of value takes place.

Further differences between the disclosure obligations under the Act as compared to the previous industry association disclosure regime include: (1) pecuniary sanctions for non-disclosure, late disclosure and submission of incomplete information; and (2) the introduction of the Registry.

Tuning Up Compliance

From an operational point of view, companies in the healthcare sector must be ready to deal with the most immediate consequences and operational implications of the Act.

Coordinate Data Collection

Each company must identify a person responsible for collecting and reporting all data related to relationships with HCPs and HCOs to the MOH.

In large companies, the designated person may need to coordinate significant amounts of data from multiple business functions in order to capture all information covered by the Act.

Invitations of HCPs to conferences, congresses or other scientific information-sharing meetings are a good example of how complicated the data reporting requirements of the Act can be for a large company. These invitations may be considered marketing activities, charitable donations or sponsorships. In each case, a different internal team at the company may be involved, and, indeed, multiple teams might be involved in a single event.

Due to this complexity, the designated person responsible for reporting may need authority and support to establish procedures to ensure proper data collection.

See our two-part series on emerging issues in workplace privacy: “Data Collected and Employees’ Perspectives” (Oct. 23, 2024), and “Regulations and Compliance Strategies” (Oct. 30, 2024).

Consider Data Privacy

The implementation of the Act requires disclosure of many transactions involving HCPs and HCOs, including those that could be considered a source of potential conflicts of interest. With this change, investigators will be able to access information about suspicious transfers of value or awards of contracts both from the government administration receiving the value through the Transparent Administration sections of their websites, and from the private company providing the value through the Registry. Thus, information that was previously considered confidential and, in some cases, even protected by privacy laws, will soon become public.

Further, as noted above, the Act expressly provides that consent to the disclosure and processing of data by HCPs and HCOs is considered to be implicitly granted through the acceptance of the transfer of value. However, companies are required to provide HCPs and HCOs with a privacy notice indicating that the data will be published in the Registry. This is a significant legislative change, since HCPs and HCOs were previously able to prevent the publication of data pertaining to them by refusing consent to the disclosure.

See “Practical Strategies for Effective Consent Management” (Sep. 25, 2024).

Vet Conflicts of Interest

With conflicts of interest now firmly in the spotlight due to the Act, companies in the healthcare sector should take a look at the adequacy of their internal controls for preventing conflicts. Companies will need to be able to verify that transfers of value, whether direct or indirect, offered to HCPs working for customers of healthcare companies are in line with best compliance practices and do not give rise to suspicions or misunderstandings.

For example, paying HCPs to serve on advisory boards or as speakers at industry events could be misinterpreted if payments are made during negotiations for contracts or during bidding for public tenders. Sponsorship of events and congresses can raise similar concerns.

Thus, the implementation of the Act should be regarded as an opportunity to update companies’ internal compliance programs for the prevention of conflicts of interest.

Companies should adopt specific policies and procedures and update their internal compliance models under Legislative Decree No. 231/2001 to avoid – as much as possible – interactions with HCPs and HCOs when a public procurement proceeding is pending or when business relationships are in place.


Roberto Cursano is a partner at Studio Legale Delfino e Associati Willkie Farr & Gallagher LLP, based in Rome, Italy. His practice focuses on public law, compliance, investigations and trade compliance issues. A former official of the MOH, he has significant experience in the healthcare and life sciences industry. Cursano assists clients with regulatory matters, including those related to research and development, manufacturing, marketing of medical products, product recalls, and interactions with HCPs and HCOs.