Incident Response

When the Phones Ring: What 100 Security Breaches Reveal About Candor, Fear and Trust in Crisis

An analysis of 100 breaches and thousands of resultant press reports reveals that empathy and transparency, not perfection, define the new standard of crisis leadership. In legal and professional parlance, empathy can be seen as soft, as an unwillingness to go to the mattresses with aggression, but it is actually a superpower. It has helped uncover critical facts, earn trust and keep clients out of proverbial hot water time and time again. The breach research conducted for this article shows that empathy is not only good business but also a powerful risk mitigation technique. It builds real and enduring trust with regulators, demonstrating that a company and its incident response team are reliable doers and solvers. While assertiveness has its place, starting with empathy yields deeper insights and stronger relationships.

By showing humanity, the combined team of Lowenstein Sandler and Intrepid Agency has identified errors buried deep in log files, gained insight into legacy systems that clients were initially hesitant to acknowledge and built relationships that transcend transactional business to communicate with clarity. Empathy cuts through the corporate noise, the posturing, the politics, the fear, and gets to the truth, however uncomfortable – it is the reason results happen and the key ingredient when the phone rings in a breach.

This article parses the research findings, sets forth the elements for crafting a trust-building response to an incident, provides guidance for putting those elements to work and offers examples of companies that got it right.

See “‘Everyone Wants to Speak to the CISO’ and Other Realities of Addressing Vendor Breaches” (May 14, 2025).

The Research: 100 Breaches, One Pattern

When a call is made following an incident, what follows the ringtone and the obligatory hello is almost never a technical crisis alone. It is the start of a deeply human crisis that happens to involve technology.

Fear often takes control during an incident, and the instinct to hide, minimize or delay can overpower reason and logic. However, research and more than a decade of breach response experience show that the words we choose determine whether we move from panic to progress.

Methodology

The authors examined 100 public breach announcements and corresponding press reports across industries – including healthcare, finance, technology and retail – to evaluate the impact of language and tone on trust. The announcements were drawn from authoritative sources, including the Privacy Rights Clearinghouse, state AG websites that publicly disclose breaches, the Department of Health and Human Services’ “Over 500” breach list and the Identity Theft Resource Center.

Using three generative AI large language models, the authors analyzed press coverage within two months of each public breach announcement to assess the language used and to classify trust outcomes based on the prevalence and tone of positive or negative media reporting. While the research cannot be fully comprehensive, using AI allowed a significant volume of press to be analyzed quickly. Where possible, the authors supplemented the media analysis with the SEC 8‑K announcements that tend to drive an important piece of the press cycle for public companies.

Findings

The findings were striking – tone predicted recovery more strongly than breach severity. The most significant predictor of restored customer, client and business partner trust was not how quickly a company patched systems; it was how quickly it spoke the truth. This concept of “truth sunlight” often runs completely counter to what many corporate teams expect, especially in the dark, ominous cloud of the fearful first hour after disaster strikes.

The chart below sets forth common breach tone archetypes and their “trust outcome,” which was measured by assessing whether the entity faced press skewering or praise. Notably, the press often drove the messages that were also picked up in regulatory enforcement and resultant class action suits.

Figure 1: Breach Tone Archetypes – Which Build Trust?

Columns: Tone Category | Frequency in Breach Comms | Trust Outcome | Common Traits | Examples of Language[1]

Transparent Technician (the CISO)
Frequency in Breach Comms: 28%
Trust Outcome: High
Common Traits:
  • Plainspoken, timely, detailed
  • Reduces fear, shows operational control
  • Comms often delivered by the CISO/security team
  • Comms can be reinforced by the CEO
  • Sufficient facts were available
Examples of Language:
  • At 2:17 a.m., threat detection systems identified ransomware encrypting our accounting servers. Containment was completed within 34 minutes. No client data was exfiltrated; backups were restored at 6:00 a.m. from system images.
  • A phishing campaign compromised three employee credentials on July 8. The attacker accessed one shared drive for 22 minutes; audit logs confirm no access to classified systems. All passwords rotated within two hours.
  • Larger breaches with technical alert pages and real-time alerting and downtime awareness/status.

Empathetic Responder (CISO, CEO, with assistance from branch offices)
Frequency in Breach Comms: 24%
Trust Outcome: High
Common Traits:
  • Empathetic (acknowledges impact on people)
  • Forward-looking
  • Uses “I” or “we” for accountability
  • Calm, factual and caring
  • Connects response to values (e.g., safety, trust, learning)
  • Sufficient facts were available to humanize the announcement
  • CEO or COO typically takes the lead in comms
Examples of Language:
  • A vendor breach affected about 2 million of our customers. We paused transactions and alerted them personally where we found fraud. We are also sitting down with the supplier’s security team to ensure this does not happen again.
  • We isolated the affected servers and restored all systems within three days. We recognize this disruption impacted operations, and our teams worked continuous shifts to contain the breach. Through quick action, we limited exposure to under 10% of client data and ensured full system restoration.

Technical Overloader (CISO, CEO)
Frequency in Breach Comms: 12%
Trust Outcome: Moderate
Common Traits:
  • Complex and jargon-heavy
  • Difficult for a general audience to understand
  • Not accompanied by a plain-language statement for clarity
Examples of Language:
  • An unauthorized actor exploited a CVE‑086‑75309 vulnerability in the WAF reverse proxy layer, triggering an anomalous TLS handshake loop and buffer overflow leading to a session token expiration.
  • Public S3 object ACLs were mis-set to READ allowing enumerated GET requests from external IPs. Bucket policies have been reverted and IAM role boundaries enforced.

Legalistic Shielder (CISO, CEO)
Frequency in Breach Comms: 26%
Trust Outcome: Low
Common Traits:
  • Defensive and vague (e.g., “may have impacted,” “certain systems”)
  • Attempts to minimize liability
  • Sounds evasive, erodes trust
  • Could increase liability once deployed
Examples of Language:
  • We experienced a cybersecurity incident that may have affected certain systems. We immediately engaged a leading forensics firm to assist.
  • A vendor experienced a data security issue which may have impacted some of our systems.

Defensive Deflector (CISO, CEO)
Frequency in Breach Comms: 10%
Trust Outcome: Very Low
Common Traits:
  • Vague and blame-shifting
  • Evasive, worst when blame is abstract
  • Sometimes necessary if the offender is uncooperative
  • Should leverage business relationships to elicit more concrete language
  • Often overlaps with the Legalistic Shielder tone
Examples of Language:
  • A former employee may have acted outside of established company policy.
  • A third-party vendor experienced a security incident that may have impacted some of our customers.

Three Elements of Trust-Building Statements

The elements that add up to trust in incident response messaging are candor, humility and relentless remediation.

Element 1: Candor

When a breach or privacy event occurs, the instinct to minimize or obscure the facts is strong. But history shows that lack of transparency only deepens the damage.

Early Openness

Equifax’s vague statements and delayed disclosure after its 2017 breach led to congressional hearings, executive resignations and a $700‑million settlement. In contrast, Maersk’s openness about the NotPetya attack – admitting the scale and impact – earned praise and enabled a swift recovery. Transparency is not just the right thing to do. It is essential for protecting reputation and restoring trust.

Avoiding Legalese

When breach disclosures are wrapped in legalese, they tend to conceal more than they reveal. Engineered language might minimize liability, but it can also obscure facts and erode trust, which ultimately creates more liability.

Companies should not ignore the law. Compliance is non-negotiable. But when there is flexibility, they should choose plain language. Below are some examples of legal-sounding statements that can be clarified:

  • “May have impacted certain systems.” If the facts are unclear, companies should simply state what is known and what is still being investigated.
  • “No evidence of misuse at this time.” If evidence is insufficient in the first instance, companies should clarify ongoing monitoring efforts and their commitment to transparency.
  • “Out of an abundance of caution, we are notifying the potentially affected individuals.” If a company is notifying broadly to protect customers, it should say so plainly.
  • “We continue to assess the scope and impact of the incident.” If the full scope of the incident is uncertain, companies should instead share confirmed facts and acknowledge the ongoing investigation.

Many breach professionals have used the aforementioned phrases; the goal is to minimize them when possible and prioritize candor. Clear, honest communication builds trust and strengthens an organization’s reputation.

See “Cyber Crisis Communications – ‘No Comment’ Is Not an Option” (Sep. 7, 2022).

Element 2: Humility

Incidents expose vulnerabilities, both technical and organizational. A humble response acknowledges this and avoids defensiveness. The analysis of the 100 breaches revealed that “Empathetic Responder” tone statements achieved the highest trust outcome scores, based on favorable coverage and fewer follow-on enforcement actions. Language such as “We’re still investigating, but we know this much so far” generated more trust than generic assurances like “We take this seriously.” Humility does not weaken credibility; it anchors it.

Element 3: Relentless Remediation

Relentless remediation means transforming every breach into a training dataset for improvement. For example, when a company experiences data poisoning, where attackers manipulate training data to corrupt AI models, transparent disclosure and rapid remediation are essential to restore trust and prevent further harm. The lesson is clear: progress is built on smart iteration, not perfection.

Putting the Elements to Work

Eliminating Fear-Driven Decisions

The most vulnerable system in any breach is not the network; it is the people responding to it. When professionals fear for their jobs or reputations, especially in those tense first hours, that fear can lead to mistakes, cover-ups and poor judgment. Good counsel and communications teams understand this and step in to help, offering guidance and reassurance when it is needed most. That is why accountability, transparency and empathy matter just as much as technical containment. Candor, humility and relentless remediation are not just public relations strategies. They are the antidote to panic and the foundation for recovery.

The analysis across 100 breach communications shows that words carry weight equal to system architecture. Companies that lead with candor recover faster. Those that show humility retain trust. Those that remediate relentlessly build resilience. Fear cannot be eliminated from crisis, but companies can design cultures where truth becomes the first instinct, not the last resort. It is time to recognize, reward and cultivate this critical asset. Fear is contagious, but so is candor.

See “New Pressures Shift Best Practices for Ransomware Crisis Communications” (Oct. 13, 2021).

Educating Lawyers on Tech

The breach research and the calls the authors receive every Friday at 5 p.m. reveal one truth: candor, humility and relentless remediation are only possible when legal counsel truly understands the technology. When lawyers are trying to catch up with engineers, candor slows, humility becomes hesitation and remediation turns into paperwork instead of progress.

Lawyers who are fluent in both law and multiple areas of technology create a faster and more credible response. They can interpret complex facts quickly and translate them into precise legal narratives that withstand regulatory scrutiny. When the CISO mentions a kernel exploit, they know exactly which kernel. When regulators ask when the system was isolated, they have the time stamp and can explain the isolation architecture.

Lawyers with technological knowledge are even more effective when supported by former DOJ and state AG lawyers, who bring immediate regulatory credibility to every response. Together, they bridge disciplines such as privacy, cybersecurity, AI, telecommunications and enforcement, allowing them to understand facts, restore control and lead with authority when systems falter.

See “What Does It Mean to Be Technologically Competent?” (May 15, 2019).

Coordinating Legal and Crisis Communications Teams

An effective breach-response team also includes crisis communications professionals with deep experience managing cyber incidents and an understanding of how to partner with technical legal counsel. This coordinated team can translate complex technical facts into clear, human-centered language without compromising legal accuracy or regulatory readiness, and do so throughout the response.

Division of Responsibility

Even attorneys with exceptional communication instincts should not be expected to carry the full weight of tone, empathy and contextual framing on their own. Their role is to ensure accuracy, structural integrity and regulatory defensibility. Crisis-seasoned professionals bring a parallel discipline – crafting messages that are compassionate, accessible and stabilizing under pressure. Empathy and clarity are specialties in the same way as forensics, incident containment and legal interpretation. The first draft of a breach message, produced under technical or legal urgency, is rarely the version stakeholders need.

Skilled communicators collaborate with legal and other response team members to refine that draft, so it speaks to human impact without weakening legal positioning, transforming facts into plainspoken understanding. This division of responsibility enables focus. Attorneys shoulder the burden of legal risk. Crisis communications experts shoulder the burden of public trust. Incident response works when those burdens are shared, balanced and aligned, when accuracy and empathy are synchronized rather than competing.

Advance Preparation

Because of the need for coordination, the worst time for public relations and legal to meet is in the fog of an active incident, which is sardonically referred to as a “shotgun wedding.” Without established relationships or shared workflows, tone becomes inconsistent, response time slows, and fear and uncertainty fill the gaps where trust should be. Assembling a team under duress, with no established process, no shared vocabulary, no coordinated guardrails and no unified understanding of what trustworthy communication looks like is problematic.

The antidote is preparation. It is imperative to integrate legal and communications collaboration during planning, tabletop exercises and risk assessments, not after systems go down. In those moments of preparation, legal establishes the boundaries of accuracy and risk, and communications establishes the cadence, tone and clarity needed for trust. Together, they build the shared mental model an organization must rely on during a crisis.

And when a breach does occur, that preparation pays dividends. Instead of scrambling or contradicting one another, the team moves with practiced coordination. Instead of defensiveness, the response is grounded in clarity. Messaging becomes a steady, trust-building narrative rather than a rush of reactive statements. This is how empathy becomes operational, how it becomes muscle memory rather than an aspiration spoken in hindsight. With that foundation in place, the structure of the team becomes clear and legal’s role comes into sharper focus.

It is important to emphasize that in effective breach response, legal is not a speed bump; it is the control system that stabilizes crisis response. A team that unites legal precision, technical literacy and skilled communication moves at the pace of the breach, not the pace of paperwork. That speed turns panic into process and process into trust.

See this three-part series on when and how legal and information security should engage on cyber strategy: “It Starts With Governance” (Mar. 28, 2018), “Assessments and Incident Response” (Apr. 11, 2018), and “Vendors and M&A” (Apr. 18, 2018).

Crafting Trust-Based Holding Statements When Facts Are Scarce

The trust-building statements in the Figure 1 chart require facts to be effective. However, in the first hours of an incident, facts are often incomplete, and it may be too early to confirm whether the event qualifies as a “breach” under regulatory definitions. At the same time, media, clients and internal teams expect clarity. In some cases, leaks or event circumstances such as ransomware disruption can force a response before companies are fully ready to make a disclosure.

When in the fog of investigation, companies should adhere to the following lodestars to avoid an evasive response:

  • be honest about what you know (and do not know);
  • stay calm and disciplined; and
  • ensure structural safety in your messaging – be legally accurate, non-misleading and transparent without sounding defensive.

When true breach facts are unknown, an “I don’t know yet” statement can be used to describe the investigation and recovery process to ensure accuracy and not overpromise. The chart below reflects examples of “I don’t know yet” holding statements, contrasting evasive responses with trust-building alternatives.

Figure 2: Comparison of Statements

Evasive Response: We cannot comment at this time.
Trust-Building Response: We’re still gathering facts. The systems team began its review this morning, and we’ll share confirmed information as soon as it is verified.

Evasive Response: The cause of the incident is under investigation.
Trust-Building Response: Right now, we know a system alert triggered overnight, but we haven’t confirmed its cause. Our first priority is isolating data that could pose a risk to our valued customers and partners.

Evasive Response: It’s too early to tell how many people are affected.
Trust-Building Response: We don’t yet have a verified count of affected records. This will take time. Our analysts are reviewing access logs to determine scope, and we’ll update once that verification is complete.

Patterns of Praise: Who Gets It Right?

The following companies proved that speed, honesty and empathy are not opposites, but rather dependencies.

Cisco (2022 Breach)

Cisco’s response emphasized transparency and control, repeatedly assuring stakeholders that products, services and sensitive customer data were unaffected. The company quickly contained the attack, shared technical details via blog posts and collaborated with law enforcement, positioning the event as a learning opportunity for the security community. Analysts framed the breach as a “wake-up call” for credential hygiene rather than a catastrophic failure, reinforcing Cisco’s credibility despite the Yanluowang group’s claims.

Cloudflare (Cloudbleed 2017)

Faced with a severe vulnerability, Cloudflare acted decisively, patching the bug within hours, disabling risky features and working with Google to scrub cached data. Within 72 hours, CEO Matthew Prince published a detailed postmortem explaining the root cause and mitigation steps. This radical transparency turned a potential public relations disaster into a trust-building moment, earning praise for speed and openness.

Marriott (2018 Breach)

The Marriott breach exposed millions of guest records, creating a major reputational challenge. Marriott adopted voluntary disclosure, promptly notifying regulators and customers, and committed to years of remediation, strengthening security programs, settling with regulators and maintaining ongoing communication. This sustained transparency and accountability helped Marriott rebuild trust and reinforce its reputation as a brand committed to integrity and customer protection.

See “Ten Steps for Effective Crisis Communications” (Dec. 19, 2018).


Amy Mushahwar is the chair of Lowenstein’s data privacy, security, safety & risk management practice, leading a multidisciplinary team that unites law, technology and human insight to help organizations design, defend and sustain trusted systems in an increasingly intelligent world. She is a legal-technology leader, former CISO and technologist who advises innovators who believe progress and protection must move in synchrony. With more than 20 years dedicated to a technology-enabled law practice, and firsthand leadership experience, Mushahwar bridges the space between boardroom accountability and engineering reality. She has responded to hundreds of incidents, including breaches involving millions of individuals and thousands of companies. Her particular specialty is scaling communications and operations for large-scale incident response. Mushahwar has significant understanding of threat intelligence, security service provider stacks, business continuity and AI that helps her look holistically at a client’s business operations and IT in crisis.

Chris Thomas, APR, is president of Intrepid Agency and has 30 years of experience managing more than 300 issues and crises including for Fortune 500 companies, global brands, government agencies and professional sports teams. He has led communications responses for more than a dozen data breaches. In addition, Thomas helps organizations prepare for cybersecurity incidents through crisis communication planning, crisis media spokesperson trainings and simulation exercises.


[1] All example language has been adapted (i.e., times, dates and certain factual details) to protect company anonymity.

Executive Orders

Analyzing the New U.S. National Cyber Strategy and Executive Order on Scams

On March 6, 2026, the administration released “President Trump’s Cyber Strategy for America” (Strategy), revealing the administration’s overarching cybersecurity priorities and promise of future action. Broadly, the Strategy encourages a more offense-oriented approach in cyberspace and greater public-private coordination to disrupt threat actors and protect American networks and technology.

The Strategy is divided into six “Pillars of Action.” The first two pillars, on aggressively undermining adversaries’ behavior and advancing “common sense regulation,” stand out from the Biden administration’s objectives and dovetail with this administration’s overall rhetoric. The other four are staples of recent national cyber strategies.

Executive Order 14390 (Cybercrime EO), released the same day as the Strategy, targets transnational criminal organizations (TCOs) engaged in cybercrime and fraud schemes. More than the Strategy, the EO breaks ground by giving “a signal from the White House that we haven’t gotten before, in a space where we are all trying to figure out what to do,” said Nicole Tisdale, interim senior director of Aspen Digital. Only the White House could elevate the campaign against consumer swindles and corporate fraud across agency and enforcement silos, she told the Cybersecurity Law Report, explaining that while DOJ can pursue fraud cases, for example, it lacks the authority to convene and coordinate all the relevant players.

This article explains the likely impacts of the Strategy and the Cybercrime EO on companies and national policy, and discusses key aspects to watch, with commentary from Tisdale and leading practitioners from Boies Schiller and Skadden. It also includes National Cyber Director Sean Cairncross’ subsequent public comments on administration plans and analysis from a Venable webinar.

See “Decoding the Administration’s First Cyber Executive Order” (Jun. 25, 2025).

Six Pillars and a Few Pilot Programs

The six-page Strategy provides few implementation specifics, unlike the Biden administration’s 28-page EO on national cybersecurity in early 2025 (subsequently softened by the Trump administration).

See “How the 2025 Cybersecurity Executive Order Affects Business” (Feb. 5, 2025).

Overarching Theme: Innovation and Technology Dominance

The Strategy’s themes – deterrence, regulatory streamlining, federal systems modernization, infrastructure security and workforce growth – make it “almost a status quo statement,” Tisdale observed. The consistency helps companies. “Businesses operate more than every four years. [The Strategy supports] investments that [enterprises] made during the Biden administration that now carry over into the Trump administration,” she said.

The Strategy is concise by design, noted Venable senior director of cybersecurity services Caitlin Clarke. “It establishes a posture, it defines priorities and it sets direction,” she said. The document promises to “unleash innovation, accelerate economic growth, and secure American technology dominance.” It states that cyberspace is central to economic security as well as national security, and that nation-states and criminal networks are targeting American companies’ emerging technologies as well as critical infrastructure, she highlighted.

The final Biden cyber EO mentioned “Promoting Innovation” in its title and directed funding and actions to accelerate AI development and deployment, but lacked the economic rhetoric in this Strategy.

See “SEC Commissioners Urge Balance of Crypto Innovation and Privacy” (Jan. 21, 2026).

Pillar I: Impose Costs on Adversaries to Stop Their Behavior

In three speeches following the release of the Strategy, National Cyber Director Sean Cairncross reiterated that the White House aims to deter and disrupt adversaries by combining America’s private-sector prowess with public players’ capacities.

Information Sharing

“Shaping Adversary Behavior,” pillar one, aims to impose real costs on malicious actors. “Implicit in this pillar is the recognition that many advanced persistent threats and ransomware actors have operated at low risk and with high reward,” Clarke noted.

The Strategy acknowledges that deterring adversaries will require both defensive and offensive actions. Cairncross revealed that the government plans to pressure bad actors by coordinating operational cyber, diplomatic, legal and military capabilities, but also “we are looking for real partnership” with companies to fully knock back cyber enemies, he said during a March 17, 2026, fireside at Auburn University. “The ability of our private sector to illuminate the battlefield, from what they’re seeing, to inform and share information” with the U.S. government will help the nation get ahead of adversaries, he emphasized.

Pillar one suggests that the U.S. government could demand that cybersecurity firms and other companies that amass threat intelligence align with the national mission and share information with it, Skadden partner Bill Ridgway told the Cybersecurity Law Report. The difficulty with providing such details is that “a lot of the information that a cybersecurity firm may accumulate through client engagements is confidential,” requiring diligent sorting before sharing, he noted. The bigger and persistent obstacle, though, is that companies can face liability for sharing information that turns out to be inaccurate and affects another party that acts on it, he observed.

“We’re looking for ways to streamline information sharing from the [U.S. government] side,” Cairncross pledged at a Billington event on March 9, 2026. The government has had its own problems with sorting and delay that have limited such collaboration, he acknowledged. “Often, how we know things is extremely sensitive, what we know is less so,” so the goal is “to figure out how to communicate that in a helpful, actionable way,” he said.

See “Cyber Information Sharing Leader Discusses Frenemies, AI and Key Law Soon to Expire” (Aug. 6, 2025).

Companies Hacking Back at the Enemy

The administration is assessing “what do we need to do to better protect industry from foreign adversaries and criminals, and how can we create space for the industry to react,” Cairncross said at a USTelecom event on March 9, 2026.

Legal risks must be addressed before companies will agree to “hack back” at adversaries (beyond some disruption of attacker networks). “When it comes to [creating] a genuine open playing field for offensive cybersecurity that is realistic for folks in the private sector,” Ridgway said, “there would have to be quite an overhaul in the law because existing regimes and a lot of state law analogs” do not offer protection to companies, with many uncertainties and “overlapping jurisdictions,” he added.

Some cyber leaders, maybe with a federal background, would relish taking action to neutralize attackers despite the legal gray area. The Trump administration might be receptive “if any company wanted to take a little more of a swashbuckling attitude towards the problem” and run their plans by the administration, Boies Schiller partner Dan Boyle told the Cybersecurity Law Report.

See “Prioritizing Public-Private Partnerships in an Increasingly Complex Regulatory Environment” (Mar. 2, 2022).

Pillar II: Promote “Common Sense Regulation”

This pillar denounces “costly checklists” of compliance mandates, vowing to “streamline” the regulatory burdens that impede companies’ investment in added cybersecurity. What actions will result from this deregulation promise are harder to predict, Ridgway said. “It bears similarities to the things we’ve seen in the AI policy that the administration has put forward in terms of trying to reduce regulation,” he added, alluding to the administration’s framework to preempt state AI laws.

Any pullback in federal cyber regulation likely would not impact companies much unless the effort includes preemption of other regulations, Ridgway posited. “For global businesses, a lot of the cybersecurity requirements that are most relevant to them either come from overseas jurisdictions or from the states active in this space, and less from the federal government,” he elaborated.

In terms of genuine investment, the administration expects private sector CEOs to “dedicate some real resources” to improved cybersecurity, Cairncross warned during the USTelecom speech. While “Director Cairncross called for industry to uphold standards like security and privacy by design,” he also “said that the administration was going to do its part to streamline regulations and compliance burdens,” Clarke pointed out.

Should the administration extend its streamlining of federal regulations to better harmonize them, American cybersecurity and the private sector would benefit, Tisdale pointed out. “I was excited for that [goal] to get top billing. As we’ve been talking and working with the White House, it has been top of mind” in the discussions, she shared. When Congress and agencies write laws, the drafters rarely know “the full universe” of other regulations that could clash with the proposed law, which is a pervasive hindrance on legislation and compliance, she elaborated.

See “Navigating DoD’s Final Cybersecurity Maturity Model Certification Program Rules” (Oct. 1, 2025).

Pillar IV: Secure Critical Infrastructure

The Strategy’s foreword highlights that cyberattacks’ business and economic costs are “disrupting critical services like healthcare, banking, food supply, and water treatment.”

In one of the most concrete steps associated with the Strategy, Cairncross announced a plan to launch pilot programs for different sectors. Initial sectors that will be addressed include water in Texas, beef and agriculture in South Dakota and rural hospitals.

“It was very telling that water continues to be at the top of everybody’s worry and priority list across multiple administrations,” Tisdale noted. Adversaries are targeting water systems, while data centers add further strain to already vulnerable systems in many swaths of the country, she pointed out.

This pillar explicitly “leans into a partnership model,” Clarke observed. Public-private coordination in critical infrastructure really matters because the “owners and operators are not federal entities, they’re private companies or even local authorities” at the state, tribal and territorial levels, she said. The partnership will also support continuity of operations and recovery, “to ensure that essential services can function even if they are targeted,” she added.

Regulation shadows Pillar IV. The Cybersecurity and Infrastructure Security Agency (CISA) delayed issuing its final rule to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) until May 2026, Ridgway noted. Companies are watching to see how much “this pillar will interact with the guidance that the critical infrastructure sectors are anticipating,” he reported. That guidance will show how the administration balances the need for heightened security requirements in the riskiest sectors with its pledge to lower regulatory burdens.

See “Cyber Risks in Aviation: Navigating Turbulent Skies Ahead” (Mar. 22, 2023).

Pillars III, V, VI: Breakthroughs on Longstanding Priorities?

Pillar III avers that the administration will accelerate modern security for federal government networks. “Federal networks remain high value targets. They store sensitive data, support national security operations and underpin public trust,” making modernization for federal networks crucial, Clarke emphasized.

Pillar III stands out for presenting zero trust “as a baseline architecture, moving away from perimeter-based security towards continuous verification of users, devices and access privileges,” Clarke said. It also endorses “post-quantum cryptography, cloud transition, AI-powered cybersecurity solutions and proactive threat hunting,” she added.

Pillar V pledges to advance American superiority in key technologies, by “implement[ing] AI-enabled cyber tools to detect, divert, and deceive threat actors. We will rapidly adopt and promote agentic AI in ways that securely scale network defense and disruption.” It also promises cyber diplomacy to ensure U.S. leadership in generative AI and agentic AI.

Pillar VI addresses a perennial issue: the gaps plaguing the U.S. cyber workforce. Entry-level jobs in security are scarce, but “there are a ton of open mid-level jobs. The trouble is the pipeline of getting people to those necessary points” in experience, noted Ari Schwartz, Venable managing director of cybersecurity services. Cairncross revealed a plan to establish a federal cyber academy with “a foundry” and “an accelerator” that would draw private sector innovation and capacity to help develop the workforce.

See “Senior Commerce Official Discusses Supply Chain Security and Cyber Policy” (Oct. 21, 2020).

Executive Order on Frauds and Scams

The Cybercrime EO stands out for strengthening coordination to address an avalanche of AI swindles, promising to help combat ransomware and possibly routing funds to victims.

Creation of Coordination Mechanism

The Cybercrime EO, titled “Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens,” directs agencies to strengthen coordination against TCOs, develop action plans to prevent cyber-enabled fraud, and integrate law enforcement, intelligence, diplomatic, and cyber capabilities to protect Americans. It aims to disrupt criminal infrastructure, paralleling Pillar I.

The administration is addressing a ripening issue, Boyle said. “The AI tools becoming available to cybercriminals, combined with the volume of funds and the alleged involvement of nation states, makes this problem seem like it can’t really be ignored,” he summarized.

The Cybercrime EO directs Cairncross and several cabinet secretaries to create an action plan within 120 days to dismantle and disrupt the TCOs running cyber scam centers. It builds on EO 14159 of January 2025, which addresses drug-related TCOs targeting Americans. The action plan will create an operational cell within the National Coordination Center (NCC) launched by the earlier EO on TCOs.

“The coordination mechanism within the NCC is a really good sign,” Tisdale opined. “Coordination is a thing nobody gets excited about, but it is noticed when it’s missing,” she pointed out. “One of the hardest things for the private sector is navigating who to talk to” about problems, she said.

The Cybercrime EO parallels the Strategy in elevating ransomware ecosystems and overseas scam centers to a national security threat that merits “an integrated response combining intelligence, law enforcement, economic tools, and cyber operations,” Clarke observed.

To successfully address the scam center problem, agencies the Cybercrime EO omits should also be involved, Tisdale stressed. The SEC, FTC and U.S. Trade Representative (USTR) all should have a role, she said. USTR negotiates and has levers that the FBI does not have. Designating a group as a TCO “requires a lot of diplomatic negotiations” with countries that may be turning a blind eye to scam farms’ criminality, Tisdale spotlighted.

See “How Designating TCOs As Terrorist Organizations Creates Risks for Financial Institutions and Beyond” (Jun. 4, 2025).

Impact on Businesses Fighting Ransomware

If the government designates ransomware groups and skilled social engineering networks as TCOs, it will affect companies’ decisions on whether to pay, Ridgway cautioned. Nearly half the companies facing a ransom end up paying it, cybersecurity company Sophos reported in 2025, but the proportion could shrink with TCO designations for cybercrimes as companies would want to avoid the risk of violating sanctions, he predicted.

The Cybercrime EO’s concrete measures could benefit the private sector, Ridgway continued. Companies have been “receptive to the idea that this [battle] could be better organized and there might be some tools that the U.S. government could use to help companies” facing these issues.

A TCO designation for scam perpetrators might chip away at the success of AI-enhanced swindles and ransomware exploits. The perpetration of fraud in Poland, for example, shows the power of AI to fuel scams, Tisdale pointed out. Relatively few people speak Polish and fraud-pushing bots had never mastered its many dialects. However, as country officials recently told Tisdale, for the first time, scam messages are now mastering the Polish dialects and fooling their fellow citizens.

See “Reference Guide to 2025 Executive Orders for Compliance Professionals” (Apr. 9, 2025).

Victim Restoration and Its Challenges

The Cybercrime EO directs the U.S. AG to report in 90 days on establishing a victim restoration program from funds clawed back from predatory ransomware schemes. “That signal to the American public is important” given the societal costs of fraud, Tisdale opined.

Companies are eager to confirm the program will cover them, Ridgway observed. “A lot of the larger payments to [crime] groups are coming from major companies that have either been ransomed or socially engineered,” he reported.

The EO meshes with the administration’s friendliness toward cryptocurrency players, Boyle noted. The government knows “it will not recover these funds and get them back to victims” without the assistance of cryptocurrency exchanges and issuers. The administration policy that digital assets should be retained for a national bitcoin reserve foreshadowed this effort by exempting the funds to be returned to verified victims, he pointed out.

See “SEC Commissioners Urge Balance of Crypto Innovation and Privacy” (Jan. 21, 2026).

COPPA

How the FTC’s COPPA Policy Statement Promoting Responsible Age-Verification Practices Impacts Companies


On February 25, 2026, the FTC issued an enforcement policy statement (Statement) intended to “promote innovation in, and the responsible use of, age-verification mechanisms.” The Statement provides that the FTC will not take enforcement action against websites and services that do not target children as their primary audience and that collect PI from children for age verification purposes without parental consent, provided they comply with the conditions set forth in the Statement. This article discusses the Statement, with practical insights on how it will affect organizations from Jennie Cunningham, counsel at Nelson Mullins, and Philip Yannella, a partner at Blank Rome.

See our three-part series “Children’s Privacy Grows Up”: “Examining New Laws That Now Protect Older Teens” (Jan. 15, 2025), “FTC Amends COPPA Rule and Targets Data Sharing” (Jan. 29, 2025), and “Seven Compliance Areas for Protecting Teens” (Feb. 12, 2025).

COPPA Rule

The Children’s Online Privacy Protection Act (COPPA) Rule (Rule or COPPA Rule) prohibits unfair or deceptive acts or practices in connection with the collection, use or disclosure of PI from or about children on the internet. It makes it unlawful for “any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates” the Rule’s requirements, which include:

  • providing notice on the website or service of its collection practices;
  • obtaining “verifiable parental consent” before collecting, using or disseminating a child’s PI;
  • providing a reasonable means for parents to review such information and prohibit further use or maintenance of it;
  • not conditioning a child’s participation in the site’s or service’s activities on providing more information than reasonably necessary to permit such participation; and
  • having reasonable procedures to protect any PI collected from children.

Under the Rule, “child” means a person under the age of 13.

See “Takeaways From 2018 COPPA Developments and a Forward-Thinking Approach to Compliance” (Mar. 13, 2019).

Enforcement Statement

“Age verification technologies are some of the most child-protective technologies to emerge in decades,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, in the press release announcing the Statement. The Statement “incentivizes operators to use these innovative tools, empowering parents to protect their children online,” he noted.

See “Enforcement Lessons From Disney and Four Other FTC Children’s Privacy Actions” (Jan. 28, 2026).

Age-Verification Mechanisms

In response to the proliferation of online sites directed to children and/or that gather children’s information, several states have enacted laws requiring social media sites and certain other websites to use age-verification mechanisms, according to the Statement. For purposes of the Statement, such mechanisms include:

  • age estimation tools;
  • age verification tools; and
  • age inference tools that infer a user’s likely age or age range based on various signals.

Such mechanisms obtain and analyze information from users to determine whether to grant the user access and whether to impose any restrictions or protections, according to the Statement.

See “Navigating Three New State Laws That Require Apple and Google App Stores to Check All Users’ Ages” (Aug. 13, 2025).

Covered Sites

The Rule defines an operator of a “website or online service directed to children” somewhat circularly as “a commercial website or online service, or portion thereof, that is targeted to children.” The Statement covers a narrower group of only operators of websites and online services that are either:

  • mixed audience sites or services, which are those “directed to children” but that do not “target children as [their] primary audience” and meet certain other criteria; or
  • general audience sites.

The operators of such mixed and general audience sites are referred to in the Statement as “Relevant Operators.”

Addressing the Dilemma

Some Relevant Operators only seek verifiable parental consent for users they have determined are children. Many make that determination by simply requesting users to provide their age before interacting with the site or service. Use of age-verification mechanisms could place Relevant Operators between a rock and a hard place because certain age-verification mechanisms require collection of PI from the user – including users who are children. By collecting children’s PI without parental consent, a Relevant Operator may violate the COPPA Rule.

To address Relevant Operators’ concern, the Statement sets forth the means by which Relevant Operators can “utilize age-verification mechanisms without subjecting themselves to the risk of enforcement under the COPPA Rule.” Provided a Relevant Operator complies with the conditions set forth in the Statement, the FTC “will not bring an enforcement action under the COPPA Rule against a Relevant Operator that collects, uses, or discloses personal information for the purpose of determining a user’s age (Age Verification Purposes) without first obtaining verifiable parental consent.”

The Statement does not change the FTC’s position that operators of any sites or services primarily directed to children must treat all users as children and, therefore, comply with the COPPA Rule with respect to all users.

Conditions

The enforcement policy set forth in the Statement applies only if the Relevant Operator:

  • does not use or disclose information collected for Age Verification Purposes (Verification Information) for any other purpose;
  • discloses Verification Information only to those third parties that the Relevant Operator has taken reasonable steps to determine are capable of maintaining the confidentiality, security and integrity of the information, including by obtaining written assurances that such third parties will:
    • employ reasonable measures to do so;
    • not use or disclose Verification Information for any other purpose; and
    • delete the Verification Information promptly after fulfilling the Age Verification Purposes;
  • does not retain Verification Information longer than necessary to fulfill the Age Verification Purposes and deletes such information promptly thereafter;
  • provides clear notice to parents and children in the privacy policy of its collection of Verification Information;
  • employs reasonable security safeguards for Verification Information; and
  • takes reasonable steps to determine that the age verification mechanism is likely to provide reasonably accurate results as to the user’s age.

A Relevant Operator must also be in compliance with the requirements of the COPPA Rule “in every other respect with regard to personal information collected from children,” cautions the Statement.

The Statement “does not create any substantive rights or entitlements,” the FTC stressed. The agency retains its right to investigate and bring enforcement actions for violations. It does, however, intend to begin a review of the COPPA Rule to address age-verification mechanisms. The Statement will remain in effect until it is withdrawn or the COPPA Rule is amended.

Implications of Statement and Associated Challenges

Some companies may take “a wait-and-see approach while rulemaking occurs to avoid investing significant resources into age verification solutions that may ultimately be insufficient or too risky from a privacy standpoint,” predicted Cunningham, who noted that the views she expressed are her own and not those of her firm or any client. Others may rely on the Statement to test different age verification solutions and strategies. Whichever route they take, companies will also have to take into account relevant state laws, including those covering age assurance, age verification and app store accountability, as well as state guidance on age verification processes.

Though helpful, the Statement is not a “panacea for all the regulatory compliance headaches that these online sites are facing for children’s data,” noted Yannella. “The good news for websites that collect children’s data is that the FTC’s safe harbor does lay out some clear rules that may alleviate some of the guesswork that these websites have to go through when making decisions about age verification technologies.”

See “The Practical and Legal Complexities of Online Age Verification” (Jun. 21, 2023).

Clarification of Enforcement Focus

“It appears the current FTC is going to continue to enforce COPPA as one of the FTC’s traditional/core statutory enforcement authorities,” observed Cunningham. While the FTC under prior administrations concentrated on a range of industries and sectors, the current FTC seems to be focusing primarily on sectors and companies that are providing websites, goods and services aimed at children. Given the Statement’s focus on mixed audience and general audience sites, the FTC is likely to target similar companies whose services appeal to children even though they are not the primary audience, such as certain gaming, streaming and media companies.

See our two-part series on the FTC’s NGL Labs settlement signaling stricter children’s enforcement: “Key Violations and Settlement Terms” (Sep. 18, 2024), and “Compliance Lessons” (Sep. 25, 2024).

A De Facto National Standard?

“This guidance – particularly if it becomes part of the COPPA Rule as the FTC signals – could be very valuable for age verification developers and websites choosing among an array of age verification technologies,” Yannella posited. The FTC’s approach may be “more restrictive than is strictly necessary for some companies, depending on their regulatory footprint, but the benefits of a clear standard may be preferable to trying to comply with the least restrictive standard possible just because a certain state allows it,” he added. “The hope is that the FTC’s safe harbor becomes a de facto national standard and that states adopt the safe harbor,” which “really could make life easier for many websites,” he said.

Most companies subject to COPPA are also subject to state privacy law requirements concerning minors, noted Cunningham. Such companies “will have to grapple with ‘robust’ age verification at some point. It is only a matter of time and how long they think they can wait out technical specifications from the relevant industries and regulators,” she added.

Uncertainty Around How to Synthesize Compliance

Cunningham is not certain a national compliance standard will emerge. States have adopted a patchwork of privacy laws and/or laws aimed at protecting children when they are online. “The laws are different enough that it’s going to be very challenging to design a universal approach to compliance,” she predicted. Moreover, some of those laws may not survive legal challenges. The Statement gives companies “some breathing room to test methods of dealing with the state requirements and building them into existing workflows, but it does not offer prescriptive solutions or address how to synthesize the various requirements,” she explained.

Although there is widespread agreement that children must be protected when online, state AGs and the private sector continue to grapple with how to assess the risks associated with collecting minors’ personal data for age verification purposes, and the technology for age verification “is not yet settled, and each method carries significant privacy risks,” Cunningham continued. Consequently, some states may choose to impose stricter guardrails than those in the Statement.

It remains to be seen how all the different federal and state requirements will ultimately fit together – and how companies will comply with all those requirements. Having different solutions for different jurisdictions risks “data and users falling through gaps, being technologically unworkable, and creating multiple threat vectors by which the data could be accessed,” noted Cunningham. On the other hand, “having just one solution risks creating a consolidated age bracket repository that is controlled by just a few major platforms/companies,” she posited. In the face of this uncertainty, one of the most important things that organizations can do is to take the issue seriously, work toward “reasonable” solutions and document their efforts.

Yannella likewise highlighted the challenges posed by different standards. “Partly due to a lack of progress at the federal level, we are in the midst of an explosion in state children’s privacy laws” including, for example, age-appropriate design codes, children’s privacy laws and revisions to comprehensive privacy laws, he noted. Consequently, age assurance may now be required for many different types of websites. “I don’t know that the FTC guidelines will change this momentum. California, Texas, Colorado and several other states could continue to pass or enforce existing laws that have different age verification standards,” he added. Moreover, states are not required to follow the FTC’s approach. Consequently, companies are likely to face disparate regulatory approaches unless and until Congress adopts a new comprehensive children’s privacy law that preempts state law or at least sets a floor for compliance.

See “FTC and State Enforcers Reveal What’s Next and What to Do About It” (Oct. 2, 2024).

Responsibility for Vendor Management

The Statement “highlights the importance of vendor management, particularly with respect to the age verification vendors,” noted Cunningham. “The privacy and security risks and benefits of various age verification techniques have not been resolved or fully addressed.” The Statement makes companies responsible for thoroughly vetting vendors that may be new to age verification, identity verification or consent management. Moreover, some of the conditions for complying with the Statement are potentially open to interpretation. Notably, “each mention of ‘reasonableness’ adds a layer of uncertainty,” she cautioned.

See our two-part series on privacy and security provisions in vendor agreements: “Assessing the Risks” (Mar. 17, 2021), and “Key Data Processing Considerations” (Mar. 24, 2021).

Data Risk

The Statement “creates a whole new vector that could expose companies due to the significantly greater amount of sensitive data that they would collect in doing age verification,” cautioned Cunningham. The risk associated with holding such data includes data breaches, commercial surveillance, use in profiling or targeted advertising, and third-party risks. Those risks have been and continue “to be [among] the key areas of debate in this area.” One of the significant guardrails contemplated by the Statement is the requirement for prompt deletion of age verification information. However, companies that do not wish to handle any such data must rely on third parties to properly effect deletion.

See “Illuminate Settlements Signal Regulator Focus on Children’s Data” (Dec. 17, 2025).

User Friction

Integrating age verification into existing privacy programs without creating friction that drives users away is one of the key issues facing businesses, according to Cunningham. The particular approach will depend on many factors, including the particular business and business model. While the Statement’s conditions require companies to take reasonable steps to determine verification accuracy, “what is ‘reasonable’ for one company or sector might not be reasonable for another,” she offered.

Inconsistent Results

Another significant concern, Cunningham said, is how to deal with inconsistent results or results that conflict with other information a company has about a user. For example, should a company in that position:

  • have more than one verification method;
  • ask for even more information; or
  • block any users for whom it cannot resolve the verification issue?

Age Verification Best Practices

Companies must not ignore the issue of determining whether children are accessing their websites or services, cautioned Cunningham. Accordingly, she advised, to ensure appropriate age verification steps are taken, companies should:

  • establish or enhance processes for thorough vetting of verification solutions and vendors, including:
    • understanding:
      • how the technology and algorithms function;
      • what data they collect;
      • how and when data is deleted; and
      • how they address conflicting or inconsistent outputs and results;
    • retaining outside experts to assist when needed; and
    • assessing the implications of AI deployment;
  • have robust third-party risk and vendor management programs;
  • ensure data protection agreements and vendor contracts explicitly address the safeguards required by the Statement;
  • ensure that tracking technologies, scripts and other such mechanisms are not being deployed in connection with an age verification solution or, when necessary, that they are appropriately vetted;
  • establish a process for documenting what the company believes to be “reasonable” steps under the Statement;
  • ensure privacy notices are clear about what information is collected and for what purposes, taking into account both federal and state requirements; and
  • conduct periodic risk and privacy impact assessments.

See “How Companies Can Meet Growing Regulatory Scrutiny Around Sharing Children’s Data” (Feb. 11, 2026).

People Moves

Ex-Google CPO Keith Enright Joins Harvey AI


Legal AI company Harvey has hired Keith Enright, former Google CPO, as its chief strategy officer. Enright joins the company from Gibson Dunn & Crutcher, where he was partner and co-chaired the firm’s tech and innovation industry group and AI practice group.

In his new role, Enright will engage with the judiciary, bar associations, legal educators and policymakers as courts, regulators, and law schools grapple with the implications of AI in legal practice. He will also oversee hiring for new enterprise vertical leads as Harvey deepens its penetration in banking, private equity and other high-value sectors.

Enright previously served as Google’s CPO for 13 years, where he led the global privacy, legal, compliance and consumer protection teams, and contributed to company strategy on headline policy and legal issues. He earlier served as CPO of Macy’s.

For commentary from Enright, see “Tips From Big Tech Leaders on Navigating Global Privacy Regulations” (Dec. 3, 2025); “CPOs Weigh In on Navigating Myriad Privacy and Security Laws Amid Dizzying Technological Advancements” (Jun. 28, 2023); and “Tips From Google, Chase and P&G Privacy Officers on Developing Strong Privacy Leadership and When to Use Outside Counsel” (Aug. 23, 2017).