Publications & Advisories
- August 1, 2025 – David Teske and John Lesko published "Privacy, Cyber & Data Strategy Advisory | Trump Administration's AI Action Plan to Promote the U.S. AI Industry Through Deregulation, Expanded Infrastructure, and Diplomacy."
- July 24, 2025 – Drew Rolle, David Teske, and John Lesko published "Privacy, Cyber & Data Strategy / White Collar, Government & Internal Investigations Advisory | GENIUS Act Establishes Federal Regulatory Oversight of Global Stablecoin Industry."
- July 15, 2025 – Kim Peretti, Kelly Hagedorn, and Lance Taubin published "5 Things Manufacturing GCs Should Know About Cyber Risk" in Law360.
- July 15, 2025 – Kelly Hagedorn, Alice Portnoy, and Hanna Hewitt published "Navigating a New Era of Reporting Cyber Incidents in the UK and EU" in Den Hollander's Compliance, Ethics & Sustainability Journal.
- June 25, 2025 – Kim Peretti and Alysa Austin published "Privacy, Cyber & Data Strategy Advisory | Data Breach Data Reviews: Challenges and What You Need to Know."
- June 20, 2025 – Kate Hanniford, Jennifer Everett, Alysa Austin, and Zain Haq published "Privacy, Cyber & Data Strategy Advisory | NSA, CISA, FBI, and International Partners Issue Joint Guidance on AI Data Security."
- June 18, 2025 – Kim Peretti, Andrew Liebler, and Samantha Skolnick published "Policy Shifts May Follow Burst of Defense Cyber Settlements" in Law360.
- May 1, 2025 – Wim Nauwelaerts published "Cybersecurity 2025: Belgium" in Chambers Global Practice Guides: Cybersecurity 2025.
Selected U.S. Privacy & Cyber Updates
Microsoft Announces Two New On-Premises SharePoint Vulnerabilities
On July 19, 2025, Microsoft announced two new vulnerabilities (CVE-2025-49704 and CVE-2025-49706) that are being actively exploited and that relate to on-premises Microsoft SharePoint instances exposed to the internet. CVE-2025-49704 is a remote code execution vulnerability, which allows an attacker to run malicious code on a target system. CVE-2025-49706 is a spoofing vulnerability, which allows attackers to disguise themselves as known or trusted sources to have the system perform unintended actions.
CPPA Board Votes to Adopt CCPA Regulations; Open DROP Rules to Public Comment
On July 24, 2025, the California Privacy Protection Agency (CPPA) board voted to adopt draft regulations under the California Consumer Privacy Act (CCPA) for cybersecurity audits, risk assessments, automated decision-making technologies, and the CCPA's application to insurance companies. The approved regulations also include certain updates to the existing CCPA regulations.
On June 12, 2025, the Securities and Exchange Commission announced the withdrawal of several Biden-era regulations, including a proposed rule that would have required a broad range of platforms and financial intermediaries (such as broker-dealers, clearing agencies, national securities exchanges, and transfer agents) to adopt policies and procedures that address cybersecurity risks.
The New York State Department of Health issued an urgent cybersecurity advisory warning of increased threat levels and a higher likelihood of cybersecurity attacks from Iranian state-backed actors following U.S. military strikes on the Fordow, Natanz, and Isfahan nuclear facilities in Iran.
Texas Enacts Responsible AI Governance Act
On June 22, 2025, Texas Governor Greg Abbott signed House Bill 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), into law. TRAIGA imposes obligations and prohibitions on businesses and governmental entities for certain uses of artificial intelligence (AI), amends the Texas Capture or Use of Biometric Identifier Act to include certain exemptions, and amends the Texas Data Privacy and Security Act to require processors to help controllers protect personal information processed by an AI system.
On June 27, 2025, the Middle District of Florida, on remand from the Eleventh Circuit, reversed course when it denied class certification to a group of plaintiffs who were purportedly impacted by a spring 2018 cyberattack on Brinker International Inc., the parent company of the popular chain restaurant Chili's.
NYDFS Issues Guidance on Heightened Cybersecurity and Sanctions Risk from Global Conflict
On June 23, 2025, the New York State Department of Financial Services issued an industry letter encouraging all regulated entities to review their cybersecurity and sanctions compliance programs in light of heightened geopolitical tensions. The letter emphasizes the elevated risk environment and reaffirms the department's expectations that covered institutions maintain robust controls and remain vigilant in mitigating cyber and sanctions-related threats.
Are You Ready for the Department of Justice's Bulk Data Transfer Rule?
On July 8, 2025, the U.S. Department of Justice lifted its self-imposed pause on enforcing certain violations of its Rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons. The Bulk Data Rule, which took effect on April 8, 2025, implemented Biden-era Executive Order 14117 ("Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern"), which the Trump Administration kept in force after taking office.
On June 6, 2025, President Trump issued an Executive Order (EO) ("Sustaining Select Efforts to Strengthen the Nation's Cybersecurity"), amending certain prior directives established by the Biden and Obama Administrations. Importantly, the Administration's new directive maintains continuity of the cybersecurity goals of prior Administrations and demonstrates that cybersecurity remains a bipartisan priority. However, the new EO narrows the scope of the federal government's role and introduces a new strategy for achieving those goals.
New Artificial Intelligence Laws in Effect in Utah
On May 7, 2025, three new AI laws in Utah took effect. These laws require businesses to make "you're talking to a bot" disclosures and comply with privacy requirements when using AI in consumer transactions, mental health chatbots, and certain content used for advertising, fundraising, or endorsements.
NY Passes Law Governing Personalized Algorithmic Pricing; AI Companions
On May 9, 2025, New York Governor Kathy Hochul signed Assembly Bill A3008 into law. The omnibus legislation mandates transparency in personalized algorithmic pricing. The new law also requires operators of AI companions to implement safety protocols and disclose bot usage to consumers.
Suite Victory: Marriott Finally Checks Out of Court
On June 3, 2025, the Fourth Circuit issued a pivotal ruling in long-standing litigation against Marriott International Inc. arising out of a 2018 data breach involving its Starwood Preferred Guest Program. In reversing the lower court's grant of class certification, the Fourth Circuit determined that the customers' contractual agreements with Marriott included enforceable class action waivers and that those waivers applied to bar all asserted claims.
On May 1, 2025, the DOJ announced a settlement under the False Claims Act involving defense contractors Raytheon Company, RTX Corporation, and Nightwing Group—the successor owner to one of Raytheon's cybersecurity business lines. The companies agreed to pay $8.4 million to resolve allegations of noncompliance with federal cybersecurity requirements.
Texas AG Secures $1.375 Billion from Google: Key Takeaways for Companies Collecting Consumer Data
On May 9, 2025, Texas Attorney General Ken Paxton announced a $1.375 billion settlement with Google—the largest state-level privacy settlement reached against Google to date. The settlement resolves lawsuits filed in 2022 alleging that Google unlawfully collected, stored, and used Texans' sensitive personal data without consent, including location information, biometric identifiers, and web-browsing activity.
CISA Issues Enhanced Guidance to Mitigate Cyber Threats to Operational Technology Systems
On May 6, 2025, the Cybersecurity and Infrastructure Security Agency, in coordination with the FBI, Environmental Protection Agency, and Department of Energy, issued a joint fact sheet, "Primary Mitigations to Reduce Cyber Threats to Operational Technology." The document highlights priority actions that owners and operators of operational technology systems may wish to consider in light of persistent and evolving cyber threats targeting critical infrastructure.
CPPA Issues Revised Draft CCPA Regulations; Votes to Initiate Public Comment Period
On May 1, 2025, the CPPA board convened to discuss revisions to the CCPA draft regulations on cybersecurity audits, risk assessments, automated decision-making technology, insurance, and updates to the existing CCPA regulations.
Selected Global Privacy & Cyber Updates
EU-Wide Breach Notification Template on the Horizon
Following their recent meeting in Finland on July 1–2, 2025, the EU data protection authorities, acting through the European Data Protection Board, announced their intention to release new tools and an EU-wide data breach notification template to help companies comply with the requirements of the EU GDPR.
Inside the SK Telecom Data Breach: What Happened and What Companies Can Learn
In April 2025, SK Telecom, South Korea's largest mobile carrier, formally notified regulators of a significant data breach that compromised sensitive SIM card data belonging to nearly 27 million users. Following an investigation, the Ministry of Science and ICT and the Korea Internet & Security Agency concluded in July 2025 that SK Telecom was negligent in its account information management practices and in complying with its breach reporting obligations. As a result, the company was fined 30 million won (approx. $22,000).
UK Data Protection Regulator Fines 23andMe ~$3.1 Million Following Credential Stuffing Attack
On June 5, 2025, the UK's Information Commissioner's Office fined 23andMe £2.31 million (approx. $3.1 million). The fine was for failing to implement adequate security measures to protect the personal data of over 155,000 UK users. The penalty followed a joint investigation with the Office of the Privacy Commissioner of Canada, highlighting how regulators are increasingly working together to investigate breaches of data protection legislation.
European Vulnerability Database Published by the European Union Agency for Cybersecurity
The European Union Agency for Cybersecurity has launched the European Vulnerability Database, a tool designed to enhance digital security across the EU. It is a centralized database containing information on cybersecurity vulnerabilities affecting information technology products and services.
UK Publishes Software Security Code
On May 7, 2025, the National Cyber Security Centre and the Department of Science, Innovation and Technology published the Software Security Code of Practice. The purpose of the Code is to help software vendors and their customers reduce the likelihood and impact of software supply chain attacks by implementing good practices throughout the entire product life cycle.
Events
- July 16, 2025 – Kim Peretti, Dan Felz, Kelly Hagedorn, Rachel Lowe, and Peter Swire presented during the Sixth Annual Privacy, Cyber & Data Strategy Summit.
- June 24, 2025 – David Teske, Dorian Simmons, and Hyun Jai Oh presented the webinar "AI Legal Insights: Shaping Tomorrow – Landscape Update: U.S. AI Legislative and Enforcement."
- June 17–19, 2025 – Kelly Hagedorn spoke on the panel "Are You Prepared? A Deep Dive into Operational Resilience, Cyber Security & Third-Party Risk" at the ISLA 32nd Annual Securities Finance & Collateral Management Conference.
- June 12, 2025 – Kate Hanniford and Kelly Hagedorn presented "Scattered Spider: Who Are They and How Have They Brought UK Retailers to Their Knees."
- June 9–10, 2025 – Kim Peretti chaired and provided opening remarks for the 26th Annual Institute on Privacy and Cybersecurity Law. Kelly Hagedorn spoke on the panel "EU and UK Privacy Developments: New Directions and New Challenges."
- June 5, 2025 – Dan Felz spoke on the panels "International Perspective on AI" and "AI Roundtable Discussion" at the AI Decoded event hosted by Taylor Wessing.
- May 20, 2025 – Jennifer Everett and Kelly Hagedorn presented "Women in Cyber: Global Cybersecurity Compliance: Addressing Breaches Beyond the Usual Jurisdictions."
- May 13–15, 2025 – Kristy Brown spoke on the panel "The Rise of Collective Claims via Mass Arbitrations: Powerful Tool or Contentious Development" at the NetDiligence Cyber Risk Summit.
In the News
- June 4, 2025 – Kim Peretti is featured on the challenges companies face in defending against cyberattacks in Cybersecurity Law Report.
Press Releases
Alston & Bird Advises Stratos Wealth Holdings on Securing $527 Million Strategic Investment from SEI
Alston & Bird represented Stratos Wealth Holdings and its Stratos business, a family of companies focused on supporting the success of financial advisors, in securing a $527 million strategic growth investment from SEI, a global provider of financial technology, operations, and asset management services. Dan Felz from our Privacy, Cyber & Data Strategy Team represented Stratos.
Alston & Bird Increases Recognitions in The Legal 500 US 2025
Alston & Bird has been ranked in seven practice areas in the 2025 edition of The Legal 500 United States. The rankings include Media, Technology, and Telecoms: Cyber law. Kim Peretti continues to be named a "Leading Partner" in Cyber Law.
Alston & Bird Continues to Increase Rankings in Chambers USA 2025
Alston & Bird has received significant recognition in the 2025 edition of Chambers USA: America's Leading Lawyers for Business, with 77 practice rankings and 164 leading lawyer listings.
Our Privacy, Cyber & Data Strategy Team is ranked in Band 4 for Privacy & Data Security: The Elite and Band 2 for Privacy & Data Security: Healthcare. Kim Peretti is ranked in Band 1 for Privacy & Data Security: Cybersecurity and Band 3 for Privacy & Data Security: Healthcare. Kristy Brown is ranked in Band 3 for Privacy & Data Security: Litigation.