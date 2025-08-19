Publications & Advisories

Selected U.S. Privacy & Cyber Updates

Microsoft Announces Two New On-Premises SharePoint Vulnerabilities

On July 19, 2025, Microsoft announced two vulnerabilities under active exploitation (CVE-2025-49704 and CVE-2025-49706) affecting on-premises Microsoft SharePoint Server instances, in particular those exposed to the internet. CVE-2025-49704 is a remote code execution vulnerability, which allows an attacker to run arbitrary code on the SharePoint server. CVE-2025-49706 is a spoofing vulnerability, which allows an attacker to impersonate a known or trusted source and cause the server to perform actions it would otherwise reject. Cloud-hosted SharePoint Online is not affected; organizations running on-premises SharePoint should apply Microsoft's security updates and avoid exposing these servers directly to the internet where possible.

CPPA Board Votes to Adopt CCPA Regulations; Open DROP Rules to Public Comment

On July 24, 2025, the California Privacy Protection Agency (CPPA) board voted to adopt draft regulations under the California Consumer Privacy Act (CCPA) for cybersecurity audits, risk assessments, automated decision-making technologies, and the CCPA's application to insurance companies. The approved regulations also include certain updates to the existing CCPA regulations.

SEC Withdraws Proposed Cyber-Related Rule Applicable to Broker-Dealers and Signals SolarWinds Settlement on the Horizon

On June 12, 2025, the Securities and Exchange Commission announced the withdrawal of several Biden-era regulations, including a proposed rule that would have required a broad range of platforms and financial intermediaries (such as broker-dealers, clearing agencies, national securities exchanges, and transfer agents) to adopt policies and procedures that address cybersecurity risks.

New York Department of Health Issues Urgent Cybersecurity Warning Following U.S. Strikes on Iranian Nuclear Facilities

The New York State Department of Health issued an urgent cybersecurity advisory warning of increased threat levels and a higher likelihood of cybersecurity attacks from Iranian state-backed actors following U.S. military strikes on the Fordow, Natanz, and Isfahan nuclear facilities in Iran.

Texas Enacts Responsible AI Governance Act

On June 22, 2025, Texas Governor Greg Abbott signed House Bill 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), into law. TRAIGA imposes obligations and prohibitions on businesses and governmental entities for certain uses of artificial intelligence (AI), amends the Texas Capture or Use of Biometric Identifier Act to include certain exemptions, and amends the Texas Data Privacy and Security Act to require processors to help controllers protect personal information processed by an AI system.

Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

On June 27, 2025, the Middle District of Florida, on remand from the Eleventh Circuit, reversed course when it denied class certification to a group of plaintiffs who were purportedly impacted by a spring 2018 cyberattack on Brinker International Inc., the parent company of the popular chain restaurant Chili's.

NYDFS Issues Guidance on Heightened Cybersecurity and Sanctions Risk from Global Conflict

On June 23, 2025, the New York State Department of Financial Services issued an industry letter encouraging all regulated entities to review their cybersecurity and sanctions compliance programs in light of heightened geopolitical tensions. The letter emphasizes the elevated risk environment and reaffirms the department's expectations that covered institutions maintain robust controls and remain vigilant in mitigating cyber and sanctions-related threats.

Are You Ready for the Department of Justice's Bulk Data Transfer Rule?

On July 8, 2025, the U.S. Department of Justice lifted its self-imposed pause on enforcing certain violations of its Rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. The Bulk Data Rule, which took effect on April 8, 2025, implemented Biden-era Executive Order 14117 ("Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern"), which the Trump Administration kept in force after taking office.

Trump Administration Releases Cyber Executive Order Revealing Renewed Strategy for U.S. Cybersecurity

On June 6, 2025, President Trump issued an Executive Order (EO) ("Sustaining Select Efforts to Strengthen the Nation's Cybersecurity"), amending certain prior directives established by the Biden and Obama Administrations. Importantly, the Administration's new directive maintains continuity of the cybersecurity goals of prior Administrations and demonstrates that cybersecurity remains a bipartisan priority. However, the new EO narrows the scope of the federal government's role and introduces a new strategy for achieving those goals.

New Artificial Intelligence Laws in Effect in Utah

On May 7, 2025, three new AI laws in Utah took effect. These laws require businesses to make "you're talking to a bot" disclosures and comply with privacy requirements when using AI in consumer transactions, mental health chatbots, and certain content used for advertising, fundraising, or endorsements.

NY Passes Law Governing Personalized Algorithmic Pricing; AI Companions

On May 9, 2025, New York Governor Kathy Hochul signed Assembly Bill A3008 into law. The omnibus legislation mandates transparency in personalized algorithmic pricing. The new law also requires operators of AI companions to implement safety protocols and disclose bot usage to consumers.

Suite Victory: Marriott Finally Checks Out of Court

On June 3, 2025, the Fourth Circuit issued a pivotal ruling in long-standing litigation against Marriott International Inc. arising out of a 2018 data breach involving its Starwood Preferred Guest Program. In reversing the lower court's grant of class certification, the Fourth Circuit determined that the customers' contractual agreements with Marriott included enforceable class action waivers and that those waivers applied to bar all asserted claims.

DOJ Settles Another False Claims Act Case for Alleged Failures in Implementing NIST SP 800-171 and Basic Cybersecurity Controls

On May 1, 2025, the DOJ announced a settlement under the False Claims Act involving defense contractors Raytheon Company, RTX Corporation, and Nightwing Group—the successor owner to one of Raytheon's cybersecurity business lines. The companies agreed to pay $8.4 million to resolve allegations of noncompliance with federal cybersecurity requirements.

Texas AG Secures $1.375 Billion from Google: Key Takeaways for Companies Collecting Consumer Data

On May 9, 2025, Texas Attorney General Ken Paxton announced a $1.375 billion settlement with Google—the largest state-level privacy settlement reached against Google to date. The settlement resolves lawsuits filed in 2022 alleging that Google unlawfully collected, stored, and used Texans' sensitive personal data without consent, including location information, biometric identifiers, and web-browsing activity.

CISA Issues Enhanced Guidance to Mitigate Cyber Threats to Operational Technology Systems

On May 6, 2025, the Cybersecurity and Infrastructure Security Agency, in coordination with the FBI, Environmental Protection Agency, and Department of Energy, issued a joint fact sheet, "Primary Mitigations to Reduce Cyber Threats to Operational Technology." The document highlights priority actions that owners and operators of operational technology systems may wish to consider in light of persistent and evolving cyber threats targeting critical infrastructure.

CPPA Issues Revised Draft CCPA Regulations; Votes to Initiate Public Comment Period

On May 1, 2025, the CPPA board convened to discuss revisions to the CCPA draft regulations on cybersecurity audits, risk assessments, automatic decision-making technology, insurance, and updates to the existing CCPA regulations.

Selected Global Privacy & Cyber Updates

EU-Wide Breach Notification Template on the Horizon

Following their meeting in Finland on July 1–2, 2025, the EU data protection authorities, acting through the European Data Protection Board, announced their intention to release new tools and an EU-wide data breach notification template to help companies comply with the breach notification requirements of the EU GDPR.

Inside the SK Telecom Data Breach: What Happened and What Companies Can Learn

In April 2025, SK Telecom, South Korea's largest mobile carrier, formally notified regulators of a significant data breach that compromised sensitive SIM card data belonging to nearly 27 million users. Following an investigation, the Ministry of Science and ICT and the Korea Internet & Security Agency concluded in July 2025 that SK Telecom was negligent in its account information management practices and in complying with its breach reporting obligations. As a result, the company was fined 30 million won (approx. $22,000).

UK Data Protection Regulator Fines 23andMe ~$3.1 Million Following Credential Stuffing Attack

On June 5, 2025, the UK's Information Commissioner's Office fined 23andMe £2.31 million (approx. $3.1 million). The fine was for failing to implement adequate security measures to protect the personal data of over 155,000 UK users. The penalty followed a joint investigation with the Office of the Privacy Commissioner of Canada, highlighting how regulators are increasingly working together to investigate breaches of data protection legislation.

European Vulnerability Database Published by the European Union Agency for Cybersecurity

The European Union Agency for Cybersecurity has launched the European Vulnerability Database, a tool designed to enhance digital security across the EU. It is a centralized database containing information on cybersecurity vulnerabilities affecting information technology products and services.

UK Publishes Software Security Code

On May 7, 2025, the National Cyber Security Centre and the Department of Science, Innovation and Technology published the Software Security Code of Practice. The purpose of the Code is to help software vendors and their customers reduce the likelihood and impact of software supply chain attacks by implementing good practices throughout the entire product life cycle.
